# PersistentVolumeClaims for privacyIDEA (namespace: mfa)
#
# privacyidea-data — /etc/privacyidea/
#   Holds: enckey, audit signing keys, and any runtime PI config.
#   PI auto-generates missing key material here on first start.
#   Run enckey-bootstrap.sh after first deploy to extract keys into
#   KeePassXC and K8s Secrets (disaster recovery copies).
#
# privacyidea-logs — /var/log/privacyidea/
#   Application log files; separate PVC keeps data PVC clean.
#
# Adjust storage sizes before production deployment.

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: privacyidea-data
  namespace: mfa
  labels:
    app.kubernetes.io/part-of: net-kingdom-sso-mfa
    net-kingdom/component: mfa
spec:
  accessModes: [ReadWriteOnce]
  resources:
    requests:
      storage: 5Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: privacyidea-logs
  namespace: mfa
  labels:
    app.kubernetes.io/part-of: net-kingdom-sso-mfa
    net-kingdom/component: mfa
spec:
  accessModes: [ReadWriteOnce]
  resources:
    requests:
      storage: 2Gi