feat: PostgreSQL operator, Pomerium switched to managed database (#26)

apps/_index/values.apps.yml

@@ -49,6 +49,13 @@ applications:
  syncWave: -100
  deleteProtection: false
 
+- name: network-policies-postgresql-system
+ namespace: postgresql-system
+ path: apps/network-policies
+ type: helm
+ syncWave: -100
+ deleteProtection: false
+
 - name: network-policies-apps
  namespace: apps
  path: apps/network-policies
@@ -101,9 +108,29 @@ applications:
  valueFiles:
  - values.yml
 
+# - name: prometheus-crd
+# type: directory
+# syncWave: -87
+# deleteProtection: false
+# serverSideApply: true
+
+- name: postgresql-operator-crd
+ type: raw
+ syncWave: -85
+ namespace: postgresql-system
+ deleteProtection: false
+
+- name: postgresql-operator
+ type: helm
+ syncWave: -84
+ namespace: postgresql-system
+ deleteProtection: false
+ valueFiles:
+ - values.$env.yml
+
 - name: cert-manager-crd
  type: raw
- syncWave: -80
+ syncWave: -84
  namespace: cert-manager
  deleteProtection: false
 
@@ -130,16 +157,9 @@ applications:
  deleteProtection: false
  valueFiles:
  - values.$env.yml
- - values.yml
  secretValueFiles:
  - secrets.$env.yml
 
-# - name: prometheus-crd
-# type: directory
-# syncWave: -50
-# deleteProtection: false
-# serverSideApply: true
-
 - name: dns-primary
  type: helm
  path: apps/dns

apps/common/templates/_network-policies.tpl

@@ -76,3 +76,22 @@
  matchLabels:
  app.kubernetes.io/instance: kube-dns
 {{- end }}
+
+{{- define "common.pg-cluster-init" }}
+- ports:
+ - protocol: TCP
+ port: 53
+ - protocol: UDP
+ port: 53
+ - protocol: TCP
+ port: 5353
+ - protocol: UDP
+ port: 5353
+ to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: kube-system
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/instance: kube-dns
+{{- end }}

apps/network-policies/templates/network-policy-postgresql-clusters.yml

@@ -0,0 +1,39 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: postgresql-clusters
+ labels:
+ {{- include "common.resource-labels" . | indent 4 }}
+spec:
+ podSelector:
+ matchExpressions:
+ - key: cnpg.io/cluster
+ operator: Exists
+ - key: cnpg.io/podRole
+ operator: In
+ values:
+ - instance 
+ policyTypes:
+ - Ingress
+ ingress:
+ # Accept traffic from postgresql jobs in the same namespace
+ - ports:
+ - protocol: TCP
+ port: 5432
+ from:
+ - podSelector:
+ matchExpressions:
+ - key: cnpg.io/jobRole
+ operator: Exists
+
+ # Accept traffic from operator in postgresql-system namespace
+ - ports:
+ - protocol: TCP
+ port: 8000
+ from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: postgresql-system
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: cloudnative-pg

apps/network-policies/templates/network-policy-postgresql-jobs.yml

@@ -0,0 +1,15 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: postgresql-jobs
+ labels:
+ {{- include "common.resource-labels" . | indent 4 }}
+spec:
+ podSelector:
+ matchExpressions:
+ - key: cnpg.io/jobRole
+ operator: Exists
+ policyTypes:
+ - Egress
+ egress:
+ {{- include "common.egress-kubeapi" . | indent 4 }}

apps/pomerium/Chart.yaml

@@ -7,6 +7,6 @@ dependencies:
  - name: common
  version: 1.0.0
  repository: file:https://../common
- - name: postgresql
- repository: https://charts.bitnami.com/bitnami
- version: 12.1.9
+ # - name: postgresql
+ #  repository: https://charts.bitnami.com/bitnami
+ #  version: 12.1.9

