[stack-auth] migrate to PGO cluster for postgres

jshimko · Sep 25, 2024 · 75c2673 · 75c2673
1 parent fedec94
commit 75c2673
Show file tree

Hide file tree

Showing 4 changed files with 160 additions and 29 deletions.
diff --git a/charts/stack-auth/Chart.lock b/charts/stack-auth/Chart.lock
@@ -1,9 +1,9 @@
 dependencies:
-- name: postgresql
-  repository: https://charts.bitnami.com/bitnami
-  version: 15.5.34
+- name: postgres
+  repository: file://../postgrescluster
+  version: 5.6.0
 - name: svix
-  repository: https://jshimko.github.io/helm-charts
-  version: 0.4.1
-digest: sha256:39f631fa1b7ab5a1d9f04691176c07ce41ed30ef04fdfb17b144bd4c21408bfc
-generated: "2024-09-25T11:18:49.012602-04:00"
+  repository: file://../svix
+  version: 0.5.0
+digest: sha256:3652d7a29d9fa6ab23738bb23afe0c4e9733959198334b558ca864df43e9bce8
+generated: "2024-09-25T17:11:15.288899-04:00"
diff --git a/charts/stack-auth/Chart.yaml b/charts/stack-auth/Chart.yaml
@@ -2,16 +2,19 @@ apiVersion: v2
 name: stack-auth
 description: A Helm chart to deploy the Stack Auth platform. https://stack-auth.com
 type: application
-version: 0.6.1
+version: 0.7.0
 
 dependencies:
-  # https://github.com/bitnami/charts/blob/main/bitnami/postgresql/Chart.yaml
-  - name: postgresql
-    version: 15.5.34
-    repository: https://charts.bitnami.com/bitnami
-    condition: postgresql.enabled
+  # Postgres Operator - PostgresCluster
+  # https://access.crunchydata.com/documentation/postgres-operator/v5/
+  - name: postgres
+    version: 5.6.0
+    repository: file://../postgrescluster
+    condition: postgres.enabled
 
+  # Svix webhooks
+  # https://github.com/jshimko/helm-charts/tree/main/charts/svix
   - name: svix
-    version: 0.4.1
-    repository: https://jshimko.github.io/helm-charts
+    version: 0.5.0
+    repository: file://../svix
     condition: svix.enabled
diff --git a/charts/stack-auth/templates/backend/deployment.yaml b/charts/stack-auth/templates/backend/deployment.yaml
@@ -49,11 +49,35 @@ spec:
           {{- end }}
 
           env:
-            {{- if .Values.postgresql.enabled  }}
+            {{- if or .Values.postgres.enabled .Values.backend.postgresSecret }}
+            - name: PGO_PGBOUNCER_URI
+              valueFrom:
+                secretKeyRef:
+                  {{- if .Values.backend.postgresSecret }}
+                  name: "{{ .Values.backend.postgresSecret }}"
+                  {{- else }}
+                  name: "{{ .Values.postgres.name }}-pguser-stack"
+                  {{- end }}
+                  key: "pgbouncer-uri"
+
+            # If we are connecting through pgbouncer we need to provide a direction connection url
+            # as well because prisma migrations do not support connection pooling
+            # https://www.prisma.io/docs/guides/performance-and-optimization/connection-management/configure-pg-bouncer#prisma-migrate-and-pgbouncer-workaround
+            - name: POSTGRES_DIRECT_URI
+              valueFrom:
+                secretKeyRef:
+                  {{- if .Values.backend.postgresSecret }}
+                  name: "{{ .Values.backend.postgresSecret }}"
+                  {{- else }}
+                  name: "{{ .Values.postgres.name }}-pguser-stack"
+                  {{- end }}
+                  key: "uri"
+
+            # map above to the correct Stack env variables
             - name: STACK_DATABASE_CONNECTION_STRING
-              value: "postgres://{{ .Values.postgresql.auth.username }}:{{ .Values.postgresql.auth.password }}@stack-postgresql:5432/{{ .Values.postgresql.auth.database }}?{{ .Values.backend.dbUrlOptions }}"
+              value: "$(PGO_PGBOUNCER_URI)?{{ .Values.backend.dbUrlOptions }}&pgbouncer=true"
             - name: STACK_DIRECT_DATABASE_CONNECTION_STRING
-              value: "$(STACK_DATABASE_CONNECTION_STRING)"
+              value: "$(POSTGRES_DIRECT_URI)?{{ .Values.backend.dbUrlOptions }}"
             {{- end }}
 
             {{- range .Values.backend.env }}

diff --git a/charts/stack-auth/values.yaml b/charts/stack-auth/values.yaml
@@ -146,7 +146,12 @@ backend:
 
   imagePullSecrets: []
 
