CloudNative-PG

CloudNative-PG is the PostgreSQL operator that runs the platform’s main database cluster. It owns the lifecycle of every Postgres database that other apps depend on — Authentik, Forgejo, Grafana, Airflow, and so on all share this single CNPG cluster, each in their own logical database.

Field        Value
Flux path    flux-clusters/stefanzhelev/apps/cloudnative-pg
Base path    flux-apps/cloudnative-pg
Namespace    cnpg-system (operator), cnpg (cluster)
Sync wave    3
Depends on   external-secrets-config, tofu-controller
  • HelmRelease for the cloudnative-pg operator chart 0.23.0 in cnpg-system
  • A Cluster CR in the cnpg namespace defining a 3-instance PostgreSQL 17 cluster
  • ExternalSecret pulling the superuser credentials from Vault
  • Terraform CR (via Tofu Controller) that creates databases and users for downstream apps
  • PostgreSQL version: 17
  • Instances: 3 with topology spread across the stateful-ha node pool for HA
  • Storage: 50Gi per instance
  • Per-pod resources: 250m CPU / 512Mi memory
  • Connection pooling and tuning: sized for the combined load of every CNPG-backed app on the platform
  • Provisioning model: downstream apps get their own database and role through a Terraform CR rather than direct SQL — keeps everything declarative
  • Vault: superuser secret lives in Vault and is synced into the namespace by ExternalSecrets
  • Tofu Controller: databases and roles for every consuming app are provisioned through a Terraform CR rather than imperative SQL
  • Consumers: Authentik, Forgejo, Grafana, Airflow
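As an added example, not the platform's own Terraform module, this is the shape of the root module a Terraform CR of this kind would apply to give each consuming app its own database and a single owner role with no cluster-wide privileges. It assumes the cyrilgdn/postgresql provider, superuser connection details reaching the Tofu runner as PGHOST/PGUSER/PGPASSWORD from the Vault-synced secret, and per-app passwords supplied through the CR's varsFrom rather than committed to Git.

```hcl
terraform {
  required_providers {
    postgresql = { source = "cyrilgdn/postgresql", version = "~> 1.22" }
  }
}

# Superuser connection details (host, user, password) are assumed to reach the
# Tofu runner as PGHOST/PGUSER/PGPASSWORD, which this provider reads directly.
provider "postgresql" {
  sslmode = "require"
}
# One entry per consuming app; each gets an isolated database and owner role.
variable "apps" {
  type    = set(string)
  default = ["authentik", "forgejo", "grafana", "airflow"]
}

# Per-app role passwords, assumed to be injected via the Terraform CR's varsFrom
# from a Vault-synced secret so they never sit in Git.
variable "app_passwords" {
  type      = map(string)
  sensitive = true
}

resource "postgresql_role" "app" {
  for_each        = var.apps
  name            = each.key
  login           = true
  password        = var.app_passwords[each.key]
  # Least privilege: no cluster-wide powers, only ownership of its own database.
  superuser       = false
  create_database = false
  create_role     = false
}

resource "postgresql_database" "app" {
  for_each = var.apps
  name     = each.key
  owner    = postgresql_role.app[each.key].name
}

# PostgreSQL grants CONNECT on every new database to PUBLIC; revoke it so one
# app's role cannot even open a connection to another app's database.
resource "postgresql_grant" "revoke_public" {
  for_each    = var.apps
  database    = postgresql_database.app[each.key].name
  role        = "public"
  object_type = "database"
  privileges  = []
}
```

The owner role keeps full rights on its own database, so revoking PUBLIC's CONNECT only closes the cross-app path; check it with `\l` in psql, where the ACL column should no longer show `=Tc/postgres`.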
```sh
# Check the operator
kubectl get pods -n cnpg-system

# Check the cluster
kubectl get cluster -n cnpg
kubectl get pods -n cnpg

# Inspect cluster status
kubectl cnpg status -n cnpg <cluster-name>

# Get the read-write service
kubectl get svc -n cnpg | grep postgresql-rw

# Connect as a specific app's user
kubectl exec -n cnpg -it <cluster>-1 -- psql -U <app-user> <app-db>
```