☀ projected k8s-manifests-github from d748fc6

Source-holobranch: k8s-manifests-github
Source-commit: d748fc6
Source: d748fc6

.github/workflows/k8s-deploy.yml

@@ -50,19 +50,6 @@ jobs:
           ) | tee -a /tmp/kube.log
         fi
 
-    - name: 'Apply manifests: namespaced resources'
-      run: |
-        (
-          find . \
-            -maxdepth 1 \
-            -type d \
-            -not -name '_' \
-            -not -name '.*' \
-            -print0 \
-          | sort -z \
-          | xargs -r0 -n 1 kubectl apply -Rf
-        ) | tee -a /tmp/kube.log
-
     - name: 'Apply manifests: generated regcred secrets'
       run: |
 
@@ -81,6 +68,19 @@ jobs:
         EOF
         done <<< "$(find . -maxdepth 1 -type d -not -name '_' -not -name '.*')"
 
+    - name: 'Apply manifests: namespaced resources'
+      run: |
+        (
+          find . \
+            -maxdepth 1 \
+            -type d \
+            -not -name '_' \
+            -not -name '.*' \
+            -print0 \
+          | sort -z \
+          | xargs -r0 -n 1 kubectl apply -Rf
+        ) | tee -a /tmp/kube.log
+
     - name: 'Apply manifests: deleted resources'
       run: |
         for manifest_path in $(git diff-tree --name-only --diff-filter=D -r HEAD^ HEAD); do

_/ClusterRole/squadquest-supabase-reader.yaml

@@ -0,0 +1,22 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: squadquest-supabase-reader
+rules:
+  - apiGroups:
+      - ''
+    resources:
+      - nodes
+      - namespaces
+      - pods
+    verbs:
+      - list
+      - watch
+  - apiGroups:
+      - ''
+    resourceNames:
+      - squadquest-supabase-*
+    resources:
+      - pods/log
+    verbs:
+      - get

_/ClusterRoleBinding/squadquest-supabase-view.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: squadquest-supabase-view
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: squadquest-supabase-reader
+subjects:
+  - kind: ServiceAccount
+    name: squadquest-supabase-supabase-vector
+    namespace: squadquest-supabase

_/Namespace/squadquest-supabase.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: squadquest-supabase

choose-native-plants/Deployment/choose-native-plants.yaml

@@ -37,6 +37,9 @@ spec:
                   key: password
                   name: mongo
                   optional: false
+          envFrom:
+            - secretRef:
+                name: pac-api
           image: 'mongo:5.0.6'
           imagePullPolicy: IfNotPresent
           name: choose-native-plants-db

