diff --git a/charts/supabase/Chart.yaml b/charts/supabase/Chart.yaml index d7b9a1f..b83d342 100644 --- a/charts/supabase/Chart.yaml +++ b/charts/supabase/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.0 +version: 0.1.1 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/charts/supabase/templates/analytics/deployment.yaml b/charts/supabase/templates/analytics/deployment.yaml index 3f11bb9..3c4f585 100644 --- a/charts/supabase/templates/analytics/deployment.yaml +++ b/charts/supabase/templates/analytics/deployment.yaml @@ -42,8 +42,13 @@ spec: - name: DB_USER valueFrom: secretKeyRef: + {{- if .Values.secret.db.secretRef }} + name: {{ .Values.secret.db.secretRef }} + key: {{ .Values.secret.db.secretRefKey.username | default "username" }} + {{- else }} name: {{ include "supabase.secret.db" . }} key: username + {{- end }} - name: DB_PORT value: {{ .Values.analytics.environment.DB_PORT | quote }} command: ["/bin/sh", "-c"] 
@@ -72,23 +77,43 @@ spec: - name: DB_PASSWORD valueFrom: secretKeyRef: + {{- if .Values.secret.db.secretRef }} + name: {{ .Values.secret.db.secretRef }} + key: {{ .Values.secret.db.secretRefKey.password | default "password" }} + {{- else }} name: {{ include "supabase.secret.db" . }} key: password + {{- end }} - name: DB_PASSWORD_ENC valueFrom: secretKeyRef: + {{- if .Values.secret.db.secretRef }} + name: {{ .Values.secret.db.secretRef }} + key: {{ .Values.secret.db.secretRefKey.password | default "password" }} + {{- else }} name: {{ include "supabase.secret.db" . }} key: password_encoded + {{- end }} - name: DB_DATABASE valueFrom: secretKeyRef: + {{- if .Values.secret.db.secretRef }} + name: {{ .Values.secret.db.secretRef }} + key: {{ .Values.secret.db.secretRefKey.database | default "database" }} + {{- else }} name: {{ include "supabase.secret.db" . }} key: database + {{- end }} - name: LOGFLARE_API_KEY valueFrom: secretKeyRef: + {{- if .Values.secret.analytics.secretRef }} + name: {{ .Values.secret.analytics.secretRef }} + key: {{ .Values.secret.analytics.secretRefKey.apiKey | default "apiKey" }} + {{- else }} name: {{ include "supabase.secret.analytics" . }} key: apiKey + {{- end }} {{- if .Values.analytics.bigQuery.enabled }} - name: GOOGLE_PROJECT_ID value: {{ .Values.analytics.bigQuery.projectId | quote }} diff --git a/charts/supabase/templates/auth/deployment.yaml b/charts/supabase/templates/auth/deployment.yaml index b2ee0b4..f383045 100644 --- a/charts/supabase/templates/auth/deployment.yaml +++ b/charts/supabase/templates/auth/deployment.yaml @@ -42,8 +42,13 @@ spec: - name: DB_USER valueFrom: secretKeyRef: + {{- if .Values.secret.db.secretRef }} + name: {{ .Values.secret.db.secretRef }} + key: {{ .Values.secret.db.secretRefKey.username | default "username" }} + {{- else }} name: {{ include "supabase.secret.db" . }} key: username + {{- end }} - name: DB_PORT value: {{ .Values.auth.environment.DB_PORT | quote }} command: ["/bin/sh", "-c"] 
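Review bot: In the `secretRef` branch of `DB_PASSWORD_ENC` in analytics/deployment.yaml the key falls back to the raw `password`, whereas the chart-managed Secret supplies `password_encoded`, which secrets/db.yaml builds with `urlquery`. The same branch is repeated in the auth, functions, rest and storage deployments, where `$(DB_PASSWORD_ENC)` is substituted into the userinfo part of a connection URL. With an existing Secret, a password containing `@`, `/`, `:` or `?` would therefore either fail to connect or be parsed with a different host or path. A separate overridable key keeps both paths equivalent: `key: {{ .Values.secret.db.secretRefKey.passwordEncoded | default "password_encoded" }}`, with the requirement that the referenced Secret carries a URL-encoded copy documented next to `secretRef` in values.yaml.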
@@ -72,18 +77,33 @@ spec: - name: DB_PASSWORD valueFrom: secretKeyRef: + {{- if .Values.secret.db.secretRef }} + name: {{ .Values.secret.db.secretRef }} + key: {{ .Values.secret.db.secretRefKey.password | default "password" }} + {{- else }} name: {{ include "supabase.secret.db" . }} key: password + {{- end }} - name: DB_PASSWORD_ENC valueFrom: secretKeyRef: + {{- if .Values.secret.db.secretRef }} + name: {{ .Values.secret.db.secretRef }} + key: {{ .Values.secret.db.secretRefKey.password | default "password" }} + {{- else }} name: {{ include "supabase.secret.db" . }} key: password_encoded + {{- end }} - name: DB_NAME valueFrom: secretKeyRef: + {{- if .Values.secret.db.secretRef }} + name: {{ .Values.secret.db.secretRef }} + key: {{ .Values.secret.db.secretRefKey.database | default "database" }} + {{- else }} name: {{ include "supabase.secret.db" . }} key: database + {{- end }} - name: GOTRUE_DB_DATABASE_URL value: $(DB_DRIVER)://$(DB_USER):$(DB_PASSWORD_ENC)@$(DB_HOST):$(DB_PORT)/$(DB_NAME)?search_path=auth&sslmode=$(DB_SSL) - name: GOTRUE_DB_DRIVER 
@@ -91,18 +111,33 @@ spec: - name: GOTRUE_JWT_SECRET valueFrom: secretKeyRef: + {{- if .Values.secret.jwt.secretRef }} + name: {{ .Values.secret.jwt.secretRef }} + key: {{ .Values.secret.jwt.secretRefKey.secret | default "secret" }} + {{- else }} name: {{ include "supabase.secret.jwt" . }} key: secret + {{- end }} - name: GOTRUE_SMTP_USER valueFrom: secretKeyRef: + {{- if .Values.secret.smtp.secretRef }} + name: {{ .Values.secret.smtp.secretRef }} + key: {{ .Values.secret.smtp.secretRefKey.username | default "username" }} + {{- else }} name: {{ include "supabase.secret.smtp" . }} key: username + {{- end }} - name: GOTRUE_SMTP_PASS valueFrom: secretKeyRef: + {{- if .Values.secret.smtp.secretRef }} + name: {{ .Values.secret.smtp.secretRef }} + key: {{ .Values.secret.smtp.secretRefKey.password | default "password" }} + {{- else }} name: {{ include "supabase.secret.smtp" . }} key: password + {{- end }} {{- with .Values.auth.livenessProbe }} livenessProbe: {{- toYaml . | nindent 12 }} diff --git a/charts/supabase/templates/db/deployment.yaml b/charts/supabase/templates/db/deployment.yaml index 13da44b..75f3c8e 100644 --- a/charts/supabase/templates/db/deployment.yaml +++ b/charts/supabase/templates/db/deployment.yaml 
@@ -66,28 +66,53 @@ spec: - name: POSTGRES_USER valueFrom: secretKeyRef: + {{- if .Values.secret.db.secretRef }} + name: {{ .Values.secret.db.secretRef }} + key: {{ .Values.secret.db.secretRefKey.username | default "username" }} + {{- else }} name: {{ include "supabase.secret.db" . }} key: username + {{- end }} - name: PGPASSWORD valueFrom: secretKeyRef: + {{- if .Values.secret.db.secretRef }} + name: {{ .Values.secret.db.secretRef }} + key: {{ .Values.secret.db.secretRefKey.password | default "password" }} + {{- else }} name: {{ include "supabase.secret.db" . }} key: password + {{- end }} - name: POSTGRES_PASSWORD valueFrom: secretKeyRef: + {{- if .Values.secret.db.secretRef }} + name: {{ .Values.secret.db.secretRef }} + key: {{ .Values.secret.db.secretRefKey.password | default "password" }} + {{- else }} name: {{ include "supabase.secret.db" . }} key: password + {{- end }} - name: PGDATABASE valueFrom: secretKeyRef: + {{- if .Values.secret.db.secretRef }} + name: {{ .Values.secret.db.secretRef }} + key: {{ .Values.secret.db.secretRefKey.database | default "database" }} + {{- else }} name: {{ include "supabase.secret.db" . }} key: database + {{- end }} - name: POSTGRES_DB valueFrom: secretKeyRef: + {{- if .Values.secret.db.secretRef }} + name: {{ .Values.secret.db.secretRef }} + key: {{ .Values.secret.db.secretRefKey.database | default "database" }} + {{- else }} name: {{ include "supabase.secret.db" . }} key: database + {{- end }} {{- with .Values.db.livenessProbe }} livenessProbe: {{- toYaml . | nindent 12 }} diff --git a/charts/supabase/templates/functions/deployment.yaml b/charts/supabase/templates/functions/deployment.yaml index 3bf7a7d..2272689 100644 --- a/charts/supabase/templates/functions/deployment.yaml +++ b/charts/supabase/templates/functions/deployment.yaml 
@@ -52,33 +52,63 @@ spec: - name: DB_PASSWORD valueFrom: secretKeyRef: + {{- if .Values.secret.db.secretRef }} + name: {{ .Values.secret.db.secretRef }} + key: {{ .Values.secret.db.secretRefKey.password | default "password" }} + {{- else }} name: {{ include "supabase.secret.db" . }} key: password + {{- end }} - name: DB_PASSWORD_ENC valueFrom: secretKeyRef: + {{- if .Values.secret.db.secretRef }} + name: {{ .Values.secret.db.secretRef }} + key: {{ .Values.secret.db.secretRefKey.password | default "password" }} + {{- else }} name: {{ include "supabase.secret.db" . }} key: password_encoded + {{- end }} - name: DB_DATABASE valueFrom: secretKeyRef: + {{- if .Values.secret.db.secretRef }} + name: {{ .Values.secret.db.secretRef }} + key: {{ .Values.secret.db.secretRefKey.database | default "database" }} + {{- else }} name: {{ include "supabase.secret.db" . }} key: database + {{- end }} - name: JWT_SECRET valueFrom: secretKeyRef: + {{- if .Values.secret.jwt.secretRef }} + name: {{ .Values.secret.jwt.secretRef }} + key: {{ .Values.secret.jwt.secretRefKey.secret | default "secret" }} + {{- else }} name: {{ include "supabase.secret.jwt" . }} key: secret + {{- end }} - name: SUPABASE_ANON_KEY valueFrom: secretKeyRef: + {{- if .Values.secret.jwt.secretRef }} + name: {{ .Values.secret.jwt.secretRef }} + key: {{ .Values.secret.jwt.secretRefKey.anonKey | default "anonKey" }} + {{- else }} name: {{ include "supabase.secret.jwt" . }} key: anonKey + {{- end }} - name: SUPABASE_SERVICE_ROLE_KEY valueFrom: secretKeyRef: + {{- if .Values.secret.jwt.secretRef }} + name: {{ .Values.secret.jwt.secretRef }} + key: {{ .Values.secret.jwt.secretRefKey.serviceKey | default "serviceKey" }} + {{- else }} name: {{ include "supabase.secret.jwt" . }} key: serviceKey + {{- end }} - name: POSTGRES_BACKEND_URL value: $(DB_DRIVER)://$(DB_USERNAME):$(DB_PASSWORD_ENC)@$(DB_HOSTNAME):$(DB_PORT)/$(DB_DATABASE)?search_path=auth&sslmode=$(DB_SSL) {{- with .Values.functions.livenessProbe }} 
diff --git a/charts/supabase/templates/kong/deployment.yaml b/charts/supabase/templates/kong/deployment.yaml index 173c470..fcedfbb 100644 --- a/charts/supabase/templates/kong/deployment.yaml +++ b/charts/supabase/templates/kong/deployment.yaml @@ -44,24 +44,44 @@ spec: - name: SUPABASE_ANON_KEY valueFrom: secretKeyRef: + {{- if .Values.secret.jwt.secretRef }} + name: {{ .Values.secret.jwt.secretRef }} + key: {{ .Values.secret.jwt.secretRefKey.anonKey | default "anonKey" }} + {{- else }} name: {{ include "supabase.secret.jwt" . }} key: anonKey + {{- end }} - name: SUPABASE_SERVICE_KEY valueFrom: secretKeyRef: + {{- if .Values.secret.jwt.secretRef }} + name: {{ .Values.secret.jwt.secretRef }} + key: {{ .Values.secret.jwt.secretRefKey.serviceKey | default "serviceKey" }} + {{- else }} name: {{ include "supabase.secret.jwt" . }} key: serviceKey + {{- end }} {{- if .Values.secret.dashboard }} - name: DASHBOARD_USERNAME valueFrom: secretKeyRef: + {{- if .Values.secret.dashboard.secretRef }} + name: {{ .Values.secret.dashboard.secretRef }} + key: {{ .Values.secret.dashboard.secretRefKey.username | default "username" }} + {{- else }} name: {{ include "supabase.secret.dashboard" . }} key: username + {{- end }} - name: DASHBOARD_PASSWORD valueFrom: secretKeyRef: + {{- if .Values.secret.dashboard.secretRef }} + name: {{ .Values.secret.dashboard.secretRef }} + key: {{ .Values.secret.dashboard.secretRefKey.password | default "password" }} + {{- else }} name: {{ include "supabase.secret.dashboard" . }} key: password + {{- end }} {{- end }} {{- with .Values.kong.livenessProbe }} livenessProbe: diff --git a/charts/supabase/templates/meta/deployment.yaml b/charts/supabase/templates/meta/deployment.yaml index 254371a..2dac17b 100644 --- a/charts/supabase/templates/meta/deployment.yaml +++ b/charts/supabase/templates/meta/deployment.yaml 
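Review bot: The outer `{{- if .Values.secret.dashboard }}` gate in kong/deployment.yaml no longer means "dashboard credentials are configured". values.yaml in this commit appears to add an uncommented `secretRefKey` map under `dashboard`, which makes that map non-empty by default. If that reading is right, `DASHBOARD_USERNAME` and `DASHBOARD_PASSWORD` are always emitted and, with nothing set, reference keys the generated Secret does not contain, so the container would fail to start and the documented "leave it empty to disable dashboard authentication" no longer works. Gate on the real inputs instead, for example `{{- if or .Values.secret.dashboard.secretRef .Values.secret.dashboard.username }}`. The `{{- if .Values.secret.smtp }}` and `{{- if .Values.secret.s3 }}` guards in the Secret templates are affected in the same way and would render Secrets with empty `data`.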
@@ -46,13 +46,23 @@ spec: - name: DB_PASSWORD valueFrom: secretKeyRef: + {{- if .Values.secret.db.secretRef }} + name: {{ .Values.secret.db.secretRef }} + key: {{ .Values.secret.db.secretRefKey.password | default "password" }} + {{- else }} name: {{ include "supabase.secret.db" . }} key: password + {{- end }} - name: DB_NAME valueFrom: secretKeyRef: + {{- if .Values.secret.db.secretRef }} + name: {{ .Values.secret.db.secretRef }} + key: {{ .Values.secret.db.secretRefKey.database | default "database" }} + {{- else }} name: {{ include "supabase.secret.db" . }} key: database + {{- end }} - name: PG_META_DB_HOST value: $(DB_HOST) - name: PG_META_DB_PORT diff --git a/charts/supabase/templates/realtime/deployment.yaml b/charts/supabase/templates/realtime/deployment.yaml index dcc0c04..4083a46 100644 --- a/charts/supabase/templates/realtime/deployment.yaml +++ b/charts/supabase/templates/realtime/deployment.yaml @@ -42,8 +42,13 @@ spec: - name: DB_USER valueFrom: secretKeyRef: + {{- if .Values.secret.db.secretRef }} + name: {{ .Values.secret.db.secretRef }} + key: {{ .Values.secret.db.secretRefKey.username | default "username" }} + {{- else }} name: {{ include "supabase.secret.db" . }} key: username + {{- end }} - name: DB_PORT value: {{ .Values.analytics.environment.DB_PORT | quote }} command: ["/bin/sh", "-c"] 
@@ -74,23 +79,43 @@ spec: - name: DB_PASSWORD valueFrom: secretKeyRef: + {{- if .Values.secret.db.secretRef }} + name: {{ .Values.secret.db.secretRef }} + key: {{ .Values.secret.db.secretRefKey.password | default "password" }} + {{- else }} name: {{ include "supabase.secret.db" . }} key: password + {{- end }} - name: DB_NAME valueFrom: secretKeyRef: + {{- if .Values.secret.db.secretRef }} + name: {{ .Values.secret.db.secretRef }} + key: {{ .Values.secret.db.secretRefKey.database | default "database" }} + {{- else }} name: {{ include "supabase.secret.db" . }} key: database + {{- end }} - name: JWT_SECRET valueFrom: secretKeyRef: + {{- if .Values.secret.jwt.secretRef }} + name: {{ .Values.secret.jwt.secretRef }} + key: {{ .Values.secret.jwt.secretRefKey.secret | default "secret" }} + {{- else }} name: {{ include "supabase.secret.jwt" . }} key: secret + {{- end }} - name: API_JWT_SECRET valueFrom: secretKeyRef: + {{- if .Values.secret.jwt.secretRef }} + name: {{ .Values.secret.jwt.secretRef }} + key: {{ .Values.secret.jwt.secretRefKey.secret | default "secret" }} + {{- else }} name: {{ include "supabase.secret.jwt" . }} key: secret + {{- end }} {{- with .Values.realtime.livenessProbe }} livenessProbe: {{- toYaml . | nindent 12 }} diff --git a/charts/supabase/templates/rest/deployment.yaml b/charts/supabase/templates/rest/deployment.yaml index 226527b..e877fa6 100644 --- a/charts/supabase/templates/rest/deployment.yaml +++ b/charts/supabase/templates/rest/deployment.yaml 
@@ -46,30 +46,55 @@ spec: - name: DB_PASSWORD valueFrom: secretKeyRef: + {{- if .Values.secret.db.secretRef }} + name: {{ .Values.secret.db.secretRef }} + key: {{ .Values.secret.db.secretRefKey.password | default "password" }} + {{- else }} name: {{ include "supabase.secret.db" . }} key: password + {{- end }} - name: DB_PASSWORD_ENC valueFrom: secretKeyRef: + {{- if .Values.secret.db.secretRef }} + name: {{ .Values.secret.db.secretRef }} + key: {{ .Values.secret.db.secretRefKey.password | default "password" }} + {{- else }} name: {{ include "supabase.secret.db" . }} key: password_encoded + {{- end }} - name: DB_NAME valueFrom: secretKeyRef: + {{- if .Values.secret.db.secretRef }} + name: {{ .Values.secret.db.secretRef }} + key: {{ .Values.secret.db.secretRefKey.database | default "database" }} + {{- else }} name: {{ include "supabase.secret.db" . }} key: database + {{- end }} - name: PGRST_DB_URI value: $(DB_DRIVER)://$(DB_USER):$(DB_PASSWORD_ENC)@$(DB_HOST):$(DB_PORT)/$(DB_NAME)?sslmode=$(DB_SSL) - name: PGRST_JWT_SECRET valueFrom: secretKeyRef: + {{- if .Values.secret.jwt.secretRef }} + name: {{ .Values.secret.jwt.secretRef }} + key: {{ .Values.secret.jwt.secretRefKey.secret | default "secret" }} + {{- else }} name: {{ include "supabase.secret.jwt" . }} key: secret - - name: JWT_EXPIRY + {{- end }} + - name: PGRST_APP_SETTINGS_JWT_SECRET valueFrom: secretKeyRef: + {{- if .Values.secret.jwt.secretRef }} + name: {{ .Values.secret.jwt.secretRef }} + key: {{ .Values.secret.jwt.secretRefKey.secret | default "secret" }} + {{- else }} name: {{ include "supabase.secret.jwt" . }} - key: expiry + key: secret + {{- end }} {{- with .Values.rest.livenessProbe }} livenessProbe: {{- toYaml . | nindent 12 }} diff --git a/charts/supabase/templates/secrets/_helpers.tpl b/charts/supabase/templates/secrets/_helpers.tpl index 1b167a8..61d74ec 100644 --- a/charts/supabase/templates/secrets/_helpers.tpl +++ b/charts/supabase/templates/secrets/_helpers.tpl 
@@ -39,3 +39,19 @@ Expand the name of the s3 secret. {{- define "supabase.secret.s3" -}} {{- printf "%s-s3" (include "supabase.fullname" .) }} {{- end -}} + +{{/* +Check if both s3 keys are valid +*/}} +{{- define "supabase.secret.s3.isValid" -}} +{{- $isValid := "false" -}} +{{- if .Values.secret.s3.keyId -}} +{{- if .Values.secret.s3.accessKey -}} +{{- printf "true" -}} +{{- else -}} +{{- printf "false" -}} +{{- end -}} +{{- else -}} +{{- printf "false" -}} +{{- end -}} +{{- end -}} diff --git a/charts/supabase/templates/secrets/analytics.yaml b/charts/supabase/templates/secrets/analytics.yaml index 83e7b42..b80f4f7 100644 --- a/charts/supabase/templates/secrets/analytics.yaml +++ b/charts/supabase/templates/secrets/analytics.yaml @@ -1,4 +1,4 @@ -{{- if .Values.secret.analytics }} +{{- if not .Values.secret.analytics.secretRef }} apiVersion: v1 kind: Secret metadata: @@ -8,6 +8,10 @@ metadata: type: Opaque data: {{- range $key, $value := .Values.secret.analytics }} +{{- if $value }} +{{- if eq (typeOf $value) "string" }} {{ $key }}: {{ $value | b64enc }} {{- end }} {{- end }} +{{- end }} +{{- end }} diff --git a/charts/supabase/templates/secrets/dashboard.yaml b/charts/supabase/templates/secrets/dashboard.yaml index f81ef57..cd99197 100644 --- a/charts/supabase/templates/secrets/dashboard.yaml +++ b/charts/supabase/templates/secrets/dashboard.yaml @@ -1,4 +1,5 @@ {{- if .Values.secret.dashboard }} +{{- if not .Values.secret.dashboard.secretRef }} apiVersion: v1 kind: Secret metadata: @@ -8,6 +9,11 @@ metadata: type: Opaque data: {{- range $key, $value := .Values.secret.dashboard }} +{{- if $value }} +{{- if eq (typeOf $value) "string" }} {{ $key }}: {{ $value | b64enc }} {{- end }} {{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/supabase/templates/secrets/db.yaml b/charts/supabase/templates/secrets/db.yaml index 1a6a26e..8cd9791 100644 --- a/charts/supabase/templates/secrets/db.yaml +++ b/charts/supabase/templates/secrets/db.yaml 
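Review bot: `supabase.secret.s3.isValid` only tests `keyId` and `accessKey` and ignores `secretRef`, so the new `secretRef` branch behind this gate in storage/deployment.yaml is unreachable unless the operator also puts placeholder credentials into values. That defeats the purpose of referencing an existing Secret and nudges people to keep real keys in values files. The helper should return true when either a `secretRef` is set or both inline keys are present. The `$isValid` variable is assigned and never read, and the nested `if` can collapse into one condition.

```gotemplate
{{- define "supabase.secret.s3.isValid" -}}
{{- $s3 := .Values.secret.s3 -}}
{{- if or $s3.secretRef (and $s3.keyId $s3.accessKey) -}}
{{- printf "true" -}}
{{- else -}}
{{- printf "false" -}}
{{- end -}}
{{- end -}}
```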
@@ -1,3 +1,4 @@ +{{- if not .Values.secret.db.secretRef }} apiVersion: v1 kind: Secret metadata: @@ -7,6 +8,11 @@ metadata: type: Opaque data: {{- range $key, $value := .Values.secret.db }} +{{- if $value }} +{{- if or (eq (typeOf $value) "string") (eq (typeOf $value) "numeric") }} {{ $key }}: {{ $value | b64enc }} +{{- end }} +{{- end }} {{- end }} password_encoded: {{ .Values.secret.db.password | urlquery | b64enc }} +{{- end }} diff --git a/charts/supabase/templates/secrets/jwt.yaml b/charts/supabase/templates/secrets/jwt.yaml index 5622d23..0b190a1 100644 --- a/charts/supabase/templates/secrets/jwt.yaml +++ b/charts/supabase/templates/secrets/jwt.yaml @@ -1,4 +1,5 @@ {{- if .Values.secret.jwt }} +{{- if not .Values.secret.jwt.secretRef }} apiVersion: v1 kind: Secret metadata: @@ -8,6 +9,11 @@ metadata: type: Opaque data: {{- range $key, $value := .Values.secret.jwt }} +{{- if $value }} +{{- if eq (typeOf $value) "string" }} {{ $key }}: {{ $value | toString | b64enc }} {{- end }} {{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/supabase/templates/secrets/s3.yaml b/charts/supabase/templates/secrets/s3.yaml index 1752e65..7421da4 100644 --- a/charts/supabase/templates/secrets/s3.yaml +++ b/charts/supabase/templates/secrets/s3.yaml @@ -1,4 +1,5 @@ {{- if .Values.secret.s3 }} +{{- if not .Values.secret.s3.secretRef }} apiVersion: v1 kind: Secret metadata: @@ -8,6 +9,11 @@ metadata: type: Opaque data: {{- range $key, $value := .Values.secret.s3 }} +{{- if $value }} +{{- if eq (typeOf $value) "string" }} {{ $key }}: {{ $value | toString | b64enc }} {{- end }} {{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/supabase/templates/secrets/smtp.yaml b/charts/supabase/templates/secrets/smtp.yaml index 38b70b7..05c3579 100644 --- a/charts/supabase/templates/secrets/smtp.yaml +++ b/charts/supabase/templates/secrets/smtp.yaml 
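Review bot: The `(eq (typeOf $value) "numeric")` arm in secrets/db.yaml never matches, because Sprig's `typeOf` returns Go type names such as `string`, `float64` or `int64`. A numeric `username`, `password` or `database` is therefore silently left out of the Secret, and the pods that reference that key fail later with a missing-key error instead of at render time. If it did match, `b64enc` would still receive a non-string. Filtering out only the nested map and stringifying the rest covers both cases: `{{- if not (kindIs "map" $value) }}` followed by `{{ $key }}: {{ $value | toString | b64enc }}`. The jwt, s3, smtp, analytics and dashboard templates use the string-only check and drop numeric values in the same way.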
@@ -1,4 +1,5 @@ {{- if .Values.secret.smtp }} +{{- if not .Values.secret.smtp.secretRef }} apiVersion: v1 kind: Secret metadata: @@ -8,6 +9,11 @@ metadata: type: Opaque data: {{- range $key, $value := .Values.secret.smtp }} +{{- if $value }} +{{- if eq (typeOf $value) "string" }} {{ $key }}: {{ $value | b64enc }} {{- end }} {{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/supabase/templates/storage/deployment.yaml b/charts/supabase/templates/storage/deployment.yaml index 5fe6d5d..b045429 100644 --- a/charts/supabase/templates/storage/deployment.yaml +++ b/charts/supabase/templates/storage/deployment.yaml @@ -43,8 +43,13 @@ spec: - name: DB_USER valueFrom: secretKeyRef: + {{- if .Values.secret.db.secretRef }} + name: {{ .Values.secret.db.secretRef }} + key: {{ .Values.secret.db.secretRefKey.username | default "username" }} + {{- else }} name: {{ include "supabase.secret.db" . }} key: username + {{- end }} - name: DB_PORT value: {{ .Values.analytics.environment.DB_PORT | quote }} command: ["/bin/sh", "-c"] 
@@ -102,50 +107,90 @@ spec: - name: DB_PASSWORD valueFrom: secretKeyRef: + {{- if .Values.secret.db.secretRef }} + name: {{ .Values.secret.db.secretRef }} + key: {{ .Values.secret.db.secretRefKey.password | default "password" }} + {{- else }} name: {{ include "supabase.secret.db" . }} key: password + {{- end }} - name: DB_PASSWORD_ENC valueFrom: secretKeyRef: + {{- if .Values.secret.db.secretRef }} + name: {{ .Values.secret.db.secretRef }} + key: {{ .Values.secret.db.secretRefKey.password | default "password" }} + {{- else }} name: {{ include "supabase.secret.db" . }} key: password_encoded + {{- end }} - name: DB_NAME valueFrom: secretKeyRef: + {{- if .Values.secret.db.secretRef }} + name: {{ .Values.secret.db.secretRef }} + key: {{ .Values.secret.db.secretRefKey.database | default "database" }} + {{- else }} name: {{ include "supabase.secret.db" . }} key: database + {{- end }} - name: DATABASE_URL value: $(DB_DRIVER)://$(DB_USER):$(DB_PASSWORD_ENC)@$(DB_HOST):$(DB_PORT)/$(DB_NAME)?search_path=auth&sslmode=$(DB_SSL) - name: PGRST_JWT_SECRET valueFrom: secretKeyRef: + {{- if .Values.secret.jwt.secretRef }} + name: {{ .Values.secret.jwt.secretRef }} + key: {{ .Values.secret.jwt.secretRefKey.secret | default "secret" }} + {{- else }} name: {{ include "supabase.secret.jwt" . }} key: secret + {{- end }} - name: ANON_KEY valueFrom: secretKeyRef: + {{- if .Values.secret.jwt.secretRef }} + name: {{ .Values.secret.jwt.secretRef }} + key: {{ .Values.secret.jwt.secretRefKey.anonKey | default "anonKey" }} + {{- else }} name: {{ include "supabase.secret.jwt" . }} key: anonKey + {{- end }} - name: SERVICE_KEY valueFrom: secretKeyRef: + {{- if .Values.secret.jwt.secretRef }} + name: {{ .Values.secret.jwt.secretRef }} + key: {{ .Values.secret.jwt.secretRefKey.serviceKey | default "serviceKey" }} + {{- else }} name: {{ include "supabase.secret.jwt" . 
}} key: serviceKey + {{- end }} {{- if .Values.imgproxy.enabled }} - name: IMGPROXY_URL value: http://{{ include "supabase.imgproxy.fullname" . }}:{{ .Values.imgproxy.service.port | int }} {{- end }} - {{- if .Values.secret.s3 }} + {{- if eq (include "supabase.secret.s3.isValid" .) "true" }} - name: AWS_ACCESS_KEY_ID valueFrom: secretKeyRef: + {{- if .Values.secret.s3.secretRef }} + name: {{ .Values.secret.s3.secretRef }} + key: {{ .Values.secret.s3.secretRefKey.keyId | default "keyId" }} + {{- else }} name: {{ include "supabase.secret.s3" . }} key: keyId + {{- end }} - name: AWS_SECRET_ACCESS_KEY valueFrom: secretKeyRef: + {{- if .Values.secret.s3.secretRef }} + name: {{ .Values.secret.s3.secretRef }} + key: {{ .Values.secret.s3.secretRefKey.keyId | default "accessKey" }} + {{- else }} name: {{ include "supabase.secret.s3" . }} key: accessKey + {{- end }} {{- end }} {{- if .Values.minio.enabled }} - name: GLOBAL_S3_ENDPOINT diff --git a/charts/supabase/templates/studio/deployment.yaml b/charts/supabase/templates/studio/deployment.yaml index 2d4ddc7..dc4d9f8 100644 --- a/charts/supabase/templates/studio/deployment.yaml +++ b/charts/supabase/templates/studio/deployment.yaml @@ -50,13 +50,23 @@ spec: - name: SUPABASE_ANON_KEY valueFrom: secretKeyRef: + {{- if .Values.secret.jwt.secretRef }} + name: {{ .Values.secret.jwt.secretRef }} + key: {{ .Values.secret.jwt.secretRefKey.anonKey | default "anonKey" }} + {{- else }} name: {{ include "supabase.secret.jwt" . }} key: anonKey + {{- end }} - name: SUPABASE_SERVICE_KEY valueFrom: secretKeyRef: + {{- if .Values.secret.jwt.secretRef }} + name: {{ .Values.secret.jwt.secretRef }} + key: {{ .Values.secret.jwt.secretRefKey.serviceKey | default "serviceKey" }} + {{- else }} name: {{ include "supabase.secret.jwt" . }} key: serviceKey + {{- end }} {{- if .Values.analytics.enabled }} - name: LOGFLARE_URL value: http://{{ include "supabase.analytics.fullname" . }}:{{ .Values.analytics.service.port }} 
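Review bot: The `secretRef` branch of `AWS_SECRET_ACCESS_KEY` in storage/deployment.yaml reads `.Values.secret.s3.secretRefKey.keyId`, which is the same lookup `AWS_ACCESS_KEY_ID` uses just above it. values.yaml in this commit sets `secretRefKey.keyId: keyId`, so the `default "accessKey"` fallback never applies and the secret access key is populated with the key ID. Storage then authenticates with a wrong credential, and an operator override of `secretRefKey.accessKey` is ignored. The line should read `key: {{ .Values.secret.s3.secretRefKey.accessKey | default "accessKey" }}`.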
diff --git a/charts/supabase/templates/test/db.yaml b/charts/supabase/templates/test/db.yaml index 4863f7a..296bcc3 100644 --- a/charts/supabase/templates/test/db.yaml +++ b/charts/supabase/templates/test/db.yaml @@ -28,8 +28,13 @@ spec: - name: DB_USER valueFrom: secretKeyRef: + {{- if .Values.secret.db.secretRef }} + name: {{ .Values.secret.db.secretRef }} + key: {{ .Values.secret.db.secretRefKey.username | default "username" }} + {{- else }} name: {{ include "supabase.secret.db" . }} key: username + {{- end }} - name: DB_PORT value: {{ .Values.auth.environment.DB_PORT | quote }} image: postgres:15-alpine diff --git a/charts/supabase/templates/test/secretrefs.yaml b/charts/supabase/templates/test/secretrefs.yaml new file mode 100644 index 0000000..51245ac --- /dev/null +++ b/charts/supabase/templates/test/secretrefs.yaml 
@@ -0,0 +1,79 @@ +{{- if .Values.debug }} +{{- if .Values.debug.secretRef }} +{{- if .Values.secret.jwt.secretRef }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Values.secret.jwt.secretRef }} + labels: + {{- include "supabase.labels" . | nindent 4 }} + annotations: + helm.sh/hook: pre-install +type: Opaque +data: + anonKey: ZXlKaGJHY2lPaUpJVXpJMU5pSXNJblI1Y0NJNklrcFhWQ0o5LmV5QWdDaUFnSUNBaWNtOXNaU0k2SUNKaGJtOXVJaXdLSUNBZ0lDSnBjM01pT2lBaWMzVndZV0poYzJVdFpHVnRieUlzQ2lBZ0lDQWlhV0YwSWpvZ01UWTBNVGMyT1RJd01Dd0tJQ0FnSUNKbGVIQWlPaUF4TnprNU5UTTFOakF3Q24wLmRjX1g1aVJfVlBfcVQwenNpeWpfSV9PWjJUOUZ0UlUyQkJOV044QnU0R0U= + serviceKey: ZXlKaGJHY2lPaUpJVXpJMU5pSXNJblI1Y0NJNklrcFhWQ0o5LmV5QWdDaUFnSUNBaWNtOXNaU0k2SUNKelpYSjJhV05sWDNKdmJHVWlMQW9nSUNBZ0ltbHpjeUk2SUNKemRYQmhZbUZ6WlMxa1pXMXZJaXdLSUNBZ0lDSnBZWFFpT2lBeE5qUXhOelk1TWpBd0xBb2dJQ0FnSW1WNGNDSTZJREUzT1RrMU16VTJNREFLZlEuRGFZbE5Fb1VyckVuMklnN3RxaWJTLVBISzV2Z3VzYmNibzdYMzZYVnQ0UQ== + secret: eW91ci1zdXBlci1zZWNyZXQtand0LXRva2VuLXdpdGgtYXQtbGVhc3QtMzItY2hhcmFjdGVycy1sb25n +{{- end }} +{{- if .Values.secret.smtp.secretRef }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Values.secret.smtp.secretRef }} + labels: + {{- include "supabase.labels" . | nindent 4 }} + annotations: + helm.sh/hook: pre-install +type: Opaque +data: + username: eW91ci1tYWlsQGV4YW1wbGUuY29t + password: ZXhhbXBsZTEyMzQ1Ng== +{{- end }} +{{- if .Values.secret.dashboard.secretRef }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Values.secret.dashboard.secretRef }} + labels: + {{- include "supabase.labels" . | nindent 4 }} + annotations: + helm.sh/hook: pre-install +type: Opaque +data: + username: c3VwYWJhc2U= + password: dGhpc19wYXNzd29yZF9pc19pbnNlY3VyZV9hbmRfc2hvdWxkX2JlX3VwZGF0ZWQ= +{{- end }} +{{- if .Values.secret.db.secretRef }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Values.secret.db.secretRef }} + labels: + {{- include "supabase.labels" . 
| nindent 4 }} + annotations: + helm.sh/hook: pre-install +type: Opaque +data: + username: cG9zdGdyZXM= + password: ZXhhbXBsZTEyMzQ1Ng== + database: cG9zdGdyZXM= +{{- end }} +{{- if .Values.secret.analytics.secretRef }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Values.secret.analytics.secretRef }} + labels: + {{- include "supabase.labels" . | nindent 4 }} + annotations: + helm.sh/hook: pre-install +type: Opaque +data: + apiKey: eW91ci1zdXBlci1zZWNyZXQtYW5kLWxvbmctbG9nZmxhcmUta2V5 +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/supabase/templates/vector/deployment.yaml b/charts/supabase/templates/vector/deployment.yaml index 5dae5fd..911ff08 100644 --- a/charts/supabase/templates/vector/deployment.yaml +++ b/charts/supabase/templates/vector/deployment.yaml @@ -52,8 +52,13 @@ spec: - name: LOGFLARE_API_KEY valueFrom: secretKeyRef: + {{- if .Values.secret.analytics.secretRef }} + name: {{ .Values.secret.analytics.secretRef }} + key: {{ .Values.secret.analytics.secretRefKey.apiKey | default "apiKey" }} + {{- else }} name: {{ include "supabase.secret.analytics" . }} key: apiKey + {{- end }} {{- end }} {{- with .Values.vector.livenessProbe }} livenessProbe: diff --git a/charts/supabase/values.example.yaml b/charts/supabase/values.example.yaml index 835c8b1..c8f46e0 100644 --- a/charts/supabase/values.example.yaml +++ b/charts/supabase/values.example.yaml @@ -138,6 +138,9 @@ vector: path: /health port: 9001 initialDelaySeconds: 3 + ## Vector requires logs from the control plane to function. + ## This is normally stored in /var/log/pods + ## Modify these values according to your environment. volumeMounts: - name: pod-logs mountPath: /var/log/pods diff --git a/charts/supabase/values.yaml b/charts/supabase/values.yaml index d4dca75..62dbe13 100644 --- a/charts/supabase/values.yaml +++ b/charts/supabase/values.yaml 
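Review bot: templates/test/secretrefs.yaml creates Secrets holding publicly known demo credentials (the base64 values decode to the sample JWT secret, `example123456` and similar) under the operator's own `secretRef` names, and nothing in the file says it is a CI fixture. It is gated only by `.Values.debug.secretRef`, which none of the values.yaml hunks on this page document. Because the objects are `pre-install` hooks with no delete policy, Helm does not track them as release resources and they remain after uninstall. I would add a header comment such as `{{/* CI fixture only: creates Secrets with publicly known demo credentials under the configured secretRef names; never enable debug.secretRef on a real cluster. */}}` and document `debug.secretRef` in values.yaml with the same warning. Consider also a `fail` guard or a distinct fixture name prefix, so that a stray `debug` block in a production values file cannot seed the JWT signing secret with the demo value.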
@@ -21,29 +21,65 @@ secret: anonKey: "" serviceKey: "" secret: "" - expiry: 3600 + # specify existing secret, which takes precedence over variables above + secretRef: "" + # override secret keys for existing secret refs + secretRefKey: + anonKey: anonKey + serviceKey: serviceKey + secret: secret # database credentials # these fields must be provided even if using external database db: username: "" password: "" database: "" + # specify existing secret, which takes precedence over variables above + secretRef: "" + # override secret keys for existing secret refs + secretRefKey: + username: username + password: password + database: database # analytics Logflare API key analytics: apiKey: "" + # specify existing secret, which takes precedence over variable above + secretRef: "" + # override secret keys for existing secret refs + secretRefKey: + apiKey: apiKey # smtp will be used to reference secret including smtp credentials smtp: # username: "" # password: "" + # specify existing secret, which takes precedence over variables above + # secretRef: "" + # override secret keys for existing secret refs + secretRefKey: + username: username + password: password # secret used to access the studio dashboard # leave it empty to disable dashboard authentication dashboard: # username: "" # password: "" + # specify existing secret, which takes precedence over variables above + # secretRef: "" + # override secret keys for existing secret refs + secretRefKey: + username: username + password: password # S3 credentials for storage object bucket s3: # keyId: "" # accessKey: "" + # specify existing secret, which takes precedence over variables above + # secretRef: "" + # override secret keys for existing secret refs + secretRefKey: + keyId: keyId + accessKey: accessKey # Optional: Postgres Database # A standalone Postgres database configured to work with Supabase services. 
@@ -87,6 +123,7 @@ db: POSTGRES_HOST: /var/run/postgresql PGPORT: "5432" POSTGRES_PORT: "5432" + JWT_EXP: 3600 # POSTGRES_HOST_AUTH_METHOD: md5 # Enable SSL for postgres by specifying paths for mounted certificate key pair # POSTGRES_SSL_CERT: /path/to/ssl/server.crt @@ -174,6 +211,8 @@ studio: STUDIO_PORT: "3000" SUPABASE_PUBLIC_URL: http://example.com NEXT_PUBLIC_ENABLE_LOGS: "true" + # Set value to bigquery to use Big Query backend for analytics + NEXT_ANALYTICS_BACKEND_PROVIDER: postgres # postgres, bigquery # volumeMounts: # - name: volume_name # mountPath: /path/to/my/secret @@ -348,6 +387,7 @@ rest: PGRST_DB_SCHEMAS: public,storage,graphql_public PGRST_DB_ANON_ROLE: anon PGRST_DB_USE_LEGACY_GUCS: false + PGRST_APP_SETTINGS_JWT_EXP: 3600 # volumeMounts: # - name: volume_name # mountPath: /path/to/my/secret