
Commit c7adee3

Merge pull request #100 from CodeForPhilly/releases/k8s-manifests
Deploy releases/k8s-manifests 8e8e1d5
2 parents 200f2e1 + 8e8e1d5 commit c7adee3


64 files changed

+2859
-13
lines changed



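--- a/.github/workflows/k8s-deploy.yml
+++ b/.github/workflows/k8s-deploy.yml
@@ -50,19 +50,6 @@ jobs:
 ) | tee -a /tmp/kube.log
 fi
 
-- name: 'Apply manifests: namespaced resources'
-run: |
-(
-find . \
--maxdepth 1 \
--type d \
--not -name '_' \
--not -name '.*' \
--print0 \
-| sort -z \
-| xargs -r0 -n 1 kubectl apply -Rf
-) | tee -a /tmp/kube.log
-
 - name: 'Apply manifests: generated regcred secrets'
 run: |
 
@@ -81,6 +68,19 @@ jobs:
 EOF
 done <<< "$(find . -maxdepth 1 -type d -not -name '_' -not -name '.*')"
 
+- name: 'Apply manifests: namespaced resources'
+run: |
+(
+find . \
+-maxdepth 1 \
+-type d \
+-not -name '_' \
+-not -name '.*' \
+-print0 \
+| sort -z \
+| xargs -r0 -n 1 kubectl apply -Rf
+) | tee -a /tmp/kube.log
+
 - name: 'Apply manifests: deleted resources'
 run: |
 for manifest_path in $(git diff-tree --name-only --diff-filter=D -r HEAD^ HEAD); do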
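Review bot: The exit status of the moved step at new lines 71–82 is the status of `tee`, not of the `kubectl apply` invocations inside the subshell, so a failed apply for one namespace directory would still leave the step green unless the job's shell runs with `pipefail`; whether `shell: bash` (which enables `-o pipefail` by default) is set for this job is not visible in the hunk. A self-contained fix is to open the script with `set -o pipefail` before the `(` that starts the subshell. Note that `xargs -r0 -n 1` keeps going after a failing invocation and only reports the failure through its own exit code, which is exactly what the pipe currently discards. The surrounding steps begin and end outside this hunk, so I have not checked whether they share the pattern.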
Lines changed: 22 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,22 @@
1+
apiVersion: rbac.authorization.k8s.io/v1
2+
kind: ClusterRole
3+
metadata:
4+
name: squadquest-supabase-reader
5+
rules:
6+
- apiGroups:
7+
- ''
8+
resources:
9+
- nodes
10+
- namespaces
11+
- pods
12+
verbs:
13+
- list
14+
- watch
15+
- apiGroups:
16+
- ''
17+
resourceNames:
18+
- squadquest-supabase-*
19+
resources:
20+
- pods/log
21+
verbs:
22+
- get
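Review bot: Kubernetes RBAC matches `resourceNames` literally, so the `squadquest-supabase-*` entry on the `pods/log` rule (new lines 15–22) will never match an actual pod name and `get` on pod logs is effectively denied for this role, while the first rule still grants cluster-wide `list`/`watch` on nodes, namespaces and pods. To keep the intended scope without the non-functional glob, drop the two lines `resourceNames:` / `- squadquest-supabase-*` and put the `pods/log` rule in a namespaced `Role` bound by a `RoleBinding` in `squadquest-supabase` instead of this `ClusterRole`; the `ClusterRoleBinding` in the following section makes the current role apply to every namespace. The file path for this section is not shown on the page.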
Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,12 @@
1+
apiVersion: rbac.authorization.k8s.io/v1
2+
kind: ClusterRoleBinding
3+
metadata:
4+
name: squadquest-supabase-view
5+
roleRef:
6+
apiGroup: rbac.authorization.k8s.io
7+
kind: ClusterRole
8+
name: squadquest-supabase-reader
9+
subjects:
10+
- kind: ServiceAccount
11+
name: squadquest-supabase-supabase-vector
12+
namespace: squadquest-supabase

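--- a/_/Namespace/squadquest-supabase.yaml
+++ b/_/Namespace/squadquest-supabase.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+name: squadquest-supabase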
Lines changed: 245 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,245 @@
1+
apiVersion: v1
2+
data:
3+
98-webhooks.sql: |
4+
BEGIN;
5+
-- Create pg_net extension
6+
CREATE EXTENSION IF NOT EXISTS pg_net SCHEMA extensions;
7+
-- Create supabase_functions schema
8+
CREATE SCHEMA supabase_functions AUTHORIZATION supabase_admin;
9+
GRANT USAGE ON SCHEMA supabase_functions TO postgres, anon, authenticated, service_role;
10+
ALTER DEFAULT PRIVILEGES IN SCHEMA supabase_functions GRANT ALL ON TABLES TO postgres, anon, authenticated, service_role;
11+
ALTER DEFAULT PRIVILEGES IN SCHEMA supabase_functions GRANT ALL ON FUNCTIONS TO postgres, anon, authenticated, service_role;
12+
ALTER DEFAULT PRIVILEGES IN SCHEMA supabase_functions GRANT ALL ON SEQUENCES TO postgres, anon, authenticated, service_role;
13+
-- supabase_functions.migrations definition
14+
CREATE TABLE supabase_functions.migrations (
15+
version text PRIMARY KEY,
16+
inserted_at timestamptz NOT NULL DEFAULT NOW()
17+
);
18+
-- Initial supabase_functions migration
19+
INSERT INTO supabase_functions.migrations (version) VALUES ('initial');
20+
-- supabase_functions.hooks definition
21+
CREATE TABLE supabase_functions.hooks (
22+
id bigserial PRIMARY KEY,
23+
hook_table_id integer NOT NULL,
24+
hook_name text NOT NULL,
25+
created_at timestamptz NOT NULL DEFAULT NOW(),
26+
request_id bigint
27+
);
28+
CREATE INDEX supabase_functions_hooks_request_id_idx ON supabase_functions.hooks USING btree (request_id);
29+
CREATE INDEX supabase_functions_hooks_h_table_id_h_name_idx ON supabase_functions.hooks USING btree (hook_table_id, hook_name);
30+
COMMENT ON TABLE supabase_functions.hooks IS 'Supabase Functions Hooks: Audit trail for triggered hooks.';
31+
CREATE FUNCTION supabase_functions.http_request()
32+
RETURNS trigger
33+
LANGUAGE plpgsql
34+
AS $function$
35+
DECLARE
36+
request_id bigint;
37+
payload jsonb;
38+
url text := TG_ARGV[0]::text;
39+
method text := TG_ARGV[1]::text;
40+
headers jsonb DEFAULT '{}'::jsonb;
41+
params jsonb DEFAULT '{}'::jsonb;
42+
timeout_ms integer DEFAULT 1000;
43+
BEGIN
44+
IF url IS NULL OR url = 'null' THEN
45+
RAISE EXCEPTION 'url argument is missing';
46+
END IF;
47+
48+
IF method IS NULL OR method = 'null' THEN
49+
RAISE EXCEPTION 'method argument is missing';
50+
END IF;
51+
52+
IF TG_ARGV[2] IS NULL OR TG_ARGV[2] = 'null' THEN
53+
headers = '{"Content-Type": "application/json"}'::jsonb;
54+
ELSE
55+
headers = TG_ARGV[2]::jsonb;
56+
END IF;
57+
58+
IF TG_ARGV[3] IS NULL OR TG_ARGV[3] = 'null' THEN
59+
params = '{}'::jsonb;
60+
ELSE
61+
params = TG_ARGV[3]::jsonb;
62+
END IF;
63+
64+
IF TG_ARGV[4] IS NULL OR TG_ARGV[4] = 'null' THEN
65+
timeout_ms = 1000;
66+
ELSE
67+
timeout_ms = TG_ARGV[4]::integer;
68+
END IF;
69+
70+
CASE
71+
WHEN method = 'GET' THEN
72+
SELECT http_get INTO request_id FROM net.http_get(
73+
url,
74+
params,
75+
headers,
76+
timeout_ms
77+
);
78+
WHEN method = 'POST' THEN
79+
payload = jsonb_build_object(
80+
'old_record', OLD,
81+
'record', NEW,
82+
'type', TG_OP,
83+
'table', TG_TABLE_NAME,
84+
'schema', TG_TABLE_SCHEMA
85+
);
86+
87+
SELECT http_post INTO request_id FROM net.http_post(
88+
url,
89+
payload,
90+
params,
91+
headers,
92+
timeout_ms
93+
);
94+
ELSE
95+
RAISE EXCEPTION 'method argument % is invalid', method;
96+
END CASE;
97+
98+
INSERT INTO supabase_functions.hooks
99+
(hook_table_id, hook_name, request_id)
100+
VALUES
101+
(TG_RELID, TG_NAME, request_id);
102+
103+
RETURN NEW;
104+
END
105+
$function$;
106+
-- Supabase super admin
107+
DO
108+
$$
109+
BEGIN
110+
IF NOT EXISTS (
111+
SELECT 1
112+
FROM pg_roles
113+
WHERE rolname = 'supabase_functions_admin'
114+
)
115+
THEN
116+
CREATE USER supabase_functions_admin NOINHERIT CREATEROLE LOGIN NOREPLICATION;
117+
END IF;
118+
END
119+
$$;
120+
GRANT ALL PRIVILEGES ON SCHEMA supabase_functions TO supabase_functions_admin;
121+
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA supabase_functions TO supabase_functions_admin;
122+
GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA supabase_functions TO supabase_functions_admin;
123+
ALTER USER supabase_functions_admin SET search_path = "supabase_functions";
124+
ALTER table "supabase_functions".migrations OWNER TO supabase_functions_admin;
125+
ALTER table "supabase_functions".hooks OWNER TO supabase_functions_admin;
126+
ALTER function "supabase_functions".http_request() OWNER TO supabase_functions_admin;
127+
GRANT supabase_functions_admin TO postgres;
128+
-- Remove unused supabase_pg_net_admin role
129+
DO
130+
$$
131+
BEGIN
132+
IF EXISTS (
133+
SELECT 1
134+
FROM pg_roles
135+
WHERE rolname = 'supabase_pg_net_admin'
136+
)
137+
THEN
138+
REASSIGN OWNED BY supabase_pg_net_admin TO supabase_admin;
139+
DROP OWNED BY supabase_pg_net_admin;
140+
DROP ROLE supabase_pg_net_admin;
141+
END IF;
142+
END
143+
$$;
144+
-- pg_net grants when extension is already enabled
145+
DO
146+
$$
147+
BEGIN
148+
IF EXISTS (
149+
SELECT 1
150+
FROM pg_extension
151+
WHERE extname = 'pg_net'
152+
)
153+
THEN
154+
GRANT USAGE ON SCHEMA net TO supabase_functions_admin, postgres, anon, authenticated, service_role;
155+
ALTER function net.http_get(url text, params jsonb, headers jsonb, timeout_milliseconds integer) SECURITY DEFINER;
156+
ALTER function net.http_post(url text, body jsonb, params jsonb, headers jsonb, timeout_milliseconds integer) SECURITY DEFINER;
157+
ALTER function net.http_get(url text, params jsonb, headers jsonb, timeout_milliseconds integer) SET search_path = net;
158+
ALTER function net.http_post(url text, body jsonb, params jsonb, headers jsonb, timeout_milliseconds integer) SET search_path = net;
159+
REVOKE ALL ON FUNCTION net.http_get(url text, params jsonb, headers jsonb, timeout_milliseconds integer) FROM PUBLIC;
160+
REVOKE ALL ON FUNCTION net.http_post(url text, body jsonb, params jsonb, headers jsonb, timeout_milliseconds integer) FROM PUBLIC;
161+
GRANT EXECUTE ON FUNCTION net.http_get(url text, params jsonb, headers jsonb, timeout_milliseconds integer) TO supabase_functions_admin, postgres, anon, authenticated, service_role;
162+
GRANT EXECUTE ON FUNCTION net.http_post(url text, body jsonb, params jsonb, headers jsonb, timeout_milliseconds integer) TO supabase_functions_admin, postgres, anon, authenticated, service_role;
163+
END IF;
164+
END
165+
$$;
166+
-- Event trigger for pg_net
167+
CREATE OR REPLACE FUNCTION extensions.grant_pg_net_access()
168+
RETURNS event_trigger
169+
LANGUAGE plpgsql
170+
AS $$
171+
BEGIN
172+
IF EXISTS (
173+
SELECT 1
174+
FROM pg_event_trigger_ddl_commands() AS ev
175+
JOIN pg_extension AS ext
176+
ON ev.objid = ext.oid
177+
WHERE ext.extname = 'pg_net'
178+
)
179+
THEN
180+
GRANT USAGE ON SCHEMA net TO supabase_functions_admin, postgres, anon, authenticated, service_role;
181+
ALTER function net.http_get(url text, params jsonb, headers jsonb, timeout_milliseconds integer) SECURITY DEFINER;
182+
ALTER function net.http_post(url text, body jsonb, params jsonb, headers jsonb, timeout_milliseconds integer) SECURITY DEFINER;
183+
ALTER function net.http_get(url text, params jsonb, headers jsonb, timeout_milliseconds integer) SET search_path = net;
184+
ALTER function net.http_post(url text, body jsonb, params jsonb, headers jsonb, timeout_milliseconds integer) SET search_path = net;
185+
REVOKE ALL ON FUNCTION net.http_get(url text, params jsonb, headers jsonb, timeout_milliseconds integer) FROM PUBLIC;
186+
REVOKE ALL ON FUNCTION net.http_post(url text, body jsonb, params jsonb, headers jsonb, timeout_milliseconds integer) FROM PUBLIC;
187+
GRANT EXECUTE ON FUNCTION net.http_get(url text, params jsonb, headers jsonb, timeout_milliseconds integer) TO supabase_functions_admin, postgres, anon, authenticated, service_role;
188+
GRANT EXECUTE ON FUNCTION net.http_post(url text, body jsonb, params jsonb, headers jsonb, timeout_milliseconds integer) TO supabase_functions_admin, postgres, anon, authenticated, service_role;
189+
END IF;
190+
END;
191+
$$;
192+
COMMENT ON FUNCTION extensions.grant_pg_net_access IS 'Grants access to pg_net';
193+
DO
194+
$$
195+
BEGIN
196+
IF NOT EXISTS (
197+
SELECT 1
198+
FROM pg_event_trigger
199+
WHERE evtname = 'issue_pg_net_access'
200+
) THEN
201+
CREATE EVENT TRIGGER issue_pg_net_access ON ddl_command_end WHEN TAG IN ('CREATE EXTENSION')
202+
EXECUTE PROCEDURE extensions.grant_pg_net_access();
203+
END IF;
204+
END
205+
$$;
206+
INSERT INTO supabase_functions.migrations (version) VALUES ('20210809183423_update_grants');
207+
ALTER function supabase_functions.http_request() SECURITY DEFINER;
208+
ALTER function supabase_functions.http_request() SET search_path = supabase_functions;
209+
REVOKE ALL ON FUNCTION supabase_functions.http_request() FROM PUBLIC;
210+
GRANT EXECUTE ON FUNCTION supabase_functions.http_request() TO postgres, anon, authenticated, service_role;
211+
COMMIT;
212+
99-jwt.sql: |
213+
\set jwt_secret `echo "$JWT_SECRET"`
214+
\set jwt_exp `echo "$JWT_EXP"`
215+
216+
ALTER DATABASE postgres SET "app.settings.jwt_secret" TO :jwt_secret;
217+
ALTER DATABASE postgres SET "app.settings.jwt_exp" TO :jwt_exp;
218+
99-logs.sql: |
219+
\set pguser `echo "$POSTGRES_USER"`
220+
221+
create schema if not exists _analytics;
222+
alter schema _analytics owner to :pguser;
223+
99-realtime.sql: |
224+
\set pguser `echo "$POSTGRES_USER"`
225+
226+
create schema if not exists _realtime;
227+
alter schema _realtime owner to :pguser;
228+
99-roles.sql: |
229+
-- NOTE: change to your own passwords for production environments
230+
\set pgpass `echo "$POSTGRES_PASSWORD"`
231+
232+
ALTER USER authenticator WITH PASSWORD :'pgpass';
233+
ALTER USER pgbouncer WITH PASSWORD :'pgpass';
234+
ALTER USER supabase_auth_admin WITH PASSWORD :'pgpass';
235+
ALTER USER supabase_functions_admin WITH PASSWORD :'pgpass';
236+
ALTER USER supabase_storage_admin WITH PASSWORD :'pgpass';
237+
kind: ConfigMap
238+
metadata:
239+
labels:
240+
app.kubernetes.io/instance: squadquest-supabase
241+
app.kubernetes.io/managed-by: Helm
242+
app.kubernetes.io/name: supabase
243+
helm.sh/chart: supabase-0.1.3
244+
name: squadquest-supabase-supabase-db-initdb
245+
namespace: squadquest-supabase
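Review bot: `99-roles.sql` (new lines 228–236) assigns the single `$POSTGRES_PASSWORD` value to `authenticator`, `pgbouncer`, `supabase_auth_admin`, `supabase_functions_admin` and `supabase_storage_admin`, so a credential leak from any one of those components yields every admin role; the inline comment already says to change this for production, and since this is the manifest that reaches the cluster it should `\set` a distinct variable per role from separate secret keys rather than reuse `pgpass`. Separately, `98-webhooks.sql` grants `EXECUTE` on `net.http_get`/`net.http_post` (lines 161–162 and 187–188) and on the `SECURITY DEFINER` `supabase_functions.http_request()` (line 210) to `anon` and `authenticated`, which means any statement executing as those roles can have the database issue outbound HTTP requests from inside the cluster network; if no client-facing role needs this, revoke it from `anon`/`authenticated` and keep `service_role` and the trigger owner. The `helm.sh/chart` label suggests this file is rendered chart output, so the change presumably belongs in the chart values rather than in a hand edit here. The file path for this section is not shown on the page.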
Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,11 @@
1+
apiVersion: v1
2+
data: {}
3+
kind: ConfigMap
4+
metadata:
5+
labels:
6+
app.kubernetes.io/instance: squadquest-supabase
7+
app.kubernetes.io/managed-by: Helm
8+
app.kubernetes.io/name: supabase
9+
helm.sh/chart: supabase-0.1.3
10+
name: squadquest-supabase-supabase-db-migrations
11+
namespace: squadquest-supabase
