
# infrastructure/postgres/statefulset.yaml
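apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: postgres
  namespace: postgres
  labels:
    app: postgres
spec:
  # Headless Service that must exist for the pod's stable DNS name.
  serviceName: postgres-service
  # Single primary; no replication is configured in this manifest, so a
  # second replica would be an independent, empty database.
  replicas: 1
  selector:
    matchLabels:
      app: postgres
  # Keep the data PVC when the StatefulSet is deleted or scaled down.
  # This field is GA only in Kubernetes >= 1.27; older API servers drop it
  # silently, so confirm the cluster version before relying on it.
  persistentVolumeClaimRetentionPolicy:
    whenDeleted: Retain
    whenScaled: Retain
  updateStrategy:
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: postgres
    spec:
      # Presumably the identity the Secrets Store CSI provider uses to fetch
      # the password from Vault — verify against the SecretProviderClass.
      serviceAccountName: postgres-vault
      # NOTE(review): neither container appears to call the Kubernetes API.
      # Once confirmed that the CSI provider gets its Vault token through the
      # driver's TokenRequest (not the projected token in the pod), set
      # automountServiceAccountToken: false to shrink the blast radius.
      # Do not run as root: the official image only needs root to chown
      # PGDATA, which fsGroup handles instead. 999 is the `postgres` uid/gid
      # in the official image — confirm for the tag in use, and check that
      # the storage class for the data volume honours fsGroup.
      securityContext:
        runAsNonRoot: true
        runAsUser: 999
        runAsGroup: 999
        fsGroup: 999
        seccompProfile:
          type: RuntimeDefault
      nodeSelector:
        node-role.kubernetes.io/worker: "true"
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: node-role.kubernetes.io/worker
                    operator: In
                    values: ["true"]
                  - key: hardware
                    operator: In
                    values: ["rpi4", "rpi5"]
      containers:
        - name: postgres
          # Floating major tag: every pod restart may pull a different build.
          # Prefer a full version tag or an @sha256 digest for reproducibility.
          image: postgres:15
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
            # readOnlyRootFilesystem is not set here: the server writes its
            # socket under /var/run/postgresql and needs a writable /tmp;
            # add emptyDir mounts for those before enabling it.
          ports:
            - name: postgres
              containerPort: 5432
              protocol: TCP
          env:
            - name: PGDATA
              value: /var/lib/postgresql/data/pgdata
            - name: POSTGRES_USER
              value: postgres
            # Read by the image's entrypoint only when PGDATA is first
            # initialised. Rotating the secret in Vault afterwards does NOT
            # change the role's password in an existing cluster — rotate
            # with ALTER ROLE as well.
            - name: POSTGRES_PASSWORD_FILE
              value: /mnt/vault/postgres_password
            - name: POSTGRES_DB
              value: postgres
          # pg_isready over TCP (not the unix socket) so the temporary
          # socket-only server used during initdb is not reported as ready.
          readinessProbe:
            exec:
              command: ["pg_isready", "-U", "postgres", "-h", "localhost"]
            initialDelaySeconds: 10
            periodSeconds: 10
          livenessProbe:
            exec:
              command: ["pg_isready", "-U", "postgres", "-h", "localhost"]
            initialDelaySeconds: 30
            periodSeconds: 20
            failureThreshold: 3
          # TODO(review): add resources.requests/limits. Without them the pod
          # is BestEffort QoS and is evicted first under node memory pressure,
          # which matters on Raspberry Pi class nodes.
          volumeMounts:
            - name: postgres-data
              mountPath: /var/lib/postgresql/data
            - name: vault-secrets
              mountPath: /mnt/vault
              readOnly: true
        - name: postgres-exporter
          image: quay.io/prometheuscommunity/postgres-exporter:v0.15.0
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          ports:
            # /metrics is unauthenticated. Restrict 9187 to the scraping
            # namespace with a NetworkPolicy; do not expose it via a Service
            # reachable from outside the cluster.
            - name: metrics
              containerPort: 9187
              protocol: TCP
          env:
            # Loopback inside the pod's network namespace, so sslmode=disable
            # does not put the password on the wire.
            - name: DATA_SOURCE_URI
              value: "localhost:5432/postgres?sslmode=disable"
            # TODO(review): the exporter connects as the superuser. Create a
            # dedicated role granted pg_monitor and point DATA_SOURCE_USER /
            # DATA_SOURCE_PASS_FILE at it, so a compromised exporter cannot
            # read or alter application data.
            - name: DATA_SOURCE_USER
              value: postgres
            - name: DATA_SOURCE_PASS_FILE
              value: /mnt/vault/postgres_password
          volumeMounts:
            - name: vault-secrets
              mountPath: /mnt/vault
              readOnly: true
      volumes:
        # Secret is delivered by the Secrets Store CSI driver; the file
        # exists only while the pod runs and is not written to etcd unless
        # the SecretProviderClass also syncs it to a Kubernetes Secret.
        - name: vault-secrets
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: postgres-vault
  volumeClaimTemplates:
    - metadata:
        name: postgres-data
      spec:
        accessModes: ["ReadWriteOnce"]
        storageClassName: astreae
        resources:
          requests:
            storage: 100Gi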