Create dedicated controller database

mxsrc · mxsrc · commit 5ab70e5fa659 · 2026-03-26T18:47:46.000+01:00
diff --git a/chart/templates/_helpers.tpl b/chart/templates/_helpers.tpl
@@ -3,16 +3,37 @@ Reusable snippets shared across Vela Helm templates.
 */}}
 
 {{/*
-Renders a Postgres init container that waits for the target database to accept connections.
+Returns the plaintext password for a given DB credential key, preserving it across upgrades
+via lookup of the existing vela-controller-secret. On fresh installs the password is derived
+deterministically from the release name, namespace, and key so that all templates in the same
+render produce the same value.
+
+Usage: {{ include "vela.dbPassword" (list "controller-db-password" .) }}
+*/}}
+{{- define "vela.dbPassword" -}}
+{{- $key := index . 0 -}}
+{{- $ctx := index . 1 -}}
+{{- $existingSecret := lookup "v1" "Secret" $ctx.Release.Namespace "vela-controller-secret" -}}
+{{- if and $existingSecret (index $existingSecret.data $key) -}}
+{{- index $existingSecret.data $key | b64dec -}}
+{{- else -}}
+{{- printf "%s-%s-%s" $ctx.Release.Name $ctx.Release.Namespace $key | sha256sum | trunc 32 -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Renders a Postgres init container that waits for the server to be ready.
+When `database` is provided it also waits until that specific database accepts connections.
 The helper accepts a dictionary with the following optional keys:
   - name               : init container name (default: wait-for-database)
   - image              : container image (default: postgres:17-alpine)
   - imagePullPolicy    : pull policy (default: IfNotPresent)
   - host               : database hostname (default: database)
   - port               : database port (default: 5432)
-  - secretName         : Kubernetes secret with credentials (default: database)
-  - usernameKey        : Secret key used for DB username (default: superuser-username)
-  - passwordKey        : Secret key used for DB password (default: superuser-password)
+  - database           : if set, block until this database accepts connections
+  - secretName         : secret containing credentials for the psql check (default: database)
+  - usernameKey        : key for the DB username in secretName (default: superuser-username)
+  - passwordKey        : key for the DB password in secretName (default: superuser-password)
   - securityContext    : optional security context applied to the init container
 */}}
 {{- define "vela.waitForPostgresInitContainer" -}}
@@ -21,6 +42,7 @@ The helper accepts a dictionary with the following optional keys:
 {{- $imagePullPolicy := default "IfNotPresent" .imagePullPolicy -}}
 {{- $host := default "database" .host -}}
 {{- $port := default "5432" .port -}}
+{{- $database := .database -}}
 {{- $secretName := default "database" .secretName -}}
 {{- $usernameKey := default "superuser-username" .usernameKey -}}
 {{- $passwordKey := default "superuser-password" .passwordKey -}}
@@ -32,6 +54,7 @@ The helper accepts a dictionary with the following optional keys:
       value: {{ $host | quote }}
     - name: DB_PORT
       value: {{ $port | quote }}
+{{- if $database }}
     - name: DB_USER
       valueFrom:
         secretKeyRef:
@@ -42,20 +65,22 @@ The helper accepts a dictionary with the following optional keys:
         secretKeyRef:
           name: {{ $secretName }}
           key: {{ $passwordKey }}
+{{- end }}
   command: ["/bin/sh", "-c"]
   args:
     - |
       echo "Waiting for database..."
-      until pg_isready -h "$DB_HOST" -p "$DB_PORT" -U "$DB_USER"; do
+      until pg_isready -h "$DB_HOST" -p "$DB_PORT"; do
         sleep 2
       done
       echo "Database is ready"
+{{- if $database }}
 
-      # Ensure postgres user can connect
-      until psql -h "$DB_HOST" -U "$DB_USER" -d postgres -c '\q' 2>/dev/null; do
-        echo "Waiting for Postgres superuser connection..."
+      until psql -h "$DB_HOST" -U "$DB_USER" -d {{ $database | quote }} -c '\q' 2>/dev/null; do
+        echo "Waiting for Postgres connection to {{ $database }}..."
