fe51c8c1bc
Adds a self-contained minikube environment for local development and
testing alongside the existing production env.
env: minikube
- cluster.domain: minikube (browser DNS routes *.minikube → minikube ip)
- tls issuer: mkcert (CA-signed via cert-manager mkcert ClusterIssuer)
- storageClass: standard (minikube hostpath provisioner)
- backups disabled; storagebox disabled
- excludes argocd, forgejo, hcloud-csi (manual kubectl apply for testing)
prototypes/garage:
- hand-rolled S3-compatible object store (single Deployment + PVC)
- mittwald-generated rpc_secret + admin_token (hex)
- PostSync init Job: assigns cluster layout, ensures bucket and access
key, writes ocis-s3-credentials cross-namespace into ocis ns
- idempotent: skips if k8s secret already populated; otherwise rotates
the garage key (admin API only returns secretAccessKey on create)
- cross-ns RBAC re-pinned via zz-cross-ns-rbac-fix overlay (ns.ytt.yaml
clobbers explicit namespace fields)
ocis:
- new admin-user-id init Job ensures secret.user-id is a valid UUID v4
(mittwald can't generate UUIDs; ocis-settings rejects non-UUID ids)
- mittwald no longer manages user-id; existing prod UUIDs preserved
- insecure flag (oidcIdpInsecure / ocisHttpApiInsecure / ocmInsecure)
parameterized; defaults to false; minikube sets true for self-signed
OIDC issuer URL trust
other prototypes:
- victoria-metrics-single helm values ytt-ified (storageClassName)
- grafana admin secret now generated by mittwald (was hand-created in
prod; manifest is no-op there since mittwald only fills empty fields)
flake.nix: minikube + docker + postgresql added to dev shell.
100 lines
3.1 KiB
YAML
100 lines
3.1 KiB
YAML
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
annotations:
|
|
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
|
|
labels:
|
|
app.kubernetes.io/instance: cloudnative-pg
|
|
app.kubernetes.io/managed-by: Helm
|
|
app.kubernetes.io/name: cloudnative-pg
|
|
app.kubernetes.io/version: 1.25.0
|
|
helm.sh/chart: cloudnative-pg-0.23.0
|
|
name: cloudnative-pg
|
|
namespace: cnpg-system
|
|
spec:
|
|
replicas: 1
|
|
selector:
|
|
matchLabels:
|
|
app.kubernetes.io/instance: cloudnative-pg
|
|
app.kubernetes.io/name: cloudnative-pg
|
|
template:
|
|
metadata:
|
|
annotations:
|
|
checksum/config: 58eeb2f6847432d54310c44a01db93c370f722309827d3a3177b36183ae7399b
|
|
checksum/monitoring-config: 794b973f78a96e769be960221b62b1168deb2bc532c5b16b31096bbe801d2d54
|
|
checksum/rbac: f8bdccd5b7485612eb3d8e0b5b10c9916c9d017418e2862f96a78a9206b9e091
|
|
labels:
|
|
app.kubernetes.io/instance: cloudnative-pg
|
|
app.kubernetes.io/name: cloudnative-pg
|
|
spec:
|
|
containers:
|
|
- args:
|
|
- controller
|
|
- --leader-elect
|
|
- --max-concurrent-reconciles=10
|
|
- --config-map-name=cnpg-controller-manager-config
|
|
- --webhook-port=9443
|
|
command:
|
|
- /manager
|
|
env:
|
|
- name: OPERATOR_IMAGE_NAME
|
|
value: ghcr.io/cloudnative-pg/cloudnative-pg:1.25.0
|
|
- name: OPERATOR_NAMESPACE
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: metadata.namespace
|
|
- name: MONITORING_QUERIES_CONFIGMAP
|
|
value: cnpg-default-monitoring
|
|
image: ghcr.io/cloudnative-pg/cloudnative-pg:1.25.0
|
|
imagePullPolicy: IfNotPresent
|
|
livenessProbe:
|
|
httpGet:
|
|
path: /readyz
|
|
port: 9443
|
|
scheme: HTTPS
|
|
initialDelaySeconds: 3
|
|
name: manager
|
|
ports:
|
|
- containerPort: 8080
|
|
name: metrics
|
|
protocol: TCP
|
|
- containerPort: 9443
|
|
name: webhook-server
|
|
protocol: TCP
|
|
readinessProbe:
|
|
httpGet:
|
|
path: /readyz
|
|
port: 9443
|
|
scheme: HTTPS
|
|
initialDelaySeconds: 3
|
|
resources: {}
|
|
securityContext:
|
|
allowPrivilegeEscalation: false
|
|
capabilities:
|
|
drop:
|
|
- ALL
|
|
readOnlyRootFilesystem: true
|
|
runAsGroup: 10001
|
|
runAsUser: 10001
|
|
seccompProfile:
|
|
type: RuntimeDefault
|
|
volumeMounts:
|
|
- mountPath: /controller
|
|
name: scratch-data
|
|
- mountPath: /run/secrets/cnpg.io/webhook
|
|
name: webhook-certificates
|
|
securityContext:
|
|
runAsNonRoot: true
|
|
seccompProfile:
|
|
type: RuntimeDefault
|
|
serviceAccountName: cloudnative-pg
|
|
terminationGracePeriodSeconds: 10
|
|
volumes:
|
|
- emptyDir: {}
|
|
name: scratch-data
|
|
- name: webhook-certificates
|
|
secret:
|
|
defaultMode: 420
|
|
optional: true
|
|
secretName: cnpg-webhook-cert
|