openova/platform/cnpg
hatiyildiz 119a1e53a0 docs(components): terminology pass across platform and product READMEs
Bring per-component READMEs in line with the canonical glossary
(docs/GLOSSARY.md). Substantive architectural content unchanged —
this is a terminology + reference correctness pass.

Placeholder rename: <tenant> → <org> in YAML / IaC examples across
- platform/cnpg/README.md           (Cluster + Pooler + ScheduledBackup)
- platform/debezium/README.md       (PostgreSQL connector + topic patterns)
- platform/external-secrets/README.md (ExternalSecret / SecretStore)
- platform/grafana/README.md        (Instrumentation namespace)
- platform/k8gb/README.md           (Gslb + namespace + kubectl examples)
- platform/keda/README.md           (ScaledObject + Kafka triggers + Prometheus)
- platform/opentofu/README.md       (server resource example)
- platform/velero/README.md         (BackupStorageLocation buckets)
- platform/vpa/README.md            (VerticalPodAutoscaler examples)
- platform/flux/README.md           (kustomization name + tenants/ → organizations/)

"Catalyst IDP" → "Catalyst console":
- platform/crossplane/README.md     (integration section retitled and
                                      rewritten — Crossplane is platform
                                      plumbing, not user-facing)
- platform/gitea/README.md          (architecture diagram + integration table)
- platform/kyverno/README.md        (rollout tracking surface)
- products/fingate/README.md        (TPP onboarding portal)

"Bootstrap wizard" → "Catalyst bootstrap":
- platform/openbao/README.md        (bootstrap procedure rewritten —
                                      independent Raft per region clarified;
                                      cross-references docs/SECURITY.md §5)
- platform/opentofu/README.md       (Quick Start)

Kyverno labels & prose:
- openova.io/tenant → openova.io/organization (label rename for
  consistency; deployed clusters will add new label as a co-label
  during migration window)
- "tenant labels" / "tenant namespace" prose updated to
  "Organization labels" / "Organization-labeled namespace"
- Priority class names (tenant-high, tenant-default, tenant-batch)
  retained as deployed artifact names — rename pending in a
  separate migration ticket

No banned-term hits remain in component READMEs (verified by grep
in docs/GLOSSARY.md banned-terms table).

Refs #37
2026-04-27 20:06:51 +02:00

CNPG (CloudNative PostgreSQL)

PostgreSQL operator for the OpenOva platform.

Status: Accepted | Updated: 2026-01-17


Overview

CloudNative PostgreSQL (CNPG) provides production-grade PostgreSQL with:

  • Kubernetes-native operator
  • WAL streaming for multi-region DR
  • Automated backups to MinIO/S3
  • High availability with automatic failover

Architecture

Single Region

flowchart TB
    subgraph Cluster["CNPG Cluster"]
        Primary[Primary]
        Replica1[Replica 1]
        Replica2[Replica 2]
    end

    subgraph Backup["Backup"]
        MinIO[MinIO]
    end

    Primary -->|"WAL Stream"| Replica1
    Primary -->|"WAL Stream"| Replica2
    Primary -->|"WAL Archive"| MinIO

Multi-Region DR

flowchart TB
    subgraph Region1["Region 1 (Primary)"]
        PG1[CNPG Primary]
    end

    subgraph Region2["Region 2 (DR)"]
        PG2[CNPG Standby]
    end

    subgraph Backup["Backup"]
        MinIO[MinIO]
    end

    PG1 -->|"WAL Streaming"| PG2
    PG1 -->|"WAL Archive"| MinIO
    PG2 -->|"WAL Restore"| MinIO

Configuration

Cluster Definition

apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
  name: <org>-postgres
  namespace: databases
spec:
  instances: 3

  postgresql:
    parameters:
      max_connections: "200"
      shared_buffers: 256MB

  storage:
    size: 10Gi
    storageClass: <storage-class>

  backup:
    barmanObjectStore:
      destinationPath: s3://cnpg-backups/<org>
      endpointURL: http://minio.storage.svc:9000
      s3Credentials:
        accessKeyId:
          name: minio-credentials
          key: access-key
        secretAccessKey:
          name: minio-credentials
          key: secret-key
      wal:
        compression: gzip
    retentionPolicy: "30d"

  monitoring:
    enablePodMonitor: true

DR Replica (Region 2)

apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
  name: <org>-postgres-dr
  namespace: databases
spec:
  instances: 1

  # A replica cluster has to be bootstrapped from its source; without this
  # section CNPG would initialise an empty, unrelated database instead.
  bootstrap:
    pg_basebackup:
      source: <org>-postgres

  replica:
    enabled: true
    source: <org>-postgres

  storage:
    size: 10Gi          # size it to hold the source cluster's data
    storageClass: <storage-class>

  externalClusters:
    - name: <org>-postgres
      connectionParameters:
        host: postgres.region1.<domain>
        user: streaming_replica
        # Cross-region streaming leaves the cluster network: set sslmode
        # (and a CA via sslRootCert) explicitly instead of relying on defaults.
      password:
        name: pg-replica-credentials
        key: password

Backup Strategy

| Type          | Schedule   | Retention  |
|---------------|------------|------------|
| WAL Archive   | Continuous | 7 days     |
| Base Backup   | Daily 2 AM | 30 days    |
| Point-in-Time | On-demand  | Per backup |

Scheduled Backup

apiVersion: postgresql.cnpg.io/v1
kind: ScheduledBackup
metadata:
  name: <org>-daily-backup
  namespace: databases
spec:
  schedule: "0 2 * * *"
  backupOwnerReference: self
  cluster:
    name: <org>-postgres
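The "Point-in-Time / On-demand" row above has no manifest on this page, so here is an added example (not part of the original README) of how such a recovery looks with CNPG: a new cluster bootstrapped from the same barmanObjectStore that the Cluster definition archives to, rolled forward to a chosen timestamp. The cluster name `<org>-postgres-restore` and the `targetTime` value are constructed placeholders; the object-store settings are copied from the Cluster definition above.

```yaml
# Added example: point-in-time recovery of <org>-postgres into a NEW cluster.
# Restoring into a separate cluster keeps the source and its archive intact
# while the recovered data is verified.
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
  name: <org>-postgres-restore   # constructed name; never reuse the source name
  namespace: databases
spec:
  instances: 1

  bootstrap:
    recovery:
      source: <org>-postgres
      recoveryTarget:
        # CNPG timestamp format "YYYY-MM-DD HH24:MI:SS.FF6TZH"; placeholder value
        targetTime: "2026-01-17 01:30:00.000000+00"

  # Read-only view of the source's archive: base backups + WAL segments
  externalClusters:
    - name: <org>-postgres          # must match the archiving cluster's name
      barmanObjectStore:
        destinationPath: s3://cnpg-backups/<org>
        endpointURL: http://minio.storage.svc:9000
        s3Credentials:
          accessKeyId:
            name: minio-credentials
            key: access-key
          secretAccessKey:
            name: minio-credentials
            key: secret-key
        wal:
          compression: gzip

  storage:
    size: 10Gi
    storageClass: <storage-class>

  # Deliberately no spec.backup here. If backups are later enabled on the
  # restored cluster, give it its own destinationPath so it can never
  # overwrite the source cluster's archive.
```

Recovery stops at the first transaction committed after `targetTime`, so the WAL retention in the table (7 days) bounds how far back a point-in-time restore can reach; anything older needs a base backup plus its own contiguous WAL. The restore is only evidence of a working backup once someone has actually applied it and queried the result, which is why the example targets a throwaway cluster.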

Failover

Automatic (Within Region)

CNPG automatically promotes a replica when the primary fails.

Manual (Cross-Region)

# Promote the DR replica cluster to a standalone primary by leaving replica mode.
# (kubectl cnpg promote elects a new primary among the instances of one cluster;
# it does not detach a replica cluster from its source.)
kubectl patch clusters.postgresql.cnpg.io <org>-postgres-dr -n databases \
  --type merge -p '{"spec":{"replica":{"enabled":false}}}'

Monitoring

| Metric                      | Description                |
|-----------------------------|----------------------------|
| cnpg_pg_replication_lag     | Replication lag in seconds |
| cnpg_pg_database_size_bytes | Database size              |
| cnpg_pg_stat_activity_count | Active connections         |
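The table lists the metrics but not what to do with them. Below is an added example (not part of the original README) of a Prometheus-operator `PrometheusRule` that alerts on two of them: replication lag, which is what decides whether the Region 2 standby is actually usable for DR, and connection count approaching the `max_connections: "200"` set in the Cluster definition. The `pod` label is assumed to come from the PodMonitor that `enablePodMonitor: true` creates; the thresholds (30 s, 160 connections = 80% of 200) and the rule name are constructed.

```yaml
# Added example: alerting rules over the CNPG metrics listed above.
# Assumes the Prometheus operator is installed and scrapes the CNPG PodMonitor.
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  name: <org>-postgres-alerts        # constructed name
  namespace: databases
  labels:
    release: prometheus              # adjust to your operator's ruleSelector
spec:
  groups:
    - name: cnpg-<org>-postgres
      rules:
        # Standby falling behind: the DR cluster only protects data up to
        # the last WAL it has received.
        - alert: CNPGReplicationLagHigh
          expr: |
            max by (pod) (
              cnpg_pg_replication_lag{pod=~"<org>-postgres.*"}
            ) > 30
          for: 5m
          labels:
            severity: warning
          annotations:
            summary: "Replication lag on {{ $labels.pod }} above 30s"
            description: "Lag is {{ $value }}s; check WAL streaming and archive"

        # Connection pressure: 160 is 80% of the max_connections (200)
        # configured in the Cluster definition. Sudden saturation is as
        # often a misbehaving or unexpected client as organic load.
        - alert: CNPGConnectionsNearLimit
          expr: |
            sum by (pod) (
              cnpg_pg_stat_activity_count{pod=~"<org>-postgres.*"}
            ) > 160
          for: 10m
          labels:
            severity: warning
          annotations:
            summary: "{{ $labels.pod }} has {{ $value }} connections (limit 200)"
            description: "Route clients through the Pooler or raise max_connections"

        # Absence of data is itself a signal: a silent exporter hides both
        # of the conditions above.
        - alert: CNPGMetricsMissing
          expr: absent(cnpg_pg_replication_lag{pod=~"<org>-postgres.*"})
          for: 10m
          labels:
            severity: warning
          annotations:
            summary: "No CNPG metrics from <org>-postgres for 10m"
```

The `sum by (pod)` on `cnpg_pg_stat_activity_count` is there because the metric is normally broken down by additional labels (e.g. connection state), and the alert should fire on the total per instance. With the PgBouncer Pooler in transaction mode, expect the count on the database pods to stay near `default_pool_size` per pooler instance even when client connections climb; a count near the limit then usually means clients are bypassing the pooler.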

PgBouncer Integration

Connection pooling with PgBouncer:

apiVersion: postgresql.cnpg.io/v1
kind: Pooler
metadata:
  name: <org>-pooler
  namespace: databases
spec:
  cluster:
    name: <org>-postgres
  instances: 2
  type: rw
  pgbouncer:
    poolMode: transaction
    parameters:
      max_client_conn: "1000"
      default_pool_size: "20"

Part of OpenOva