diff --git a/.gitignore b/.gitignore
index 9b15dfdc..71bcd867 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 *.tfstate*
 .terraform
-terraform.tfvars
\ No newline at end of file
+terraform.tfvars
+settings.json
\ No newline at end of file
diff --git a/deployments/README.md b/deployments/README.md
deleted file mode 100644
index bd0bab18..00000000
--- a/deployments/README.md
+++ /dev/null
@@ -1 +0,0 @@
-This directory is not actively used and will be removed in the future
\ No newline at end of file
diff --git a/deployments/spacelift/dpe-k8s/main.tf b/deployments/spacelift/dpe-k8s/main.tf
index 7f9a8429..0b2e9b5d 100644
--- a/deployments/spacelift/dpe-k8s/main.tf
+++ b/deployments/spacelift/dpe-k8s/main.tf
@@ -196,3 +196,75 @@ resource "spacelift_aws_integration_attachment" "k8s-deployments-aws-integration
   read           = true
   write          = true
 }
+
+resource "spacelift_stack" "k8s-stack-deployments-testing" {
+  github_enterprise {
+    namespace = "Sage-Bionetworks-Workflows"
+    id        = "sage-bionetworks-workflows-gh"
+  }
+
+  depends_on = [
+    spacelift_space.dpe-space
+  ]
+
+  administrative          = false
+  autodeploy              = var.auto_deploy
+  branch                  = "ibcdpe-1004-airflow-ops"
+  description             = "Deployments internal to an EKS cluster"
+  name                    = "${var.k8s_stack_deployments_name}-testing"
+  project_root            = "deployments/stacks/dpe-k8s-deployments-testing"
+  repository              = "eks-stack"
+  terraform_version       = var.opentofu_version
+  terraform_workflow_tool = "OPEN_TOFU"
+  space_id                = spacelift_space.dpe-space.id
+  additional_project_globs = [
+    "deployments/"
+  ]
+}
+
+resource "spacelift_environment_variable" "k8s-stack-deployments-testing-environment-variables" {
+  for_each = local.k8s_stack_deployments_variables
+
+  stack_id   = spacelift_stack.k8s-stack-deployments-testing.id
+  name       = "TF_VAR_${each.key}"
+  value      = try(tostring(each.value), jsonencode(each.value))
+  write_only = false
+}
+
+resource "spacelift_context_attachment" "k8s-kubeconfig-hooks-testing" {
+  context_id = "kubernetes-deployments-kubeconfig"
+  stack_id   = spacelift_stack.k8s-stack-deployments-testing.id
+}
+
+resource "spacelift_stack_dependency" "k8s-stack-to-deployments-testing" {
+  stack_id            = spacelift_stack.k8s-stack-deployments-testing.id
+  depends_on_stack_id = spacelift_stack.k8s-stack.id
+}
+
+resource "spacelift_stack_dependency_reference" "dependency-references-testing" {
+  for_each = local.k8s_stack_to_deployment_variables
+
+  stack_dependency_id = spacelift_stack_dependency.k8s-stack-to-deployments-testing.id
+  output_name         = each.key
+  input_name          = each.value
+}
+
+resource "spacelift_stack_dependency_reference" "region-name-testing" {
+  stack_dependency_id = spacelift_stack_dependency.k8s-stack-to-deployments-testing.id
+  output_name         = "region"
+  input_name          = "REGION"
+}
+
+resource "spacelift_stack_dependency_reference" "cluster-name-testing" {
+  stack_dependency_id = spacelift_stack_dependency.k8s-stack-to-deployments-testing.id
+  output_name         = "cluster_name"
+  input_name          = "CLUSTER_NAME"
+}
+
+resource "spacelift_aws_integration_attachment" "k8s-deployments-aws-integration-attachment-testing" {
+
+  integration_id = var.aws_integration_id
+  stack_id       = spacelift_stack.k8s-stack-deployments-testing.id
+  read           = true
+  write          = true
+}
diff --git a/deployments/stacks/dpe-k8s-deployments-testing/data.tf b/deployments/stacks/dpe-k8s-deployments-testing/data.tf
new file mode 100644
index 00000000..c1724ceb
--- /dev/null
+++ b/deployments/stacks/dpe-k8s-deployments-testing/data.tf
@@ -0,0 +1,15 @@
+data "aws_eks_cluster" "cluster" {
+  name = var.cluster_name
+}
+
+data "aws_eks_cluster_auth" "cluster" {
+  name = var.cluster_name
+}
+
+data "aws_secretsmanager_secret" "spotinst_token" {
+  name = "spotinst_token"
+}
+
+data "aws_secretsmanager_secret_version" "secret_credentials" {
+  secret_id = data.aws_secretsmanager_secret.spotinst_token.id
+}
diff --git a/deployments/stacks/dpe-k8s-deployments-testing/main.tf b/deployments/stacks/dpe-k8s-deployments-testing/main.tf
new file mode 100644
index 00000000..aab2823a
--- /dev/null
+++ b/deployments/stacks/dpe-k8s-deployments-testing/main.tf
@@ -0,0 +1,20 @@
+module "postgres-cloud-native-operator" {
+  # source       = "spacelift.io/sagebionetworks/postgres-cloud-native/aws"
+  source = "../../../modules/postgres-cloud-native-operator/"
+  # version      = "0.2.1"
+  auto_deploy  = true
+  auto_prune   = true
+  git_revision = "ibcdpe-1004-airflow-ops"
+}
+
+
+# module "postgres-cloud-native" {
+#   # source       = "spacelift.io/sagebionetworks/postgres-cloud-native/aws"
+#   source = "../../../modules/postgres-cloud-native/"
+#   # version      = "0.2.1"
+#   auto_deploy          = true
+#   auto_prune           = true
+#   git_revision         = "ibcdpe-1004-airflow-ops"
+#   namespace            = "airflow"
+#   argo_deployment_name = "airflow-postgres-cloud-native"
+# }
diff --git a/deployments/stacks/dpe-k8s-deployments-testing/provider.tf b/deployments/stacks/dpe-k8s-deployments-testing/provider.tf
new file mode 100644
index 00000000..32049e25
--- /dev/null
+++ b/deployments/stacks/dpe-k8s-deployments-testing/provider.tf
@@ -0,0 +1,28 @@
+provider "aws" {
+  region = var.region
+}
+
+provider "kubernetes" {
+  config_path            = var.kube_config_path
+  host                   = data.aws_eks_cluster.cluster.endpoint
+  cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority[0].data)
+  token                  = data.aws_eks_cluster_auth.cluster.token
+}
+
+provider "helm" {
+  kubernetes {
+    config_path = var.kube_config_path
+  }
+}
+
+provider "spotinst" {
+  account = var.spotinst_account
+  token   = data.aws_secretsmanager_secret_version.secret_credentials.secret_string
+}
+
+provider "kubectl" {
+  config_path            = var.kube_config_path
+  host                   = data.aws_eks_cluster.cluster.endpoint
+  cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority[0].data)
+  token                  = data.aws_eks_cluster_auth.cluster.token
+}
diff --git a/deployments/stacks/dpe-k8s-deployments-testing/variables.tf b/deployments/stacks/dpe-k8s-deployments-testing/variables.tf
new file mode 100644
index 00000000..2828bba3
--- /dev/null
+++ b/deployments/stacks/dpe-k8s-deployments-testing/variables.tf
@@ -0,0 +1,62 @@
+variable "vpc_id" {
+  description = "VPC ID"
+  type        = string
+}
+
+variable "private_subnet_ids" {
+  description = "Private subnet IDs"
+  type        = list(string)
+}
+
+variable "node_security_group_id" {
+  description = "Node security group ID"
+  type        = string
+}
+
+variable "pod_to_node_dns_sg_id" {
+  description = "Pod to node DNS security group ID."
+  type        = string
+}
+
+variable "vpc_cidr_block" {
+  description = "VPC CIDR block"
+  type        = string
+}
+
+variable "kube_config_path" {
+  description = "Kube config path"
+  type        = string
+  default     = "~/.kube/config"
+}
+
+variable "region" {
+  description = "AWS region"
+  type        = string
+  default     = "us-east-1"
+}
+
+variable "cluster_name" {
+  description = "EKS cluster name"
+  type        = string
+}
+
+variable "spotinst_account" {
+  description = "Spot.io account"
+  type        = string
+}
+
+variable "auto_deploy" {
+  description = "Automatically deploy the stack"
+  type        = bool
+}
+
+variable "auto_prune" {
+  description = "Automatically prune kubernetes resources"
+  type        = bool
+}
+
+variable "git_revision" {
+  description = "The git revision to deploy"
+  type        = string
+  default     = "main"
+}
diff --git a/deployments/stacks/dpe-k8s-deployments-testing/versions.tf b/deployments/stacks/dpe-k8s-deployments-testing/versions.tf
new file mode 100644
index 00000000..e3f8c566
--- /dev/null
+++ b/deployments/stacks/dpe-k8s-deployments-testing/versions.tf
@@ -0,0 +1,11 @@
+terraform {
+  required_providers {
+    spotinst = {
+      source = "spotinst/spotinst"
+    }
+    kubectl = {
+      source  = "gavinbunney/kubectl"
+      version = "1.14.0"
+    }
+  }
+}
diff --git a/deployments/stacks/dpe-k8s-deployments/main.tf b/deployments/stacks/dpe-k8s-deployments/main.tf
index 57df99d3..591d81e0 100644
--- a/deployments/stacks/dpe-k8s-deployments/main.tf
+++ b/deployments/stacks/dpe-k8s-deployments/main.tf
@@ -13,7 +13,7 @@ module "sage-aws-eks-autoscaler" {
 module "victoria-metrics" {
   depends_on   = [module.argo-cd, module.sage-aws-eks-autoscaler]
   source       = "spacelift.io/sagebionetworks/victoria-metrics/aws"
-  version      = "0.4.7"
+  version      = "0.4.8"
   auto_deploy  = var.auto_deploy
   auto_prune   = var.auto_prune
   git_revision = var.git_revision
@@ -28,14 +28,14 @@ module "trivy-operator" {
   git_revision = var.git_revision
 }
 
