postgres
Provisions a dedicated database on a shared PostgreSQL instance.
type: postgres
expected_outputs:
- host
- port
- name
- database
- username
- passwordprovisioners.yaml
(view on GitHub)
:
- uri: template://default-provisioners/postgres
type: postgres
description: Provisions a dedicated database on a shared PostgreSQL instance.
init: |
randomDatabase: db-{{ randAlpha 8 }}
randomUsername: user-{{ randAlpha 8 }}
randomPassword: {{ randAlphaNum 16 | quote }}
state: |
service: pg-{{ .SourceWorkload }}-{{ substr 0 8 .Guid | lower }}
database: {{ dig "database" .Init.randomDatabase .State | quote }}
username: {{ dig "username" .Init.randomUsername .State | quote }}
password: {{ dig "password" .Init.randomPassword .State | quote }}
outputs: |
host: {{ .State.service }}
port: 5432
name: {{ .State.database }}
database: {{ .State.database }}
username: {{ .State.username }}
password: {{ encodeSecretRef .State.service "password" }}
manifests: |
- apiVersion: v1
kind: Secret
metadata:
name: {{ .State.service }}
{{ if ne .Namespace "" }}
namespace: {{ .Namespace }}
{{ end }}
annotations:
k8s.score.dev/source-workload: {{ .SourceWorkload }}
k8s.score.dev/resource-uid: {{ .Uid }}
k8s.score.dev/resource-guid: {{ .Guid }}
labels:
app.kubernetes.io/managed-by: score-k8s
app.kubernetes.io/name: {{ .State.service }}
app.kubernetes.io/instance: {{ .State.service }}
data:
password: {{ .State.password | b64enc }}
- apiVersion: apps/v1
kind: StatefulSet
metadata:
name: {{ .State.service }}
{{ if ne .Namespace "" }}
namespace: {{ .Namespace }}
{{ end }}
annotations:
k8s.score.dev/source-workload: {{ .SourceWorkload }}
k8s.score.dev/resource-uid: {{ .Uid }}
k8s.score.dev/resource-guid: {{ .Guid }}
labels:
app.kubernetes.io/managed-by: score-k8s
app.kubernetes.io/name: {{ .State.service }}
app.kubernetes.io/instance: {{ .State.service }}
spec:
replicas: 1
serviceName: {{ .State.service }}
selector:
matchLabels:
app.kubernetes.io/instance: {{ .State.service }}
template:
metadata:
labels:
app.kubernetes.io/managed-by: score-k8s
app.kubernetes.io/name: {{ .State.service }}
app.kubernetes.io/instance: {{ .State.service }}
annotations:
k8s.score.dev/source-workload: {{ .SourceWorkload }}
k8s.score.dev/resource-uid: {{ .Uid }}
k8s.score.dev/resource-guid: {{ .Guid }}
spec:
automountServiceAccountToken: false
containers:
- name: postgres-db
image: mirror.gcr.io/postgres:17-alpine
ports:
- name: postgres
containerPort: 5432
env:
- name: PGDATA
value: /var/lib/postgresql/data/pgdata
- name: POSTGRES_USER
value: {{ .State.username | quote }}
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: {{ .State.service }}
key: password
- name: POSTGRES_DB
value: {{ .State.database | quote }}
volumeMounts:
- name: pv-data
mountPath: /var/lib/postgresql/data
securityContext:
runAsUser: 1000
runAsGroup: 1000
allowPrivilegeEscalation: false
privileged: false
capabilities:
drop:
- ALL
readinessProbe:
exec:
command:
- pg_isready
- -U
- {{ .State.username | quote }}
- -d
- {{ .State.database | quote }}
periodSeconds: 3
securityContext:
runAsNonRoot: true
fsGroup: 1000
seccompProfile:
type: RuntimeDefault
volumeClaimTemplates:
- metadata:
name: pv-data
annotations:
k8s.score.dev/source-workload: {{ .SourceWorkload }}
k8s.score.dev/resource-uid: {{ .Uid }}
k8s.score.dev/resource-guid: {{ .Guid }}
labels:
app.kubernetes.io/managed-by: score-k8s
app.kubernetes.io/name: {{ .State.service }}
app.kubernetes.io/instance: {{ .State.service }}
spec:
accessModes: ["ReadWriteOnce"]
resources:
requests:
storage: 1Gi
- apiVersion: v1
kind: Service
metadata:
name: {{ .State.service }}
{{ if ne .Namespace "" }}
namespace: {{ .Namespace }}
{{ end }}
annotations:
k8s.score.dev/source-workload: {{ .SourceWorkload }}
k8s.score.dev/resource-uid: {{ .Uid }}
k8s.score.dev/resource-guid: {{ .Guid }}
labels:
app.kubernetes.io/managed-by: score-k8s
app.kubernetes.io/name: {{ .State.service }}
app.kubernetes.io/instance: {{ .State.service }}
spec:
selector:
app.kubernetes.io/instance: {{ .State.service }}
type: ClusterIP
ports:
- port: 5432
targetPort: 5432
expected_outputs:
- host
- port
- name
- database
- username
- password