fix: update the state of helm chart to match self-hosted configuration of 2025

This PR addresses many accumulated issues and overlaps with quite a few separate PRs that were submitted previously.

Author: aantti

build/supabase-0.2.0.tgz

@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.3
+version: 0.2.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

charts/supabase/Chart.yaml

@@ -40,21 +40,13 @@ spec:
               value: {{ .Values.analytics.environment.DB_HOST | quote }}
               {{- end }}
             - name: DB_USER
-              valueFrom:
-                secretKeyRef:
-                  {{- if .Values.secret.db.secretRef }}
-                  name: {{ .Values.secret.db.secretRef }}
-                  key: {{ .Values.secret.db.secretRefKey.username | default "username" }}
-                  {{- else }}
-                  name: {{ include "supabase.secret.db" . }}
-                  key: username
-                  {{- end }}
+              value: $(DB_USERNAME)
             - name: DB_PORT
               value: {{ .Values.analytics.environment.DB_PORT | quote }}
           command: ["/bin/sh", "-c"]
           args:
             - |
-              until pg_isready -h $(DB_HOST) -p $(DB_PORT) -U $(DB_USER); do
+              until pg_isready -h $(DB_HOST) -p $(DB_PORT) -U postgres; do
               echo "Waiting for database to start..."
               sleep 2
               done
@@ -96,25 +88,25 @@ spec:
                   name: {{ include "supabase.secret.db" . }}
                   key: password_encoded
                   {{- end }}
-            - name: DB_DATABASE
+            - name:  LOGFLARE_PUBLIC_ACCESS_TOKEN
               valueFrom:
                 secretKeyRef:
-                  {{- if .Values.secret.db.secretRef }}
-                  name: {{ .Values.secret.db.secretRef }}
-                  key: {{ .Values.secret.db.secretRefKey.database | default "database" }}
+                  {{- if .Values.secret.analytics.secretRef }}
+                  name: {{ .Values.secret.analytics.secretRef }}
+                  key: {{ .Values.secret.analytics.secretRefKey.publicAccessToken | default "apiKey" }}
                   {{- else }}
-                  name: {{ include "supabase.secret.db" . }}
-                  key: database
+                  name: {{ include "supabase.secret.analytics" . }}
+                  key: publicAccessToken
                   {{- end }}
-            - name: LOGFLARE_API_KEY
+            - name: LOGFLARE_PRIVATE_ACCESS_TOKEN
               valueFrom:
                 secretKeyRef:
                   {{- if .Values.secret.analytics.secretRef }}
                   name: {{ .Values.secret.analytics.secretRef }}
-                  key: {{ .Values.secret.analytics.secretRefKey.apiKey | default "apiKey" }}
+                  key: {{ .Values.secret.analytics.secretRefKey.privateAccessToken | default "apiKey" }}
                   {{- else }}
                   name: {{ include "supabase.secret.analytics" . }}
-                  key: apiKey
+                  key: privateAccessToken
                   {{- end }}
             {{- if .Values.analytics.bigQuery.enabled }}
             - name: GOOGLE_PROJECT_ID
@@ -124,10 +116,6 @@ spec:
             {{- else }}
             - name: POSTGRES_BACKEND_URL
               value: $(DB_DRIVER)://$(DB_USERNAME):$(DB_PASSWORD_ENC)@$(DB_HOSTNAME):$(DB_PORT)/$(DB_DATABASE)
-            - name: POSTGRES_BACKEND_SCHEMA
-              value: $(DB_SCHEMA)
-            - name: LOGFLARE_FEATURE_FLAG_OVERRIDE
-              value: $(FEATURE_FLAG_OVERRIDE)
             {{- end }}
           {{- with .Values.analytics.livenessProbe }}
           livenessProbe:
@@ -178,4 +166,4 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-{{- end }}
+{{- end }}

charts/supabase/templates/analytics/deployment.yaml

@@ -39,22 +39,12 @@ spec:
               {{- else }}
               value: {{ .Values.auth.environment.DB_HOST | quote }}
               {{- end }}
-            - name: DB_USER
-              valueFrom:
-                secretKeyRef:
-                  {{- if .Values.secret.db.secretRef }}
-                  name: {{ .Values.secret.db.secretRef }}
-                  key: {{ .Values.secret.db.secretRefKey.username | default "username" }}
-                  {{- else }}
-                  name: {{ include "supabase.secret.db" . }}
-                  key: username
-                  {{- end }}
             - name: DB_PORT
               value: {{ .Values.auth.environment.DB_PORT | quote }}
           command: ["/bin/sh", "-c"]
           args:
             - |
-              until pg_isready -h $(DB_HOST) -p $(DB_PORT) -U $(DB_USER); do
+              until pg_isready -h $(DB_HOST) -p $(DB_PORT) -U postgres; do
               echo "Waiting for database to start..."
               sleep 2
               done
@@ -178,4 +168,4 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-{{- end }}
+{{- end }}

charts/supabase/templates/auth/deployment.yaml

@@ -10,13 +10,21 @@ data:
     \set jwt_secret `echo "$JWT_SECRET"`
     \set jwt_exp `echo "$JWT_EXP"`
 