apps/pomerium/secrets.lab.yml

@@ -7,12 +7,9 @@ secrets:
  sharedSecret: ENC[AES256_GCM,data:aL1Q0R8IJmm35ReJ8JGFYvH4UjFw6x4vFliQ0a7f8n0VADx5sQXfK9mwgig=,iv:27GLnXuesryXqXjJfEtr2NvuJUrcsjfYvLUaZnsIiP8=,tag:zXHYLlNcnAFLVUGNkqyHJw==,type:str]
  signingKey: ENC[AES256_GCM,data:QIgsvhZcnClPXwLxNRiCtdONngM//w13/yJzLaceMH1PTGnFVuuJp+Imgn2EeraR82qNza0rQpRrFpbMMhMMsUPLw0yT3oBkGSsx5aNOYfxJ9+o2LhOq/e/fR0eGhRTmZ0iMHHPeUVjFnIiqIxz61sAR247yWUk3ycbt/RjZehs28eSbmkcc3LlXmWiICRnNUUzVnw0V2mVfGq4ioCx+jISQDZ8AUetwWay/FqiwgiLwKUVPHwlSlGICNOMs5ZudFBBryxlMzGumqrFVcF+cGa73ysX2Rm0iPV4ZvR4Fs2qPkwY=,iv:8QsuxdSvzDx167idY5aFjsYZNVo7yEkC1Hu7i82PBXc=,tag:XZSFL3SydMbwqNXv6nZ6dw==,type:str]
 postgresql:
- global:
- postgresql:
- auth:
- username: ENC[AES256_GCM,data:90DOf4GMicc=,iv:HxsalXfpILDls722sqWMxSZbGygnput1eRy4D7iC04Q=,tag:P75/boXu7Y91Pu990YmqfA==,type:str]
- password: ENC[AES256_GCM,data:fl8uY3J8gchjaGfWUUHN4cWetrJEPMYxO98=,iv:zX9YhOPavt1JAYE0IWSTiasavkFioCyvVKOeFKTCls8=,tag:Ke8J+Mnu6LFN+/IEYVuEwg==,type:str]
- database: ENC[AES256_GCM,data:JYU=,iv:zf4nRSrJ0Tbs+VWWnZ5E0M3mzR7jFsO2/i0KQf9V+SI=,tag:Nyz05RL7XuzyVQ6mlthy4Q==,type:str]
+ username: ENC[AES256_GCM,data:XdW/sDsjbTI=,iv:ZDcSpJF0DLvVpFpM3e3XWIDCTcjknSkRSaUaTDI2ZmA=,tag:AWQ8+IUGq9K+IsF+K2bg1g==,type:str]
+ password: ENC[AES256_GCM,data:g5Y+8IPhQ6q5M4Tr6RiK0NRd3t+LBuWuoMo=,iv:OxE4OTfZKvWBKgtTUUtWKiOcU8xdCzAGdKEA1W3NCXk=,tag:KQHPU/0sXUb5IraO3ekOtg==,type:str]
+ database: ENC[AES256_GCM,data:MikK8wFxWFM=,iv:DNG3t8Oml5PhpW5f/icJZHQxIiDcRnR2yTTS8ESX52Y=,tag:EhFL863QZ7wKnF9VPpPEHg==,type:str]
 sops:
  kms: []
  gcp_kms: []
@@ -37,8 +34,8 @@ sops:
  Q3Z1aGtydnNpQmY2bEpyWlZkQlN4TE0K2b90gF3tVdd6ixkSLB0hoxLNHIpq3jEa
  oL7o84MIiORMnzM4t5/RT+N36FwIWlS2mzHsMGsneXbdXfZ+00g+Qw==
