titan-iac/infrastructure/postgres/statefulset.yaml

# infrastructure/postgres/statefulset.yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: postgres
  namespace: postgres
  labels:
    app: postgres
spec:
  serviceName: postgres-service
  replicas: 1
  selector:
    matchLabels:
      app: postgres
  persistentVolumeClaimRetentionPolicy:
    whenDeleted: Retain
    whenScaled: Retain
  updateStrategy:
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: postgres
    spec:
      serviceAccountName: postgres-vault
      nodeSelector:
        node-role.kubernetes.io/worker: "true"
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: node-role.kubernetes.io/worker
                    operator: In
                    values: ["true"]
                  - key: hardware
                    operator: In
                    values: ["rpi4", "rpi5"]
      containers:
        - name: postgres
          image: postgres:15
          ports:
            - name: postgres
              containerPort: 5432
              protocol: TCP
          env:
            - name: PGDATA
              value: /var/lib/postgresql/data/pgdata
            - name: POSTGRES_USER
              value: postgres
            - name: POSTGRES_PASSWORD_FILE
              value: /mnt/vault/postgres_password
            - name: POSTGRES_DB
              value: postgres
          volumeMounts:
            - name: postgres-data
              mountPath: /var/lib/postgresql/data
            - name: vault-secrets
              mountPath: /mnt/vault
              readOnly: true
        - name: postgres-exporter
          image: quay.io/prometheuscommunity/postgres-exporter:v0.15.0
          ports:
            - name: metrics
              containerPort: 9187
              protocol: TCP
          env:
            - name: DATA_SOURCE_URI
              value: "localhost:5432/postgres?sslmode=disable"
            - name: DATA_SOURCE_USER
              value: postgres
            - name: DATA_SOURCE_PASS_FILE
              value: /mnt/vault/postgres_password
          volumeMounts:
            - name: vault-secrets
              mountPath: /mnt/vault
              readOnly: true
      volumes:
        - name: vault-secrets
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: postgres-vault
  volumeClaimTemplates:
    - metadata:
        name: postgres-data
      spec:
        accessModes: ["ReadWriteOnce"]
        storageClassName: astreae
        resources:
          requests:
            storage: 100Gi
platform: move postgres to infrastructure 2026-01-13 17:53:04 -03:00			`# infrastructure/postgres/statefulset.yaml`
services: scaffold postgres and vaultwarden manifests 2026-01-02 01:12:35 -03:00			`apiVersion: apps/v1`
			`kind: StatefulSet`
			`metadata:`
			`name: postgres`
			`namespace: postgres`
			`labels:`
			`app: postgres`
			`spec:`
			`serviceName: postgres-service`
			`replicas: 1`
			`selector:`
			`matchLabels:`
			`app: postgres`
			`persistentVolumeClaimRetentionPolicy:`
			`whenDeleted: Retain`
			`whenScaled: Retain`
			`updateStrategy:`
			`type: RollingUpdate`
			`template:`
			`metadata:`
			`labels:`
			`app: postgres`
			`spec:`
postgres: add flux + vault csi 2026-01-13 12:35:59 -03:00			`serviceAccountName: postgres-vault`
services: scaffold postgres and vaultwarden manifests 2026-01-02 01:12:35 -03:00			`nodeSelector:`
			`node-role.kubernetes.io/worker: "true"`
			`affinity:`
			`nodeAffinity:`
			`requiredDuringSchedulingIgnoredDuringExecution:`
			`nodeSelectorTerms:`
			`- matchExpressions:`
			`- key: node-role.kubernetes.io/worker`
			`operator: In`
			`values: ["true"]`
			`- key: hardware`
			`operator: In`
			`values: ["rpi4", "rpi5"]`
			`containers:`
			`- name: postgres`
			`image: postgres:15`
			`ports:`
			`- name: postgres`
			`containerPort: 5432`
			`protocol: TCP`
			`env:`
			`- name: PGDATA`
			`value: /var/lib/postgresql/data/pgdata`
			`- name: POSTGRES_USER`
			`value: postgres`
postgres: add flux + vault csi 2026-01-13 12:35:59 -03:00			`- name: POSTGRES_PASSWORD_FILE`
			`value: /mnt/vault/postgres_password`
services: scaffold postgres and vaultwarden manifests 2026-01-02 01:12:35 -03:00			`- name: POSTGRES_DB`
			`value: postgres`
			`volumeMounts:`
			`- name: postgres-data`
			`mountPath: /var/lib/postgresql/data`
postgres: add flux + vault csi 2026-01-13 12:35:59 -03:00			`- name: vault-secrets`
			`mountPath: /mnt/vault`
			`readOnly: true`
monitoring: add postgres metrics and update overview 2026-01-22 18:23:17 -03:00			`- name: postgres-exporter`
			`image: quay.io/prometheuscommunity/postgres-exporter:v0.15.0`
			`ports:`
			`- name: metrics`
			`containerPort: 9187`
			`protocol: TCP`
			`env:`
			`- name: DATA_SOURCE_URI`
			`value: "localhost:5432/postgres?sslmode=disable"`
			`- name: DATA_SOURCE_USER`
			`value: postgres`
			`- name: DATA_SOURCE_PASS_FILE`
			`value: /mnt/vault/postgres_password`
			`volumeMounts:`
			`- name: vault-secrets`
			`mountPath: /mnt/vault`
			`readOnly: true`
postgres: add flux + vault csi 2026-01-13 12:35:59 -03:00			`volumes:`
			`- name: vault-secrets`
			`csi:`
			`driver: secrets-store.csi.k8s.io`
			`readOnly: true`
			`volumeAttributes:`
			`secretProviderClass: postgres-vault`
services: scaffold postgres and vaultwarden manifests 2026-01-02 01:12:35 -03:00			`volumeClaimTemplates:`
			`- metadata:`
			`name: postgres-data`
			`spec:`
			`accessModes: ["ReadWriteOnce"]`
			`storageClassName: astreae`
			`resources:`
			`requests:`
			`storage: 100Gi`