From c0bf4dc9d18ecdc2f5e3b963cee6c068bdccbfe3 Mon Sep 17 00:00:00 2001
From: ansible <ansible@n0ball.tw>
Date: Tue, 10 Mar 2026 13:37:07 +0800
Subject: [PATCH] Update k8s manifests

---
 k8s/infrastructure/keycloak/helmrelease.yaml  |  2 +-
 k8s/infrastructure/kustomization.yaml         |  1 +
 k8s/infrastructure/observability/loki.yaml    |  4 ++++
 k8s/infrastructure/pgbouncer-external.yaml    | 23 +++++++++++++++++++
 .../sops/vaultwarden-db-secret.yaml           |  6 ++---
 k8s/pg-init/keycloak-db.yaml                  |  2 +-
 k8s/pg-init/vaultwarden-db.yaml               |  2 +-
 7 files changed, 34 insertions(+), 6 deletions(-)
 create mode 100644 k8s/infrastructure/pgbouncer-external.yaml

diff --git a/k8s/infrastructure/keycloak/helmrelease.yaml b/k8s/infrastructure/keycloak/helmrelease.yaml
index 83bda1d..55b827d 100644
--- a/k8s/infrastructure/keycloak/helmrelease.yaml
+++ b/k8s/infrastructure/keycloak/helmrelease.yaml
@@ -26,7 +26,7 @@ spec:
     postgresql:
       enabled: false
     externalDatabase:
-      host: pgbouncer.internal
+      host: pgbouncer.default.svc.cluster.local
       port: 6432
       database: keycloak
       existingSecret: keycloak-db-secret
diff --git a/k8s/infrastructure/kustomization.yaml b/k8s/infrastructure/kustomization.yaml
index 166b5e2..a26595f 100644
--- a/k8s/infrastructure/kustomization.yaml
+++ b/k8s/infrastructure/kustomization.yaml
@@ -2,6 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - helmrepositories.yaml
+  - pgbouncer-external.yaml
   - sops
   - longhorn/helmrelease.yaml
   - cert-manager/helmrelease.yaml
diff --git a/k8s/infrastructure/observability/loki.yaml b/k8s/infrastructure/observability/loki.yaml
index 28e590d..4fbc9e8 100644
--- a/k8s/infrastructure/observability/loki.yaml
+++ b/k8s/infrastructure/observability/loki.yaml
@@ -44,3 +44,7 @@ spec:
       replicas: 0
     backend:
       replicas: 0
+    chunksCache:
+      enabled: false
+    resultsCache:
+      enabled: false
diff --git a/k8s/infrastructure/pgbouncer-external.yaml b/k8s/infrastructure/pgbouncer-external.yaml
new file mode 100644
index 0000000..6c9e7bf
--- /dev/null
+++ b/k8s/infrastructure/pgbouncer-external.yaml
@@ -0,0 +1,23 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: pgbouncer
+  namespace: default
+spec:
+  ports:
+    - port: 6432
+      targetPort: 6432
+      protocol: TCP
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: pgbouncer
+  namespace: default
+subsets:
+  - addresses:
+      - ip: 192.168.51.201
+    ports:
+      - port: 6432
+        protocol: TCP
diff --git a/k8s/infrastructure/sops/vaultwarden-db-secret.yaml b/k8s/infrastructure/sops/vaultwarden-db-secret.yaml
index dc98069..277ecab 100644
--- a/k8s/infrastructure/sops/vaultwarden-db-secret.yaml
+++ b/k8s/infrastructure/sops/vaultwarden-db-secret.yaml
@@ -4,7 +4,7 @@ metadata:
     name: vaultwarden-db-secret
     namespace: vaultwarden
 stringData:
-    DATABASE_URL: ENC[AES256_GCM,data:2F8b0trMlUH9trR+ktKQUhlpPCls+D0HAvK6Y4Q0NPfBA+UVDj1IyquPZ0W2HUuiGQp9MYdi2GmZtHDfzJzHdRtZCxLVVQ314u/EmgbKVvmjmD9XXuoiIlvQ/5UEGi5BMC4HDb7kDh8=,iv:/UJ7twIJ5Bk0JhiRXVPyH63OUbKTCeUOTdA0J12Lfls=,tag:D5oRx38eRkVgUD61pRGU2A==,type:str]
+    DATABASE_URL: ENC[AES256_GCM,data:qbUNTLOg/d4BsErpjltYFRBuZPRCE1rd51XAmxXgkXVsnEJzHYtDZJ9JBsUbIJn7EAPiHwwFPy8rdRoJsr0hjSNMQay1szwx7CqjlzeC3sejWKeiP8gQ/pvyb+2bB/NHgfjRSd6kCO9CgduhAOvFWlWb1uUXQWpC9w==,iv:1KVGo7QcP/2KWo7+tWWYfmzs8LoJGjtTvfOrEItLfRM=,tag:LWCrT+06bZMQg637hVSoXA==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -20,8 +20,8 @@ sops:
             RkRDOTNCY3JpSWxTcCtsQ2tEU2k0MzgKjAbEwqpAkPjdKlILTUqCIiw/jjRTXGfQ
             kRiZNGfem40rw8pJ813Q5zw6SGE7hWoFw11k6PbiL59U/7cXSuRw/w==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-03-10T05:17:09Z"
-    mac: ENC[AES256_GCM,data:BWd3f8rIIMdQRyh3ZO1Fg+KiNGDWtHH9lQE+gPiE2R8LTxHGxtX95qdbsAnocCdCjDgXEgNQnMPWwV1eLFQcIZgKQiawnEzjtNoXcdRLpdJDwLzQLTDhy79xQ7apmRMJ/VWJnGmPdtjWuXRuxV4KQ3S5ctUADMAb7YMqewigXnA=,iv:6M2QuR4Y/baL88U1Yz6XEipFiFMOG/X9ogqU7U3slSI=,tag:HHXpFduEwYf6W91QmAFeDw==,type:str]
+    lastmodified: "2026-03-10T05:35:22Z"
+    mac: ENC[AES256_GCM,data:qc6Kl6ezpLyt/Ed3J86IHS/QRhVjWQAGWZLOGZ3CO+9pDoQ6wkbhnCU8mpEa4TWWuRn/i/GLgWL6xyeuciSe7cWnrUQxe5bPkr6kfGeVaWhZdMXunpM2AUwCV3+4ujPeRemMrE+/YVrEjQMsPos3c0+4uugH3zkdEXH3zuK1ZCA=,iv:l3XLPskBSJluXqqT4DWFhlrvfF6kDrlH8Nqdzlu2Tzw=,tag:zgE2QV1SgYmSLvTpxufdDA==,type:str]
     pgp: []
     encrypted_regex: ^(data|stringData)$
     version: 3.9.4
diff --git a/k8s/pg-init/keycloak-db.yaml b/k8s/pg-init/keycloak-db.yaml
index a55c4c9..38af8f0 100644
--- a/k8s/pg-init/keycloak-db.yaml
+++ b/k8s/pg-init/keycloak-db.yaml
@@ -13,7 +13,7 @@ spec:
           image: postgres:17
           env:
             - name: PGHOST
-              value: pgbouncer.internal
+              value: pgbouncer.default.svc.cluster.local
             - name: PGPORT
               value: "6432"
             - name: PGUSER
diff --git a/k8s/pg-init/vaultwarden-db.yaml b/k8s/pg-init/vaultwarden-db.yaml
index 97af1f4..0e1f9f4 100644
--- a/k8s/pg-init/vaultwarden-db.yaml
+++ b/k8s/pg-init/vaultwarden-db.yaml
@@ -13,7 +13,7 @@ spec:
           image: postgres:17
           env:
             - name: PGHOST
-              value: pgbouncer.internal
+              value: pgbouncer.default.svc.cluster.local
             - name: PGPORT
               value: "6432"
             - name: PGUSER