vw postgres

docs/REFERENCE.md

@@ -1087,6 +1087,7 @@ ingress:
 
 database:
   type: postgresql
+  host: vaultwarden-postgresql  # StatefulSet in overlay
   existingSecret: prod-db-creds
 
 storage:
@@ -1099,8 +1100,10 @@ storage:
 **Endpoints**:
 - Web UI: `https://bitwarden.forteapps.net`
 
+**Database**: Standalone PostgreSQL 16 StatefulSet (`vaultwarden-postgresql`) deployed in overlay with 2Gi PVC. Chart does NOT include a PostgreSQL subchart — must be provisioned separately.
+
 **Secrets**:
-- `prod-db-creds` — PostgreSQL credentials + SMTP credentials
+- `prod-db-creds` (SealedSecret) — PostgreSQL credentials (`pgusername`, `pgpassword`) + SMTP credentials
 - `vaultwarden-tls` — auto-managed by cert-manager
 
 ### AI Code Review (ai-review)

infra/overlays/upc-dev/vaultwarden/kustomization.yaml

@@ -3,3 +3,4 @@ kind: Kustomization
 resources:
 - vaultwarden.yaml
 - vaultwarden-db-secret-sealed.yaml
+- postgresql.yaml

infra/overlays/upc-dev/vaultwarden/postgresql.yaml

@@ -0,0 +1,102 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: vaultwarden-postgresql
+  namespace: vaultwarden
+  labels:
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/instance: vaultwarden
+    app.kubernetes.io/component: database
+spec:
+  type: ClusterIP
+  ports:
+  - name: tcp-postgresql
+    port: 5432
+    targetPort: tcp-postgresql
+  selector:
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/instance: vaultwarden
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: vaultwarden-postgresql
+  namespace: vaultwarden
+  labels:
+    app.kubernetes.io/name: postgresql
+    app.kubernetes.io/instance: vaultwarden
+    app.kubernetes.io/component: database
+spec:
+  serviceName: vaultwarden-postgresql
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: postgresql
+      app.kubernetes.io/instance: vaultwarden
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: postgresql
+        app.kubernetes.io/instance: vaultwarden
+        app.kubernetes.io/component: database
+    spec:
+      containers:
+      - name: postgresql
+        image: postgres:16-alpine
+        ports:
+        - name: tcp-postgresql
+          containerPort: 5432
+        env:
+        - name: POSTGRES_USER
+          valueFrom:
+            secretKeyRef:
+              name: prod-db-creds
+              key: pgusername
+        - name: POSTGRES_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: prod-db-creds
+              key: pgpassword
+        - name: POSTGRES_DB
+          value: vaultwarden
+        - name: PGDATA
+          value: /var/lib/postgresql/data/pgdata
+        volumeMounts:
+        - name: data
+          mountPath: /var/lib/postgresql/data
+        livenessProbe:
+          exec:
+            command:
+            - pg_isready
+            - -U
+            - $(POSTGRES_USER)
+            - -d
+            - vaultwarden
+          initialDelaySeconds: 30
+          periodSeconds: 10
+        readinessProbe:
+          exec:
+            command:
+            - pg_isready
+            - -U
+            - $(POSTGRES_USER)
+            - -d
+            - vaultwarden
+          initialDelaySeconds: 5
+          periodSeconds: 5
+        resources:
+          requests:
+            cpu: 100m
+            memory: 256Mi
+          limits:
+            cpu: 500m
+            memory: 512Mi
+  volumeClaimTemplates:
+  - metadata:
+      name: data
+    spec:
+      accessModes:
+      - ReadWriteOnce
+      resources:
+        requests:
+          storage: 2Gi

infra/values/upc-dev/vaultwarden-values.yaml

@@ -1,5 +1,8 @@
 database:
   type: postgresql
+  host: vaultwarden-postgresql
+  port: "5432"
+  dbName: vaultwarden
   existingSecret: prod-db-creds
   existingSecretUserKey: pgusername
   existingSecretPasswordKey: pgpassword