chore(deps): update registry.k8s.io/sig-storage/csi-node-driver-registrar docker tag to v2.12.0

argocd/kustomization.yaml

@@ -13,7 +13,7 @@ resources:
 images:
   - name: argocd
     newName: code.icb4dc0.de/infrastructure/images/argocd
-    newTag: v2.12.0
+    newTag: v2.12.2
 
 labels:
 - includeSelectors: true
@@ -26,7 +26,7 @@ helmCharts:
     repo: https://argoproj.github.io/argo-helm
     releaseName: argo-cd
     namespace: argo-system
-    version: "7.4.2"
+    version: "7.4.5"
     valuesFile: config/values.argo-cd.yaml
     apiVersions:
       - monitoring.coreos.com/v1

cert-manager/kustomization.yaml

@@ -12,7 +12,7 @@ resources:
 helmCharts:
   - name: cert-manager
     repo: https://charts.jetstack.io
-    version: "v1.15.2"
+    version: "v1.15.3"
     releaseName: cert-manager
     namespace: kube-system
     valuesFile: config/values.cert-manager.yaml

cnpg/kustomization.yaml

@@ -6,14 +6,17 @@ resources:
   - resources/secrets/ext-pgo-admin.yaml
   - resources/secrets/cnpg-backup-creds.yaml
   - resources/cluster.yaml
+  - resources/backup.yaml
+  - resources/pool.yaml
 
 helmCharts:
   - releaseName: cnpg
     name: cloudnative-pg
     repo: https://cloudnative-pg.github.io/charts
-    version: 0.21.6
+    version: 0.22.0
     valuesFile: config/values.cnpg.yaml
     namespace: postgres-system
+    includeCRDs: true
 
   - releaseName: ext-pgo
     name: ext-postgres-operator
@@ -21,3 +24,4 @@ helmCharts:
     version: 1.2.6
     valuesFile: config/values.ext-pgo.yaml
     namespace: postgres
+    includeCRDs: true

cnpg/resources/backup.yaml

@@ -0,0 +1,11 @@
+---
+apiVersion: postgresql.cnpg.io/v1
+kind: ScheduledBackup
+metadata:
+  name: daily-backup
+  namespace: postgres
+spec:
+  schedule: "0 1 * * *"
+  backupOwnerReference: self
+  cluster:
+    name: app-cluster

cnpg/resources/cluster.yaml

@@ -6,13 +6,22 @@ metadata:
 spec:
   instances: 2
 
+  postgresql:
+    parameters:
+      max_connections: "150"
+
   managed:
     roles:
       - name: ext_pgo_admin
         ensure: present
+        login: true
         superuser: true
         createrole: true
         createdb: true
+        inherit: true
+        connectionLimit: -1
+        passwordSecret:
+          name: ext-pgo-admin
 
   storage:
     size: 10Gi
@@ -20,7 +29,8 @@ spec:
 
   backup:
     barmanObjectStore:
-      destinationPath: cnpg
+      destinationPath: "s3://cnpg/app-cluster/"
+      endpointURL: "http://garage.garage.svc:3900"
       s3Credentials:
         accessKeyId:
           name: cnpg-backup-creds
@@ -28,15 +38,20 @@ spec:
         secretAccessKey:
           name: cnpg-backup-creds
           key: ACCESS_SECRET_KEY
+        region:
+          name: cnpg-backup-creds
+          key: AWS_REGION
+      wal:
+        compression: snappy
     retentionPolicy: "30d"
 
   resources:
     requests:
       cpu: 100m
-      memory: 400Mi
+      memory: 600Mi
     limits:
       cpu: 500m
-      memory: 800Mi
+      memory: 900Mi
 
   affinity:
     enablePodAntiAffinity: true

cnpg/resources/pool.yaml

@@ -0,0 +1,18 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: Pooler
+metadata:
+  name: app-cluster-pooler-rw
+  namespace: postgres
+spec:
+  cluster:
+    name: app-cluster
+
+  instances: 3
+  type: rw
+  pgbouncer:
+    poolMode: session
+    parameters:
+      max_client_conn: "1000"
+      default_pool_size: "10"
+  monitoring:
+    enablePodMonitor: true

coder/config/values.coder.yml

@@ -10,8 +10,8 @@ coder:
     - name: CODER_PG_CONNECTION_URL
       valueFrom:
         secretKeyRef:
-          name: default-cluster-pguser-coder
+          name: coder-db-credentials-coder
-          key: uri
+          key: PQ_URL
     - name: CODER_DISABLE_PASSWORD_AUTH
       value: "true"
     - name: CODER_OIDC_ISSUER_URL

coder/kustomization.yaml

@@ -7,12 +7,14 @@ resources:
   - "resources/namespace.yaml"
   - "resources/http_routes.yaml"
   - "resources/secret.yaml"
+  - "resources/db/db.yaml"
+  - "resources/db/user.yaml"
 
 helmCharts:
   - name: coder
     repo: https://helm.coder.com/v2
     releaseName: coder
     namespace: coder
-    version: "2.14.1"
+    version: "2.14.2"
     valuesFile: config/values.coder.yml
     skipTests: true

coder/resources/db/db.yaml

@@ -0,0 +1,8 @@
+---
+apiVersion: db.movetokube.com/v1alpha1
+kind: Postgres
+metadata:
+  name: coder
+spec:
+  database: coder
+  dropOnDelete: false

coder/resources/db/user.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: db.movetokube.com/v1alpha1
+kind: PostgresUser
+metadata:
+  name: coder
+spec:
+  role: coder
+  database: coder
+  secretName: coder-db-credentials
+  privileges: OWNER
+  secretTemplate:
+    PQ_URL: "postgresql://{{.Role}}:{{.Password}}@{{.Host}}:5432/{{.Database}}?sslmode=require&search_path=coder"

