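# PostgreSQL instance for the demo-session service: a single-replica
# Deployment, its ClusterIP Service and the PersistentVolumeClaim that holds
# the data directory. Credentials come from the `database-secrets` Secret and
# the server certificate/key from the `postgres-tls` Secret.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo-session-db
  namespace: bakery-ia
  labels:
    app: demo-session-db
    component: database
    app.kubernetes.io/name: demo-session-db
    app.kubernetes.io/part-of: bakery-forecasting-platform
spec:
  replicas: 1
  # Recreate stops the old pod before starting the new one, so two postgres
  # processes never open the same ReadWriteOnce data volume during a rollout.
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: demo-session-db
  template:
    metadata:
      labels:
        app: demo-session-db
        component: database
    spec:
      securityContext:
        # 70 is the uid/gid of the `postgres` user in the Alpine-based image.
        fsGroup: 70
        # Apply the container runtime's default syscall filter to every
        # container in the pod.
        seccompProfile:
          type: RuntimeDefault
      initContainers:
        # Secret volumes are read-only and not owned by the postgres user, but
        # postgres refuses a private key that is not owned by it with mode
        # 0600. This container copies the TLS material into an emptyDir and
        # fixes ownership and modes there.
        - name: fix-tls-permissions
          # NOTE(review): mutable tag; pin by digest
          # (busybox@sha256:<digest>) so the root init step always runs a
          # known image.
          image: busybox:1.36
          securityContext:
            # Root is needed only for `chown`; everything else is dropped.
            runAsUser: 0
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
              add:
                - CHOWN
          command: ['sh', '-c']
          args:
            - |
              # Fail the init container on the first error or unset variable.
              # Without this, a failed cp/chmod/chown is masked by the exit
              # status of the final `ls`, and postgres starts without usable
              # TLS files.
              set -eu
              cp /tls-source/* /tls/
              chmod 600 /tls/server-key.pem
              chmod 644 /tls/server-cert.pem /tls/ca-cert.pem
              chown 70:70 /tls/*
              ls -la /tls/
          volumeMounts:
            - name: tls-certs-source
              mountPath: /tls-source
              readOnly: true
            - name: tls-certs-writable
              mountPath: /tls
      containers:
        - name: postgres
          # NOTE(review): mutable tag; pin by digest
          # (postgres@sha256:<digest>) for reproducible rollouts.
          image: postgres:17-alpine
          # The certificate and key staged under /tls were never handed to the
          # server, so TLS stayed off. The image entrypoint prepends
          # `postgres` to arguments that start with `-`.
          # ssl=on makes TLS available but does not require it: rejecting
          # plaintext clients needs `hostssl` rules in pg_hba.conf, which this
          # manifest does not configure. ca-cert.pem is staged but only needed
          # if client-certificate verification (ssl_ca_file) is enabled.
          args:
            - -c
            - ssl=on
            - -c
            - ssl_cert_file=/tls/server-cert.pem
            - -c
            - ssl_key_file=/tls/server-key.pem
          securityContext:
            # The entrypoint steps down from root to the postgres user with
            # setuid(), which no_new_privs does not block.
            allowPrivilegeEscalation: false
          ports:
            - containerPort: 5432
              name: postgres
          # NOTE(review): envFrom exposes every key of bakery-config to the
          # database container; confirm it holds nothing this pod should not
          # see.
          envFrom:
            - configMapRef:
                name: bakery-config
          env:
            # Credentials are read from the Secret, not inlined here.
            - name: POSTGRES_USER
              valueFrom:
                secretKeyRef:
                  name: database-secrets
                  key: DEMO_SESSION_DB_USER
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: database-secrets
                  key: DEMO_SESSION_DB_PASSWORD
            - name: POSTGRES_DB
              value: demo_session_db
            # Data lives in a subdirectory of the mount, not the mount root.
            - name: PGDATA
              value: /var/lib/postgresql/data/pgdata
          volumeMounts:
            - name: demo-session-db-data
              mountPath: /var/lib/postgresql/data
            # Same emptyDir the init container populated, read-only here.
            - name: tls-certs-writable
              mountPath: /tls
              readOnly: true
          resources:
            requests:
              memory: "256Mi"
              cpu: "100m"
            limits:
              memory: "512Mi"
              cpu: "200m"
          # Both probes run pg_isready with the user and database taken from
          # the container environment.
          livenessProbe:
            exec:
              command:
                - sh
                - -c
                - exec pg_isready -U "$POSTGRES_USER" -d "$POSTGRES_DB"
            initialDelaySeconds: 30
            periodSeconds: 10
            timeoutSeconds: 5
            failureThreshold: 6
          readinessProbe:
            exec:
              command:
                - sh
                - -c
                - exec pg_isready -U "$POSTGRES_USER" -d "$POSTGRES_DB"
            initialDelaySeconds: 5
            periodSeconds: 10
            timeoutSeconds: 5
            failureThreshold: 6
      volumes:
        - name: demo-session-db-data
          persistentVolumeClaim:
            claimName: demo-session-db-pvc
        # Only the three listed keys of the Secret are projected.
        - name: tls-certs-source
          secret:
            secretName: postgres-tls
            items:
              - key: server-cert.pem
                path: server-cert.pem
              - key: server-key.pem
                path: server-key.pem
              - key: ca-cert.pem
                path: ca-cert.pem
        # Scratch copy of the TLS files; its contents are discarded with the
        # pod.
        - name: tls-certs-writable
          emptyDir: {}
---
# Cluster-internal endpoint for the database.
# NOTE(review): no NetworkPolicy is defined in this file. Unless one exists
# elsewhere, any pod that can reach the Service can attempt to authenticate to
# postgres; restrict ingress to the workloads that need it.
apiVersion: v1
kind: Service
metadata:
  name: demo-session-db-service
  namespace: bakery-ia
  labels:
    app: demo-session-db
    component: database
    app.kubernetes.io/name: demo-session-db-service
    app.kubernetes.io/part-of: bakery-forecasting-platform
spec:
  type: ClusterIP
  selector:
    app: demo-session-db
  ports:
    - name: postgres
      port: 5432
      targetPort: 5432
---
# Persistent storage for the postgres data directory.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: demo-session-db-pvc
  namespace: bakery-ia
  labels:
    app: demo-session-db
    component: database
    app.kubernetes.io/name: demo-session-db-pvc
    app.kubernetes.io/part-of: bakery-forecasting-platform
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
  storageClassName: standard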