Skip to content

helm: use StatefulSet with PVC for persistent storage#48

Merged
wasaga merged 9 commits intomainfrom
dmishin/helm-statefulset-pvc
Apr 10, 2026
Merged

helm: use StatefulSet with PVC for persistent storage#48
wasaga merged 9 commits intomainfrom
dmishin/helm-statefulset-pvc

Conversation

@wasaga
Copy link
Copy Markdown
Contributor

@wasaga wasaga commented Apr 9, 2026

Summary

  • Default workload is now a StatefulSet with a PVC, so databroker state and bootstrap config persist across pod restarts
  • Bootstrap config writes to the PVC (file:///data/bootstrap.dat) instead of a Kubernetes Secret, removing the need for secret-patch RBAC
  • Previous Deployment behavior is available via persistence.enabled: false for users with external storage (e.g. PostgreSQL)

New values.yaml options

Parameter Default Description
persistence.enabled true StatefulSet + PVC when true, Deployment when false
persistence.storageClass "" Storage class (empty = cluster default)
persistence.size 1Gi PVC size
persistence.accessModes [ReadWriteOnce] PVC access modes

Test plan

  • make test passes (35 unit tests via helm template + yq)
  • helm template . --set pomeriumZeroToken=t renders StatefulSet with PVC
  • helm template . --set pomeriumZeroToken=t --set persistence.enabled=false renders Deployment with secret-based bootstrap
  • Deploy to a test cluster and verify PVC is created and data persists across pod restart

@wasaga
helm: use StatefulSet with PVC for persistent storage
fffd338 
Switch the default workload from Deployment to StatefulSet with a
PersistentVolumeClaim, so databroker state and bootstrap config
survive pod restarts. Bootstrap config is now written to the PVC
instead of a Kubernetes Secret, removing the need for secret-patch
RBAC.

The previous Deployment behavior is preserved behind
`persistence.enabled: false` for users who don't need local storage
(e.g. when using an external databroker like PostgreSQL).

New values:
  persistence.enabled (default: true)
  persistence.storageClass
  persistence.size (default: 1Gi)
  persistence.accessModes (default: [ReadWriteOnce])
@wasaga wasaga requested review from a team as code owners April 9, 2026 23:46
@wasaga wasaga requested a review from kralicky April 9, 2026 23:46
wasaga added 2 commits April 9, 2026 19:54
@wasaga
helm: create namespace by default
a2fbc10 
Add createNamespace value (default: true) that renders a Namespace
resource, so users no longer need --create-namespace on install.
Set createNamespace: false if managing the namespace externally.
@wasaga
helm: bump pomerium to v0.32.5
98f89e6
@wasaga wasaga merged commit 16d43a5 into main Apr 10, 2026
2 checks passed
@wasaga wasaga deleted the dmishin/helm-statefulset-pvc branch April 10, 2026 14:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@calebdoxsey calebdoxsey calebdoxsey approved these changes

@kralicky kralicky Awaiting requested review from kralicky kralicky is a code owner automatically assigned from pomerium/dev-backend

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@wasaga @calebdoxsey