contour/crds/contour.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.15.0
   name: contourconfigurations.projectcontour.io
 spec:
   preserveUnknownFields: false
@@ -120,6 +120,12 @@ spec:
                               defaults to 3.
                             format: int32
                             type: integer
+                          perHostMaxConnections:
+                            description: |-
+                              PerHostMaxConnections is the maximum number of connections
+                              that Envoy will allow to each individual host in a cluster.
+                            format: int32
+                            type: integer
                         type: object
                       dnsLookupFamily:
                         description: |-
@@ -600,9 +606,9 @@ spec:
                 description: |-
                   FeatureFlags defines toggle to enable new contour features.
                   Available toggles are:
-                  useEndpointSlices - configures contour to fetch endpoint data
+                  useEndpointSlices - Configures contour to fetch endpoint data
-                  from k8s endpoint slices. defaults to false and reading endpoint
+                  from k8s endpoint slices. defaults to true,
-                  data from the k8s endpoints.
+                  If false then reads endpoint data from the k8s endpoints.
                 items:
                   type: string
                 type: array
@@ -1141,8 +1147,10 @@ spec:
                   type:
                     description: |-
                       Defines the XDSServer to use for `contour serve`.
-                      Values: `contour` (default), `envoy`.
+                      Values: `envoy` (default), `contour (deprecated)`.
                       Other values will produce an error.
+                      Deprecated: this field will be removed in a future release when
+                      the `contour` xDS server implementation is removed.
                     type: string
                 type: object
             type: object
@@ -1360,7 +1368,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.15.0
   name: contourdeployments.projectcontour.io
 spec:
   preserveUnknownFields: false
@@ -1814,6 +1822,8 @@ spec:
                             to container and the other way around.
                             When not set, MountPropagationNone is used.
                             This field is beta in 1.10.
+                            When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+                            (which defaults to None).
                           type: string
                         name:
                           description: This must match the Name of a Volume.
@@ -1823,6 +1833,21 @@ spec:
                             Mounted read-only if true, read-write otherwise (false or unspecified).
                             Defaults to false.
                           type: boolean
+                        recursiveReadOnly:
+                          description: |-
+                            RecursiveReadOnly specifies whether read-only mounts should be handled
+                            recursively.
+                            If ReadOnly is false, this field has no meaning and must be unspecified.
+                            If ReadOnly is true, and this field is set to Disabled, the mount is not made
+                            recursively read-only.  If this field is set to IfPossible, the mount is made
+                            recursively read-only, if it is supported by the container runtime.  If this
+                            field is set to Enabled, the mount is made recursively read-only if it is
+                            supported by the container runtime, otherwise the pod will not be started and
+                            an error will be generated to indicate the reason.
+                            If this field is set to IfPossible or Enabled, MountPropagation must be set to
+                            None (or be unspecified, which defaults to None).
+                            If this field is not specified, it is treated as an equivalent of Disabled.
+                          type: string
                         subPath:
                           description: |-
                             Path within the volume from which the container's volume should be mounted.
@@ -1950,6 +1975,7 @@ spec:
                               items:
                                 type: string
                               type: array
+                              x-kubernetes-list-type: atomic
                             path:
                               description: 'path is Optional: Used as the mounted
                                 root, rather than the full Ceph tree, default is /'
@@ -1971,10 +1997,15 @@ spec:
                                 More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
                               properties:
                                 name:
+                                  default: ""
                                   description: |-
                                     Name of the referent.
-                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                    This field is effectively required, but due to backwards compatibility is
+                                    allowed to be empty. Instances of this type with an empty value here are
+                                    almost certainly wrong.
                                     TODO: Add other useful fields. apiVersion, kind, uid?
+                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                    TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
                                   type: string
                               type: object
                               x-kubernetes-map-type: atomic
@@ -2010,10 +2041,15 @@ spec:
                                 to OpenStack.
                               properties:
                                 name:
+                                  default: ""
                                   description: |-
                                     Name of the referent.
-                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                    This field is effectively required, but due to backwards compatibility is
+                                    allowed to be empty. Instances of this type with an empty value here are
+                                    almost certainly wrong.
                                     TODO: Add other useful fields. apiVersion, kind, uid?
+                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                    TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
                                   type: string
                               type: object
                               x-kubernetes-map-type: atomic
@@ -2078,11 +2114,17 @@ spec:
                                 - path
                                 type: object
                               type: array
+                              x-kubernetes-list-type: atomic
                             name:
+                              default: ""
                               description: |-
                                 Name of the referent.
-                                More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                This field is effectively required, but due to backwards compatibility is
+                                allowed to be empty. Instances of this type with an empty value here are
+                                almost certainly wrong.
                                 TODO: Add other useful fields. apiVersion, kind, uid?
+                                More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
                               type: string
                             optional:
                               description: optional specify whether the ConfigMap
@@ -2115,10 +2157,15 @@ spec:
                                 secret object contains more than one secret, all secret references are passed.
                               properties:
                                 name:
+                                  default: ""
                                   description: |-
                                     Name of the referent.
-                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                    This field is effectively required, but due to backwards compatibility is
+                                    allowed to be empty. Instances of this type with an empty value here are
+                                    almost certainly wrong.
                                     TODO: Add other useful fields. apiVersion, kind, uid?
+                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                    TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
                                   type: string
                               type: object
                               x-kubernetes-map-type: atomic
@@ -2162,8 +2209,8 @@ spec:
                                 properties:
                                   fieldRef:
                                     description: 'Required: Selects a field of the
-                                      pod: only annotations, labels, name and namespace
+                                      pod: only annotations, labels, name, namespace
-                                      are supported.'
+                                      and uid are supported.'
                                     properties:
                                       apiVersion:
                                         description: Version of the schema the FieldPath
@@ -2222,6 +2269,7 @@ spec:
                                 - path
                                 type: object
                               type: array
+                              x-kubernetes-list-type: atomic
                           type: object
                         emptyDir:
                           description: |-
@@ -2313,6 +2361,7 @@ spec:
                                       items:
                                         type: string
                                       type: array
+                                      x-kubernetes-list-type: atomic
                                     dataSource:
                                       description: |-
                                         dataSource field can be used to specify either:
@@ -2457,11 +2506,13 @@ spec:
                                                 items:
                                                   type: string
                                                 type: array
+                                                x-kubernetes-list-type: atomic
                                             required:
                                             - key
                                             - operator
                                             type: object
                                           type: array
+                                          x-kubernetes-list-type: atomic
                                         matchLabels:
                                           additionalProperties:
                                             type: string
@@ -2489,7 +2540,7 @@ spec:
                                         If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be
                                         set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource
                                         exists.
-                                        More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#volumeattributesclass
+                                        More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/
                                         (Alpha) Using this field requires the VolumeAttributesClass feature gate to be enabled.
                                       type: string
                                     volumeMode:
@@ -2533,6 +2584,7 @@ spec:
                               items:
                                 type: string
                               type: array
+                              x-kubernetes-list-type: atomic
                             wwids:
                               description: |-
                                 wwids Optional: FC volume world wide identifiers (wwids)
@@ -2540,6 +2592,7 @@ spec:
                               items:
                                 type: string
                               type: array
+                              x-kubernetes-list-type: atomic
                           type: object
                         flexVolume:
                           description: |-
@@ -2576,10 +2629,15 @@ spec:
                                 scripts.
                               properties:
                                 name:
+                                  default: ""
                                   description: |-
                                     Name of the referent.
-                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                    This field is effectively required, but due to backwards compatibility is
+                                    allowed to be empty. Instances of this type with an empty value here are
+                                    almost certainly wrong.
                                     TODO: Add other useful fields. apiVersion, kind, uid?
+                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                    TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
                                   type: string
                               type: object
                               x-kubernetes-map-type: atomic
@@ -2760,6 +2818,7 @@ spec:
                               items:
                                 type: string
                               type: array
+                              x-kubernetes-list-type: atomic
                             readOnly:
                               description: |-
