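---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: postgres
  namespace: honeydue
  labels:
    app.kubernetes.io/name: postgres
    app.kubernetes.io/part-of: honeydue
spec:
  replicas: 1
  strategy:
    type: Recreate  # ReadWriteOnce PVC — can't attach to two pods
  selector:
    matchLabels:
      app.kubernetes.io/name: postgres
  template:
    metadata:
      labels:
        app.kubernetes.io/name: postgres
        app.kubernetes.io/part-of: honeydue
    spec:
      serviceAccountName: postgres
      # The official postgres image supports starting as an arbitrary non-root
      # user as long as PGDATA and the socket directory are writable; when the
      # container is not uid 0, docker-entrypoint.sh skips its chown + su-exec
      # hand-off to the postgres user entirely. Starting as root with
      # `drop: ["ALL"]` would break that hand-off, because chown and
      # setuid/setgid require CAP_CHOWN / CAP_SETUID / CAP_SETGID even for uid 0.
      #
      # 70 is the uid/gid of the `postgres` user in the -alpine image tags
      # (the Debian-based tags use 999) — keep these numbers in sync with the
      # image tag below. Writable mounts rely on the volume plugin honouring
      # fsGroup (CSI fsGroupPolicy); a driver that ignores it leaves the PV
      # root-owned and postgres will fail to create PGDATA.
      #
      # This only applies to the in-cluster dev database; prod uses managed
      # Neon PostgreSQL (no container to secure).
      securityContext:
        runAsNonRoot: true
        runAsUser: 70
        runAsGroup: 70
        fsGroup: 70
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: postgres
          image: postgres:17-alpine
          ports:
            - containerPort: 5432
              protocol: TCP
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          env:
            - name: POSTGRES_DB
              valueFrom:
                configMapKeyRef:
                  name: honeydue-config
                  key: POSTGRES_DB
            - name: POSTGRES_USER
              valueFrom:
                configMapKeyRef:
                  name: honeydue-config
                  key: POSTGRES_USER
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: honeydue-secrets
                  key: POSTGRES_PASSWORD
            - name: PGDATA
              # Subdirectory of the mount point, presumably so that anything
              # the provisioner leaves at the volume root (e.g. lost+found)
              # does not trip initdb's "directory not empty" check — verify
              # against the storage class in use.
              value: /var/lib/postgresql/data/pgdata
          volumeMounts:
            - name: postgres-data
              mountPath: /var/lib/postgresql/data
            - name: run
              mountPath: /var/run/postgresql  # unix socket dir used by pg_isready below
            - name: tmp
              mountPath: /tmp
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
            limits:
              cpu: "1"
              memory: 1Gi
          # Probes use the configured role/database instead of a hard-coded
          # name so they stay consistent with honeydue-config; a mismatched -U
          # would not fail pg_isready but would log a spurious FATAL on every
          # probe. No -h: pg_isready goes through the unix socket in /var/run/postgresql.
          readinessProbe:
            exec:
              command:
                - sh
                - -c
                - pg_isready -U "$POSTGRES_USER" -d "$POSTGRES_DB"
            initialDelaySeconds: 5
            periodSeconds: 10
            timeoutSeconds: 5
          livenessProbe:
            exec:
              command:
                - sh
                - -c
                - pg_isready -U "$POSTGRES_USER" -d "$POSTGRES_DB"
            initialDelaySeconds: 30
            periodSeconds: 30
            timeoutSeconds: 5
      volumes:
        - name: postgres-data
          persistentVolumeClaim:
            claimName: postgres-data
        - name: run
          emptyDir: {}
        - name: tmp
          emptyDir:
            sizeLimit: 64Mi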