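---
# Single-replica PostgreSQL for the namespace: StatefulSet, generated
# credentials (SecretClaim), ClusterIP Service and first-boot init SQL.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: postgres
spec:
  revisionHistoryLimit: 0
  serviceName: postgres
  selector:
    matchLabels:
      app: postgres
  replicas: 1
  template:
    metadata:
      labels:
        app: postgres
      annotations:
        # NOTE(review): no container in this manifest listens on 9187 and the
        # Service below only publishes 5432; presumably an exporter is deployed
        # separately -- confirm, otherwise this scrape target is dead.
        prometheus.io/port: '9187'
        prometheus.io/scrape: 'true'
    spec:
      # NOTE(review): no securityContext is set on the pod or the container;
      # consider defining one once the image's UID/fsGroup needs are confirmed.
      containers:
        - name: postgres
          # NOTE(review): `postgres:15` is a floating tag and
          # `imagePullPolicy: Always` re-resolves it on every pod start.
          # Pinning by digest (postgres@sha256:<digest-placeholder>) makes the
          # running image change only through a reviewed commit.
          image: mirror.gcr.io/library/postgres:15
          imagePullPolicy: Always
          env:
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: postgres-secrets
                  key: POSTGRES_PASSWORD
            # Consumed by initdb.sql (via psql \getenv) so the monitoring role
            # gets the generated secret instead of a password stored in the
            # ConfigMap.
            - name: EXPORTER_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: postgres-secrets
                  key: EXPORTER_PASSWORD
            # Superuser name and default database both follow the namespace.
            - name: POSTGRES_USER
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: POSTGRES_DB
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          volumeMounts:
            - name: postgres-data
              mountPath: /var/lib/postgresql/data
            - name: postgres-init
              mountPath: /docker-entrypoint-initdb.d
      volumes:
        - name: postgres-init
          configMap:
            name: postgres-init-config
  volumeClaimTemplates:
    - metadata:
        name: postgres-data
      spec:
        storageClassName: ceph-rbd
        accessModes:
          - ReadWriteOnce
        resources:
          requests:
            storage: 2Gi
---
apiVersion: codemowers.cloud/v1beta1
kind: SecretClaim
metadata:
  name: postgres-secrets
spec:
  size: 32
  # NOTE(review): both keys use the same `%(plaintext)s` template. If the
  # operator renders one generated value per claim, the superuser and the
  # exporter end up sharing a password -- confirm, and give the exporter its
  # own SecretClaim if so.
  mapping:
    - key: POSTGRES_PASSWORD
      value: "%(plaintext)s"
    - key: EXPORTER_PASSWORD
      value: "%(plaintext)s"
---
apiVersion: v1
kind: Service
metadata:
  name: postgres
spec:
  ports:
    - protocol: TCP
      port: 5432
  selector:
    app: postgres
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: postgres-init-config
data:
  # Init scripts only run when the data directory is empty. A cluster that was
  # already initialised keeps whatever password `exporter` was created with
  # and must be rotated by hand (ALTER ROLE exporter PASSWORD ...).
  initdb.sql: |
    -- The image entrypoint feeds *.sql files to psql as-is: there is no shell
    -- expansion, so "${VAR}" would be taken literally. Environment values are
    -- therefore read with \getenv (available in psql 15 and later).
    -- If EXPORTER_PASSWORD is missing, :'exporter_password' stays unexpanded
    -- and CREATE USER fails, which aborts initialisation instead of creating
    -- the role with a guessable password.
    \getenv exporter_password EXPORTER_PASSWORD
    \getenv target_db POSTGRES_DB

    -- create a read-only monitoring user for exporters
    CREATE USER exporter WITH PASSWORD :'exporter_password';
    -- grant metrics/monitoring related permissions
    GRANT pg_read_all_stats TO exporter;
    GRANT SELECT ON pg_catalog.pg_replication_slots TO exporter;
    -- :"target_db" is quoted as an identifier, so namespace names containing
    -- hyphens are handled.
    GRANT CONNECT ON DATABASE :"target_db" TO exporter;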