                                 readOnly here will force the ReadOnly setting in VolumeMounts.
@@ -2770,10 +2829,15 @@ spec:
                                 target and initiator authentication
                               properties:
                                 name:
+                                  default: ""
                                   description: |-
                                     Name of the referent.
-                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                    This field is effectively required, but due to backwards compatibility is
+                                    allowed to be empty. Instances of this type with an empty value here are
+                                    almost certainly wrong.
                                     TODO: Add other useful fields. apiVersion, kind, uid?
+                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                    TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
                                   type: string
                               type: object
                               x-kubernetes-map-type: atomic
@@ -2944,11 +3008,13 @@ spec:
                                                   items:
                                                     type: string
                                                   type: array
+                                                  x-kubernetes-list-type: atomic
                                               required:
                                               - key
                                               - operator
                                               type: object
                                             type: array
+                                            x-kubernetes-list-type: atomic
                                           matchLabels:
                                             additionalProperties:
                                               type: string
@@ -3027,11 +3093,17 @@ spec:
                                           - path
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
-                                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           TODO: Add other useful fields. apiVersion, kind, uid?
+                                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                          TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
                                         type: string
                                       optional:
                                         description: optional specify whether the
@@ -3054,7 +3126,7 @@ spec:
                                             fieldRef:
                                               description: 'Required: Selects a field
                                                 of the pod: only annotations, labels,
-                                                name and namespace are supported.'
+                                                name, namespace and uid are supported.'
                                               properties:
                                                 apiVersion:
                                                   description: Version of the schema
@@ -3118,6 +3190,7 @@ spec:
                                           - path
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                     type: object
                                   secret:
                                     description: secret information about the secret
@@ -3161,11 +3234,17 @@ spec:
                                           - path
                                           type: object
                                         type: array
+                                        x-kubernetes-list-type: atomic
                                       name:
+                                        default: ""
                                         description: |-
                                           Name of the referent.
-                                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                          This field is effectively required, but due to backwards compatibility is
+                                          allowed to be empty. Instances of this type with an empty value here are
+                                          almost certainly wrong.
                                           TODO: Add other useful fields. apiVersion, kind, uid?
+                                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                          TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
                                         type: string
                                       optional:
                                         description: optional field specify whether
@@ -3204,6 +3283,7 @@ spec:
                                     type: object
                                 type: object
                               type: array
+                              x-kubernetes-list-type: atomic
                           type: object
                         quobyte:
                           description: quobyte represents a Quobyte mount on the host
@@ -3274,6 +3354,7 @@ spec:
                               items:
                                 type: string
                               type: array
+                              x-kubernetes-list-type: atomic
                             pool:
                               description: |-
                                 pool is the rados pool name.
@@ -3294,10 +3375,15 @@ spec:
                                 More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
                               properties:
                                 name:
+                                  default: ""
                                   description: |-
                                     Name of the referent.
-                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                    This field is effectively required, but due to backwards compatibility is
+                                    allowed to be empty. Instances of this type with an empty value here are
+                                    almost certainly wrong.
                                     TODO: Add other useful fields. apiVersion, kind, uid?
+                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                    TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
                                   type: string
                               type: object
                               x-kubernetes-map-type: atomic
@@ -3341,10 +3427,15 @@ spec:
                                 sensitive information. If this is not provided, Login operation will fail.
                               properties:
                                 name:
+                                  default: ""
                                   description: |-
                                     Name of the referent.
-                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                    This field is effectively required, but due to backwards compatibility is
+                                    allowed to be empty. Instances of this type with an empty value here are
+                                    almost certainly wrong.
                                     TODO: Add other useful fields. apiVersion, kind, uid?
+                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                    TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
                                   type: string
                               type: object
                               x-kubernetes-map-type: atomic
@@ -3429,6 +3520,7 @@ spec:
                                 - path
                                 type: object
                               type: array
+                              x-kubernetes-list-type: atomic
                             optional:
                               description: optional field specify whether the Secret
                                 or its keys must be defined
@@ -3460,10 +3552,15 @@ spec:
                                 credentials.  If not specified, default values will be attempted.
                               properties:
                                 name:
+                                  default: ""
                                   description: |-
                                     Name of the referent.
-                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                    This field is effectively required, but due to backwards compatibility is
+                                    allowed to be empty. Instances of this type with an empty value here are
+                                    almost certainly wrong.
                                     TODO: Add other useful fields. apiVersion, kind, uid?
+                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                    TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
                                   type: string
                               type: object
                               x-kubernetes-map-type: atomic
@@ -3805,6 +3902,12 @@ spec:
                                   Service; defaults to 3.
                                 format: int32
                                 type: integer
+                              perHostMaxConnections:
+                                description: |-
+                                  PerHostMaxConnections is the maximum number of connections
+                                  that Envoy will allow to each individual host in a cluster.
+                                format: int32
+                                type: integer
                             type: object
                           dnsLookupFamily:
                             description: |-
@@ -4285,9 +4388,9 @@ spec:
                     description: |-
                       FeatureFlags defines toggle to enable new contour features.
                       Available toggles are:
-                      useEndpointSlices - configures contour to fetch endpoint data
+                      useEndpointSlices - Configures contour to fetch endpoint data
-                      from k8s endpoint slices. defaults to false and reading endpoint
+                      from k8s endpoint slices. defaults to true,
-                      data from the k8s endpoints.
+                      If false then reads endpoint data from the k8s endpoints.
                     items:
                       type: string
                     type: array
@@ -4828,8 +4931,10 @@ spec:
                       type:
                         description: |-
                           Defines the XDSServer to use for `contour serve`.
-                          Values: `contour` (default), `envoy`.
+                          Values: `envoy` (default), `contour (deprecated)`.
                           Other values will produce an error.
+                          Deprecated: this field will be removed in a future release when
+                          the `contour` xDS server implementation is removed.
                         type: string
                     type: object
                 type: object
@@ -4923,7 +5028,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.15.0
   name: extensionservices.projectcontour.io
 spec:
   preserveUnknownFields: false
@@ -4968,6 +5073,39 @@ spec:
             description: ExtensionServiceSpec defines the desired state of an ExtensionService
               resource.
             properties:
+              circuitBreakerPolicy:
+                description: |-
+                  CircuitBreakerPolicy specifies the circuit breaker budget across the extension service.
+                  If defined this overrides the global circuit breaker budget.
+                properties:
+                  maxConnections:
+                    description: The maximum number of connections that a single Envoy
+                      instance allows to the Kubernetes Service; defaults to 1024.
+                    format: int32
+                    type: integer
+                  maxPendingRequests:
+                    description: The maximum number of pending requests that a single
+                      Envoy instance allows to the Kubernetes Service; defaults to
+                      1024.
+                    format: int32
+                    type: integer
+                  maxRequests:
+                    description: The maximum parallel requests a single Envoy instance
+                      allows to the Kubernetes Service; defaults to 1024
+                    format: int32
+                    type: integer
+                  maxRetries:
+                    description: The maximum number of parallel retries a single Envoy
+                      instance allows to the Kubernetes Service; defaults to 3.
+                    format: int32
+                    type: integer
+                  perHostMaxConnections:
+                    description: |-
+                      PerHostMaxConnections is the maximum number of connections
+                      that Envoy will allow to each individual host in a cluster.
+                    format: int32
+                    type: integer
+                type: object
               loadBalancerPolicy:
                 description: |-
                   The policy for load balancing GRPC service requests. Note that the
@@ -5371,7 +5509,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.15.0
   name: httpproxies.projectcontour.io
 spec:
   preserveUnknownFields: false
@@ -8226,6 +8364,7 @@ spec:
                           x-kubernetes-list-type: atomic
                       type: object
                     type: array
+                    x-kubernetes-list-type: atomic
                 type: object
             type: object
         required:
@@ -8241,7 +8380,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.15.0
   name: tlscertificatedelegations.projectcontour.io
 spec:
   preserveUnknownFields: false

dragonfly-operator/kustomization.yaml

@@ -9,7 +9,7 @@ images:
   newTag: v0.16.0
 - name: dragonfly-operator
   newName: docker.dragonflydb.io/dragonflydb/operator
-  newTag: v1.1.6
+  newTag: v1.1.7
 
 
 resources:

ente/kustomization.yaml

@@ -10,10 +10,10 @@ images:
     newTag: cdbf8c5f0971cb383df03c6b2f72ffb85387beef
   - name: photos
     newName: code.icb4dc0.de/infrastructure/images/ente/photos
-    newTag: v0.9.16
+    newTag: v0.9.27
   - name: cast
     newName: code.icb4dc0.de/infrastructure/images/ente/cast
-    newTag: v0.9.16
+    newTag: v0.9.27
 
 labels:
 - includeSelectors: true
@@ -23,6 +23,8 @@ labels:
 
 resources:
 - resources/namespace.yaml
+- resources/museum/db/db.yaml
+- resources/museum/db/user.yaml
 - resources/museum/deployment.yaml
 - resources/museum/service.yaml
 - resources/photos/deployment.yaml

ente/resources/museum/db/db.yaml

@@ -0,0 +1,8 @@
+---
+apiVersion: db.movetokube.com/v1alpha1
+kind: Postgres
+metadata:
+  name: ente
+spec:
+  database: ente
+  dropOnDelete: false

ente/resources/museum/db/user.yaml

@@ -0,0 +1,10 @@
+---
+apiVersion: db.movetokube.com/v1alpha1
+kind: PostgresUser
+metadata:
+  name: ente
+spec:
+  role: ente
+  database: ente-ente
+  secretName: ente-db-credentials
+  privileges: OWNER

ente/resources/museum/deployment.yaml

@@ -23,23 +23,23 @@ spec:
           - name: ENTE_DB_HOST
             valueFrom:
               secretKeyRef:
-                name: default-cluster-pguser-ente
+                name: ente-db-credentials-ente-ente
-                key: host
+                key: HOST
           - name: ENTE_DB_NAME
             valueFrom:
               secretKeyRef:
-                name: default-cluster-pguser-ente
+                name: ente-db-credentials-ente-ente
-                key: dbname
+                key: DATABASE_NAME
           - name: ENTE_DB_USER
             valueFrom:
               secretKeyRef:
-                name: default-cluster-pguser-ente
+                name: ente-db-credentials-ente-ente
-                key: user
+                key: LOGIN
           - name: ENTE_DB_PASSWORD
             valueFrom:
               secretKeyRef:
-                name: default-cluster-pguser-ente
+                name: ente-db-credentials-ente-ente
-                key: password
+                key: PASSWORD
           - name: ENTE_DB_SSLMODE
             value: require
         resources:

fider/kustomization.yaml

@@ -11,6 +11,8 @@ labels:
 
 resources:
   - "resources/namespace.yaml"
+  - "resources/db/db.yaml"
+  - "resources/db/user.yaml"
   - "resources/deployment.yaml"
   - "resources/service.yaml"
   - "resources/http_routes.yaml"

fider/resources/db/db.yaml

@@ -0,0 +1,8 @@
+---
+apiVersion: db.movetokube.com/v1alpha1
+kind: Postgres
+metadata:
+  name: fider
+spec:
+  database: fider
+  dropOnDelete: false

fider/resources/db/user.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: db.movetokube.com/v1alpha1
+kind: PostgresUser
+metadata:
+  name: fider
+spec:
+  role: fider
+  database: fider
+  secretName: db-credentials
+  privileges: OWNER
+  secretTemplate:
+    PQ_URL: "postgresql://{{.Role}}:{{.Password}}@app-cluster-pooler-rw.postgres.svc:5432/{{.Database}}?sslmode=require"

fider/resources/deployment.yaml

@@ -26,6 +26,11 @@ spec:
               valueFrom:
                 resourceFieldRef:
                   resource: limits.memory
+            - name: DATABASE_URL
+              valueFrom:
+                secretKeyRef:
+                  name: db-credentials-fider
+                  key: PQ_URL
           envFrom:
             - secretRef:
                 name: fider-config

fider/resources/http_routes.yaml

@@ -28,10 +28,56 @@ spec:
   parentRefs:
   - name: contour
     namespace: projectcontour
+    sectionName: https
   hostnames:
   - fider.icb4dc0.de
-  - login.fider.icb4dc0.de
+  rules:
-  - community.buildr.icb4dc0.de
+  - backendRefs:
+    - name: fider
+      port: 3000
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: fider-login-https
+spec:
+  parentRefs:
+  - name: contour
+    namespace: projectcontour
+    sectionName: fider-login
+  hostnames:
+  - fider.icb4dc0.de
+  rules:
+  - backendRefs:
+    - name: fider
+      port: 3000
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: inetmock-fider-https
+spec:
+  parentRefs:
+  - name: contour
+    namespace: projectcontour
+    sectionName: inetmock-fider-community
+  hostnames:
+  - community.inetmock.icb4dc0.de
+  rules:
+  - backendRefs:
+    - name: fider
+      port: 3000
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: buildr-fider-https
+spec:
+  parentRefs:
+  - name: contour
+    namespace: projectcontour
+    sectionName: buildr-fider-community
+  hostnames:
   - community.inetmock.icb4dc0.de
   rules:
   - backendRefs:

forgejo/config/values.forgejo.yaml

@@ -91,9 +91,9 @@ gitea:
       STORAGE_TYPE: minio
     database:
       DB_TYPE: postgres
-      HOST: default-cluster-primary.postgres.svc
+      HOST: app-cluster-pooler-rw.postgres.svc
       NAME: forgejo
-      USER: forgejo
+      USER: forgejo-6a95jj
       SSL_MODE: require
       log_sql: "false"
     cache:

forgejo/kustomization.yaml

@@ -12,12 +12,14 @@ labels:
 images:
   - name: act_runner
     newName: code.forgejo.org/forgejo/runner
-    newTag: "3.5.0"
+    newTag: "3.5.1"
   - name: dind
     newName: docker
-    newTag: 27.1.1-dind
+    newTag: 27.1.2-dind
 
 resources:
+  - resources/db/db.yaml
+  - resources/db/user.yaml
   - resources/secrets/admin-credentials.yaml
   - resources/secrets/infra-credentials.yaml
   - resources/secrets/meili-credentials.yaml
@@ -46,7 +48,7 @@ helmCharts:
     repo: oci://codeberg.org/forgejo-contrib
     releaseName: forgejo
     namespace: forgejo
-    version: "8.1.1"
+    version: "8.2.0"
     valuesFile: config/values.forgejo.yaml
     skipTests: true
     apiVersions:
@@ -55,6 +57,6 @@ helmCharts:
     repo: https://meilisearch.github.io/meilisearch-kubernetes
     releaseName: forgejo-indexer
     namespace: forgejo
-    version: "0.9.0"
+    version: "0.9.1"
     valuesFile: config/values.meilisearch.yaml
     skipTests: true

forgejo/resources/db/db.yaml

@@ -0,0 +1,8 @@
+---
+apiVersion: db.movetokube.com/v1alpha1
+kind: Postgres
+metadata:
+  name: forgejo
+spec:
+  database: forgejo
+  dropOnDelete: false

forgejo/resources/db/user.yaml

@@ -0,0 +1,10 @@
+---
+apiVersion: db.movetokube.com/v1alpha1
+kind: PostgresUser
+metadata:
+  name: forgejo
+spec:
+  role: forgejo
+  database: forgejo
+  secretName: forgejo-db-credentials
+  privileges: OWNER

hcloud/kustomization.yaml

@@ -19,5 +19,5 @@ helmCharts:
     repo: https://charts.hetzner.cloud
     releaseName: hcloud-csi-driver
     namespace: kube-system
-    version: "2.8.0"
+    version: "2.9.0"
     valuesFile: config/values.csi.yaml

hedgedoc/kustomization.yaml

@@ -16,6 +16,8 @@ labels:
 
 resources:
   - "resources/namespace.yaml"
+  - "resources/db/db.yaml"
+  - "resources/db/user.yaml"
   - "resources/deployment.yaml"
   - "resources/service.yaml"
   - "resources/http_routes.yaml"

hedgedoc/resources/db/db.yaml

@@ -0,0 +1,8 @@
+---
+apiVersion: db.movetokube.com/v1alpha1
+kind: Postgres
+metadata:
+  name: hedgedoc
+spec:
+  database: hedgedoc
+  dropOnDelete: false

hedgedoc/resources/db/user.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: db.movetokube.com/v1alpha1
+kind: PostgresUser
+metadata:
+  name: hedgedoc
+spec:
+  role: hedgedoc
+  database: hedgedoc
+  secretName: db-credentials
+  privileges: OWNER
+  secretTemplate:
+    PQ_URL: "postgresql://{{.Role}}:{{.Password}}@app-cluster-pooler-rw.postgres.svc:5432/{{.Database}}?sslmode=require"

hedgedoc/resources/deployment.yaml

@@ -19,8 +19,8 @@ spec:
           - name: CMD_DB_URL
             valueFrom:
               secretKeyRef:
-                name: default-cluster-pguser-hedgedoc
+                name: db-credentials-hedgedoc
-                key: uri
+                key: PQ_URL
           - name: NODE_EXTRA_CA_CERTS
             value: /certs/ca.crt
         envFrom:

kube-prometheus/config/values.prometheus.yaml

@@ -15,24 +15,9 @@ prometheus:
     retention: 7d
     nodeSelector:
       kubernetes.io/arch: arm64
-    serviceMonitorNamespaceSelector:
+    serviceMonitorSelectorNilUsesHelmValues: false
-      matchLabels:
+    podMonitorSelectorNilUsesHelmValues: false
-        prometheus: default
+    ruleSelectorNilUsesHelmValues: false
-    serviceMonitorSelector:
-      matchLabels:
-        prometheus: default
-    ruleSelector:
-      matchLabels:
-        prometheus: default
-    ruleNamespaceSelector:
-      matchLabels:
-        prometheus: default
-    podMonitorSelector:
-      matchLabels:
-        prometheus: default
-    podMonitorNamespaceSelector:
-      matchLabels:
-        prometheus: default
     resources:
       requests:
         memory: 1500Mi
@@ -89,17 +74,17 @@ grafana:
     enabled: false
   envFromSecrets:
     - name: grafana-auth
-    - name: grafana-db
+    - name: db-credentials-grafana
   grafana.ini:
     server:
       domain: grafana.icb4dc0.de
       root_url: "https://%(domain)s"
     database:
       type: postgres
-      host: default-cluster-primary.postgres.svc:5432
+      host: app-cluster-pooler-rw.postgres.svc:5432
-      name: grafana
+      name: "${DATABASE_NAME}"
-      user: "${GF_DB_USER}"
+      user: "${LOGIN}"
-      password: "${GF_DB_PASSWORD}"
+      password: "${PASSWORD}"
       ssl_mode: require
     auth:
       disable_login_form: true

kube-prometheus/kustomization.yaml

@@ -7,6 +7,8 @@ resources:
   - resources/secret.grafana-admin.yaml
   - resources/secret.auth.yaml
   - resources/secret.db.yaml
+  - resources/db/db.yaml
+  - resources/db/user.yaml
   - resources/http_routes.grafana.yaml
 
 helmCharts:
@@ -15,5 +17,5 @@ helmCharts:
     includeCRDs: true
     namespace: observability-system
     releaseName: prometheus
-    version: "61.7.2"
+    version: "62.3.0"
     valuesFile: config/values.prometheus.yaml

kube-prometheus/resources/db/db.yaml

@@ -0,0 +1,8 @@
+---
+apiVersion: db.movetokube.com/v1alpha1
+kind: Postgres
+metadata:
+  name: grafana
+spec:
+  database: grafana
+  dropOnDelete: false

kube-prometheus/resources/db/user.yaml

@@ -0,0 +1,10 @@
+---
+apiVersion: db.movetokube.com/v1alpha1
+kind: PostgresUser
+metadata:
+  name: grafana
+spec:
+  role: grafana
+  database: grafana
+  secretName: db-credentials
+  privileges: OWNER

linkwarden/kustomization.yaml

@@ -11,10 +11,12 @@ labels:
 images:
   - name: linkwarden
     newName: ghcr.io/linkwarden/linkwarden
-    newTag: "v2.6.2"
+    newTag: "v2.7.1"
 
 resources:
   - "resources/namespace.yaml"
+  - "resources/db/db.yaml"
+  - "resources/db/user.yaml"
   - "resources/deployment.yaml"
   - "resources/service.yaml"
   - "resources/http_routes.yaml"

linkwarden/resources/db/db.yaml

@@ -0,0 +1,8 @@
+---
+apiVersion: db.movetokube.com/v1alpha1
+kind: Postgres
+metadata:
+  name: linkwarden
+spec:
+  database: linkwarden
+  dropOnDelete: false

linkwarden/resources/db/user.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: db.movetokube.com/v1alpha1
+kind: PostgresUser
+metadata:
+  name: linkwarden
+spec:
+  role: linkwarden
+  database: linkwarden
+  secretName: db-credentials
+  privileges: OWNER
+  secretTemplate:
+    PQ_URL: "postgresql://{{.Role}}:{{.Password}}@app-cluster-pooler-rw.postgres.svc:5432/{{.Database}}?sslmode=require&pgbouncer=true"
+    PQ_MIGRATE_URL: "postgresql://{{.Role}}:{{.Password}}@{{.Host}}:5432/{{.Database}}?sslmode=require"

linkwarden/resources/deployment.yaml

@@ -30,8 +30,8 @@ spec:
             - name: DATABASE_URL
               valueFrom:
                 secretKeyRef:
-                  name: default-cluster-pguser-linkwarden
+                  name: db-credentials-linkwarden
-                  key: uri
+                  key: PQ_MIGRATE_URL
       containers:
         - name: linkwarden
           image: linkwarden
@@ -41,8 +41,8 @@ spec:
             - name: DATABASE_URL
               valueFrom:
                 secretKeyRef:
-                  name: default-cluster-pguser-linkwarden
+                  name: db-credentials-linkwarden
-                  key: uri
+                  key: PQ_URL
           envFrom:
             - secretRef:
                 name: linkwarden-config

nocodb/kustomization.yaml

@@ -6,7 +6,7 @@ namespace: nocodb
 images:
 - name: nocodb
   newName: docker.io/nocodb/nocodb
-  newTag: 0.252.0
+  newTag: 0.255.0
 
 labels:
 - includeSelectors: true
@@ -16,6 +16,8 @@ labels:
 
 resources:
 - resources/namespace.yaml
+- resources/db/db.yaml
+- resources/db/user.yaml
 - resources/dragonfly.yaml
 - resources/pvc.yaml
 - resources/deployment.yaml

nocodb/resources/db/db.yaml

@@ -0,0 +1,8 @@
+---
+apiVersion: db.movetokube.com/v1alpha1
+kind: Postgres
+metadata:
+  name: noco
+spec:
+  database: noco
+  dropOnDelete: false

nocodb/resources/db/user.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: db.movetokube.com/v1alpha1
+kind: PostgresUser
+metadata:
+  name: noco
+spec:
+  role: noco
+  database: noco
+  secretName: db-credentials
+  privileges: OWNER
+  secretTemplate:
+    NC_DB_JSON: '{"client": "pg","connection": {"host": "app-cluster-pooler-rw.postgres.svc","port": 5432,"user": "{{.Role}}","password": "{{.Password}}","database": "{{.Database}}","ssl": {"ca": "-----BEGIN CERTIFICATE-----\nMIIBkjCCATigAwIBAgIQDfi4fTFY2eKrhN88nKEUDTAKBggqhkjOPQQDAjApMREw\nDwYDVQQLEwhwb3N0Z3JlczEUMBIGA1UEAxMLYXBwLWNsdXN0ZXIwHhcNMjQwODE0\nMTg0MzIzWhcNMjQxMTEyMTg0MzIzWjApMREwDwYDVQQLEwhwb3N0Z3JlczEUMBIG\nA1UEAxMLYXBwLWNsdXN0ZXIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQotXOi\nx9tfnUaG7A6T6x5YuBgKCvBAGw7q0C0teHWRIxSaoaiD6KV21juVpAgKoZckXA8x\niZW0GUHOoAUrCV7Ao0IwQDAOBgNVHQ8BAf8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB\n/zAdBgNVHQ4EFgQUuMEs3ztFClbC2agTqXkfkB1GHjkwCgYIKoZIzj0EAwIDSAAw\nRQIgK6FHhGYZ/FwxG8dDq2czVLvLCs+yozZZhNuhZBeT8v0CIQDhwRgJNeMxKtRS\nu3ziF4E4aniICEqa/To3Lvaa1cJJiQ==\n-----END CERTIFICATE-----","key": "","cert": "","rejectUnauthorized": false}}}'

nocodb/resources/deployment.yaml

@@ -19,6 +19,12 @@ spec:
       containers:
         - name: nocodb
           image: nocodb
+          env:
+            - name: NC_DB_JSON
+              valueFrom:
+                secretKeyRef:
+                  name: db-credentials-noco
+                  key: NC_DB_JSON
           envFrom:
             - secretRef:
                 name: nocodb-config

s3-csi/kustomization.yaml

@@ -10,7 +10,7 @@ resources:
 images:
   - name: registrar
     newName: registry.k8s.io/sig-storage/csi-node-driver-registrar
-    newTag: v2.11.1
+    newTag: v2.12.0
   - name: provisioner
     newName: registry.k8s.io/sig-storage/csi-provisioner
     newTag: v3.6.4

umami/kustomization.yaml

@@ -16,6 +16,8 @@ labels:
 
 resources:
   - "resources/namespace.yaml"
+  - "resources/db/db.yaml"
+  - "resources/db/user.yaml"
   - "resources/deployment.yaml"
   - "resources/service.yaml"
   - "resources/http_route.yaml"

umami/resources/db/db.yaml

@@ -0,0 +1,8 @@
+---
+apiVersion: db.movetokube.com/v1alpha1
+kind: Postgres
+metadata:
+  name: umami
+spec:
+  database: umami
+  dropOnDelete: false

umami/resources/db/user.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: db.movetokube.com/v1alpha1
+kind: PostgresUser
+metadata:
+  name: umami
+spec:
+  role: umami
+  database: umami
+  secretName: db-credentials
+  privileges: OWNER
+  secretTemplate:
+    PQ_URL: "postgresql://{{.Role}}:{{.Password}}@{{.Host}}:5432/{{.Database}}"

