Merge pull request #134 from HideyoshiSolutions/feat/adds-cert-issuer-cloudnative-pg

feat: adds cert issuer and cloudnative-pg

.github/workflows/deploy.yml

@@ -14,6 +14,8 @@ jobs:
         env:
             GHCR_USERNAME: ${{ secrets.GHCR_USERNAME }}
             GHCR_TOKEN: ${{ secrets.GHCR_TOKEN }}
+            KUBE_CERT_SERVER: ${{ secrets.KUBE_CERT_SERVER }}
+            KUBE_DOMAIN_EMAIL: ${{ secrets.KUBE_DOMAIN_EMAIL }}
 
         steps:
             - name: Checkout Repository

deploy.sh

@@ -27,6 +27,12 @@ kubectl create namespace cert-manager \
 kubectl apply -f manifest/charts/cert-manager
 
 
+# deploy cloudnative-pg
+kubectl create namespace cnpg-system \
+    --dry-run=client -o yaml | kubectl apply -f -
+kubectl apply -f manifest/charts/cloudnative-pg
+
+
 ### set application namespaces and configures docker registry secret ###
 for NAMESPACE in ${NAMESPACES_LIST//,/ }; do
     kubectl create namespace $NAMESPACE \

manifest/charts/cert-manager/cert-manager-issuer.yaml

@@ -0,0 +1,14 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+    name: cluster-certificate-issuer
+spec:
+    acme:
+        server: ${KUBE_CERT_SERVER}
+        email: ${KUBE_DOMAIN_EMAIL}
+        privateKeySecretRef:
+            name: cluster-certificate-issuer
+        solvers:
+            - http01:
+                  ingress:
+                      class: nginx

manifest/charts/cert-manager/helm-release-cert-manager.yaml

@@ -18,6 +18,7 @@ spec:
     createNamespace: true
     crds: CreateReplace
   values:
+    installCRDs: true
     resources:
       limits:
         cpu: 50m

manifest/charts/cloudnative-pg/helm-release-cloudnative-pg.yaml

@@ -0,0 +1,77 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: cnpg
+  namespace: cnpg-system
+spec:
+  interval: 10m
+  releaseName: cnpg
+  chart:
+    spec:
+      chart: cloudnative-pg
+      sourceRef:
+        kind: HelmRepository
+        name: cloudnative-pg
+        namespace: flux-system
+  install:
+    createNamespace: true
+  values:
+    # CloudNative-PG Operator resource limits
+    operator:
+      resources:
+        limits:
+          cpu: 100m
+          memory: 128Mi
+        requests:
+          cpu: 50m
+          memory: 64Mi
+      # Security context
+      securityContext:
+        allowPrivilegeEscalation: false
+        readOnlyRootFilesystem: true
+        runAsNonRoot: true
+        runAsUser: 65534
+        capabilities:
+          drop:
+            - ALL
+      # Pod security context
+      podSecurityContext:
+        runAsNonRoot: true
+        runAsUser: 65534
+        fsGroup: 65534
+        seccompProfile:
+          type: RuntimeDefault
+    
+    # Webhook configuration
+    webhook:
+      resources:
+        limits:
+          cpu: 50m
+          memory: 64Mi
+        requests:
+          cpu: 25m
+          memory: 32Mi
+      securityContext:
+        allowPrivilegeEscalation: false
+        readOnlyRootFilesystem: true
+        runAsNonRoot: true
+        runAsUser: 65534
+        capabilities:
+          drop:
+            - ALL
+    
+    # Monitoring configuration
+    monitoring:
+      enabled: true
+      # Set to true if you have Prometheus
+      serviceMonitor:
+        enabled: false
+    
+    # Additional configuration
+    config:
+      # Default storage class for PostgreSQL clusters
+      # storageClass: ""
+      
+      # Default monitoring configuration
+      monitoring:
+        enabled: true

manifest/charts/cloudnative-pg/helm-repository-cloudnative-pg.yaml

@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: cloudnative-pg
+  namespace: flux-system
+spec:
+  interval: 24h
+  url: https://cloudnative-pg.github.io/charts