Sten
dd9819bdbe
feat(infra): drop in-cluster minio, add pg backup + PVC protection
AI Code Review / ai-review (pull_request) Successful in 7s
PROD: object storage moves to UpCloud Managed Object Storage (existing
drops bucket) instead of single-node in-cluster MinIO — durable,
UpCloud-replicated, no PVC to back up.
- Remove forte-drop-minio StatefulSet entirely.
- Add forte-drop-pg-backup CronJob: nightly pg_dump -> gzip -> upload to
s3://drops/_pgbackups/ (collision-proof prefix), 30-day retention.
Reuses forte-drop-secrets S3 creds (app user has s3:* on drops).
- PVC prune/delete protection on the postgres volumeClaimTemplate.
2026-05-29 09:28:51 +02:00
Sten
178bf8cc78
fix(infra): un-own forte-drop namespace from postgres app
AI Code Review / ai-review (pull_request) Successful in 6s
Follow-up to 47d1f1e — the previous commit only updated postgres'
securityContext; this drops the explicit Namespace resource as the
Codex review flagged. Both apps still get the namespace created via
syncOptions: CreateNamespace=true.
2026-05-28 16:13:31 +02:00
Sten
47d1f1ec39
fix(infra): drop bad postgres securityContext + un-own shared namespace
AI Code Review / ai-review (pull_request) Successful in 6s
Address Codex review on PR #17:
[P1] Postgres official image's entrypoint requires root to chown a
fresh PVC, then drops to the postgres user via gosu. Forcing
runAsNonRoot+runAsUser=999 blocks the chown and initdb fails on a
fresh volume. Drop the securityContext; matches the existing
vaultwarden-postgresql pattern.
[P2] The forte-drop namespace was declared as a managed resource
in the postgres Application. Since minio lives in the same
namespace from a separate Application, an Argo prune of the pg
app would delete the namespace and cascade-delete minio. Remove
the Namespace resource; rely on syncOptions: CreateNamespace=true
on both apps (already set).
2026-05-28 16:13:08 +02:00
Sten
69848e42f0
fix(infra): pin minio/mc tags + add postgres securityContext + harden bootstrap script
AI Code Review / ai-review (pull_request) Successful in 15s
Address ai-review feedback on PR #17:
- Pin quay.io/minio/minio and mc to specific RELEASE tags (Renovate
will bump). 'latest' is unpredictable in GitOps.
- Bootstrap script: set -e -> set -euo pipefail.
- Postgres container: runAsNonRoot, uid/gid 999, drop ALL caps,
no privilege escalation. Matches PSS restricted profile.
2026-05-28 16:05:48 +02:00
Sten
416615a9e0
feat(infra): add forte-drop sealed secrets
AI Code Review / ai-review (pull_request) Successful in 5s
Pg and minio credentials sealed against upc-dev sealed-secrets-controller.
2026-05-28 15:56:24 +02:00
Sten
3ce93017f9
feat(infra): forte-drop postgres + minio for upc-dev
AI Code Review / ai-review (pull_request) Successful in 34s
Two new ArgoCD Applications:
- forte-drop-postgresql: in-cluster Postgres 16 StatefulSet, 5Gi PVC,
POSTGRES_DB=drops, creds from forte-drop-pg-creds SealedSecret.
- forte-drop-minio: in-cluster MinIO StatefulSet, 20Gi PVC, bootstrap
Job creates the 'drops' bucket post-sync, creds from
forte-drop-minio-creds SealedSecret.
Both live in namespace 'forte-drop'. Mirrors the Vaultwarden pattern.
Sealed secrets are added in a follow-up commit by the maintainer:
kubeseal --fetch-cert > pub.pem
kubeseal --cert pub.pem --format yaml < private/forte-drop-pg-creds.yaml > \
infra/overlays/upc-dev/forte-drop-postgresql/resources/forte-drop-pg-creds-sealed.yaml
kubeseal --cert pub.pem --format yaml < private/forte-drop-minio-creds.yaml > \
infra/overlays/upc-dev/forte-drop-minio/resources/forte-drop-minio-creds-sealed.yaml
2026-05-28 14:33:19 +02:00
0582cd9917
policy
2026-05-27 23:23:21 +02:00
c49d03d7f7
onlySSO
2026-05-16 23:04:11 +02:00
d47dba2ae5
signups
2026-05-16 22:12:04 +02:00
cf9eb47ecf
script fix
2026-05-16 22:08:56 +02:00
3eca723f05
diffs
2026-05-16 22:05:02 +02:00
f36996da11
script fix
2026-05-16 21:57:44 +02:00
6bf7db21d0
registrar error
2026-05-16 21:55:44 +02:00
2641d55784
scopes
2026-05-16 21:53:36 +02:00
117297effc
sso vw
2026-05-16 21:47:59 +02:00
fda90f9e01
adminToken enc
2026-05-16 21:34:34 +02:00
1124377d97
adminToken
2026-05-16 21:29:14 +02:00
c0710b89bb
no signup
2026-05-16 21:15:38 +02:00
d7bda18aea
domain
2026-05-16 21:11:17 +02:00
2796e1b9d3
name
2026-05-16 21:09:04 +02:00
d7a0c26117
icon
2026-05-16 21:08:36 +02:00
693f2f9168
homepage
2026-05-16 21:07:29 +02:00
2509ef062c
domain restriction
2026-05-16 20:58:00 +02:00
957757e557
host
2026-05-16 20:51:44 +02:00
070799da05
bitw
2026-05-16 20:49:25 +02:00
1a2817e537
domain fix
2026-05-16 20:42:17 +02:00
b47b0035f5
smtp auth
2026-05-16 20:38:21 +02:00
d3fac4d43e
smtp port
2026-05-16 20:34:22 +02:00
c37bd3ef04
from
2026-05-16 20:30:32 +02:00
ad661ba3dd
allow signup
2026-05-16 20:27:36 +02:00
a9625f96e6
db secrets
2026-05-16 20:23:58 +02:00
cb64edc927
cleanup
2026-05-16 20:18:48 +02:00
ac1c242fb9
kust
2026-05-16 20:17:14 +02:00
4b29c07fd6
secret
2026-05-16 20:15:37 +02:00
52732626e5
ignorediffs
2026-05-16 20:10:19 +02:00
8634436dd4
StatefulSet
2026-05-16 20:07:17 +02:00
a8baa169e9
secrets vw
2026-05-16 20:00:22 +02:00
73ef3a6e12
pg fix
2026-05-16 19:49:38 +02:00
302705d374
icon
2026-05-16 19:45:19 +02:00
f3286ef77e
homepage vw
2026-05-16 19:44:17 +02:00
74f4f86770
vw apps
2026-05-16 19:34:42 +02:00
f2c56156bf
vw postgres
2026-05-16 18:10:14 +02:00
21fb50ba00
vw fixes
2026-05-16 15:55:18 +02:00
b90b630b06
comment
2026-05-16 15:52:10 +02:00
66de9b8a0a
replicas
2026-05-16 15:48:13 +02:00
716c552be9
ns
2026-05-16 15:44:04 +02:00
f048b47a0f
vaultwarden
2026-05-16 15:39:55 +02:00
66f40427ee
mappings
2026-05-15 15:47:25 +02:00
332881cbd0
fix
2026-05-14 23:47:14 +02:00
f363afa087
browser flow override
2026-05-14 23:43:40 +02:00