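# infrastructure/postgres/statefulset.yaml
#
# Single-replica PostgreSQL 15 StatefulSet pinned to Raspberry Pi worker nodes
# (hardware=rpi4/rpi5). The superuser password is never stored in this
# manifest: it is projected from Vault by the Secrets Store CSI driver
# (SecretProviderClass "postgres-vault") and handed to the image through
# POSTGRES_PASSWORD_FILE.
#
# Review notes — things this manifest does NOT enforce:
#   - `postgres:15` is a floating tag; pin by digest (`postgres:15@sha256:...`)
#     so the image running in the cluster cannot change without a commit.
#   - No `resources` requests/limits are set, so the pod runs at BestEffort
#     QoS and is the first candidate for eviction under memory pressure on a
#     Pi; size them for the target node before depending on this.
#   - `persistentVolumeClaimRetentionPolicy` relies on the
#     StatefulSetAutoDeletePVC feature and is not recognised by older
#     clusters — verify the target Kubernetes version accepts it.
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: postgres
  namespace: postgres
  labels:
    app: postgres
spec:
  serviceName: postgres-service
  replicas: 1
  selector:
    matchLabels:
      app: postgres
  # Keep the data PVC when the StatefulSet is deleted or scaled to zero:
  # an accidental `kubectl delete` must not take the database with it.
  persistentVolumeClaimRetentionPolicy:
    whenDeleted: Retain
    whenScaled: Retain
  updateStrategy:
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: postgres
    spec:
      # Service account the Vault CSI provider uses to authenticate this pod
      # to Vault; its Vault role should be scoped to the postgres secret only.
      serviceAccountName: postgres-vault
      nodeSelector:
        node-role.kubernetes.io/worker: "true"
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: node-role.kubernetes.io/worker
                    operator: In
                    values: ["true"]
                  - key: hardware
                    operator: In
                    values: ["rpi4", "rpi5"]
      # Start the server as the image's unprivileged postgres user instead of
      # letting the entrypoint run as root and drop privileges itself.
      # uid/gid 999 is what the official Debian-based postgres image uses —
      # confirm against the pinned image before rollout. fsGroup makes the
      # PVC root group-accessible; initdb then creates PGDATA (a subdirectory,
      # see the env comment below) with the 0700 mode PostgreSQL insists on.
      securityContext:
        runAsNonRoot: true
        runAsUser: 999
        runAsGroup: 999
        fsGroup: 999
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: postgres
          image: postgres:15
          ports:
            - name: postgres
              containerPort: 5432
              protocol: TCP
          # With the pod already running as uid 999 the entrypoint never needs
          # chown/setuid, so every capability can be dropped.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          env:
            # PGDATA is a subdirectory of the mount so initdb owns a fresh,
            # correctly-permissioned directory; the volume root itself is not
            # guaranteed to be empty or mode 0700.
            - name: PGDATA
              value: /var/lib/postgresql/data/pgdata
            - name: POSTGRES_USER
              value: postgres
            # Read from the read-only Vault mount. The image only consumes this
            # on first initialisation — rotating the secret in Vault does not
            # change the password of an already-initialised cluster.
            - name: POSTGRES_PASSWORD_FILE
              value: /mnt/vault/postgres_password
            - name: POSTGRES_DB
              value: postgres
          volumeMounts:
            - name: postgres-data
              mountPath: /var/lib/postgresql/data
            - name: vault-secrets
              mountPath: /mnt/vault
              readOnly: true
      volumes:
        # The CSI driver projects the Vault secret as a file in the pod; it is
        # not written to etcd as a Kubernetes Secret unless the
        # SecretProviderClass (not shown here) opts into syncing it.
        - name: vault-secrets
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: postgres-vault
  volumeClaimTemplates:
    - metadata:
        name: postgres-data
      spec:
        accessModes: ["ReadWriteOnce"]
        storageClassName: astreae
        resources:
          requests:
            storage: 100Gi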