-    ALTER DATABASE postgres SET "app.settings.jwt_secret" TO :jwt_secret;
-    ALTER DATABASE postgres SET "app.settings.jwt_exp" TO :jwt_exp;
-  99-logs.sql: |
+    ALTER DATABASE postgres SET "app.settings.jwt_secret" TO :'jwt_secret';
+    ALTER DATABASE postgres SET "app.settings.jwt_exp" TO :'jwt_exp';
+  99-pooler.sql: |
     \set pguser `echo "$POSTGRES_USER"`
 
+    \c _supabase
+    create schema if not exists _supavisor;
+    alter schema _supavisor owner to :pguser;
+    \c postgres
+  99-logs.sql: |
+    \set pguser `echo "$POSTGRES_USER"`
+    \c _supabase
     create schema if not exists _analytics;
     alter schema _analytics owner to :pguser;
+    \c postgres
   99-realtime.sql: |
     \set pguser `echo "$POSTGRES_USER"`
 
@@ -31,6 +39,10 @@ data:
     ALTER USER supabase_auth_admin WITH PASSWORD :'pgpass';
     ALTER USER supabase_functions_admin WITH PASSWORD :'pgpass';
     ALTER USER supabase_storage_admin WITH PASSWORD :'pgpass';
+  97-_supabase.sql: |
+    \set pguser `echo "$POSTGRES_USER"`
+
+    CREATE DATABASE _supabase WITH OWNER :pguser;
   98-webhooks.sql: |
     BEGIN;
       -- Create pg_net extension
@@ -75,29 +87,29 @@ data:
           IF url IS NULL OR url = 'null' THEN
             RAISE EXCEPTION 'url argument is missing';
           END IF;
-    
+
           IF method IS NULL OR method = 'null' THEN
             RAISE EXCEPTION 'method argument is missing';
           END IF;
-    
+
           IF TG_ARGV[2] IS NULL OR TG_ARGV[2] = 'null' THEN
             headers = '{"Content-Type": "application/json"}'::jsonb;
           ELSE
             headers = TG_ARGV[2]::jsonb;
           END IF;
-    
+
           IF TG_ARGV[3] IS NULL OR TG_ARGV[3] = 'null' THEN
             params = '{}'::jsonb;
           ELSE
             params = TG_ARGV[3]::jsonb;
           END IF;
-    
+
           IF TG_ARGV[4] IS NULL OR TG_ARGV[4] = 'null' THEN
             timeout_ms = 1000;
           ELSE
             timeout_ms = TG_ARGV[4]::integer;
           END IF;
-    
+
           CASE
             WHEN method = 'GET' THEN
               SELECT http_get INTO request_id FROM net.http_get(
@@ -114,7 +126,7 @@ data:
                 'table', TG_TABLE_NAME,
                 'schema', TG_TABLE_SCHEMA
               );
-    
+
               SELECT http_post INTO request_id FROM net.http_post(
                 url,
                 payload,
@@ -125,12 +137,12 @@ data:
             ELSE
               RAISE EXCEPTION 'method argument % is invalid', method;
           END CASE;
-    
+
           INSERT INTO supabase_functions.hooks
             (hook_table_id, hook_name, request_id)
           VALUES
             (TG_RELID, TG_NAME, request_id);
-    
+
           RETURN NEW;
         END
       $function$;
@@ -240,4 +252,4 @@ data:
       REVOKE ALL ON FUNCTION supabase_functions.http_request() FROM PUBLIC;
       GRANT EXECUTE ON FUNCTION supabase_functions.http_request() TO postgres, anon, authenticated, service_role;
     COMMIT;
-{{- end }}
+{{- end }}

charts/supabase/templates/db/initdb.config.yaml

@@ -7,4 +7,4 @@ metadata:
     {{- include "supabase.labels" . | nindent 4 }}
 data:
   {{- toYaml .Values.db.config | nindent 2 }}
-{{- end }}
+{{- end }}

charts/supabase/templates/db/migration.config.yaml

@@ -14,4 +14,4 @@ spec:
       name: http
   selector:
     {{- include "supabase.db.selectorLabels" . | nindent 4 }}
-{{- end }}
+{{- end }}

charts/supabase/templates/db/service.yaml

@@ -11,4 +11,4 @@ metadata:
     {{- toYaml . | nindent 4 }}
   {{- end }}
 {{- end }}
-{{- end }}
+{{- end }}

