chore(ascoachingogvaner): cut over to static v1.1.0, drop dead CNPG db config #1584
Merged
…rsion ascoachingogvaner was converted to a fully static site (devantler-tech/ascoachingogvaner#9, released v1.1.0), removing its CloudNativePG Cluster (ascoaching-db) and admin-code secret. The platform overlay still referenced the now-absent database:

- Remove the CNPG Cluster/ascoaching-db patch from the hetzner provider kustomization-patch. Once the tenant OCI artifact no longer ships the Cluster, this patch target matches nothing and the kustomize build fails ("no matches for Id"), stalling tenant reconciliation. The HTTPRoute hostname patch is kept.
- Tighten the base CiliumNetworkPolicy: drop the cnpg-system ingress (8000/5432), the postgres-exporter metrics ingress (9187), and the intra-namespace + kube-apiserver rules that existed only for the DB. Gateway ingress is corrected from 3000 to 8080 to match the static nginx container (the SvelteKit :3000 server is gone). DNS egress kept.

Hold until the ascoachingogvaner OCIRepository tag advances to 1.1.0; coordinates with #1582.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Pull request overview
This PR updates the platform’s Hetzner overlay and base NetworkPolicy for the ascoachingogvaner tenant to reflect its conversion to a fully static site, removing now-obsolete CloudNativePG-related configuration that would otherwise break Flux/Kustomize reconciliation once the DB resources disappear from the tenant artifact.
Changes:
- Removes the Hetzner-provider Flux Kustomization.spec.patches entry that targeted the removed postgresql.cnpg.io/Cluster (ascoaching-db).
- Simplifies the tenant CiliumNetworkPolicy by dropping DB-only ingress/egress rules and updating gateway ingress to the new app port.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| k8s/providers/hetzner/apps/ascoachingogvaner/patches/kustomization-patch.yaml | Removes the now-dead CNPG Cluster patch while keeping the HTTPRoute hostname patch. |
| k8s/bases/apps/ascoachingogvaner/networkpolicy.yaml | Drops DB-specific network rules and changes gateway ingress port to 8080 for the static nginx site. |
…er-drop-cnpg-config
…over) Advance the pinned manifests artifact from 1.0.1 to 1.1.0 so this PR flips the artifact and the overlay atomically. image-automation cannot do this (it pushes directly to protected main and has never landed a commit), so the tag is bumped here. The $imagepolicy setter marker is preserved.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
🎉 This PR is included in version 1.2.1 🎉
The release is available on GitHub release
Your semantic-release bot 📦🚀
What

Cuts the ascoachingogvaner tenant over to the fully static site (devantler-tech/ascoachingogvaner#9, released v1.1.0) and removes the platform-side config that existed only for the now-deleted database. This is an atomic cutover — the artifact pin and the overlay flip together in a single merge:

- sync.yaml — bump OCIRepository ref.tag 1.0.1 → 1.1.0 (the static release; manifests:1.1.0 is published in GHCR). The $imagepolicy setter marker is preserved.
- kustomization-patch.yaml — remove the postgresql.cnpg.io/Cluster ascoaching-db patch (HTTPRoute hostname patch kept).
- networkpolicy.yaml (CiliumNetworkPolicy) — drop the DB-only rules (cnpg-system 8000/5432, monitoring 9187, intra-namespace ingress/egress, kube-apiserver egress) and correct the gateway-ingress port 3000 → 8080 (the static app is unprivileged nginx on 8080). DNS egress kept.

Why atomic

Splitting these breaks prod:

- no matches for Id …Cluster.ascoaching-db → tenant build fails.

flux-image-automation cannot advance the tag itself — it pushes directly to protected main and has never landed a commit — so the bump is done here.

Merging rolls the static site live and, via prune: true, deletes the CNPG Cluster/ascoaching-db (intended by #9; irreversible DB teardown).

Coordination

Validation

Both pass on this branch (rebased on current main):

- ksail --config ksail.prod.yaml workload validate → ✔ 260 files validated
- ksail workload validate → ✔ 260 files validated
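
An added example (not code from this repository): a small audit for the drift this PR corrects, where ingress allow rules keep ports open after the workload stops serving them and the gateway rule still points at the old port. The policies are constructed from the ports named in the description; the gateway namespace, the selectors and the helper names are placeholders, and the check compares port numbers only.

```python
# Added example. Constructed policies shaped like CiliumNetworkPolicy specs;
# the gateway namespace and all selectors are placeholders, not the repo's manifests.
NS = "k8s:io.kubernetes.pod.namespace"
GATEWAY = "gateway-ns-placeholder"

def rule(namespace, *ports):
    """Build one ingress rule allowing `namespace` to reach the given TCP ports."""
    r = {"fromEndpoints": [{"matchLabels": {NS: namespace}}]}
    if ports:
        r["toPorts"] = [{"ports": [{"port": str(p), "protocol": "TCP"} for p in ports]}]
    return r

# Port-scoped rules before and after the cutover, as listed in the PR description.
OLD = {"spec": {"ingress": [rule(GATEWAY, 3000),
                            rule("cnpg-system", 8000, 5432),
                            rule("monitoring", 9187)]}}
NEW = {"spec": {"ingress": [rule(GATEWAY, 8080)]}}

def exposure(policy):
    """Yield (source namespace, port) pairs; port '*' means the rule has no toPorts."""
    for r in policy.get("spec", {}).get("ingress", []):
        sources = [e.get("matchLabels", {}).get(NS, "?") for e in r.get("fromEndpoints", [])]
        ports = [p["port"] for tp in r.get("toPorts", []) for p in tp.get("ports", [])]
        for src in sources or ["?"]:
            for port in ports or ["*"]:
                yield src, str(port)

def stale_rules(policy, listening):
    """Allow rules whose port no container serves, or that open every port."""
    serving = {str(p) for p in listening}
    return [(src, port) for src, port in exposure(policy) if port not in serving]

def reachable(policy, source, port):
    """True if `source` may reach `port` under the policy's ingress rules."""
    return any(s == source and p in (str(port), "*") for s, p in exposure(policy))

if __name__ == "__main__":
    # The static nginx container listens on 8080 only.
    for name, pol in (("old", OLD), ("new", NEW)):
        print(name, "stale:", stale_rules(pol, [8080]),
              "gateway->8080:", reachable(pol, GATEWAY, 8080))
```
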