Merge pull request #8 from PostHog/feat/ducklake-minio-setup

Add DuckLake with MinIO object storage support

Author: EDsCODE

README.md

@@ -142,6 +142,136 @@ ATTACH 'ducklake:postgres:host=ducklake.example.com user=ducklake password=secre
 
 See [DuckLake documentation](https://ducklake.select/docs/stable/duckdb/usage/connecting) for more details.
 
+### Quick Start with Docker
+
+The easiest way to get started with DuckLake is using the included Docker Compose setup:
+
+```bash
+# Start PostgreSQL (metadata) and MinIO (object storage)
+docker compose up -d
+
+# Wait for services to be ready
+docker compose logs -f  # Look for "Bucket ducklake created successfully"
+
+# Start Duckgres with DuckLake configured
+./duckgres --config duckgres.yaml
+
+# Connect and start using DuckLake
+PGPASSWORD=postgres psql "host=localhost port=5432 user=postgres sslmode=require"
+```
+
+The `docker-compose.yaml` creates:
+
+**PostgreSQL** (metadata catalog):
+- Host: `localhost`
+- Port: `5433` (mapped to avoid conflicts)
+- Database: `ducklake`
+- User/Password: `ducklake` / `ducklake`
+
+**MinIO** (S3-compatible object storage):
+- S3 API: `localhost:9000`
+- Web Console: `http://localhost:9001`
+- Access Key: `minioadmin`
+- Secret Key: `minioadmin`
+- Bucket: `ducklake` (auto-created on startup)
+
+The included `duckgres.yaml` is pre-configured to use both services.
+
+### Object Storage Configuration
+
+DuckLake can store data files in S3-compatible object storage (AWS S3, MinIO, etc.). Two credential providers are supported:
+
+#### Option 1: Explicit Credentials (MinIO / Access Keys)
+
+```yaml
+ducklake:
+  metadata_store: "postgres:host=localhost port=5433 user=ducklake password=ducklake dbname=ducklake"
+  object_store: "s3://ducklake/data/"
+  s3_provider: "config"            # Explicit credentials (default if s3_access_key is set)
+  s3_endpoint: "localhost:9000"    # MinIO or custom S3 endpoint
+  s3_access_key: "minioadmin"
+  s3_secret_key: "minioadmin"
+  s3_region: "us-east-1"
+  s3_use_ssl: false
+  s3_url_style: "path"             # "path" for MinIO, "vhost" for AWS S3
+```
+
+#### Option 2: AWS Credential Chain (IAM Roles / Environment)
+
+For AWS S3 with IAM roles, environment variables, or config files:
+
+```yaml
+ducklake:
+  metadata_store: "postgres:host=localhost user=ducklake password=ducklake dbname=ducklake"
+  object_store: "s3://my-bucket/ducklake/"
+  s3_provider: "credential_chain"  # AWS SDK credential chain
+  s3_chain: "env;config"           # Which sources to check (optional)
+  s3_profile: "my-profile"         # AWS profile name (optional)
+  s3_region: "us-west-2"           # Override auto-detected region (optional)
+```
+
+The credential chain checks these sources in order:
+- `env` - Environment variables (`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`)
+- `config` - AWS config files (`~/.aws/credentials`, `~/.aws/config`)
+- `sts` - AWS STS assume role
+- `sso` - AWS Single Sign-On
+- `instance` - EC2 instance metadata (IAM roles)
+- `process` - External process credentials
+
+See [DuckDB S3 API docs](https://duckdb.org/docs/stable/core_extensions/httpfs/s3api#credential_chain-provider) for details.
+
+#### Environment Variables
+
+All S3 settings can be configured via environment variables:
+- `DUCKGRES_DUCKLAKE_OBJECT_STORE` - S3 path (e.g., `s3://bucket/path/`)
+- `DUCKGRES_DUCKLAKE_S3_PROVIDER` - `config` or `credential_chain`
+- `DUCKGRES_DUCKLAKE_S3_ENDPOINT` - S3 endpoint (for MinIO)
+- `DUCKGRES_DUCKLAKE_S3_ACCESS_KEY` - Access key ID
+- `DUCKGRES_DUCKLAKE_S3_SECRET_KEY` - Secret access key
+- `DUCKGRES_DUCKLAKE_S3_REGION` - AWS region
+- `DUCKGRES_DUCKLAKE_S3_USE_SSL` - Use HTTPS (true/false)
+- `DUCKGRES_DUCKLAKE_S3_URL_STYLE` - `path` or `vhost`
+- `DUCKGRES_DUCKLAKE_S3_CHAIN` - Credential chain sources
+- `DUCKGRES_DUCKLAKE_S3_PROFILE` - AWS profile name
+
+### Seeding Sample Data
+
+A seed script is provided to populate DuckLake with sample e-commerce and analytics data:
+
+```bash
+# Seed with default connection (localhost:5432, postgres/postgres)
+./scripts/seed_ducklake.sh
+
+# Seed with custom connection
+./scripts/seed_ducklake.sh --host 127.0.0.1 --port 5432 --user postgres --password postgres
+
+# Clean existing tables and reseed
+./scripts/seed_ducklake.sh --clean
+```
+
+The script creates the following tables:
+- `categories` - Product categories (5 rows)
+- `products` - E-commerce products (15 rows)
+- `customers` - Customer records (10 rows)
+- `orders` - Order headers (12 rows)
+- `order_items` - Order line items (20 rows)
+- `events` - Analytics events with JSON properties (15 rows)
+- `page_views` - Web analytics data (15 rows)
+
+Example queries after seeding:
+
+```sql
+-- Top products by price
+SELECT name, price FROM products ORDER BY price DESC LIMIT 5;
+
+-- Orders with customer info
+SELECT o.id, c.first_name, c.last_name, o.total_amount, o.status
+FROM orders o JOIN customers c ON o.customer_id = c.id;
+
+-- Event funnel analysis
+SELECT event_name, COUNT(*) FROM events GROUP BY event_name ORDER BY COUNT(*) DESC;
+```
+
 ## COPY Protocol
 
