Refactor PostgreSQL configuration and remove deprecated database setup

helm-chart/eoapi/templates/_helpers.tpl

@@ -62,18 +62,57 @@ Create the name of the service account to use
 {{- end }}
 
 {{/*
-Secrets for postgres/postgis access have to be
-derived from what the crunchydata operator creates
+PostgreSQL environment variables based on the configured type
+*/}}
+{{- define "eoapi.postgresqlEnv" -}}
+{{- if eq .Values.postgresql.type "postgrescluster" }}
+  {{- include "eoapi.postgresclusterSecrets" . }}
+{{- else if eq .Values.postgresql.type "external-plaintext" }}
+  {{- include "eoapi.externalPlaintextPgSecrets" . }}
+{{- else if eq .Values.postgresql.type "external-secret" }}
+  {{- include "eoapi.externalSecretPgSecrets" . }}
+{{- end }}
+{{- end }}
 
-Also note that we want to use the pgbouncer-<port|host|uri>
-but currently it doesn't support `search_path` parameters
-(https://github.com/pgbouncer/pgbouncer/pull/73) which
-are required for much of *pgstac
+{{/*
+PostgreSQL cluster secrets
 */}}
-{{- define "eoapi.pgstacSecrets"  -}}
+{{- define "eoapi.postgresclusterSecrets" -}}
 {{- range $userName, $v := .Values.postgrescluster.users -}}
 {{/* do not render anything for the "postgres" user */}}
 {{- if not (eq (index $v "name") "postgres") }}
+# Standard PostgreSQL environment variables
+- name: PGUSER
+  valueFrom:
+    secretKeyRef:
+      name: {{ $.Release.Name }}-pguser-{{ index $v "name" }}
+      key: user
+- name: PGPORT
+  valueFrom:
+    secretKeyRef:
+      name: {{ $.Release.Name }}-pguser-{{ index $v "name" }}
+      key: port
+- name: PGHOST
+  valueFrom:
+    secretKeyRef:
+      name: {{ $.Release.Name }}-pguser-{{ index $v "name" }}
+      key: host
+- name: PGPASSWORD
+  valueFrom:
+    secretKeyRef:
+      name: {{ $.Release.Name }}-pguser-{{ index $v "name" }}
+      key: password
+- name: PGDATABASE
+  valueFrom:
+    secretKeyRef:
+      name: {{ $.Release.Name }}-pguser-{{ index $v "name" }}
+      key: dbname
+- name: PGBOUNCER_URI
+  valueFrom:
+    secretKeyRef:
+      name: {{ $.Release.Name }}-pguser-{{ index $v "name" }}
+      key: pgbouncer-uri
+# Legacy variables for backward compatibility
 - name: POSTGRES_USER
   valueFrom:
     secretKeyRef:
@@ -109,11 +148,6 @@ are required for much of *pgstac
     secretKeyRef:
       name: {{ $.Release.Name }}-pguser-{{ index $v "name" }}
       key: dbname
-- name: PGBOUNCER_URI
-  valueFrom:
-    secretKeyRef:
-      name: {{ $.Release.Name }}-pguser-{{ index $v "name" }}
-      key: pgbouncer-uri
 - name: DATABASE_URL
   valueFrom:
     secretKeyRef:
@@ -128,6 +162,188 @@ are required for much of *pgstac
       key: uri
 {{- end }}
 
+{{/*
+External PostgreSQL with plaintext credentials
+*/}}
+{{- define "eoapi.externalPlaintextPgSecrets" -}}
+# Standard PostgreSQL environment variables
+- name: PGUSER
+  value: {{ .Values.postgresql.external.credentials.username | quote }}
+- name: PGPORT
+  value: {{ .Values.postgresql.external.port | quote }}
+- name: PGHOST
+  value: {{ .Values.postgresql.external.host | quote }}
+- name: PGPASSWORD
+  value: {{ .Values.postgresql.external.credentials.password | quote }}
+- name: PGDATABASE
+  value: {{ .Values.postgresql.external.database | quote }}
+# Legacy variables for backward compatibility
+- name: POSTGRES_USER
+  value: {{ .Values.postgresql.external.credentials.username | quote }}
+- name: POSTGRES_PORT
+  value: {{ .Values.postgresql.external.port | quote }}
+- name: POSTGRES_HOST
+  value: {{ .Values.postgresql.external.host | quote }}
+- name: POSTGRES_HOST_READER
+  value: {{ .Values.postgresql.external.host | quote }}
+- name: POSTGRES_HOST_WRITER
+  value: {{ .Values.postgresql.external.host | quote }}
+- name: POSTGRES_PASS
+  value: {{ .Values.postgresql.external.credentials.password | quote }}
+- name: POSTGRES_DBNAME
+  value: {{ .Values.postgresql.external.database | quote }}
+- name: DATABASE_URL
+  value: "postgresql://{{ .Values.postgresql.external.credentials.username }}:{{ .Values.postgresql.external.credentials.password }}@{{ .Values.postgresql.external.host }}:{{ .Values.postgresql.external.port }}/{{ .Values.postgresql.external.database }}"
+{{- end }}
+
+{{/*
+External PostgreSQL with secret credentials
+*/}}
+{{- define "eoapi.externalSecretPgSecrets" -}}
+# Standard PostgreSQL environment variables
+- name: PGUSER
+  valueFrom:
+    secretKeyRef:
+      name: {{ .Values.postgresql.external.existingSecret.name }}
+      key: {{ .Values.postgresql.external.existingSecret.keys.username }}
+- name: PGPASSWORD
+  valueFrom:
+    secretKeyRef:
+      name: {{ .Values.postgresql.external.existingSecret.name }}
+      key: {{ .Values.postgresql.external.existingSecret.keys.password }}
+# Legacy variables for backward compatibility
+- name: POSTGRES_USER
+  valueFrom:
+    secretKeyRef:
+      name: {{ .Values.postgresql.external.existingSecret.name }}
+      key: {{ .Values.postgresql.external.existingSecret.keys.username }}
+- name: POSTGRES_PASS
+  valueFrom:
+    secretKeyRef:
+      name: {{ .Values.postgresql.external.existingSecret.name }}
+      key: {{ .Values.postgresql.external.existingSecret.keys.password }}
+
+# Host, port, and database can be from the secret or from values
+{{- if .Values.postgresql.external.existingSecret.keys.host }}
+- name: PGHOST
+  valueFrom:
+    secretKeyRef:
+      name: {{ .Values.postgresql.external.existingSecret.name }}
+      key: {{ .Values.postgresql.external.existingSecret.keys.host }}
+- name: POSTGRES_HOST
+  valueFrom:
+    secretKeyRef:
+      name: {{ .Values.postgresql.external.existingSecret.name }}
+      key: {{ .Values.postgresql.external.existingSecret.keys.host }}
+- name: POSTGRES_HOST_READER
+  valueFrom:
+    secretKeyRef:
+      name: {{ .Values.postgresql.external.existingSecret.name }}
+      key: {{ .Values.postgresql.external.existingSecret.keys.host }}
+- name: POSTGRES_HOST_WRITER
+  valueFrom:
+    secretKeyRef:
+      name: {{ .Values.postgresql.external.existingSecret.name }}
+      key: {{ .Values.postgresql.external.existingSecret.keys.host }}
+{{- else }}
+- name: PGHOST
+  value: {{ .Values.postgresql.external.host | quote }}
+- name: POSTGRES_HOST
+  value: {{ .Values.postgresql.external.host | quote }}
+- name: POSTGRES_HOST_READER
+  value: {{ .Values.postgresql.external.host | quote }}
+- name: POSTGRES_HOST_WRITER
+  value: {{ .Values.postgresql.external.host | quote }}
+{{- end }}
+
+{{- if .Values.postgresql.external.existingSecret.keys.port }}
+- name: PGPORT
+  valueFrom:
+    secretKeyRef:
+      name: {{ .Values.postgresql.external.existingSecret.name }}
+      key: {{ .Values.postgresql.external.existingSecret.keys.port }}
+- name: POSTGRES_PORT
+  valueFrom:
+    secretKeyRef:
+      name: {{ .Values.postgresql.external.existingSecret.name }}
