vw apps

docs/REFERENCE.md

@@ -1100,7 +1100,7 @@ storage:
 **Endpoints**:
 - Web UI: `https://bitwarden.forteapps.net`
 
-**Database**: Standalone PostgreSQL 16 StatefulSet (`vaultwarden-postgresql`) deployed in overlay with 2Gi PVC. Chart does NOT include a PostgreSQL subchart — must be provisioned separately.
+**Database**: Separate ArgoCD Application `vaultwarden-postgresql` (sync-wave `"0"`) deploys PostgreSQL 16 StatefulSet + SealedSecret before Vaultwarden (wave `"1"`). 2Gi PVC. Chart does NOT include a PostgreSQL subchart — must be provisioned separately.
 
 **Secrets**:
 - `prod-db-creds` (SealedSecret) — PostgreSQL credentials (`pgusername`, `pgpassword`) + SMTP credentials

infra/overlays/upc-dev/kustomization.yaml

@@ -2,6 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ../../base
+- vaultwarden-postgresql
 - vaultwarden
 
 # No patches needed — base already has "upc-dev" paths

infra/overlays/upc-dev/vaultwarden-postgresql/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- vaultwarden-postgresql.yaml

infra/overlays/upc-dev/vaultwarden-postgresql/resources/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- postgresql.yaml
+- vaultwarden-db-secret-sealed.yaml

infra/overlays/upc-dev/vaultwarden-postgresql/vaultwarden-postgresql.yaml

@@ -0,0 +1,40 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: vaultwarden
+---
+
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: vaultwarden-postgresql
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "0"
+  labels:
+    app.kubernetes.io/name: vaultwarden-postgresql
+    app.kubernetes.io/part-of: security
+    app.kubernetes.io/managed-by: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+
+  source:
+    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+    targetRevision: HEAD
+    path: infra/overlays/upc-dev/vaultwarden-postgresql/resources
+
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: vaultwarden
+
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+      allowEmpty: false
+    syncOptions:
+    - CreateNamespace=true
+    - Validate=true
+    - ServerSideApply=true

infra/overlays/upc-dev/vaultwarden/kustomization.yaml

@@ -2,5 +2,3 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - vaultwarden.yaml
-- vaultwarden-db-secret-sealed.yaml
-- postgresql.yaml

infra/overlays/upc-dev/vaultwarden/vaultwarden.yaml

@@ -1,9 +1,3 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: vaultwarden
----
-
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata: