
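# services/veles/postgres-statefulset.yaml
#
# PostgreSQL for the veles namespace, run as a StatefulSet with one retained
# PVC per replica. The database password is not stored in this manifest: the
# Vault Agent injector renders it to a file that the postgres image reads
# through POSTGRES_PASSWORD_FILE.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: veles-postgres
  namespace: veles
  labels:
    app: veles-postgres
spec:
  serviceName: veles-postgres
  # Scaled to zero: no database pod runs until this is raised.
  replicas: 0
  selector:
    matchLabels:
      app: veles-postgres
  # Keep the data volume when the StatefulSet is deleted or scaled down, so
  # neither operation destroys the database files.
  persistentVolumeClaimRetentionPolicy:
    whenDeleted: Retain
    whenScaled: Retain
  updateStrategy:
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: veles-postgres
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        # Init container only, no long-running agent sidecar: the secret is
        # rendered once at pod start and is not refreshed afterwards.
        vault.hashicorp.com/agent-pre-populate-only: "true"
        vault.hashicorp.com/role: "veles"
        # The "postgres-password" suffix is the rendered file name; it must
        # match the POSTGRES_PASSWORD_FILE path set on the container below.
        vault.hashicorp.com/agent-inject-secret-postgres-password: "kv/data/atlas/veles/veles-db"
        # Emit only the password value; the trim markers strip surrounding
        # whitespace so the file holds nothing else.
        vault.hashicorp.com/agent-inject-template-postgres-password: |
          {{- with secret "kv/data/atlas/veles/veles-db" -}}
          {{ .Data.data.POSTGRES_PASSWORD }}
          {{- end -}}
    spec:
      # This service account is the identity the pod presents to Vault.
      # NOTE(review): the Vault role "veles" should be bound to this account
      # and namespace only - confirm on the Vault side.
      serviceAccountName: veles-postgres
      priorityClassName: veles-core
      nodeSelector:
        veles.bstein.dev/node-pool: oceanus
      tolerations:
        - key: veles.bstein.dev/simulation
          operator: Equal
          value: "true"
          effect: NoSchedule
      securityContext:
        # Group ownership applied to the mounted data volume.
        fsGroup: 999
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: postgres
          # NOTE(review): "postgres:15" is a mutable tag, so the image behind
          # it can change between pulls. Pin the reviewed build by digest,
          # e.g. postgres:15@sha256:<digest-of-reviewed-image>.
          image: postgres:15
          ports:
            - name: postgres
              containerPort: 5432
              protocol: TCP
          env:
            # A subdirectory of the mount, so initdb gets a directory of its
            # own instead of the volume root.
            - name: PGDATA
              value: /var/lib/postgresql/data/pgdata
            - name: POSTGRES_USER
              value: veles
            # File rendered by the Vault Agent init container. The image reads
            # it only when it initialises an empty data directory, so rotating
            # the value in Vault does not change the role password of an
            # existing database.
            - name: POSTGRES_PASSWORD_FILE
              value: /vault/secrets/postgres-password
            - name: POSTGRES_DB
              value: veles
          resources:
            requests:
              cpu: "2"
              memory: 8Gi
            limits:
              cpu: "4"
              memory: 16Gi
          securityContext:
            # The image's default user is root, and its entrypoint changes
            # ownership of the data directory and then switches to the
            # postgres account. Both steps need capabilities that are dropped
            # below, so start as the postgres account directly. 999 is the
            # UID/GID of that account in the Debian-based image and matches
            # fsGroup above - re-check if the image variant changes.
            # Set per container so containers added by the Vault injector
            # keep their own user.
            runAsNonRoot: true
            runAsUser: 999
            runAsGroup: 999
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
            # NOTE(review): readOnlyRootFilesystem is not set; enabling it
            # needs writable mounts for the socket and temp directories.
          volumeMounts:
            - name: postgres-data
              mountPath: /var/lib/postgresql/data
  volumeClaimTemplates:
    - metadata:
        name: postgres-data
        labels:
          app: veles-postgres
          veles.bstein.dev/backup: longhorn
      spec:
        accessModes: ["ReadWriteOnce"]
        storageClassName: veles-oceanus-db
        resources:
          requests:
            storage: 100Gi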