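---
# Single-replica PostgreSQL StatefulSet backing authentik (namespace: authentik).
# Data is stored on the pre-existing PVC "authentik-pg-pvc"; the database
# password is read from the Secret "authentik-secrets".
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: postgresql
  namespace: authentik
spec:
  # This policy applies to PVCs created from volumeClaimTemplates; this manifest
  # declares none and mounts an existing claim under template.spec.volumes.
  persistentVolumeClaimRetentionPolicy:
    whenDeleted: Retain
    whenScaled: Retain
  podManagementPolicy: OrderedReady
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app: postgresql
  serviceName: postgresql
  template:
    metadata:
      labels:
        app: postgresql
    spec:
      # The database process makes no Kubernetes API calls, so no service
      # account token is projected into the pod.
      automountServiceAccountToken: false
      containers:
        - env:
            - name: POSTGRES_USER
              value: authentik
            - name: POSTGRES_DB
              value: authentik
            # Password comes from a Secret reference and never appears in the
            # manifest. It is still exposed as an environment variable inside
            # the container, so anything that can exec into the pod or read its
            # environment can read it.
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  key: POSTGRES_PASSWORD
                  name: authentik-secrets
            # NOTE(review): PGDATA is the root of the volume mount. Some volume
            # backends place extra entries (e.g. lost+found) there; confirm this
            # works on the storage class in use before re-initialising.
            - name: PGDATA
              value: /var/lib/postgresql/data
          # NOTE(review): mutable tag combined with IfNotPresent means nodes can
          # run different builds of "17-alpine" and a re-pushed tag is picked up
          # silently on new nodes. Pin by digest once one has been verified:
          #   postgres:17-alpine@sha256:<verified-digest>
          image: postgres:17-alpine
          imagePullPolicy: IfNotPresent
          name: postgresql
          ports:
            - containerPort: 5432
              protocol: TCP
          # Marks the pod ready only once the server accepts connections.
          readinessProbe:
            exec:
              command:
                - pg_isready
                - '-U'
                - authentik
            failureThreshold: 3
            initialDelaySeconds: 10
            periodSeconds: 5
            successThreshold: 1
            timeoutSeconds: 1
          # NOTE(review): no requests/limits are set, so the pod runs as
          # BestEffort: it is first in line for eviction under node pressure and
          # is unbounded in CPU/memory use. Size these from observed usage;
          # values are deliberately not guessed here.
          resources: {}
          # Container-level hardening. The process already runs as a non-root
          # uid (pod securityContext below), so it holds no capabilities to
          # lose; these settings make that explicit and block regaining
          # privileges through setuid binaries.
          # readOnlyRootFilesystem is not enabled: it would additionally need
          # writable emptyDir mounts for the server's runtime/socket and temp
          # directories.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          volumeMounts:
            - mountPath: /var/lib/postgresql/data
              name: pg-data
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      # NOTE(review): uid/gid 999 matches the postgres account of the
      # Debian-based official image; the Alpine variant is commonly documented
      # as using 70. Confirm against the image in use and against the ownership
      # of the existing data on the PVC before changing either value.
      securityContext:
        fsGroup: 999
        runAsGroup: 999
        # Refuse to start if the effective uid ever resolves to 0.
        runAsNonRoot: true
        runAsUser: 999
        # Apply the container runtime's default seccomp filter.
        seccompProfile:
          type: RuntimeDefault
      terminationGracePeriodSeconds: 30
      volumes:
        - name: pg-data
          persistentVolumeClaim:
            claimName: authentik-pg-pvc
  updateStrategy:
    rollingUpdate:
      partition: 0
    type: RollingUpdate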