secretumvault/deploy/k8s/06-surrealdb.yaml

---
# SurrealDB StatefulSet for SecretumVault storage
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: vault-surrealdb
  namespace: secretumvault
  labels:
    app: vault-surrealdb
spec:
  serviceName: vault-surrealdb
  replicas: 1
  selector:
    matchLabels:
      app: vault-surrealdb
  template:
    metadata:
      labels:
        app: vault-surrealdb
      annotations:
        prometheus.io/scrape: "false"
    spec:
      containers:
      - name: surrealdb
        image: surrealdb/surrealdb:latest
        imagePullPolicy: IfNotPresent

        ports:
        - name: ws
          containerPort: 8000
          protocol: TCP

        # SurrealDB command with authentication enabled
        args:
        - "start"
        - "--bind"
        - "0.0.0.0:8000"
        - "--user"
        - "vault"
        - "--pass"
        - "$(SURREAL_PASSWORD)"
        - "--log"
        - "info"

        env:
        - name: SURREAL_PASSWORD
          valueFrom:
            secretKeyRef:
              name: vault-surrealdb-secret
              key: password
        - name: RUST_LOG
          value: "info"

        volumeMounts:
        - name: data
          mountPath: /var/lib/surrealdb

        livenessProbe:
          tcpSocket:
            port: ws
          initialDelaySeconds: 30
          periodSeconds: 10
          timeoutSeconds: 5
          failureThreshold: 3

        readinessProbe:
          tcpSocket:
            port: ws
          initialDelaySeconds: 10
          periodSeconds: 5
          timeoutSeconds: 3
          failureThreshold: 3

        resources:
          requests:
            memory: "256Mi"
            cpu: "100m"
          limits:
            memory: "512Mi"
            cpu: "250m"

        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL

      terminationGracePeriodSeconds: 30

  volumeClaimTemplates:
  - metadata:
      name: data
    spec:
      accessModes: [ "ReadWriteOnce" ]
      resources:
        requests:
          storage: 5Gi

---
# SurrealDB Service (headless for direct pod access)
apiVersion: v1
kind: Service
metadata:
  name: vault-surrealdb
  namespace: secretumvault
  labels:
    app: vault-surrealdb
spec:
  clusterIP: None
  selector:
    app: vault-surrealdb
  ports:
  - name: ws
    port: 8000
    targetPort: ws

---
# SurrealDB Client Service (for connecting vault)
apiVersion: v1
kind: Service
metadata:
  name: vault-surrealdb-client
  namespace: secretumvault
  labels:
    app: vault-surrealdb
spec:
  type: ClusterIP
  selector:
    app: vault-surrealdb
  ports:
  - name: ws
    port: 8000
    targetPort: ws
    protocol: TCP

---
# Secret for SurrealDB authentication
apiVersion: v1
kind: Secret
metadata:
  name: vault-surrealdb-secret
  namespace: secretumvault
type: Opaque
stringData:
  password: "change-me-in-production"
chore: source code, docs and tools 2025-12-22 21:34:01 +00:00			`---`
			`# SurrealDB StatefulSet for SecretumVault storage`
			`apiVersion: apps/v1`
			`kind: StatefulSet`
			`metadata:`
			`name: vault-surrealdb`
			`namespace: secretumvault`
			`labels:`
			`app: vault-surrealdb`
			`spec:`
			`serviceName: vault-surrealdb`
			`replicas: 1`
			`selector:`
			`matchLabels:`
			`app: vault-surrealdb`
			`template:`
			`metadata:`
			`labels:`
			`app: vault-surrealdb`
			`annotations:`
			`prometheus.io/scrape: "false"`
			`spec:`
			`containers:`
			`- name: surrealdb`
			`image: surrealdb/surrealdb:latest`
			`imagePullPolicy: IfNotPresent`

			`ports:`
			`- name: ws`
			`containerPort: 8000`
			`protocol: TCP`

			`# SurrealDB command with authentication enabled`
			`args:`
			`- "start"`
			`- "--bind"`
			`- "0.0.0.0:8000"`
			`- "--user"`
			`- "vault"`
			`- "--pass"`
			`- "$(SURREAL_PASSWORD)"`
			`- "--log"`
			`- "info"`

			`env:`
			`- name: SURREAL_PASSWORD`
			`valueFrom:`
			`secretKeyRef:`
			`name: vault-surrealdb-secret`
			`key: password`
			`- name: RUST_LOG`
			`value: "info"`

			`volumeMounts:`
			`- name: data`
			`mountPath: /var/lib/surrealdb`

			`livenessProbe:`
			`tcpSocket:`
			`port: ws`
			`initialDelaySeconds: 30`
			`periodSeconds: 10`
			`timeoutSeconds: 5`
			`failureThreshold: 3`

			`readinessProbe:`
			`tcpSocket:`
			`port: ws`
			`initialDelaySeconds: 10`
			`periodSeconds: 5`
			`timeoutSeconds: 3`
			`failureThreshold: 3`

			`resources:`
			`requests:`
			`memory: "256Mi"`
			`cpu: "100m"`
			`limits:`
			`memory: "512Mi"`
			`cpu: "250m"`

			`securityContext:`
			`allowPrivilegeEscalation: false`
			`capabilities:`
			`drop:`
			`- ALL`

			`terminationGracePeriodSeconds: 30`

			`volumeClaimTemplates:`
			`- metadata:`
			`name: data`
			`spec:`
			`accessModes: [ "ReadWriteOnce" ]`
			`resources:`
			`requests:`
			`storage: 5Gi`

			`---`
			`# SurrealDB Service (headless for direct pod access)`
			`apiVersion: v1`
			`kind: Service`
			`metadata:`
			`name: vault-surrealdb`
			`namespace: secretumvault`
			`labels:`
			`app: vault-surrealdb`
			`spec:`
			`clusterIP: None`
			`selector:`
			`app: vault-surrealdb`
			`ports:`
			`- name: ws`
			`port: 8000`
			`targetPort: ws`

			`---`
			`# SurrealDB Client Service (for connecting vault)`
			`apiVersion: v1`
			`kind: Service`
			`metadata:`
			`name: vault-surrealdb-client`
			`namespace: secretumvault`
			`labels:`
			`app: vault-surrealdb`
			`spec:`
			`type: ClusterIP`
			`selector:`
			`app: vault-surrealdb`
			`ports:`
			`- name: ws`
			`port: 8000`
			`targetPort: ws`
			`protocol: TCP`

			`---`
			`# Secret for SurrealDB authentication`
			`apiVersion: v1`
			`kind: Secret`
			`metadata:`
			`name: vault-surrealdb-secret`
			`namespace: secretumvault`
			`type: Opaque`
			`stringData:`
			`password: "change-me-in-production"`