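# services/veles/postgres-statefulset.yaml
#
# Single-replica PostgreSQL 15 for the veles service. The database password is
# rendered from Vault by the agent injector and passed to the image through
# POSTGRES_PASSWORD_FILE, so the secret value is not written in this manifest.
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: veles-postgres
  namespace: veles
  labels:
    app: veles-postgres
spec:
  serviceName: veles-postgres
  replicas: 1
  selector:
    matchLabels:
      app: veles-postgres
  # The data PVC outlives the StatefulSet: deleting or scaling down leaves the
  # volume (and the database contents) in place until it is removed by hand.
  persistentVolumeClaimRetentionPolicy:
    whenDeleted: Retain
    whenScaled: Retain
  updateStrategy:
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: veles-postgres
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        # Init container only, no sidecar: the secret is rendered once at pod
        # start and is not refreshed until the pod is recreated.
        vault.hashicorp.com/agent-pre-populate-only: "true"
        # NOTE(review): the Vault role must be bound to the veles-postgres
        # service account in the veles namespace - confirm on the Vault side.
        vault.hashicorp.com/role: "veles"
        vault.hashicorp.com/agent-inject-secret-postgres-password: "kv/data/atlas/veles/veles-db"
        # The trim markers ({{- / -}}) keep the rendered file free of
        # surrounding whitespace, so it holds the password and nothing else.
        vault.hashicorp.com/agent-inject-template-postgres-password: |
          {{- with secret "kv/data/atlas/veles/veles-db" -}}
          {{ .Data.data.POSTGRES_PASSWORD }}
          {{- end -}}
    spec:
      serviceAccountName: veles-postgres
      priorityClassName: veles-core
      nodeSelector:
        veles.bstein.dev/node-pool: oceanus
      tolerations:
        - key: veles.bstein.dev/simulation
          operator: Equal
          value: "true"
          effect: NoSchedule
      securityContext:
        # Volumes are made group-accessible to gid 999, the postgres group in
        # the Debian-based official image.
        fsGroup: 999
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: postgres
          # NOTE(review): "postgres:15" is a mutable tag; pin the image by
          # digest (postgres:15@sha256:<digest>) so a re-pushed tag cannot
          # change what runs here.
          image: postgres:15
          ports:
            - name: postgres
              containerPort: 5432
              protocol: TCP
          env:
            # A subdirectory of the mount, so initdb does not trip over
            # filesystem entries (e.g. lost+found) at the volume root.
            - name: PGDATA
              value: /var/lib/postgresql/data/pgdata
            # NOTE(review): the official image creates POSTGRES_USER as a
            # superuser; if the application connects with this account,
            # consider a separate least-privilege role for it.
            - name: POSTGRES_USER
              value: veles
            # Read by the image entrypoint. It is only applied when the data
            # directory is initialised for the first time; changing the Vault
            # secret later does not change the password inside the database.
            - name: POSTGRES_PASSWORD_FILE
              value: /vault/secrets/postgres-password
            - name: POSTGRES_DB
              value: veles
          resources:
            requests:
              cpu: "2"
              memory: 8Gi
            limits:
              cpu: "4"
              memory: 16Gi
          securityContext:
            # The official image starts as root and steps down to the postgres
            # user, which needs CHOWN/SETUID/SETGID. With every capability
            # dropped that step cannot succeed, so the container runs directly
            # as the postgres uid/gid instead (999 in the Debian-based image,
            # matching fsGroup; re-check if the image variant changes).
            # Set on the container, not the pod, so the injected Vault agent
            # container keeps its own user.
            runAsNonRoot: true
            runAsUser: 999
            runAsGroup: 999
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - "ALL"
          volumeMounts:
            - name: postgres-data
              mountPath: /var/lib/postgresql/data
  volumeClaimTemplates:
    - metadata:
        name: postgres-data
        labels:
          app: veles-postgres
          # presumably used to select this volume for Longhorn backups -
          # verify against the backup configuration
          veles.bstein.dev/backup: longhorn
      spec:
        accessModes:
          - ReadWriteOnce
        storageClassName: veles-oceanus-db
        resources:
          requests:
            storage: 100Gi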