From 75a165b474ce1df4cc039b1cbba5f27d339ba98e Mon Sep 17 00:00:00 2001
From: Mayne0213
Date: Mon, 29 Dec 2025 20:51:49 +0900
Subject: [PATCH] REFACTOR(postgresql): rename pg-cnpg namespace and folder
- Rename to postgresql
- Standardize naming convention
---
 postgresql/argocd/postgresql-cnpg.yaml | 39 ++++++++++++
 postgresql/kustomization.yaml | 20 +++++++
 postgresql/manifests/cluster.yaml | 75 ++++++++++++++++++++++++
 postgresql/manifests/vault-database.yaml | 11 ++++
 postgresql/vault/app-user-secret.yaml | 23 ++++++++
 postgresql/vault/superuser-secret.yaml | 23 ++++++++
 postgresql/vault/vault-user-secret.yaml | 23 ++++++++
 7 files changed, 214 insertions(+)
 create mode 100644 postgresql/argocd/postgresql-cnpg.yaml
 create mode 100644 postgresql/kustomization.yaml
 create mode 100644 postgresql/manifests/cluster.yaml
 create mode 100644 postgresql/manifests/vault-database.yaml
 create mode 100644 postgresql/vault/app-user-secret.yaml
 create mode 100644 postgresql/vault/superuser-secret.yaml
 create mode 100644 postgresql/vault/vault-user-secret.yaml
diff --git a/postgresql/argocd/postgresql-cnpg.yaml b/postgresql/argocd/postgresql-cnpg.yaml
new file mode 100644
index 0000000..2ce9ff7
--- /dev/null
+++ b/postgresql/argocd/postgresql-cnpg.yaml
@@ -0,0 +1,39 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: postgresql
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: default
+
+ source:
+ repoURL: https://github.com/Mayne0213/databases.git
+ targetRevision: main
+ path: postgresql
+
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: postgresql
+
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ allowEmpty: false
+
+ syncOptions:
+ - CreateNamespace=true
+ - PrunePropagationPolicy=foreground
+ - PruneLast=true
+ - ServerSideApply=true
+
+ retry:
+ limit: 5
+ backoff:
+ duration: 5s
+ factor: 2
+ maxDuration: 3m
+
+ revisionHistoryLimit: 10
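Review bot: `prune: true` combined with `selfHeal: true` under `syncPolicy.automated` means that a manifest dropped from `main` (or a mistaken `path`) will delete the CNPG `Cluster` object, and since the Cluster's PVCs are owned by it the data most likely goes with it; nothing in this Application excludes the stateful resource from pruning. Either set `prune: false` here, or keep automated pruning and annotate the `Cluster` in `postgresql/manifests/cluster.yaml` with `argocd.argoproj.io/sync-options: Prune=false` so only the data-bearing object is protected. `PruneLast=true` and `allowEmpty: false` narrow the window but do not prevent the deletion.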
diff --git a/postgresql/kustomization.yaml b/postgresql/kustomization.yaml
new file mode 100644
index 0000000..5a3d23d
--- /dev/null
+++ b/postgresql/kustomization.yaml
@@ -0,0 +1,20 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: postgresql
+
+resources:
+ # Vault External Secrets
+ - vault/app-user-secret.yaml
+ - vault/superuser-secret.yaml
+ - vault/vault-user-secret.yaml
+ # - vault/backup-s3-secret.yaml # Disabled - using Velero instead
+
+ # CNPG Cluster
+ - manifests/cluster.yaml
+ - manifests/vault-database.yaml
+
+ # PodMonitor is auto-created by CNPG operator via cluster.spec.monitoring.enablePodMonitor
+
+ # Scheduled Backup - Disabled, using Velero instead
+ # - manifests/scheduled-backup.yaml
diff --git a/postgresql/manifests/cluster.yaml b/postgresql/manifests/cluster.yaml
new file mode 100644
index 0000000..0545a81
--- /dev/null
+++ b/postgresql/manifests/cluster.yaml
@@ -0,0 +1,75 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+ name: postgresql
+ namespace: postgresql
+spec:
+ # PostgreSQL version
+ imageName: ghcr.io/cloudnative-pg/postgresql:16.6
+
+ # Number of instances
+ instances: 3 # 1 primary + 2 replicas for HA
+
+ # Storage configuration - using local-path
+ storage:
+ storageClass: local-path
+ size: 10Gi
+
+ # Resource requests and limits
+ resources:
+ requests:
+ memory: "512Mi"
+ cpu: "150m"
+ limits:
+ memory: "2Gi"
+ # cpu: no limit to prevent throttling
+
+ # PostgreSQL configuration
+ postgresql:
+ parameters:
+ max_connections: "200"
+ shared_buffers: "512MB"
+ effective_cache_size: "1536MB"
+ maintenance_work_mem: "128MB"
+ checkpoint_completion_target: "0.9"
+ wal_buffers: "16MB"
+ default_statistics_target: "100"
+ random_page_cost: "1.1"
+ effective_io_concurrency: "200"
+ work_mem: "2621kB"
+ min_wal_size: "1GB"
+ max_wal_size: "4GB"
+
+ # Bootstrap configuration
+ bootstrap:
+ initdb:
+ database: app
+ owner: app
+ secret:
+ name: postgresql-app-user
+
+ # Monitoring
+ monitoring:
+ enablePodMonitor: true
+ customQueriesConfigMap:
+ - name: cnpg-default-monitoring
+ key: queries
+ # Add pod labels to metrics for Grafana dashboard compatibility
+ podMonitorRelabelings:
+ # Add cluster label from pod label
+ - sourceLabels: [__meta_kubernetes_pod_label_cnpg_io_cluster]
+ targetLabel: cluster
+ # Add instance role label
+ - sourceLabels: [__meta_kubernetes_pod_label_cnpg_io_instanceRole]
+ targetLabel: role
+
+ # Backup disabled - using Velero for backups instead
+
+ # Affinity to spread replicas across nodes
+ affinity:
+ podAntiAffinityType: required
+
+ # Enable superuser access
+ enableSuperuserAccess: true
+ superuserSecret:
+ name: postgresql-superuser
diff --git a/postgresql/manifests/vault-database.yaml b/postgresql/manifests/vault-database.yaml
new file mode 100644
index 0000000..d10e0b3
--- /dev/null
+++ b/postgresql/manifests/vault-database.yaml
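Review bot: Nothing in this Cluster declares the `vault` PostgreSQL role, yet `postgresql/manifests/vault-database.yaml` sets `owner: vault` with `ensure: present`, and the `postgresql-vault-user` secret produced by `postgresql/vault/vault-user-secret.yaml` is not referenced anywhere in `spec`; unless that role is created out of band, the `Database` reconcile will fail because its owner does not exist. Declaring the role under `spec.managed.roles` with `passwordSecret` pointing at that secret closes the gap and keeps the password Vault-managed, as in the fence below. Separately, `imageName: ghcr.io/cloudnative-pg/postgresql:16.6` is pinned by tag only; adding a `@sha256:<digest>` pin makes the image immutable against a re-pushed tag. `enableSuperuserAccess: true` hands out the `postgres` superuser credential; if it exists only so Vault can be provisioned, the managed role makes it unnecessary — confirm before keeping it.
```yaml
spec:
  # … unchanged: imageName, instances, storage, resources, postgresql, bootstrap, monitoring, affinity …

  # Declarative owner role for the "vault" Database; the password stays
  # Vault-managed through the ExternalSecret in vault/vault-user-secret.yaml.
  managed:
    roles:
      - name: vault
        ensure: present
        login: true
        passwordSecret:
          name: postgresql-vault-user

  # … unchanged: enableSuperuserAccess, superuserSecret …
```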
@@ -0,0 +1,11 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: Database
+metadata:
+ name: vault
+ namespace: postgresql
+spec:
+ cluster:
+ name: postgresql
+ name: vault
+ owner: vault
+ ensure: present
diff --git a/postgresql/vault/app-user-secret.yaml b/postgresql/vault/app-user-secret.yaml
new file mode 100644
index 0000000..97bb65c
--- /dev/null
+++ b/postgresql/vault/app-user-secret.yaml
@@ -0,0 +1,23 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: postgresql-app-user
+ namespace: postgresql
+spec:
+ refreshInterval: 1h
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault-backend
+ target:
+ name: postgresql-app-user
+ creationPolicy: Owner
+ template:
+ type: kubernetes.io/basic-auth
+ data:
+ username: app
+ password: "{{ .password }}"
+ data:
+ - secretKey: password
+ remoteRef:
+ key: databases/postgresql
+ property: APP_PASSWORD
diff --git a/postgresql/vault/superuser-secret.yaml b/postgresql/vault/superuser-secret.yaml
new file mode 100644
index 0000000..d40ecee
--- /dev/null
+++ b/postgresql/vault/superuser-secret.yaml
@@ -0,0 +1,23 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: postgresql-superuser
+ namespace: postgresql
+spec:
+ refreshInterval: 1h
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault-backend
+ target:
+ name: postgresql-superuser
+ creationPolicy: Owner
+ template:
+ type: kubernetes.io/basic-auth
+ data:
+ username: postgres
+ password: "{{ .password }}"
+ data:
+ - secretKey: password
+ remoteRef:
+ key: databases/postgresql
+ property: POSTGRES_PASSWORD
diff --git a/postgresql/vault/vault-user-secret.yaml b/postgresql/vault/vault-user-secret.yaml
new file mode 100644
index 0000000..3bdbfcc
--- /dev/null
+++ b/postgresql/vault/vault-user-secret.yaml
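Review bot: The three ExternalSecrets (`app-user-secret.yaml`, `superuser-secret.yaml`, and `vault-user-secret.yaml`) all declare `apiVersion: external-secrets.io/v1beta1`, which recent External Secrets Operator releases mark deprecated in favour of `external-secrets.io/v1`; if the installed operator serves the `v1` API, switching now avoids a breaking upgrade later, and the rest of each spec carries over unchanged. All three also read the same Vault entry `databases/postgresql`, so whatever Vault policy backs the `vault-backend` ClusterSecretStore grants the superuser password along with the application passwords; keeping `POSTGRES_PASSWORD` under its own path would let that read be scoped and audited separately, though this only matters if other consumers share the store.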
@@ -0,0 +1,23 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: postgresql-vault-user
+ namespace: postgresql
+spec:
+ refreshInterval: 1h
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault-backend
+ target:
+ name: postgresql-vault-user
+ creationPolicy: Owner
+ template:
+ type: kubernetes.io/basic-auth
+ data:
+ username: vault
+ password: "{{ .password }}"
+ data:
+ - secretKey: password
+ remoteRef:
+ key: databases/postgresql
+ property: VAULT_PASSWORD