  -----END AGE ENCRYPTED FILE-----
- lastmodified: "2023-01-25T16:37:12Z"
- mac: ENC[AES256_GCM,data:f3SY1/P8o34EiqfWa/13LgYCgmWbZIxXvAtOShSNiG05tbBwQbVuO3vX7E2TvCT8j0CTWuyatzUdu5Yx05ynCv/8+dxghJO4shpppPFadJtMyhR2MUj50sVwXMTKb6T5XJq7yo5UEEGQYcgaSwGayZoXc6LEQcC04A/70wF0Uws=,iv:qZwG99dVnO/wScGxtW7qPWk2yK26LYsXr/cBZqRetUE=,tag:LCyU3zQeBtGh8RlUi+qV/A==,type:str]
+ lastmodified: "2023-11-09T12:13:27Z"
+ mac: ENC[AES256_GCM,data:TC07TrSoXWS6oX+DWavQFlmqxPH5acYYdNHJpEX2wVTZbiSQ0b5Tj0/AajTCSBfEAdm5CofJ7sDFx8vt/AAL8L69bDhaBstfqYVlOXMeZg9ej3Iaxq03+u9JE79vVTInxgkLdzQoyjBbQ6YZP+sp+U1smLv7q+NpyDCaAUAljRA=,iv:0DmRHyIpkkRrbqROkL9Irv1JvXFSLlYuwtjJb61rk/o=,tag:xTLwzw/b5HfChkH20C2HYQ==,type:str]
  pgp:
  - created_at: "2023-01-20T10:43:59Z"
  enc: "-----BEGIN PGP MESSAGE-----\r\n\r\nhQIMA7Pg+ndCcR5CARAAgINnlaCTeflak8s5X+13fa0DFe3c/4dKFToKdQkxcpD8\r\noEbUaXB05AnTCaR96IHKJ3L71cXAza/s2Po0ftrl4IE67BaRYsiy3nwtb4VB9R03\r\nC80tgI8RwizQnUHGJo8ZNWQNPIi2VBdFvfxgn6bkiNq48TkWfP1hlXHk9OAecTjG\r\nN+S5ukAbrtVTLOE2QXOFQaSwouKn2zlt+seO0/Lv/VofKN5Un5h9a3rTVf0vZv/e\r\nqELg6qoco65Lv4BC+9axuO/XRdeKCGLlQ6gR+P85sYKVGz0KIq+2qvn0FvAI4FYS\r\noLumDqNh/0DGT5c2w5MAMdulGgM3ApSNTayNZcRmjrNRKp65y99P8KuUj97XIxAe\r\ndCgkctJiLWh48pKNjIQnPU2nyUVrF/gnFHUId8MDPeTGjxRM8544fCiykWODn+EM\r\ng03S3MzXvXOk/TrjLx8vlcvlIinUMrp6YASX2xZCSq9keeW0CSYlroSyFgErbuZ6\r\nUXjqun7d9Qe3/kqUjgiy63KaW7y/W0DCCzSqvHYRRkvr5mFXbLeYp4LhosJpp9m4\r\nVy1WO5kLDTu7ZFNgsuV8AA3QWLb3iDMO/stVnEdYtXh9HzvdVpJ/h1e7eURaFgnF\r\n5FIvyqq1n4PQCONEF5t70EWjPTQMHgxOpNPm8IzbkK3o5mq7qXimj7Nb/L0+mQLS\r\nXgHeefFAApjYxljcqDx09mm/29WxakMyCLikM5vzbTO6vHZhFfA/PzWX+CrXJLHE\r\nYXMlIwOKGkigmS7pqhgt2o+p3pUJ0MWTdpQfMD9+TVx1bHlMO3qqPG6qwYZ+7W4=\r\n=DbKf\r\n-----END PGP MESSAGE-----\r\n"

apps/pomerium/secrets.prod.yml

@@ -9,12 +9,9 @@ secrets:
  sharedSecret: ENC[AES256_GCM,data:dHDAJPR50ydEns1hzXsuy51+xZenspYVHsoj3a/F/aa5tjh8f1SO764H+Go=,iv:2hs04NiskJUPmNOkzAYHTk9GJbB5XAuV8ZwvirBS6B4=,tag:L/ddwOykZxDtQFMWEigdSw==,type:str]
  signingKey: ENC[AES256_GCM,data:e2Njc1lWaig948otkGB9s70XNDFxgWJVgGPLyizn61PGSis7b36IVkPQpCUv9cXKjvyc6wNPre6Pu/Cviof5Ga7iAkHJ16mqzJH3cXB+++FqlkJioe6zpp+SetTR7BiNbloiLk4wRDD0IkuW7WFV5+/XyKYPQCiUOWMxKYJxhUxZVnU9oFw6Fjs2pLBQp/cyu8enT3x/gKkFi4alb6+Rjuw2z0AweRfHK0SL6LxJl3pxuOiidSYHyaMP0qoHDjbj6+7nuuRNDmiysy9OFTx8D9ydzkS++WvjXwrqFJUfU9ShVM4=,iv:m337JQ61m6RLSOCGXVCsEnksoIfS1vlYR2V2LS+S030=,tag:LRjQ7MMUbbk+9MR/acZO/g==,type:str]
 postgresql:
- global:
- postgresql:
- auth:
- username: ENC[AES256_GCM,data:GLaKfFbIPBI=,iv:I6q1tfB3sbK1YatCU4va6qPzECXOMQqiS7Cs4dh7SRg=,tag:+rTOWAzrmFS3nXlM0lrtOQ==,type:str]
- password: ENC[AES256_GCM,data:ezFcPPWRTzcX7cSg64Hd3hAubm3v6dzuKw==,iv:KKPorWQSHVBqQGku1iHNfScZqvE4jUHrIvWF0grv0KU=,tag:NdxzxwbtBXBn3kAbIiiXxA==,type:str]
- database: ENC[AES256_GCM,data:D4c=,iv:PAZWEMowsmYd3j58pQtCsdRuwNkBkA+aah4H78NNTKU=,tag:RF7pXudBxGX3kB+JNg1oyg==,type:str]
+ username: ENC[AES256_GCM,data:iUeaHfLZxJQ=,iv:nZqq9DAlMtSLbbf56ywDs71qOhqkrnE+YHNIgD6yj/g=,tag:zN4HXuBoBX09bh7SWdA8oQ==,type:str]
+ password: ENC[AES256_GCM,data:Xu4CYBUTY69S8tOK/gIZXrpLsatCSS3OHQ==,iv:YehK6t9aWAVvGB/vBLNy94r0wTtULufSrPvT2DxI6Dk=,tag:WX4OJ4jpx4HYyY0sWKbzAg==,type:str]
+ database: ENC[AES256_GCM,data:rx8=,iv:ARI02fW731vxVYWXTmziJ0z/S6eJU9VOu9zVlQd5Qq4=,tag:x3ik1RLPuywQzc2oO//Fmw==,type:str]
 sops:
  kms: []
  gcp_kms: []
@@ -39,8 +36,8 @@ sops:
  YnNLN3NES0cxT0s4VjJXYzlRNTBIOFUKtwzQj2FT++kgxZPuGwxKgIYV0T/jQ2I6
  87VKFDqmkCZ5HKAxwLKNf8sbhOAuy/LiNTVG8jpNXBSthdCtdbvLsw==
  -----END AGE ENCRYPTED FILE-----
- lastmodified: "2023-02-13T23:19:57Z"
- mac: ENC[AES256_GCM,data:VJGhRwQhb50Rgm34Rk5ghJdJDKFfdyaxrjgupLkdSbvQ06GiU5xndHR1hWn2Hrj0er0sU4VYOuBnBuhEXUeKcEFRMUBseGvxS4kZUBfO5yzE1/xmb1L6UXl2WHiEhrHDKTwPi1nRq8Czod0Pt7JAP8FppDaZNo81wvreybYkAzI=,iv:ELR9s3zHG7aMmW7zewkl7zAzuMsqVL06btXkp3JPi6A=,tag:OMqq+LTD0UvilYu8LZCiFg==,type:str]
+ lastmodified: "2023-11-09T12:24:33Z"
+ mac: ENC[AES256_GCM,data:4eH/soAjjorIINyABGmNxISfEIxS/mrh9Vs4TqthwkDlO+UoH/VDemn2E19TwQab0gjTpDHIgKs8Y7b9/Ym2C6nlIPqLT4ELDs5KKt1ewSP5f4WXFg7Kzel6zVm3RDe4cv3HjcV/2ZSqZK6AOW+3wAeEhTU2+lftIChFz6BI9zg=,iv:zz50QD9S5XPT+kQE4CZPuUPZpM1/ZDITjQn5jC1ryR4=,tag:cDz7qOStNrJV6stHnrh/fA==,type:str]
  pgp:
  - created_at: "2023-02-13T23:03:02Z"
  enc: "-----BEGIN PGP MESSAGE-----\r\n\r\nhQIMA7Pg+ndCcR5CAQ/7B1IgsScENrQSJpBg7V+ZeVa1vANllezLkQed4iNxMLHM\r\nI/bJaQonDzErk/TPsr5UT+c2LxBe2jRTEhmq6dho73aubnCSKLAtLt7FaNdVPcIO\r\nGHwVaNHIq+hXLw3f91PRF5XU+PPQA7reYi+ZkMN0HxkmCQbIyTO0m9SjPUUU1ZOD\r\nvDcRmB640jNwaOtgtL14GEHbek/rUxL9mfFP3EbbnR9SW8KOky9zFaLANd6DTeMX\r\n8ESYp7UNcmMFQ9Ayl9c59EJ5zz9H8lT2n35UPVrXq8uvpTH9C3CK337j+uo6pvNB\r\nsSLqh7h4m7CwiiQRzrHnNgLt8u+Xl9JeqIgNIFHX1PuZu3SaTF3YuKPTIn3bPm6e\r\nuW/B1i4ZhNyY6mh0bOhZ0RQRFGr4qSFSZIZF2UaL4zUX49jVS2sae3EMUickjTJ6\r\nH2ivZe7JsPpHtw+GOoKUIKju5osHMIzUrYkeKRgYR68E2/ORJDQgW0Z4b4bq67ZH\r\nHXBRYwlDM7sJ6wuyj0NiIV83IwTq7nYiB/ngP2weHAFLUz7SUK+UxR/5qScBluZT\r\nY4kMgLh4LhwM4AmUOUxnL9S3L2W2dCuKfJjYCagmDlrWS781BRFcU5HuYFiITRM+\r\nQtH4edHZJIQEnxXbQbrlwcQ+Vvchk/hN6Fj02+fucg7E5ESe1NaJqPRfyvZgtZvS\r\nXgEDkwJLzZDxmBvZFyM2deduDgwFyx6e8G55DCAKK+FB6lADtwAhtIpcL8JRb9dP\r\n9WGyICVdvcOthkGVLLYfpIYLDS3uCOSwLuDhm8jm31McMRioilm93SYm3NfhQWM=\r\n=zPAG\r\n-----END PGP MESSAGE-----\r\n"