-  dbUrlOptions: "" # schema=public,connect_timeout=10,pool_timeout=10
+  # -- optional Postgres Operator cluster secret name
+  postgresSecret: ""
+
+  # -- PostgresCluster connection string options. e.g. schema=stack,connection_limit=10,connect_timeout=10,pool_timeout=10
+  # Note that the schema option must match the user name in the PostgresCluster users list below or permissions will be denied.
+  dbUrlOptions: "schema=stack&sslmode=require&application_name=stack-auth"
 
   # -- Backend environment variables - see available [.env](https://github.com/stack-auth/stack/blob/dev/apps/backend/.env) options
   env:
@@ -263,16 +268,6 @@ backend:
 
   affinity: {}
 
-# Postgres deployment for Stack Auth
-# https://github.com/bitnami/charts/blob/main/bitnami/postgresql/values.yaml
-postgresql:
-  enabled: true
-  fullnameOverride: stack-postgresql
-  auth:
-    username: stack
-    password: stack123
-    database: stack
-
 # -- Any misc extra K8s manifests you'd like to create
 extraTemplates:
   []
@@ -285,6 +280,115 @@ extraTemplates:
   #   data:
   #     key: value
 
+# PGO PostgresCluster deployment
+# If enabled below, PostgresOperator must already be installed in the cluster so the PostgresCluster CRD is available.
+# You can install PostgresOperator to your cluster with the following command:
+
+# helm install pgo -n pgo --create-namespace oci://registry.developers.crunchydata.com/crunchydata/pgo
+#
+# Postgres Operator docs
+# https://access.crunchydata.com/documentation/postgres-operator/latest
+# https://github.com/CrunchyData/postgres-operator
+#
+# PostgresCluster Chart
+# https://github.com/jshimko/helm-charts/tree/main/charts/postgres
+postgres:
+  # -- disabled by default in case PostgresOperator is not installed in the cluster
+  enabled: false
+
+  # -- PostgresCluster name
+  name: postgres-stack
+
+  # -- Postgres users to create and assign access to databases
+  users:
+    # -- db admin
+    - name: postgres
+
+    # -- app user
+    - name: stack
+      databases:
+        - stack
+
+  # -- Postgres instances
+  instances:
+    - name: stack #
+      replicas: 2
+
+      # -- Postgres instance resources
+      resources: {}
+        # requests:
+        #   cpu: 500m
+        #   memory: 1Gi
+        # limits:
+        #   cpu: 1000m
+        #   memory: 2Gi
+
+      dataVolumeClaimSpec:
+        accessModes:
+          - "ReadWriteOnce"
+        resources:
+          requests:
+            storage: 10Gi
+
+  pgBouncerReplicas: 1
+
+  # pgBackRest Backups
+  # https://pgbackrest.org/user-guide.html
+  # -- https://access.crunchydata.com/documentation/postgres-operator/latest/tutorials/backups-disaster-recovery/backups
+  pgBackRestConfig:
+    # which repo to use when triggering a manual backup
+    manual:
+      repoName: repo1 # in-cluster persistent volume
+      options:
+        - --type=full
+
+    # # S3 auth
+    # # https://access.crunchydata.com/documentation/postgres-operator/latest/tutorials/backups-disaster-recovery/backups#using-s3
+    # configuration:
+    #   - secret:
+    #       name: pgbackrest-backup-secret
+
+    global:
+      # set retention of full backups to 7 days
+      # https://pgbackrest.org/user-guide.html#retention
+
+      # in-cluster persistent volume
+      repo1-retention-full: "7"
+      repo1-retention-full-type: time
+
+      # # S3 bucket
+      # repo2-path: /pgbackrest/production
+      # repo2-retention-full: "7"
+      # repo2-retention-full-type: time
+
+    repos:
+      # in-cluster persistent volume
+      - name: repo1
+        volume:
+          volumeClaimSpec:
+            accessModes:
+              - "ReadWriteOnce"
+            resources:
+              requests:
+                storage: 10Gi
+        schedules:
+          # full backup weekly at 12:00a UTC Sunday
+          full: "0 12 * * 0"
+          # differential backup at 12:00 UTC Monday-Saturday
+          differential: "0 12 * * 1-6"
+
+      # # S3 bucket
+      # - name: repo2
+      #   s3:
+      #     bucket: example-pgbackrest-bucket
+      #     endpoint: s3.amazonaws.com
+      #     region: us-east-1
+      #   schedules:
+      #     # full backup weekly at 1:00a UTC Sunday
+      #     full: "0 1 * * 0"
+      #     # differential backup at 1:00 UTC Monday-Saturday
+      #     differential: "0 1 * * 1-6"
+
 # svix chart
 # Optional Svix webhooks chart deployment. See docs https://github.com/jshimko/helm-charts/tree/main/charts/svix
 svix: