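---
# PostgreSQL for the container-mom namespace: a single-replica StatefulSet
# plus the headless Service that its serviceName refers to.
# Storage is an emptyDir, so this manifest is for development only.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: postgres
  namespace: container-mom
spec:
  serviceName: postgres
  replicas: 1
  selector:
    matchLabels:
      app: postgres
  template:
    metadata:
      labels:
        app: postgres
    spec:
      # Nothing in this pod spec needs the Kubernetes API, so do not mount a
      # service-account token that a compromised database process could read.
      automountServiceAccountToken: false
      securityContext:
        # NOTE(review): these IDs look like a namespace-assigned range;
        # confirm they match the range allowed in the target namespace.
        runAsUser: 1000810000
        runAsGroup: 1000810000
        # fsGroup lets the non-root user write to the mounted data volume.
        fsGroup: 1000810000
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: postgres
          # NOTE(review): a tag is mutable. For anything beyond development,
          # pin the image by digest (postgres@sha256:<digest-placeholder>).
          image: postgres:15-alpine
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault
            # NOTE(review): readOnlyRootFilesystem is not set. Enabling it
            # would need writable mounts for the paths PostgreSQL writes
            # outside the data directory; verify before turning it on.
          # NOTE(review): no resource requests/limits and no readiness or
          # liveness probe are defined; add them before shared use.
          ports:
            - containerPort: 5432
              name: postgres
          env:
            - name: POSTGRES_DB
              value: container_mom_development
            # Credentials come from the db-credentials Secret, not from
            # literals in this manifest.
            - name: POSTGRES_USER
              valueFrom:
                secretKeyRef:
                  name: db-credentials
                  key: username
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: db-credentials
                  key: password
          volumeMounts:
            - name: postgres-data
              mountPath: /var/lib/postgresql/data
              # The data directory is a subdirectory of the volume rather
              # than the volume root.
              subPath: postgres-data
      volumes:
        - name: postgres-data
          # Ephemeral storage for development: the database contents are
          # lost when the pod is removed from its node. Use
          # volumeClaimTemplates for data that must survive rescheduling.
          emptyDir: {}
---
# Headless Service giving the StatefulSet pod a stable DNS name.
# NOTE(review): no NetworkPolicy is visible in this file. If none exists
# elsewhere, restrict ingress on 5432 to the workloads that need the database.
apiVersion: v1
kind: Service
metadata:
  name: postgres
  namespace: container-mom
spec:
  ports:
    - port: 5432
      # Refers to the named container port "postgres" on the pod.
      targetPort: postgres
      name: postgres
  selector:
    app: postgres
  clusterIP: None  # Headless service for StatefulSet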