charts/supabase/templates/db/serviceaccount.yaml

@@ -1,6 +1,6 @@
 {{- if .Values.db.enabled -}}
 apiVersion: apps/v1
-kind: Deployment
+kind: StatefulSet
 metadata:
   name: {{ include "supabase.db.fullname" . }}
   labels:
@@ -39,8 +39,12 @@ spec:
               cp -r /docker-entrypoint-initdb.d/* /initdb.d/
               cp /custom-init-scripts/98-webhooks.sql /initdb.d/init-scripts/
               cp /custom-init-scripts/99-roles.sql /initdb.d/init-scripts/
+              cp /custom-init-scripts/99-jwt.sql /initdb.d/init-scripts/
+
               cp /custom-init-scripts/99-logs.sql /initdb.d/migrations/
               cp /custom-init-scripts/99-realtime.sql /initdb.d/migrations/
+              cp /custom-init-scripts/97-_supabase.sql /initdb.d/migrations/
+              cp /custom-init-scripts/99-pooler.sql /initdb.d/migrations/
 
               echo "Copying user-defined migration scripts..."
               cp /custom-migrations/* /initdb.d/migrations/ || echo "Skip migrations"
@@ -58,21 +62,15 @@ spec:
             {{- toYaml .Values.db.securityContext | nindent 12 }}
           image: "{{ .Values.db.image.repository }}:{{ .Values.db.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.db.image.pullPolicy }}
+          lifecycle:
+            preStop:
+              exec:
+                command: ["/bin/sh", "-c", "pg_ctl -D /var/lib/postgres/data -w -t 60 -m fast stop"]
           env:
             {{- range $key, $value := .Values.db.environment }}
             - name: {{ $key }}
               value: {{ $value | quote }}
             {{- end }}
-            - name: POSTGRES_USER
-              valueFrom:
-                secretKeyRef:
-                  {{- if .Values.secret.db.secretRef }}
-                  name: {{ .Values.secret.db.secretRef }}
-                  key: {{ .Values.secret.db.secretRefKey.username | default "username" }}
-                  {{- else }}
-                  name: {{ include "supabase.secret.db" . }}
-                  key: username
-                  {{- end }}
             - name: PGPASSWORD
               valueFrom:
                 secretKeyRef:
@@ -113,6 +111,16 @@ spec:
                   name: {{ include "supabase.secret.db" . }}
                   key: database
                   {{- end }}
+            - name: JWT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  {{- if .Values.secret.jwt.secretRef }}
+                  name: {{ .Values.secret.jwt.secretRef }}
+                  key: {{ .Values.secret.jwt.secretRefKey.secret | default "database" }}
+                  {{- else }}
+                  name: {{ include "supabase.secret.jwt" . }}
+                  key: secret
+                  {{- end }}
           {{- with .Values.db.livenessProbe }}
           livenessProbe:
             {{- toYaml . | nindent 12 }}
@@ -123,7 +131,7 @@ spec:
           {{- end }}
           ports:
             - name: http
-              containerPort: 9999
+              containerPort: 5432
               protocol: TCP
           volumeMounts:
             - mountPath: /docker-entrypoint-initdb.d
@@ -170,4 +178,4 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-{{- end }}
+{{- end }}

…ts/supabase/templates/db/deployment.yaml …s/supabase/templates/db/statefulset.yamlcharts/supabase/templates/db/deployment.yaml renamed to charts/supabase/templates/db/statefulset.yaml charts/supabase/templates/db/deployment.yaml renamed to charts/supabase/templates/db/statefulset.yaml

@@ -38,11 +38,21 @@ spec:
             {{- toYaml .Values.functions.securityContext | nindent 12 }}
           image: "{{ .Values.functions.image.repository }}:{{ .Values.functions.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.functions.image.pullPolicy }}
+          {{- if .Values.functions.envFrom }}
+          envFrom:
+            {{- toYaml .Values.functions.envFrom | nindent 12 }}
+          {{- end }}
           env:
             {{- range $key, $value := .Values.functions.environment }}
             - name: {{ $key }}
               value: {{ $value | quote }}
             {{- end }}
+
+            {{- if .Values.kong.enabled }}
+            - name: SUPABASE_URL
+              value: http://{{ include "supabase.kong.fullname" . }}:{{ .Values.kong.service.port }}
+            {{- end }}
+
             - name: DB_HOSTNAME
               {{- if .Values.db.enabled }}
               value: {{ include "supabase.db.fullname" . }}
@@ -109,7 +119,7 @@ spec:
                   name: {{ include "supabase.secret.jwt" . }}
                   key: serviceKey
                   {{- end }}
-            - name: POSTGRES_BACKEND_URL
+            - name: SUPABASE_DB_URL
               value: $(DB_DRIVER)://$(DB_USERNAME):$(DB_PASSWORD_ENC)@$(DB_HOSTNAME):$(DB_PORT)/$(DB_DATABASE)?search_path=auth&sslmode=$(DB_SSL)
           {{- with .Values.functions.livenessProbe }}
           livenessProbe:
@@ -148,4 +158,4 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-{{- end }}
+{{- end }}