apps/pomerium/templates/cluster-role-binding.yml

@@ -1,9 +1,9 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
+ name: {{ $.Release.Name }}-controller
  labels:
  {{- include "common.resource-labels" . | indent 4 }}
- name: pomerium-controller
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole

apps/pomerium/templates/cluster-role.yml

@@ -1,9 +1,9 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
+ name: {{ $.Release.Name }}-controller
  labels:
  {{- include "common.resource-labels" . | indent 4 }}
- name: pomerium-controller
 rules:
 - apiGroups:
  - ""

apps/pomerium/templates/custom-network-policy-postgresql-cluster.yml

@@ -0,0 +1,27 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ .Release.Name }}-postgresql
+ namespace: {{ $.Release.Namespace }}
+ labels:
+ {{- include "common.resource-labels" . | indent 4 }}
+spec:
+ podSelector:
+ matchExpressions:
+ - key: cnpg.io/cluster
+ operator: In
+ values: 
+ - {{ $.Release.Name }}
+ policyTypes:
+ - Ingress
+ ingress:
+ # Accept traffic from pomerium
+ - ports:
+ - protocol: TCP
+ port: 5432
+ from:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: pomerium
+ app.kubernetes.io/instance: {{ .Release.Name }}
+

apps/pomerium/templates/custom-postgresql-cluster.yml

@@ -0,0 +1,21 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+ name: {{ $.Release.Name }}
+spec:
+ instances: 2
+
+ bootstrap:
+ initdb:
+ database: {{ .Values.postgresql.database }}
+ owner: {{ .Values.postgresql.username }}
+ secret:
+ name: {{ .Release.Name }}-postgresql-cluster
+
+ storage:
+ pvcTemplate:
+ accessModes: {{ .Values.postgresql.accessModes }} 
+ storageClassName: {{ .Values.postgresql.storageClass }}
+ resources:
+ requests:
+ storage: {{ .Values.postgresql.size }}

apps/pomerium/templates/custom-secret-postgresql-cluster.yml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Release.Name }}-postgresql-cluster
+ namespace: {{ $.Release.Namespace }}
+ labels:
+ {{- include "common.resource-labels" . | indent 4 }}
+type: kubernetes.io/basic-auth
+# Password cannot be changed because PostgreSQL will not update it after the database is created
+immutable: true
+data:
+ username: {{ .Values.postgresql.username | b64enc }}
+ password: {{ .Values.postgresql.password | b64enc }}

apps/pomerium/templates/custom-secret-postgresql.yml → apps/pomerium/templates/custom-secret-postgresql-connection.yml