umami/resources/deployment.yaml

@@ -25,8 +25,8 @@ spec:
             - name: DATABASE_URL
               valueFrom:
                 secretKeyRef:
-                  name: default-cluster-pguser-umami
+                  name: db-credentials-umami
-                  key: uri
+                  key: PQ_URL
           envFrom:
             - configMapRef:
                 name: umami-config
@@ -53,8 +53,8 @@ spec:
             - name: DATABASE_URL
               valueFrom:
                 secretKeyRef:
-                  name: default-cluster-pguser-umami
+                  name: db-credentials-umami
-                  key: uri
+                  key: PQ_URL
           envFrom:
             - configMapRef:
                 name: umami-config

vaultwarden/kustomization.yaml

@@ -12,10 +12,12 @@ labels:
 images:
   - name: vaultwarden
     newName: ghcr.io/dani-garcia/vaultwarden
-    newTag: "1.31.0-alpine"
+    newTag: "1.32.0-alpine"
 
 resources:
   - "resources/namespace.yaml"
+  - "resources/db/db.yaml"
+  - "resources/db/user.yaml"
   - "resources/pvc.yaml"
   - "resources/deployment.yaml"
   - "resources/service.yaml"

vaultwarden/resources/db/db.yaml

@@ -0,0 +1,8 @@
+---
+apiVersion: db.movetokube.com/v1alpha1
+kind: Postgres
+metadata:
+  name: vaultwarden
+spec:
+  database: vaultwarden
+  dropOnDelete: false

vaultwarden/resources/db/user.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: db.movetokube.com/v1alpha1
+kind: PostgresUser
+metadata:
+  name: vaultwarden
+spec:
+  role: vaultwarden
+  database: vaultwarden
+  secretName: vaultwarden-db-credentials
+  privileges: OWNER
+  secretTemplate:
+    PQ_URL: "postgresql://{{.Role}}:{{.Password}}@app-cluster-pooler-rw.postgres.svc:5432/{{.Database}}?sslmode=require"

vaultwarden/resources/deployment.yaml

@@ -24,8 +24,8 @@ spec:
           - name: DATABASE_URL
             valueFrom:
               secretKeyRef:
-                name: default-cluster-pguser-vaultwarden
+                name: vaultwarden-db-credentials-vaultwarden
-                key: uri
+                key: PQ_URL
         resources:
           limits:
             memory: "128Mi"

vikunja/kustomization.yaml

@@ -19,6 +19,8 @@ labels:
 
 resources:
   - resources/namespace.yaml
+  - resources/db/db.yaml
+  - resources/db/user.yaml
   - resources/api/dragonfly.yaml
   - resources/api/pvc.yaml
   - resources/api/deployment.yaml

vikunja/resources/api/deployment.yaml

@@ -30,25 +30,22 @@ spec:
             - name: VIKUNJA_DATABASE_SSLMODE
               value: require
             - name: VIKUNJA_DATABASE_HOST
-              valueFrom:
+              value: app-cluster-pooler-rw.postgres.svc
-                secretKeyRef:
-                  name: default-cluster-pguser-vikunja
-                  key: host
             - name: VIKUNJA_DATABASE_DATABASE
               valueFrom:
                 secretKeyRef:
-                  name: default-cluster-pguser-vikunja
+                  name: db-credentials-vikunja
-                  key: dbname
+                  key: DATABASE_NAME
             - name: VIKUNJA_DATABASE_USER
               valueFrom:
                 secretKeyRef:
-                  name: default-cluster-pguser-vikunja
+                  name: db-credentials-vikunja
-                  key: user
+                  key: LOGIN
             - name: VIKUNJA_DATABASE_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: default-cluster-pguser-vikunja
+                  name: db-credentials-vikunja
-                  key: password
+                  key: PASSWORD
             - name: GOMEMLIMIT
               valueFrom:
                 resourceFieldRef:

vikunja/resources/db/db.yaml

@@ -0,0 +1,8 @@
+---
+apiVersion: db.movetokube.com/v1alpha1
+kind: Postgres
+metadata:
+  name: vikunja
+spec:
+  database: vikunja
+  dropOnDelete: false

vikunja/resources/db/user.yaml

@@ -0,0 +1,10 @@
+---
+apiVersion: db.movetokube.com/v1alpha1
+kind: PostgresUser
+metadata:
+  name: vikunja
+spec:
+  role: vikunja
+  database: vikunja
+  secretName: db-credentials
+  privileges: OWNER

zipline/kustomization.yaml

@@ -16,6 +16,8 @@ labels:
 
 resources:
   - "resources/namespace.yaml"
+  - "resources/db/db.yaml"
+  - "resources/db/user.yaml"
   - "resources/deployment.yaml"
   - "resources/service.yaml"
   - "resources/http_route.yaml"

zipline/resources/db/db.yaml

@@ -0,0 +1,8 @@
+---
+apiVersion: db.movetokube.com/v1alpha1
+kind: Postgres
+metadata:
+  name: zipline
+spec:
+  database: zipline
+  dropOnDelete: false

zipline/resources/db/user.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: db.movetokube.com/v1alpha1
+kind: PostgresUser
+metadata:
+  name: zipline
+spec:
+  role: zipline
+  database: zipline
+  secretName: db-credentials
+  privileges: OWNER
+  secretTemplate:
+    PQ_URL: "postgresql://{{.Role}}:{{.Password}}@app-cluster-pooler-rw.postgres.svc:5432/{{.Database}}?sslmode=require"

zipline/resources/deployment.yaml

@@ -16,6 +16,12 @@ spec:
       containers:
       - name: zipline
         image: zipline
+        env:
+          - name: CORE_DATABASE_URL
+            valueFrom:
+              secretKeyRef:
+                name: db-credentials-zipline
+                key: PQ_URL
         envFrom:
           - secretRef:
               name: zipline-config