eblume/blumeops
1
1
Fork 0
Code Issues Pull requests Projects Releases 83 Packages Wiki Activity Actions
blumeops/argocd/manifests/databases
History
Erich Blume d75fdfdad6 Add PostgreSQL cluster manifest for Step 7 
- Create blumeops-pg Cluster with CloudNativePG
- Add eblume superuser role (matches current brew pg setup)
- Configure pg_hba for password auth from any IP (Tailscale handles security)
- Add secret template for eblume password from 1Password
- Create ArgoCD Application with manual sync policy
- Update Phase 1 plan with implementation notes

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-19 08:55:08 -08:00
..
blumeops-pg.yaml Add PostgreSQL cluster manifest for Step 7 2026-01-19 08:55:08 -08:00
kustomization.yaml Add PostgreSQL cluster manifest for Step 7 2026-01-19 08:55:08 -08:00
README.md Add PostgreSQL cluster manifest for Step 7 2026-01-19 08:55:08 -08:00
secret-eblume.yaml.tpl Add PostgreSQL cluster manifest for Step 7 2026-01-19 08:55:08 -08:00

README.md

Database Manifests

PostgreSQL clusters managed by CloudNativePG operator.

blumeops-pg

Single-instance PostgreSQL cluster for blumeops services.

Configuration

  • Instances: 1 (single-node for minikube)
  • Storage: 10Gi on standard storage class
  • Initial database: miniflux owned by miniflux user

Users/Roles

User Role Purpose Password Source
postgres superuser CNPG internal (avoid using) blumeops-pg-superuser secret
miniflux app owner Owns miniflux database blumeops-pg-app secret
eblume superuser Admin access (matches brew pg) blumeops-pg-eblume secret (manual)

Manual Secret Setup

Before deploying, create the eblume password secret:

# Create namespace first
kubectl create namespace databases

# Apply eblume password from 1Password
op inject -i argocd/manifests/databases/secret-eblume.yaml.tpl | kubectl apply -f -

The miniflux user password is auto-generated by CloudNativePG and stored in blumeops-pg-app.

Connection Information

After the cluster is healthy:

# Connect as eblume (same style as current brew pg)
# Uses same password as pg.tail8d86e.ts.net
PGPASSWORD=$(op --vault blumeops item get guxu3j7ajhjyey6xxl2ovsl2ui --fields password --reveal) \
  psql -h <hostname> -U eblume -d miniflux

# Get miniflux app credentials (for applications)
kubectl -n databases get secret blumeops-pg-app -o jsonpath='{.data.uri}' | base64 -d

# Get postgres superuser credentials (emergency only)
kubectl -n databases get secret blumeops-pg-superuser -o jsonpath='{.data.password}' | base64 -d

Connecting via kubectl port-forward

Until Tailscale exposure is configured:

# Terminal 1: Port-forward to the primary
kubectl -n databases port-forward svc/blumeops-pg-rw 5432:5432

# Terminal 2: Connect as eblume
PGPASSWORD=$(op --vault blumeops item get guxu3j7ajhjyey6xxl2ovsl2ui --fields password --reveal) \
  psql -h localhost -U eblume -d miniflux

Status

# Check cluster health
kubectl -n databases get cluster blumeops-pg

# Check pods
kubectl -n databases get pods -l cnpg.io/cluster=blumeops-pg

# Check managed roles status
kubectl -n databases get cluster blumeops-pg -o jsonpath='{.status.managedRolesStatus}' | jq

# Operator logs
kubectl -n databases logs -l cnpg.io/cluster=blumeops-pg

Future: Tailscale Exposure

The cluster is currently internal-only. In Phase 4, after miniflux migrates to k8s, the pg.tail8d86e.ts.net Tailscale service will be pointed to this cluster.

When exposed, you'll be able to connect with:

psql -h pg.tail8d86e.ts.net -U eblume -W -d miniflux