feat: wire apps to shared postgres

batazor · batazor · commit 46f05e187368 · 2026-04-29T17:51:37.000+07:00
diff --git a/argocd/boundaries/auth/kratos.yaml b/argocd/boundaries/auth/kratos.yaml
@@ -56,10 +56,10 @@ spec:
       jqPathExpressions:
         - .spec.rules[] | select(.name|test("autogen-."))
     - kind: Secret
-      name: kratos-postgres-pguser-grafana
+      name: shortlink-postgres-pguser-grafana
       jqPathExpressions:
         - .data
     - kind: Secret
-      name: kratos-postgres-pguser-kratos
+      name: shortlink-postgres-pguser-kratos
       jqPathExpressions:
         - .data
diff --git a/argocd/boundaries/shop/common/application.yaml b/argocd/boundaries/shop/common/application.yaml
@@ -50,6 +50,6 @@ spec:
       jqPathExpressions:
         - .spec.rules[] | select(.name|test("autogen-."))
     - kind: Secret
-      name: shop-postgres-pguser-grafana
+      name: shortlink-postgres-pguser-grafana
       jqPathExpressions:
         - .data
diff --git a/argocd/infrastructure/kubernetes-replicator/application.yaml b/argocd/infrastructure/kubernetes-replicator/application.yaml
@@ -0,0 +1,48 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: kubernetes-replicator
+  namespace: argocd
+  annotations:
+    notifications.argoproj.io/subscribe.on-sync-succeeded.slack: gitops
+    argocd.argoproj.io/manifest-generate-paths: ./ops/Helm/addons/kubernetes-replicator
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: shortlink
+  destination:
+    name: ''
+    namespace: kubernetes-replicator
+    server: 'https://kubernetes.default.svc'
+  source:
+    path: ops/Helm/addons/kubernetes-replicator
+    repoURL: 'https://github.com/shortlink-org/helm'
+    targetRevision: HEAD
+    helm:
+      releaseName: kubernetes-replicator
+      valueFiles:
+        - values.yaml
+  syncPolicy:
+    automated:
+      prune: true
+      allowEmpty: true
+      selfHeal: true
+    managedNamespaceMetadata:
+      labels:
+        pod-security.kubernetes.io/enforce: privileged
+        pod-security.kubernetes.io/enforce-version: latest
+    syncOptions:
+      - CreateNamespace=true
+      - ServerSideApply=true
+      - ApplyOutOfSyncOnly=true
+    retry:
+      limit: 2
+      backoff:
+        duration: 10s
+        maxDuration: 3m0s
+        factor: 2
+  ignoreDifferences:
+    - group: kyverno.io
+      kind: ClusterPolicy
+      jqPathExpressions:
+        - .spec.rules[] | select(.name|test("autogen-."))
diff --git a/argocd/infrastructure/store/postgres-operator/application.yaml b/argocd/infrastructure/store/postgres-operator/application.yaml
@@ -48,3 +48,39 @@ spec:
       name: crunchy-postgres-exporter
       jqPathExpressions:
         - .spec.podMetricsEndpoints[] | select(.action)
+    - kind: Secret
+      name: shortlink-postgres-pguser-admin
+      jqPathExpressions:
+        - .data
+    - kind: Secret
+      name: shortlink-postgres-pguser-grafana
+      jqPathExpressions:
+        - .data
+    - kind: Secret
+      name: shortlink-postgres-pguser-kratos
+      jqPathExpressions:
+        - .data
+    - kind: Secret
+      name: shortlink-postgres-pguser-shop
+      jqPathExpressions:
+        - .data
+    - kind: Secret
+      name: shortlink-postgres-pguser-oms
+      jqPathExpressions:
+        - .data
+    - kind: Secret
+      name: shortlink-postgres-pguser-delivery
+      jqPathExpressions:
+        - .data
+    - kind: Secret
+      name: shortlink-postgres-pguser-temporal
+      jqPathExpressions:
+        - .data
+    - kind: Secret
+      name: shortlink-postgres-pguser-spicedb
+      jqPathExpressions:
+        - .data
+    - kind: Secret
+      name: shortlink-postgres-pguser-partman
+      jqPathExpressions:
+        - .data
diff --git a/argocd/kustomize/auth/spicedb-operator/kustomization.yaml b/argocd/kustomize/auth/spicedb-operator/kustomization.yaml
@@ -6,7 +6,8 @@ resources:
   - https://github.com/authzed/spicedb-operator/config?ref=v1.24.0
   - spicedb/secret.yaml
   - spicedb/spiceDBCluster.yaml
-  - spicedb/postgres-operator.yaml
+  # PostgresCluster moved to the shared postgres-operator chart.
+  # - spicedb/postgres-operator.yaml
   - spicedb/grpcRoute.yaml
 
