mirror of https://github.com/lukevella/rallly-selfhosted.git synced 2025-12-10 10:52:50 +01:00


# kubernetes/postgres.yaml
apiVersion: v1
kind: Service
metadata:
  name: postgres
  namespace: default
spec:
  # Cluster-internal virtual IP only; this is the default Service type,
  # written out so the exposure is explicit. Nothing here publishes the
  # database outside the cluster, but every pod inside it can still reach
  # this port unless a NetworkPolicy limits ingress to the application pods.
  type: ClusterIP
  # Routes to the pods labelled by the StatefulSet template.
  selector:
    app: postgres
  ports:
    # targetPort and protocol are the defaulted values, spelled out.
    - port: 5432
      targetPort: 5432
      protocol: TCP
---
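apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: postgres
  namespace: default
spec:
  selector:
    matchLabels:
      app: postgres
  serviceName: "postgres"
  replicas: 1
  template:
    metadata:
      labels:
        app: postgres
    spec:
      # The database never talks to the Kubernetes API, so no service-account
      # token is mounted into the pod.
      automountServiceAccountToken: false
      securityContext:
        # Run as an unprivileged user; fsGroup makes the data volume
        # group-accessible to that user.
        # NOTE(review): 999 is the postgres UID of the Debian-based official
        # image. The Alpine variant used below creates its postgres user as
        # UID/GID 70 - confirm. Kept at 999 so that volumes already
        # initialised by this manifest remain owned by the running user.
        fsGroup: 999
        runAsNonRoot: true
        runAsUser: 999
        # Apply the container runtime's default syscall filter. Together with
        # the container-level settings below this satisfies the "restricted"
        # Pod Security Standard.
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: postgres
          # Floating tag: the image content can change between pulls. Pin a
          # digest (postgres:15-alpine@sha256:<DIGEST_PLACEHOLDER>) if
          # reproducible, reviewable upgrades are required.
          image: postgres:15-alpine
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          env:
            # Credentials come from the rallly-secrets Secret, which must
            # exist in this namespace before the pod starts.
            - name: POSTGRES_USER
              valueFrom:
                secretKeyRef:
                  name: rallly-secrets
                  key: POSTGRES_USER
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: rallly-secrets
                  key: POSTGRES_PASSWORD
            - name: POSTGRES_DB
              value: rallly
          ports:
            - containerPort: 5432
              name: postgres
          # Health probes.
          # The probes read the role and database from the container's own
          # environment instead of hard-coding "rallly". pg_isready reports
          # the server as up even for an unknown role, but each such attempt
          # is logged by the server as a failed connection; with a different
          # POSTGRES_USER in the Secret that would add a log entry every few
          # seconds and bury genuine authentication failures.
          livenessProbe:
            exec:
              command:
                - /bin/sh
                - "-c"
                - 'pg_isready -U "$POSTGRES_USER" -d "$POSTGRES_DB"'
            initialDelaySeconds: 30
            periodSeconds: 10
          readinessProbe:
            exec:
              command:
                - /bin/sh
                - "-c"
                - 'pg_isready -U "$POSTGRES_USER" -d "$POSTGRES_DB"'
            initialDelaySeconds: 10
            periodSeconds: 5
          volumeMounts:
            # NOTE(review): some volume provisioners leave a lost+found
            # directory at the volume root, which makes initdb reject the
            # directory as non-empty. The usual remedy is to point PGDATA at
            # a subdirectory of this mount. Not changed here, because moving
            # PGDATA on an already-initialised volume starts an empty cluster.
            - name: postgres-data
              mountPath: /var/lib/postgresql/data
          resources:
            limits:
              cpu: "2"
              memory: 2Gi
            requests:
              cpu: 500m
              memory: 1Gi
  volumeClaimTemplates:
    - metadata:
        name: postgres-data
      spec:
        accessModes:
          - ReadWriteOnce
        resources:
          requests:
            # Note: Adjust storage size based on your data retention needs.
            storage: 1Gi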