Skip to content

Fixing bootstrapping issues with migrations. #2047

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Fixing bootstrapping issues with migrations. #2047

wants to merge 1 commit into from

Conversation

siennathesane
Copy link

@siennathesane siennathesane commented Jun 8, 2025
edited
Loading

What kind of change does this PR introduce?

Big fix for #1729, #1848, #1983, and #2040 with an additional type fix.

What is the current behavior?

The auth service cannot be deployed in a net new environment on PostgreSQL 17.

What is the new behavior?

The service is running properly with PostgreSQL 17 in a cleanroom environment.

Additional context

Here is a redacted version of the terraform I used to deploy it with. I used my own container build with these fixes, ghcr.io/siennathesane/auth:v2.175.0, that you can use to verify the fix is valid, if you want.

locals {
  f2-auth-db-namespace = "auth"
}

resource "kubernetes_service_account" "f2-auth" {
  metadata {
    name      = "f2-auth"
    namespace = var.namespace
  }
}

resource "kubernetes_manifest" "f2-auth-db" {
  manifest = {
    "apiVersion" = "postgresql.cnpg.io/v1"
    "kind"       = "Database"
    "metadata" = {
      "name"      = "f2-auth-db"
      "namespace" = var.namespace
    }
    "spec" = {
      "cluster" = {
        "name" =  kubernetes_manifest.f2-cluster.object.metadata.name
      }
      "allowConnections" = true
      "name"             = local.f2-auth-db-namespace
      "owner"            = kubernetes_secret_v1.f2-auth-db.data.username
      "schemas" = [{
        "name"  = local.f2-auth-db-namespace
        "owner" = kubernetes_secret_v1.f2-auth-db.data.username
      }]
    }
  }
}

resource "kubernetes_config_map_v1" "f2-auth-initdb" {
  metadata {
    name      = "sql-commands"
    namespace = var.namespace
  }

  data = {
    "script.sql" = <<-EOT
    ALTER USER ${kubernetes_secret_v1.f2-auth-db.data.username} WITH LOGIN CREATEROLE CREATEDB REPLICATION BYPASSRLS;
    GRANT ${kubernetes_secret_v1.f2-auth-db.data.username} TO postgres;
    CREATE SCHEMA IF NOT EXISTS ${local.f2-auth-db-namespace} AUTHORIZATION ${kubernetes_secret_v1.f2-auth-db.data.username};
    GRANT CREATE ON DATABASE postgres TO ${kubernetes_secret_v1.f2-auth-db.data.username};
    ALTER USER ${kubernetes_secret_v1.f2-auth-db.data.username} SET search_path = '${local.f2-auth-db-namespace}';
    EOT
  }
}

resource "kubernetes_secret_v1" "f2-auth-db" {
  metadata {
    name      = "auth-db"
    namespace = var.namespace
    labels = {
      "cnpg.io/reload" = "true"
    }
  }

  data = {
    username = "[REDACTED]"
    password = random_password.f2-auth-db-password.result
    database = "auth"
  }

  type = "kubernetes.io/basic-auth"
}

resource "kubernetes_secret_v1" "f2-auth-jwt" {
  metadata {
    name      = "auth-jwt"
    namespace = var.namespace
  }

  data = {
    anonKey    = "[REDACTED]"
    secret     = "[REDACTED]"
    serviceKey = "[REDACTED]"
  }

  type = "Opaque"
}

resource "random_password" "f2-auth-db-password" {
  length           = 16
  special          = false
}

resource "kubernetes_deployment_v1" "f2-auth" {
  depends_on = [kubernetes_manifest.f2-auth-db]

  timeouts {
    create = "2m"
  }

  metadata {
    name = "f2auth"
    labels = {
      "f2.pub/app" = "auth-${var.environment}"
    }
    namespace = var.namespace
  }

  spec {
    replicas = 1

    selector {
      match_labels = {
        "f2.pub/app" = "auth-${var.environment}"
      }
    }

    template {
      metadata {
        labels = {
          "f2.pub/app" = "auth-${var.environment}"
        }
      }

      spec {
        image_pull_secrets { name = var.ghcr-pull-secret-name }

        init_container {
          name    = "init-db"
          image   = "postgres:17-alpine"
          command = ["psql", "-f", "/sql/script.sql"]

          env {
            name  = "PGHOST"
            value = "${kubernetes_manifest.f2-cluster.object.metadata.name}-rw"
          }

          env {
            name  = "PGPORT"
            value = "5432"
          }

          env {
            name  = "PGDATABASE"
            value = kubernetes_secret_v1.f2-auth-db.data.database
          }

          env {
            name  = "PGUSER"
            value = kubernetes_secret_v1.f2-auth-db.data.username
          }

          env {
            name  = "PGPASSWORD"
            value = kubernetes_secret_v1.f2-auth-db.data.password
          }

          volume_mount {
            name       = "sql-volume"
            mount_path = "/sql"
          }
        }

        volume {
          name = "sql-volume"

          config_map {
            name = kubernetes_config_map_v1.f2-auth-initdb.metadata[0].name
          }
        }

        container {
          image = "ghcr.io/siennathesane/auth:${var.goauth-version}"
          image_pull_policy = "Always"
          name  = "auth"

          resources {
            limits = {
              cpu    = "0.5"
              memory = "512Mi"
            }
            requests = {
              cpu    = "250m"
              memory = "50Mi"
            }
          }

          port {
            name           = "http"
            container_port = 9999
            protocol       = "TCP"
          }

          env {
            name  = "GOTRUE_DB_DRIVER"
            value = "postgres"
          }
          env {
            name  = "DB_NAMESPACE"
            value = "auth"
          }
          env {
            name  = "DATABASE_URL"
            value = "postgres://${kubernetes_secret_v1.f2-auth-db.data.username}:[REDACTED]@${ kubernetes_manifest.f2-cluster.object.metadata.name}-rw:5432/${kubernetes_secret_v1.f2-auth-db.data.database}"
          }
          env {
            name = "GOTRUE_JWT_SECRET"
            value_from {
              secret_key_ref {
                name = "auth-jwt"
                key  = "secret"
              }
            }
          }
          env {
            name  = "API_EXTERNAL_URL"
            value = "http://[REDACTED]"
          }
          env {
            name  = "GOTRUE_SITE_URL"
            value = "http://[REDACTED]"
          }
          env {
            name  = "GOTRUE_API_HOST"
            value = "0.0.0.0"
          }
          env {
            name  = "PORT"
            value = "9999"
          }
        }
      }
    }
  }
}

Closes #1729
Closes #1848
Closes #1983
Closes #2040

@siennathesane siennathesane requested a review from a team as a code owner June 8, 2025 21:04
@siennathesane
Copy link
Author

@kangmingtay can you please review this so it can get merged? It's an ongoing issue for a lot for people.

@siennathesane
applying migration patches.
25697bc 
Signed-off-by: Sienna Satterwhite <[email protected]>
@siennathesane siennathesane force-pushed the bugfix/bootstrapping branch from ca5c731 to 25697bc Compare June 10, 2025 21:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Issue with migrations
1 participant
@siennathesane