 Duckgres supports PostgreSQL's COPY protocol for efficient bulk data import and export:

docker-compose.yaml

@@ -0,0 +1,54 @@
+services:
+  postgres:
+    image: postgres:16-alpine
+    container_name: ducklake-metadata
+    environment:
+      POSTGRES_USER: ducklake
+      POSTGRES_PASSWORD: ducklake
+      POSTGRES_DB: ducklake
+    ports:
+      - "5433:5432"
+    volumes:
+      - ducklake-data:/var/lib/postgresql/data
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U ducklake -d ducklake"]
+      interval: 5s
+      timeout: 5s
+      retries: 5
+
+  minio:
+    image: minio/minio:latest
+    container_name: ducklake-storage
+    command: server /data --console-address ":9001"
+    environment:
+      MINIO_ROOT_USER: minioadmin
+      MINIO_ROOT_PASSWORD: minioadmin
+    ports:
+      - "9000:9000"   # S3 API
+      - "9001:9001"   # Web console
+    volumes:
+      - minio-data:/data
+    healthcheck:
+      test: ["CMD", "mc", "ready", "local"]
+      interval: 5s
+      timeout: 5s
+      retries: 5
+
+  # Creates the ducklake bucket on startup
+  minio-init:
+    image: minio/mc:latest
+    container_name: ducklake-storage-init
+    depends_on:
+      minio:
+        condition: service_healthy
+    entrypoint: >
+      /bin/sh -c "
+      mc alias set minio http://minio:9000 minioadmin minioadmin;
+      mc mb minio/ducklake --ignore-existing;
+      mc anonymous set download minio/ducklake;
+      echo 'Bucket ducklake created successfully';
+      "
+
+volumes:
+  ducklake-data:
+  minio-data:

duckgres.example.yaml

@@ -38,6 +38,30 @@ ducklake:
   #   - "postgres:host=ducklake.example.com user=ducklake password=secret dbname=ducklake"
   # metadata_store: "postgres:host=localhost user=ducklake password=secret dbname=ducklake"
 
