Originator: FuzeKeys (izzywdev/FuzeKeys) — onboarding to the Contabo shared k3s cluster via GitOps (per governance/shared-cluster-deploy.md + docs/CONSUMER_ONBOARDING_SHARED_CLUSTER.md).
Ask: provision on the shared FuzeInfra Postgres:
- A least-privilege role
fuzekeys_user and a dedicated fuzekeys database (owner = that role).
- Return the credentials as GitHub Actions secrets on
izzywdev/FuzeKeys (e.g. FUZEKEYS_DB_USER, FUZEKEYS_DB_PASSWORD) — NOT in this issue thread. FuzeKeys composes DATABASE_URL/DATABASE_URL_ASYNC at seal time against fuzeinfra-postgres.fuzeinfra.svc.cluster.local:5432/fuzekeys.
- Password must be alphanumeric/hex only (a shell metachar breaks the FastAPI/alembic init).
Also decide (Redis): the FuzeKeys pii-tokenizer token store (token→Vault-ciphertext, 24h TTL) needs Redis. Preferred: a dedicated DB index + key-prefix on shared fuzeinfra-redis (redis://:<pw>@fuzeinfra-redis.fuzeinfra.svc.cluster.local:6379/<n>); alternative is a namespace-local redis. Please advise/provision the shared option if acceptable (also via GH secret).
Acceptance: role+DB exist; FuzeKeys repo has the DB (and optional Redis) creds as GH Actions secrets; FuzeKeys can alembic upgrade head against fuzekeys from the fuzekeys namespace.
Notify me when creds are delivered (unblocks FuzeKeys' seal-secrets workflow), and again if the schema needs anything.
STATE: FuzeKeys is authoring deploy/** (Helm + Argo app-of-apps + SealedSecrets) in parallel. This DB request is the long-pole prerequisite for the seal-secrets step. FuzeKeys is oss-public (Argo needs no repo cred). Next delegations after the deploy/** PR merges: ArgoCD registration (argocd-register.yml) + DNS/CF-Access.
Originator: FuzeKeys (izzywdev/FuzeKeys) — onboarding to the Contabo shared k3s cluster via GitOps (per governance/shared-cluster-deploy.md + docs/CONSUMER_ONBOARDING_SHARED_CLUSTER.md).
Ask: provision on the shared FuzeInfra Postgres:
fuzekeys_userand a dedicatedfuzekeysdatabase (owner = that role).izzywdev/FuzeKeys(e.g.FUZEKEYS_DB_USER,FUZEKEYS_DB_PASSWORD) — NOT in this issue thread. FuzeKeys composesDATABASE_URL/DATABASE_URL_ASYNCat seal time againstfuzeinfra-postgres.fuzeinfra.svc.cluster.local:5432/fuzekeys.Also decide (Redis): the FuzeKeys pii-tokenizer token store (token→Vault-ciphertext, 24h TTL) needs Redis. Preferred: a dedicated DB index + key-prefix on shared
fuzeinfra-redis(redis://:<pw>@fuzeinfra-redis.fuzeinfra.svc.cluster.local:6379/<n>); alternative is a namespace-local redis. Please advise/provision the shared option if acceptable (also via GH secret).Acceptance: role+DB exist; FuzeKeys repo has the DB (and optional Redis) creds as GH Actions secrets; FuzeKeys can
alembic upgrade headagainstfuzekeysfrom thefuzekeysnamespace.Notify me when creds are delivered (unblocks FuzeKeys' seal-secrets workflow), and again if the schema needs anything.
STATE: FuzeKeys is authoring deploy/** (Helm + Argo app-of-apps + SealedSecrets) in parallel. This DB request is the long-pole prerequisite for the seal-secrets step. FuzeKeys is oss-public (Argo needs no repo cred). Next delegations after the deploy/** PR merges: ArgoCD registration (argocd-register.yml) + DNS/CF-Access.