Deploy CloudNativePG operator + Cluster to k3s #13

New issue

Closed

opened 2026-03-02 21:11:52 +00:00 by forgejo_admin · 0 comments

forgejo_admin commented 2026-03-02 21:11:52 +00:00

Owner

Copy link

Plan

plan-2026-02-26-tf-modularize-postgres -- Phase 2

Repo

forgejo_admin/pal-e-platform

User Story

As a platform operator
I want CloudNativePG deployed to k3s with a shared PostgreSQL cluster
So that platform services can use managed Postgres instead of embedded SQLite

Context

Platform services (pal-e-docs, future apps) need a shared PostgreSQL instance. CloudNativePG (CNPG) is a Kubernetes operator that manages PostgreSQL clusters declaratively. This phase deploys the CNPG operator via Helm and creates a single-instance Cluster CRD via kubernetes_manifest.

Key decision: CNPG's admission webhook injects default PostgreSQL parameters (wal_receiver_timeout and wal_sender_timeout both set to 5min) into the Cluster spec. If these are not present in the Terraform manifest, every tofu apply produces a provider drift error. These must be pinned in the manifest.

File Targets

Files the agent should modify or create:

• terraform/main.tf -- add CNPG namespace, Helm release, and Cluster kubernetes_manifest
• terraform/versions.tf -- no changes expected (kubernetes provider already present)
• terraform/variables.tf -- add CNPG-related variables if needed
• terraform/outputs.tf -- add CNPG cluster outputs

Files the agent should NOT touch:

• salt/ -- host-level config, not relevant

Acceptance Criteria

• CNPG operator deployed via helm_release
• CNPG Cluster manifest created via kubernetes_manifest with single instance
• PostgreSQL parameters include wal_receiver_timeout = "5min" and wal_sender_timeout = "5min"
• tofu fmt passes
• tofu validate passes

Test Expectations

• tofu fmt -check exits 0
• tofu validate exits 0
• Run command: cd terraform && tofu fmt -check && tofu validate

Constraints

• IaC is OpenTofu (tofu not terraform)
• Follow existing patterns in main.tf: namespace -> helm_release -> kubernetes_manifest -> ingress
• Use local-path storageClass consistent with other resources
• Single-instance cluster (no HA needed for bootstrap platform)
• Pin CNPG Helm chart version for reproducibility

Checklist

• PR opened
• Tests pass (tofu fmt, tofu validate)
• No unrelated changes

Related

• plan-2026-02-26-tf-modularize-postgres -- parent plan

### Plan `plan-2026-02-26-tf-modularize-postgres` -- Phase 2 ### Repo `forgejo_admin/pal-e-platform` ### User Story As a platform operator I want CloudNativePG deployed to k3s with a shared PostgreSQL cluster So that platform services can use managed Postgres instead of embedded SQLite ### Context Platform services (pal-e-docs, future apps) need a shared PostgreSQL instance. CloudNativePG (CNPG) is a Kubernetes operator that manages PostgreSQL clusters declaratively. This phase deploys the CNPG operator via Helm and creates a single-instance Cluster CRD via `kubernetes_manifest`. Key decision: CNPG's admission webhook injects default PostgreSQL parameters (`wal_receiver_timeout` and `wal_sender_timeout` both set to `5min`) into the Cluster spec. If these are not present in the Terraform manifest, every `tofu apply` produces a provider drift error. These must be pinned in the manifest. ### File Targets Files the agent should modify or create: - `terraform/main.tf` -- add CNPG namespace, Helm release, and Cluster kubernetes_manifest - `terraform/versions.tf` -- no changes expected (kubernetes provider already present) - `terraform/variables.tf` -- add CNPG-related variables if needed - `terraform/outputs.tf` -- add CNPG cluster outputs Files the agent should NOT touch: - `salt/` -- host-level config, not relevant ### Acceptance Criteria - [ ] CNPG operator deployed via `helm_release` - [ ] CNPG `Cluster` manifest created via `kubernetes_manifest` with single instance - [ ] PostgreSQL parameters include `wal_receiver_timeout = "5min"` and `wal_sender_timeout = "5min"` - [ ] `tofu fmt` passes - [ ] `tofu validate` passes ### Test Expectations - [ ] `tofu fmt -check` exits 0 - [ ] `tofu validate` exits 0 - Run command: `cd terraform && tofu fmt -check && tofu validate` ### Constraints - IaC is OpenTofu (`tofu` not `terraform`) - Follow existing patterns in main.tf: namespace -> helm_release -> kubernetes_manifest -> ingress - Use `local-path` storageClass consistent with other resources - Single-instance cluster (no HA needed for bootstrap platform) - Pin CNPG Helm chart version for reproducibility ### Checklist - [ ] PR opened - [ ] Tests pass (`tofu fmt`, `tofu validate`) - [ ] No unrelated changes ### Related - `plan-2026-02-26-tf-modularize-postgres` -- parent plan

forgejo_admin referenced this issue from a commit 2026-03-02 21:14:38 +00:00

Fix CNPG admission webhook drift for WAL timeout parameters

forgejo_admin referenced this issue 2026-03-02 21:15:08 +00:00

Fix CNPG webhook drift for WAL timeout parameters #14

forgejo_admin referenced this issue from a commit 2026-03-02 21:21:04 +00:00

fix: include all 32 CNPG-injected parameters to prevent drift

forgejo_admin referenced this issue from a commit 2026-03-02 21:22:54 +00:00

fix: include all 32 CNPG-injected parameters to prevent drift

forgejo_admin referenced this issue 2026-03-02 21:23:09 +00:00

fix: pin all 32 CNPG-injected parameters to stop drift #15

forgejo_admin closed this issue 2026-03-03 04:15:40 +00:00

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

188-cross-repo-worktree-isolation-for-parall

111-fix-keycloak-probe

86-fix-rotate-woodpecker-api-token-in-salt

71-feat-deploy-pyrra-slo-manager-with-servi

64-hotfix-woodpecker-oauth-login-broken-for

18-fix-grafana-duplicate-default-datasource-v2

18-fix-grafana-duplicate-default-datasource

13-fix-cnpg-all-parameters

No results found.

Labels

Clear labels   

domain:backend

  

domain:devops

  

domain:frontend

  

status:approved

QA passed, awaiting merge approval

  

status:in-progress

Dev agent is actively working

  

status:needs-fix

QA found issues, back to dev

  

status:qa

PR submitted, awaiting QA review

  

type:bug

Bug fix

  

type:devops

Infrastructure/CI/config work

  

type:feature

New functionality

No labels

domain:backend

domain:devops

domain:frontend

status:approved

status:in-progress

status:needs-fix

status:qa

type:bug

type:devops

type:feature

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

forgejo_admin/pal-e-platform#13

No description provided.