Remove app-level CNPG resources from platform (Phase 2b cleanup) #16

Closed
opened 2026-03-02 21:45:08 +00:00 by forgejo_admin · 0 comments
Contributor

Plan

plan-2026-02-26-tf-modularize-postgres -- Phase 2b (cleanup platform)

Repo

forgejo_admin/pal-e-platform

User Story

As a platform operator
I want app-level CNPG resources removed from the platform repo
So that the platform only owns the operator and shared infra, and app-level concerns live in pal-e-services

Context

The platform repo currently deploys both the CNPG operator (shared infra) and the pal-e-docs-specific Postgres cluster, backup schedule, and credentials (app-level). This violates the platform/service boundary. App-level CNPG resources (cluster, scheduled backup, app credentials) should be managed by pal-e-services, not pal-e-platform. The operator, shared namespace, shared S3 bucket, and shared IAM stay in platform.

File Targets

Files the agent should modify:

  • terraform/main.tf -- remove 4 resource blocks (cnpg_cluster, cnpg_scheduled_backup, cnpg_superuser, paledocs_db_credentials)
  • terraform/variables.tf -- remove 3 variables (paledocs_db_username, paledocs_db_password, cnpg_superuser_password)
  • terraform/outputs.tf -- remove 2 outputs (cnpg_cluster_name, postgres_internal_dsn), keep cnpg_namespace
  • terraform/k3s.tfvars.example -- remove 2 lines (paledocs_db_password, cnpg_superuser_password)

Files the agent should NOT touch:

  • terraform/providers.tf -- no changes needed
  • terraform/versions.tf -- no changes needed
  • Anything under salt/ -- host-level, unrelated

Acceptance Criteria

  • kubernetes_manifest.cnpg_cluster resource block is removed from main.tf
  • kubernetes_manifest.cnpg_scheduled_backup resource block is removed from main.tf
  • kubernetes_secret_v1.cnpg_superuser resource block is removed from main.tf
  • kubernetes_secret_v1.paledocs_db_credentials resource block is removed from main.tf
  • Variables paledocs_db_username, paledocs_db_password, cnpg_superuser_password removed from variables.tf
  • Outputs cnpg_cluster_name, postgres_internal_dsn removed from outputs.tf
  • Output cnpg_namespace is preserved in outputs.tf
  • paledocs_db_password and cnpg_superuser_password removed from k3s.tfvars.example
  • All shared infra resources (helm_release.cnpg, namespaces, MinIO bucket/IAM, cnpg_s3_creds) are preserved
  • No dangling references -- removed resources are not referenced by kept resources
  • tofu fmt passes
  • tofu validate passes

Test Expectations

  • tofu fmt -check returns 0
  • tofu validate returns success
  • No references to removed resources remain in kept code
  • Run command: tofu fmt -check && tofu validate (in terraform/ directory)

Constraints

  • IaC is OpenTofu (tofu not terraform)
  • Do NOT run tofu plan or tofu state rm -- those happen after merge on main workdir
  • Remote is forgejo (not origin)
  • Run tofu fmt and tofu validate before pushing
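The test expectations and constraints above amount to one pre-push procedure. The script below is an added example, not code from this issue or the pal-e-platform repo: it greps the OpenTofu tree for every name the acceptance criteria remove (reference forms such as `var.paledocs_db_password`, the declarations themselves, and the two credential lines in k3s.tfvars.example), so a kept resource that still depends on the deleted cluster or a leftover password placeholder is flagged before `tofu fmt -check && tofu validate` run. The pattern list is a heuristic (a kept resource that used one of these strings for some other purpose would be reported for review, not silently ignored); the file name `prepush-check.sh`, the function names and the `.tf` snippets in its test are constructed here, and it assumes a grep that supports `-r` and `--include` (GNU or BSD).

```shell
#!/bin/sh
# Added example (not from the issue or the pal-e-platform repo): pre-push check
# for the Phase 2b cleanup. Assumes the OpenTofu code lives under terraform/
# and that grep supports -r and --include (GNU and BSD grep both do).

# Names this issue removes, as extended regexes, one per line. The dotted
# reference forms catch dangling uses in kept code, the quoted forms catch the
# declarations, and the last two catch the tfvars.example credential lines.
REMOVED_PATTERNS='
kubernetes_manifest\.cnpg_cluster
kubernetes_manifest\.cnpg_scheduled_backup
kubernetes_secret_v1\.cnpg_superuser
kubernetes_secret_v1\.paledocs_db_credentials
var\.paledocs_db_username
var\.paledocs_db_password
var\.cnpg_superuser_password
"cnpg_cluster"
"cnpg_scheduled_backup"
"cnpg_superuser"
"paledocs_db_credentials"
"paledocs_db_username"
"paledocs_db_password"
"cnpg_superuser_password"
"cnpg_cluster_name"
"postgres_internal_dsn"
^[[:space:]]*paledocs_db_password[[:space:]]*=
^[[:space:]]*cnpg_superuser_password[[:space:]]*=
'

# Join the list into one alternation so a single grep pass covers everything.
REMOVED_RE=$(printf '%s\n' "$REMOVED_PATTERNS" | grep -v '^$' | paste -sd '|' -)

# check_no_dangling_refs DIR
# Returns 0 when no .tf / .tfvars* file under DIR mentions a removed name,
# 1 otherwise; every offending file:line:text is printed for review.
check_no_dangling_refs() {
    if grep -r -n -E -e "$REMOVED_RE" --include='*.tf' --include='*.tfvars*' -- "$1"; then
        echo "dangling references to removed CNPG resources found" >&2
        return 1
    fi
    return 0
}

# run_tofu_checks DIR
# The two commands the issue requires before pushing. Nothing here touches
# plan or state; those happen after merge, per the constraints.
run_tofu_checks() {
    ( cd "$1" && tofu fmt -check && tofu validate )
}

# Usage: sh prepush-check.sh terraform   (from the repo root)
if [ "$#" -gt 0 ]; then
    check_no_dangling_refs "$1" && run_tofu_checks "$1"
fi
```

The reference check runs first so that a dangling `kubernetes_manifest.cnpg_cluster` in a kept resource is reported by name rather than as a generic `tofu validate` error about an undeclared resource.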

Checklist

  • PR opened
  • Tests pass
  • No unrelated changes

Related

  • plan-2026-02-26-tf-modularize-postgres -- Terraform modularization of Postgres
Reference
ldraney/pal-e-platform#16