+  # S3-compatible object storage for data files (optional)
+  # If not specified, data is stored alongside the metadata
+  # object_store: "s3://bucket/path/"
+
+  # S3 credential provider: "config" (explicit) or "credential_chain" (AWS SDK)
+  # Default: "config" if s3_access_key is set, otherwise "credential_chain"
+  # s3_provider: "config"
+
+  # Option 1: Explicit credentials (for MinIO or when you have access keys)
+  # s3_endpoint: "localhost:9000"      # MinIO or custom S3 endpoint
+  # s3_access_key: "minioadmin"        # Access key ID
+  # s3_secret_key: "minioadmin"        # Secret access key
+  # s3_region: "us-east-1"             # AWS region (default: us-east-1)
+  # s3_use_ssl: false                  # Use HTTPS for S3 connections
+  # s3_url_style: "path"               # "path" or "vhost" (default: path)
+
+  # Option 2: AWS credential chain (for AWS S3 with IAM roles, env vars, etc.)
+  # Uses AWS SDK credential chain: env vars -> config files -> instance metadata
+  # See: https://duckdb.org/docs/stable/core_extensions/httpfs/s3api#credential_chain-provider
+  # s3_provider: "credential_chain"
+  # s3_chain: "env;config"             # Which sources to check (env, config, sts, sso, instance, process)
+  # s3_profile: "my-profile"           # AWS profile name (for config chain)
+  # s3_region: "us-west-2"             # Override auto-detected region
+
 # Rate limiting configuration (optional - these are the defaults)
 rate_limit:
   # Max failed auth attempts before banning an IP

go.mod

@@ -2,6 +2,11 @@ module github.com/posthog/duckgres
 
 go 1.25.4
 
+require (
+	github.com/duckdb/duckdb-go/v2 v2.5.3
+	gopkg.in/yaml.v3 v3.0.1
+)
+
 require (
 	github.com/apache/arrow-go/v18 v18.4.1 // indirect
 	github.com/duckdb/duckdb-go-bindings v0.1.23 // indirect
@@ -12,7 +17,6 @@ require (
 	github.com/duckdb/duckdb-go-bindings/windows-amd64 v0.1.23 // indirect
 	github.com/duckdb/duckdb-go/arrowmapping v0.0.26 // indirect
 	github.com/duckdb/duckdb-go/mapping v0.0.25 // indirect
-	github.com/duckdb/duckdb-go/v2 v2.5.3 // indirect
 	github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
 	github.com/goccy/go-json v0.10.5 // indirect
 	github.com/google/flatbuffers v25.2.10+incompatible // indirect
@@ -28,5 +32,4 @@ require (
 	golang.org/x/sys v0.35.0 // indirect
 	golang.org/x/tools v0.36.0 // indirect
 	golang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da // indirect
-	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

main.go

@@ -40,6 +40,22 @@ type RateLimitFileConfig struct {
 
 type DuckLakeFileConfig struct {
 	MetadataStore string `yaml:"metadata_store"` // e.g., "postgres:host=localhost user=ducklake password=secret dbname=ducklake"
+	ObjectStore   string `yaml:"object_store"`   // e.g., "s3://bucket/path/" for S3/MinIO storage
+
+	// S3 credential provider: "config" (explicit) or "credential_chain" (AWS SDK)
+	S3Provider string `yaml:"s3_provider"`
+
+	// Config provider settings (explicit credentials)
+	S3Endpoint  string `yaml:"s3_endpoint"`   // e.g., "localhost:9000" for MinIO
+	S3AccessKey string `yaml:"s3_access_key"` // S3 access key ID
+	S3SecretKey string `yaml:"s3_secret_key"` // S3 secret access key
+	S3Region    string `yaml:"s3_region"`     // S3 region (default: us-east-1)
+	S3UseSSL    bool   `yaml:"s3_use_ssl"`    // Use HTTPS for S3 connections
+	S3URLStyle  string `yaml:"s3_url_style"`  // "path" or "vhost" (default: path)
+
+	// Credential chain provider settings (AWS SDK credential chain)
+	S3Chain   string `yaml:"s3_chain"`   // e.g., "env;config" - which credential sources to check
+	S3Profile string `yaml:"s3_profile"` // AWS profile name for config chain
 }
 
