feat(persistence): allow setting optional schema for postgres and mysql database

Signed-off-by: Jonathan Pollert <jona.pollert@gmail.com>

Author: jnt0r

.features/pending/persistence-schema.md

@@ -0,0 +1,6 @@
+Description: You can now configure a specific postgres database schema for Argo Persistence in the controller config map.
+Authors: [Jonathan Pollert](https://github.com/jnt0r)
+Component: General
+Issues: 2452
+
+Added support for custom database schemas to improve data isolation and security in shared environments. This allows Argo to operate within a designated logical schema rather than the default. Note: This feature is not applicable to MySQL, as it does not support logical schemas; for MySQL users, database names should continue to be used for application separation.

config/config.go

@@ -389,6 +389,8 @@ func (c DatabaseConfig) GetHostname() string {
 // PostgreSQLConfig contains PostgreSQL-specific database configuration
 type PostgreSQLConfig struct {
 	DatabaseConfig
+	// Schema is the name of the schema to use in the database. If not set, the default schema of the database will be used
+	Schema string `json:"schema"`
 	// SSL enables SSL connection to the database
 	SSL bool `json:"ssl,omitempty"`
 	// SSLMode specifies the SSL mode (disable, require, verify-ca, verify-full)

docs/workflow-archive.md

@@ -97,3 +97,13 @@ Example:
 
     persistence:
       archive: false
+
+## Customizing PostgreSQL Database Schema
+
+To change the schema for the tables in PostgreSQL, set `schema:` to the desired schema in the `persistence` section of [your configuration](workflow-controller-configmap.yaml). 
+Only available on PostgreSQL.
+
+Example:
+
+    persistence:
+      schema: argo

docs/workflow-controller-configmap.md

@@ -197,18 +197,19 @@ PostgreSQLConfig contains PostgreSQL-specific database configuration
 
 ### Fields
 
-|    Field Name    |                                                         Field Type                                                          |                                     Description                                      |
-|------------------|-----------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------|
-| `Host`           | `string`                                                                                                                    | Host is the database server hostname                                                 |
-| `Port`           | `int`                                                                                                                       | Port is the database server port                                                     |
-| `Database`       | `string`                                                                                                                    | Database is the name of the database to connect to                                   |
-| `TableName`      | `string`                                                                                                                    | TableName is the name of the table to use, must be set                               |
-| `UsernameSecret` | [`apiv1.SecretKeySelector`](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.32/#secretkeyselector-v1-core) | UsernameSecret references a secret containing the database username                  |
-| `PasswordSecret` | [`apiv1.SecretKeySelector`](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.32/#secretkeyselector-v1-core) | PasswordSecret references a secret containing the database password                  |
-| `SSL`            | `bool`                                                                                                                      | SSL enables SSL connection to the database                                           |
-| `SSLMode`        | `string`                                                                                                                    | SSLMode specifies the SSL mode (disable, require, verify-ca, verify-full)            |
-| `AzureToken`     | [`AzureTokenConfig`](#azuretokenconfig)                                                                                     | AzureToken specifies if the password should be fetched as an Azure token             |
-| `AWSRDSToken`    | [`AWSRDSTokenConfig`](#awsrdstokenconfig)                                                                                   | AWSRDSToken specifies if the password should be fetched as an AWS RDS IAM auth token |
+|    Field Name    |                                                         Field Type                                                          |                                                     Description                                                      |
+|------------------|-----------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------|
+| `Host`           | `string`                                                                                                                    | Host is the database server hostname                                                                                 |
+| `Port`           | `int`                                                                                                                       | Port is the database server port                                                                                     |
+| `Database`       | `string`                                                                                                                    | Database is the name of the database to connect to                                                                   |
+| `TableName`      | `string`                                                                                                                    | TableName is the name of the table to use, must be set                                                               |
+| `UsernameSecret` | [`apiv1.SecretKeySelector`](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.32/#secretkeyselector-v1-core) | UsernameSecret references a secret containing the database username                                                  |
+| `PasswordSecret` | [`apiv1.SecretKeySelector`](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.32/#secretkeyselector-v1-core) | PasswordSecret references a secret containing the database password                                                  |
+| `Schema`         | `string`                                                                                                                    | Schema is the name of the schema to use in the database. If not set, the default schema of the database will be used |
+| `SSL`            | `bool`                                                                                                                      | SSL enables SSL connection to the database                                                                           |
+| `SSLMode`        | `string`                                                                                                                    | SSLMode specifies the SSL mode (disable, require, verify-ca, verify-full)                                            |
+| `AzureToken`     | [`AzureTokenConfig`](#azuretokenconfig)                                                                                     | AzureToken specifies if the password should be fetched as an Azure token                                             |
+| `AWSRDSToken`    | [`AWSRDSTokenConfig`](#awsrdstokenconfig)                                                                                   | AWSRDSToken specifies if the password should be fetched as an AWS RDS IAM auth token                                 |
 
 ## AzureTokenConfig
 

docs/workflow-controller-configmap.yaml

@@ -292,6 +292,7 @@ data:
       host: localhost
       port: 5432
       database: postgres
+      schema: argo
       tableName: argo_workflows
       # the database secrets must be in the same namespace of the controller
       userNameSecret:
@@ -367,6 +368,7 @@ data:
       host: localhost
       port: 5432
       database: postgres  # Can be the same database as persistence
+      schema: argo
       # the database secrets must be in the same namespace as the controller
       userNameSecret:
         name: argo-postgres-config

hack/db/main.go

@@ -2,6 +2,7 @@ package main
 
 import (
 	"fmt"
+	"net/url"
 	"os"
 	"strings"
 	"time"
@@ -24,10 +25,10 @@ import (
 var (
 	session db.Session
 	dbType  sqldb.DBType
+	dsn     string
 )
 
 func main() {
-	var dsn string
 	rootCmd := &cobra.Command{
 		Use:   "db",
 		Short: "CLI for developers to use when working on the DB locally",
@@ -51,7 +52,11 @@ func NewMigrateCommand() *cobra.Command {
 		Use:   "migrate",
 		Short: "Force DB migration for given cluster/table",
 		RunE: func(cmd *cobra.Command, args []string) error {
-			return persistsqldb.Migrate(cmd.Context(), session, cluster, table, dbType)
+			schema, err := schemaFromDSN(dsn)
+			if err != nil {
+				return err
+			}
+			return persistsqldb.Migrate(cmd.Context(), session, cluster, schema, table, dbType)
 		},
 	}
 	migrationCmd.Flags().StringVar(&cluster, "cluster", "default", "Cluster name")
@@ -120,6 +125,14 @@ func createDBSession(dsn string) (db.Session, sqldb.DBType, error) {
 	}
 }
 
+func schemaFromDSN(dsn string) (string, error) {
+	u, err := url.Parse(dsn)
+	if err != nil {
+		return "", err
+	}
+	return strings.TrimSpace(u.Query().Get("search_path")), nil
+}
+
 func randomPhase() wfv1.WorkflowPhase {
 	phases := []wfv1.WorkflowPhase{
 		wfv1.WorkflowSucceeded,

persist/sqldb/migrate.go

@@ -12,8 +12,8 @@ const (
 	versionTable = "schema_history"
 )
 
-func Migrate(ctx context.Context, session db.Session, clusterName, tableName string, dbType sqldb.DBType) (err error) {
-	return sqldb.Migrate(ctx, session, dbType, versionTable, []sqldb.Change{
+func Migrate(ctx context.Context, session db.Session, clusterName, schema string, tableName string, dbType sqldb.DBType) (err error) {
+	return sqldb.Migrate(ctx, session, dbType, schema, versionTable, []sqldb.Change{
 		sqldb.AnsiSQLChange(`create table if not exists ` + tableName + ` (
     id varchar(128) ,
     name varchar(256),

persist/sqldb/sqldb.go

@@ -17,3 +17,11 @@ func GetTableName(persistConfig *config.PersistConfig) (string, error) {
 	}
 	return tableName, nil
 }
+
+func GetSchema(persistConfig *config.PersistConfig) string {
+	var schemaName string
+	if persistConfig.PostgreSQL != nil {
+		schemaName = persistConfig.PostgreSQL.Schema
+	}
+	return schemaName
+}

util/sqldb/migrate.go

@@ -22,11 +22,20 @@ func ByType(dbType DBType, changes TypedChanges) Change {
 	return nil
 }
 
-func Migrate(ctx context.Context, session db.Session, dbType DBType, versionTableName string, changes []Change) error {
+func Migrate(ctx context.Context, session db.Session, dbType DBType, schema string, versionTableName string, changes []Change) error {
 	ctx, logger := logging.RequireLoggerFromContext(ctx).WithField("dbType", dbType).InContext(ctx)
 	logger.Info(ctx, "Migrating database schema")
 
 	{
+		// Create the schema in the postgres database. MySQL does not have a concept of schema separate from database, so we skip this step for MySQL
+		if dbType == Postgres && schema != "" {
+			_, err := session.SQL().Exec(fmt.Sprintf("create schema if not exists %s", schema))
+
+			if err != nil {
+				return err
+			}
+		}
+
 		// poor mans SQL migration
 		_, err := session.SQL().Exec(fmt.Sprintf("create table if not exists %s(schema_version int not null, primary key(schema_version))", versionTableName))
 		if err != nil {

util/sqldb/session_test.go

@@ -2,8 +2,11 @@ package sqldb
 
 import (
 	"context"
+	"database/sql"
+	"fmt"
 	"net/netip"
 	"runtime"
+	"strconv"
 	"testing"
 	"time"
 
