apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: postgres
spec:
  revisionHistoryLimit: 0
  serviceName: postgres
  selector:
    matchLabels:
      app: postgres
  replicas: 1
  template:
    metadata:
      labels:
        app: postgres
      annotations:
        prometheus.io/port: '9187'
        prometheus.io/scrape: 'true'
    spec:
      containers:
      - name: postgres
        image: mirror.gcr.io/library/postgres:15
        imagePullPolicy: Always
        env:
        - name: POSTGRES_APPUSER
          value: "kspace_wiki"
        - name: POSTGRES_APP_DB
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: POSTGRES_PASSWORD
          valueFrom:
            secretKeyRef:
              name: postgres-root-password
              key: POSTGRES_PASSWORD
        - name: POSTGRES_APPUSER_PASSWORD
          valueFrom:
            secretKeyRef:
              name: postgres-appuser-password
              key: password
        - name: EXPORTER_PASSWORD
          valueFrom:
            secretKeyRef:
              name: postgres-expoter-password
              key: EXPORTER_PASSWORD
        volumeMounts:
        - name: postgres-data
          mountPath: /var/lib/postgresql
        - name: postgres-init
          mountPath: /docker-entrypoint-initdb.d
      volumes:
        - name: postgres-init
          configMap:
            name: postgres-init-config
  volumeClaimTemplates:
  - metadata:
      name: postgres-data
    spec:
      storageClassName: ceph-rbd
      accessModes:
        - ReadWriteOnce
      resources:
        requests:
          storage: 20Gi
---
apiVersion: v1
kind: Service
metadata:
  name: postgres
spec:
  ports:
    - protocol: TCP
      port: 5432
  selector:
    app: postgres
---
apiVersion: codemowers.cloud/v1beta1
kind: SecretClaim
metadata:
  name: postgres-root-password
spec:
  size: 32
  mapping:
    - key: POSTGRES_PASSWORD
      value: "%(plaintext)s"
---
apiVersion: codemowers.cloud/v1beta1
kind: SecretClaim
metadata:
  name: postgres-appuser-password
spec:
  size: 32
  mapping:
    - key: password
      value: "%(plaintext)s"
---
apiVersion: codemowers.cloud/v1beta1
kind: SecretClaim
metadata:
  name: postgres-expoter-password
spec:
  size: 32
  mapping:
    - key: EXPORTER_PASSWORD
      value: "%(plaintext)s"
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: postgres-init-config
data:
  initdb.sh: |
    #!/usr/bin/env bash
    set -e

    psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
      CREATE USER exporter WITH PASSWORD '$EXPORTER_PASSWORD';
      GRANT pg_read_all_stats TO exporter;
      GRANT SELECT ON pg_catalog.pg_replication_slots TO exporter;
      GRANT CONNECT ON DATABASE postgres TO exporter;

      CREATE DATABASE "$POSTGRES_APP_DB";
      CREATE USER "$POSTGRES_APPUSER" WITH PASSWORD '$POSTGRES_APPUSER_PASSWORD';
      GRANT ALL PRIVILEGES ON database "$POSTGRES_APP_DB" TO "$POSTGRES_APPUSER";
    EOSQL