feat(infra): k3s foundation — cert-manager, Longhorn config, in-cluster data tier

Adds the production cluster foundation (authored + applied live on node1): - cert-manager via the k3s HelmChart controller + letsencrypt staging/prod ClusterIssuers (HTTP-01 / Traefik). - Longhorn config for single-node (values: replica=1, default StorageClass, Retain) + backup-to-Hetzner-Object-Storage credential template. - In-cluster data tier (dezky-data): Postgres 16 (with Authentik+OCIS DB init), MongoDB 7, Redis 7 as StatefulSets on Longhorn, + secret template. - bootstrap.sh: install open-iscsi/nfs-common + enable iscsid (Longhorn prereq). - RUNBOOK.md: full reproducible node1 build order. Real secrets are generated on-box and kept in Bitwarden — never in git.
2026-06-08 18:39:31 +02:00
parent 65a68ee126
commit 153d7053ca
17 changed files with 733 additions and 1 deletions
@@ -0,0 +1,49 @@
+# fleet/data — in-cluster data tier
+
+PostgreSQL 16 (Authentik + OCIS), MongoDB 7 (portal/platform-api) and Redis 7
+(cache/sessions) as single-node StatefulSets on **Longhorn** volumes
+(`storageClassName: longhorn` — see `../longhorn/`), in the `dezky-data`
+namespace. Mirrors the dev docker-compose stack. Self-hosted on the box — no
+external/managed DBs (EU-sovereign).
+
+> Prereq: Longhorn must be installed and its `longhorn` StorageClass present
+> before applying these (the PVCs request it). See `../longhorn/README.md`.
+
+Stable in-cluster DNS:
+- `postgres.dezky-data.svc.cluster.local:5432`
+- `mongo.dezky-data.svc.cluster.local:27017`
+- `redis.dezky-data.svc.cluster.local:6379`
+
+## Apply
+
+```bash
+# 1) Secrets first (out-of-band — NOT in git). Generate values with openssl.
+cp secrets.example.yaml /tmp/data-secrets.yaml
+$EDITOR /tmp/data-secrets.yaml         # fill every REPLACE_* (openssl rand -hex 24)
+kubectl create namespace dezky-data --dry-run=client -o yaml | kubectl apply -f -
+kubectl apply -f /tmp/data-secrets.yaml && rm /tmp/data-secrets.yaml
+
+# 2) The data tier
+kubectl apply -k .
+
+# 3) Watch them come up
+kubectl -n dezky-data rollout status statefulset/postgres
+kubectl -n dezky-data rollout status statefulset/mongo
+kubectl -n dezky-data rollout status statefulset/redis
+kubectl -n dezky-data get pods,pvc
+```
+
+## Notes
+- **Postgres init runs once** (empty data dir): `postgres-init` ConfigMap
+  creates the `authentik` + `ocis` databases/roles using
+  `AUTHENTIK_DB_PASSWORD` / `OCIS_DB_PASSWORD` from the secret. If you change
+  those passwords later, alter the roles in SQL — re-init won't re-run on an
+  existing volume.
+- Store all generated passwords in **Bitwarden**. `AUTHENTIK_DB_PASSWORD` /
+  `OCIS_DB_PASSWORD` must match what you later give Authentik and OCIS.
+- **Backups:** Longhorn snapshots + backs these volumes up to Hetzner Object
+  Storage (S3) — see `../longhorn/README.md`. Block snapshots of a live DB are
+  crash-consistent at best, so also run `pg_dump`/`mongodump` CronJobs (added
+  next) into a Longhorn PVC; restore from those logical dumps, not the raw
+  data dirs.
+- Single replica each — fine for one node. HA/replicas are a later concern.
@@ -0,0 +1,12 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: dezky-data
+
+# Non-secret resources only. Real secrets (secrets.example.yaml) are applied
+# out-of-band and deliberately NOT listed here — same pattern as apps/.
+resources:
+  - namespace.yaml
+  - postgres-init.yaml
+  - postgres.yaml
+  - mongodb.yaml
+  - redis.yaml
@@ -0,0 +1,78 @@
+# MongoDB 7 — portal / platform-api application data (mirrors the dev stack).
+# Single-node StatefulSet on k3s local-path storage. App DBs/collections are
+# created by the apps on first use; root creds come from mongo-secret.