-module "airflow" {
-  depends_on   = [module.victoria-metrics, module.argo-cd, module.sage-aws-eks-autoscaler]
-  source       = "spacelift.io/sagebionetworks/airflow/aws"
-  version      = "0.3.1"
-  auto_deploy  = var.auto_deploy
-  auto_prune   = var.auto_prune
-  git_revision = var.git_revision
-}
+# module "airflow" {
+#   depends_on   = [module.victoria-metrics, module.argo-cd, module.sage-aws-eks-autoscaler]
+#   source       = "spacelift.io/sagebionetworks/airflow/aws"
+#   version      = "0.3.1"
+#   auto_deploy  = var.auto_deploy
+#   auto_prune   = var.auto_prune
+#   git_revision = var.git_revision
+# }
 
 module "argo-cd" {
   depends_on = [module.sage-aws-eks-autoscaler]
diff --git a/main.tf b/main.tf
index fcdc2390..b1ce7b66 100644
--- a/main.tf
+++ b/main.tf
@@ -10,7 +10,7 @@
 # }
 
 locals {
-  git_branch = "main"
+  git_branch = "ibcdpe-1004-airflow-ops"
 }
 
 resource "spacelift_stack" "root_administrative_stack" {
diff --git a/modules/apache-airflow/main.tf b/modules/apache-airflow/main.tf
index 9546d371..ad6cb18f 100644
--- a/modules/apache-airflow/main.tf
+++ b/modules/apache-airflow/main.tf
@@ -5,7 +5,7 @@
 
 resource "kubernetes_namespace" "airflow" {
   metadata {
-    name = "airflow"
+    name = var.namespace
   }
 }
 
@@ -18,7 +18,7 @@ resource "random_password" "airflow" {
 resource "kubernetes_secret" "airflow_webserver_secret" {
   metadata {
     name      = "airflow-webserver-secret"
-    namespace = "airflow"
+    namespace = var.namespace
   }
 
   data = {
@@ -28,10 +28,26 @@ resource "kubernetes_secret" "airflow_webserver_secret" {
   depends_on = [kubernetes_namespace.airflow]
 }
 
+resource "random_password" "airflow-admin-user" {
+  length  = 32
+  special = false
+}
+
+resource "kubernetes_secret" "airflow-admin-user-secret" {
+  metadata {
+    name      = "airflow-admin-user-secret"
+    namespace = var.namespace
+  }
+
+  data = {
+    "password" = random_password.airflow-admin-user.result
+    "username" = "admin"
+  }
+
+  depends_on = [kubernetes_namespace.airflow]
+}
 
-# TODO: Should a long-term deployment use a managed RDS instance?
-# https://github.com/apache/airflow/blob/main/chart/values.yaml#L2321-L2329
-resource "kubectl_manifest" "argo-deployment" {
+resource "kubectl_manifest" "airflow-deployment" {
   depends_on = [kubernetes_namespace.airflow]
 
   yaml_body = <<YAML
@@ -60,6 +76,6 @@ spec:
     ref: values
   destination:
     server: 'https://kubernetes.default.svc'
-    namespace: airflow
+    namespace: ${var.namespace}
 YAML
 }
diff --git a/modules/apache-airflow/templates/values.yaml b/modules/apache-airflow/templates/values.yaml
index 6baeee04..d7352cf7 100644
--- a/modules/apache-airflow/templates/values.yaml
+++ b/modules/apache-airflow/templates/values.yaml
@@ -368,7 +368,7 @@ data:
   # data:
   #   connection: base64_encoded_connection_string
 
-  metadataSecretName: ~
+  metadataSecretName: pg-user-secret
   # When providing secret names and using the same database for metadata and
   # result backend, for Airflow < 2.4.0 it is necessary to create a separate
   # secret for result backend but with a db+ scheme prefix.
@@ -880,7 +880,7 @@ createUserJob:
     - "-r"
     - "{{ .Values.webserver.defaultUser.role }}"
     - "-u"
-    - "{{ .Values.webserver.defaultUser.username }}"
+    - "${AIRFLOW_USERNAME}"
     - "-e"
     - "{{ .Values.webserver.defaultUser.email }}"
     - "-f"
@@ -888,7 +888,7 @@ createUserJob:
     - "-l"
     - "{{ .Values.webserver.defaultUser.lastName }}"
     - "-p"
-    - "{{ .Values.webserver.defaultUser.password }}"
+    - "${AIRFLOW_PASSWORD}"
 
   # Annotations on the create user job pod
   annotations: {}
@@ -952,7 +952,17 @@ createUserJob:
   useHelmHooks: false
   applyCustomEnv: true
 
-  env: []
+  env:
+  - name: AIRFLOW_USERNAME
+    valueFrom:
+      secretKeyRef:
+        name: airflow-admin-user-secret
+        key: username
+  - name: AIRFLOW_PASSWORD
+    valueFrom:
+      secretKeyRef:
+        name: airflow-admin-user-secret
+        key: password
 
   resources: {}
   #  limits:
@@ -1138,6 +1148,7 @@ webserver:
   #     memory: 128Mi
 
   # Create initial user.
+  # TODO: Create the initial user via a random secret
   defaultUser:
     enabled: true
     role: Admin
@@ -2077,7 +2088,7 @@ cleanup:
 # Configuration for postgresql subchart
 # Not recommended for production
 postgresql:
-  enabled: true
+  enabled: false
   image:
     tag: "11"
   auth:
diff --git a/modules/apache-airflow/variables.tf b/modules/apache-airflow/variables.tf
index 07ea3c7a..1a263d40 100644
--- a/modules/apache-airflow/variables.tf
+++ b/modules/apache-airflow/variables.tf
@@ -15,3 +15,8 @@ variable "git_revision" {
   type        = string
   default     = "main"
 }
+
+variable "namespace" {
+  description = "The namespace to deploy into"
+  type        = string
+}
\ No newline at end of file
diff --git a/modules/main.tf b/modules/main.tf
index 5737c690..81729dfd 100644
--- a/modules/main.tf
+++ b/modules/main.tf
@@ -66,7 +66,7 @@ locals {
       description        = "Helm chart deployment for a single node Victoria Metrics instance"
       project_root       = "modules/victoria-metrics"
       space_id           = "root"
-      version_number     = "0.4.7"
+      version_number     = "0.4.9"
     }
 
     trivy-operator = {
@@ -100,7 +100,7 @@ locals {
       description        = "Helm chart deployment for apache airflow."
       project_root       = "modules/apache-airflow"
       space_id           = "root"
-      version_number     = "0.3.1"
+      version_number     = "0.3.3"
     }
 
     argo-cd = {
@@ -120,6 +120,39 @@ locals {
       version_number     = "0.3.1"
     }
 