squadquest-supabase/ConfigMap/squadquest-supabase-supabase-db-initdb.yaml

@@ -0,0 +1,245 @@
+apiVersion: v1
+data:
+  98-webhooks.sql: |
+    BEGIN;
+      -- Create pg_net extension
+      CREATE EXTENSION IF NOT EXISTS pg_net SCHEMA extensions;
+      -- Create supabase_functions schema
+      CREATE SCHEMA supabase_functions AUTHORIZATION supabase_admin;
+      GRANT USAGE ON SCHEMA supabase_functions TO postgres, anon, authenticated, service_role;
+      ALTER DEFAULT PRIVILEGES IN SCHEMA supabase_functions GRANT ALL ON TABLES TO postgres, anon, authenticated, service_role;
+      ALTER DEFAULT PRIVILEGES IN SCHEMA supabase_functions GRANT ALL ON FUNCTIONS TO postgres, anon, authenticated, service_role;
+      ALTER DEFAULT PRIVILEGES IN SCHEMA supabase_functions GRANT ALL ON SEQUENCES TO postgres, anon, authenticated, service_role;
+      -- supabase_functions.migrations definition
+      CREATE TABLE supabase_functions.migrations (
+        version text PRIMARY KEY,
+        inserted_at timestamptz NOT NULL DEFAULT NOW()
+      );
+      -- Initial supabase_functions migration
+      INSERT INTO supabase_functions.migrations (version) VALUES ('initial');
+      -- supabase_functions.hooks definition
+      CREATE TABLE supabase_functions.hooks (
+        id bigserial PRIMARY KEY,
+        hook_table_id integer NOT NULL,
+        hook_name text NOT NULL,
+        created_at timestamptz NOT NULL DEFAULT NOW(),
+        request_id bigint
+      );
+      CREATE INDEX supabase_functions_hooks_request_id_idx ON supabase_functions.hooks USING btree (request_id);
+      CREATE INDEX supabase_functions_hooks_h_table_id_h_name_idx ON supabase_functions.hooks USING btree (hook_table_id, hook_name);
+      COMMENT ON TABLE supabase_functions.hooks IS 'Supabase Functions Hooks: Audit trail for triggered hooks.';
+      CREATE FUNCTION supabase_functions.http_request()
+        RETURNS trigger
+        LANGUAGE plpgsql
+        AS $function$
+        DECLARE
+          request_id bigint;
+          payload jsonb;
+          url text := TG_ARGV[0]::text;
+          method text := TG_ARGV[1]::text;
+          headers jsonb DEFAULT '{}'::jsonb;
+          params jsonb DEFAULT '{}'::jsonb;
+          timeout_ms integer DEFAULT 1000;
+        BEGIN
+          IF url IS NULL OR url = 'null' THEN
+            RAISE EXCEPTION 'url argument is missing';
+          END IF;
+
+          IF method IS NULL OR method = 'null' THEN
+            RAISE EXCEPTION 'method argument is missing';
+          END IF;
+
+          IF TG_ARGV[2] IS NULL OR TG_ARGV[2] = 'null' THEN
+            headers = '{"Content-Type": "application/json"}'::jsonb;
+          ELSE
+            headers = TG_ARGV[2]::jsonb;
+          END IF;
+
+          IF TG_ARGV[3] IS NULL OR TG_ARGV[3] = 'null' THEN
+            params = '{}'::jsonb;
+          ELSE
+            params = TG_ARGV[3]::jsonb;
+          END IF;
+
+          IF TG_ARGV[4] IS NULL OR TG_ARGV[4] = 'null' THEN
+            timeout_ms = 1000;
+          ELSE
+            timeout_ms = TG_ARGV[4]::integer;
+          END IF;
+
+          CASE
+            WHEN method = 'GET' THEN
+              SELECT http_get INTO request_id FROM net.http_get(
+                url,
+                params,
+                headers,
+                timeout_ms
+              );
+            WHEN method = 'POST' THEN
+              payload = jsonb_build_object(
+                'old_record', OLD,
+                'record', NEW,
+                'type', TG_OP,
+                'table', TG_TABLE_NAME,
+                'schema', TG_TABLE_SCHEMA
+              );
+
+              SELECT http_post INTO request_id FROM net.http_post(
+                url,
+                payload,
+                params,
+                headers,
+                timeout_ms
+              );
+            ELSE
+              RAISE EXCEPTION 'method argument % is invalid', method;
+          END CASE;
+
+          INSERT INTO supabase_functions.hooks
+            (hook_table_id, hook_name, request_id)
+          VALUES
+            (TG_RELID, TG_NAME, request_id);
+
+          RETURN NEW;
+        END
+      $function$;
+      -- Supabase super admin
+      DO
+      $$
+      BEGIN
+        IF NOT EXISTS (
+          SELECT 1
+          FROM pg_roles
+          WHERE rolname = 'supabase_functions_admin'
+        )
+        THEN
+          CREATE USER supabase_functions_admin NOINHERIT CREATEROLE LOGIN NOREPLICATION;
+        END IF;
+      END
+      $$;
+      GRANT ALL PRIVILEGES ON SCHEMA supabase_functions TO supabase_functions_admin;
+      GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA supabase_functions TO supabase_functions_admin;
+      GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA supabase_functions TO supabase_functions_admin;
+      ALTER USER supabase_functions_admin SET search_path = "supabase_functions";
+      ALTER table "supabase_functions".migrations OWNER TO supabase_functions_admin;
+      ALTER table "supabase_functions".hooks OWNER TO supabase_functions_admin;
+      ALTER function "supabase_functions".http_request() OWNER TO supabase_functions_admin;
+      GRANT supabase_functions_admin TO postgres;
+      -- Remove unused supabase_pg_net_admin role
+      DO
+      $$
+      BEGIN
+        IF EXISTS (
+          SELECT 1
+          FROM pg_roles
+          WHERE rolname = 'supabase_pg_net_admin'
+        )
+        THEN
+          REASSIGN OWNED BY supabase_pg_net_admin TO supabase_admin;
+          DROP OWNED BY supabase_pg_net_admin;
+          DROP ROLE supabase_pg_net_admin;
+        END IF;
+      END
+      $$;
+      -- pg_net grants when extension is already enabled
+      DO
+      $$
+      BEGIN
+        IF EXISTS (
+          SELECT 1
+          FROM pg_extension
