From 5752f0034343a0dc899c088b8d8a4cd9faf124c1 Mon Sep 17 00:00:00 2001
From: Erich Blume
Date: Wed, 13 May 2026 12:54:36 -0700
Subject: [PATCH] C2(migrate-immich-to-ringtail): impl bootstrap immich-pg via pg_basebackup from minikube
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Replaces the initdb bootstrap with a pg_basebackup from the minikube source over the tailnet (immich-pg.tail8d86e.ts.net). The ringtail cluster starts in replica mode (replica.enabled=true), streaming WAL from the source. Promotion happens by flipping replica.enabled=false after the replica catches up and the source is quiesced. Uses the source's streaming_replica TLS cert + CA, copied to ringtail as out-of-band secrets (source-immich-pg-replication, source-immich-pg-ca) — the standard CNPG-to-CNPG migration auth path.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
.../databases-ringtail/immich-pg.yaml | 55 ++++++++++++-------
1 file changed, 34 insertions(+), 21 deletions(-)

diff --git a/argocd/manifests/databases-ringtail/immich-pg.yaml b/argocd/manifests/databases-ringtail/immich-pg.yaml
index 4650109..e878e39 100644
--- a/argocd/manifests/databases-ringtail/immich-pg.yaml
+++ b/argocd/manifests/databases-ringtail/immich-pg.yaml
@@ -1,13 +1,13 @@
 # PostgreSQL Cluster for Immich on ringtail k3s.
 #
-# Mirror of argocd/manifests/databases/immich-pg.yaml (minikube), with
-# ringtail-specific tweaks (storageClass: local-path). The bootstrap
-# section may be rewritten when [[immich-pg-data-migration]] picks an
-# import method — both pg_dump/restore and CNPG externalCluster
-# basebackup require touching this block.
+# Initial bring-up is via CNPG pg_basebackup against the minikube
+# immich-pg cluster (reachable on the tailnet at
+# immich-pg.tail8d86e.ts.net). Once the basebackup completes and
+# the replica catches up, set replica.enabled=false to promote.
 #
-# Uses VectorChord (successor to pgvecto.rs) for AI-powered vector
-# search. See: https://github.com/immich-app/immich/discussions/9060
+# After promotion, the externalClusters and bootstrap blocks can be
+# left in place (CNPG ignores them once initialized) or pruned in a
+# follow-up commit. See [[immich-pg-data-migration]] for procedure.
 apiVersion: postgresql.cnpg.io/v1
 kind: Cluster
 metadata:
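Review bot: The new header comment's post-promotion guidance covers the `externalClusters` and `bootstrap` blocks but says nothing about the two secrets the commit message describes as copied to ringtail out of band (`source-immich-pg-replication`, `source-immich-pg-ca`). The first holds the `streaming_replica` private key, which presumably remains a usable replication credential for the source after this cluster is promoted, so "left in place" should not silently extend to it. I would add a line such as `# When pruning externalClusters, also delete the copied source-immich-pg-replication and source-immich-pg-ca secrets.` It would also help to note whether the copied certificate is expected to stay valid for the whole migration window, since a manual copy is likely not renewed together with the original.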
@@ -15,27 +15,40 @@ metadata: namespace: databases spec: instances: 1 - # VectorChord image for PostgreSQL 17 with VectorChord 0.5.0 imageName: ghcr.io/tensorchord/cloudnative-vectorchord:17-0.5.0 storage: size: 10Gi storageClass: local-path - # Bootstrap creates initial database and owner. - # Empty initdb today; replaced by the chosen data-migration method - # in immich-pg-data-migration. - bootstrap: - initdb: - database: immich - owner: immich - postInitSQL: - - CREATE EXTENSION IF NOT EXISTS vector; - - CREATE EXTENSION IF NOT EXISTS vchord CASCADE; - - CREATE EXTENSION IF NOT EXISTS cube CASCADE; - - CREATE EXTENSION IF NOT EXISTS earthdistance CASCADE; + # Streaming replica of the minikube source until promoted. + replica: + enabled: true + source: source-immich-pg - # Managed roles + # Bootstrap from the source via pg_basebackup. + bootstrap: + pg_basebackup: + source: source-immich-pg + + externalClusters: + - name: source-immich-pg + connectionParameters: + host: immich-pg.tail8d86e.ts.net + user: streaming_replica + sslmode: verify-ca + dbname: postgres + sslCert: + name: source-immich-pg-replication + key: tls.crt + sslKey: + name: source-immich-pg-replication + key: tls.key + sslRootCert: + name: source-immich-pg-ca + key: ca.crt + + # Managed roles (applied after promotion) managed: roles: - name: borgmatic
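Review bot: `sslmode: verify-ca` under `connectionParameters` checks that the source's server certificate chains to `source-immich-pg-ca` but not that it was issued for `immich-pg.tail8d86e.ts.net`, so any certificate signed by that CA would be accepted at this host. If this is deliberate because the source's server certificate carries no SAN for the tailnet name (not visible in this diff), record it above the line, e.g. `# verify-ca, not verify-full: source server cert has no SAN for the tailnet name; the CA is private to the source cluster`. The stricter option would be to add the tailnet name to the source cluster's `certificates.serverAltDNSNames` and switch this to `sslmode: verify-full`.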