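# PostgreSQL Deployment for Immich
# Requires PostgreSQL 16+ with pgvector extension
# NOTE(review): the image used below is tensorchord/pgvecto-rs, while this
# header names pgvector; confirm which extension the deployed Immich
# release expects.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: immich-postgres
  namespace: services
spec:
  replicas: 1
  # Recreate (not RollingUpdate) so the old pod is fully terminated before
  # the new one starts. The hostPath PV points at an NFS-backed directory
  # mounted on every r-node, so RWO is not actually enforced across nodes:
  # under RollingUpdate the new pod can start on a different node and grab
  # the same data dir while the old pod still holds postgres' file locks,
  # producing "could not write to file postmaster.pid: Unknown error 512".
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: immich-postgres
  template:
    metadata:
      labels:
        app: immich-postgres
    spec:
      # Nothing in this manifest calls the Kubernetes API, so do not mount a
      # service-account token into the database pod; a compromised postgres
      # process then has no cluster credential to reuse.
      automountServiceAccountToken: false
      # Apply the container runtime's default seccomp filter to every
      # container in the pod instead of running unconfined.
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      initContainers:
        # Guard against starting on a node where the NFS export is not
        # mounted: in that case the hostPath resolves to the node's local
        # disk and postgres would come up on an empty or stale data dir.
        - name: nfs-check-data
          # busybox:stable is a moving tag; consider pinning by digest
          # (busybox@sha256:<digest>) so the guard cannot change silently.
          image: busybox:stable
          command:
            - sh
            - -c
            - |
              test -f /mnt/.nfs-sentinel || (
                echo "ERROR: NFS sentinel missing at /mnt/.nfs-sentinel"
                echo "refusing to start; node likely has NFS unmounted"
                echo "pod would otherwise bind-mount the local-XFS shadow"
                exit 1
              )
          # The check only reads one file and prints to stdout, so it needs
          # neither privilege escalation nor a writable root filesystem.
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
          volumeMounts:
            - name: postgres-data
              mountPath: /mnt
              # Read-only: the guard must never modify the database files.
              readOnly: true
      containers:
        - name: postgres
          # Tags can be re-pushed; consider pinning by digest as well.
          image: tensorchord/pgvecto-rs:pg16-v0.3.0
          # NOTE(review): runAsNonRoot and capability drops are deliberately
          # not set here. The image entrypoint presumably starts as root to
          # fix data-dir ownership before switching user; confirm against
          # the image before tightening further.
          securityContext:
            allowPrivilegeEscalation: false
          ports:
            - containerPort: 5432
          env:
            - name: POSTGRES_DB
              value: immich
            - name: POSTGRES_USER
              value: immich
            # The password comes from a Secret rather than a literal in
            # this manifest, so the file can be committed safely.
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: immich-db-secret
                  key: password
          resources:
            requests:
              cpu: 100m
              memory: 512Mi
            limits:
              memory: 2Gi
          # Liveness: with a 30s period and 6 allowed failures, the
          # container is restarted only after roughly three minutes of
          # failed pg_isready checks.
          livenessProbe:
            exec:
              command:
                - /bin/sh
                - -c
                - pg_isready -U immich -d immich
            initialDelaySeconds: 60
            periodSeconds: 30
            timeoutSeconds: 10
            failureThreshold: 6
          # Readiness: gates Service traffic until postgres accepts
          # connections for the immich database.
          readinessProbe:
            exec:
              command:
                - /bin/sh
                - -c
                - pg_isready -U immich -d immich
            initialDelaySeconds: 15
            periodSeconds: 10
            timeoutSeconds: 5
            failureThreshold: 6
          volumeMounts:
            - name: postgres-data
              mountPath: /var/lib/postgresql/data
      volumes:
        - name: postgres-data
          persistentVolumeClaim:
            claimName: immich-postgres-pvc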
---
# In-cluster endpoint for the Immich PostgreSQL pod.
apiVersion: v1
kind: Service
metadata:
  name: immich-postgres
  namespace: services
spec:
  # ClusterIP is what the API server defaults to when type is omitted;
  # stating it makes clear the database is not meant to be exposed outside
  # the cluster. No NetworkPolicy is visible in this file, so any pod in
  # the cluster can reach 5432 unless ingress is restricted elsewhere.
  type: ClusterIP
  selector:
    app: immich-postgres
  ports:
    - port: 5432
      targetPort: 5432
      protocol: TCP