projecthelena · JesusPaz · Feb 14, 2026 · Feb 14, 2026
diff --git a/charts/warden/Chart.yaml b/charts/warden/Chart.yaml
@@ -16,8 +16,3 @@ keywords:
 maintainers:
   - name: Project Helena
     email: jesus@projecthelena.com
-dependencies:
-  - name: postgresql
-    version: "~16"
-    repository: https://charts.bitnami.com/bitnami
-    condition: database.postgres.enabled
diff --git a/charts/warden/README.md b/charts/warden/README.md
@@ -26,24 +26,22 @@ database:
       size: 1Gi
 ```
 
-### Internal PostgreSQL (subchart)
+### Internal PostgreSQL
 
-Deploys a Bitnami PostgreSQL pod alongside Warden. Requires `helm dependency update` first.
-
-```sh
-helm dependency update charts/warden
-```
+Deploys a PostgreSQL StatefulSet alongside Warden using the official `postgres:18` image.
 
 ```yaml
 database:
   type: postgres
   postgres:
     enabled: true
-postgresql:
-  auth:
-    username: warden
-    password: "my-secret-password"
-    database: warden
+    auth:
+      username: warden
+      password: "my-secret-password"   # auto-generated if omitted
+      database: warden
+    persistence:
+      enabled: true
+      size: 5Gi
 ```
 
 ### External PostgreSQL

diff --git a/charts/warden/templates/deployment.yaml b/charts/warden/templates/deployment.yaml
@@ -80,13 +80,11 @@ spec:
                   name: {{ $fullName }}
                   key: db-url
             {{- else }}
-            - name: PG_PASSWORD
+            - name: DB_URL
               valueFrom:
                 secretKeyRef:
-                  name: {{ .Release.Name }}-postgresql
-                  key: password
-            - name: DB_URL
-              value: "postgres://{{ .Values.postgresql.auth.username }}:$(PG_PASSWORD)@{{ .Release.Name }}-postgresql:5432/{{ .Values.postgresql.auth.database }}?sslmode=disable"
+                  name: {{ $fullName }}-postgresql
+                  key: db-url
             {{- end }}
             {{- end }}
             - name: COOKIE_SECURE

diff --git a/charts/warden/templates/postgresql-secret.yaml b/charts/warden/templates/postgresql-secret.yaml
@@ -0,0 +1,27 @@
+{{- if .Values.database.postgres.enabled }}
+{{- $fullName := include "warden.fullname" . -}}
+{{- $secretName := printf "%s-postgresql" $fullName -}}
+{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace $secretName -}}
+{{- $rawPassword := "" -}}
+{{- if .Values.database.postgres.auth.password -}}
+  {{- $rawPassword = .Values.database.postgres.auth.password -}}
+{{- else if and $existingSecret (index $existingSecret.data "password") -}}
+  {{- $rawPassword = (index $existingSecret.data "password" | b64dec) -}}
+{{- else -}}
+  {{- $rawPassword = (randAlphaNum 16) -}}
+{{- end -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+  labels:
+    {{- include "warden.labels" . | nindent 4 }}
+    app.kubernetes.io/component: postgresql
+    {{- with .Values.commonLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+type: Opaque
+data:
+  password: {{ $rawPassword | b64enc }}
+  db-url: {{ printf "postgres://%s:%s@%s-postgresql:%v/%s?sslmode=disable" .Values.database.postgres.auth.username $rawPassword $fullName (int .Values.database.postgres.service.port) .Values.database.postgres.auth.database | b64enc }}
+{{- end }}
diff --git a/charts/warden/templates/postgresql-service.yaml b/charts/warden/templates/postgresql-service.yaml
@@ -0,0 +1,21 @@
+{{- if .Values.database.postgres.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "warden.fullname" . }}-postgresql
+  labels:
+    {{- include "warden.labels" . | nindent 4 }}
+    app.kubernetes.io/component: postgresql
+    {{- with .Values.commonLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  type: ClusterIP
+  ports:
+    - name: postgresql
+      port: {{ .Values.database.postgres.service.port }}
+      targetPort: postgresql
+  selector:
+    {{- include "warden.selectorLabels" . | nindent 4 }}
+    app.kubernetes.io/component: postgresql
+{{- end }}
diff --git a/charts/warden/templates/postgresql-statefulset.yaml b/charts/warden/templates/postgresql-statefulset.yaml
@@ -0,0 +1,69 @@
+{{- if .Values.database.postgres.enabled }}
+{{- $fullName := include "warden.fullname" . -}}
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: {{ $fullName }}-postgresql
+  labels:
+    {{- include "warden.labels" . | nindent 4 }}
+    app.kubernetes.io/component: postgresql
+    {{- with .Values.commonLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  serviceName: {{ $fullName }}-postgresql
+  replicas: 1
+  selector:
+    matchLabels:
+      {{- include "warden.selectorLabels" . | nindent 6 }}
+      app.kubernetes.io/component: postgresql
+  template:
+    metadata:
+      labels:
+        {{- include "warden.selectorLabels" . | nindent 8 }}
+        app.kubernetes.io/component: postgresql
+    spec:
+      containers:
+        - name: postgresql
+          image: "{{ .Values.database.postgres.image.repository }}:{{ .Values.database.postgres.image.tag }}"
