Update image tags

* add JWT expiry
* update `db` JWT schema
* update `db` arguments based on docker-compose
* update README with local testing suite
* fix testing conditions
* remove `db` ingress

charts/supabase/README.md

@@ -211,6 +211,21 @@ kong:
     annotations:
       nginx.ingress.kubernetes.io/rewrite-target: /
 ```
+
+### Testing suite
+
+Before creating a merge request, you can test the charts locally by using [helm/chart-testing](https://github.com/helm/chart-testing). If you have Docker and a Kubernetes environment to test with, simply run:
+
+```shell
+docker run -it \
+  --network host \
+  --workdir=/data \
+  --volume ~/.kube/config:/root/.kube/config:ro \
+  --volume $(pwd)/charts/supabase:/data \
+  quay.io/helmpack/chart-testing:v3.7.1 \
+  ct install --chart-dirs . --charts .
+```
+
 ### Version compatibility
 
 #### `0.0.x` to `0.1.x`

charts/supabase/templates/db/ingress.yaml

-{{- if .Values.db.enabled -}}
-{{- if .Values.db.ingress.enabled -}}
-{{- $fullName := include "supabase.db.fullname" . -}}
-{{- $svcPort := .Values.db.service.port -}}
-{{- if and .Values.db.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
-  {{- if not (hasKey .Values.db.ingress.annotations "kubernetes.io/ingress.class") }}
-  {{- $_ := set .Values.db.ingress.annotations "kubernetes.io/ingress.class" .Values.db.ingress.className}}
-  {{- end }}
-{{- end }}
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: {{ $fullName }}
-  labels:
-    {{- include "supabase.labels" . | nindent 4 }}
-  {{- with .Values.db.ingress.annotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-spec:
-  {{- if and .Values.db.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
-  ingressClassName: {{ .Values.db.ingress.className }}
-  {{- end }}
-  {{- if .Values.db.ingress.tls }}
-  tls:
-    {{- range .Values.db.ingress.tls }}
-    - hosts:
-        {{- range .hosts }}
-        - {{ . | quote }}
-        {{- end }}
-      secretName: {{ .secretName }}
-    {{- end }}
-  {{- end }}
-  rules:
-    {{- range .Values.db.ingress.hosts }}
-    - host: {{ .host | quote }}
-      http:
-        paths:
-          {{- range .paths }}
-          - path: {{ .path }}
-            {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
-            pathType: {{ .pathType }}
-            {{- end }}
-            backend:
-              {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
-              service:
-                name: {{ $fullName }}
-                port:
-                  number: {{ $svcPort }}
-              {{- else }}
-              serviceName: {{ $fullName }}
-              servicePort: {{ $svcPort }}
-              {{- end }}
-          {{- end }}
-    {{- end }}
-{{- end }}
-{{- end }}
\ No newline at end of file

charts/supabase/templates/db/initdb.config.yaml

@@ -6,6 +6,12 @@ metadata:
   labels:
     {{- include "supabase.labels" . | nindent 4 }}
 data:
+  99-jwt.sql: |
+    \set jwt_secret `echo "$JWT_SECRET"`
+    \set jwt_exp `echo "$JWT_EXP"`
+
+    ALTER DATABASE postgres SET "app.settings.jwt_secret" TO :jwt_secret;
+    ALTER DATABASE postgres SET "app.settings.jwt_exp" TO :jwt_exp;
   99-logs.sql: |
     \set pguser `echo "$POSTGRES_USER"`
 

charts/supabase/templates/rest/deployment.yaml

@@ -65,6 +65,11 @@ spec:
                 secretKeyRef:
                   name: {{ include "supabase.secret.jwt" . }}
                   key: secret
+            - name: JWT_EXPIRY
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "supabase.secret.jwt" . }}
+                  key: expiry
           {{- with .Values.rest.livenessProbe }}
           livenessProbe:
             {{- toYaml . | nindent 12 }}

charts/supabase/templates/secrets/jwt.yaml

@@ -8,6 +8,6 @@ metadata:
 type: Opaque
 data:
 {{- range $key, $value := .Values.secret.jwt }}
-  {{ $key }}: {{ $value | b64enc }}
+  {{ $key }}: {{ $value | toString | b64enc }}
 {{- end }}
 {{- end }}

charts/supabase/templates/test/analytics.yaml

+{{- if .Values.analytics.enabled -}}
 apiVersion: batch/v1
 kind: Job
 metadata:
@@ -21,3 +22,4 @@ spec:
                 http://{{ include "supabase.analytics.fullname" . }}:{{ .Values.analytics.service.port }}/health
               echo "Sevice {{ include "supabase.analytics.fullname" . }} is healthy."