+    postgres-cloud-native-database = {
+      github_enterprise = {
+        namespace = "Sage-Bionetworks-Workflows"
+        id        = "sage-bionetworks-workflows-gh"
+      }
+      repository = "eks-stack"
+
+      name               = "postgres-cloud-native"
+      terraform_provider = "aws"
+      administrative     = false
+      branch             = var.git_branch
+      description        = "Helm chart deployment for a postgres database instance using the postgres-cloud-native-operator."
+      project_root       = "modules/postgres-cloud-native"
+      space_id           = "root"
+      version_number     = "0.3.0"
+    }
+
+    postgres-cloud-native-operator = {
+      github_enterprise = {
+        namespace = "Sage-Bionetworks-Workflows"
+        id        = "sage-bionetworks-workflows-gh"
+      }
+      repository = "eks-stack"
+
+      name               = "postgres-cloud-native"
+      terraform_provider = "aws"
+      administrative     = false
+      branch             = var.git_branch
+      description        = "Helm chart deployment for postgres-cloud-native operator."
+      project_root       = "modules/postgres-cloud-native-operator"
+      space_id           = "root"
+      version_number     = "0.3.0"
+    }
     private-workerpool = {
       github_enterprise = {
         namespace = "Sage-Bionetworks-Workflows"
diff --git a/modules/postgres-cloud-native-operator/README.md b/modules/postgres-cloud-native-operator/README.md
new file mode 100644
index 00000000..eb4d3077
--- /dev/null
+++ b/modules/postgres-cloud-native-operator/README.md
@@ -0,0 +1,24 @@
+# Purpose
+The purpose of this module is to deploy the `Cloudnative PG` helm chart <https://github.com/cloudnative-pg/charts/tree/main>.
+This will deploy both the operator.
+
+The `database` deployment is a part of another module. This allows us to add a single
+operator to a cluster and deploy 1 or more databases to that cluster.
+
+
+## Future work to expand the capabilities
+- Setting up backups to S3: https://cloudnative-pg.io/documentation/current/backup/
+- Moving to database only node groups: https://cloudnative-pg.io/documentation/current/architecture/#postgresql-architecture
+
+
+Reading:
+- https://www.cncf.io/blog/2023/09/29/recommended-architectures-for-postgresql-in-kubernetes/
+  - "The next level is to separate the Kubernetes worker nodes for PostgreSQL workloads from the other workloads’, using Kubernetes’ native scheduling capabilities, such as affinity, anti-affinity, node selectors and taints. You’ll still insist on the same storage, but you can get more predictability in terms of CPU and memory usage."
+- Assign database persistent volumes to an expandable storage class
+
+
+# How many databases should I use?
+
+From their documentation:
+
+"Our recommendation is to dedicate a single PostgreSQL cluster (intended as primary and multiple standby servers) to a single database, entirely managed by a single microservice application."
\ No newline at end of file
diff --git a/modules/postgres-cloud-native-operator/main.tf b/modules/postgres-cloud-native-operator/main.tf
new file mode 100644
index 00000000..85f941c8
--- /dev/null
+++ b/modules/postgres-cloud-native-operator/main.tf
@@ -0,0 +1,44 @@
+locals {
+  git_revision = "ibcdpe-1004-airflow-ops"
+}
+
+resource "kubernetes_namespace" "cnpg-system" {
+  metadata {
+    name = "cnpg-system"
+  }
+}
+
+resource "kubectl_manifest" "argo-deployment-operator" {
+  depends_on = [kubernetes_namespace.cnpg-system]
+
+  yaml_body = <<YAML
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: postgres-cloud-native-operator
+  namespace: argocd
+spec:
+  project: default
+  syncPolicy:
+  %{if var.auto_deploy}
+    automated:
+      prune: ${var.auto_prune}
+  %{endif}
+    syncOptions:
+    - ServerSideApply=true
+  sources:
+  - repoURL: 'https://cloudnative-pg.github.io/charts'
+    chart: cloudnative-pg
+    targetRevision: 0.21.6
+    helm:
+      releaseName: cloudnative-pg
+      valueFiles:
+      - $values/modules/postgres-cloud-native-operator/templates/operator-values.yaml
+  - repoURL: 'https://github.com/Sage-Bionetworks-Workflows/eks-stack.git'
+    targetRevision: ${local.git_revision}
+    ref: values
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: cnpg-system
+YAML
+}
diff --git a/modules/postgres-cloud-native-operator/templates/operator-values.yaml b/modules/postgres-cloud-native-operator/templates/operator-values.yaml
new file mode 100644
index 00000000..3298a422
--- /dev/null
+++ b/modules/postgres-cloud-native-operator/templates/operator-values.yaml
@@ -0,0 +1,611 @@
+
+replicaCount: 1
+
+image:
+  repository: ghcr.io/cloudnative-pg/cloudnative-pg
+  pullPolicy: IfNotPresent
+  # -- Overrides the image tag whose default is the chart appVersion.
+  tag: ""
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+hostNetwork: false
+dnsPolicy: ""
+
+crds:
+  # -- Specifies whether the CRDs should be created when installing the chart.
+  create: true
+
+# -- The webhook configuration.
+webhook:
+  port: 9443
+  mutating:
+    create: true
+    failurePolicy: Fail
+  validating:
+    create: true
+    failurePolicy: Fail
+  livenessProbe:
+    initialDelaySeconds: 3
+  readinessProbe:
+    initialDelaySeconds: 3
+
+# -- Operator configuration.
+config:
+  # -- Specifies whether the secret should be created.
+  create: true
+  # -- The name of the configmap/secret to use.
+  name: cnpg-controller-manager-config
+  # -- Specifies whether it should be stored in a secret, instead of a configmap.
+  secret: false
+  # -- The content of the configmap/secret, see
+  # https://cloudnative-pg.io/documentation/current/operator_conf/#available-options
+  # for all the available options.
+  data: {}
+  # INHERITED_ANNOTATIONS: categories
+  # INHERITED_LABELS: environment, workload, app
+  # WATCH_NAMESPACE: namespace-a,namespace-b
+
+# -- Additinal arguments to be added to the operator's args list.
+additionalArgs: []
+
+# -- Array containing extra environment variables which can be templated.
+# For example:
+#  - name: RELEASE_NAME
+#    value: "{{ .Release.Name }}"
+#  - name: MY_VAR
+#    value: "mySpecialKey"
+additionalEnv: []
+
+serviceAccount:
+  # -- Specifies whether the service account should be created.
+  create: true
+  # -- The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template.
+  name: ""
+
+rbac:
+  # -- Specifies whether ClusterRole and ClusterRoleBinding should be created.
+  create: true
+  # -- Aggregate ClusterRoles to Kubernetes default user-facing roles.
+  # Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles
+  aggregateClusterRoles: false
+
+# -- Annotations to be added to all other resources.
+commonAnnotations: {}
+# -- Annotations to be added to the pod.
+podAnnotations: {}
+# -- Labels to be added to the pod.
+podLabels: {}
+
+# -- Container Security Context.
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  readOnlyRootFilesystem: true
+  runAsUser: 10001
+  runAsGroup: 10001
+  seccompProfile:
+    type: RuntimeDefault
+  capabilities:
+    drop:
+      - "ALL"
+
+# -- Security Context for the whole pod.
+podSecurityContext:
+  runAsNonRoot: true
+  seccompProfile:
+    type: RuntimeDefault
+  # fsGroup: 2000
+
+# -- Priority indicates the importance of a Pod relative to other Pods.
+priorityClassName: ""
+
+service:
+  type: ClusterIP
+  # -- DO NOT CHANGE THE SERVICE NAME as it is currently used to generate the certificate
+  # and can not be configured
+  name: cnpg-webhook-service
+  port: 443
+
+resources: {}
+  # If you want to specify resources, uncomment the following
+  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+  #
+  # limits:
+  #   cpu: 100m
+  #   memory: 200Mi
+  # requests:
+  #   cpu: 100m
+  #   memory: 100Mi
+
+# -- Nodeselector for the operator to be installed.
+nodeSelector: {}
+
+# -- Tolerations for the operator to be installed.