@@ -12,6 +15,7 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/testcontainers/testcontainers-go"
+	testmysql "github.com/testcontainers/testcontainers-go/modules/mysql"
 	testpostgres "github.com/testcontainers/testcontainers-go/modules/postgres"
 	"github.com/testcontainers/testcontainers-go/wait"
 	"github.com/upper/db/v4"
@@ -85,6 +89,43 @@ func setupPostgresContainer(ctx context.Context, t *testing.T) (config.DBConfig,
 	return dbConfig, termContainerFn, nil
 }
 
+func setupMySQLContainerWithDatabase(ctx context.Context, t *testing.T, database string) (config.DBConfig, func(), error) {
+	mysqlContainer, err := testmysql.Run(ctx,
+		"mysql:8.4.5",
+		testmysql.WithDatabase(database),
+		testmysql.WithUsername(userName),
+		testmysql.WithPassword(password),
+	)
+	if err != nil {
+		return config.DBConfig{}, nil, err
+	}
+
+	host, err := mysqlContainer.Host(ctx)
+	require.NoError(t, err)
+	portS, err := mysqlContainer.MappedPort(ctx, "3306/tcp")
+	require.NoError(t, err)
+	port, err := strconv.Atoi(portS.Port())
+	require.NoError(t, err)
+
+	cfg := config.DBConfig{
+		MySQL: &config.MySQLConfig{
+			DatabaseConfig: config.DatabaseConfig{
+				Database: database,
+				Host:     host,
+				Port:     port,
+			},
+		},
+	}
+
+	termContainerFn := func() {
+		if err := testcontainers.TerminateContainer(mysqlContainer); err != nil {
+			t.Logf("failed to terminate container: %s", err)
+		}
+	}
+
+	return cfg, termContainerFn, nil
+}
+
 func TestSessionReconnect(t *testing.T) {
 	if runtime.GOOS == "windows" {
 		t.Skip("This test uses the Linux container image and therefore cannot be performed on the Windows platform")
@@ -130,3 +171,57 @@ func TestSessionReconnect(t *testing.T) {
 	<-doneChan
 	cancel()
 }
+
+func TestPostgresSessionUsesSchema(t *testing.T) {
+	if runtime.GOOS == "windows" {
+		t.Skip("This test uses the Linux container image and therefore cannot be performed on the Windows platform")
+	}
+
+	ctx := logging.TestContext(t.Context())
+	cfg, cleanup, err := setupPostgresContainer(ctx, t)
+	require.NoError(t, err)
+	defer cleanup()
+
+	createSQLDB, err := sql.Open("postgres", fmt.Sprintf("host=%s port=%d user=%s password=%s dbname=%s sslmode=disable", cfg.PostgreSQL.Host, cfg.PostgreSQL.Port, userName, password, cfg.PostgreSQL.Database))
+	require.NoError(t, err)
+	defer createSQLDB.Close()
+
+	_, err = createSQLDB.ExecContext(ctx, "CREATE SCHEMA IF NOT EXISTS myschema")
+	require.NoError(t, err)
+
+	cfg.PostgreSQL.Schema = "myschema"
+	session, dbType, err := CreateDBSessionWithCreds(cfg, userName, password)
+	require.NoError(t, err)
+	require.Equal(t, Postgres, dbType)
+	defer session.Close()
+
+	var currentSchema string
+	row, err := session.SQL().QueryRow("SELECT current_schema()")
+	require.NoError(t, err)
+	err = row.Scan(&currentSchema)
+	require.NoError(t, err)
+	require.Equal(t, "myschema", currentSchema)
+}
+
+func TestMySQLSessionUsesSchema(t *testing.T) {
+	if runtime.GOOS == "windows" {
+		t.Skip("This test uses the Linux container image and therefore cannot be performed on the Windows platform")
+	}
+
+	ctx := logging.TestContext(t.Context())
+	cfg, cleanup, err := setupMySQLContainerWithDatabase(ctx, t, dbName)
+	require.NoError(t, err)
+	defer cleanup()
+
+	session, dbType, err := CreateDBSessionWithCreds(cfg, userName, password)
+	require.NoError(t, err)
+	require.Equal(t, MySQL, dbType)
+	defer session.Close()
+
+	var currentDatabase string
+	row, err := session.SQL().QueryRow("SELECT DATABASE()")
+	require.NoError(t, err)
+	err = row.Scan(&currentDatabase)
+	require.NoError(t, err)
+	require.Equal(t, dbName, currentDatabase)
+}