secretumvault/deploy/k8s/07-postgresql.yaml

---
# PostgreSQL Deployment for SecretumVault dynamic secrets storage
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: vault-postgresql-pvc
  namespace: secretumvault
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: vault-postgresql
  namespace: secretumvault
  labels:
    app: vault-postgresql
spec:
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: vault-postgresql
  template:
    metadata:
      labels:
        app: vault-postgresql
    spec:
      containers:
      - name: postgresql
        image: postgres:15-alpine
        imagePullPolicy: IfNotPresent

        ports:
        - name: postgres
          containerPort: 5432
          protocol: TCP

        env:
        - name: POSTGRES_DB
          value: "secretumvault"
        - name: POSTGRES_USER
          value: "vault"
        - name: POSTGRES_PASSWORD
          valueFrom:
            secretKeyRef:
              name: vault-postgresql-secret
              key: password
        - name: PGDATA
          value: /var/lib/postgresql/data/pgdata

        volumeMounts:
        - name: data
          mountPath: /var/lib/postgresql/data

        livenessProbe:
          exec:
            command:
            - /bin/sh
            - -c
            - pg_isready -U vault -d secretumvault
          initialDelaySeconds: 30
          periodSeconds: 10
          timeoutSeconds: 5
          failureThreshold: 3

        readinessProbe:
          exec:
            command:
            - /bin/sh
            - -c
            - pg_isready -U vault -d secretumvault
          initialDelaySeconds: 10
          periodSeconds: 5
          timeoutSeconds: 3
          failureThreshold: 3

        resources:
          requests:
            memory: "256Mi"
            cpu: "100m"
          limits:
            memory: "512Mi"
            cpu: "250m"

        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL

      volumes:
      - name: data
        persistentVolumeClaim:
          claimName: vault-postgresql-pvc

      terminationGracePeriodSeconds: 30

---
# PostgreSQL Service
apiVersion: v1
kind: Service
metadata:
  name: vault-postgresql
  namespace: secretumvault
  labels:
    app: vault-postgresql
spec:
  type: ClusterIP
  selector:
    app: vault-postgresql
  ports:
  - name: postgres
    port: 5432
    targetPort: postgres
    protocol: TCP

---
# Secret for PostgreSQL authentication
apiVersion: v1
kind: Secret
metadata:
  name: vault-postgresql-secret
  namespace: secretumvault
type: Opaque
stringData:
  password: "change-me-in-production"
chore: source code, docs and tools 2025-12-22 21:34:01 +00:00			`---`
			`# PostgreSQL Deployment for SecretumVault dynamic secrets storage`
			`apiVersion: v1`
			`kind: PersistentVolumeClaim`
			`metadata:`
			`name: vault-postgresql-pvc`
			`namespace: secretumvault`
			`spec:`
			`accessModes:`
			`- ReadWriteOnce`
			`resources:`
			`requests:`
			`storage: 10Gi`

			`---`
			`apiVersion: apps/v1`
			`kind: Deployment`
			`metadata:`
			`name: vault-postgresql`
			`namespace: secretumvault`
			`labels:`
			`app: vault-postgresql`
			`spec:`
			`replicas: 1`
			`strategy:`
			`type: Recreate`
			`selector:`
			`matchLabels:`
			`app: vault-postgresql`
			`template:`
			`metadata:`
			`labels:`
			`app: vault-postgresql`
			`spec:`
			`containers:`
			`- name: postgresql`
			`image: postgres:15-alpine`
			`imagePullPolicy: IfNotPresent`

			`ports:`
			`- name: postgres`
			`containerPort: 5432`
			`protocol: TCP`

			`env:`
			`- name: POSTGRES_DB`
			`value: "secretumvault"`
			`- name: POSTGRES_USER`
			`value: "vault"`
			`- name: POSTGRES_PASSWORD`
			`valueFrom:`
			`secretKeyRef:`
			`name: vault-postgresql-secret`
			`key: password`
			`- name: PGDATA`
			`value: /var/lib/postgresql/data/pgdata`

			`volumeMounts:`
			`- name: data`
			`mountPath: /var/lib/postgresql/data`

			`livenessProbe:`
			`exec:`
			`command:`
			`- /bin/sh`
			`- -c`
			`- pg_isready -U vault -d secretumvault`
			`initialDelaySeconds: 30`
			`periodSeconds: 10`
			`timeoutSeconds: 5`
			`failureThreshold: 3`

			`readinessProbe:`
			`exec:`
			`command:`
			`- /bin/sh`
			`- -c`
			`- pg_isready -U vault -d secretumvault`
			`initialDelaySeconds: 10`
			`periodSeconds: 5`
			`timeoutSeconds: 3`
			`failureThreshold: 3`

			`resources:`
			`requests:`
			`memory: "256Mi"`
			`cpu: "100m"`
			`limits:`
			`memory: "512Mi"`
			`cpu: "250m"`

			`securityContext:`
			`allowPrivilegeEscalation: false`
			`capabilities:`
			`drop:`
			`- ALL`

			`volumes:`
			`- name: data`
			`persistentVolumeClaim:`
			`claimName: vault-postgresql-pvc`

			`terminationGracePeriodSeconds: 30`

			`---`
			`# PostgreSQL Service`
			`apiVersion: v1`
			`kind: Service`
			`metadata:`
			`name: vault-postgresql`
			`namespace: secretumvault`
			`labels:`
			`app: vault-postgresql`
			`spec:`
			`type: ClusterIP`
			`selector:`
			`app: vault-postgresql`
			`ports:`
			`- name: postgres`
			`port: 5432`
			`targetPort: postgres`
			`protocol: TCP`

			`---`
			`# Secret for PostgreSQL authentication`
			`apiVersion: v1`
			`kind: Secret`
			`metadata:`
			`name: vault-postgresql-secret`
			`namespace: secretumvault`
			`type: Opaque`
			`stringData:`
			`password: "change-me-in-production"`