diff --git a/docs/REFERENCE.md b/docs/REFERENCE.md
index b0821b7..c6bd7a0 100644
--- a/docs/REFERENCE.md
+++ b/docs/REFERENCE.md
@@ -1087,6 +1087,7 @@ ingress: database: type: postgresql + host: vaultwarden-postgresql # StatefulSet in overlay existingSecret: prod-db-creds storage:
@@ -1099,8 +1100,10 @@ storage: **Endpoints**: - Web UI: `https://bitwarden.forteapps.net` +**Database**: Standalone PostgreSQL 16 StatefulSet (`vaultwarden-postgresql`) deployed in overlay with 2Gi PVC. Chart does NOT include a PostgreSQL subchart — must be provisioned separately. + **Secrets**: -- `prod-db-creds` — PostgreSQL credentials + SMTP credentials +- `prod-db-creds` (SealedSecret) — PostgreSQL credentials (`pgusername`, `pgpassword`) + SMTP credentials - `vaultwarden-tls` — auto-managed by cert-manager ### AI Code Review (ai-review)
diff --git a/infra/overlays/upc-dev/vaultwarden/kustomization.yaml b/infra/overlays/upc-dev/vaultwarden/kustomization.yaml
index 01a969c..8d6e150 100644
--- a/infra/overlays/upc-dev/vaultwarden/kustomization.yaml
+++ b/infra/overlays/upc-dev/vaultwarden/kustomization.yaml
@@ -3,3 +3,4 @@ kind: Kustomization
 resources:
 - vaultwarden.yaml
 - vaultwarden-db-secret-sealed.yaml
+- postgresql.yaml
diff --git a/infra/overlays/upc-dev/vaultwarden/postgresql.yaml b/infra/overlays/upc-dev/vaultwarden/postgresql.yaml
new file mode 100644
index 0000000..8ed617e
--- /dev/null
+++ b/infra/overlays/upc-dev/vaultwarden/postgresql.yaml
@@ -0,0 +1,102 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: vaultwarden-postgresql
+ namespace: vaultwarden
+ labels:
+ app.kubernetes.io/name: postgresql
+ app.kubernetes.io/instance: vaultwarden
+ app.kubernetes.io/component: database
+spec:
+ type: ClusterIP
+ ports:
+ - name: tcp-postgresql
+ port: 5432
+ targetPort: tcp-postgresql
+ selector:
+ app.kubernetes.io/name: postgresql
+ app.kubernetes.io/instance: vaultwarden
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: vaultwarden-postgresql
+ namespace: vaultwarden
+ labels:
+ app.kubernetes.io/name: postgresql
+ app.kubernetes.io/instance: vaultwarden
+ app.kubernetes.io/component: database
+spec:
+ serviceName: vaultwarden-postgresql
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: postgresql
+ app.kubernetes.io/instance: vaultwarden
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: postgresql
+ app.kubernetes.io/instance: vaultwarden
+ app.kubernetes.io/component: database
+ spec:
+ containers:
+ - name: postgresql
+ image: postgres:16-alpine
+ ports:
+ - name: tcp-postgresql
+ containerPort: 5432
+ env:
+ - name: POSTGRES_USER
+ valueFrom:
+ secretKeyRef:
+ name: prod-db-creds
+ key: pgusername
+ - name: POSTGRES_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: prod-db-creds
+ key: pgpassword
+ - name: POSTGRES_DB
+ value: vaultwarden
+ - name: PGDATA
+ value: /var/lib/postgresql/data/pgdata
+ volumeMounts:
+ - name: data
+ mountPath: /var/lib/postgresql/data
+ livenessProbe:
+ exec:
+ command:
+ - pg_isready
+ - -U
+ - $(POSTGRES_USER)
+ - -d
+ - vaultwarden
+ initialDelaySeconds: 30
+ periodSeconds: 10
+ readinessProbe:
+ exec:
+ command:
+ - pg_isready
+ - -U
+ - $(POSTGRES_USER)
+ - -d
+ - vaultwarden
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ resources:
+ requests:
+ cpu: 100m
+ memory: 256Mi
+ limits:
+ cpu: 500m
+ memory: 512Mi
+ volumeClaimTemplates:
+ - metadata:
+ name: data
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 2Gi
diff --git a/infra/values/upc-dev/vaultwarden-values.yaml b/infra/values/upc-dev/vaultwarden-values.yaml
index 78a7c14..ac956c7 100644
--- a/infra/values/upc-dev/vaultwarden-values.yaml
+++ b/infra/values/upc-dev/vaultwarden-values.yaml
@@ -1,5 +1,8 @@
 database:
 type: postgresql
+ host: vaultwarden-postgresql
+ port: "5432"
+ dbName: vaultwarden
 existingSecret: prod-db-creds
 existingSecretUserKey: pgusername
 existingSecretPasswordKey: pgpassword
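Review bot: The StatefulSet's pod template declares no `securityContext` at pod or container level, so the `postgres:16-alpine` container starts as root before its entrypoint drops privileges, and nothing in the overlay forbids privilege escalation or drops capabilities; the database is also published on a ClusterIP Service that every pod in the cluster can reach, with no NetworkPolicy limiting ingress on 5432 to the Vaultwarden workload. Consider adding the security context below (confirm the `postgres` uid/gid of the alpine image before pinning `runAsUser`/`fsGroup`) together with a NetworkPolicy that admits only the Vaultwarden pods. Two smaller points: `image: postgres:16-alpine` is a floating tag, so pinning a digest (`postgres:16-alpine@sha256:<digest>`) keeps the deployed database reproducible, and `POSTGRES_USER`/`POSTGRES_PASSWORD` are only honored when the data directory is first initialized, so rotating `prod-db-creds` later will not change the role's password by itself — worth a comment beside the `env` block.
```yaml
    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 70       # postgres uid in the alpine image — confirm
        runAsGroup: 70
        fsGroup: 70         # lets the postgres group write the PVC
      containers:
      - name: postgresql
        # … unchanged: image, ports, env, volumeMounts, probes, resources …
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
          seccompProfile:
            type: RuntimeDefault
```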