
Commit 7665a42

Fixing bootstrapping issues with migrations. (#2047)
## What kind of change does this PR introduce? Bug fix for #1729, #1848, #1983, and #2040 with an additional type fix. ## What is the current behavior? The auth service cannot be deployed in a net new environment on PostgreSQL 17. ## What is the new behavior? The service is running properly with PostgreSQL 17 in a cleanroom environment. ## Additional context Here is a redacted version of the terraform I used to deploy it with. I used my own container build with these fixes, `ghcr.io/siennathesane/auth:v2.175.0`, that you can use to verify the fix is valid, if you want. ```hcl locals { f2-auth-db-namespace = "auth" } resource "kubernetes_service_account" "f2-auth" { metadata { name = "f2-auth" namespace = var.namespace } } resource "kubernetes_manifest" "f2-auth-db" { manifest = { "apiVersion" = "postgresql.cnpg.io/v1" "kind" = "Database" "metadata" = { "name" = "f2-auth-db" "namespace" = var.namespace } "spec" = { "cluster" = { "name" = kubernetes_manifest.f2-cluster.object.metadata.name } "allowConnections" = true "name" = local.f2-auth-db-namespace "owner" = kubernetes_secret_v1.f2-auth-db.data.username "schemas" = [{ "name" = local.f2-auth-db-namespace "owner" = kubernetes_secret_v1.f2-auth-db.data.username }] } } } resource "kubernetes_config_map_v1" "f2-auth-initdb" { metadata { name = "sql-commands" namespace = var.namespace } data = { "script.sql" = <<-EOT ALTER USER ${kubernetes_secret_v1.f2-auth-db.data.username} WITH LOGIN CREATEROLE CREATEDB REPLICATION BYPASSRLS; GRANT ${kubernetes_secret_v1.f2-auth-db.data.username} TO postgres; CREATE SCHEMA IF NOT EXISTS ${local.f2-auth-db-namespace} AUTHORIZATION ${kubernetes_secret_v1.f2-auth-db.data.username}; GRANT CREATE ON DATABASE postgres TO ${kubernetes_secret_v1.f2-auth-db.data.username}; ALTER USER ${kubernetes_secret_v1.f2-auth-db.data.username} SET search_path = '${local.f2-auth-db-namespace}'; EOT } } resource "kubernetes_secret_v1" "f2-auth-db" { metadata { name = "auth-db" namespace = var.namespace 
labels = { "cnpg.io/reload" = "true" } } data = { username = "[REDACTED]" password = random_password.f2-auth-db-password.result database = "auth" } type = "kubernetes.io/basic-auth" } resource "kubernetes_secret_v1" "f2-auth-jwt" { metadata { name = "auth-jwt" namespace = var.namespace } data = { anonKey = "[REDACTED]" secret = "[REDACTED]" serviceKey = "[REDACTED]" } type = "Opaque" } resource "random_password" "f2-auth-db-password" { length = 16 special = false } resource "kubernetes_deployment_v1" "f2-auth" { depends_on = [kubernetes_manifest.f2-auth-db] timeouts { create = "2m" } metadata { name = "f2auth" labels = { "f2.pub/app" = "auth-${var.environment}" } namespace = var.namespace } spec { replicas = 1 selector { match_labels = { "f2.pub/app" = "auth-${var.environment}" } } template { metadata { labels = { "f2.pub/app" = "auth-${var.environment}" } } spec { image_pull_secrets { name = var.ghcr-pull-secret-name } init_container { name = "init-db" image = "postgres:17-alpine" command = ["psql", "-f", "/sql/script.sql"] env { name = "PGHOST" value = "${kubernetes_manifest.f2-cluster.object.metadata.name}-rw" } env { name = "PGPORT" value = "5432" } env { name = "PGDATABASE" value = kubernetes_secret_v1.f2-auth-db.data.database } env { name = "PGUSER" value = kubernetes_secret_v1.f2-auth-db.data.username } env { name = "PGPASSWORD" value = kubernetes_secret_v1.f2-auth-db.data.password } volume_mount { name = "sql-volume" mount_path = "/sql" } } volume { name = "sql-volume" config_map { name = kubernetes_config_map_v1.f2-auth-initdb.metadata[0].name } } container { image = "ghcr.io/siennathesane/auth:${var.goauth-version}" image_pull_policy = "Always" name = "auth" resources { limits = { cpu = "0.5" memory = "512Mi" } requests = { cpu = "250m" memory = "50Mi" } } port { name = "http" container_port = 9999 protocol = "TCP" } env { name = "GOTRUE_DB_DRIVER" value = "postgres" } env { name = "DB_NAMESPACE" value = "auth" } env { name = "DATABASE_URL" value = 
"postgres://${kubernetes_secret_v1.f2-auth-db.data.username}:[REDACTED]@${ kubernetes_manifest.f2-cluster.object.metadata.name}-rw:5432/${kubernetes_secret_v1.f2-auth-db.data.database}" } env { name = "GOTRUE_JWT_SECRET" value_from { secret_key_ref { name = "auth-jwt" key = "secret" } } } env { name = "API_EXTERNAL_URL" value = "http://[REDACTED]" } env { name = "GOTRUE_SITE_URL" value = "http://[REDACTED]" } env { name = "GOTRUE_API_HOST" value = "0.0.0.0" } env { name = "PORT" value = "9999" } } } } } } ``` Closes #1729 Closes #1848 Closes #1983 Closes #2040 Signed-off-by: Sienna Satterwhite <[email protected]> Co-authored-by: Chris Stockton <[email protected]>
1 parent db40e28 commit 7665a42

5 files changed

+11
-11
lines changed

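--- a/migrations/20221003041349_add_mfa_schema.up.sql
+++ b/migrations/20221003041349_add_mfa_schema.up.sql
@@ -1,8 +1,8 @@
 -- see: https://stackoverflow.com/questions/7624919/check-if-a-user-defined-type-already-exists-in-postgresql/48382296#48382296
 do $$ begin
-create type factor_type as enum('totp', 'webauthn');
-create type factor_status as enum('unverified', 'verified');
-create type aal_level as enum('aal1', 'aal2', 'aal3');
+create type {{ index .Options "Namespace" }}.factor_type as enum('totp', 'webauthn');
+create type {{ index .Options "Namespace" }}.factor_status as enum('unverified', 'verified');
+create type {{ index .Options "Namespace" }}.aal_level as enum('aal1', 'aal2', 'aal3');
 exception
 when duplicate_object then null;
 end $$;
@@ -12,8 +12,8 @@ create table if not exists {{ index .Options "Namespace" }}.mfa_factors(
 id uuid not null,
 user_id uuid not null,
 friendly_name text null,
-factor_type factor_type not null,
-status factor_status not null,
+factor_type {{ index .Options "Namespace" }}.factor_type not null,
+status {{ index .Options "Namespace" }}.factor_status not null,
 created_at timestamptz not null,
 updated_at timestamptz not null,
 secret text null,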
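Review bot: Qualifying `factor_type`, `factor_status` and `aal_level` with the namespace in a migration that existing deployments have already applied splits installs into two populations: upgraded databases keep these enums in whichever schema the old unqualified `create type` resolved through search_path (presumably `public`), this file never re-runs for them, and any later migration or query that names `{{ index .Options "Namespace" }}.factor_type` will fail there. Nothing in this commit moves the existing types; a follow-up migration along the lines of `alter type public.factor_type set schema {{ index .Options "Namespace" }};`, guarded so it is a no-op where the type is already in place, would reconcile the two — confirm which schema existing installs actually hold these types in before hard-coding `public`. It would also help to put a one-line comment above the `do $$` block stating that the types are deliberately schema-qualified so bootstrap does not depend on a writable schema on search_path. The `create table if not exists ... mfa_factors(` statement edited by the second hunk begins outside the hunk.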
Lines changed: 1 addition & 1 deletion
@@ -1,3 +1,3 @@
11
-- add factor_id to sessions
22
alter table {{ index .Options "Namespace" }}.sessions add column if not exists factor_id uuid null;
3-
alter table {{ index .Options "Namespace" }}.sessions add column if not exists aal aal_level null;
3+
alter table {{ index .Options "Namespace" }}.sessions add column if not exists aal {{ index .Options "Namespace" }}.aal_level null;

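--- a/migrations/20221208132122_backfill_email_last_sign_in_at.up.sql
+++ b/migrations/20221208132122_backfill_email_last_sign_in_at.up.sql
@@ -9,5 +9,5 @@ update {{ index .Options "Namespace" }}.identities
 created_at = '2022-11-25' and
 updated_at = '2022-11-25' and
 provider = 'email' and
-id = user_id::text;
+id::text = user_id::text;
 end $$;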
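Review bot: The reason both sides of the predicate are now cast in `id::text = user_id::text` is not recorded; the original `id = user_id::text` only breaks if `identities.id` is not text at this point in the migration sequence, which a reader cannot tell from this file. Add a one-line comment above the predicate, e.g. `-- cast both sides: identities.id is presumably not text in every environment this runs in, so compare as text`, and confirm in which environments the column type actually differs. Casting the column also rules out using an index on `identities.id` for this backfill; acceptable for a one-off update, but worth stating in the same comment. The `update ... identities` statement and its enclosing `do $$` block both begin outside the hunk.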

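--- a/migrations/20230322519590_add_flow_state_table.up.sql
+++ b/migrations/20230322519590_add_flow_state_table.up.sql
@@ -1,14 +1,14 @@
 -- see: https://stackoverflow.com/questions/7624919/check-if-a-user-defined-type-already-exists-in-postgresql/48382296#48382296
 do $$ begin
-create type code_challenge_method as enum('s256', 'plain');
+create type {{ index .Options "Namespace" }}.code_challenge_method as enum('s256', 'plain');
 exception
 when duplicate_object then null;
 end $$;
 create table if not exists {{ index .Options "Namespace" }}.flow_state(
 id uuid primary key,
 user_id uuid null,
 auth_code text not null,
-code_challenge_method code_challenge_method not null,
+code_challenge_method {{ index .Options "Namespace" }}.code_challenge_method not null,
 code_challenge text not null,
 provider_type text not null,
 provider_access_token text null,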
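Review bot: Schema-qualifying `create type` changes which privilege the migration role needs, and the file does not say so: the unqualified form created the enum in the first schema on search_path the role could create in, while the new form requires CREATE on the `Namespace` schema itself, and the `code_challenge_method` column reference only resolves once the type exists there. Add a comment above the `do $$` block, e.g. `-- schema-qualified so the enum lands in the auth namespace regardless of search_path; the migration role needs CREATE on that schema`. Presumably this is what makes a fresh PostgreSQL 17 bootstrap work (recent releases no longer grant CREATE on public to every role), but that is inferred from the commit message rather than visible in the hunk. The `create table ... flow_state(` column list continues past the end of the hunk.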

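--- a/migrations/20240427152123_add_one_time_tokens_table.up.sql
+++ b/migrations/20240427152123_add_one_time_tokens_table.up.sql
@@ -1,5 +1,5 @@
 do $$ begin
-create type one_time_token_type as enum (
+create type {{ index .Options "Namespace" }}.one_time_token_type as enum (
 'confirmation_token',
 'reauthentication_token',
 'recovery_token',
@@ -16,7 +16,7 @@ do $$ begin
 create table if not exists {{ index .Options "Namespace" }}.one_time_tokens (
 id uuid primary key,
 user_id uuid not null references {{ index .Options "Namespace" }}.users on delete cascade,
-token_type one_time_token_type not null,
+token_type {{ index .Options "Namespace" }}.one_time_token_type not null,
 token_hash text not null,
 relates_to text not null,
 created_at timestamp without time zone not null default now(),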
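Review bot: The down migration for this file is not among the five files changed; if it still drops `one_time_token_type` by its unqualified name, that drop now resolves through search_path rather than the namespace where this hunk creates the type, so a rollback on a fresh install either fails with "type does not exist" or hits whatever same-named type search_path finds. Update it in the same commit to `drop type if exists {{ index .Options "Namespace" }}.one_time_token_type;`. The enum label list and the `exception when duplicate_object` handler for this block continue outside the first hunk, so the guard could not be checked here, and whether a down file exists at all is inferred rather than visible.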
