diff --git a/charts/supabase/docker/Database.Dockerfile b/charts/supabase/docker/Database.Dockerfile
index fa94cf546521045f6bb2b3b1748d9ab0b8c4c594..d7143e696eed3a97bb516e310420d09e4a5e6306 100644
--- a/charts/supabase/docker/Database.Dockerfile
+++ b/charts/supabase/docker/Database.Dockerfile
@@ -1,11 +1,52 @@
-FROM bitnami/postgresql:12.9.0-debian-10-r40
+FROM bitnami/postgresql:17-debian-12
 
 USER root
 
-RUN install_packages make git gcc libc6-dev
+RUN install_packages make git gcc libc6-dev libssl-dev curl libcurl4-openssl-dev libsodium-dev cmake
+# pgjwt
 RUN git clone https://github.com/michelp/pgjwt.git
 RUN cd pgjwt && make install
+
+# wal2json
 RUN git clone https://github.com/eulerto/wal2json.git
 RUN cd wal2json && make && make install
 
+# pgvector
+RUN git clone --branch v0.8.0 https://github.com/pgvector/pgvector.git
+RUN cd pgvector && make && make install
+
+# pg_stat_monitor
+RUN git clone https://github.com/percona/pg_stat_monitor.git
+RUN cd pg_stat_monitor && make USE_PGXS=1 && make USE_PGXS=1 install
+
+# pgaudit
+RUN git clone https://github.com/pgaudit/pgaudit.git
+RUN cd pgaudit && git checkout REL_17_STABLE && make install USE_PGXS=1 PG_CONFIG=/opt/bitnami/postgresql/bin/pg_config
+
+# plpgsql_check
+RUN git clone https://github.com/okbob/plpgsql_check.git
+RUN cd plpgsql_check && make clean && make install
+
+# pg_cron
+RUN git clone https://github.com/citusdata/pg_cron.git
+RUN cd pg_cron && make && make install
+
+
+# pg_net
+RUN git clone https://github.com/supabase/pg_net.git
+RUN cd pg_net && make && make install
+
+RUN git clone https://github.com/michelp/pgsodium.git
+RUN cd pgsodium && make install
+COPY --chown=1001:1001 ./pgsodium_getkey /opt/bitnami/postgresql/share/extension
+RUN chmod -R +x /opt/bitnami/postgresql/share/extension/pgsodium_getkey
+
+RUN git clone https://github.com/timescale/timescaledb
+RUN cd timescaledb && git checkout 2.17.2 && ./bootstrap && cd build && make && make install
+
+
+ENV POSTGRESQL_SHARED_PRELOAD_LIBRARIES="pg_stat_statements, pg_stat_monitor, pgaudit, plpgsql, plpgsql_check, pg_cron, pg_net, pgsodium, auto_explain"
+
+
+
 USER 1001
\ No newline at end of file
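Review bot: Most of the added `git clone` lines build whatever the upstream default branch holds at build time: pgjwt, wal2json, pg_stat_monitor, plpgsql_check, pg_cron, pg_net and pgsodium carry no tag or commit, and pgaudit tracks the moving `REL_17_STABLE` branch. Code loaded into the postgres server process can therefore change without any change to this file. Only pgvector (`--branch v0.8.0`) and timescaledb (`git checkout 2.17.2`) are pinned; the others should follow the same form, e.g. `RUN git clone --depth 1 --branch <RELEASE_TAG> https://github.com/citusdata/pg_cron.git`, ideally followed by a check of the expected commit hash. The base tag `17-debian-12` is also floating and could be pinned by digest. Separately, gcc, git, cmake and curl from `install_packages` stay in the runtime image; a build stage with `COPY --from` of the built extension files would keep them out.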
diff --git a/charts/supabase/docker/SupabaseDb.Dockerfile b/charts/supabase/docker/SupabaseDb.Dockerfile
new file mode 100644
index 0000000000000000000000000000000000000000..3533be9b3c37d824cef76502aa76ef855d7fe5ae
--- /dev/null
+++ b/charts/supabase/docker/SupabaseDb.Dockerfile
@@ -0,0 +1,28 @@
+FROM supabase/postgres:15.8.1.040
+
+
+ARG USERNAME=nonroot-pg
+ARG USER_UID=1001
+ARG USER_GID=$USER_UID
+
+RUN groupadd --gid $USER_GID $USERNAME \
+    && useradd --uid $USER_UID --gid $USER_GID -m $USERNAME
+
+RUN chown -R ${USERNAME}:${USERNAME} /usr/lib/postgresql \
+    && chown -R ${USERNAME}:${USERNAME} /var/lib/postgresql \
+    && chown -R ${USERNAME}:${USERNAME} /usr/share/postgresql
+
+RUN chown -R ${USERNAME}:${USERNAME} /usr/bin
+
+RUN chown -R ${USERNAME}:${USERNAME} /usr/lib/postgresql/share/postgresql/
+RUN chown -R ${USERNAME}:${USERNAME} /usr/share/postgresql/ 
+RUN  chown -R ${USERNAME}:${USERNAME} /usr/lib/postgresql/share/postgresql/contrib/
+RUN chown -R ${USERNAME}:${USERNAME} /usr/lib/postgresql
+
+RUN chown -R ${USERNAME}:${USERNAME} /etc/postgresql-custom
+RUN chown -R ${USERNAME}:${USERNAME} /var/run/postgresql
+COPY --chown=${USERNAME}:${USERNAME} ./pg_hba.conf /etc/postgresql/pg_hba.conf
+
+RUN chmod -R 777 /var/lib/postgresql
+
+USER 1001
\ No newline at end of file
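Review bot: `RUN chmod -R 777 /var/lib/postgresql` makes the whole database directory tree readable and writable by every user in the container, and `RUN chown -R ${USERNAME}:${USERNAME} /usr/bin` hands every system binary to the account the server runs as, so a compromise of the postgres process can replace them. The recursive chown of `/var/lib/postgresql` earlier in the hunk already gives the runtime user access, so the chmod line can be dropped or narrowed to mode 0700 on the data directory. The `/usr/bin` chown should be removed or limited to the specific files that need it. Several chown lines repeat paths already covered (`/usr/lib/postgresql`, `/usr/share/postgresql`), each adding a layer. `USER 1001` also ignores the `USER_UID` build argument; `USER ${USER_UID}` keeps the two in step.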
diff --git a/charts/supabase/docker/pg_hba.conf b/charts/supabase/docker/pg_hba.conf
new file mode 100644
index 0000000000000000000000000000000000000000..8deff36e28b9bcc65bd4ab8018294cd4833d3351
--- /dev/null
+++ b/charts/supabase/docker/pg_hba.conf
@@ -0,0 +1,96 @@
+# PostgreSQL Client Authentication Configuration File
+# ===================================================
+#
+# Refer to the "Client Authentication" section in the PostgreSQL
+# documentation for a complete description of this file.  A short
+# synopsis follows.
+#
+# This file controls: which hosts are allowed to connect, how clients
+# are authenticated, which PostgreSQL user names they can use, which
+# databases they can access.  Records take one of these forms:
+#
+# local         DATABASE  USER  METHOD  [OPTIONS]
+# host          DATABASE  USER  ADDRESS  METHOD  [OPTIONS]
+# hostssl       DATABASE  USER  ADDRESS  METHOD  [OPTIONS]
+# hostnossl     DATABASE  USER  ADDRESS  METHOD  [OPTIONS]
+# hostgssenc    DATABASE  USER  ADDRESS  METHOD  [OPTIONS]
+# hostnogssenc  DATABASE  USER  ADDRESS  METHOD  [OPTIONS]
+#
+# (The uppercase items must be replaced by actual values.)
+#
+# The first field is the connection type: "local" is a Unix-domain
+# socket, "host" is either a plain or SSL-encrypted TCP/IP socket,
+# "hostssl" is an SSL-encrypted TCP/IP socket, and "hostnossl" is a
+# non-SSL TCP/IP socket.  Similarly, "hostgssenc" uses a
+# GSSAPI-encrypted TCP/IP socket, while "hostnogssenc" uses a
+# non-GSSAPI socket.
+#
+# DATABASE can be "all", "sameuser", "samerole", "replication", a
+# database name, or a comma-separated list thereof. The "all"
+# keyword does not match "replication". Access to replication
+# must be enabled in a separate record (see example below).
+#
+# USER can be "all", a user name, a group name prefixed with "+", or a
+# comma-separated list thereof.  In both the DATABASE and USER fields
+# you can also write a file name prefixed with "@" to include names
+# from a separate file.
+#
+# ADDRESS specifies the set of hosts the record matches.  It can be a
+# host name, or it is made up of an IP address and a CIDR mask that is
+# an integer (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that
+# specifies the number of significant bits in the mask.  A host name
+# that starts with a dot (.) matches a suffix of the actual host name.
+# Alternatively, you can write an IP address and netmask in separate
+# columns to specify the set of hosts.  Instead of a CIDR-address, you
+# can write "samehost" to match any of the server's own IP addresses,
+# or "samenet" to match any address in any subnet that the server is
+# directly connected to.
+#
+# METHOD can be "trust", "reject", "md5", "password", "scram-sha-256",
+# "gss", "sspi", "ident", "peer", "pam", "ldap", "radius" or "cert".
+# Note that "password" sends passwords in clear text; "md5" or
+# "scram-sha-256" are preferred since they send encrypted passwords.
+#
+# OPTIONS are a set of options for the authentication in the format
+# NAME=VALUE.  The available options depend on the different
+# authentication methods -- refer to the "Client Authentication"
+# section in the documentation for a list of which options are
+# available for which authentication methods.
+#
+# Database and user names containing spaces, commas, quotes and other
+# special characters must be quoted.  Quoting one of the keywords
+# "all", "sameuser", "samerole" or "replication" makes the name lose
+# its special character, and just match a database or username with
+# that name.
+#
+# This file is read on server startup and when the server receives a
+# SIGHUP signal.  If you edit the file on a running system, you have to
+# SIGHUP the server for the changes to take effect, run "pg_ctl reload",
+# or execute "SELECT pg_reload_conf()".
+#
+# Put your actual configuration here
+# ----------------------------------
+#
+# If you want to allow non-local connections, you need to add more
+# "host" records.  In that case you will also need to make PostgreSQL
+# listen on a non-local interface via the listen_addresses
+# configuration parameter, or via the -i or -h command line switches.
+
+# TYPE  DATABASE        USER            ADDRESS                 METHOD
+
+# trust local connections
+local all nonroot-pg trust
+local all postgres trust
+local all  supabase_admin     scram-sha-256
+local all  all                peer map=supabase_map
+host  all  all  127.0.0.1/32  trust
+host  all  all  ::1/128       trust
+
+# IPv4 external connections
+host  all  all  10.0.0.0/8  scram-sha-256
+host  all  all  172.16.0.0/12  scram-sha-256
+host  all  all  192.168.0.0/16  scram-sha-256
+host  all  all  0.0.0.0/0     scram-sha-256
+
+# IPv6 external connections
+host  all  all  ::0/0     scram-sha-256
\ No newline at end of file
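Review bot: The loopback records `host all all 127.0.0.1/32 trust` and `host all all ::1/128 trust` let any process that can reach the server over loopback log in as any role, including superusers, without a password. In a Kubernetes pod all containers share the network namespace, so this covers sidecars and anything exec'd into the pod, not only the postgres container. Unless a component depends on it, prefer `host all all 127.0.0.1/32 scram-sha-256` and the same for `::1/128`. The `0.0.0.0/0` and `::0/0` records also make the three private-range lines redundant and accept password logins from any address that can reach the port. If only in-cluster clients are expected, drop the catch-all lines, and consider `hostssl` where traffic crosses an untrusted network.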
diff --git a/charts/supabase/docker/pgsodium_getkey b/charts/supabase/docker/pgsodium_getkey
new file mode 100644
index 0000000000000000000000000000000000000000..219c49373d59a7d9795534b3e771b671c34c6bb6
--- /dev/null
+++ b/charts/supabase/docker/pgsodium_getkey
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+# Script adapted from upstream supabase-postgres
+# https://github.com/supabase/postgres/blob/develop/ansible/files/admin_api_scripts/pg_upgrade_pgsodium_getkey.sh
+
+set -euo pipefail
+
+KEY_FILE=/opt/bitnami/postgresql/conf/pgsodium_root.key
+
+# if key file doesn't exist (project previously didn't use pgsodium), generate a new key
+if [[ ! -f "${KEY_FILE}" ]]; then
+    head -c 32 /dev/urandom | od -A n -t x1 | tr -d ' \n' >$KEY_FILE
+fi
+
+cat $KEY_FILE
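Review bot: The root key is written with `>$KEY_FILE` under the process's inherited umask, so with a typical 022 umask the file is created world-readable. Set `umask 077` before the `if` block (or run `chmod 600 "$KEY_FILE"` right after writing), and quote the variable in both uses: `>"$KEY_FILE"` and `cat "$KEY_FILE"`. The key lives under `/opt/bitnami/postgresql/conf`. If that path is not on a persistent volume (not visible in this diff), a restart would generate a new key and data encrypted under the old one could no longer be decrypted, so a comment stating where the key is expected to persist would help.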
diff --git a/charts/supabase/templates/db/deployment.yaml b/charts/supabase/templates/db/deployment.yaml
index 314842ede81a5db873cd8dcab536cfa145b818cb..f6d5089517e6f6059559426c9e00d035874bf5e8 100644
--- a/charts/supabase/templates/db/deployment.yaml
+++ b/charts/supabase/templates/db/deployment.yaml
@@ -32,15 +32,25 @@ spec:
         - name: init-db
           image: "{{ .Values.db.image.repository }}:{{ .Values.db.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: IfNotPresent
+          securityContext:
+            {{- toYaml .Values.db.securityContext | nindent 12 }}
           command: ["/bin/sh", "-c"]
           args:
             - |
+
+              echo "Creating new PGDATA directory in PVC (for subpath)..."
+              mkdir -p /var/lib/postgresql/data/postgres-data 
               echo "Copying init scripts into existing image script directory..."
               cp -r /docker-entrypoint-initdb.d/* /initdb.d/
+              # init-scripts
               cp /custom-init-scripts/98-webhooks.sql /initdb.d/init-scripts/
               cp /custom-init-scripts/99-roles.sql /initdb.d/init-scripts/
-              cp /custom-init-scripts/99-logs.sql /initdb.d/migrations/
+              cp /custom-init-scripts/99-jwt.sql /initdb.d/init-scripts/
+              # migrations
               cp /custom-init-scripts/99-realtime.sql /initdb.d/migrations/
+              cp /custom-init-scripts/97-_supabase.sql  /initdb.d/migrations/
+              cp /custom-init-scripts/99-logs.sql /initdb.d/migrations/
+              cp /custom-init-scripts/99-pooler.sql /initdb.d/migrations/
 
               echo "Copying user-defined migration scripts..."
               cp /custom-migrations/* /initdb.d/migrations/ || echo "Skip migrations"
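Review bot: The init script runs under `/bin/sh -c` with no `set -e`, so a failing `cp` among the added lines only prints an error and the container can still exit 0. One candidate is `cp /custom-init-scripts/99-jwt.sql /initdb.d/init-scripts/`, whose ConfigMap key is not added in this diff and may or may not already exist. The database would then initialise without that script instead of failing visibly. Add `set -eu` as the first line of the script; the existing `|| echo "Skip migrations"` keeps the optional user-migration copy tolerant. Also, `mkdir -p /var/lib/postgresql/data/postgres-data` runs unconditionally while the matching volume mount in the next hunk is gated on `.Values.db.persistence.enabled`, so with persistence off it only writes to the init container's own filesystem.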
@@ -52,6 +62,10 @@ spec:
               name: custom-migrations
             - mountPath: /initdb.d
               name: initdb-scripts-data
+            {{- if .Values.db.persistence.enabled }}
+            - mountPath: /var/lib/postgresql/data
+              name: postgres-volume
+            {{- end }}
       containers:
         - name: {{ include "supabase.db.name" $ }}
           securityContext:
@@ -170,4 +184,4 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-{{- end }}
\ No newline at end of file
+{{- end }}
diff --git a/charts/supabase/templates/db/initdb.config.yaml b/charts/supabase/templates/db/initdb.config.yaml
index 25f61ad23fac72cd7b215433d5876a6f24efabd4..aec2e9c684dee94d6f4177cab57c3beefa04cd7a 100644
--- a/charts/supabase/templates/db/initdb.config.yaml
+++ b/charts/supabase/templates/db/initdb.config.yaml
@@ -15,13 +15,21 @@ data:
   99-logs.sql: |
     \set pguser `echo "$POSTGRES_USER"`
 
+    \c _supabase
     create schema if not exists _analytics;
     alter schema _analytics owner to :pguser;
+    \c postgres
   99-realtime.sql: |
     \set pguser `echo "$POSTGRES_USER"`
 
     create schema if not exists _realtime;
     alter schema _realtime owner to :pguser;
+  99-pooler.sql: |
+    \set pguser `echo "$POSTGRES_USER"`
+    \c _supabase
+    create schema if not exists _supavisor;
+    alter schema _supavisor owner to :pguser;
+    \c postgres
   99-roles.sql: |
     -- NOTE: change to your own passwords for production environments
     \set pgpass `echo "$POSTGRES_PASSWORD"`
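Review bot: In the new `99-pooler.sql` (and in `97-_supabase.sql` in the last hunk of this file) `:pguser` is substituted as raw text into an identifier position, so a `POSTGRES_USER` containing a hyphen, uppercase letters or spaces is mis-parsed or folded to a different name. psql's identifier-quoting form avoids that: `alter schema _supavisor owner to :"pguser";` and `CREATE DATABASE _supabase WITH OWNER :"pguser";`. The `\c postgres` that ends `99-logs.sql` and `99-pooler.sql` also hard-codes the database to return to. If the init scripts are run against a different database (not visible here), later scripts would land in `postgres` instead, so a short comment stating that assumption would help.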
@@ -31,6 +39,7 @@ data:
     ALTER USER supabase_auth_admin WITH PASSWORD :'pgpass';
     ALTER USER supabase_functions_admin WITH PASSWORD :'pgpass';
     ALTER USER supabase_storage_admin WITH PASSWORD :'pgpass';
+  
   98-webhooks.sql: |
     BEGIN;
       -- Create pg_net extension
@@ -240,4 +249,11 @@ data:
       REVOKE ALL ON FUNCTION supabase_functions.http_request() FROM PUBLIC;
       GRANT EXECUTE ON FUNCTION supabase_functions.http_request() TO postgres, anon, authenticated, service_role;
     COMMIT;
-{{- end }}
\ No newline at end of file
+
+  97-_supabase.sql: |
+    \set pguser `echo "$POSTGRES_USER"`
+    CREATE DATABASE _supabase WITH OWNER :pguser;
+
+
+
+{{- end }}