move cert-manager and progresql from apps to infrastructure

kubernetes/infrastructure/postgresql/app/ingress.yaml

@@ -0,0 +1,31 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: postgresql-ingress
+  namespace: postgresql
+  annotations:
+    nginx.ingress.kubernetes.io/ssl-redirect: "false"
+    nginx.ingress.kubernetes.io/use-regex: "true"
+spec:
+  ingressClassName: nginx
+  rules:
+    - host: "postgres.cluster.local"
+      http:
+        paths:
+          - pathType: Prefix
+            path: "/"
+            backend:
+              service:
+                name: postgresql-primary
+                port:
+                  number: 5432
+    - host: "replica.postgres.cluster.local"
+      http:
+        paths:
+          - pathType: Prefix
+            path: "/"
+            backend:
+              service:
+                name: postgresql-replica
+                port:
+                  number: 5432

kubernetes/infrastructure/postgresql/app/pvc.yaml

@@ -0,0 +1,93 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: postgresql-primary-pv
+  namespace: postgresql
+  labels:
+    type: local
+spec:
+  storageClassName: local-path
+  volumeMode: Filesystem
+  capacity:
+    storage: 8Gi
+  accessModes:
+    - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Retain
+  local:
+    path: "/mnt/nfs/AppData/postgresql/primary"
+  claimRef:
+    apiVersion: v1
+    kind: PersistentVolumeClaim
+    name: postgresql-primary-pvc
+    namespace: postgresql
+  nodeAffinity:
+    required:
+      nodeSelectorTerms:
+        - matchExpressions:
+            - key: kubernetes.io/hostname
+              operator: In
+              values:
+                - rpi5-cluster-node-3
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: postgresql-primary-pvc
+  namespace: postgresql
+  labels:
+    name: postgresql-primary-pvc
+spec:
+  storageClassName: local-path
+  volumeMode: Filesystem
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 8Gi
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: postgresql-replica-pv
+  namespace: flux-system
+  labels:
+    type: local
+spec:
+  storageClassName: local-path
+  volumeMode: Filesystem
+  capacity:
+    storage: 8Gi
+  accessModes:
+    - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Retain
+  local:
+    path: "/mnt/nfs/AppData/postgresql/replica"
+  claimRef:
+    apiVersion: v1
+    kind: PersistentVolumeClaim
+    name: postgresql-replica-pvc
+    namespace: postgresql
+  nodeAffinity:
+    required:
+      nodeSelectorTerms:
+        - matchExpressions:
+            - key: kubernetes.io/hostname
+              operator: In
+              values:
+                - rpi5-cluster-node-3
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: postgresql-replica-pvc
+  namespace: postgresql
+  labels:
+    name: postgresql-replica-pvc
+spec:
+  storageClassName: local-path
+  volumeMode: Filesystem
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 8Gi

kubernetes/infrastructure/postgresql/app/release.yaml

@@ -0,0 +1,57 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: postgresql
+  namespace: postgresql
+spec:
+  releaseName: postgresql
+  chart:
+    spec:
+      chart: postgresql
+      sourceRef:
+        kind: HelmRepository
+        name: bitnami
+        namespace: flux-system
+  interval: 1h
+  install:
+    remediation:
+      retries: 3
+  values:
+    auth:
+      postgresPassword: ${postgres_password}
+      username: ${username}
+      password: ${password}
+      database: ${database}
+      replicationPassword: ${replication_password}
+    architecture: "replication"
+    replication:
+      synchronousCommit: "on"
+      numSynchronousReplicas: 1
+      applicationName: "postgres_repl"
+    primary:
+      podSecurityContext:
+        fsGroup: 1000
+      containerSecurityContext:
+        runAsUser: 1000
+        runAsGroup: 1000
+      podLabels:
+        name: "postgresql-primary"
+      persistence:
+        existingClaim: postgresql-primary-pvc
+        selector:
+          matchLabels:
+            name: postgresql-primary-pvc
+    readReplicas:
+      name: "replica"
+      podSecurityContext:
+        fsGroup: 1000
+      containerSecurityContext:
+        runAsUser: 1000
+        runAsGroup: 1000
+      podLabels:
+        name: "postgresql-replica"
+      persistence:
+        existingClaim: postgresql-replica-pvc
+        selector:
+          matchLabels:
+            name: postgresql-replica-pvc

kubernetes/infrastructure/postgresql/postgresql.yaml

@@ -0,0 +1,49 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: postgresql-secrets
+  namespace: flux-system
+spec:
+  interval: 10m
+  timeout: 1m30s
+  retryInterval: 30s
+  targetNamespace: postgresql
+  path: ./postgresql
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    namespace: flux-system
+    name: home-cluster-ops-secrets
+  dependsOn:
+    - name: namespaces
+      namespace: flux-system
+    - name: repositories
+      namespace: flux-system
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-age
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: postgresql
+  namespace: postgresql
+spec:
+  interval: 10m
+  timeout: 1m30s
+  retryInterval: 30s
+  path: ./kubernetes/infrastructure/postgresql/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    namespace: flux-system
+    name: flux-system
+  dependsOn:
+    - name: postgresql-secrets
+      namespace: flux-system
+  postBuild:
+    substituteFrom:
+      - kind: Secret
+        name: postgresql-secrets
+

kubernetes/infrastructure/postgresql/scripts/ingress-nginx-svc-controller-patch.yaml

@@ -0,0 +1,10 @@
+spec:
+  ports:
+    - name: postgresql-tcp
+      port: 5432
+      targetPort: 5432
+      protocol: TCP
+    - name: postgresql-repl--tcp
+      port: 5433
+      targetPort: 5433
+      protocol: TCP

kubernetes/infrastructure/postgresql/scripts/patch-ingress-nginx.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+set -e
+
+kubectl patch service ingress-nginx-controller -n ingress-nginx --patch "$(cat ingress-nginx-svc-controller-patch.yaml)"