+apiVersion: v1
+kind: Service
+metadata:
+  name: mongo
+  namespace: dezky-data
+spec:
+  clusterIP: None          # headless: stable DNS mongo.dezky-data:27017
+  selector:
+    app: mongo
+  ports:
+    - name: mongo
+      port: 27017
+      targetPort: 27017
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: mongo
+  namespace: dezky-data
+spec:
+  serviceName: mongo
+  replicas: 1
+  selector:
+    matchLabels:
+      app: mongo
+  template:
+    metadata:
+      labels:
+        app: mongo
+    spec:
+      containers:
+        - name: mongo
+          image: mongo:7
+          args: ["--bind_ip_all"]
+          ports:
+            - containerPort: 27017
+          env:
+            - name: MONGO_INITDB_ROOT_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: mongo-secret
+                  key: root-username
+            - name: MONGO_INITDB_ROOT_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: mongo-secret
+                  key: root-password
+          volumeMounts:
+            - name: data
+              mountPath: /data/db
+          resources:
+            requests:
+              cpu: 100m
+              memory: 256Mi
+            limits:
+              memory: 1Gi
+          readinessProbe:
+            exec:
+              command: ["mongosh", "--quiet", "--eval", "db.adminCommand('ping')"]
+            initialDelaySeconds: 15
+            periodSeconds: 10
+          livenessProbe:
+            exec:
+              command: ["mongosh", "--quiet", "--eval", "db.adminCommand('ping')"]
+            initialDelaySeconds: 30
+            periodSeconds: 20
+  volumeClaimTemplates:
+    - metadata:
+        name: data
+      spec:
+        accessModes: ["ReadWriteOnce"]
+        storageClassName: longhorn
+        resources:
+          requests:
+            storage: 20Gi
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: dezky-data
+  labels:
+    app.kubernetes.io/part-of: dezky
@@ -0,0 +1,20 @@
+# Runs once, on first Postgres init (empty data dir), via the official image's
+# /docker-entrypoint-initdb.d hook. Creates the per-service databases + roles
+# Authentik and OCIS need. Passwords come from the postgres-secret env (see
+# secrets.example.yaml) — never hard-code them here.
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: postgres-init
+  namespace: dezky-data
+data:
+  10-extra-databases.sh: |
+    #!/bin/bash
+    set -euo pipefail
+    psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" <<-EOSQL
+      CREATE ROLE authentik LOGIN PASSWORD '${AUTHENTIK_DB_PASSWORD}';
+      CREATE DATABASE authentik OWNER authentik;
+
+      CREATE ROLE ocis LOGIN PASSWORD '${OCIS_DB_PASSWORD}';
+      CREATE DATABASE ocis OWNER ocis;
+    EOSQL
@@ -0,0 +1,82 @@
+# PostgreSQL 16 — shared RDBMS for Authentik + OCIS (mirrors the dev stack).
+# Single-node StatefulSet on k3s local-path storage. Logical dumps for backup
+# are added by a pg_dump CronJob (Restic captures the dump dir on the host).
+apiVersion: v1
+kind: Service
+metadata:
+  name: postgres
+  namespace: dezky-data
+spec:
+  clusterIP: None          # headless: stable DNS postgres.dezky-data:5432
+  selector:
+    app: postgres
+  ports:
+    - name: postgres
+      port: 5432
+      targetPort: 5432
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: postgres
+  namespace: dezky-data
+spec:
+  serviceName: postgres
+  replicas: 1
+  selector:
+    matchLabels:
+      app: postgres
+  template:
+    metadata:
+      labels:
+        app: postgres
+    spec:
+      # No fsGroup needed: the postgres image entrypoint runs as root and
+      # chowns PGDATA to the postgres user before stepping down.
