C2(migrate-immich-to-ringtail): impl bootstrap immich-pg via pg_basebackup from minikube

Replaces the initdb bootstrap with a pg_basebackup from the minikube source over the tailnet (immich-pg.tail8d86e.ts.net). The ringtail cluster starts in replica mode (replica.enabled=true), streaming WAL from the source. Promotion happens by flipping replica.enabled=false after the replica catches up and the source is quiesced. Uses the source's streaming_replica TLS cert + CA, copied to ringtail as out-of-band secrets (source-immich-pg-replication, source-immich-pg-ca) — the standard CNPG-to-CNPG migration auth path. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-13 12:54:36 -07:00 · 2026-05-13 12:54:36 -07:00 · 5752f00343
commit 5752f00343
parent be5255d685
1 changed files with 33 additions and 20 deletions
--- a/argocd/manifests/databases-ringtail/immich-pg.yaml
+++ b/argocd/manifests/databases-ringtail/immich-pg.yaml
@ -1,13 +1,13 @@
 # PostgreSQL Cluster for Immich on ringtail k3s.
 #
-# Mirror of argocd/manifests/databases/immich-pg.yaml (minikube), with
-# ringtail-specific tweaks (storageClass: local-path). The bootstrap
-# section may be rewritten when [[immich-pg-data-migration]] picks an
-# import method — both pg_dump/restore and CNPG externalCluster
-# basebackup require touching this block.
+# Initial bring-up is via CNPG pg_basebackup against the minikube
+# immich-pg cluster (reachable on the tailnet at
+# immich-pg.tail8d86e.ts.net). Once the basebackup completes and
+# the replica catches up, set replica.enabled=false to promote.
 #
-# Uses VectorChord (successor to pgvecto.rs) for AI-powered vector
-# search. See: https://github.com/immich-app/immich/discussions/9060
+# After promotion, the externalClusters and bootstrap blocks can be
+# left in place (CNPG ignores them once initialized) or pruned in a
+# follow-up commit. See [[immich-pg-data-migration]] for procedure.
 apiVersion: postgresql.cnpg.io/v1
 kind: Cluster
 metadata:
@ -15,27 +15,40 @@ metadata:
  namespace: databases
 spec:
  instances: 1
-  # VectorChord image for PostgreSQL 17 with VectorChord 0.5.0
  imageName: ghcr.io/tensorchord/cloudnative-vectorchord:17-0.5.0

  storage:
    size: 10Gi
    storageClass: local-path

-  # Bootstrap creates initial database and owner.
-  # Empty initdb today; replaced by the chosen data-migration method
-  # in immich-pg-data-migration.
-  bootstrap:
-    initdb:
-      database: immich
-      owner: immich
-      postInitSQL:
-        - CREATE EXTENSION IF NOT EXISTS vector;
-        - CREATE EXTENSION IF NOT EXISTS vchord CASCADE;
-        - CREATE EXTENSION IF NOT EXISTS cube CASCADE;
-        - CREATE EXTENSION IF NOT EXISTS earthdistance CASCADE;
+  # Streaming replica of the minikube source until promoted.
+  replica:
+    enabled: true
+    source: source-immich-pg

-  # Managed roles
+  # Bootstrap from the source via pg_basebackup.
+  bootstrap:
+    pg_basebackup:
+      source: source-immich-pg
+
+  externalClusters:
+    - name: source-immich-pg
+      connectionParameters:
+        host: immich-pg.tail8d86e.ts.net
+        user: streaming_replica
+        sslmode: verify-ca
+        dbname: postgres
+      sslCert:
+        name: source-immich-pg-replication
+        key: tls.crt
+      sslKey:
+        name: source-immich-pg-replication
+        key: tls.key
+      sslRootCert:
+        name: source-immich-pg-ca
+        key: ca.crt
+
+  # Managed roles (applied after promotion)
  managed:
    roles:
      - name: borgmatic