From 0a61df48281797c917c314b07ec3bba0809a88c9 Mon Sep 17 00:00:00 2001 From: Wayne Starr Date: Mon, 10 Jun 2024 16:16:07 -0600 Subject: [PATCH 01/12] feat: enable istio and netpols for everything --- bundle/uds-bundle.yaml | 19 +++++++++++++++++++ bundle/uds-config.yaml | 19 ------------------- chart/templates/peer-auth-exception.yaml | 16 ---------------- chart/templates/uds-package-postgres.yaml | 20 ++++++++++++++++++++ chart/templates/uds-package.yaml | 19 +++++++------------ src/namespace/gitlab-ns.yaml | 2 ++ src/namespace/mattermost-ns.yaml | 2 ++ src/namespace/sonarqube-ns.yaml | 2 ++ tasks.yaml | 8 ++++++++ tests/postgres/postgres-minimal.yaml | 2 ++ 10 files changed, 62 insertions(+), 47 deletions(-) delete mode 100644 chart/templates/peer-auth-exception.yaml create mode 100644 chart/templates/uds-package-postgres.yaml diff --git a/bundle/uds-bundle.yaml b/bundle/uds-bundle.yaml index d9fa4c4..885ff9c 100644 --- a/bundle/uds-bundle.yaml +++ b/bundle/uds-bundle.yaml @@ -7,9 +7,11 @@ metadata: # x-release-please-end packages: + # this sets up the namespaces that we will need in order to configure the default databases (and corresponding secrets) that are setup below - name: dev-namespaces path: ../ ref: 0.1.0 + - name: postgres-operator path: ../ # x-release-please-start-version @@ -22,3 +24,20 @@ packages: - name: POSTGRESQL description: "Configure postgres using CRs via the uds-postgres-config chart" path: postgresql + default: + enabled: true # Set to false to not create the PostgreSQL resource + teamId: "uds" + volume: + size: "10Gi" + numberOfInstances: 2 + users: + gitlab.gitlab: [] # database owner + sonarqube.sonarqube: [] # database owner + mattermost.mattermost: [] # database owner + databases: + gitlabdb: gitlab.gitlab + mattermostdb: mattermost.mattermost + sonarqubedb: sonarqube.sonarqube + version: "13" + ingress: + remoteGenerated: Anywhere diff --git a/bundle/uds-config.yaml b/bundle/uds-config.yaml index 11b058f..e69de29 100644 
--- a/bundle/uds-config.yaml +++ b/bundle/uds-config.yaml @@ -1,19 +0,0 @@ -variables: - postgres-operator: - postgresql: - enabled: true # Set to false to not create the PostgreSQL resource - teamId: "uds" - volume: - size: "10Gi" - numberOfInstances: 2 - users: - gitlab.gitlab: [] # database owner - sonarqube.sonarqube: [] # database owner - mattermost.mattermost: [] # database owner - databases: - gitlabdb: gitlab.gitlab - mattermostdb: mattermost.mattermost - sonarqubedb: sonarqube.sonarqube - version: "13" - ingress: - remoteGenerated: Anywhere diff --git a/chart/templates/peer-auth-exception.yaml b/chart/templates/peer-auth-exception.yaml deleted file mode 100644 index 50f41ba..0000000 --- a/chart/templates/peer-auth-exception.yaml +++ /dev/null @@ -1,16 +0,0 @@ -{{- if .Capabilities.APIVersions.Has "security.istio.io/v1beta1" }} -apiVersion: security.istio.io/v1beta1 -kind: PeerAuthentication -metadata: - name: postgres-istio-exceptions - namespace: {{ .Release.Namespace }} -spec: - mtls: - mode: STRICT - selector: - matchLabels: - cluster-name: pg-cluster - portLevelMtls: - "5432": - mode: PERMISSIVE -{{- end }} diff --git a/chart/templates/uds-package-postgres.yaml b/chart/templates/uds-package-postgres.yaml new file mode 100644 index 0000000..a8bd91d --- /dev/null +++ b/chart/templates/uds-package-postgres.yaml @@ -0,0 +1,20 @@ +{{- if .Values.postgresql.enabled }} +apiVersion: uds.dev/v1alpha1 +kind: Package +metadata: + name: postgres + namespace: {{ .Release.Namespace }} +spec: + network: + allow: + - direction: Ingress + remoteGenerated: IntraNamespace + - direction: Egress + remoteGenerated: IntraNamespace + {{- if .Values.postgresql.ingress }} + - direction: Ingress + selector: + cluster-name: pg-cluster + {{- .Values.postgresql.ingress | toYaml | nindent 8 }} + {{- end }} +{{- end }} diff --git a/chart/templates/uds-package.yaml b/chart/templates/uds-package.yaml index 52dc552..fc4c67e 100644 --- a/chart/templates/uds-package.yaml 
+++ b/chart/templates/uds-package.yaml @@ -1,24 +1,19 @@ -{{- if .Values.postgresql.enabled }} apiVersion: uds.dev/v1alpha1 kind: Package metadata: - name: postgres - namespace: {{ .Release.Namespace }} + name: postgres-operator + namespace: postgres-operator spec: network: allow: - - direction: Ingress - remoteGenerated: IntraNamespace - direction: Egress - remoteGenerated: IntraNamespace - {{- if .Values.postgresql.ingress }} - - direction: Ingress selector: + app.kubernetes.io/name: postgres-operator + remoteNamespace: {{ .Release.Namespace }} + remoteSelector: cluster-name: pg-cluster - {{- .Values.postgresql.ingress | toYaml | nindent 8 }} - {{- end }} + - direction: Egress selector: - cluster-name: pg-cluster + app.kubernetes.io/name: postgres-operator remoteGenerated: KubeAPI -{{- end }} diff --git a/src/namespace/gitlab-ns.yaml b/src/namespace/gitlab-ns.yaml index e686029..3c35f71 100644 --- a/src/namespace/gitlab-ns.yaml +++ b/src/namespace/gitlab-ns.yaml @@ -2,3 +2,5 @@ kind: Namespace apiVersion: v1 metadata: name: gitlab + labels: + istio-injection: enabled diff --git a/src/namespace/mattermost-ns.yaml b/src/namespace/mattermost-ns.yaml index 2761c1b..37f47ea 100644 --- a/src/namespace/mattermost-ns.yaml +++ b/src/namespace/mattermost-ns.yaml @@ -2,3 +2,5 @@ kind: Namespace apiVersion: v1 metadata: name: mattermost + labels: + istio-injection: enabled diff --git a/src/namespace/sonarqube-ns.yaml b/src/namespace/sonarqube-ns.yaml index 2dc6f40..3dc4ed9 100644 --- a/src/namespace/sonarqube-ns.yaml +++ b/src/namespace/sonarqube-ns.yaml @@ -2,3 +2,5 @@ kind: Namespace apiVersion: v1 metadata: name: sonarqube + labels: + istio-injection: enabled diff --git a/tasks.yaml b/tasks.yaml index 4fd15d6..a50e004 100644 --- a/tasks.yaml +++ b/tasks.yaml 
@@ -38,6 +38,14 @@ tasks: - task: dependencies:create - task: create:test-bundle + - name: dev + description: Deploy Valkey on existing cluster + actions: + - task: create-pg-package + - task: dependencies:create + - task: create-pg-test-bundle + - task: deploy:test-bundle + # CI will execute the following (via uds-common/.github/actions/test) so they need to be here with these names - name: test-package diff --git a/tests/postgres/postgres-minimal.yaml b/tests/postgres/postgres-minimal.yaml index 46d2289..1267e76 100644 --- a/tests/postgres/postgres-minimal.yaml +++ b/tests/postgres/postgres-minimal.yaml @@ -2,6 +2,8 @@ kind: Namespace apiVersion: v1 metadata: name: acid + labels: + istio-injection: enabled --- apiVersion: acid.zalan.do/v1 kind: postgresql From 98ca520400cb9c4cb488086eb8efe8b52341a6c5 Mon Sep 17 00:00:00 2001 From: Wayne Starr Date: Mon, 10 Jun 2024 16:23:18 -0600 Subject: [PATCH 02/12] fix kubeapi access --- chart/templates/uds-package-postgres.yaml | 7 +++++++ chart/templates/uds-package.yaml | 2 +- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/chart/templates/uds-package-postgres.yaml b/chart/templates/uds-package-postgres.yaml index a8bd91d..cb77889 100644 --- a/chart/templates/uds-package-postgres.yaml +++ b/chart/templates/uds-package-postgres.yaml @@ -9,12 +9,19 @@ spec: allow: - direction: Ingress remoteGenerated: IntraNamespace + - direction: Egress remoteGenerated: IntraNamespace + {{- if .Values.postgresql.ingress }} - direction: Ingress selector: cluster-name: pg-cluster {{- .Values.postgresql.ingress | toYaml | nindent 8 }} {{- end }} + + - direction: Egress + selector: + cluster-name: pg-cluster + remoteGenerated: KubeAPI {{- end }} diff --git a/chart/templates/uds-package.yaml b/chart/templates/uds-package.yaml index fc4c67e..ebcefc7 100644 --- a/chart/templates/uds-package.yaml +++ b/chart/templates/uds-package.yaml 
@@ -12,7 +12,7 @@ spec: remoteNamespace: {{ .Release.Namespace }} remoteSelector: cluster-name: pg-cluster - + - direction: Egress selector: app.kubernetes.io/name: postgres-operator From f20bceb42bee9e1b6a94dde3d62ea5ae2d87cd04 Mon Sep 17 00:00:00 2001 From: Wayne Starr Date: Mon, 10 Jun 2024 16:34:14 -0600 Subject: [PATCH 03/12] add more complex netpols --- bundle/uds-bundle.yaml | 11 +++++++++++ chart/templates/uds-package-postgres.yaml | 7 +++++++ chart/templates/uds-package.yaml | 18 ++++++++++++++++++ chart/values.yaml | 9 +++++++++ 4 files changed, 45 insertions(+) diff --git a/bundle/uds-bundle.yaml b/bundle/uds-bundle.yaml index 885ff9c..6fc8104 100644 --- a/bundle/uds-bundle.yaml +++ b/bundle/uds-bundle.yaml @@ -41,3 +41,14 @@ packages: version: "13" ingress: remoteGenerated: Anywhere + - name: ACID_PG_CLUSTER_NETWORKING + description: "Allow connectivity to the acid pg cluster for testing (see tests/ folder)" + path: custom + default: + - direction: Egress + selector: + app.kubernetes.io/name: postgres-operator + remoteNamespace: acid + remoteSelector: + cluster-name: pg-cluster + description: "Egress to a non-default pg cluster" diff --git a/chart/templates/uds-package-postgres.yaml b/chart/templates/uds-package-postgres.yaml index cb77889..ec8038b 100644 --- a/chart/templates/uds-package-postgres.yaml +++ b/chart/templates/uds-package-postgres.yaml @@ -20,6 +20,13 @@ spec: {{- .Values.postgresql.ingress | toYaml | nindent 8 }} {{- end }} + - direction: Ingress + selector: + app.kubernetes.io/name: postgres-operator + remoteNamespace: postgres-operator + remoteSelector: + app.kubernetes.io/name: postgres-operator + - direction: Egress selector: cluster-name: pg-cluster diff --git a/chart/templates/uds-package.yaml b/chart/templates/uds-package.yaml index ebcefc7..ccb4252 100644 --- a/chart/templates/uds-package.yaml +++ b/chart/templates/uds-package.yaml 
@@ -6,14 +6,32 @@ metadata: spec: network: allow: + {{- if .Values.postgresql.enabled }} - direction: Egress selector: app.kubernetes.io/name: postgres-operator remoteNamespace: {{ .Release.Namespace }} remoteSelector: cluster-name: pg-cluster + {{- end }} - direction: Egress selector: app.kubernetes.io/name: postgres-operator remoteGenerated: KubeAPI + + # Custom rules for other scenarios (such as connecting to a non-default pg cluster) + {{- range .Values.custom }} + - direction: {{ .direction }} + selector: + {{ .selector | toYaml | nindent 10 }} + {{- if not .remoteGenerated }} + remoteNamespace: {{ .remoteNamespace }} + remoteSelector: + {{ .remoteSelector | toYaml | nindent 10 }} + port: {{ .port }} + {{- else }} + remoteGenerated: {{ .remoteGenerated }} + {{- end }} + description: {{ .description }} + {{- end }} diff --git a/chart/values.yaml b/chart/values.yaml index 3cc79d9..836ad40 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -19,3 +19,12 @@ postgresql: # remoteNamespace: tempo # remoteSelector: # app.kubernetes.io/name: tempo + +custom: [] + # - direction: Egress + # selector: + # app.kubernetes.io/name: postgres-operator + # remoteNamespace: acid + # remoteSelector: + # cluster-name: pg-cluster + # description: "Egress to a non-default pg cluster" From ccde86e181d628ebff59121b8793207ed52e5a95 Mon Sep 17 00:00:00 2001 From: Wayne Starr Date: Tue, 11 Jun 2024 08:55:14 -0600 Subject: [PATCH 04/12] feedback --- tasks.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks.yaml b/tasks.yaml index a50e004..d3f70d7 100644 --- a/tasks.yaml +++ b/tasks.yaml @@ -39,7 +39,7 @@ tasks: - task: create:test-bundle - name: dev - description: Deploy Valkey on existing cluster + description: Deploy Postgres Operator on existing cluster actions: - task: create-pg-package - task: dependencies:create From bc601b4562b266d4f91db930df707daa2e8edda8 Mon Sep 17 00:00:00 2001 
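Review bot: In the new `range .Values.custom` block of chart/templates/uds-package.yaml, every field is interpolated unquoted and unchecked, so an incomplete entry still renders a rule. `port: {{ .port }}` is emitted whenever `remoteGenerated` is unset, yet neither the ACID_PG_CLUSTER_NETWORKING default nor the values.yaml example sets `port`, so it renders as an empty `port:`. A missing `remoteNamespace` likewise renders empty; if the UDS operator reads an empty remote namespace as "any namespace" (worth confirming against the Package CRD), an omitted key widens the rule silently. I would fail the render instead with `remoteNamespace: {{ required "custom[].remoteNamespace is required" .remoteNamespace | quote }}`, wrap the port line in `{{- if .port }}` … `{{- end }}`, and quote the free text with `description: {{ .description | quote }}`.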
From: Wayne Starr Date: Tue, 11 Jun 2024 10:53:24 -0600 Subject: [PATCH 05/12] make ingress an array --- bundle/uds-bundle.yaml | 10 +++++++++- chart/templates/uds-package-postgres.yaml | 4 ++-- chart/values.yaml | 8 ++++---- tests/postgres/db-seed-cross-namespace.yaml | 2 ++ tests/postgres/db-seed.yaml | 2 ++ 5 files changed, 19 insertions(+), 7 deletions(-) diff --git a/bundle/uds-bundle.yaml b/bundle/uds-bundle.yaml index 6fc8104..6b36d42 100644 --- a/bundle/uds-bundle.yaml +++ b/bundle/uds-bundle.yaml @@ -40,7 +40,15 @@ packages: sonarqubedb: sonarqube.sonarqube version: "13" ingress: - remoteGenerated: Anywhere + - remoteNamespace: gitlab + remoteSelector: + app: gitlab + - remoteNamespace: mattermost + remoteSelector: + app: mattermost + - remoteNamespace: sonarqube + remoteSelector: + app: sonarqube - name: ACID_PG_CLUSTER_NETWORKING description: "Allow connectivity to the acid pg cluster for testing (see tests/ folder)" path: custom diff --git a/chart/templates/uds-package-postgres.yaml b/chart/templates/uds-package-postgres.yaml index ec8038b..e256009 100644 --- a/chart/templates/uds-package-postgres.yaml +++ b/chart/templates/uds-package-postgres.yaml @@ -13,11 +13,11 @@ spec: - direction: Egress remoteGenerated: IntraNamespace - {{- if .Values.postgresql.ingress }} + {{- range .Values.postgresql.ingress }} - direction: Ingress selector: cluster-name: pg-cluster - {{- .Values.postgresql.ingress | toYaml | nindent 8 }} + {{- . | toYaml | nindent 8 }} {{- end }} - direction: Ingress diff --git a/chart/values.yaml b/chart/values.yaml index 836ad40..2642ab8 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -13,12 +13,12 @@ postgresql: # yourdb: youruser # version: "13" # ingress: -# remoteGenerated: Anywhere +# - remoteGenerated: Anywhere # or # ingress: -# remoteNamespace: tempo -# remoteSelector: -# app.kubernetes.io/name: tempo +# - remoteNamespace: tempo +# remoteSelector: +# app.kubernetes.io/name: tempo custom: [] # - direction: Egress 
diff --git a/tests/postgres/db-seed-cross-namespace.yaml b/tests/postgres/db-seed-cross-namespace.yaml index 189a2da..8b4db87 100644 --- a/tests/postgres/db-seed-cross-namespace.yaml +++ b/tests/postgres/db-seed-cross-namespace.yaml @@ -16,6 +16,8 @@ kind: Job metadata: name: db-seed-job namespace: gitlab + labels: + app: gitlab spec: template: spec: diff --git a/tests/postgres/db-seed.yaml b/tests/postgres/db-seed.yaml index c9d540a..cb8b844 100644 --- a/tests/postgres/db-seed.yaml +++ b/tests/postgres/db-seed.yaml @@ -16,6 +16,8 @@ kind: Job metadata: name: db-seed-job namespace: acid + labels: + app: acid spec: template: spec: From a923a9e2766f06956de0f6c07cf3f7b997f9ddcd Mon Sep 17 00:00:00 2001 From: Wayne Starr Date: Tue, 11 Jun 2024 10:55:38 -0600 Subject: [PATCH 06/12] add a note about the istio injection label --- src/namespace/gitlab-ns.yaml | 2 ++ src/namespace/mattermost-ns.yaml | 2 ++ src/namespace/sonarqube-ns.yaml | 2 ++ tests/postgres/postgres-minimal.yaml | 2 ++ 4 files changed, 8 insertions(+) diff --git a/src/namespace/gitlab-ns.yaml b/src/namespace/gitlab-ns.yaml index 3c35f71..db56d20 100644 --- a/src/namespace/gitlab-ns.yaml +++ b/src/namespace/gitlab-ns.yaml @@ -2,5 +2,7 @@ kind: Namespace apiVersion: v1 metadata: name: gitlab + # This label is only needed for testing! + # In a real deployment this namespace would be controlled by a UDS Package / the UDS Operator labels: istio-injection: enabled diff --git a/src/namespace/mattermost-ns.yaml b/src/namespace/mattermost-ns.yaml index 37f47ea..711a65f 100644 --- a/src/namespace/mattermost-ns.yaml +++ b/src/namespace/mattermost-ns.yaml @@ -2,5 +2,7 @@ kind: Namespace apiVersion: v1 metadata: name: mattermost + # This label is only needed for testing! + # In a real deployment this namespace would be controlled by a UDS Package / the UDS Operator labels: istio-injection: enabled diff --git a/src/namespace/sonarqube-ns.yaml b/src/namespace/sonarqube-ns.yaml index 3dc4ed9..c67ab2d 100644 
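Review bot: The `app: gitlab` label in tests/postgres/db-seed-cross-namespace.yaml is added under the Job's own `metadata`, but the `remoteSelector: app: gitlab` introduced in bundle/uds-bundle.yaml by this same commit matches pod labels. A Job does not copy its metadata labels onto the pods it creates, and the visible context goes straight from `template:` to `spec:`, so the seed pod would not carry the label and the ingress rule would not admit it. Moving the label to the pod template (`spec.template.metadata.labels.app: gitlab`) makes the selector effective. The same applies to the `app: acid` label in tests/postgres/db-seed.yaml. The Job spec continues outside both hunks.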
--- a/src/namespace/sonarqube-ns.yaml +++ b/src/namespace/sonarqube-ns.yaml @@ -2,5 +2,7 @@ kind: Namespace apiVersion: v1 metadata: name: sonarqube + # This label is only needed for testing! + # In a real deployment this namespace would be controlled by a UDS Package / the UDS Operator labels: istio-injection: enabled diff --git a/tests/postgres/postgres-minimal.yaml b/tests/postgres/postgres-minimal.yaml index 1267e76..8ff1f6d 100644 --- a/tests/postgres/postgres-minimal.yaml +++ b/tests/postgres/postgres-minimal.yaml @@ -2,6 +2,8 @@ kind: Namespace apiVersion: v1 metadata: name: acid + # This label is only needed for testing! + # In a real deployment this namespace would be controlled by a UDS Package / the UDS Operator labels: istio-injection: enabled --- From a45be5ef07ca56f88743a66495f4e9843f76c97a Mon Sep 17 00:00:00 2001 From: Wayne Starr Date: Tue, 11 Jun 2024 14:13:35 -0600 Subject: [PATCH 07/12] fix helm range --- chart/templates/uds-package-postgres.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/chart/templates/uds-package-postgres.yaml b/chart/templates/uds-package-postgres.yaml index e256009..5f2bd0b 100644 --- a/chart/templates/uds-package-postgres.yaml +++ b/chart/templates/uds-package-postgres.yaml @@ -17,7 +17,7 @@ spec: - direction: Ingress selector: cluster-name: pg-cluster - {{- . | toYaml | nindent 8 }} + {{ . | toYaml | nindent 8 }} {{- end }} - direction: Ingress From cc6ba2e4d07f8f2715669588ef675658ed0cac4f Mon Sep 17 00:00:00 2001 From: Wayne Starr Date: Tue, 11 Jun 2024 17:04:54 -0600 Subject: [PATCH 08/12] fix remote namespaces per feedback --- bundle/uds-bundle.yaml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/bundle/uds-bundle.yaml b/bundle/uds-bundle.yaml index 6b36d42..601b306 100644 --- a/bundle/uds-bundle.yaml +++ b/bundle/uds-bundle.yaml 
@@ -41,14 +41,8 @@ packages: version: "13" ingress: - remoteNamespace: gitlab - remoteSelector: - app: gitlab - remoteNamespace: mattermost - remoteSelector: - app: mattermost - remoteNamespace: sonarqube - remoteSelector: - app: sonarqube - name: ACID_PG_CLUSTER_NETWORKING description: "Allow connectivity to the acid pg cluster for testing (see tests/ folder)" path: custom From 2e06cc3167ecaab3683119c85e6497cc403bc659 Mon Sep 17 00:00:00 2001 From: Wayne Starr Date: Tue, 11 Jun 2024 20:11:15 -0600 Subject: [PATCH 09/12] support kindIs --- bundle/uds-bundle.yaml | 4 +--- chart/templates/uds-package-postgres.yaml | 7 +++++++ chart/values.yaml | 1 + 3 files changed, 9 insertions(+), 3 deletions(-) diff --git a/bundle/uds-bundle.yaml b/bundle/uds-bundle.yaml index 601b306..6fc8104 100644 --- a/bundle/uds-bundle.yaml +++ b/bundle/uds-bundle.yaml @@ -40,9 +40,7 @@ packages: sonarqubedb: sonarqube.sonarqube version: "13" ingress: - - remoteNamespace: gitlab - - remoteNamespace: mattermost - - remoteNamespace: sonarqube + remoteGenerated: Anywhere - name: ACID_PG_CLUSTER_NETWORKING description: "Allow connectivity to the acid pg cluster for testing (see tests/ folder)" path: custom diff --git a/chart/templates/uds-package-postgres.yaml b/chart/templates/uds-package-postgres.yaml index 5f2bd0b..568976a 100644 --- a/chart/templates/uds-package-postgres.yaml +++ b/chart/templates/uds-package-postgres.yaml @@ -13,12 +13,19 @@ spec: - direction: Egress remoteGenerated: IntraNamespace + {{- if kindIs "slice" .Values.postgresql.ingress -}} {{- range .Values.postgresql.ingress }} - direction: Ingress selector: cluster-name: pg-cluster {{ . | toYaml | nindent 8 }} {{- end }} + {{- else }} + - direction: Ingress + selector: + cluster-name: pg-cluster + {{- .Values.postgresql.ingress | toYaml | nindent 8 }} + {{- end }} - direction: Ingress selector: diff --git a/chart/values.yaml b/chart/values.yaml index 2642ab8..dc74311 100644 --- a/chart/values.yaml +++ b/chart/values.yaml 
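Review bot: The bundle/uds-bundle.yaml hunk of PATCH 09 puts `ingress: remoteGenerated: Anywhere` back as the POSTGRESQL default. That replaces the three-namespace list from the previous two commits with a rule that appears to admit traffic to the `cluster-name: pg-cluster` pods from any source. The template in this same commit accepts a list, so the narrower form still renders: `- remoteNamespace: gitlab`, `- remoteNamespace: mattermost`, `- remoteNamespace: sonarqube`. If the open rule is intended only for this dev/test bundle, a comment on the key should say so, for example `# test bundle only: restrict to consumer namespaces in real deployments`, so the default is not copied into a production bundle.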
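Review bot: In the chart/templates/uds-package-postgres.yaml hunk of PATCH 09, the new `{{- else }}` branch drops the emptiness guard that the original `{{- if .Values.postgresql.ingress }}` provided. Any non-slice value, including an override that sets `ingress` to null or `{}`, now emits the `- direction: Ingress` / `selector: cluster-name: pg-cluster` entry followed by a stray `null` or `{}` from `toYaml`, rather than skipping the rule. Changing the branch to `{{- else if .Values.postgresql.ingress }}` keeps map support and renders nothing when the value is empty. The chart default `ingress: []` added in this commit takes the slice path and is unaffected.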
@@ -1,5 +1,6 @@ postgresql: enabled: false + ingress: [] # teamId: "uds" # volume: From f79f87228e398a8d1e35f2429d121a15119081c7 Mon Sep 17 00:00:00 2001 From: Wayne Starr Date: Tue, 11 Jun 2024 20:36:06 -0600 Subject: [PATCH 10/12] flip namespaces --- chart/templates/postgres-minimal.yaml | 2 +- chart/templates/postgres-svc.yaml | 2 +- chart/templates/uds-package-postgres.yaml | 4 ++-- chart/templates/uds-package.yaml | 4 ++-- common/zarf.yaml | 2 +- 5 files changed, 7 insertions(+), 7 deletions(-) diff --git a/chart/templates/postgres-minimal.yaml b/chart/templates/postgres-minimal.yaml index 43bf16a..b57d40c 100644 --- a/chart/templates/postgres-minimal.yaml +++ b/chart/templates/postgres-minimal.yaml @@ -3,7 +3,7 @@ apiVersion: acid.zalan.do/v1 kind: postgresql metadata: name: pg-cluster - namespace: {{ .Release.Namespace }} + namespace: postgres spec: teamId: {{ .Values.postgresql.teamId | quote }} volume: diff --git a/chart/templates/postgres-svc.yaml b/chart/templates/postgres-svc.yaml index d2d033c..46df14f 100644 --- a/chart/templates/postgres-svc.yaml +++ b/chart/templates/postgres-svc.yaml @@ -3,7 +3,7 @@ apiVersion: v1 kind: Service metadata: name: pg-cluster-headless - namespace: {{ .Release.Namespace }} + namespace: postgres spec: clusterIP: None ports: diff --git a/chart/templates/uds-package-postgres.yaml b/chart/templates/uds-package-postgres.yaml index 568976a..43b0b53 100644 --- a/chart/templates/uds-package-postgres.yaml +++ b/chart/templates/uds-package-postgres.yaml @@ -3,7 +3,7 @@ apiVersion: uds.dev/v1alpha1 kind: Package metadata: name: postgres - namespace: {{ .Release.Namespace }} + namespace: postgres spec: network: allow: @@ -30,7 +30,7 @@ spec: - direction: Ingress selector: app.kubernetes.io/name: postgres-operator - remoteNamespace: postgres-operator + remoteNamespace: {{ .Release.Namespace }} remoteSelector: app.kubernetes.io/name: postgres-operator 
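Review bot: In PATCH 10, chart/templates/postgres-minimal.yaml replaces `{{ .Release.Namespace }}` with the literal `namespace: postgres`. The same literal is repeated in postgres-svc.yaml and uds-package-postgres.yaml, and as `remoteNamespace: postgres` in uds-package.yaml. The operator's egress rule only matches the cluster while all four stay in step, and nothing visible in these hunks creates the `postgres` namespace. A single values key would keep the network policy and the workload namespace tied together, for example `namespace: {{ .Values.postgresql.namespace | default "postgres" }}` (the key name is a suggestion), with the same expression used for `remoteNamespace`.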
diff --git a/chart/templates/uds-package.yaml b/chart/templates/uds-package.yaml index ccb4252..a1bd1d9 100644 --- a/chart/templates/uds-package.yaml +++ b/chart/templates/uds-package.yaml @@ -2,7 +2,7 @@ apiVersion: uds.dev/v1alpha1 kind: Package metadata: name: postgres-operator - namespace: postgres-operator + namespace: {{ .Release.Namespace }} spec: network: allow: @@ -10,7 +10,7 @@ spec: - direction: Egress selector: app.kubernetes.io/name: postgres-operator - remoteNamespace: {{ .Release.Namespace }} + remoteNamespace: postgres remoteSelector: cluster-name: pg-cluster {{- end }} diff --git a/common/zarf.yaml b/common/zarf.yaml index 92181a6..2d48617 100644 --- a/common/zarf.yaml +++ b/common/zarf.yaml @@ -9,7 +9,7 @@ components: required: true charts: - name: uds-postgres-config - namespace: postgres + namespace: postgres-operator version: 0.1.0 localPath: ../chart - name: postgres-operator From 023f8e0f012586c629da1b655946e1b19a08ebfe Mon Sep 17 00:00:00 2001 From: Wayne Starr Date: Tue, 11 Jun 2024 20:52:57 -0600 Subject: [PATCH 11/12] shim Helm namespace --- common/zarf.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/common/zarf.yaml b/common/zarf.yaml index 2d48617..abfb215 100644 --- a/common/zarf.yaml +++ b/common/zarf.yaml @@ -20,6 +20,11 @@ components: - ../values/values.yaml actions: onDeploy: + before: + # this shims postgres operator versions v0.11.1-uds.1 and below to the new config chart namespace layout + - cmd: ./zarf tools kubectl annotate postgresql -n postgres pg-cluster meta.helm.sh/release-namespace=postgres-operator || true + - cmd: ./zarf tools kubectl annotate service -n postgres pg-cluster-headless meta.helm.sh/release-namespace=postgres-operator || true + - cmd: ./zarf tools kubectl annotate package -n postgres postgres meta.helm.sh/release-namespace=postgres-operator || true after: - description: Validate Postgres Operator Package maxTotalSeconds: 300 From 6aedddee36c3091491d10795a5b08ab9e477c945 Mon Sep 17 00:00:00 2001 
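Review bot: In the common/zarf.yaml hunk of PATCH 11, the three `before` shim commands end in `|| true`, which hides every failure and not only the "resource not found" case on a fresh install. A forbidden or unreachable API server would let the deploy continue with the old `meta.helm.sh/release-namespace` annotation still in place, and the error would surface later as a less obvious Helm ownership conflict. PATCH 12 rewrites the same three lines with `--overwrite` and keeps `|| true`. Guarding on existence lets real annotate errors fail the action, for example `if ./zarf tools kubectl get postgresql -n postgres pg-cluster >/dev/null 2>&1; then ./zarf tools kubectl annotate --overwrite postgresql -n postgres pg-cluster meta.helm.sh/release-namespace=postgres-operator; fi`, and likewise for the service and package.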
From: Wayne Starr Date: Tue, 11 Jun 2024 21:01:52 -0600 Subject: [PATCH 12/12] add --overwrite --- common/zarf.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/common/zarf.yaml b/common/zarf.yaml index abfb215..0b9a708 100644 --- a/common/zarf.yaml +++ b/common/zarf.yaml @@ -22,9 +22,9 @@ components: onDeploy: before: # this shims postgres operator versions v0.11.1-uds.1 and below to the new config chart namespace layout - - cmd: ./zarf tools kubectl annotate postgresql -n postgres pg-cluster meta.helm.sh/release-namespace=postgres-operator || true - - cmd: ./zarf tools kubectl annotate service -n postgres pg-cluster-headless meta.helm.sh/release-namespace=postgres-operator || true - - cmd: ./zarf tools kubectl annotate package -n postgres postgres meta.helm.sh/release-namespace=postgres-operator || true + - cmd: ./zarf tools kubectl annotate --overwrite postgresql -n postgres pg-cluster meta.helm.sh/release-namespace=postgres-operator || true + - cmd: ./zarf tools kubectl annotate --overwrite service -n postgres pg-cluster-headless meta.helm.sh/release-namespace=postgres-operator || true + - cmd: ./zarf tools kubectl annotate --overwrite package -n postgres postgres meta.helm.sh/release-namespace=postgres-operator || true after: - description: Validate Postgres Operator Package maxTotalSeconds: 300