       restartPolicy: Never
+{{- end }}

charts/supabase/templates/test/auth.yaml

+{{- if .Values.auth.enabled -}}
 apiVersion: batch/v1
 kind: Job
 metadata:
@@ -21,3 +22,4 @@ spec:
                 http://{{ include "supabase.auth.fullname" . }}:{{ .Values.auth.service.port }}/health
               echo "Sevice {{ include "supabase.auth.fullname" . }} is healthy."
       restartPolicy: Never
+{{- end }}

charts/supabase/templates/test/db.yaml

+{{- if .Values.db.enabled -}}
 apiVersion: batch/v1
 kind: Job
 metadata:
@@ -35,3 +36,4 @@ spec:
           imagePullPolicy: IfNotPresent
           name: test-db
       restartPolicy: Never
+{{- end }}

charts/supabase/templates/test/imgproxy.yaml

+{{- if .Values.imgproxy.enabled -}}
 apiVersion: batch/v1
 kind: Job
 metadata:
@@ -21,3 +22,4 @@ spec:
                 http://{{ include "supabase.imgproxy.fullname" . }}:{{ .Values.imgproxy.service.port }}/health
               echo "Sevice {{ include "supabase.imgproxy.fullname" . }} is healthy."
       restartPolicy: Never
+{{- end }}

charts/supabase/templates/test/kong.yaml

+{{- if .Values.kong.enabled -}}
 apiVersion: batch/v1
 kind: Job
 metadata:
@@ -28,10 +29,11 @@ spec:
             - /bin/bash
             - -c
             - |
-              RETURN_CODE=$(curl -sL \
-                -w "%{http_code}\n" \
+              echo "Attempting to access dashboard with provided credentials..."
+              curl -sL --fail \
                 -o /dev/null \
-                http://${DASHBOARD_USERNAME}:${DASHBOARD_PASSWORD}@{{ include "supabase.kong.fullname" . }}:{{ .Values.kong.service.port }})
-              ! [[ "$RETURN_CODE" =~ 20[0-9] ]] && echo -e "\e[0;31mFailed to get a valid response." && exit 1
+                "http://${DASHBOARD_USERNAME}:${DASHBOARD_PASSWORD}@{{ include "supabase.kong.fullname" . }}:{{ .Values.kong.service.port }}" \
+                || ( echo -e "\e[0;31mFailed to get a valid response." && exit 1 )
               echo "Successfully connected."
       restartPolicy: Never
+{{- end }}

charts/supabase/templates/test/meta.yaml

+{{- if .Values.meta.enabled -}}
 apiVersion: batch/v1
 kind: Job
 metadata:
@@ -21,3 +22,4 @@ spec:
                 http://{{ include "supabase.meta.fullname" . }}:{{ .Values.meta.service.port }}/health
               echo "Sevice {{ include "supabase.meta.fullname" . }} is healthy."
       restartPolicy: Never
+{{- end }}

charts/supabase/templates/test/realtime.yaml

+{{- if .Values.realtime.enabled -}}
 apiVersion: batch/v1
 kind: Job
 metadata:
@@ -21,3 +22,4 @@ spec:
                 http://{{ include "supabase.realtime.fullname" . }}:{{ .Values.realtime.service.port }}
               echo "Sevice {{ include "supabase.realtime.fullname" . }} is healthy."
