Skip to Content
DeploymentPostgreSQL Database

PostgreSQL Database

Classifyre requires a PostgreSQL (14+) database to store application configuration, scan schedules, runner execution logs, and detected security findings.

Our official Helm chart supports three deployment modes for the database, configured via the postgres.mode value:

  1. Embedded Database (default, for test/evaluation)
  2. External Database (recommended for production)
  3. CloudNativePG (CNPG) Operator (for cloud-native high availability)

Database Modes

Embedded PostgreSQL (postgres.mode: embedded)

In embedded mode, the Helm chart deploys a single PostgreSQL pod within your cluster namespace.

  • Usecase: Evaluations, sales demos, and local development.
  • Persistence: Enabled by default via a PersistentVolumeClaim (postgres.embedded.persistence.size: 20Gi).
  • Configuration Group: postgres.embedded.*
postgres:
  mode: embedded
  embedded:
    image:
      repository: postgres
      tag: "18"
    persistence:
      enabled: true
      size: 20Gi

Not for Production: Embedded mode runs a single database pod without replicas, automated backups, or high availability. Do not use this mode for production workloads.


Connection Security (SSL)

You can enforce SSL mode for the connection between the NestJS API and the database using postgres.connection.sslMode.

Available options:

  • disable (default for local environments/embedded mode)
  • require (establishes SSL but does not verify CA)
  • verify-ca (verifies the server CA certificate)
  • verify-full (verifies both the server CA certificate and host name matches)
postgres:
  connection:
    sslMode: require

Credentials Management

For security, we highly recommend storing database passwords in pre-created Kubernetes Secrets rather than passing them in plain-text inside your Helm values file.

Using standard Kubernetes Secrets

Provide the name of the secret and the key hosting the password:

postgres:
  external:
    existingSecret: "my-custom-secret"
    existingSecretPasswordKey: "postgres-password"

Direct connection URI override

Alternatively, you can supply a pre-formatted DATABASE_URL string inside an existing secret:

postgres:
  external:
    existingSecret: "my-custom-secret"
    existingSecretUrlKey: "DATABASE_URL"
Last updated on