         sleep 2
       done
+{{- end }}
 {{- with .securityContext }}
   securityContext:
 {{ toYaml . | nindent 4 }}
diff --git a/chart/templates/controller/deployment.yaml b/chart/templates/controller/deployment.yaml
@@ -18,7 +18,12 @@ spec:
     spec:
       serviceAccountName: vela-controller
       initContainers:
-{{ include "vela.waitForPostgresInitContainer" (dict) | nindent 8 }}
+{{ include "vela.waitForPostgresInitContainer" (dict
+    "secretName" "vela-controller-secret"
+    "usernameKey" "controller-db-username"
+    "passwordKey" "controller-db-password"
+    "database" "controller"
+  ) | nindent 8 }}
       containers:
         - name: vela-controller
           image: "{{ .Values.controller.image.repository }}:{{ .Values.controller.image.tag }}"
@@ -41,16 +46,16 @@ spec:
                 secretKeyRef:
                   name: vela-grafana-secret
                   key: VELA_GRAFANA_SECURITY_ADMIN_PASSWORD
-            - name: DB_USER
+            - name: CONTROLLER_DB_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: database
-                  key: superuser-username
-            - name: DB_PASSWORD
+                  name: vela-controller-secret
+                  key: controller-db-password
+            - name: CELERY_DB_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: database
-                  key: superuser-password
+                  name: vela-controller-secret
+                  key: celery-db-password
             - name: VELA_DEPLOYMENT_PASSWORD_SECRET
               valueFrom:
                 secretKeyRef:
@@ -59,13 +64,13 @@ spec:
             - name: DB_HOST
               value: database
             - name: VELA_POSTGRES_URL
-              value: 'postgresql+asyncpg://$(DB_USER):$(DB_PASSWORD)@$(DB_HOST):5432/postgres'
-            - name: VELA_GRAFANA_URL
-              value: "https://{{ .Values.domain }}:{{ .Values.port }}/grafana"
+              value: 'postgresql+asyncpg://vela_controller:$(CONTROLLER_DB_PASSWORD)@$(DB_HOST):5432/controller'
             - name: VELA_BROKER_URL
-              value: 'sqla+postgresql+psycopg://$(DB_USER):$(DB_PASSWORD)@$(DB_HOST):5432/postgres'
+              value: 'sqla+postgresql+psycopg://vela_celery:$(CELERY_DB_PASSWORD)@$(DB_HOST):5432/controller'
             - name: VELA_RESULT_BACKEND
-              value: 'db+postgresql+psycopg://$(DB_USER):$(DB_PASSWORD)@$(DB_HOST):5432/postgres'
+              value: 'db+postgresql+psycopg://vela_celery:$(CELERY_DB_PASSWORD)@$(DB_HOST):5432/controller'
+            - name: VELA_GRAFANA_URL
+              value: "https://{{ .Values.domain }}:{{ .Values.port }}/grafana"
           livenessProbe:
             httpGet:
               path: /health
diff --git a/chart/templates/controller/secret.yaml b/chart/templates/controller/secret.yaml
@@ -2,11 +2,11 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: vela-controller-secret
+  namespace: {{ .Release.Namespace }}
 type: Opaque
 data:
   {{- $existingSecret := lookup "v1" "Secret" .Release.Namespace "vela-controller-secret" }}
-  {{- if $existingSecret }}
-    deployment-password-secret: {{ index $existingSecret.data "deployment-password-secret" }}
-  {{- else }}
-    deployment-password-secret: {{ randAlphaNum 32 | b64enc }}
-  {{- end }}
+  deployment-password-secret: {{ if $existingSecret }}{{ index $existingSecret.data "deployment-password-secret" }}{{ else }}{{ randAlphaNum 32 | b64enc }}{{ end }}
+  controller-db-password: {{ include "vela.dbPassword" (list "controller-db-password" .) | b64enc }}
+  celery-db-password: {{ include "vela.dbPassword" (list "celery-db-password" .) | b64enc }}
+  controller-db-username: {{ "vela_controller" | b64enc }}
diff --git a/chart/templates/controller/worker.yaml b/chart/templates/controller/worker.yaml
@@ -18,7 +18,12 @@ spec:
     spec:
       serviceAccountName: vela-controller
       initContainers:
-{{ include "vela.waitForPostgresInitContainer" (dict) | nindent 8 }}
+{{ include "vela.waitForPostgresInitContainer" (dict
+    "secretName" "vela-controller-secret"
+    "usernameKey" "controller-db-username"
+    "passwordKey" "controller-db-password"
+    "database" "controller"
+  ) | nindent 8 }}
       containers:
         - name: vela-controller-worker
           image: "{{ .Values.controller.image.repository }}:{{ .Values.controller.image.tag }}"
@@ -38,29 +43,29 @@ spec:
                 secretKeyRef:
                   name: vela-grafana-secret
                   key: VELA_GRAFANA_SECURITY_ADMIN_PASSWORD
-            - name: DB_USER
+            - name: CONTROLLER_DB_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: database
-                  key: superuser-username
-            - name: DB_PASSWORD
+                  name: vela-controller-secret
+                  key: controller-db-password