+tolerations: []
+
+# -- Affinity for the operator to be installed.
+affinity: {}
+
+monitoring:
+
+  # -- Specifies whether the monitoring should be enabled. Requires Prometheus Operator CRDs.
+  podMonitorEnabled: true
+  # -- Metrics relabel configurations to apply to samples before ingestion.
+  podMonitorMetricRelabelings: []
+  # -- Relabel configurations to apply to samples before scraping.
+  podMonitorRelabelings: []
+  # -- Additional labels for the podMonitor
+  podMonitorAdditionalLabels: {}
+
+  grafanaDashboard:
+    create: false
+    # -- Allows overriding the namespace where the ConfigMap will be created, defaulting to the same one as the Release.
+    namespace: ""
+    # -- The name of the ConfigMap containing the dashboard.
+    configMapName: "cnpg-grafana-dashboard"
+    # -- Label that ConfigMaps should have to be loaded as dashboards.  DEPRECATED: Use labels instead.
+    sidecarLabel: "grafana_dashboard"
+    # -- Label value that ConfigMaps should have to be loaded as dashboards.  DEPRECATED: Use labels instead.
+    sidecarLabelValue: "1"
+    # -- Labels that ConfigMaps should have to get configured in Grafana.
+    labels: {}
+    # -- Annotations that ConfigMaps can have to get configured in Grafana.
+    annotations: {}
+
+# Default monitoring queries
+monitoringQueriesConfigMap:
+  # -- The name of the default monitoring configmap.
+  name: cnpg-default-monitoring
+  # -- A string representation of a YAML defining monitoring queries.
+  queries: |
+    backends:
+      query: |
+       SELECT sa.datname
+           , sa.usename
+           , sa.application_name
+           , states.state
+           , COALESCE(sa.count, 0) AS total
+           , COALESCE(sa.max_tx_secs, 0) AS max_tx_duration_seconds
+           FROM ( VALUES ('active')
+               , ('idle')
+               , ('idle in transaction')
+               , ('idle in transaction (aborted)')
+               , ('fastpath function call')
+               , ('disabled')
+               ) AS states(state)
+           LEFT JOIN (
+               SELECT datname
+                   , state
+                   , usename
+                   , COALESCE(application_name, '') AS application_name
+                   , COUNT(*)
+                   , COALESCE(EXTRACT (EPOCH FROM (max(now() - xact_start))), 0) AS max_tx_secs
+               FROM pg_catalog.pg_stat_activity
+               GROUP BY datname, state, usename, application_name
+           ) sa ON states.state = sa.state
+           WHERE sa.usename IS NOT NULL
+      metrics:
+        - datname:
+            usage: "LABEL"
+            description: "Name of the database"
+        - usename:
+            usage: "LABEL"
+            description: "Name of the user"
+        - application_name:
+            usage: "LABEL"
+            description: "Name of the application"
+        - state:
+            usage: "LABEL"
+            description: "State of the backend"
+        - total:
+            usage: "GAUGE"
+            description: "Number of backends"
+        - max_tx_duration_seconds:
+            usage: "GAUGE"
+            description: "Maximum duration of a transaction in seconds"
+
+    backends_waiting:
+      query: |
+       SELECT count(*) AS total
+       FROM pg_catalog.pg_locks blocked_locks
+       JOIN pg_catalog.pg_locks blocking_locks
+         ON blocking_locks.locktype = blocked_locks.locktype
+         AND blocking_locks.database IS NOT DISTINCT FROM blocked_locks.database
+         AND blocking_locks.relation IS NOT DISTINCT FROM blocked_locks.relation
+         AND blocking_locks.page IS NOT DISTINCT FROM blocked_locks.page
+         AND blocking_locks.tuple IS NOT DISTINCT FROM blocked_locks.tuple
+         AND blocking_locks.virtualxid IS NOT DISTINCT FROM blocked_locks.virtualxid
+         AND blocking_locks.transactionid IS NOT DISTINCT FROM blocked_locks.transactionid
+         AND blocking_locks.classid IS NOT DISTINCT FROM blocked_locks.classid
+         AND blocking_locks.objid IS NOT DISTINCT FROM blocked_locks.objid
+         AND blocking_locks.objsubid IS NOT DISTINCT FROM blocked_locks.objsubid
+         AND blocking_locks.pid != blocked_locks.pid
+       JOIN pg_catalog.pg_stat_activity blocking_activity ON blocking_activity.pid = blocking_locks.pid
+       WHERE NOT blocked_locks.granted
+      metrics:
+        - total:
+            usage: "GAUGE"
+            description: "Total number of backends that are currently waiting on other queries"
+
+    pg_database:
+      query: |
+        SELECT datname
+          , pg_catalog.pg_database_size(datname) AS size_bytes
+          , pg_catalog.age(datfrozenxid) AS xid_age
+          , pg_catalog.mxid_age(datminmxid) AS mxid_age
+        FROM pg_catalog.pg_database
+        WHERE datallowconn
+      metrics:
+        - datname:
+            usage: "LABEL"
+            description: "Name of the database"
+        - size_bytes:
+            usage: "GAUGE"
+            description: "Disk space used by the database"
+        - xid_age:
+            usage: "GAUGE"
+            description: "Number of transactions from the frozen XID to the current one"
+        - mxid_age:
+            usage: "GAUGE"
+            description: "Number of multiple transactions (Multixact) from the frozen XID to the current one"
+
+    pg_postmaster:
+      query: |
+        SELECT EXTRACT(EPOCH FROM pg_postmaster_start_time) AS start_time
+        FROM pg_catalog.pg_postmaster_start_time()
+      metrics:
+        - start_time:
+            usage: "GAUGE"
+            description: "Time at which postgres started (based on epoch)"
+
+    pg_replication:
+      query: "SELECT CASE WHEN (
+                NOT pg_catalog.pg_is_in_recovery()
+                OR pg_catalog.pg_last_wal_receive_lsn() = pg_catalog.pg_last_wal_replay_lsn())
+              THEN 0
+              ELSE GREATEST (0,
+                EXTRACT(EPOCH FROM (now() - pg_catalog.pg_last_xact_replay_timestamp())))
+              END AS lag,
+              pg_catalog.pg_is_in_recovery() AS in_recovery,
+              EXISTS (TABLE pg_stat_wal_receiver) AS is_wal_receiver_up,
+              (SELECT count(*) FROM pg_catalog.pg_stat_replication) AS streaming_replicas"
+      metrics:
+        - lag:
+            usage: "GAUGE"
+            description: "Replication lag behind primary in seconds"
+        - in_recovery:
+            usage: "GAUGE"
+            description: "Whether the instance is in recovery"
+        - is_wal_receiver_up:
+            usage: "GAUGE"
+            description: "Whether the instance wal_receiver is up"
+        - streaming_replicas:
+            usage: "GAUGE"
+            description: "Number of streaming replicas connected to the instance"
+
+    pg_replication_slots:
+      query: |
+        SELECT slot_name,
+          slot_type,
+          database,
+          active,
+          (CASE pg_catalog.pg_is_in_recovery()
+            WHEN TRUE THEN pg_catalog.pg_wal_lsn_diff(pg_catalog.pg_last_wal_receive_lsn(), restart_lsn)
+            ELSE pg_catalog.pg_wal_lsn_diff(pg_catalog.pg_current_wal_lsn(), restart_lsn)
+          END) as pg_wal_lsn_diff
+        FROM pg_catalog.pg_replication_slots
+        WHERE NOT temporary
+      metrics:
+        - slot_name:
+            usage: "LABEL"
+            description: "Name of the replication slot"
+        - slot_type:
+            usage: "LABEL"
+            description: "Type of the replication slot"
+        - database:
+            usage: "LABEL"
+            description: "Name of the database"
+        - active:
+            usage: "GAUGE"
+            description: "Flag indicating whether the slot is active"
+        - pg_wal_lsn_diff:
+            usage: "GAUGE"
+            description: "Replication lag in bytes"
+
+    pg_stat_archiver:
+      query: |
+        SELECT archived_count