+          WHERE extname = 'pg_net'
+        )
+        THEN
+          GRANT USAGE ON SCHEMA net TO supabase_functions_admin, postgres, anon, authenticated, service_role;
+          ALTER function net.http_get(url text, params jsonb, headers jsonb, timeout_milliseconds integer) SECURITY DEFINER;
+          ALTER function net.http_post(url text, body jsonb, params jsonb, headers jsonb, timeout_milliseconds integer) SECURITY DEFINER;
+          ALTER function net.http_get(url text, params jsonb, headers jsonb, timeout_milliseconds integer) SET search_path = net;
+          ALTER function net.http_post(url text, body jsonb, params jsonb, headers jsonb, timeout_milliseconds integer) SET search_path = net;
+          REVOKE ALL ON FUNCTION net.http_get(url text, params jsonb, headers jsonb, timeout_milliseconds integer) FROM PUBLIC;
+          REVOKE ALL ON FUNCTION net.http_post(url text, body jsonb, params jsonb, headers jsonb, timeout_milliseconds integer) FROM PUBLIC;
+          GRANT EXECUTE ON FUNCTION net.http_get(url text, params jsonb, headers jsonb, timeout_milliseconds integer) TO supabase_functions_admin, postgres, anon, authenticated, service_role;
+          GRANT EXECUTE ON FUNCTION net.http_post(url text, body jsonb, params jsonb, headers jsonb, timeout_milliseconds integer) TO supabase_functions_admin, postgres, anon, authenticated, service_role;
+        END IF;
+      END
+      $$;
+      -- Event trigger for pg_net
+      CREATE OR REPLACE FUNCTION extensions.grant_pg_net_access()
+      RETURNS event_trigger
+      LANGUAGE plpgsql
+      AS $$
+      BEGIN
+        IF EXISTS (
+          SELECT 1
+          FROM pg_event_trigger_ddl_commands() AS ev
+          JOIN pg_extension AS ext
+          ON ev.objid = ext.oid
+          WHERE ext.extname = 'pg_net'
+        )
+        THEN
+          GRANT USAGE ON SCHEMA net TO supabase_functions_admin, postgres, anon, authenticated, service_role;
+          ALTER function net.http_get(url text, params jsonb, headers jsonb, timeout_milliseconds integer) SECURITY DEFINER;
+          ALTER function net.http_post(url text, body jsonb, params jsonb, headers jsonb, timeout_milliseconds integer) SECURITY DEFINER;
+          ALTER function net.http_get(url text, params jsonb, headers jsonb, timeout_milliseconds integer) SET search_path = net;
+          ALTER function net.http_post(url text, body jsonb, params jsonb, headers jsonb, timeout_milliseconds integer) SET search_path = net;
+          REVOKE ALL ON FUNCTION net.http_get(url text, params jsonb, headers jsonb, timeout_milliseconds integer) FROM PUBLIC;
+          REVOKE ALL ON FUNCTION net.http_post(url text, body jsonb, params jsonb, headers jsonb, timeout_milliseconds integer) FROM PUBLIC;
+          GRANT EXECUTE ON FUNCTION net.http_get(url text, params jsonb, headers jsonb, timeout_milliseconds integer) TO supabase_functions_admin, postgres, anon, authenticated, service_role;
+          GRANT EXECUTE ON FUNCTION net.http_post(url text, body jsonb, params jsonb, headers jsonb, timeout_milliseconds integer) TO supabase_functions_admin, postgres, anon, authenticated, service_role;
+        END IF;
+      END;
+      $$;
+      COMMENT ON FUNCTION extensions.grant_pg_net_access IS 'Grants access to pg_net';
+      DO
+      $$
+      BEGIN
+        IF NOT EXISTS (
+          SELECT 1
+          FROM pg_event_trigger
+          WHERE evtname = 'issue_pg_net_access'
+        ) THEN
+          CREATE EVENT TRIGGER issue_pg_net_access ON ddl_command_end WHEN TAG IN ('CREATE EXTENSION')
+          EXECUTE PROCEDURE extensions.grant_pg_net_access();
+        END IF;
+      END
+      $$;
+      INSERT INTO supabase_functions.migrations (version) VALUES ('20210809183423_update_grants');
+      ALTER function supabase_functions.http_request() SECURITY DEFINER;
+      ALTER function supabase_functions.http_request() SET search_path = supabase_functions;
+      REVOKE ALL ON FUNCTION supabase_functions.http_request() FROM PUBLIC;
+      GRANT EXECUTE ON FUNCTION supabase_functions.http_request() TO postgres, anon, authenticated, service_role;
+    COMMIT;
+  99-jwt.sql: |
+    \set jwt_secret `echo "$JWT_SECRET"`
+    \set jwt_exp `echo "$JWT_EXP"`
+
+    ALTER DATABASE postgres SET "app.settings.jwt_secret" TO :jwt_secret;
+    ALTER DATABASE postgres SET "app.settings.jwt_exp" TO :jwt_exp;
+  99-logs.sql: |
+    \set pguser `echo "$POSTGRES_USER"`
+
+    create schema if not exists _analytics;
+    alter schema _analytics owner to :pguser;
+  99-realtime.sql: |
+    \set pguser `echo "$POSTGRES_USER"`
+
+    create schema if not exists _realtime;
+    alter schema _realtime owner to :pguser;
+  99-roles.sql: |
+    -- NOTE: change to your own passwords for production environments
+    \set pgpass `echo "$POSTGRES_PASSWORD"`
+
+    ALTER USER authenticator WITH PASSWORD :'pgpass';
+    ALTER USER pgbouncer WITH PASSWORD :'pgpass';
+    ALTER USER supabase_auth_admin WITH PASSWORD :'pgpass';
+    ALTER USER supabase_functions_admin WITH PASSWORD :'pgpass';
+    ALTER USER supabase_storage_admin WITH PASSWORD :'pgpass';
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/instance: squadquest-supabase
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: supabase
+    helm.sh/chart: supabase-0.1.3
+  name: squadquest-supabase-supabase-db-initdb
+  namespace: squadquest-supabase

squadquest-supabase/ConfigMap/squadquest-supabase-supabase-db-migrations.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+data: {}
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/instance: squadquest-supabase
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: supabase
+    helm.sh/chart: supabase-0.1.3
+  name: squadquest-supabase-supabase-db-migrations
+  namespace: squadquest-supabase