Erich Blume
1d4cbbfb84
CNPG Cluster on ringtail to receive the paperless + teslamate databases migrated off the minikube blumeops-pg via cold pg_dump/pg_restore. Mirrors the minikube cluster (managed roles eblume/borgmatic/paperless/teslamate, scram pg_hba) on ringtail's local-path storage, scoped to wave-1 roles (miniflux + authentik stay put for later waves). Apps reach it in-cluster at blumeops-pg-rw.databases.svc.cluster.local — same name as on minikube. Database creation is deferred to cutover: paperless restores into the bootstrap database; teslamate's DB is created by the eblume superuser at its cutover (the dump's earthdistance extension is untrusted). The four ExternalSecrets reuse the same 1Password items as the minikube cluster. Not yet synced; deploy waits for review. kustomize build verified. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
30 lines
717 B
YAML
30 lines
717 B
YAML
# ExternalSecret for borgmatic backup user password
|
|
#
|
|
# Replaces the manual op inject workflow from secret-borgmatic.yaml.tpl
|
|
#
|
|
# 1Password item: "borgmatic" in blumeops vault
|
|
# Field: "db-password"
|
|
#
|
|
apiVersion: external-secrets.io/v1
|
|
kind: ExternalSecret
|
|
metadata:
|
|
name: blumeops-pg-borgmatic
|
|
namespace: databases
|
|
spec:
|
|
refreshInterval: 1h
|
|
secretStoreRef:
|
|
kind: ClusterSecretStore
|
|
name: onepassword-blumeops
|
|
target:
|
|
name: blumeops-pg-borgmatic
|
|
creationPolicy: Owner
|
|
template:
|
|
type: kubernetes.io/basic-auth
|
|
data:
|
|
username: borgmatic
|
|
password: "{{ .password }}"
|
|
data:
|
|
- secretKey: password
|
|
remoteRef:
|
|
key: borgmatic
|
|
property: db-password
|