 // loadConfigFile loads configuration from a YAML file
@@ -177,6 +193,34 @@ func main() {
 		if fileCfg.DuckLake.MetadataStore != "" {
 			cfg.DuckLake.MetadataStore = fileCfg.DuckLake.MetadataStore
 		}
+		if fileCfg.DuckLake.ObjectStore != "" {
+			cfg.DuckLake.ObjectStore = fileCfg.DuckLake.ObjectStore
+		}
+		if fileCfg.DuckLake.S3Provider != "" {
+			cfg.DuckLake.S3Provider = fileCfg.DuckLake.S3Provider
+		}
+		if fileCfg.DuckLake.S3Endpoint != "" {
+			cfg.DuckLake.S3Endpoint = fileCfg.DuckLake.S3Endpoint
+		}
+		if fileCfg.DuckLake.S3AccessKey != "" {
+			cfg.DuckLake.S3AccessKey = fileCfg.DuckLake.S3AccessKey
+		}
+		if fileCfg.DuckLake.S3SecretKey != "" {
+			cfg.DuckLake.S3SecretKey = fileCfg.DuckLake.S3SecretKey
+		}
+		if fileCfg.DuckLake.S3Region != "" {
+			cfg.DuckLake.S3Region = fileCfg.DuckLake.S3Region
+		}
+		cfg.DuckLake.S3UseSSL = fileCfg.DuckLake.S3UseSSL
+		if fileCfg.DuckLake.S3URLStyle != "" {
+			cfg.DuckLake.S3URLStyle = fileCfg.DuckLake.S3URLStyle
+		}
+		if fileCfg.DuckLake.S3Chain != "" {
+			cfg.DuckLake.S3Chain = fileCfg.DuckLake.S3Chain
+		}
+		if fileCfg.DuckLake.S3Profile != "" {
+			cfg.DuckLake.S3Profile = fileCfg.DuckLake.S3Profile
+		}
 	}
 
 	// Apply environment variables (override config file)
@@ -200,6 +244,36 @@ func main() {
 	if v := os.Getenv("DUCKGRES_DUCKLAKE_METADATA_STORE"); v != "" {
 		cfg.DuckLake.MetadataStore = v
 	}
+	if v := os.Getenv("DUCKGRES_DUCKLAKE_OBJECT_STORE"); v != "" {
+		cfg.DuckLake.ObjectStore = v
+	}
+	if v := os.Getenv("DUCKGRES_DUCKLAKE_S3_PROVIDER"); v != "" {
+		cfg.DuckLake.S3Provider = v
+	}
+	if v := os.Getenv("DUCKGRES_DUCKLAKE_S3_ENDPOINT"); v != "" {
+		cfg.DuckLake.S3Endpoint = v
+	}
+	if v := os.Getenv("DUCKGRES_DUCKLAKE_S3_ACCESS_KEY"); v != "" {
+		cfg.DuckLake.S3AccessKey = v
+	}
+	if v := os.Getenv("DUCKGRES_DUCKLAKE_S3_SECRET_KEY"); v != "" {
+		cfg.DuckLake.S3SecretKey = v
+	}
+	if v := os.Getenv("DUCKGRES_DUCKLAKE_S3_REGION"); v != "" {
+		cfg.DuckLake.S3Region = v
+	}
+	if v := os.Getenv("DUCKGRES_DUCKLAKE_S3_USE_SSL"); v == "true" || v == "1" {
+		cfg.DuckLake.S3UseSSL = true
+	}
+	if v := os.Getenv("DUCKGRES_DUCKLAKE_S3_URL_STYLE"); v != "" {
+		cfg.DuckLake.S3URLStyle = v
+	}
+	if v := os.Getenv("DUCKGRES_DUCKLAKE_S3_CHAIN"); v != "" {
+		cfg.DuckLake.S3Chain = v
+	}
+	if v := os.Getenv("DUCKGRES_DUCKLAKE_S3_PROFILE"); v != "" {
+		cfg.DuckLake.S3Profile = v
+	}
 
 	// Apply CLI flags (highest priority)
 	if *host != "" {