PostgreSQL Database
Classifyre requires a PostgreSQL (14+) database to store application configuration, scan schedules, runner execution logs, and detected security findings.
Our official Helm chart supports three deployment modes for the database, configured via the postgres.mode value:
- Embedded Database (default, for test/evaluation)
- External Database (recommended for production)
- CloudNativePG (CNPG) Operator (for cloud-native high availability)
Database Modes
Embedded
Embedded PostgreSQL (postgres.mode: embedded)
In embedded mode, the Helm chart deploys a single PostgreSQL pod within your cluster namespace.
- Usecase: Evaluations, sales demos, and local development.
- Persistence: Enabled by default via a PersistentVolumeClaim (
postgres.embedded.persistence.size: 20Gi). - Configuration Group:
postgres.embedded.*
postgres:
mode: embedded
embedded:
image:
repository: postgres
tag: "18"
persistence:
enabled: true
size: 20GiNot for Production: Embedded mode runs a single database pod without replicas, automated backups, or high availability. Do not use this mode for production workloads.
Connection Security (SSL)
You can enforce SSL mode for the connection between the NestJS API and the database using postgres.connection.sslMode.
Available options:
disable(default for local environments/embedded mode)require(establishes SSL but does not verify CA)verify-ca(verifies the server CA certificate)verify-full(verifies both the server CA certificate and host name matches)
postgres:
connection:
sslMode: requireCredentials Management
For security, we highly recommend storing database passwords in pre-created Kubernetes Secrets rather than passing them in plain-text inside your Helm values file.
Using standard Kubernetes Secrets
Provide the name of the secret and the key hosting the password:
postgres:
external:
existingSecret: "my-custom-secret"
existingSecretPasswordKey: "postgres-password"Direct connection URI override
Alternatively, you can supply a pre-formatted DATABASE_URL string inside an existing secret:
postgres:
external:
existingSecret: "my-custom-secret"
existingSecretUrlKey: "DATABASE_URL"