       restartPolicy: Never
+{{- end }}

charts/supabase/templates/test/rest.yaml

+{{- if .Values.rest.enabled -}}
 apiVersion: batch/v1
 kind: Job
 metadata:
@@ -21,3 +22,4 @@ spec:
                 http://{{ include "supabase.rest.fullname" . }}:{{ .Values.rest.service.port }}
               echo "Sevice {{ include "supabase.rest.fullname" . }} is healthy."
       restartPolicy: Never
+{{- end }}

charts/supabase/templates/test/storage.yaml

+{{- if .Values.storage.enabled -}}
 apiVersion: batch/v1
 kind: Job
 metadata:
@@ -21,3 +22,4 @@ spec:
                 http://{{ include "supabase.storage.fullname" . }}:{{ .Values.storage.service.port }}/status
               echo "Sevice {{ include "supabase.storage.fullname" . }} is healthy."
       restartPolicy: Never
+{{- end }}

charts/supabase/templates/test/studio.yaml

+{{- if .Values.studio.enabled -}}
 apiVersion: batch/v1
 kind: Job
 metadata:
@@ -21,3 +22,4 @@ spec:
                 http://{{ include "supabase.studio.fullname" . }}:{{ .Values.studio.service.port }}/api/profile
               echo "Sevice {{ include "supabase.studio.fullname" . }} is healthy."
       restartPolicy: Never
+{{- end }}

charts/supabase/values.example.yaml

@@ -60,7 +60,7 @@ auth:
 
 rest:
   image:
-    tag: v11.2.0
+    tag: v11.2.2
 
 realtime:
   image:
@@ -77,7 +77,7 @@ meta:
 
 storage:
   image:
-    tag: v0.40.4
+    tag: v0.43.11
   livenessProbe:
     httpGet:
       path: /status
@@ -145,4 +145,4 @@ vector:
 
 functions:
   image:
-    tag: v1.22.3
+    tag: v1.22.4

charts/supabase/values.yaml

@@ -20,6 +20,7 @@ secret:
     anonKey: ""
     serviceKey: ""
     secret: ""
+    expiry: 3600
   # database credentials
   # these fields must be provided even if using external database
   db:
@@ -82,25 +83,9 @@ db:
     PGPORT: "5432"
     POSTGRES_PORT: "5432"
     # POSTGRES_HOST_AUTH_METHOD: md5
-  ingress:
-    enabled: false
-    className: "nginx"
-    annotations:
-      nginx.ingress.kubernetes.io/rewrite-target: /
-      # cert-manager.io/cluster-issuer: "letsencrypt-staging"
-      # kubernetes.io/tls-acme: "true"
-    tls:
-      - secretName: DB.EXAMPLE.COM
-        hosts:
-          - DB.EXAMPLE.COM
-    hosts:
-      - host: DB.EXAMPLE.COM
-        paths:
-          - path: /
-            pathType: Prefix
-            backend:
-              serviceName: database
-              servicePort: 5432
+    # Enable SSL for postgres by specifying paths for mounted certificate key pair
+    # POSTGRES_SSL_CERT: /path/to/ssl/server.crt
+    # POSTGRES_SSL_KEY: /path/to/ssl/server.key
   # volumeMounts:
   #   - name: volume_name
   #     mountPath: /path/to/my/secret
@@ -357,7 +342,6 @@ rest:
     PGRST_DB_SCHEMAS: public,storage,graphql_public
     PGRST_DB_ANON_ROLE: anon
     PGRST_DB_USE_LEGACY_GUCS: false
-    JWT_EXPIRY: 3600
   # volumeMounts:
   #   - name: volume_name
   #     mountPath: /path/to/my/secret