diff --git a/build/supabase-0.2.0.tgz b/build/supabase-0.2.0.tgz new file mode 100644 index 00000000..126813a3 Binary files /dev/null and b/build/supabase-0.2.0.tgz differ diff --git a/charts/supabase/Chart.yaml b/charts/supabase/Chart.yaml index 92a3b4de..f373aa28 100644 --- a/charts/supabase/Chart.yaml +++ b/charts/supabase/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.3 +version: 0.2.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/charts/supabase/templates/analytics/deployment.yaml b/charts/supabase/templates/analytics/deployment.yaml index 3c4f585c..22d6bbd1 100644 --- a/charts/supabase/templates/analytics/deployment.yaml +++ b/charts/supabase/templates/analytics/deployment.yaml @@ -40,21 +40,13 @@ spec: value: {{ .Values.analytics.environment.DB_HOST | quote }} {{- end }} - name: DB_USER - valueFrom: - secretKeyRef: - {{- if .Values.secret.db.secretRef }} - name: {{ .Values.secret.db.secretRef }} - key: {{ .Values.secret.db.secretRefKey.username | default "username" }} - {{- else }} - name: {{ include "supabase.secret.db" . }} - key: username - {{- end }} + value: $(DB_USERNAME) - name: DB_PORT value: {{ .Values.analytics.environment.DB_PORT | quote }} command: ["/bin/sh", "-c"] args: - | - until pg_isready -h $(DB_HOST) -p $(DB_PORT) -U $(DB_USER); do + until pg_isready -h $(DB_HOST) -p $(DB_PORT) -U postgres; do echo "Waiting for database to start..." sleep 2 done 
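Review bot: In the init container of analytics/deployment.yaml, `DB_USER` is now set to `value: $(DB_USERNAME)`, but no `DB_USERNAME` entry is visible in this container's env, and Kubernetes leaves an unresolved `$(VAR)` reference as literal text. The `pg_isready` line on the new side no longer reads `DB_USER` at all (it passes `-U postgres`), so the variable looks like dead configuration. The auth, realtime and storage deployments in this commit drop it entirely, and I would remove the `- name: DB_USER` / `value: $(DB_USERNAME)` pair here as well. The container spec continues outside the hunk, so confirm nothing else there reads it.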
@@ -70,10 +62,12 @@ spec: - name: {{ $key }} value: {{ $value | quote }} {{- end }} - {{- if .Values.db.enabled }} - name: DB_HOSTNAME - value: {{ include "supabase.db.fullname" . }} - {{- end }} + {{- if .Values.db.enabled }} + value: {{ include "supabase.db.fullname" . | quote }} + {{- else }} + value: {{ .Values.auth.environment.DB_HOST | quote }} + {{- end }} - name: DB_PASSWORD valueFrom: secretKeyRef: @@ -94,25 +88,25 @@ spec: name: {{ include "supabase.secret.db" . }} key: password_encoded {{- end }} - - name: DB_DATABASE + - name: LOGFLARE_PUBLIC_ACCESS_TOKEN valueFrom: secretKeyRef: - {{- if .Values.secret.db.secretRef }} - name: {{ .Values.secret.db.secretRef }} - key: {{ .Values.secret.db.secretRefKey.database | default "database" }} + {{- if .Values.secret.analytics.secretRef }} + name: {{ .Values.secret.analytics.secretRef }} + key: {{ .Values.secret.analytics.secretRefKey.publicAccessToken | default "apiKey" }} {{- else }} - name: {{ include "supabase.secret.db" . }} - key: database + name: {{ include "supabase.secret.analytics" . }} + key: publicAccessToken {{- end }} - - name: LOGFLARE_API_KEY + - name: LOGFLARE_PRIVATE_ACCESS_TOKEN valueFrom: secretKeyRef: {{- if .Values.secret.analytics.secretRef }} name: {{ .Values.secret.analytics.secretRef }} - key: {{ .Values.secret.analytics.secretRefKey.apiKey | default "apiKey" }} + key: {{ .Values.secret.analytics.secretRefKey.privateAccessToken | default "apiKey" }} {{- else }} name: {{ include "supabase.secret.analytics" . }} - key: apiKey + key: privateAccessToken {{- end }} {{- if .Values.analytics.bigQuery.enabled }} - name: GOOGLE_PROJECT_ID @@ -122,10 +116,6 @@ spec: {{- else }} - name: POSTGRES_BACKEND_URL value: $(DB_DRIVER)://$(DB_USERNAME):$(DB_PASSWORD_ENC)@$(DB_HOSTNAME):$(DB_PORT)/$(DB_DATABASE) - - name: POSTGRES_BACKEND_SCHEMA - value: $(DB_SCHEMA) - - name: LOGFLARE_FEATURE_FLAG_OVERRIDE - value: $(FEATURE_FLAG_OVERRIDE) {{- end }} {{- with .Values.analytics.livenessProbe }} livenessProbe: 
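Review bot: In the hunk at `@@ -70,10 +62,12 @@`, the new `else` branch for `DB_HOSTNAME` reads `.Values.auth.environment.DB_HOST`, while the init container of this same file takes its host from `.Values.analytics.environment.DB_HOST`. With `db.enabled: false` the readiness wait and the Logflare backend can therefore point at different hosts, and an analytics-specific database host is silently ignored. I would use `value: {{ .Values.analytics.environment.DB_HOST | quote }}` unless sharing auth's setting is intended, in which case a template comment saying so would help.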
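Review bot: In the hunk at `@@ -94,25 +88,25 @@`, both `LOGFLARE_PUBLIC_ACCESS_TOKEN` and `LOGFLARE_PRIVATE_ACCESS_TOKEN` fall back to `default "apiKey"` when `secret.analytics.secretRef` is set, so an existing external secret supplies the same value for the public and the private token. That removes the separation between the two tokens (the public one is also handed to the Vector pod in vector/deployment.yaml), and it differs from the chart-managed branch, which uses the keys `publicAccessToken` and `privateAccessToken`. I would change the fallbacks to `default "publicAccessToken"` and `default "privateAccessToken"`, and document the migration for users whose secret only has `apiKey`. The same fallback appears in studio/deployment.yaml and vector/deployment.yaml in this commit.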
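Review bot: `POSTGRES_BACKEND_URL` in the hunk at `@@ -122,10 +116,6 @@` still ends in `$(DB_DATABASE)`, but the previous hunk removes the `DB_DATABASE` entry that was read from the database secret. Unless `analytics.environment` now supplies `DB_DATABASE` (not visible here), Kubernetes leaves the reference unexpanded and the URL carries the literal text `$(DB_DATABASE)`. The same question applies to the removed `POSTGRES_BACKEND_SCHEMA`; a short comment above the URL naming where these values now come from would settle it.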
@@ -176,4 +166,4 @@ spec: tolerations: {{- toYaml . | nindent 8 }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/charts/supabase/templates/auth/deployment.yaml b/charts/supabase/templates/auth/deployment.yaml index 8f3bba38..cc8eafcd 100644 --- a/charts/supabase/templates/auth/deployment.yaml +++ b/charts/supabase/templates/auth/deployment.yaml @@ -39,22 +39,12 @@ spec: {{- else }} value: {{ .Values.auth.environment.DB_HOST | quote }} {{- end }} - - name: DB_USER - valueFrom: - secretKeyRef: - {{- if .Values.secret.db.secretRef }} - name: {{ .Values.secret.db.secretRef }} - key: {{ .Values.secret.db.secretRefKey.username | default "username" }} - {{- else }} - name: {{ include "supabase.secret.db" . }} - key: username - {{- end }} - name: DB_PORT value: {{ .Values.auth.environment.DB_PORT | quote }} command: ["/bin/sh", "-c"] args: - | - until pg_isready -h $(DB_HOST) -p $(DB_PORT) -U $(DB_USER); do + until pg_isready -h $(DB_HOST) -p $(DB_PORT) -U postgres; do echo "Waiting for database to start..." sleep 2 done @@ -178,4 +168,4 @@ spec: tolerations: {{- toYaml . | nindent 8 }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/charts/supabase/templates/db/initdb.config.yaml b/charts/supabase/templates/db/initdb.config.yaml index 25f61ad2..7375dc8c 100644 --- a/charts/supabase/templates/db/initdb.config.yaml +++ b/charts/supabase/templates/db/initdb.config.yaml 
@@ -10,13 +10,21 @@ data: \set jwt_secret `echo "$JWT_SECRET"` \set jwt_exp `echo "$JWT_EXP"` - ALTER DATABASE postgres SET "app.settings.jwt_secret" TO :jwt_secret; - ALTER DATABASE postgres SET "app.settings.jwt_exp" TO :jwt_exp; - 99-logs.sql: | + ALTER DATABASE postgres SET "app.settings.jwt_secret" TO :'jwt_secret'; + ALTER DATABASE postgres SET "app.settings.jwt_exp" TO :'jwt_exp'; + 99-pooler.sql: | \set pguser `echo "$POSTGRES_USER"` + \c _supabase + create schema if not exists _supavisor; + alter schema _supavisor owner to :pguser; + \c postgres + 99-logs.sql: | + \set pguser `echo "$POSTGRES_USER"` + \c _supabase create schema if not exists _analytics; alter schema _analytics owner to :pguser; + \c postgres 99-realtime.sql: | \set pguser `echo "$POSTGRES_USER"` @@ -31,6 +39,10 @@ data: ALTER USER supabase_auth_admin WITH PASSWORD :'pgpass'; ALTER USER supabase_functions_admin WITH PASSWORD :'pgpass'; ALTER USER supabase_storage_admin WITH PASSWORD :'pgpass'; + 97-_supabase.sql: | + \set pguser `echo "$POSTGRES_USER"` + + CREATE DATABASE _supabase WITH OWNER :pguser; 98-webhooks.sql: | BEGIN; -- Create pg_net extension @@ -75,29 +87,29 @@ data: IF url IS NULL OR url = 'null' THEN RAISE EXCEPTION 'url argument is missing'; END IF; - + IF method IS NULL OR method = 'null' THEN RAISE EXCEPTION 'method argument is missing'; END IF; - + IF TG_ARGV[2] IS NULL OR TG_ARGV[2] = 'null' THEN headers = '{"Content-Type": "application/json"}'::jsonb; ELSE headers = TG_ARGV[2]::jsonb; END IF; - + IF TG_ARGV[3] IS NULL OR TG_ARGV[3] = 'null' THEN params = '{}'::jsonb; ELSE params = TG_ARGV[3]::jsonb; END IF; - + IF TG_ARGV[4] IS NULL OR TG_ARGV[4] = 'null' THEN timeout_ms = 1000; ELSE timeout_ms = TG_ARGV[4]::integer; END IF; - + CASE WHEN method = 'GET' THEN SELECT http_get INTO request_id FROM net.http_get( @@ -114,7 +126,7 @@ data: 'table', TG_TABLE_NAME, 'schema', TG_TABLE_SCHEMA ); - + SELECT http_post INTO request_id FROM net.http_post( url, payload, 
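Review bot: The new `99-pooler.sql` and `97-_supabase.sql` entries interpolate the role name with a bare `:pguser` (`alter schema _supavisor owner to :pguser;`, `CREATE DATABASE _supabase WITH OWNER :pguser;`), which pastes the environment value into the statement unquoted. The commit already moves the JWT settings to `:'jwt_secret'`; the identifier form would be the matching treatment here, e.g. `alter schema _supavisor owner to :"pguser";`. The rewritten `99-logs.sql` has the same bare `:pguser`. Separately, db/statefulset.yaml in this commit drops the `POSTGRES_USER` env entry from the database container, so if neither the image nor `db.environment` sets it, `pguser` is empty and these statements fail; worth confirming.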
@@ -125,12 +137,12 @@ data: ELSE RAISE EXCEPTION 'method argument % is invalid', method; END CASE; - + INSERT INTO supabase_functions.hooks (hook_table_id, hook_name, request_id) VALUES (TG_RELID, TG_NAME, request_id); - + RETURN NEW; END $function$; @@ -240,4 +252,4 @@ data: REVOKE ALL ON FUNCTION supabase_functions.http_request() FROM PUBLIC; GRANT EXECUTE ON FUNCTION supabase_functions.http_request() TO postgres, anon, authenticated, service_role; COMMIT; -{{- end }} \ No newline at end of file +{{- end }} diff --git a/charts/supabase/templates/db/migration.config.yaml b/charts/supabase/templates/db/migration.config.yaml index 77acec56..ebaab261 100644 --- a/charts/supabase/templates/db/migration.config.yaml +++ b/charts/supabase/templates/db/migration.config.yaml @@ -7,4 +7,4 @@ metadata: {{- include "supabase.labels" . | nindent 4 }} data: {{- toYaml .Values.db.config | nindent 2 }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/charts/supabase/templates/db/service.yaml b/charts/supabase/templates/db/service.yaml index c8dc9fac..0c98226b 100644 --- a/charts/supabase/templates/db/service.yaml +++ b/charts/supabase/templates/db/service.yaml @@ -14,4 +14,4 @@ spec: name: http selector: {{- include "supabase.db.selectorLabels" . | nindent 4 }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/charts/supabase/templates/db/serviceaccount.yaml b/charts/supabase/templates/db/serviceaccount.yaml index 204e3277..69fc6175 100644 --- a/charts/supabase/templates/db/serviceaccount.yaml +++ b/charts/supabase/templates/db/serviceaccount.yaml @@ -11,4 +11,4 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/charts/supabase/templates/db/deployment.yaml b/charts/supabase/templates/db/statefulset.yaml similarity index 89% rename from charts/supabase/templates/db/deployment.yaml rename to charts/supabase/templates/db/statefulset.yaml index 314842ed..c87723a5 100644 
--- a/charts/supabase/templates/db/deployment.yaml +++ b/charts/supabase/templates/db/statefulset.yaml @@ -1,6 +1,6 @@ {{- if .Values.db.enabled -}} apiVersion: apps/v1 -kind: Deployment +kind: StatefulSet metadata: name: {{ include "supabase.db.fullname" . }} labels: @@ -39,8 +39,12 @@ spec: cp -r /docker-entrypoint-initdb.d/* /initdb.d/ cp /custom-init-scripts/98-webhooks.sql /initdb.d/init-scripts/ cp /custom-init-scripts/99-roles.sql /initdb.d/init-scripts/ + cp /custom-init-scripts/99-jwt.sql /initdb.d/init-scripts/ + cp /custom-init-scripts/99-logs.sql /initdb.d/migrations/ cp /custom-init-scripts/99-realtime.sql /initdb.d/migrations/ + cp /custom-init-scripts/97-_supabase.sql /initdb.d/migrations/ + cp /custom-init-scripts/99-pooler.sql /initdb.d/migrations/ echo "Copying user-defined migration scripts..." cp /custom-migrations/* /initdb.d/migrations/ || echo "Skip migrations" @@ -58,21 +62,15 @@ spec: {{- toYaml .Values.db.securityContext | nindent 12 }} image: "{{ .Values.db.image.repository }}:{{ .Values.db.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.db.image.pullPolicy }} + lifecycle: + preStop: + exec: + command: ["/bin/sh", "-c", "pg_ctl -D /var/lib/postgres/data -w -t 60 -m fast stop"] env: {{- range $key, $value := .Values.db.environment }} - name: {{ $key }} value: {{ $value | quote }} {{- end }} - - name: POSTGRES_USER - valueFrom: - secretKeyRef: - {{- if .Values.secret.db.secretRef }} - name: {{ .Values.secret.db.secretRef }} - key: {{ .Values.secret.db.secretRefKey.username | default "username" }} - {{- else }} - name: {{ include "supabase.secret.db" . }} - key: username - {{- end }} - name: PGPASSWORD valueFrom: secretKeyRef: 
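Review bot: The switch to `kind: StatefulSet` in the hunk at `@@ -1,6 +1,6 @@` is not accompanied, in any hunk of this file, by a `spec.serviceName`, which a StatefulSet uses to name its governing Service. Unless the unchanged part of the spec already carries it, I would add `serviceName: {{ include "supabase.db.fullname" . }}` under `spec`. A Deployment-style `strategy` block, if one exists outside the hunks, would also need to become `updateStrategy`. Since the resource keeps its name but changes kind, an upgrade note saying that the Deployment is deleted and a StatefulSet created would help operators.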
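Review bot: The new `preStop` hook in the hunk at `@@ -58,21 +62,15 @@` lets `pg_ctl` wait up to 60 seconds (`-t 60`), but no `terminationGracePeriodSeconds` is set in the visible hunks, and the Kubernetes default is 30 seconds, after which the container is killed whether or not the fast shutdown has finished. I would set `terminationGracePeriodSeconds` on the pod spec to a value above the hook timeout. The data directory is also hard-coded as `/var/lib/postgres/data`; if the image exports `PGDATA`, `pg_ctl -D "$PGDATA" -w -t 60 -m fast stop` avoids a mismatch with the mounted path, which is outside this hunk.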
@@ -113,6 +111,16 @@ spec: name: {{ include "supabase.secret.db" . }} key: database {{- end }} + - name: JWT_SECRET + valueFrom: + secretKeyRef: + {{- if .Values.secret.jwt.secretRef }} + name: {{ .Values.secret.jwt.secretRef }} + key: {{ .Values.secret.jwt.secretRefKey.secret | default "database" }} + {{- else }} + name: {{ include "supabase.secret.jwt" . }} + key: secret + {{- end }} {{- with .Values.db.livenessProbe }} livenessProbe: {{- toYaml . | nindent 12 }} @@ -123,7 +131,7 @@ spec: {{- end }} ports: - name: http - containerPort: 9999 + containerPort: 5432 protocol: TCP volumeMounts: - mountPath: /docker-entrypoint-initdb.d @@ -170,4 +178,4 @@ spec: tolerations: {{- toYaml . | nindent 8 }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/charts/supabase/templates/functions/deployment.yaml b/charts/supabase/templates/functions/deployment.yaml index 22726897..3a8eb97b 100644 --- a/charts/supabase/templates/functions/deployment.yaml +++ b/charts/supabase/templates/functions/deployment.yaml @@ -38,11 +38,21 @@ spec: {{- toYaml .Values.functions.securityContext | nindent 12 }} image: "{{ .Values.functions.image.repository }}:{{ .Values.functions.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.functions.image.pullPolicy }} + {{- if .Values.functions.envFrom }} + envFrom: + {{- toYaml .Values.functions.envFrom | nindent 12 }} + {{- end }} env: {{- range $key, $value := .Values.functions.environment }} - name: {{ $key }} value: {{ $value | quote }} {{- end }} + + {{- if .Values.kong.enabled }} + - name: SUPABASE_URL + value: http://{{ include "supabase.kong.fullname" . }}:{{ .Values.kong.service.port }} + {{- end }} + - name: DB_HOSTNAME {{- if .Values.db.enabled }} value: {{ include "supabase.db.fullname" . }} 
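Review bot: In the added `JWT_SECRET` entry, the external-secret branch reads `key: {{ .Values.secret.jwt.secretRefKey.secret | default "database" }}`, so without an explicit `secretRefKey.secret` the container looks up a key named `database` in the JWT secret. That looks copied from the database-name entry just above it; the chart-managed branch here and the `AUTH_JWT_SECRET` entry added to studio/deployment.yaml both use `secret`. I would change the fallback to `default "secret"`. As written, the pod either fails to start on a missing key or, if the secret happens to contain `database`, loads the wrong value as the JWT secret.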
@@ -109,7 +119,7 @@ spec: name: {{ include "supabase.secret.jwt" . }} key: serviceKey {{- end }} - - name: POSTGRES_BACKEND_URL + - name: SUPABASE_DB_URL value: $(DB_DRIVER)://$(DB_USERNAME):$(DB_PASSWORD_ENC)@$(DB_HOSTNAME):$(DB_PORT)/$(DB_DATABASE)?search_path=auth&sslmode=$(DB_SSL) {{- with .Values.functions.livenessProbe }} livenessProbe: @@ -148,4 +158,4 @@ spec: tolerations: {{- toYaml . | nindent 8 }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/charts/supabase/templates/functions/functions.config.yaml b/charts/supabase/templates/functions/functions.config.yaml index 8aed927d..6a24bad9 100644 --- a/charts/supabase/templates/functions/functions.config.yaml +++ b/charts/supabase/templates/functions/functions.config.yaml 
@@ -16,89 +16,89 @@ data: const VERIFY_JWT = Deno.env.get('VERIFY_JWT') === 'true' function getAuthToken(req: Request) { - const authHeader = req.headers.get('authorization') - if (!authHeader) { + const authHeader = req.headers.get('authorization') + if (!authHeader) { throw new Error('Missing authorization header') - } - const [bearer, token] = authHeader.split(' ') - if (bearer !== 'Bearer') { + } + const [bearer, token] = authHeader.split(' ') + if (bearer !== 'Bearer') { throw new Error(`Auth header is not 'Bearer {token}'`) - } - return token + } + return token } async function verifyJWT(jwt: string): Promise { - const encoder = new TextEncoder() - const secretKey = encoder.encode(JWT_SECRET) - try { + const encoder = new TextEncoder() + const secretKey = encoder.encode(JWT_SECRET) + try { await jose.jwtVerify(jwt, secretKey) - } catch (err) { + } catch (err) { console.error(err) return false - } - return true + } + return true } serve(async (req: Request) => { - if (req.method !== 'OPTIONS' && VERIFY_JWT) { + if (req.method !== 'OPTIONS' && VERIFY_JWT) { try { - const token = getAuthToken(req) - const isValidJWT = await verifyJWT(token) + const token = getAuthToken(req) + const isValidJWT = await verifyJWT(token) - if (!isValidJWT) { + if (!isValidJWT) { return new Response(JSON.stringify({ msg: 'Invalid JWT' }), { - status: 401, - headers: { 'Content-Type': 'application/json' }, + status: 401, + headers: { 'Content-Type': 'application/json' }, }) - } + } } catch (e) { - console.error(e) - return new Response(JSON.stringify({ msg: e.toString() }), { + console.error(e) + return new Response(JSON.stringify({ msg: e.toString() }), { status: 401, headers: { 'Content-Type': 'application/json' }, - }) + }) } - } + } - const url = new URL(req.url) - const { pathname } = url - const path_parts = pathname.split('/') - const service_name = path_parts[1] + const url = new URL(req.url) + const { pathname } = url + const path_parts = pathname.split('/') + const 
service_name = path_parts[1] - if (!service_name || service_name === '') { + if (!service_name || service_name === '') { const error = { msg: 'missing function name in request' } return new Response(JSON.stringify(error), { - status: 400, - headers: { 'Content-Type': 'application/json' }, + status: 400, + headers: { 'Content-Type': 'application/json' }, }) - } + } - const servicePath = `/home/deno/functions/${service_name}` - console.error(`serving the request with ${servicePath}`) + const servicePath = `/home/deno/functions/${service_name}` + console.error(`serving the request with ${servicePath}`) - const memoryLimitMb = 150 - const workerTimeoutMs = 1 * 60 * 1000 - const noModuleCache = false - const importMapPath = null - const envVarsObj = Deno.env.toObject() - const envVars = Object.keys(envVarsObj).map((k) => [k, envVarsObj[k]]) + const memoryLimitMb = 150 + const workerTimeoutMs = 1 * 60 * 1000 + const noModuleCache = false + const importMapPath = null + const envVarsObj = Deno.env.toObject() + const envVars = Object.keys(envVarsObj).map((k) => [k, envVarsObj[k]]) - try { + try { const worker = await EdgeRuntime.userWorkers.create({ - servicePath, - memoryLimitMb, - workerTimeoutMs, - noModuleCache, - importMapPath, - envVars, + servicePath, + memoryLimitMb, + workerTimeoutMs, + noModuleCache, + importMapPath, + envVars, }) return await worker.fetch(req) - } catch (e) { + } catch (e) { const error = { msg: e.toString() } return new Response(JSON.stringify(error), { - status: 500, - headers: { 'Content-Type': 'application/json' }, + status: 500, + headers: { 'Content-Type': 'application/json' }, }) - } + } }) -{{- end }} \ No newline at end of file +{{- end }} diff --git a/charts/supabase/templates/kong/config.yaml b/charts/supabase/templates/kong/config.yaml index 2edd25af..84eeb8b5 100644 --- a/charts/supabase/templates/kong/config.yaml +++ b/charts/supabase/templates/kong/config.yaml 
@@ -177,7 +177,7 @@ data: {{- if .Values.functions.enabled }} - name: functions-v1 _comment: 'Edge Functions: /functions/v1/* -> http://{{ include "supabase.functions.fullname" . }}:{{ .Values.functions.service.port }}/*' - url: http://functions:{{ .Values.functions.service.port }}/ + url: http://{{ include "supabase.functions.fullname" . }}:{{ .Values.functions.service.port }}/ routes: - name: functions-v1-all strip_path: true diff --git a/charts/supabase/templates/meta/deployment.yaml b/charts/supabase/templates/meta/deployment.yaml index 2dac17b5..79336191 100644 --- a/charts/supabase/templates/meta/deployment.yaml +++ b/charts/supabase/templates/meta/deployment.yaml @@ -75,6 +75,18 @@ spec: value: $(DB_PASSWORD) - name: PG_META_DB_SSL_MODE value: $(DB_SSL) + - name: CRYPTO_KEY + valueFrom: + secretKeyRef: + {{- if .Values.secret.meta.secretRef }} + name: {{ .Values.secret.meta.secretRef }} + key: {{ .Values.secret.meta.secretRefKey.cryptoKey }} + {{- else }} + name: {{ include "supabase.secret.meta" . }} + key: cryptoKey + {{- end }} + + {{- with .Values.meta.livenessProbe }} livenessProbe: {{- toYaml . | nindent 12 }} @@ -111,4 +123,4 @@ spec: tolerations: {{- toYaml . | nindent 8 }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/charts/supabase/templates/realtime/deployment.yaml b/charts/supabase/templates/realtime/deployment.yaml index 4083a46f..f68b055f 100644 --- a/charts/supabase/templates/realtime/deployment.yaml +++ b/charts/supabase/templates/realtime/deployment.yaml 
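Review bot: The new `CRYPTO_KEY` entry in meta/deployment.yaml uses `key: {{ .Values.secret.meta.secretRefKey.cryptoKey }}` with no fallback, so setting `secret.meta.secretRef` without `secretRefKey.cryptoKey` renders an empty `key:` (or fails to render if `secretRefKey` is absent). studio/deployment.yaml in this commit reads the same secret with `| default "cryptoKey"`. I would make this line `key: {{ .Values.secret.meta.secretRefKey.cryptoKey | default "cryptoKey" }}` so both consumers resolve the same key.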
@@ -39,22 +39,12 @@ spec: {{- else }} value: {{ .Values.auth.environment.DB_HOST | quote }} {{- end }} - - name: DB_USER - valueFrom: - secretKeyRef: - {{- if .Values.secret.db.secretRef }} - name: {{ .Values.secret.db.secretRef }} - key: {{ .Values.secret.db.secretRefKey.username | default "username" }} - {{- else }} - name: {{ include "supabase.secret.db" . }} - key: username - {{- end }} - name: DB_PORT value: {{ .Values.analytics.environment.DB_PORT | quote }} command: ["/bin/sh", "-c"] args: - | - until pg_isready -h $(DB_HOST) -p $(DB_PORT) -U $(DB_USER); do + until pg_isready -h $(DB_HOST) -p $(DB_PORT) -U postgres; do echo "Waiting for database to start..." sleep 2 done @@ -116,6 +106,18 @@ spec: name: {{ include "supabase.secret.jwt" . }} key: secret {{- end }} + + - name: SECRET_KEY_BASE + valueFrom: + secretKeyRef: + {{- if .Values.secret.realtime.secretRef }} + name: {{ .Values.secret.realtime.secretRef }} + key: {{ .Values.secret.realtime.secretRefKey.secretKeyBase | default "secretKeyBase" }} + {{- else }} + name: {{ include "supabase.secret.realtime" . }} + key: secretKeyBase + {{- end }} + {{- with .Values.realtime.livenessProbe }} livenessProbe: {{- toYaml . | nindent 12 }} @@ -152,4 +154,4 @@ spec: tolerations: {{- toYaml . | nindent 8 }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/charts/supabase/templates/rest/deployment.yaml b/charts/supabase/templates/rest/deployment.yaml index e877fa6f..33be4e69 100644 --- a/charts/supabase/templates/rest/deployment.yaml +++ b/charts/supabase/templates/rest/deployment.yaml @@ -131,4 +131,4 @@ spec: tolerations: {{- toYaml . | nindent 8 }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/charts/supabase/templates/secrets/_helpers.tpl b/charts/supabase/templates/secrets/_helpers.tpl index 61d74ecc..a7241a30 100644 --- a/charts/supabase/templates/secrets/_helpers.tpl +++ b/charts/supabase/templates/secrets/_helpers.tpl 
@@ -33,6 +33,20 @@ Expand the name of the analytics secret. {{- printf "%s-analytics" (include "supabase.fullname" .) }} {{- end -}} +{{/* +Expand the name of the meta secret. +*/}} +{{- define "supabase.secret.meta" -}} +{{- printf "%s-meta" (include "supabase.fullname" .) }} +{{- end -}} + +{{/* +Expand the name of the realtime secret. +*/}} +{{- define "supabase.secret.realtime" -}} +{{- printf "%s-realtime" (include "supabase.fullname" .) }} +{{- end -}} + {{/* Expand the name of the s3 secret. */}} diff --git a/charts/supabase/templates/secrets/meta.yaml b/charts/supabase/templates/secrets/meta.yaml new file mode 100644 index 00000000..a62b5b84 --- /dev/null +++ b/charts/supabase/templates/secrets/meta.yaml @@ -0,0 +1,17 @@ +{{- if not .Values.secret.meta.secretRef }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "supabase.secret.meta" . }} + labels: + {{- include "supabase.labels" . | nindent 4 }} +type: Opaque +data: +{{- range $key, $value := .Values.secret.meta }} +{{- if $value }} +{{- if eq (typeOf $value) "string" }} + {{ $key }}: {{ $value | b64enc }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/supabase/templates/secrets/realtime.yaml b/charts/supabase/templates/secrets/realtime.yaml new file mode 100644 index 00000000..ca09eaef --- /dev/null +++ b/charts/supabase/templates/secrets/realtime.yaml @@ -0,0 +1,19 @@ +{{- if .Values.secret.realtime }} +{{- if not .Values.secret.realtime.secretRef }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "supabase.secret.realtime" . }} + labels: + {{- include "supabase.labels" . | nindent 4 }} +type: Opaque +data: +{{- range $key, $value := .Values.secret.realtime }} +{{- if $value }} +{{- if eq (typeOf $value) "string" }} + {{ $key }}: {{ $value | b64enc }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/supabase/templates/storage/deployment.yaml b/charts/supabase/templates/storage/deployment.yaml index b0454297..50a02cd7 100644 
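Review bot: In the new secrets/meta.yaml and secrets/realtime.yaml, the `{{- if $value }}` guard silently skips an empty `cryptoKey` or `secretKeyBase`, so the Secret is rendered without the key that the meta, studio and realtime deployments reference, and the failure only shows up when the pods cannot start. Failing at render time is clearer, for example `cryptoKey: {{ required "secret.meta.cryptoKey is required" .Values.secret.meta.cryptoKey | b64enc }}`. The two files also differ in shape: realtime.yaml wraps everything in `{{- if .Values.secret.realtime }}` while meta.yaml dereferences `.Values.secret.meta.secretRef` directly; one pattern for both would be easier to maintain.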
--- a/charts/supabase/templates/storage/deployment.yaml +++ b/charts/supabase/templates/storage/deployment.yaml @@ -40,22 +40,12 @@ spec: {{- else }} value: {{ .Values.auth.environment.DB_HOST | quote }} {{- end }} - - name: DB_USER - valueFrom: - secretKeyRef: - {{- if .Values.secret.db.secretRef }} - name: {{ .Values.secret.db.secretRef }} - key: {{ .Values.secret.db.secretRefKey.username | default "username" }} - {{- else }} - name: {{ include "supabase.secret.db" . }} - key: username - {{- end }} - name: DB_PORT value: {{ .Values.analytics.environment.DB_PORT | quote }} command: ["/bin/sh", "-c"] args: - | - until pg_isready -h $(DB_HOST) -p $(DB_PORT) -U $(DB_USER); do + until pg_isready -h $(DB_HOST) -p $(DB_PORT) -U postgres; do echo "Waiting for database to start..." sleep 2 done @@ -186,7 +176,7 @@ spec: secretKeyRef: {{- if .Values.secret.s3.secretRef }} name: {{ .Values.secret.s3.secretRef }} - key: {{ .Values.secret.s3.secretRefKey.keyId | default "accessKey" }} + key: {{ .Values.secret.s3.secretRefKey.accessKey | default "accessKey" }} {{- else }} name: {{ include "supabase.secret.s3" . }} key: accessKey @@ -242,4 +232,4 @@ spec: {{- with .Values.storage.volumes }} {{- toYaml . | nindent 8 }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/charts/supabase/templates/studio/deployment.yaml b/charts/supabase/templates/studio/deployment.yaml index dc4d9f84..9c0b5bee 100644 --- a/charts/supabase/templates/studio/deployment.yaml +++ b/charts/supabase/templates/studio/deployment.yaml 
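Review bot: The change from `secretRefKey.keyId` to `secretRefKey.accessKey` in the hunk at `@@ -186,7 +176,7 @@` is a silent values rename: a release that sets `secret.s3.secretRefKey.keyId` now falls through to `default "accessKey"` and reads a different key from the external secret. I would either keep the old name as a fallback, `key: {{ .Values.secret.s3.secretRefKey.accessKey | default .Values.secret.s3.secretRefKey.keyId | default "accessKey" }}`, or call the rename out in the chart's upgrade notes.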
@@ -47,6 +47,57 @@ spec: - name: STUDIO_PG_META_URL value: http://{{ include "supabase.meta.fullname" . }}:{{ .Values.meta.service.port }} {{- end }} + + {{- if .Values.db.enabled }} + - name: POSTGRES_HOST + value: {{ include "supabase.db.fullname" . }} + {{- end }} + + - name: POSTGRES_DB + valueFrom: + secretKeyRef: + {{- if .Values.secret.db.secretRef }} + name: {{ .Values.secret.db.secretRef }} + key: {{ .Values.secret.db.secretRefKey.database | default "database" }} + {{- else }} + name: {{ include "supabase.secret.db" . }} + key: database + {{- end }} + + - name: POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + {{- if .Values.secret.db.secretRef }} + name: {{ .Values.secret.db.secretRef }} + key: {{ .Values.secret.db.secretRefKey.password | default "password" }} + {{- else }} + name: {{ include "supabase.secret.db" . }} + key: password + {{- end }} + + - name: PG_META_CRYPTO_KEY + valueFrom: + secretKeyRef: + {{- if .Values.secret.meta.secretRef }} + name: {{ .Values.secret.meta.secretRef }} + key: {{ .Values.secret.meta.secretRefKey.cryptoKey | default "cryptoKey" }} + {{- else }} + name: {{ include "supabase.secret.meta" . }} + key: cryptoKey + {{- end }} + + + - name: OPENAI_API_KEY + valueFrom: + secretKeyRef: + {{- if .Values.secret.dashboard.secretRef }} + name: {{ .Values.secret.dashboard.secretRef }} + key: {{ .Values.secret.dashboard.secretRefKey.openAiApiKey | default "openAiApiKey" }} + {{- else }} + name: {{ include "supabase.secret.dashboard" . }} + key: openAiApiKey + {{- end }} + - name: SUPABASE_ANON_KEY valueFrom: secretKeyRef: @@ -57,6 +108,7 @@ spec: name: {{ include "supabase.secret.jwt" . }} key: anonKey {{- end }} + - name: SUPABASE_SERVICE_KEY valueFrom: secretKeyRef: 
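Review bot: The `OPENAI_API_KEY` entry added in the hunk at `@@ -47,6 +47,57 @@` is a mandatory `secretKeyRef`, so a dashboard secret without an `openAiApiKey` key keeps the Studio container from starting even when that integration is not used. Adding `optional: true` under that `secretKeyRef` avoids this. The hunk also gives Studio the database password and the pg-meta crypto key, and a later hunk in this file adds the JWT secret; a comment stating which Studio features need each of them would help operators decide what to provision and who may reach the dashboard.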
@@ -67,14 +119,41 @@ spec: name: {{ include "supabase.secret.jwt" . }} key: serviceKey {{- end }} + + - name: AUTH_JWT_SECRET + valueFrom: + secretKeyRef: + {{- if .Values.secret.jwt.secretRef }} + name: {{ .Values.secret.jwt.secretRef }} + key: {{ .Values.secret.jwt.secretRefKey.secret | default "secret" }} + {{- else }} + name: {{ include "supabase.secret.jwt" . }} + key: secret + {{- end }} + {{- if .Values.analytics.enabled }} - name: LOGFLARE_URL value: http://{{ include "supabase.analytics.fullname" . }}:{{ .Values.analytics.service.port }} - - name: LOGFLARE_API_KEY + - name: LOGFLARE_PUBLIC_ACCESS_TOKEN valueFrom: secretKeyRef: + {{- if .Values.secret.analytics.secretRef }} + name: {{ .Values.secret.analytics.secretRef }} + key: {{ .Values.secret.analytics.secretRefKey.publicAccessToken | default "apiKey" }} + {{- else }} name: {{ include "supabase.secret.analytics" . }} - key: apiKey + key: publicAccessToken + {{- end }} + - name: LOGFLARE_PRIVATE_ACCESS_TOKEN + valueFrom: + secretKeyRef: + {{- if .Values.secret.analytics.secretRef }} + name: {{ .Values.secret.analytics.secretRef }} + key: {{ .Values.secret.analytics.secretRefKey.privateAccessToken | default "apiKey" }} + {{- else }} + name: {{ include "supabase.secret.analytics" . }} + key: privateAccessToken + {{- end }} {{- end }} {{- with .Values.studio.livenessProbe }} livenessProbe: @@ -112,4 +191,4 @@ spec: tolerations: {{- toYaml . | nindent 8 }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/charts/supabase/templates/test/db.yaml b/charts/supabase/templates/test/db.yaml index 296bcc3b..10a5c74a 100644 --- a/charts/supabase/templates/test/db.yaml +++ b/charts/supabase/templates/test/db.yaml 
@@ -16,7 +16,7 @@ spec: - /bin/sh - -c - | - pg_isready -h $(DB_HOST) -p $(DB_PORT) -U $(DB_USER) || $(echo "\e[0;31mFailed to connect to the database." && exit 1) + pg_isready -h $(DB_HOST) -p $(DB_PORT) -U postgres || $(echo "\e[0;31mFailed to connect to the database." && exit 1) echo "Database is ready" env: - name: DB_HOST @@ -25,16 +25,6 @@ spec: {{- else }} value: {{ .Values.auth.environment.DB_HOST | quote }} {{- end }} - - name: DB_USER - valueFrom: - secretKeyRef: - {{- if .Values.secret.db.secretRef }} - name: {{ .Values.secret.db.secretRef }} - key: {{ .Values.secret.db.secretRefKey.username | default "username" }} - {{- else }} - name: {{ include "supabase.secret.db" . }} - key: username - {{- end }} - name: DB_PORT value: {{ .Values.auth.environment.DB_PORT | quote }} image: postgres:15-alpine diff --git a/charts/supabase/templates/vector/config.yaml b/charts/supabase/templates/vector/config.yaml index df2e8973..e8fcf2b1 100644 --- a/charts/supabase/templates/vector/config.yaml +++ b/charts/supabase/templates/vector/config.yaml @@ -6,23 +6,7 @@ metadata: labels: {{- include "supabase.labels" . | nindent 4 }} data: - secret.sh: | - #!/bin/sh - cat << EOF - { - "logflare_api_key": { - "value": "$LOGFLARE_API_KEY", - "error": null - } - } - EOF vector.yml: | - secret: - credentials: - type: exec - command: - - /etc/vector/secret.sh - api: enabled: true address: 0.0.0.0:{{ .Values.vector.service.port }} @@ -186,7 +170,9 @@ data: method: 'post' request: retry_max_duration_secs: 10 - uri: 'http://{{ include "supabase.analytics.fullname" . }}:{{ .Values.analytics.service.port }}/api/logs?source_name=gotrue.logs.prod&api_key=SECRET[credentials.logflare_api_key]' + headers: + x-api-key: ${LOGFLARE_PUBLIC_ACCESS_TOKEN?LOGFLARE_PUBLIC_ACCESS_TOKEN is required} + uri: 'http://{{ include "supabase.analytics.fullname" . }}:{{ .Values.analytics.service.port }}/api/logs?source_name=gotrue.logs.prod' logflare_realtime: type: 'http' inputs: 
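Review bot: The failure branch on the changed line in test/db.yaml, `|| $(echo "\e[0;31mFailed to connect to the database." && exit 1)`, cannot fail the test: `exit 1` only ends the command-substitution subshell, the captured message is then run as a command, and the script goes on to `echo "Database is ready"` and exits 0. I would write it as `pg_isready -h $(DB_HOST) -p $(DB_PORT) -U postgres || { echo "Failed to connect to the database."; exit 1; }` so an unreachable database makes the Helm test fail.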
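Review bot: The new `x-api-key` header value in vector/config.yaml (hunk at `@@ -186,7 +170,9 @@`) is an unquoted `${LOGFLARE_PUBLIC_ACCESS_TOKEN?...}` placeholder, while the neighbouring `uri` values are single-quoted. If Vector substitutes environment variables into the file text before parsing it, a token containing a sequence such as ` #` or `: ` would change how the line parses; quoting it, `x-api-key: '${LOGFLARE_PUBLIC_ACCESS_TOKEN?LOGFLARE_PUBLIC_ACCESS_TOKEN is required}'`, keeps the value a string. The same line is added to the other Logflare sinks in this file. A short comment recording that the token moved from the query string to a header, so it no longer appears in request URLs, would explain why the change was made.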
@@ -196,7 +182,9 @@ data: method: 'post' request: retry_max_duration_secs: 10 - uri: 'http://{{ include "supabase.analytics.fullname" . }}:{{ .Values.analytics.service.port }}/api/logs?source_name=realtime.logs.prod&api_key=SECRET[credentials.logflare_api_key]' + headers: + x-api-key: ${LOGFLARE_PUBLIC_ACCESS_TOKEN?LOGFLARE_PUBLIC_ACCESS_TOKEN is required} + uri: 'http://{{ include "supabase.analytics.fullname" . }}:{{ .Values.analytics.service.port }}/api/logs?source_name=realtime.logs.prod' logflare_rest: type: 'http' inputs: @@ -206,7 +194,9 @@ data: method: 'post' request: retry_max_duration_secs: 10 - uri: 'http://{{ include "supabase.analytics.fullname" . }}:{{ .Values.analytics.service.port }}/api/logs?source_name=postgREST.logs.prod&api_key=SECRET[credentials.logflare_api_key]' + headers: + x-api-key: ${LOGFLARE_PUBLIC_ACCESS_TOKEN?LOGFLARE_PUBLIC_ACCESS_TOKEN is required} + uri: 'http://{{ include "supabase.analytics.fullname" . }}:{{ .Values.analytics.service.port }}/api/logs?source_name=postgREST.logs.prod' logflare_db: type: 'http' inputs: @@ -216,10 +206,12 @@ data: method: 'post' request: retry_max_duration_secs: 10 + headers: + x-api-key: ${LOGFLARE_PUBLIC_ACCESS_TOKEN?LOGFLARE_PUBLIC_ACCESS_TOKEN is required} # We must route the sink through kong because ingesting logs before logflare is fully initialised will # lead to broken queries from studio. This works by the assumption that containers are started in the # following order: vector > db > logflare > kong - uri: 'http://{{ include "supabase.kong.fullname" . }}:{{ .Values.kong.service.port }}/analytics/v1/api/logs?source_name=postgres.logs&api_key=SECRET[credentials.logflare_api_key]' + uri: 'http://{{ include "supabase.kong.fullname" . }}:{{ .Values.kong.service.port }}/analytics/v1/api/logs?source_name=postgres.logs' logflare_functions: type: 'http' inputs: 
@@ -229,7 +221,9 @@ data: method: 'post' request: retry_max_duration_secs: 10 - uri: 'http://{{ include "supabase.analytics.fullname" . }}:{{ .Values.analytics.service.port }}/api/logs?source_name=deno-relay-logs&api_key=SECRET[credentials.logflare_api_key]' + headers: + x-api-key: ${LOGFLARE_PUBLIC_ACCESS_TOKEN?LOGFLARE_PUBLIC_ACCESS_TOKEN is required} + uri: 'http://{{ include "supabase.analytics.fullname" . }}:{{ .Values.analytics.service.port }}/api/logs?source_name=deno-relay-logs' logflare_storage: type: 'http' inputs: @@ -239,7 +233,9 @@ data: method: 'post' request: retry_max_duration_secs: 10 - uri: 'http://{{ include "supabase.analytics.fullname" . }}:{{ .Values.analytics.service.port }}/api/logs?source_name=storage.logs.prod.2&api_key=SECRET[credentials.logflare_api_key]' + headers: + x-api-key: ${LOGFLARE_PUBLIC_ACCESS_TOKEN?LOGFLARE_PUBLIC_ACCESS_TOKEN is required} + uri: 'http://{{ include "supabase.analytics.fullname" . }}:{{ .Values.analytics.service.port }}/api/logs?source_name=storage.logs.prod.2' logflare_kong: type: 'http' inputs: @@ -250,6 +246,8 @@ data: method: 'post' request: retry_max_duration_secs: 10 - uri: 'http://{{ include "supabase.analytics.fullname" . }}:{{ .Values.analytics.service.port }}/api/logs?source_name=cloudflare.logs.prod&api_key=SECRET[credentials.logflare_api_key]' + headers: + x-api-key: ${LOGFLARE_PUBLIC_ACCESS_TOKEN?LOGFLARE_PUBLIC_ACCESS_TOKEN is required} + uri: 'http://{{ include "supabase.analytics.fullname" . }}:{{ .Values.analytics.service.port }}/api/logs?source_name=cloudflare.logs.prod' {{- end }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/charts/supabase/templates/vector/deployment.yaml b/charts/supabase/templates/vector/deployment.yaml index 911ff08d..2098c995 100644 --- a/charts/supabase/templates/vector/deployment.yaml +++ b/charts/supabase/templates/vector/deployment.yaml 
@@ -48,18 +48,18 @@ spec: valueFrom: fieldRef: fieldPath: spec.nodeName - {{- if .Values.analytics.enabled }} - - name: LOGFLARE_API_KEY + {{- if .Values.analytics.enabled }} + - name: LOGFLARE_PUBLIC_ACCESS_TOKEN valueFrom: secretKeyRef: {{- if .Values.secret.analytics.secretRef }} name: {{ .Values.secret.analytics.secretRef }} - key: {{ .Values.secret.analytics.secretRefKey.apiKey | default "apiKey" }} + key: {{ .Values.secret.analytics.secretRefKey.publicAccessToken | default "apiKey" }} {{- else }} name: {{ include "supabase.secret.analytics" . }} - key: apiKey + key: publicAccessToken {{- end }} - {{- end }} + {{- end }} {{- with .Values.vector.livenessProbe }} livenessProbe: {{- toYaml . | nindent 12 }} @@ -78,9 +78,6 @@ spec: - mountPath: /etc/vector/vector.yml name: vector-config subPath: vector.yml - - mountPath: /etc/vector/secret.sh - name: vector-config - subPath: secret.sh {{- with .Values.vector.resources }} resources: {{- toYaml . | nindent 12 }} @@ -105,4 +102,4 @@ spec: tolerations: {{- toYaml . | nindent 8 }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/charts/supabase/values.example.yaml b/charts/supabase/values.example.yaml index c8f46e05..04ce6583 100644 --- a/charts/supabase/values.example.yaml +++ b/charts/supabase/values.example.yaml @@ -9,17 +9,22 @@ secret: dashboard: username: supabase password: this_password_is_insecure_and_should_be_updated + openAiApiKey: api-key db: - username: postgres password: example123456 database: postgres analytics: - apiKey: your-super-secret-and-long-logflare-key + publicAccessToken: your-super-secret-and-long-logflare-key-public + privateAccessToken: your-super-secret-and-long-logflare-key-private + realtime: + secretKeyBase: UpNVntn3cDxHJpq99YMc1T1AQgQpc8kfYTuRgBiYa15BLrx8etQoXz3gZv1/u2oq + meta: + cryptoKey: "your-super-secret-and-long-crypto-key" db: enabled: true image: - tag: 15.1.0.147 + tag: 15.8.1.085 livenessProbe: exec: command: 
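Review bot: The `secretRef` branch for `LOGFLARE_PUBLIC_ACCESS_TOKEN` still falls back to `default "apiKey"`, while the chart-managed secret in the `else` branch uses the key `publicAccessToken`. If `secretRefKey.publicAccessToken` is ever rendered empty, the pod looks for a key named `apiKey` in the existing secret, and any template that applies the same fallback to the private token would then read that same key. I would change the line to `key: {{ .Values.secret.analytics.secretRefKey.publicAccessToken | default "publicAccessToken" }}`. The `env` list this entry belongs to starts outside the hunk.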
@@ -32,21 +37,16 @@ db: studio: image: - tag: 20240326-5e5586d + tag: 2025.11.10-sha-5291fe3 environment: - STUDIO_DEFAULT_ORGANIZATION: "My Organization" - STUDIO_DEFAULT_PROJECT: "My Project" - SUPABASE_PUBLIC_URL: http://example.com/ - NEXT_PUBLIC_ENABLE_LOGS: "true" - livenessProbe: - httpGet: - path: /api/profile - port: 3000 - initialDelaySeconds: 3 + DEFAULT_ORGANIZATION_NAME: Default Organization + DEFAULT_PROJECT_NAME: Default Project + SUPABASE_PUBLIC_URL: http://example.com + NEXT_PUBLIC_ENABLE_LOGS: true auth: image: - tag: v2.143.0 + tag: v2.182.1 environment: API_EXTERNAL_URL: http://example.com GOTRUE_SITE_URL: http://example.com @@ -59,11 +59,11 @@ auth: rest: image: - tag: v12.0.1 + tag: v13.0.7 realtime: image: - tag: v2.27.5 + tag: v2.63.0 livenessProbe: httpGet: path: / @@ -72,11 +72,11 @@ realtime: meta: image: - tag: v0.80.0 + tag: v0.93.1 storage: image: - tag: v0.46.4 + tag: v1.29.0 livenessProbe: httpGet: path: /status @@ -123,7 +123,7 @@ kong: analytics: image: - tag: 1.4.0 + tag: 1.22.6 livenessProbe: httpGet: path: /health @@ -132,7 +132,7 @@ analytics: vector: image: - tag: 0.34.0-alpine + tag: 0.28.1-alpine livenessProbe: httpGet: path: /health @@ -151,4 +151,4 @@ vector: functions: image: - tag: v1.41.2 + tag: v1.68.4 diff --git a/charts/supabase/values.yaml b/charts/supabase/values.yaml index 038c17a4..659a664f 100644 --- a/charts/supabase/values.yaml +++ b/charts/supabase/values.yaml 
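Review bot: The vector image tag in values.example.yaml moves backwards, from `0.34.0-alpine` to `0.28.1-alpine`, while every other tag in this file moves forward. An older release gives up whatever fixes landed in between, and nothing in the diff shows that the downgrade is required. If it is intentional I would add a comment above the tag such as `# pinned to 0.28.1: <reason>`; otherwise I would keep `0.34.0-alpine` or newer.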
@@ -31,24 +31,24 @@ secret: # database credentials # these fields must be provided even if using external database db: - username: "" password: "" database: "" # specify existing secret, which takes precedence over variables above secretRef: "" # override secret keys for existing secret refs secretRefKey: - username: username password: password database: database - # analytics Logflare API key + # analytics Logflare Public/Private access token analytics: - apiKey: "" + publicAccessToken: your-super-secret-and-long-logflare-key-public + privateAccessToken: your-super-secret-and-long-logflare-key-private # specify existing secret, which takes precedence over variable above secretRef: "" # override secret keys for existing secret refs secretRefKey: - apiKey: apiKey + publicAccessToken: publicAccessToken + privateAccessToken: privateAccessToken # smtp will be used to reference secret including smtp credentials smtp: # username: "" @@ -64,12 +64,14 @@ secret: dashboard: # username: "" # password: "" + # openAiApiKey: api-key # specify existing secret, which takes precedence over variables above # secretRef: "" # override secret keys for existing secret refs secretRefKey: username: username password: password + openAiApiKey: openAiApiKey # S3 credentials for storage object bucket s3: # keyId: "" @@ -80,6 +82,18 @@ secret: secretRefKey: keyId: keyId accessKey: accessKey + # Realtime environment + realtime: + secretKeyBase: UpNVntn3cDxHJpq99YMc1T1AQgQpc8kfYTuRgBiYa15BLrx8etQoXz3gZv1/u2oq + # secretRef: "" + secretRefKey: + secretKeyBase: secretKeyBase + # Meta environment + meta: + cryptoKey: "your-super-secret-and-long-crypto-key" + # secretRef: "" + secretRefKey: + cryptoKey: cryptoKey # Optional: Postgres Database # A standalone Postgres database configured to work with Supabase services. 
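Review bot: `secret.analytics.publicAccessToken` / `privateAccessToken`, `secret.realtime.secretKeyBase` and `secret.meta.cryptoKey` now ship as non-empty defaults in values.yaml, so an install that overrides nothing runs with secrets that are published in this repository; the previous `apiKey: ""` at least left the value visibly unset. I would default them to empty (`publicAccessToken: ""`, `secretKeyBase: ""`, `cryptoKey: ""`) and keep the sample strings only in values.example.yaml. The secret templates could then wrap each value in `required` so that rendering fails when neither a value nor a `secretRef` is supplied. This applies to the analytics hunk and the realtime/meta hunk of this file; the `secret:` mapping they sit in starts outside the hunks.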
@@ -206,11 +220,13 @@ studio: type: ClusterIP port: 3000 environment: - STUDIO_DEFAULT_ORGANIZATION: Default Organization - STUDIO_DEFAULT_PROJECT: Default Project + HOSTNAME: "::" STUDIO_PORT: "3000" + POSTGRES_PORT: 5432 + DEFAULT_ORGANIZATION_NAME: Default Organization + DEFAULT_PROJECT_NAME: Default Project SUPABASE_PUBLIC_URL: http://example.com - NEXT_PUBLIC_ENABLE_LOGS: "true" + NEXT_PUBLIC_ENABLE_LOGS: true # Set value to bigquery to use Big Query backend for analytics NEXT_ANALYTICS_BACKEND_PROVIDER: postgres # postgres, bigquery # volumeMounts: 
@@ -299,18 +315,33 @@ auth: GOTRUE_JWT_EXP: "3600" GOTRUE_EXTERNAL_EMAIL_ENABLED: "true" GOTRUE_MAILER_AUTOCONFIRM: "true" + GOTRUE_EXTERNAL_ANONYMOUS_USERS_ENABLED: "false" # GOTRUE_MAILER_SECURE_EMAIL_CHANGE_ENABLED: true # GOTRUE_SMTP_MAX_FREQUENCY: 1s GOTRUE_SMTP_ADMIN_EMAIL: "SMTP_ADMIN_MAIL" GOTRUE_SMTP_HOST: "SMTP_HOST" - GOTRUE_SMTP_PORT: "SMTP_PORT" - GOTRUE_SMTP_SENDER_NAME: "SMTP_SENDER_NAME" + GOTRUE_SMTP_PORT: "123" GOTRUE_EXTERNAL_PHONE_ENABLED: "false" GOTRUE_SMS_AUTOCONFIRM: "false" + GOTRUE_SMTP_SENDER_NAME: "SMTP_SENDER_NAME" GOTRUE_MAILER_URLPATHS_INVITE: "/auth/v1/verify" GOTRUE_MAILER_URLPATHS_CONFIRMATION: "/auth/v1/verify" GOTRUE_MAILER_URLPATHS_RECOVERY: "/auth/v1/verify" GOTRUE_MAILER_URLPATHS_EMAIL_CHANGE: "/auth/v1/verify" + # Uncomment to enable custom access token hook. Please see: https://supabase.com/docs/guides/auth/auth-hooks for full list of hooks and additional details about custom_access_token_hook + # GOTRUE_HOOK_CUSTOM_ACCESS_TOKEN_ENABLED: "true" + # GOTRUE_HOOK_CUSTOM_ACCESS_TOKEN_URI: "pg-functions://postgres/public/custom_access_token_hook" + # GOTRUE_HOOK_CUSTOM_ACCESS_TOKEN_SECRETS: "" + # GOTRUE_HOOK_MFA_VERIFICATION_ATTEMPT_ENABLED: "true" + # GOTRUE_HOOK_MFA_VERIFICATION_ATTEMPT_URI: "pg-functions://postgres/public/mfa_verification_attempt" + # GOTRUE_HOOK_PASSWORD_VERIFICATION_ATTEMPT_ENABLED: "true" + # GOTRUE_HOOK_PASSWORD_VERIFICATION_ATTEMPT_URI: "pg-functions://postgres/public/password_verification_attempt" + # GOTRUE_HOOK_SEND_SMS_ENABLED: "false" + # GOTRUE_HOOK_SEND_SMS_URI: "pg-functions://postgres/public/custom_access_token_hook" + # GOTRUE_HOOK_SEND_SMS_SECRETS: "v1,whsec_VGhpcyBpcyBhbiBleGFtcGxlIG9mIGEgc2hvcnRlciBCYXNlNjQgc3RyaW5n" + # GOTRUE_HOOK_SEND_EMAIL_ENABLED: "false" + # GOTRUE_HOOK_SEND_EMAIL_URI: "http://host.docker.internal:54321/functions/v1/email_sender" + # GOTRUE_HOOK_SEND_EMAIL_SECRETS: "v1,whsec_VGhpcyBpcyBhbiBleGFtcGxlIG9mIGEgc2hvcnRlciBCYXNlNjQgc3RyaW5n" envFrom: [] # - secretRef: # 
name: env-secret @@ -462,16 +493,19 @@ realtime: # DB_HOST: DATABASE.NAMESPACE.svc.cluster.local DB_USER: supabase_admin DB_PORT: 5432 - DB_SSL: disable # disable, allow, prefer, require, verify-ca, verify-full - DB_AFTER_CONNECT_QUERY: "SET search_path TO _realtime" - DB_ENC_KEY: supabaserealtime + DB_SSL: false # true PORT: "4000" FLY_ALLOC_ID: fly123 FLY_APP_NAME: realtime - SECRET_KEY_BASE: UpNVntn3cDxHJpq99YMc1T1AQgQpc8kfYTuRgBiYa15BLrx8etQoXz3gZv1/u2oq - ERL_AFLAGS: -proto_dist inet_tcp ENABLE_TAILSCALE: "false" + DB_AFTER_CONNECT_QUERY: "SET search_path TO _realtime" + DB_ENC_KEY: supabaserealtime + ERL_AFLAGS: -proto_dist inet_tcp DNS_NODES: "''" + RLIMIT_NOFILE: "10000" + APP_NAME: realtime + SEED_SELF_HOST: true + RUN_JANITOR: true # volumeMounts: # - name: volume_name # mountPath: /path/to/my/secret @@ -621,6 +655,7 @@ storage: DB_PORT: 5432 DB_DRIVER: postgres DB_SSL: disable # disable, allow, prefer, require, verify-ca, verify-full + REQUEST_ALLOW_X_FORWARDED_PATH: "true" PGOPTIONS: -c search_path=storage,public FILE_SIZE_LIMIT: "52428800" STORAGE_BACKEND: file # file, s3 @@ -628,6 +663,7 @@ storage: TENANT_ID: stub REGION: stub GLOBAL_S3_BUCKET: stub + ENABLE_IMAGE_TRANSFORMATION: "true" # Set variables below and secret.s3 above to enable S3 storage bucket # If using this chart's minio, skip the endpoint and protocol below # GLOBAL_S3_ENDPOINT: http://minio:9000 @@ -889,12 +925,14 @@ analytics: # Override the database hostname if using external database # DB_HOST: DATABASE.NAMESPACE.svc.cluster.local DB_USERNAME: supabase_admin + DB_DATABASE: _supabase DB_PORT: 5432 DB_DRIVER: postgresql DB_SCHEMA: _analytics + POSTGRES_BACKEND_SCHEMA: _analytics LOGFLARE_SINGLE_TENANT: "true" LOGFLARE_SUPABASE_MODE: "true" - FEATURE_FLAG_OVERRIDE: multibackend=true + LOGFLARE_FEATURE_FLAG_OVERRIDE: multibackend=true # Enable Big Query backend for analytics bigQuery: enabled: false 
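Review bot: The commented hook examples added under `auth.environment` carry a concrete `v1,whsec_…` value for `GOTRUE_HOOK_SEND_SMS_SECRETS` and `GOTRUE_HOOK_SEND_EMAIL_SECRETS`, so a user who only uncomments them deploys a signing secret that is public in this repository, and as a plain `environment` entry rather than through a Secret. I would replace the value with an obvious placeholder, `# GOTRUE_HOOK_SEND_EMAIL_SECRETS: "v1,whsec_<base64-secret>"`, and add a comment pointing to `envFrom` / `secretRef` for the real value. Two of the sample URIs also look copied from elsewhere: `GOTRUE_HOOK_SEND_SMS_URI` points at `custom_access_token_hook`, and `host.docker.internal:54321` is a Docker hostname that presumably does not resolve inside a cluster.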
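Review bot: In the `realtime.environment` hunk, `DB_ENC_KEY: supabaserealtime` stays as a fixed value in plain environment while `SECRET_KEY_BASE` is moved out to `secret.realtime`; both are key material and should be handled the same way. I would move it next to `secretKeyBase` as a new secret value with its own `secretRefKey`, or at least mark it with `# change before deploying; prefer envFrom/secretRef`. `DB_SSL` also changes from `disable` to `false` and the comment listing the allowed modes is dropped, so the accepted values are no longer documented on that line.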
@@ -1038,10 +1076,11 @@ functions: environment: # Override the database hostname if using external database # DB_HOST: DATABASE.NAMESPACE.svc.cluster.local - DB_USERNAME: supabase_functions_admin + DB_USERNAME: postgres DB_PORT: 5432 DB_DRIVER: postgresql DB_SSL: disable # disable, allow, prefer, require, verify-ca, verify-full + VERIFY_JWT: false # Mount user functions # volumeMounts: # - name: my_functions diff --git a/index.yaml b/index.yaml index e3b8437f..a1a6af4a 100644 --- a/index.yaml +++ b/index.yaml @@ -2,16 +2,17 @@ apiVersion: v1 entries: supabase: - apiVersion: v2 - created: "2023-02-10T15:04:18.116554-05:00" + created: "2025-11-24T10:31:07.33544705-03:00" description: The open source Firebase alternative. - digest: 79a75d1ca844b0551a9d0a084131273c63925c19f32513ad18fdc23e6f5854bf + digest: 68d5675757c377f26b40911b3aa375611c22068fc229f17d3925518cb6e658b6 + icon: https://avatars.githubusercontent.com/u/54469796?s=280&v=4 name: supabase type: application urls: - - https://supabase-community.github.io/supabase-kubernetes/build/supabase-0.0.3.tgz - version: 0.0.3 + - https://supabase-community.github.io/supabase-kubernetes/build/supabase-0.2.0.tgz + version: 0.2.0 - apiVersion: v2 - created: "2023-02-10T15:04:18.113431-05:00" + created: "2025-11-24T10:31:07.332314036-03:00" description: The open source Firebase alternative. digest: a0d6c0627c049642f3a9a1d068ecc4601d87c26d0326b47422223a7660424e31 name: supabase @@ -20,7 +21,7 @@ entries: - https://supabase-community.github.io/supabase-kubernetes/build/supabase-0.0.2.tgz version: 0.0.2 - apiVersion: v2 - created: "2023-02-10T15:04:18.111993-05:00" + created: "2025-11-24T10:31:07.331174634-03:00" description: The open source Firebase alternative. digest: 651547b54edc5cfbac1ed39cb42fc574ee766ff8c1c61aa6cedef84d2faa358f name: supabase 
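Review bot: The `functions.environment` defaults now set `VERIFY_JWT: false` and switch `DB_USERNAME` from `supabase_functions_admin` to `postgres`, so by default the functions service would, as far as the names indicate, skip JWT verification and connect with the broad `postgres` role instead of a dedicated one. Neither change is explained in the hunk; I would keep the safer defaults, `VERIFY_JWT: "true"` and `DB_USERNAME: supabase_functions_admin`, and document in a comment when an operator may need to override them. The unquoted `false` is also worth checking, because unless the template quotes environment values a YAML boolean is not accepted as an `env` value in a pod spec. The `environment` mapping continues outside the hunk.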
@@ -28,4 +29,4 @@ entries: urls: - https://supabase-community.github.io/supabase-kubernetes/build/supabase-0.0.1.tgz version: 0.0.1 -generated: "2023-02-10T15:04:18.110189-05:00" +generated: "2025-11-24T10:31:07.329905479-03:00"