+            - name: CELERY_DB_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: database
-                  key: superuser-password
-            - name: DB_HOST
-              value: database
-            - name: VELA_BROKER_URL
-              value: 'sqla+postgresql+psycopg://$(DB_USER):$(DB_PASSWORD)@$(DB_HOST):5432/postgres'
-            - name: VELA_RESULT_BACKEND
-              value: 'db+postgresql+psycopg://$(DB_USER):$(DB_PASSWORD)@$(DB_HOST):5432/postgres'
+                  name: vela-controller-secret
+                  key: celery-db-password
             - name: VELA_DEPLOYMENT_PASSWORD_SECRET
               valueFrom:
                 secretKeyRef:
                   name: vela-controller-secret
                   key: deployment-password-secret
+            - name: DB_HOST
+              value: database
             - name: VELA_POSTGRES_URL
-              value: 'postgresql+asyncpg://$(DB_USER):$(DB_PASSWORD)@$(DB_HOST):5432/postgres'
+              value: 'postgresql+asyncpg://vela_controller:$(CONTROLLER_DB_PASSWORD)@$(DB_HOST):5432/controller'
+            - name: VELA_BROKER_URL
+              value: 'sqla+postgresql+psycopg://vela_celery:$(CELERY_DB_PASSWORD)@$(DB_HOST):5432/controller'
+            - name: VELA_RESULT_BACKEND
+              value: 'db+postgresql+psycopg://vela_celery:$(CELERY_DB_PASSWORD)@$(DB_HOST):5432/controller'
           {{- with .Values.containerSecurityContext }}
           securityContext:
             {{- toYaml . | nindent 12 }}
diff --git a/chart/templates/database.yaml b/chart/templates/database.yaml
@@ -46,3 +46,6 @@ spec:
   replication:
     mode: async
     role: ha-read
+  managedSql:
+    scripts:
+    - sgScript: controller-db-init
diff --git a/chart/templates/db-init-script-secret.yaml b/chart/templates/db-init-script-secret.yaml
@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: vela-db-init-sql
+  namespace: {{ .Release.Namespace }}
+stringData:
+  create-database.sql: |
+    CREATE DATABASE controller;
+
+  init.sql: |
+    DO $$
+    BEGIN
+      IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname = 'vela_controller') THEN
+        CREATE USER vela_controller WITH PASSWORD '{{ include "vela.dbPassword" (list "controller-db-password" .) }}';
+      ELSE
+        ALTER USER vela_controller WITH PASSWORD '{{ include "vela.dbPassword" (list "controller-db-password" .) }}';
+      END IF;
+      IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname = 'vela_celery') THEN
+        CREATE USER vela_celery WITH PASSWORD '{{ include "vela.dbPassword" (list "celery-db-password" .) }}';
+      ELSE
+        ALTER USER vela_celery WITH PASSWORD '{{ include "vela.dbPassword" (list "celery-db-password" .) }}';
+      END IF;
+    END $$;
+
+    GRANT ALL PRIVILEGES ON DATABASE controller TO vela_controller;
+    ALTER DATABASE controller OWNER TO vela_controller;
+    GRANT CONNECT ON DATABASE controller TO vela_celery;
+
+  init-controller-db.sql: |
+    CREATE SCHEMA IF NOT EXISTS celery AUTHORIZATION vela_celery;
+    ALTER ROLE vela_celery IN DATABASE controller SET search_path TO celery;
diff --git a/chart/templates/db-init-sgscript.yaml b/chart/templates/db-init-sgscript.yaml
@@ -0,0 +1,27 @@
+apiVersion: stackgres.io/v1
+kind: SGScript
+metadata:
+  name: controller-db-init
+  namespace: {{ .Release.Namespace }}
+spec:
+  continueOnError: true
+  scripts:
+  - id: 1
+    name: create-database
+    scriptFrom:
+      secretKeyRef:
+        name: vela-db-init-sql
+        key: create-database.sql
+  - id: 2
+    name: init-users-and-grants
+    scriptFrom:
+      secretKeyRef:
+        name: vela-db-init-sql
+        key: init.sql
+  - id: 3
+    name: init-controller-db-schemas
+    database: controller
+    scriptFrom:
+      secretKeyRef:
+        name: vela-db-init-sql
+        key: init-controller-db.sql
diff --git a/chart/templates/db-migration-job.yaml b/chart/templates/db-migration-job.yaml
@@ -0,0 +1,64 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: vela-db-migration
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    helm.sh/hook: pre-upgrade
+    helm.sh/hook-weight: "0"
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+spec:
+  template:
+    spec:
+      restartPolicy: Never
+      containers:
+        - name: db-migration
+          image: postgres:17-alpine
+          env:
+            - name: DB_HOST
+              value: database
+            - name: SUPERUSER
+              valueFrom:
+                secretKeyRef:
+                  name: database
+                  key: superuser-username
+            - name: PGPASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: database
+                  key: superuser-password
+          command: ["/bin/sh", "-c"]
+          args:
+            - |
+              until pg_isready -h "$DB_HOST" -U "$SUPERUSER"; do
+                echo "Waiting for database..."