+      containers:
+        - name: postgres
+          image: postgres:16-alpine
+          ports:
+            - containerPort: 5432
+          env:
+            - name: POSTGRES_USER
+              value: postgres
+            - name: PGDATA
+              value: /var/lib/postgresql/data/pgdata   # subdir avoids lost+found clash
+          envFrom:
+            - secretRef:
+                name: postgres-secret    # POSTGRES_PASSWORD, AUTHENTIK_DB_PASSWORD, OCIS_DB_PASSWORD
+          volumeMounts:
+            - name: data
+              mountPath: /var/lib/postgresql/data
+            - name: init
+              mountPath: /docker-entrypoint-initdb.d
+          resources:
+            requests:
+              cpu: 100m
+              memory: 256Mi
+            limits:
+              memory: 1Gi
+          readinessProbe:
+            exec:
+              command: ["pg_isready", "-U", "postgres"]
+            initialDelaySeconds: 10
+            periodSeconds: 10
+          livenessProbe:
+            exec:
+              command: ["pg_isready", "-U", "postgres"]
+            initialDelaySeconds: 30
+            periodSeconds: 20
+      volumes:
+        - name: init
+          configMap:
+            name: postgres-init
+  volumeClaimTemplates:
+    - metadata:
+        name: data
+      spec:
+        accessModes: ["ReadWriteOnce"]
+        storageClassName: longhorn
+        resources:
+          requests:
+            storage: 10Gi
@@ -0,0 +1,78 @@
+# Redis 7 — cache / session store (Authentik, and available to the apps).
+# Password-protected (requirepass) even in-cluster; AOF persistence on a small
+# local-path volume so sessions survive restarts.
+apiVersion: v1
+kind: Service
+metadata:
+  name: redis
+  namespace: dezky-data
+spec:
+  clusterIP: None          # headless: stable DNS redis.dezky-data:6379
+  selector:
+    app: redis
+  ports:
+    - name: redis
+      port: 6379
+      targetPort: 6379
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: redis
+  namespace: dezky-data
+spec:
+  serviceName: redis
+  replicas: 1
+  selector:
+    matchLabels:
+      app: redis
+  template:
+    metadata:
+      labels:
+        app: redis
+    spec:
+      containers:
+        - name: redis
+          image: redis:7-alpine
+          command: ["redis-server"]
+          args:
+            - "--requirepass"
+            - "$(REDIS_PASSWORD)"
+            - "--appendonly"
+            - "yes"
+          ports:
+            - containerPort: 6379
+          env:
+            - name: REDIS_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: redis-secret
+                  key: REDIS_PASSWORD
+          volumeMounts:
+            - name: data
+              mountPath: /data
+          resources:
+            requests:
+              cpu: 50m
+              memory: 64Mi
+            limits:
+              memory: 256Mi
+          readinessProbe:
+            exec:
+              command: ["sh", "-c", 'redis-cli -a "$REDIS_PASSWORD" ping']
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          livenessProbe:
+            exec:
+              command: ["sh", "-c", 'redis-cli -a "$REDIS_PASSWORD" ping']
+            initialDelaySeconds: 15
+            periodSeconds: 20
+  volumeClaimTemplates:
+    - metadata:
+        name: data
+      spec:
+        accessModes: ["ReadWriteOnce"]
+        storageClassName: longhorn
+        resources:
+          requests:
+            storage: 2Gi
@@ -0,0 +1,39 @@
+# SECRET TEMPLATE for the data tier — copy, fill, apply OUT-OF-BAND.
+# NEVER commit real values. Excluded from kustomization.yaml on purpose.
+#
+#   cp secrets.example.yaml /tmp/data-secrets.yaml
+#   # fill every REPLACE_* (openssl rand -hex 24)
+#   kubectl apply -f /tmp/data-secrets.yaml && rm /tmp/data-secrets.yaml
+#
+# Record these in Bitwarden — losing them locks you out of the DBs. The
+# AUTHENTIK_DB_PASSWORD / OCIS_DB_PASSWORD must match what you give Authentik
+# and OCIS in their own configs.
+apiVersion: v1
+kind: Secret
+metadata:
+  name: postgres-secret
+  namespace: dezky-data
+type: Opaque
+stringData:
+  POSTGRES_PASSWORD: REPLACE_superuser_pw      # openssl rand -hex 24
+  AUTHENTIK_DB_PASSWORD: REPLACE_authentik_pw  # openssl rand -hex 24
+  OCIS_DB_PASSWORD: REPLACE_ocis_pw            # openssl rand -hex 24
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: mongo-secret
+  namespace: dezky-data
+type: Opaque
+stringData:
+  root-username: dezky
+  root-password: REPLACE_mongo_root_pw         # openssl rand -hex 24
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: redis-secret
+  namespace: dezky-data
+type: Opaque
+stringData:
+  REDIS_PASSWORD: REPLACE_redis_pw             # openssl rand -hex 24