fix: update postgres cert expiry, add cloudflare token secret

1password/index.ts

@@ -4,6 +4,7 @@ import { Manifest } from "@cdktf/provider-kubernetes/lib/manifest";
 import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
 
 type OnePasswordSecret = {
+  id?: string;
   name: string;
   namespace: string;
   itemPath: string;
@@ -24,7 +25,7 @@ export class OnePassword extends Construct {
     );
 
     secrets.forEach((secret) => {
-      new Manifest(this, secret.name, {
+      new Manifest(this, secret.id ?? secret.name, {
         provider: options.provider,
         manifest: {
           apiVersion: "onepassword.com/v1",

1password/secrets.json

@@ -29,6 +29,12 @@
     "namespace": "cert-manager",
     "itemPath": "vaults/Lab/items/Cloudflare"
   },
+  {
+    "name": "cloudflare-token",
+    "id": "cloudflare-ddns-api-token",
+    "namespace": "cloudflare-system",
+    "itemPath": "vaults/Lab/items/Cloudflare"
+  },
   {
     "name": "authentik-postgres",
     "namespace": "authentik-system",

helm/values/gitea.values.yaml

@@ -40,7 +40,7 @@ gitea:
     database:
       DB_TYPE: postgres
       HOST: postgres-cluster-rw.postgres-system.svc.cluster.local:5432
-      NAME: giteadb
+      NAME: gitea
       USER: gitea
     cache:
       ADAPTER: memcache

postgres/index.ts

@@ -80,6 +80,8 @@ export class PostgresCluster extends Construct {
             algorithm: "ECDSA",
             size: 384,
           },
+          duration: "52560h", // 6 years
+          renewBefore: "8760h", // 1 year before expiration
           issuerRef: {
             name: "selfsigned-issuer",
             kind: "Issuer",
@@ -142,6 +144,8 @@ export class PostgresCluster extends Construct {
             "postgres-cluster-r.postgres-system.svc.cluster.local",
             "postgres.dogar.dev",
           ],
+          duration: "4380h", // 6 months
+          renewBefore: "720h", // 30 days before expiration
           issuerRef: {
             name: `${caNames.server}-issuer`,
             kind: "Issuer",
@@ -169,6 +173,8 @@ export class PostgresCluster extends Construct {
             algorithm: "ECDSA",
             size: 256,
           },
+          duration: "52560h", // 6 years
+          renewBefore: "8760h", // 1 year before expiration
           issuerRef: {
             name: "selfsigned-issuer",
             kind: "Issuer",
@@ -226,6 +232,8 @@ export class PostgresCluster extends Construct {
           secretName: certNames.client,
           usages: ["client auth"],
           commonName: "streaming_replica",
+          duration: "4380h", // 6 months
+          renewBefore: "720h", // 30 days before expiration
           issuerRef: {
             name: "postgres-client-ca-issuer",
             kind: "Issuer",
@@ -251,6 +259,8 @@ export class PostgresCluster extends Construct {
               secretName: `${user}-client-cert`,
               usages: ["client auth"],
               commonName: user,
+              duration: "4380h", // 6 months
+              renewBefore: "720h", // 30 days before expiration
               issuerRef: {
                 name: "postgres-client-ca-issuer",
                 kind: "Issuer",