+      key: {{ .Values.postgresql.external.existingSecret.keys.port }}
+{{- else }}
+- name: PGPORT
+  value: {{ .Values.postgresql.external.port | quote }}
+- name: POSTGRES_PORT
+  value: {{ .Values.postgresql.external.port | quote }}
+{{- end }}
+
+{{- if .Values.postgresql.external.existingSecret.keys.database }}
+- name: PGDATABASE
+  valueFrom:
+    secretKeyRef:
+      name: {{ .Values.postgresql.external.existingSecret.name }}
+      key: {{ .Values.postgresql.external.existingSecret.keys.database }}
+- name: POSTGRES_DBNAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ .Values.postgresql.external.existingSecret.name }}
+      key: {{ .Values.postgresql.external.existingSecret.keys.database }}
+{{- else }}
+- name: PGDATABASE
+  value: {{ .Values.postgresql.external.database | quote }}
+- name: POSTGRES_DBNAME
+  value: {{ .Values.postgresql.external.database | quote }}
+{{- end }}
+
+# Add DATABASE_URL for connection string
+{{- if .Values.postgresql.external.existingSecret.keys.uri }}
+- name: DATABASE_URL
+  valueFrom:
+    secretKeyRef:
+      name: {{ .Values.postgresql.external.existingSecret.name }}
+      key: {{ .Values.postgresql.external.existingSecret.keys.uri }}
+{{- else }}
+- name: DATABASE_URL
+  value: "postgresql://$(PGUSER):$(PGPASSWORD)@$(PGHOST):$(PGPORT)/$(PGDATABASE)"
+{{- end }}
+{{- end }}
+
+{{/*
+Validate PostgreSQL configuration
+*/}}
+{{- define "eoapi.validatePostgresql" -}}
+{{- if eq .Values.postgresql.type "postgrescluster" }}
+  {{- if not .Values.postgrescluster.enabled }}
+    {{- fail "When postgresql.type is 'postgrescluster', postgrescluster.enabled must be true" }}
+  {{- end }}
+  {{- include "eoapi.validatePostgresCluster" . }}
+{{- else if eq .Values.postgresql.type "external-plaintext" }}
+  {{- if not .Values.postgresql.external.host }}
+    {{- fail "When postgresql.type is 'external-plaintext', postgresql.external.host must be set" }}
+  {{- end }}
+  {{- if not .Values.postgresql.external.credentials.username }}
+    {{- fail "When postgresql.type is 'external-plaintext', postgresql.external.credentials.username must be set" }}
+  {{- end }}
+  {{- if not .Values.postgresql.external.credentials.password }}
+    {{- fail "When postgresql.type is 'external-plaintext', postgresql.external.credentials.password must be set" }}
+  {{- end }}
+{{- else if eq .Values.postgresql.type "external-secret" }}
+  {{- if not .Values.postgresql.external.existingSecret.name }}
+    {{- fail "When postgresql.type is 'external-secret', postgresql.external.existingSecret.name must be set" }}
+  {{- end }}
+  {{- if not .Values.postgresql.external.existingSecret.keys.username }}
+    {{- fail "When postgresql.type is 'external-secret', postgresql.external.existingSecret.keys.username must be set" }}
+  {{- end }}
+  {{- if not .Values.postgresql.external.existingSecret.keys.password }}
+    {{- fail "When postgresql.type is 'external-secret', postgresql.external.existingSecret.keys.password must be set" }}
+  {{- end }}
+  {{- if not .Values.postgresql.external.existingSecret.keys.host }}
+    {{- if not .Values.postgresql.external.host }}
+      {{- fail "When postgresql.type is 'external-secret' and existingSecret.keys.host is not set, postgresql.external.host must be set" }}
+    {{- end }}
+  {{- end }}
+{{- else }}
+  {{- fail "postgresql.type must be one of: 'postgrescluster', 'external-plaintext', 'external-secret'" }}
+{{- end }}
+{{- end }}
+
 {{/*
 values.schema.json doesn't play nice combined value checks
 so we use this helper function to check autoscaling rules
@@ -192,17 +408,3 @@ that you can only use traefik as ingress when `testing=true`
 {{- end -}}
 
 {{- end -}}
-
-{{/*
-validate:
-that you cannot have db.enabled and (postgrescluster.enabled or pgstacBootstrap.enabled)
-*/}}
-{{- define "eoapi.validateTempDB" -}}
-{{- if and (.Values.db.enabled) (.Values.postgrescluster.enabled) -}}
-  {{- fail "you cannot use have both db.enabled and postgresclsuter.enabled" -}}
-{{- end -}}
-{{- if and (.Values.db.enabled) (.Values.pgstacBootstrap.enabled) -}}
-  {{- fail "you cannot use have both db.enabled and pgstacBootstrap.enabled" -}}
-{{- end -}}
-
-{{- end -}}