From 03647907bee76b6a2e1f00252adeeb41cc5d117e Mon Sep 17 00:00:00 2001
From: red
Date: Sat, 21 Jun 2025 22:17:04 -0400
Subject: [PATCH] swap over to statefulset
---
 manifests/pleroma/jobs.yaml | 40 ++++++
 manifests/postgres/deployment.yaml | 63 ----------
 manifests/postgres/poddisruptionbudget.yaml | 13 ++
 manifests/postgres/pvc.yaml | 2 +-
 manifests/postgres/service.yaml | 18 +++
 manifests/postgres/statefulset.yaml | 131 ++++++++++++++++++++
 6 files changed, 203 insertions(+), 64 deletions(-)
 create mode 100644 manifests/pleroma/jobs.yaml
 delete mode 100644 manifests/postgres/deployment.yaml
 create mode 100644 manifests/postgres/poddisruptionbudget.yaml
 create mode 100644 manifests/postgres/statefulset.yaml
diff --git a/manifests/pleroma/jobs.yaml b/manifests/pleroma/jobs.yaml
new file mode 100644
index 0000000..1a62836
--- /dev/null
+++ b/manifests/pleroma/jobs.yaml
@@ -0,0 +1,40 @@
+# sX/vQ3gaDErEFr9wuYqlaJ/yWdswBMkY4wczeq6t3bEgwo2Ia+vHcN9pbf7dBjahEihjkZ7jS5W48DIfmOFsug==
+
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: migrate
+ namespace: darkdork-dev
+spec:
+ template:
+ spec:
+ imagePullSecrets:
+ - name: registry-credentials
+ containers:
+ - name: migrate
+ image: cr.forge.lan/darkdork-dev/pleroma:latest
+ command: [ "/bin/ash", "-c", "/opt/pleroma/bin/pleroma_ctl migrate" ]
+ env:
+ - name: DB_HOST
+ value: postgres
+ - name: DB_NAME
+ value: pleroma
+ - name: DB_USER
+ value: pleroma
+ - name: DB_PASS
+ valueFrom:
+ secretKeyRef:
+ name: postgres
+ key: postgres-password
+ volumeMounts:
+ - name: pleroma-config-volume
+ mountPath: /etc/pleroma/config.exs
+ subPath: config.exs
+ restartPolicy: Never
+ volumes:
+ - name: pleroma-config-volume
+ configMap:
+ name: pleroma-config
+ defaultMode: 0640 # Pleroma is picky about config file permissions.
+ securityContext:
+ fsGroup: 1000 # Ensures pleroma can still read the config file
\ No newline at end of file
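Review bot: The migration Job logs in as `DB_USER: pleroma` with the value of the `postgres-password` key, which is the same Secret key the new StatefulSet feeds into `POSTGRES_PASSWORD` — so the application role is effectively running on the superuser credential, and a compromised app pod is a compromised database. Give the `pleroma` role its own password (a separate key such as `pleroma-password`, created by the init script) and reference that here; the superuser secret should only ever be mounted into the database pod. The image is `cr.forge.lan/darkdork-dev/pleroma:latest`: a schema migration run from a floating tag can drift from the Deployment it is migrating for, so pin both to the same digest or immutable tag. The first line of the file is an unexplained 64-byte base64 blob in a comment (the size of a SHA-512 digest or an Ed25519 signature) — if it is key material it does not belong in the repo, and if it is a fingerprint a word saying so would spare the next reader the investigation, e.g. `# config fingerprint (sha512, not a secret)`. Since Jobs are immutable, the fixed name `migrate` will collide on the next apply; consider `ttlSecondsAfterFinished` and an explicit `backoffLimit` so a failed migration is not silently retried six times.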
diff --git a/manifests/postgres/deployment.yaml b/manifests/postgres/deployment.yaml deleted file mode 100644 index d4964e3..0000000 --- a/manifests/postgres/deployment.yaml +++ /dev/null @@ -1,63 +0,0 @@ ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: postgres - namespace: darkdork-dev -spec: - replicas: 1 - selector: - matchLabels: - app: postgres - template: - metadata: - labels: - app: postgres - spec: - imagePullSecrets: - - name: registry-credentials - containers: - - name: postgres - image: postgres:17-alpine - - imagePullPolicy: Always - volumeMounts: - - name: postgres-data-volume - mountPath: /var/lib/postgresql/data - - name: postgres-init-volume - mountPath: /docker-entrypoint-initdb.d - - name: postgres-config-volume - mountPath: /etc/postgresql/postgresql.conf - subPath: postgresql.conf - ports: - - containerPort: 5432 - env: - - name: POSTGRES_PASSWORD - valueFrom: - secretKeyRef: - name: postgres - key: postgres-password - - name: DB_PASS - valueFrom: - secretKeyRef: - name: postgres - key: postgres-password - resources: - requests: - memory: "6Gi" - cpu: "1200m" - limits: - memory: "8Gi" - cpu: "1600m" - volumes: - - name: postgres-data-volume - persistentVolumeClaim: - claimName: postgres-pvc - - name: postgres-init-volume - configMap: - name: postgres-init - defaultMode: 0755 - - name: postgres-config-volume - configMap: - name: postgres-config ---- diff --git a/manifests/postgres/poddisruptionbudget.yaml b/manifests/postgres/poddisruptionbudget.yaml new file mode 100644 index 0000000..41186d3 --- /dev/null +++ b/manifests/postgres/poddisruptionbudget.yaml @@ -0,0 +1,13 @@ +--- +# poddisruptbudget to ensure avail during voluntary disruption +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: postgres-pdb + namespace: darkdork-dev +spec: + minAvailable: 1 + selector: + matchLabels: + app: postgres +--- \ No newline at end of file 
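Review bot: With `replicas: 1` on the StatefulSet, this PDB's `minAvailable: 1` means the eviction API can never evict the postgres pod, so `kubectl drain`, node upgrades and the cluster autoscaler will hang on it until someone deletes the pod by hand; that may be the intent for a single-replica database, but it deserves to be stated in the comment rather than discovered during a drain. If the intent is "at most one pod down at a time" for a future multi-replica set, `maxUnavailable: 1` expresses that without blocking drains today. Either way, fix the typo and say what the budget does: `# PodDisruptionBudget: refuses voluntary evictions (drains, upgrades) of the single postgres pod`.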
diff --git a/manifests/postgres/pvc.yaml b/manifests/postgres/pvc.yaml
index 195a1e4..6be1998 100644
--- a/manifests/postgres/pvc.yaml
+++ b/manifests/postgres/pvc.yaml
@@ -9,7 +9,7 @@ metadata:
 spec:
 storageClassName: longhorn-ssd
 accessModes:
- - ReadWriteMany
+ - ReadWriteOnce
 resources:
 requests:
 storage: 10Gi
diff --git a/manifests/postgres/service.yaml b/manifests/postgres/service.yaml
index 8e254f3..087caf0 100644
--- a/manifests/postgres/service.yaml
+++ b/manifests/postgres/service.yaml
@@ -9,6 +9,24 @@ spec:
 - port: 5432
 targetPort: 5432
 protocol: TCP
+ clusterIP: None
 selector:
 app: postgres
+---
+# regular (non-headless) service for application access
+apiVersion: v1
+kind: Service
+metadata:
+ name: postgres-svc
+ namespace: darkdork-dev
+ labels:
+ app: postgres
+spec:
+ selector:
+ app: postgres
+ ports:
+ - port: 5432
+ targetPort: 5432
+ name: postgres
+ type: ClusterIP
 ---
\ No newline at end of file
diff --git a/manifests/postgres/statefulset.yaml b/manifests/postgres/statefulset.yaml
new file mode 100644
index 0000000..a3c7c91
--- /dev/null
+++ b/manifests/postgres/statefulset.yaml
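Review bot: `accessModes` is immutable on an existing PersistentVolumeClaim, so applying this `ReadWriteMany` → `ReadWriteOnce` change to the already-bound `postgres-pvc` will be rejected by the API server; the only way to flip it is to delete and recreate the claim, and if `longhorn-ssd` reclaims with `Delete` (the usual default) that destroys the data. After this commit nothing mounts `postgres-pvc` anyway — the new StatefulSet provisions its own claim through `volumeClaimTemplates` — so either leave this manifest untouched as the migration source until the data has been copied into the new claim, or remove it once that is done; changing it in place achieves neither. The PVC's metadata is outside the hunk.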
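Review bot: Adding `clusterIP: None` to the existing `postgres` Service is likewise an immutable change (an allocated ClusterIP cannot be switched to headless in place), so this needs a delete/recreate, and while the Service is gone the migrate Job's `DB_HOST: postgres` and any app pod lose name resolution — plan the cutover rather than relying on `kubectl apply`. The new `postgres-svc` is commented as the Service "for application access", yet the Job in this same commit still points at the headless `postgres`, which resolves straight to the pod IP and skips the readiness gating a ClusterIP Service gives; point clients at `DB_HOST: postgres-svc` and reserve the headless one for the StatefulSet's per-pod DNS. The headless Service only yields `postgres-0.postgres` records if the StatefulSet names it in `serviceName`, which the new StatefulSet does not do. The top of the `postgres` Service is outside the hunk.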
@@ -0,0 +1,131 @@
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: postgres
+ namespace: darkdork-dev
+ labels:
+ app: postgres
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: postgres
+ updateStrategy:
+ type: RollingUpdate
+ template:
+ metadata:
+ labels:
+ app: postgres
+ spec:
+ terminationGracePeriodSeconds: 30
+ imagePullSecrets:
+ - name: registry-credentials
+ securityContext:
+ fsGroup: 1000
+ affinity:
+ podAntiAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 100
+ podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+ - key: app
+ operator: In
+ values:
+ - postgres
+ topologyKey: kubernetes.io/hostname
+ containers:
+ - name: postgres
+ image: postgres:17-alpine
+ imagePullPolicy: Always
+ # securityContext:
+ # runAsUser: 1001
+ # runAsGroup: 1001
+ # allowPrivilegeEscalation: false
+ volumeMounts:
+ - name: postgres-data-statefulset
+ mountPath: /var/lib/postgresql/data
+ subPath: pgdata # Using subPath to avoid permission issues
+ - name: postgres-init-volume
+ mountPath: /docker-entrypoint-initdb.d
+ - name: postgres-config-volume
+ mountPath: /etc/postgresql/postgresql.conf
+ subPath: postgresql.conf
+ ports:
+ - containerPort: 5432
+ env:
+ - name: POSTGRES_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: postgres
+ key: postgres-password
+ - name: DB_PASS
+ valueFrom:
+ secretKeyRef:
+ name: postgres
+ key: postgres-password
+ - name: PGDATA
+ value: /var/lib/postgresql/data/pgdata
+ - name: POSTGRES_INITDB_ARGS
+ value: "-c config_file=/etc/postgresql/postgresql.conf"
+ resources:
+ requests:
+ memory: "256Mi"
+ cpu: "100m"
+ limits:
+ memory: "8Gi"
+ cpu: "3000m"
+ livenessProbe:
+ exec:
+ command:
+ - pg_isready
+ - -U
+ - postgres
+ - -d
+ - pleroma
+ initialDelaySeconds: 30
+ periodSeconds: 10
+ timeoutSeconds: 5
+ failureThreshold: 6
+ readinessProbe:
+ exec:
+ command:
+ - pg_isready
+ - -U
+ - postgres
+ - -d
+ - pleroma
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ timeoutSeconds: 3
+ failureThreshold: 3
+ startupProbe:
+ exec:
+ command:
+ - pg_isready
+ - -U
+ - postgres
+ - -d
+ - pleroma
+ initialDelaySeconds: 15
+ periodSeconds: 5
+ timeoutSeconds: 3
+ failureThreshold: 12
+ volumes:
+ - name: postgres-init-volume
+ configMap:
+ name: postgres-init
+ defaultMode: 0755
+ - name: postgres-config-volume
+ configMap:
+ name: postgres-config
+ volumeClaimTemplates:
+ - metadata:
+ name: postgres-data-statefulset
+ spec:
+ accessModes: ["ReadWriteOnce"]
+ storageClassName: longhorn-ssd
+ resources:
+ requests:
+ storage: 10Gi
\ No newline at end of file
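Review bot: The database container runs as root: the per-container `securityContext` under `- name: postgres` is commented out, and as far as I can tell the pod-level `fsGroup: 1000` does nothing useful because the `postgres:17-alpine` image's postgres user is uid/gid 70, not 1000. The official image runs unprivileged as long as the data volume is group-writable for that gid, so the block below (replacing the four commented lines and the pod `fsGroup`) is the usual fix — confirm the uid against your image tag before applying. Separately, `POSTGRES_INITDB_ARGS: "-c config_file=…"` is only handed to `initdb` on first initialisation and `config_file` is a command-line-only server parameter, so the mounted `postgresql.conf` is probably never loaded; the documented route is container `args: ["-c", "config_file=/etc/postgresql/postgresql.conf"]`. This StatefulSet also declares no `serviceName: postgres`, so the headless Service added in this commit produces no `postgres-0.postgres` records, and on Kubernetes versions that still require the field the object fails validation outright. Finally, `volumeClaimTemplates` provisions a brand-new empty claim (`postgres-data-statefulset-postgres-0`) and nothing in the diff moves data out of the old `postgres-pvc`, so the first start will `initdb` a fresh cluster and run the init script against it — plan the data copy before switching Pleroma over.
```yaml
      securityContext:
        fsGroup: 70
      # … unchanged: affinity …
      containers:
        - name: postgres
          image: postgres:17-alpine
          imagePullPolicy: Always
          securityContext:
            runAsNonRoot: true
            runAsUser: 70
            runAsGroup: 70
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          # … unchanged: volumeMounts, ports, env, resources, probes …
```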