@@ -1,12 +1,12 @@
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ .Release.Name }}-postgresql-connection
- namespace: {{ $.Release.Namespace }}
- labels:
- {{- include "common.resource-labels" . | indent 4 }}
-type: Opaque
-# Password cannot be changed because PostgreSQL will not update it after the database is created
-immutable: true
-stringData:
- connection: "postgresql:https://{{ .Values.postgresql.global.postgresql.auth.username }}:{{ .Values.postgresql.global.postgresql.auth.password }}@{{ .Release.Name }}-postgresql.{{ .Release.Namespace }}.svc.cluster.local/{{ .Values.postgresql.global.postgresql.auth.database }}"
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Release.Name }}-postgresql-connection
+ namespace: {{ $.Release.Namespace }}
+ labels:
+ {{- include "common.resource-labels" . | indent 4 }}
+type: Opaque
+# Password cannot be changed because PostgreSQL will not update it after the database is created
+immutable: true
+stringData:
+ connection: "postgresql:https://{{ .Values.postgresql.username }}:{{ .Values.postgresql.password }}@{{ .Release.Name }}-rw.{{ .Release.Namespace }}.svc.cluster.local/{{ .Values.postgresql.database }}"

apps/pomerium/templates/deployment.yml

@@ -3,7 +3,7 @@ kind: Deployment
 metadata:
  labels:
  {{- include "common.resource-labels" . | indent 4 }}
- name: pomerium
+ name: {{ $.Release.Name }}
  namespace: {{ $.Release.Namespace }}
 spec:
  replicas: {{ .Values.replicas | default 1 }}

apps/pomerium/templates/ingress-class.yml

@@ -5,7 +5,7 @@ metadata:
  {{- include "common.resource-labels" . | indent 4 }}
  annotations:
  ingressclass.kubernetes.io/is-default-class: {{ .Values.isDefaultIngressClass | default false | quote }}
- name: pomerium
+ name: {{ $.Release.Name }}
  namespace: {{ $.Release.Namespace }}
 spec:
  controller: pomerium.io/ingress-controller

apps/pomerium/templates/service-account.yml

@@ -3,5 +3,5 @@ kind: ServiceAccount
 metadata:
  labels:
  {{- include "common.resource-labels" . | indent 4 }}
- name: pomerium-controller
+ name: {{ $.Release.Name }}-controller
  namespace: {{ $.Release.Namespace }}

apps/pomerium/templates/service.yml

@@ -3,7 +3,7 @@ kind: Service
 metadata:
  labels:
  {{- include "common.resource-labels" . | indent 4 }}
- name: pomerium-metrics
+ name: {{ $.Release.Name }}-metrics
  namespace: {{ $.Release.Namespace }}
 spec:
  ports:
@@ -24,7 +24,7 @@ metadata:
  annotations:
  metallb.universe.tf/allow-shared-ip: {{ .Release.Name }}
  metallb.universe.tf/loadBalancerIPs: {{ .Values.loadBalancerIp }}
- name: pomerium-proxy
+ name: {{ $.Release.Name }}-proxy
  namespace: {{ $.Release.Namespace }}
 spec:
  ports:

apps/pomerium/values.lab.yml

@@ -14,15 +14,8 @@ resources:
  memory: 512Mi
 
 postgresql:
- image:
- tag: 15.3.0-debian-11-r24
- volumePermissions:
- enabled: true
- primary:
- livenessProbe:
- initialDelaySeconds: 900
- persistence:
- size: 10Gi
- storageClass: local-path-provisioner-services-db
- accessModes:
- - ReadWriteMany
+ # New cluster
+ size: 10Gi
+ storageClass: local-path-provisioner-services-db
+ accessModes:
+ - ReadWriteMany