Add Terraform-managed Postgres DB secret for pal-e-docs namespace #23

Merged
forgejo_admin merged 2 commits from 22-paledocs-db-secret into main 2026-03-06 17:30:02 +00:00

Summary

  • Creates a kubernetes_secret_v1.paledocs_db_url resource in the pal-e-docs namespace containing the DATABASE_URL for the paledocs Postgres user
  • Adds the corresponding paledocs_db_password sensitive variable
  • Follows the established pattern used by cnpg_s3_creds

Changes

  • terraform/variables.tf -- added paledocs_db_password variable (type = string, sensitive = true)
  • terraform/main.tf -- added kubernetes_secret_v1.paledocs_db_url resource in the CNPG section, after cnpg_s3_creds
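
The variable and secret resource the Summary and Changes describe, reconstructed below as an added example; it is not the project's own terraform/variables.tf or terraform/main.tf, whose actual HCL is not shown on this page. The resource name, secret name, namespace, DATABASE_URL key, paledocs user and sensitive variable come from the PR and the second commit's note that the namespace is looked up via a data source; the data source name pal_e_docs, the CNPG service host, the database name, the port and the sslmode setting are assumptions.

```hcl
# Added example (not the project's code). Reconstructs the PR's shape:
# a sensitive input variable plus a kubernetes_secret_v1 in pal-e-docs,
# with the namespace resolved through a data source, not a hardcoded string.

variable "paledocs_db_password" {
  description = "Password for the paledocs Postgres user. Supplied via k3s.tfvars, never committed."
  type        = string
  sensitive   = true
}

# The namespace is managed by pal-e-services, so look it up instead of hardcoding it.
# Data source name "pal_e_docs" is assumed.
data "kubernetes_namespace_v1" "pal_e_docs" {
  metadata {
    name = "pal-e-docs"
  }
}

locals {
  # Assumed values: the CNPG read-write service of the cluster and the DB name.
  paledocs_db_host = "pal-e-postgres-rw.cnpg-system.svc.cluster.local"
  paledocs_db_name = "paledocs"
}

resource "kubernetes_secret_v1" "paledocs_db_url" {
  metadata {
    name      = "paledocs-db-url"
    namespace = data.kubernetes_namespace_v1.pal_e_docs.metadata[0].name
  }

  type = "Opaque"

  # "data" takes plaintext; the provider base64-encodes it for the API.
  # urlencode() stops a generated password containing @ / : ? from breaking the URL.
  # sslmode=require is an assumption about the CNPG cluster's TLS configuration.
  data = {
    DATABASE_URL = format(
      "postgresql://paledocs:%s@%s:5432/%s?sslmode=require",
      urlencode(var.paledocs_db_password),
      local.paledocs_db_host,
      local.paledocs_db_name
    )
  }
}
```

Because `data` is derived from a sensitive variable, `tofu plan` renders it as `(sensitive value)`, which is what the plan output further down this page shows. Two caveats the test plan does not mention: the plaintext URL, password included, is written to the OpenTofu state, so the state backend needs the same access controls as the secret itself; and the `kubectl get secret ... | base64 -d` check prints the password to the terminal, so run it from a trusted workstation rather than in CI logs.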

Test Plan

  • [x] tofu fmt -check passes
  • [x] tofu validate passes
  • [x] tofu plan shows only the new secret resource (1 to add, 0 to change, 0 to destroy)
  • [ ] After apply, verify: kubectl get secret paledocs-db-url -n pal-e-docs -o jsonpath='{.data.DATABASE_URL}' | base64 -d
  • [ ] Lucas must add paledocs_db_password to k3s.tfvars before applying

tofu plan output (targeted)

  # kubernetes_secret_v1.paledocs_db_url will be created
  + resource "kubernetes_secret_v1" "paledocs_db_url" {
      + data                           = (sensitive value)
      + id                             = (known after apply)
      + type                           = "Opaque"
      + wait_for_service_account_token = true

      + metadata {
          + generation       = (known after apply)
          + name             = "paledocs-db-url"
          + namespace        = "pal-e-docs"
          + resource_version = (known after apply)
          + uid              = (known after apply)
        }
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Review Checklist

  • [x] Passed automated review-fix loop
  • [x] No secrets committed
  • [x] No unnecessary file changes
  • [x] Commit messages are descriptive

Related Notes

  • plan-2026-02-26-tf-modularize-postgres -- Phase 3, Part A
  • Forgejo issue: #22
Creates kubernetes_secret_v1.paledocs_db_url containing the DATABASE_URL
for the paledocs user to connect to the CNPG cluster cross-namespace.
Follows the established pattern used by cnpg_s3_creds.

Closes #22

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Replace hardcoded namespace string with a data source reference to
match the pattern used by other secrets in main.tf. The namespace
is managed by pal-e-services, so a data lookup is appropriate.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
forgejo_admin deleted branch 22-paledocs-db-secret 2026-03-06 17:30:02 +00:00