Add Tailscale LoadBalancer for PostgreSQL testing

- Expose k8s-pg.tail8d86e.ts.net for testing during migration - Temporary service until Phase 4 when pg.tail8d86e.ts.net switches - Update README with connection info and cleanup notes Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-19 09:14:34 -08:00 · 2026-01-19 09:14:34 -08:00 · 9854b4dbee
commit 9854b4dbee
parent d75fdfdad6
3 changed files with 39 additions and 11 deletions
--- a/argocd/manifests/databases/README.md
+++ b/argocd/manifests/databases/README.md
@ -39,10 +39,12 @@ The `miniflux` user password is auto-generated by CloudNativePG and stored in `b
 After the cluster is healthy:

 ```bash
-# Connect as eblume (same style as current brew pg)
-# Uses same password as pg.tail8d86e.ts.net
+# Connect via Tailscale (temporary hostname during migration)
+psql -h k8s-pg.tail8d86e.ts.net -U eblume -W -d miniflux
+
+# Or with password from 1Password
 PGPASSWORD=$(op --vault blumeops item get guxu3j7ajhjyey6xxl2ovsl2ui --fields password --reveal) \
-  psql -h <hostname> -U eblume -d miniflux
+  psql -h k8s-pg.tail8d86e.ts.net -U eblume -d miniflux

 # Get miniflux app credentials (for applications)
 kubectl -n databases get secret blumeops-pg-app -o jsonpath='{.data.uri}' | base64 -d
@ -53,7 +55,7 @@ kubectl -n databases get secret blumeops-pg-superuser -o jsonpath='{.data.passwo

 ### Connecting via kubectl port-forward

-Until Tailscale exposure is configured:
+Alternative if Tailscale service is unavailable:

 ```bash
 # Terminal 1: Port-forward to the primary
@ -80,12 +82,16 @@ kubectl -n databases get cluster blumeops-pg -o jsonpath='{.status.managedRolesS
 kubectl -n databases logs -l cnpg.io/cluster=blumeops-pg
 ```

-## Future: Tailscale Exposure
+## Tailscale Exposure

-The cluster is currently internal-only. In Phase 4, after miniflux migrates to k8s,
-the `pg.tail8d86e.ts.net` Tailscale service will be pointed to this cluster.
+### Current: Temporary Service

-When exposed, you'll be able to connect with:
-```bash
-psql -h pg.tail8d86e.ts.net -U eblume -W -d miniflux
-```
+`k8s-pg.tail8d86e.ts.net` - LoadBalancer service for testing during migration.
+
+### Phase 4: Production Service
+
+After miniflux migrates to k8s, the `pg.tail8d86e.ts.net` Tailscale service will switch
+from brew PostgreSQL (indri) to this k8s cluster. At that point:
+1. Delete `service-tailscale.yaml` (the `k8s-pg` service)
+2. Update/create a service with `tailscale.com/hostname: "pg"`
+3. Verify the orphaned `k8s-pg` device is removed from tailnet
--- a/argocd/manifests/databases/kustomization.yaml
+++ b/argocd/manifests/databases/kustomization.yaml
@ -5,3 +5,4 @@ namespace: databases

 resources:
  - blumeops-pg.yaml
+  - service-tailscale.yaml
--- a/argocd/manifests/databases/service-tailscale.yaml
+++ b/argocd/manifests/databases/service-tailscale.yaml
@ -0,0 +1,21 @@
+# Tailscale LoadBalancer for PostgreSQL access
+# Temporary service for testing during migration (k8s-pg.tail8d86e.ts.net)
+# Will be replaced by pg.tail8d86e.ts.net in Phase 4
+apiVersion: v1
+kind: Service
+metadata:
+  name: blumeops-pg-tailscale
+  namespace: databases
+  annotations:
+    tailscale.com/hostname: "k8s-pg"
+spec:
+  type: LoadBalancer
+  loadBalancerClass: tailscale
+  selector:
+    cnpg.io/cluster: blumeops-pg
+    role: primary
+  ports:
+    - name: postgresql
+      port: 5432
+      targetPort: 5432
+      protocol: TCP