+                sleep 2
+              done
+
+              # Create controller database if it doesn't exist yet.
+              # The SGScript normally handles this, but it runs asynchronously after
+              # the upgrade so the migration job must bootstrap the database itself.
+              psql -h "$DB_HOST" -U "$SUPERUSER" -d postgres \
+                -c "CREATE DATABASE controller" 2>/dev/null || true
+
+              if psql -h "$DB_HOST" -U "$SUPERUSER" -d controller \
+                   -c "SELECT 1 FROM alembic_version LIMIT 1" 2>/dev/null; then
+                echo "Migration already done, skipping."
+                exit 0
+              fi
+
+              if ! psql -h "$DB_HOST" -U "$SUPERUSER" -d postgres \
+                    -c "SELECT 1 FROM alembic_version LIMIT 1" 2>/dev/null; then
+                echo "No source data found, skipping migration."
+                exit 0
+              fi
+
+              echo "Migrating data from postgres to controller database..."
+              pg_dump -h "$DB_HOST" -U "$SUPERUSER" -d postgres \
+                --schema=public --no-owner --no-privileges \
+                --exclude-table=kombu_message \
+                --exclude-table=kombu_queue \
+                --exclude-table=celery_taskmeta \
+                --exclude-table=celery_tasksetmeta \
+              | psql -h "$DB_HOST" -U "$SUPERUSER" -d controller
+              echo "Migration complete."
diff --git a/containers/compose-dev.yml b/containers/compose-dev.yml
@@ -7,12 +7,12 @@ services:
       - ~/.kube/config:/home/vela/.kube/config:ro
       - ..:/app
     environment:
-      VELA_POSTGRES_URL: 'postgresql+asyncpg://postgres:vela@database:5432/vela'
+      VELA_POSTGRES_URL: 'postgresql+asyncpg://vela_controller:controller@database:5432/controller'
       VELA_JWT_SECRET: 'secret'
       VELA_CORS_ORIGINS: '["http://localhost:3000"]'
       VELA_ENABLE_DB_EXTERNAL_IPV6_LOADBALANCER: 'false'
-      VELA_BROKER_URL: 'sqla+postgresql+psycopg://postgres:vela@database:5432/vela'
-      VELA_RESULT_BACKEND: 'db+postgresql+psycopg://postgres:vela@database:5432/vela'
+      VELA_BROKER_URL: 'sqla+postgresql+psycopg://vela_celery:celery@database:5432/controller'
+      VELA_RESULT_BACKEND: 'db+postgresql+psycopg://vela_celery:celery@database:5432/controller'
     ports:
       - 8000:8000
     command: 'bash -c "python -m venv /tmp/venv && source /tmp/venv/bin/activate && pip install -e . && uvicorn --host 0.0.0.0 --reload simplyblock.vela.api:app"'
@@ -36,9 +36,9 @@ services:
       - ..:/app
     command: 'bash -c "python -m venv /tmp/venv && source /tmp/venv/bin/activate && pip install -e . && celery -A simplyblock.vela.worker worker --loglevel=info"'
     environment:
-      VELA_BROKER_URL: 'sqla+postgresql+psycopg://postgres:vela@database:5432/vela'
-      VELA_RESULT_BACKEND: 'db+postgresql+psycopg://postgres:vela@database:5432/vela'
-      VELA_POSTGRES_URL: 'postgresql+asyncpg://postgres:vela@database:5432/vela'
+      VELA_BROKER_URL: 'sqla+postgresql+psycopg://vela_celery:celery@database:5432/controller'
+      VELA_RESULT_BACKEND: 'db+postgresql+psycopg://vela_celery:celery@database:5432/controller'
+      VELA_POSTGRES_URL: 'postgresql+asyncpg://vela_controller:controller@database:5432/controller'
       VELA_JWT_SECRET: 'secret'
       VELA_ENABLE_DB_EXTERNAL_IPV6_LOADBALANCER: 'false'
     depends_on:
@@ -50,10 +50,12 @@ services:
   database:
     image: docker.io/postgres:17
     environment:
-      POSTGRES_PASSWORD: vela
-      POSTGRES_DB: vela
+      POSTGRES_PASSWORD: postgres
+      POSTGRES_DB: postgres
+    volumes:
+      - ./init.sql:/docker-entrypoint-initdb.d/90-init.sql:ro
     healthcheck:
-      test: ['CMD-SHELL', 'pg_isready -U postgres -d vela']
+      test: ['CMD-SHELL', 'pg_isready -U postgres -d postgres']
       timeout: 5s
       interval: 5s
       retries: 3
diff --git a/containers/compose.yml b/containers/compose.yml
diff --git a/containers/init.sql b/containers/init.sql