+          , failed_count
+          , COALESCE(EXTRACT(EPOCH FROM (now() - last_archived_time)), -1) AS seconds_since_last_archival
+          , COALESCE(EXTRACT(EPOCH FROM (now() - last_failed_time)), -1) AS seconds_since_last_failure
+          , COALESCE(EXTRACT(EPOCH FROM last_archived_time), -1) AS last_archived_time
+          , COALESCE(EXTRACT(EPOCH FROM last_failed_time), -1) AS last_failed_time
+          , COALESCE(CAST(CAST('x'||pg_catalog.right(pg_catalog.split_part(last_archived_wal, '.', 1), 16) AS pg_catalog.bit(64)) AS pg_catalog.int8), -1) AS last_archived_wal_start_lsn
+          , COALESCE(CAST(CAST('x'||pg_catalog.right(pg_catalog.split_part(last_failed_wal, '.', 1), 16) AS pg_catalog.bit(64)) AS pg_catalog.int8), -1) AS last_failed_wal_start_lsn
+          , EXTRACT(EPOCH FROM stats_reset) AS stats_reset_time
+        FROM pg_catalog.pg_stat_archiver
+      metrics:
+        - archived_count:
+            usage: "COUNTER"
+            description: "Number of WAL files that have been successfully archived"
+        - failed_count:
+            usage: "COUNTER"
+            description: "Number of failed attempts for archiving WAL files"
+        - seconds_since_last_archival:
+            usage: "GAUGE"
+            description: "Seconds since the last successful archival operation"
+        - seconds_since_last_failure:
+            usage: "GAUGE"
+            description: "Seconds since the last failed archival operation"
+        - last_archived_time:
+            usage: "GAUGE"
+            description: "Epoch of the last time WAL archiving succeeded"
+        - last_failed_time:
+            usage: "GAUGE"
+            description: "Epoch of the last time WAL archiving failed"
+        - last_archived_wal_start_lsn:
+            usage: "GAUGE"
+            description: "Archived WAL start LSN"
+        - last_failed_wal_start_lsn:
+            usage: "GAUGE"
+            description: "Last failed WAL LSN"
+        - stats_reset_time:
+            usage: "GAUGE"
+            description: "Time at which these statistics were last reset"
+
+    pg_stat_bgwriter:
+      runonserver: "<17.0.0"
+      query: |
+        SELECT checkpoints_timed
+          , checkpoints_req
+          , checkpoint_write_time
+          , checkpoint_sync_time
+          , buffers_checkpoint
+          , buffers_clean
+          , maxwritten_clean
+          , buffers_backend
+          , buffers_backend_fsync
+          , buffers_alloc
+        FROM pg_catalog.pg_stat_bgwriter
+      metrics:
+        - checkpoints_timed:
+            usage: "COUNTER"
+            description: "Number of scheduled checkpoints that have been performed"
+        - checkpoints_req:
+            usage: "COUNTER"
+            description: "Number of requested checkpoints that have been performed"
+        - checkpoint_write_time:
+            usage: "COUNTER"
+            description: "Total amount of time that has been spent in the portion of checkpoint processing where files are written to disk, in milliseconds"
+        - checkpoint_sync_time:
+            usage: "COUNTER"
+            description: "Total amount of time that has been spent in the portion of checkpoint processing where files are synchronized to disk, in milliseconds"
+        - buffers_checkpoint:
+            usage: "COUNTER"
+            description: "Number of buffers written during checkpoints"
+        - buffers_clean:
+            usage: "COUNTER"
+            description: "Number of buffers written by the background writer"
+        - maxwritten_clean:
+            usage: "COUNTER"
+            description: "Number of times the background writer stopped a cleaning scan because it had written too many buffers"
+        - buffers_backend:
+            usage: "COUNTER"
+            description: "Number of buffers written directly by a backend"
+        - buffers_backend_fsync:
+            usage: "COUNTER"
+            description: "Number of times a backend had to execute its own fsync call (normally the background writer handles those even when the backend does its own write)"
+        - buffers_alloc:
+            usage: "COUNTER"
+            description: "Number of buffers allocated"
+
+    pg_stat_bgwriter_17:
+      runonserver: ">=17.0.0"
+      name: pg_stat_bgwriter
+      query: |
+        SELECT buffers_clean
+          , maxwritten_clean
+          , buffers_alloc
+          , EXTRACT(EPOCH FROM stats_reset) AS stats_reset_time
+        FROM pg_catalog.pg_stat_bgwriter
+      metrics:
+        - buffers_clean:
+            usage: "COUNTER"
+            description: "Number of buffers written by the background writer"
+        - maxwritten_clean:
+            usage: "COUNTER"
+            description: "Number of times the background writer stopped a cleaning scan because it had written too many buffers"
+        - buffers_alloc:
+            usage: "COUNTER"
+            description: "Number of buffers allocated"
+        - stats_reset_time:
+            usage: "GAUGE"
+            description: "Time at which these statistics were last reset"
+
+    pg_stat_checkpointer:
+      runonserver: ">=17.0.0"
+      query: |
+        SELECT num_timed AS checkpoints_timed
+          , num_requested AS checkpoints_req
+          , restartpoints_timed
+          , restartpoints_req
+          , restartpoints_done
+          , write_time
+          , sync_time
+          , buffers_written
+          , EXTRACT(EPOCH FROM stats_reset) AS stats_reset_time
+        FROM pg_catalog.pg_stat_checkpointer
+      metrics:
+        - checkpoints_timed:
+            usage: "COUNTER"
+            description: "Number of scheduled checkpoints that have been performed"
+        - checkpoints_req:
+            usage: "COUNTER"
+            description: "Number of requested checkpoints that have been performed"
+        - restartpoints_timed:
+            usage: "COUNTER"
+            description: "Number of scheduled restartpoints due to timeout or after a failed attempt to perform it"
+        - restartpoints_req:
+            usage: "COUNTER"
+            description: "Number of requested restartpoints that have been performed"
+        - restartpoints_done:
+            usage: "COUNTER"
+            description: "Number of restartpoints that have been performed"
+        - write_time:
+            usage: "COUNTER"
+            description: "Total amount of time that has been spent in the portion of processing checkpoints and restartpoints where files are written to disk, in milliseconds"
+        - sync_time:
+            usage: "COUNTER"
+            description: "Total amount of time that has been spent in the portion of processing checkpoints and restartpoints where files are synchronized to disk, in milliseconds"
+        - buffers_written:
+            usage: "COUNTER"
+            description: "Number of buffers written during checkpoints and restartpoints"
+        - stats_reset_time:
+            usage: "GAUGE"
+            description: "Time at which these statistics were last reset"
+
+    pg_stat_database:
+      query: |
+        SELECT datname
+          , xact_commit
+          , xact_rollback
+          , blks_read
+          , blks_hit
+          , tup_returned
+          , tup_fetched
+          , tup_inserted
+          , tup_updated
+          , tup_deleted
+          , conflicts
+          , temp_files
+          , temp_bytes
+          , deadlocks
+          , blk_read_time
+          , blk_write_time
+        FROM pg_catalog.pg_stat_database
+      metrics:
+        - datname:
+            usage: "LABEL"
+            description: "Name of this database"
+        - xact_commit:
+            usage: "COUNTER"
+            description: "Number of transactions in this database that have been committed"
+        - xact_rollback:
+            usage: "COUNTER"
