Ronni Baslund
153d7053ca
ci / typecheck (map[dir:apps/website name:website]) (push) Failing after 10m58s
ci / typecheck (map[dir:apps/portal name:portal]) (push) Failing after 11m56s
ci / typecheck (map[dir:apps/booking name:booking]) (push) Failing after 14m0s
ci / typecheck (map[dir:services/platform-api name:platform-api]) (push) Has been cancelled
ci / test (push) Has been cancelled
Adds the production cluster foundation (authored + applied live on node1): - cert-manager via the k3s HelmChart controller + letsencrypt staging/prod ClusterIssuers (HTTP-01 / Traefik). - Longhorn config for single-node (values: replica=1, default StorageClass, Retain) + backup-to-Hetzner-Object-Storage credential template. - In-cluster data tier (dezky-data): Postgres 16 (with Authentik+OCIS DB init), MongoDB 7, Redis 7 as StatefulSets on Longhorn, + secret template. - bootstrap.sh: install open-iscsi/nfs-common + enable iscsid (Longhorn prereq). - RUNBOOK.md: full reproducible node1 build order. Real secrets are generated on-box and kept in Bitwarden — never in git.
fleet/data — in-cluster data tier
PostgreSQL 16 (Authentik + OCIS), MongoDB 7 (portal/platform-api) and Redis 7
(cache/sessions) as single-node StatefulSets on Longhorn volumes
(storageClassName: longhorn — see ../longhorn/), in the dezky-data
namespace. Mirrors the dev docker-compose stack. Self-hosted on the box — no
external/managed DBs (EU-sovereign).
Prereq: Longhorn must be installed and its
longhornStorageClass present before applying these (the PVCs request it). See../longhorn/README.md.
Stable in-cluster DNS:
postgres.dezky-data.svc.cluster.local:5432mongo.dezky-data.svc.cluster.local:27017redis.dezky-data.svc.cluster.local:6379
Apply
# 1) Secrets first (out-of-band — NOT in git). Generate values with openssl.
cp secrets.example.yaml /tmp/data-secrets.yaml
$EDITOR /tmp/data-secrets.yaml # fill every REPLACE_* (openssl rand -hex 24)
kubectl create namespace dezky-data --dry-run=client -o yaml | kubectl apply -f -
kubectl apply -f /tmp/data-secrets.yaml && rm /tmp/data-secrets.yaml
# 2) The data tier
kubectl apply -k .
# 3) Watch them come up
kubectl -n dezky-data rollout status statefulset/postgres
kubectl -n dezky-data rollout status statefulset/mongo
kubectl -n dezky-data rollout status statefulset/redis
kubectl -n dezky-data get pods,pvc
Notes
- Postgres init runs once (empty data dir):
postgres-initConfigMap creates theauthentik+ocisdatabases/roles usingAUTHENTIK_DB_PASSWORD/OCIS_DB_PASSWORDfrom the secret. If you change those passwords later, alter the roles in SQL — re-init won't re-run on an existing volume. - Store all generated passwords in Bitwarden.
AUTHENTIK_DB_PASSWORD/OCIS_DB_PASSWORDmust match what you later give Authentik and OCIS. - Backups: Longhorn snapshots + backs these volumes up to Hetzner Object
Storage (S3) — see
../longhorn/README.md. Block snapshots of a live DB are crash-consistent at best, so also runpg_dump/mongodumpCronJobs (added next) into a Longhorn PVC; restore from those logical dumps, not the raw data dirs. - Single replica each — fine for one node. HA/replicas are a later concern.