 images:
diff --git a/argocd/kustomize/auth/spicedb-operator/spicedb/postgres-operator.yaml b/argocd/kustomize/auth/spicedb-operator/spicedb/postgres-operator.yaml
@@ -1,65 +1,68 @@
-apiVersion: postgres-operator.crunchydata.com/v1
-kind: PostgresCluster
-metadata:
-  name: spicedb-postgres
-  annotations:
-    argocd.argoproj.io/sync-wave: "1"
-spec:
-  postgresVersion: 18
-  metadata:
-    annotations:
-      sidecar.istio.io/inject: "false"
-  instances:
-    - name: spicedb
-      replicas: 1
-      metadata:
-        annotations:
-          sidecar.istio.io/inject: "false"
-      dataVolumeClaimSpec:
-        storageClassName: local-path
-        accessModes:
-          - "ReadWriteOnce"
-        resources:
-          requests:
-            storage: 1Gi
-          # NOTE: wait new version chart > 5.6.0
-          # limit:
-          #   storage: 2Gi
-  patroni:
-    dynamicConfiguration:
-      postgresql:
-        parameters:
-          track_commit_timestamp: "on"
-          # TODO: enable pgmonitor_bgw
-          shared_preload_libraries: pg_stat_statements,auto_explain,pgaudit
-          pgmonitor_bgw.dbname: postgres,spicedb
-          pgmonitor_bgw.role: "postgres"
-  # backups:
-  #   pgbackrest:
-  #     metadata:
-  #       annotations:
-  #         sidecar.istio.io/inject: "false"
-  #     repos:
-  #       - name: repo1
-  #         volume:
-  #           volumeClaimSpec:
-  #             storageClassName: local-path
-  #             accessModes:
-  #               - "ReadWriteOnce"
-  #             resources:
-  #               requests:
-  #                 storage: 1Gi
-  monitoring:
-    pgmonitor:
-      exporter:
-        image: registry.developers.crunchydata.com/crunchydata/crunchy-postgres-exporter:latest
-  users:
-    - name: admin
-      databases:
-        - postgres
-        - spicedb
-      options: "SUPERUSER"
-    - name: spicedb
-      databases:
-        - spicedb
-      options: "SUPERUSER"
+# Legacy per-application PostgresCluster.
+# The live SpiceDB database now uses shortlink-postgres from the shared postgres-operator chart.
+#
+# apiVersion: postgres-operator.crunchydata.com/v1
+# kind: PostgresCluster
+# metadata:
+#   name: spicedb-postgres
+#   annotations:
+#     argocd.argoproj.io/sync-wave: "1"
+# spec:
+#   postgresVersion: 18
+#   metadata:
+#     annotations:
+#       sidecar.istio.io/inject: "false"
+#   instances:
+#     - name: spicedb
+#       replicas: 1
+#       metadata:
+#         annotations:
+#           sidecar.istio.io/inject: "false"
+#       dataVolumeClaimSpec:
+#         storageClassName: local-path
+#         accessModes:
+#           - "ReadWriteOnce"
+#         resources:
+#           requests:
+#             storage: 1Gi
+#           # NOTE: wait new version chart > 5.6.0
+#           # limit:
+#           #   storage: 2Gi
+#   patroni:
+#     dynamicConfiguration:
+#       postgresql:
+#         parameters:
+#           track_commit_timestamp: "on"
+#           # TODO: enable pgmonitor_bgw
+#           shared_preload_libraries: pg_stat_statements,auto_explain,pgaudit
+#           pgmonitor_bgw.dbname: postgres,spicedb
+#           pgmonitor_bgw.role: "postgres"
+#   # backups:
+#   #   pgbackrest:
+#   #     metadata:
+#   #       annotations:
+#   #         sidecar.istio.io/inject: "false"
+#   #     repos:
+#   #       - name: repo1
+#   #         volume:
+#   #           volumeClaimSpec:
+#   #             storageClassName: local-path
+#   #             accessModes:
+#   #               - "ReadWriteOnce"
+#   #             resources:
+#   #               requests:
+#   #                 storage: 1Gi
+#   monitoring:
+#     pgmonitor:
+#       exporter:
+#         image: registry.developers.crunchydata.com/crunchydata/crunchy-postgres-exporter:latest
+#   users:
+#     - name: admin
+#       databases:
+#         - postgres
+#         - spicedb
+#       options: "SUPERUSER"
+#     - name: spicedb
+#       databases:
+#         - spicedb
+#       options: "SUPERUSER"
diff --git a/argocd/kustomize/auth/spicedb-operator/spicedb/spiceDBCluster.yaml b/argocd/kustomize/auth/spicedb-operator/spicedb/spiceDBCluster.yaml
@@ -3,7 +3,7 @@ kind: SpiceDBCluster
 metadata:
   name: shortlink
   annotations:
-    # After PostgresCluster (wave 1): needs spicedb-postgres-pguser-spicedb secret.
+    # After shared PostgresCluster (wave 1): needs shortlink-postgres-pguser-spicedb secret.
     argocd.argoproj.io/sync-wave: "2"
 spec:
   config:
@@ -59,7 +59,7 @@ spec:
                     - name: SPICEDB_DATASTORE_CONN_URI
                       valueFrom:
                         secretKeyRef:
-                          name: spicedb-postgres-pguser-spicedb
+                          name: shortlink-postgres-pguser-spicedb
                           key: uri
 
                     - name: SPICEDB_DISPATCH_CACHE_METRICS
@@ -99,5 +99,5 @@ spec:
                     - name: SPICEDB_DATASTORE_CONN_URI
                       valueFrom:
                         secretKeyRef:
-                          name: spicedb-postgres-pguser-spicedb
+                          name: shortlink-postgres-pguser-spicedb
                           key: uri