+            description: "Number of transactions in this database that have been rolled back"
+        - blks_read:
+            usage: "COUNTER"
+            description: "Number of disk blocks read in this database"
+        - blks_hit:
+            usage: "COUNTER"
+            description: "Number of times disk blocks were found already in the buffer cache, so that a read was not necessary (this only includes hits in the PostgreSQL buffer cache, not the operating system's file system cache)"
+        - tup_returned:
+            usage: "COUNTER"
+            description: "Number of rows returned by queries in this database"
+        - tup_fetched:
+            usage: "COUNTER"
+            description: "Number of rows fetched by queries in this database"
+        - tup_inserted:
+            usage: "COUNTER"
+            description: "Number of rows inserted by queries in this database"
+        - tup_updated:
+            usage: "COUNTER"
+            description: "Number of rows updated by queries in this database"
+        - tup_deleted:
+            usage: "COUNTER"
+            description: "Number of rows deleted by queries in this database"
+        - conflicts:
+            usage: "COUNTER"
+            description: "Number of queries canceled due to conflicts with recovery in this database"
+        - temp_files:
+            usage: "COUNTER"
+            description: "Number of temporary files created by queries in this database"
+        - temp_bytes:
+            usage: "COUNTER"
+            description: "Total amount of data written to temporary files by queries in this database"
+        - deadlocks:
+            usage: "COUNTER"
+            description: "Number of deadlocks detected in this database"
+        - blk_read_time:
+            usage: "COUNTER"
+            description: "Time spent reading data file blocks by backends in this database, in milliseconds"
+        - blk_write_time:
+            usage: "COUNTER"
+            description: "Time spent writing data file blocks by backends in this database, in milliseconds"
+
+    pg_stat_replication:
+      primary: true
+      query: |
+       SELECT usename
+         , COALESCE(application_name, '') AS application_name
+         , COALESCE(client_addr::text, '') AS client_addr
+         , COALESCE(client_port::text, '') AS client_port
+         , EXTRACT(EPOCH FROM backend_start) AS backend_start
+         , COALESCE(pg_catalog.age(backend_xmin), 0) AS backend_xmin_age
+         , pg_catalog.pg_wal_lsn_diff(pg_catalog.pg_current_wal_lsn(), sent_lsn) AS sent_diff_bytes
+         , pg_catalog.pg_wal_lsn_diff(pg_catalog.pg_current_wal_lsn(), write_lsn) AS write_diff_bytes
+         , pg_catalog.pg_wal_lsn_diff(pg_catalog.pg_current_wal_lsn(), flush_lsn) AS flush_diff_bytes
+         , COALESCE(pg_catalog.pg_wal_lsn_diff(pg_catalog.pg_current_wal_lsn(), replay_lsn),0) AS replay_diff_bytes
+         , COALESCE((EXTRACT(EPOCH FROM write_lag)),0)::float AS write_lag_seconds
+         , COALESCE((EXTRACT(EPOCH FROM flush_lag)),0)::float AS flush_lag_seconds
+         , COALESCE((EXTRACT(EPOCH FROM replay_lag)),0)::float AS replay_lag_seconds
+       FROM pg_catalog.pg_stat_replication
+      metrics:
+        - usename:
+            usage: "LABEL"
+            description: "Name of the replication user"
+        - application_name:
+            usage: "LABEL"
+            description: "Name of the application"
+        - client_addr:
+            usage: "LABEL"
+            description: "Client IP address"
+        - client_port:
+            usage: "LABEL"
+            description: "Client TCP port"
+        - backend_start:
+            usage: "COUNTER"
+            description: "Time when this process was started"
+        - backend_xmin_age:
+            usage: "COUNTER"
+            description: "The age of this standby's xmin horizon"
+        - sent_diff_bytes:
+            usage: "GAUGE"
+            description: "Difference in bytes from the last write-ahead log location sent on this connection"
+        - write_diff_bytes:
+            usage: "GAUGE"
+            description: "Difference in bytes from the last write-ahead log location written to disk by this standby server"
+        - flush_diff_bytes:
+            usage: "GAUGE"
+            description: "Difference in bytes from the last write-ahead log location flushed to disk by this standby server"
+        - replay_diff_bytes:
+            usage: "GAUGE"
+            description: "Difference in bytes from the last write-ahead log location replayed into the database on this standby server"
+        - write_lag_seconds:
+            usage: "GAUGE"
+            description: "Time elapsed between flushing recent WAL locally and receiving notification that this standby server has written it"
+        - flush_lag_seconds:
+            usage: "GAUGE"
+            description: "Time elapsed between flushing recent WAL locally and receiving notification that this standby server has written and flushed it"
+        - replay_lag_seconds:
+            usage: "GAUGE"
+            description: "Time elapsed between flushing recent WAL locally and receiving notification that this standby server has written, flushed and applied it"
+
+    pg_settings:
+      query: |
+        SELECT name,
+        CASE setting WHEN 'on' THEN '1' WHEN 'off' THEN '0' ELSE setting END AS setting
+        FROM pg_catalog.pg_settings
+        WHERE vartype IN ('integer', 'real', 'bool')
+        ORDER BY 1
+      metrics:
+        - name:
+            usage: "LABEL"
+            description: "Name of the setting"
+        - setting:
+            usage: "GAUGE"
+            description: "Setting value"
+
diff --git a/modules/postgres-cloud-native-operator/variables.tf b/modules/postgres-cloud-native-operator/variables.tf
new file mode 100644
index 00000000..07ea3c7a
--- /dev/null
+++ b/modules/postgres-cloud-native-operator/variables.tf
@@ -0,0 +1,17 @@
+variable "auto_deploy" {
+  description = "Auto deploy through ArgoCD"
+  type        = bool
+  default     = false
+}
+
+variable "auto_prune" {
+  description = "Auto prune through ArgoCD"
+  type        = bool
+  default     = false
+}
+
+variable "git_revision" {
+  description = "The git revision to deploy"
+  type        = string
+  default     = "main"
+}
diff --git a/modules/postgres-cloud-native-operator/versions.tf b/modules/postgres-cloud-native-operator/versions.tf
new file mode 100644
index 00000000..c35c044f
--- /dev/null
+++ b/modules/postgres-cloud-native-operator/versions.tf
@@ -0,0 +1,16 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = "~> 2.0"
+    }
+    kubectl = {
+      source  = "gavinbunney/kubectl"
+      version = "1.14.0"
+    }
+  }
+}
diff --git a/modules/postgres-cloud-native/README.md b/modules/postgres-cloud-native/README.md
new file mode 100644
index 00000000..bfa988d3
--- /dev/null
+++ b/modules/postgres-cloud-native/README.md
@@ -0,0 +1,16 @@
+# Purpose
+The purpose of this module is to deploy the `Cloudnative PG` helm chart <https://github.com/cloudnative-pg/charts/tree/main>.
+This will deploy both the operator and a database cluster.
+
+
+Future work:
+
+- Since each microservice/application is meant to recieve it's own database the deployment model within this module should be changed slightly to install the operator at a cluster level, with each application having its own database.
+
+
+
+# How many databases??
+
+From their documentation:
+
+"Our recommendation is to dedicate a single PostgreSQL cluster (intended as primary and multiple standby servers) to a single database, entirely managed by a single microservice application."
\ No newline at end of file
diff --git a/modules/postgres-cloud-native/main.tf b/modules/postgres-cloud-native/main.tf
new file mode 100644
index 00000000..419cef7f
--- /dev/null
+++ b/modules/postgres-cloud-native/main.tf
@@ -0,0 +1,71 @@
+locals {
+  git_revision = "ibcdpe-1004-airflow-ops"
+}
+
+resource "kubectl_manifest" "argo-deployment-database" {
+  depends_on = [
+    kubernetes_secret.connection-secret
+  ]
+  yaml_body = <<YAML
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: ${var.argo_deployment_name}
+  namespace: argocd
+spec:
+  project: default
+  syncPolicy:
+  %{if var.auto_deploy}
+    automated:
+      prune: ${var.auto_prune}
+  %{endif}
+    syncOptions:
+    - ServerSideApply=true
+  sources:
+  - repoURL: 'https://cloudnative-pg.github.io/charts'
+    chart: cluster
+    targetRevision: 0.0.9
+    helm:
+      releaseName: ${var.argo_deployment_name}
+      valueFiles:
+      - $values/modules/postgres-cloud-native/templates/cluster-values.yaml
+  - repoURL: 'https://github.com/Sage-Bionetworks-Workflows/eks-stack.git'
+    targetRevision: ${local.git_revision}
+    ref: values
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: ${var.namespace}
+YAML
+}
+
+resource "random_password" "pg-password" {
+  length  = 64
+  special = false
+}
+
+resource "kubernetes_secret" "connection-secret" {
+  metadata {
+    name      = "pg-user-secret"
+    namespace = var.namespace
+    labels = {
+      "cnpg.io/reload"  = "true"
+      "cnpg.io/cluster" = var.argo_deployment_name
+    }
+  }
+
+  type = "kubernetes.io/basic-auth"
+
+
+  data = {
+    "dbname"     = "application-database"
+    "host"       = "${var.argo_deployment_name}-cluster-rw.${var.namespace}"
+    "jdbc-uri"   = "jdbc:postgresql://${var.argo_deployment_name}-cluster-rw.${var.namespace}:5432/application-database?password=${random_password.pg-password.result}&user=application-database"
+    "password"   = random_password.pg-password.result
+    "pgpass"     = "${var.argo_deployment_name}-cluster-rw:5432:application-database:application-database:${random_password.pg-password.result}"
+    "port"       = "5432"
+    "uri"        = "postgresql://application-database:${random_password.pg-password.result}@${var.argo_deployment_name}-cluster-rw.${var.namespace}:5432/application-database"
+    "user"       = "application-database"
+    "username"   = "application-database"
+    "connection" = "postgresql://application-database:${random_password.pg-password.result}@${var.argo_deployment_name}-cluster-rw.${var.namespace}:5432/application-database"
+  }
+}
diff --git a/modules/postgres-cloud-native/templates/cluster-values.yaml b/modules/postgres-cloud-native/templates/cluster-values.yaml
new file mode 100644
index 00000000..78d40be5
--- /dev/null
+++ b/modules/postgres-cloud-native/templates/cluster-values.yaml
@@ -0,0 +1,313 @@
+# -- Override the name of the chart
+nameOverride: ""
+# -- Override the full name of the chart
+fullnameOverride: ""
+
+###
+# -- Type of the CNPG database. Available types:
+# * `postgresql`
+# * `postgis`
+type: postgresql
+
+###
+# -- Cluster mode of operation. Available modes:
+# * `standalone` - default mode. Creates new or updates an existing CNPG cluster.
+# * `replica` - Creates a replica cluster from an existing CNPG cluster. # TODO
+# * `recovery` - Same as standalone but creates a cluster from a backup, object store or via pg_basebackup.
+mode: standalone
+
+recovery:
+  ##
+  # -- Available recovery methods:
+  # * `backup` - Recovers a CNPG cluster from a CNPG backup (PITR supported) Needs to be on the same cluster in the same namespace.
+  # * `object_store` - Recovers a CNPG cluster from a barman object store (PITR supported).
+  # * `pg_basebackup` - Recovers a CNPG cluster viaa streaming replication protocol. Useful if you want to
+  #        migrate databases to CloudNativePG, even from outside Kubernetes. # TODO
+  method: backup
+
+  ## -- Point in time recovery target. Specify one of the following:
+  pitrTarget:
+    # -- Time in RFC3339 format
+    time: ""
+
+  ##
+  # -- Backup Recovery Method
+  backupName: ""  # Name of the backup to recover from. Required if method is `backup`.
+
+  ##
+  # -- The original cluster name when used in backups. Also known as serverName.
+  clusterName: ""
+  # -- Overrides the provider specific default endpoint. Defaults to:
+  # S3: https://s3.<region>.amazonaws.com"
+  # Leave empty if using the default S3 endpoint
+  endpointURL: ""
+  # -- Specifies a CA bundle to validate a privately signed certificate.
+  endpointCA:
+    # -- Creates a secret with the given value if true, otherwise uses an existing secret.
+    create: false
+    name: ""
+    key: ""
+    value: ""
+  # -- Overrides the provider specific default path. Defaults to:
+  # S3: s3://<bucket><path>
+  # Azure: https://<storageAccount>.<serviceName>.core.windows.net/<containerName><path>
+  # Google: gs://<bucket><path>
+  destinationPath: ""
+  # -- One of `s3`, `azure` or `google`
+  provider: s3
+  s3:
+    region: ""
+    bucket: ""
+    path: "/"
+    accessKey: ""
+    secretKey: ""
+  azure:
+    path: "/"
+    connectionString: ""
+    storageAccount: ""
+    storageKey: ""
+    storageSasToken: ""
+    containerName: ""
+    serviceName: blob
+    inheritFromAzureAD: false
+  google:
+    path: "/"
+    bucket: ""
+    gkeEnvironment: false
+    applicationCredentials: ""
+  secret:
+    # -- Whether to create a secret for the backup credentials
+    create: true
+    # -- Name of the backup credentials secret
+    name: ""
+
+
+cluster:
+  # -- Number of instances
+  instances: 3
+
+  # -- Name of the container image, supporting both tags (<image>:<tag>) and digests for deterministic and repeatable deployments:
+  # <image>:<tag>@sha256:<digestValue>
+  imageName: ""  # Default value depends on type (postgresql/postgis/timescaledb)
+
+  # -- Image pull policy. One of Always, Never or IfNotPresent. If not defined, it defaults to IfNotPresent. Cannot be updated.
+  # More info: https://kubernetes.io/docs/concepts/containers/images#updating-images
+  imagePullPolicy: IfNotPresent
+
+  # -- The list of pull secrets to be used to pull the images.
+  # See: https://cloudnative-pg.io/documentation/current/cloudnative-pg.v1/#postgresql-cnpg-io-v1-LocalObjectReference
+  imagePullSecrets: []
+
+  storage:
+    size: 8Gi
+    storageClass: ""
+
+  # -- The UID of the postgres user inside the image, defaults to 26
+  postgresUID: 26
+
+  # -- The GID of the postgres user inside the image, defaults to 26
+  postgresGID: 26
+
+  # -- Resources requirements of every generated Pod.
+  # Please refer to https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ for more information.
+  # We strongly advise you use the same setting for limits and requests so that your cluster pods are given a Guaranteed QoS.
+  # See: https://kubernetes.io/docs/concepts/workloads/pods/pod-qos/
+  resources: {}
+    # limits:
+    #   cpu: 2000m
+    #   memory: 8Gi
+    # requests:
+    #   cpu: 2000m
+    #   memory: 8Gi
+
+  priorityClassName: ""
+
+  # -- Method to follow to upgrade the primary server during a rolling update procedure, after all replicas have been
+  # successfully updated. It can be switchover (default) or in-place (restart).
+  primaryUpdateMethod: switchover
+
+  # -- Strategy to follow to upgrade the primary server during a rolling update procedure, after all replicas have been
+  # successfully updated: it can be automated (unsupervised - default) or manual (supervised)
+  primaryUpdateStrategy: unsupervised
+
+  # -- The instances' log level, one of the following values: error, warning, info (default), debug, trace
+  logLevel: "info"
+
+  # -- Affinity/Anti-affinity rules for Pods.
+  # See: https://cloudnative-pg.io/documentation/current/cloudnative-pg.v1/#postgresql-cnpg-io-v1-AffinityConfiguration
+  affinity:
+    topologyKey: topology.kubernetes.io/zone
+
+  # -- The configuration for the CA and related certificates.
+  # See: https://cloudnative-pg.io/documentation/current/cloudnative-pg.v1/#postgresql-cnpg-io-v1-CertificatesConfiguration
+  certificates: {}
+
+  # -- When this option is enabled, the operator will use the SuperuserSecret to update the postgres user password.
+  # If the secret is not present, the operator will automatically create one.
+  # When this option is disabled, the operator will ignore the SuperuserSecret content, delete it when automatically created,
+  # and then blank the password of the postgres user by setting it to NULL.
+  enableSuperuserAccess: true
+  superuserSecret: ""
+
+  # -- This feature enables declarative management of existing roles, as well as the creation of new roles if they are not
+  # already present in the database.
+  # See: https://cloudnative-pg.io/documentation/current/declarative_role_management/
+  # TODO: Role management
+  roles: []
+  #   - name: airflow-pg
+  #     ensure: present
+  #     comment: Service account for airflow
+  #     login: true
+  #     superuser: false
+      # inRoles:
+      #   - pg_monitor
+      #   - pg_signal_backend
+
+  monitoring:
+    # -- Whether to enable monitoring
+    enabled: true
+    podMonitor:
+      # -- Whether to enable the PodMonitor
+      enabled: true
+    prometheusRule:
+      # -- Whether to enable the PrometheusRule automated alerts
+      enabled: true
+      # -- Exclude specified rules
+      excludeRules: []
+        # - CNPGClusterZoneSpreadWarning
+    # -- Custom Prometheus metrics
+    customQueries: []
+      # - name: "pg_cache_hit_ratio"
+      #   query: "SELECT current_database() as datname, sum(heap_blks_hit) / (sum(heap_blks_hit) + sum(heap_blks_read)) as ratio FROM pg_statio_user_tables;"
+      #   metrics:
+      #     - datname:
+      #         usage: "LABEL"
+      #         description: "Name of the database"
+      #     - ratio:
+      #         usage: GAUGE
+      #         description: "Cache hit ratio"
+
+  # -- Configuration of the PostgreSQL server.
+  # See: https://cloudnative-pg.io/documentation/current/cloudnative-pg.v1/#postgresql-cnpg-io-v1-PostgresConfiguration
+  postgresql: {}
+    # max_connections: 300
+
+  # -- BootstrapInitDB is the configuration of the bootstrap process when initdb is used.
+  # See: https://cloudnative-pg.io/documentation/current/bootstrap/
+  # See: https://cloudnative-pg.io/documentation/current/cloudnative-pg.v1/#postgresql-cnpg-io-v1-bootstrapinitdb
+  # TODO: Verify user/db setup works properly
+  initdb:
+    database: application-database
+    owner: "" # Defaults to the database name
+    secret: 
+      name: "pg-user-secret" # Name of the secret containing the initial credentials for the owner of the user database. If empty a new secret will be created from scratch
+    # postInitSQL:
+    #   - CREATE EXTENSION IF NOT EXISTS vector;
+
+  additionalLabels: {}
+  annotations: {}
+
+
+backups:
+  # -- You need to configure backups manually, so backups are disabled by default.
+  enabled: false
+
+  # -- Overrides the provider specific default endpoint. Defaults to:
+  # S3: https://s3.<region>.amazonaws.com"
+  endpointURL: ""  # Leave empty if using the default S3 endpoint
+  # -- Specifies a CA bundle to validate a privately signed certificate.
+  endpointCA:
+    # -- Creates a secret with the given value if true, otherwise uses an existing secret.
+    create: false
+    name: ""
+    key: ""
+    value: ""
+
+  # -- Overrides the provider specific default path. Defaults to:
+  # S3: s3://<bucket><path>
+  # Azure: https://<storageAccount>.<serviceName>.core.windows.net/<containerName><path>
+  # Google: gs://<bucket><path>
+  destinationPath: ""
+  # -- One of `s3`, `azure` or `google`
+  provider: s3
+  s3:
+    region: ""
+    bucket: ""
+    path: "/"
+    accessKey: ""
+    secretKey: ""
+  azure:
+    path: "/"
+    connectionString: ""
+    storageAccount: ""
+    storageKey: ""
+    storageSasToken: ""
+    containerName: ""
+    serviceName: blob
+    inheritFromAzureAD: false
+  google:
+    path: "/"
+    bucket: ""
+    gkeEnvironment: false
+    applicationCredentials: ""
+  secret:
+    # -- Whether to create a secret for the backup credentials
+    create: true
+    # -- Name of the backup credentials secret
+    name: ""
+
+  wal:
+    # -- WAL compression method. One of `` (for no compression), `gzip`, `bzip2` or `snappy`.
+    compression: gzip
+    # -- Whether to instruct the storage provider to encrypt WAL files. One of `` (use the storage container default), `AES256` or `aws:kms`.
+    encryption: AES256
+    # -- Number of WAL files to be archived or restored in parallel.
+    maxParallel: 1
+  data:
+    # -- Data compression method. One of `` (for no compression), `gzip`, `bzip2` or `snappy`.
+    compression: gzip
+    # -- Whether to instruct the storage provider to encrypt data files. One of `` (use the storage container default), `AES256` or `aws:kms`.
+    encryption: AES256
+    # -- Number of data files to be archived or restored in parallel.
+    jobs: 2
+
+  scheduledBackups:
+    -
+      # -- Scheduled backup name
+      name: daily-backup
+      # -- Schedule in cron format
+      schedule: "0 0 0 * * *"
+      # -- Backup owner reference
+      backupOwnerReference: self
+      # -- Backup method, can be `barmanObjectStore` (default) or `volumeSnapshot`
+      method: barmanObjectStore
+
+  # -- Retention policy for backups
+  retentionPolicy: "30d"
+
+
+pooler:
+  # -- Whether to enable PgBouncer
+  enabled: false
+  # -- PgBouncer type of service to forward traffic to.
+  type: rw
+  # -- PgBouncer pooling mode
+  poolMode: transaction
+  # -- Number of PgBouncer instances
+  instances: 3
+  # -- PgBouncer configuration parameters
+  parameters:
+    max_client_conn: "1000"
+    default_pool_size: "25"
+
+  monitoring:
+    # -- Whether to enable monitoring
+    enabled: false
+    podMonitor:
+        # -- Whether to enable the PodMonitor
+      enabled: true
+
+  # -- Custom PgBouncer deployment template.
+  # Use to override image, specify resources, etc.
+  template: {}
+
diff --git a/modules/postgres-cloud-native/variables.tf b/modules/postgres-cloud-native/variables.tf
new file mode 100644
index 00000000..770d80bd
--- /dev/null
+++ b/modules/postgres-cloud-native/variables.tf
@@ -0,0 +1,27 @@
+variable "auto_deploy" {
+  description = "Auto deploy through ArgoCD"
+  type        = bool
+  default     = false
+}
+
+variable "auto_prune" {
+  description = "Auto prune through ArgoCD"
+  type        = bool
+  default     = false
+}
+
+variable "git_revision" {
+  description = "The git revision to deploy"
+  type        = string
+  default     = "main"
+}
+
+variable "argo_deployment_name" {
+  description = "The name of the ArgoCD deployment, must be globally unique"
+  type        = string
+}
+
+variable "namespace" {
+  description = "The namespace to deploy into"
+  type        = string
+}
diff --git a/modules/postgres-cloud-native/versions.tf b/modules/postgres-cloud-native/versions.tf
new file mode 100644
index 00000000..c35c044f
--- /dev/null
+++ b/modules/postgres-cloud-native/versions.tf
@@ -0,0 +1,16 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = "~> 2.0"
+    }
+    kubectl = {
+      source  = "gavinbunney/kubectl"
+      version = "1.14.0"
+    }
+  }
+}
diff --git a/modules/victoria-metrics/templates/values.yaml b/modules/victoria-metrics/templates/values.yaml
index 3c4ffc64..b50a54b9 100644
--- a/modules/victoria-metrics/templates/values.yaml
+++ b/modules/victoria-metrics/templates/values.yaml
@@ -798,6 +798,10 @@ grafana:
         gnetId: 17813
         revision: 2
         datasource: VictoriaMetrics
+      cloudnativepg:
+        gnetId: 20417
+        revision: 3
+        datasource: VictoriaMetrics
 
   defaultDashboardsTimezone: utc
 
@@ -1143,7 +1147,7 @@ crds:
 
 ## install prometheus operator crds
 prometheus-operator-crds:
-  enabled: false
+  enabled: true
 
 # -- Add extra objects dynamically to this chart
 extraObjects: []