+          imagePullPolicy: {{ .Values.database.postgres.image.pullPolicy }}
+          ports:
+            - name: postgresql
+              containerPort: 5432
+          env:
+            - name: POSTGRES_USER
+              value: {{ .Values.database.postgres.auth.username | quote }}
+            - name: POSTGRES_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $fullName }}-postgresql
+                  key: password
+            - name: POSTGRES_DB
+              value: {{ .Values.database.postgres.auth.database | quote }}
+            - name: PGDATA
+              value: /var/lib/postgresql/data/pgdata
+          volumeMounts:
+            - name: data
+              mountPath: /var/lib/postgresql/data
+          resources:
+            {{- toYaml .Values.database.postgres.resources | nindent 12 }}
+      {{- if not .Values.database.postgres.persistence.enabled }}
+      volumes:
+        - name: data
+          emptyDir: {}
+      {{- end }}
+  {{- if .Values.database.postgres.persistence.enabled }}
+  volumeClaimTemplates:
+    - metadata:
+        name: data
+      spec:
+        accessModes:
+          - {{ .Values.database.postgres.persistence.accessMode }}
+        resources:
+          requests:
+            storage: {{ .Values.database.postgres.persistence.size }}
+        {{- if .Values.database.postgres.persistence.storageClass }}
+        storageClassName: {{ .Values.database.postgres.persistence.storageClass | quote }}
+        {{- end }}
+  {{- end }}
+{{- end }}
diff --git a/charts/warden/values.schema.json b/charts/warden/values.schema.json
@@ -160,7 +160,43 @@
         "postgres": {
           "type": "object",
           "properties": {
-            "enabled": { "type": "boolean" }
+            "enabled": { "type": "boolean" },
+            "image": {
+              "type": "object",
+              "properties": {
+                "repository": { "type": "string" },
+                "tag": { "type": "string" },
+                "pullPolicy": { "type": "string" }
+              },
+              "additionalProperties": false
+            },
+            "auth": {
+              "type": "object",
+              "properties": {
+                "username": { "type": "string" },
+                "password": { "type": "string" },
+                "database": { "type": "string" }
+              },
+              "additionalProperties": false
+            },
+            "persistence": {
+              "type": "object",
+              "properties": {
+                "enabled": { "type": "boolean" },
+                "size": { "type": "string" },
+                "accessMode": { "type": "string" },
+                "storageClass": { "type": "string" }
+              },
+              "additionalProperties": false
+            },
+            "resources": { "type": "object" },
+            "service": {
+              "type": "object",
+              "properties": {
+                "port": { "type": "integer" }
+              },
+              "additionalProperties": false
+            }
           },
           "additionalProperties": false
         },
@@ -177,14 +213,6 @@
       },
       "additionalProperties": false
     },
-    "postgresql": {
-      "type": "object",
-      "additionalProperties": true
-    },
-    "global": {
-      "type": "object",
-      "additionalProperties": true
-    },
     "env": {
       "type": "object",
       "additionalProperties": { "type": "string" }

diff --git a/charts/warden/values.yaml b/charts/warden/values.yaml
@@ -85,9 +85,34 @@ database:
       size: 1Gi
       storageClass: ""
 
-  # Internal PostgreSQL subchart (only when type=postgres)
+  # Internal PostgreSQL (only when type=postgres)
   postgres:
     enabled: false
+    image:
+      repository: postgres
+      tag: "18"
+      pullPolicy: IfNotPresent
+    auth:
+      username: warden
+      # Auto-generated (alphanumeric) when empty. If set manually, avoid
+      # URL-unsafe characters (@, :, /, ?, #) as the value is embedded
+      # in a postgres:// connection string.
+      password: ""
+      database: warden
+    persistence:
+      enabled: true
+      size: 5Gi
+      accessMode: ReadWriteOnce
+      storageClass: ""
+    resources:
+      requests:
+        cpu: 100m
+        memory: 256Mi
+      limits:
+        cpu: 500m
+        memory: 512Mi
+    service:
+      port: 5432
 
   # External PostgreSQL (only when type=postgres)
   external:
@@ -96,15 +121,6 @@ database:
     existingSecret: ""
     existingSecretKey: "db-url"
 
-# Bitnami PostgreSQL subchart values
-# Only used when database.postgres.enabled=true
-# Password is auto-generated by the subchart and stored in a Secret.
-# Set postgresql.auth.password explicitly only if you need a known value.
-postgresql:
-  auth:
-    username: warden
-    database: warden
-
 env: {}
 extraEnv: []