add source code and readme

2025-12-24 14:35:17 +01:00
parent 7c92e1e610
commit 74324d5a1b
331 changed files with 39272 additions and 1 deletions
--- a/manifests/infrastructure/postgresql/cilium-cnpg-policies.yaml
+++ b/manifests/infrastructure/postgresql/cilium-cnpg-policies.yaml
@@ -0,0 +1,85 @@
+---
+# Comprehensive CloudNativePG network policy for single-operator deployment
+# This allows the Helm-deployed operator in postgresql-system to manage the cluster
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: cnpg-comprehensive-access
+  namespace: postgresql-system
+spec:
+  description: "Allow CloudNativePG operator and cluster communication"
+  endpointSelector:
+    matchLabels:
+      cnpg.io/cluster: postgres-shared  # Apply to postgres-shared cluster pods
+  ingress:
+    # Allow operator in same namespace to manage cluster
+    - fromEndpoints:
+        - matchLabels:
+            app.kubernetes.io/name: cloudnative-pg  # Helm-deployed operator
+      toPorts:
+        - ports:
+            - port: "5432"
+              protocol: TCP  # PostgreSQL database
+            - port: "8000"
+              protocol: TCP  # CloudNativePG health endpoint
+            - port: "9187" 
+              protocol: TCP  # PostgreSQL metrics
+    # Allow cluster-wide access for applications and monitoring
+    - fromEntities:
+        - cluster
+        - host
+        - remote-node
+        - kube-apiserver  # Explicitly allow API server (used for service port-forward)
+      toPorts:
+        - ports:
+            - port: "5432"
+              protocol: TCP  # PostgreSQL database access
+            - port: "9187"
+              protocol: TCP  # Metrics collection
+    # Allow pod-to-pod communication within cluster (replication)
+    - fromEndpoints:
+        - matchLabels:
+            cnpg.io/cluster: postgres-shared
+      toPorts:
+        - ports:
+            - port: "5432"
+              protocol: TCP  # PostgreSQL replication
+            - port: "8000"
+              protocol: TCP  # Health checks between replicas
+---
+# Allow CloudNativePG operator to reach webhook endpoints
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: cnpg-operator-webhook-access
+  namespace: postgresql-system
+spec:
+  description: "Allow CloudNativePG operator webhook communication"
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: cloudnative-pg  # Helm-deployed operator
+  ingress:
+    # Allow Kubernetes API server to reach webhook
+    - fromEntities:
+        - host
+        - cluster
+      toPorts:
+        - ports:
+            - port: "9443"
+              protocol: TCP  # CloudNativePG webhook port
+  egress:
+    # Allow operator to reach PostgreSQL pods for management
+    - toEndpoints:
+        - matchLabels:
+            cnpg.io/cluster: postgres-shared
+      toPorts:
+        - ports:
+            - port: "5432"
+              protocol: TCP
+            - port: "8000"
+              protocol: TCP
+    # Allow operator to reach Kubernetes API
+    - toEntities:
+        - cluster
+        - host
+        - remote-node