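# Single-replica PostgreSQL StatefulSet for the invy chart.
#
# Inputs: the "invy.fullname" / "invy.labels" / "invy.selectorLabels" named
# templates and .Values.postgres.{image,port,resources,persistence}.
# Credentials are read from the <fullname>-secrets Secret; the schema init
# script is mounted from the <fullname>-db-schema ConfigMap.
# The listening port is taken from .Values.postgres.port everywhere (container
# port AND probes) so that overriding it in values cannot leave the probes
# pointing at a port the server is not listening on.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: {{ include "invy.fullname" . }}-db
  labels:
    {{- include "invy.labels" . | nindent 4 }}
    app.kubernetes.io/component: database
spec:
  serviceName: {{ include "invy.fullname" . }}-db-headless
  replicas: 1
  selector:
    matchLabels:
      {{- include "invy.selectorLabels" . | nindent 6 }}
      app.kubernetes.io/component: database
  template:
    metadata:
      labels:
        {{- include "invy.selectorLabels" . | nindent 8 }}
        app.kubernetes.io/component: database
    spec:
      securityContext:
        # Group ownership for the mounted volumes; matches the postgres uid/gid
        # used by the init container and the main container below.
        fsGroup: 999
      initContainers:
        # Runs as root (runAsUser: 0) only to take ownership of the data
        # directory, which fsGroup alone does not guarantee on every volume
        # backend. Both commands are "|| true": a failure here is deliberately
        # not fatal, so a real permission problem surfaces in the postgres
        # container's own logs instead of a CrashLoop on the init step.
        # TODO(review): pin the busybox image to a fixed tag or digest instead
        # of ":latest" so the init step is reproducible and auditable.
        - name: fix-permissions
          image: busybox:latest
          command:
            - sh
            - -c
            - |
              chown -R 999:999 /var/lib/postgresql/data || true
              chmod 700 /var/lib/postgresql/data || true
          volumeMounts:
            - name: postgres-data
              mountPath: /var/lib/postgresql/data
          securityContext:
            runAsUser: 0
      containers:
        - name: postgres
          securityContext:
            runAsUser: 999
            runAsNonRoot: true
            # The server is started directly as uid 999 and needs no Linux
            # capabilities, so privilege escalation and all caps are dropped.
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          image: "{{ .Values.postgres.image.repository }}:{{ .Values.postgres.image.tag }}"
          imagePullPolicy: {{ .Values.postgres.image.pullPolicy }}
          ports:
            - name: postgres
              containerPort: {{ .Values.postgres.port }}
              protocol: TCP
          env:
            # All three come from the chart's Secret; never inline them here.
            - name: POSTGRES_USER
              valueFrom:
                secretKeyRef:
                  name: {{ include "invy.fullname" . }}-secrets
                  key: postgres-user
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: {{ include "invy.fullname" . }}-secrets
                  key: postgres-password
            - name: POSTGRES_DB
              valueFrom:
                secretKeyRef:
                  name: {{ include "invy.fullname" . }}-secrets
                  key: postgres-database
            # The cluster is initialised in a subdirectory of the mount, not at
            # the mount root itself.
            - name: PGDATA
              value: /var/lib/postgresql/data/pgdata
          volumeMounts:
            - name: postgres-data
              mountPath: /var/lib/postgresql/data
            - name: postgres-run
              mountPath: /var/run/postgresql
            - name: init-script
              mountPath: /docker-entrypoint-initdb.d
          resources:
            {{- toYaml .Values.postgres.resources | nindent 12 }}
          # Health probes aligned with tasko-chart approach
          # Use TCP localhost instead of Unix socket to avoid permission issues
          # Fixed shell variable expansion: $POSTGRES_USER not $(POSTGRES_USER)
          # The probe port is templated from .Values.postgres.port to stay in
          # sync with containerPort above.
          startupProbe:
            exec:
              command:
                - sh
                - -c
                - pg_isready -h 127.0.0.1 -p {{ .Values.postgres.port }} -U "$POSTGRES_USER"
            initialDelaySeconds: 10
            periodSeconds: 5
            timeoutSeconds: 5
            failureThreshold: 30  # Allow up to 150s for slow NFS startup
          livenessProbe:
            exec:
              command:
                - sh
                - -c
                - pg_isready -h 127.0.0.1 -p {{ .Values.postgres.port }} -U "$POSTGRES_USER"
            initialDelaySeconds: 30
            periodSeconds: 10
            timeoutSeconds: 5
            failureThreshold: 3
          readinessProbe:
            exec:
              command:
                - sh
                - -c
                - pg_isready -h 127.0.0.1 -p {{ .Values.postgres.port }} -U "$POSTGRES_USER"
            initialDelaySeconds: 5
            periodSeconds: 5
            timeoutSeconds: 3
            failureThreshold: 3
      volumes:
        - name: init-script
          configMap:
            name: {{ include "invy.fullname" . }}-db-schema
        # Socket directory; kept writable via emptyDir because the image's
        # default location is not writable as uid 999.
        - name: postgres-run
          emptyDir: {}
        {{- if .Values.postgres.persistence.enabled }}
  # Persistent branch: one PVC per replica, claimed from the template below.
  volumeClaimTemplates:
    - metadata:
        name: postgres-data
      spec:
        accessModes:
          - {{ .Values.postgres.persistence.accessMode }}
        {{- if .Values.postgres.persistence.storageClass }}
        storageClassName: {{ .Values.postgres.persistence.storageClass }}
        {{- end }}
        resources:
          requests:
            storage: {{ .Values.postgres.persistence.size }}
        {{- else }}
        # Non-persistent branch: data lives in an emptyDir and is lost when
        # the pod is rescheduled. Rendered as an additional entry of
        # template.spec.volumes above.
        - name: postgres-data
          emptyDir: {}
        {{- end }}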