chore: add postgres docker-compose setup (#2903)

Author: miparnisari

development/postgres/primary-init.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+set -e
+
+# Create replication user for replica
+psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
+    CREATE USER replicator WITH REPLICATION ENCRYPTED PASSWORD 'replicator';
+    SELECT pg_create_physical_replication_slot('replication_slot_1');
+EOSQL
+
+# Update pg_hba.conf to allow replication connections
+echo "host replication replicator 0.0.0.0/0 md5" >> "$PGDATA/pg_hba.conf"
+
+# Reload configuration
+psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" -c "SELECT pg_reload_conf();"
+
+echo "Primary PostgreSQL configured for replication"

development/postgres/replica-init.sh

@@ -0,0 +1,36 @@
+#!/bin/bash
+set -e
+
+PGDATA="/var/lib/postgresql/data"
+
+# Wait for primary to be ready
+until pg_isready -h postgres-primary -U spicedb 2>/dev/null; do
+  echo "Waiting for primary to be ready..."
+  sleep 2
+done
+
+# Only run base backup if data directory is empty
+if [ ! -s "$PGDATA/PG_VERSION" ]; then
+  echo "Setting up replica from primary..."
+
+  # Create base backup from primary
+  PGPASSWORD=replicator pg_basebackup \
+    -h postgres-primary \
+    -D "$PGDATA" \
+    -U replicator \
+    -v \
+    -P \
+    -X stream \
+    -R
+
+  # Set proper permissions
+  chmod 700 "$PGDATA"
+  chown -R postgres:postgres "$PGDATA"
+
+  echo "Replica setup complete"
+else
+  echo "Data directory already initialized, skipping base backup"
+fi
+
+# Start PostgreSQL as replica
+exec docker-entrypoint.sh postgres -c recovery_min_apply_delay=${REPLICA_APPLY_DELAY:-0}

docker-compose.postgres.yaml

@@ -0,0 +1,224 @@
+---
+# FOR DEVELOPMENT ONLY. Run with
+# docker-compose -f docker-compose.postgres.yaml up --build
+services:
+  postgres-primary:
+    image: "postgres:16"
+    container_name: "postgres-primary"
+    environment:
+      - "POSTGRES_USER=spicedb"
+      - "POSTGRES_PASSWORD=spicedb"
+      - "POSTGRES_DB=spicedb"
+      - "POSTGRES_HOST_AUTH_METHOD=md5"
+    ports:
+      - "5432"
+    volumes:
+      - "postgres-primary-data:/var/lib/postgresql/data"
+      - "./development/postgres/primary-init.sh:/docker-entrypoint-initdb.d/primary-init.sh"
+    command: >
+      postgres
+      -c wal_level=replica
+      -c max_wal_senders=10
+      -c max_replication_slots=10
+      -c hot_standby=on
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U spicedb"]
+      interval: "3s"
+      timeout: "3s"
+      retries: 5
+    restart: "unless-stopped"
+
+  postgres-replica:
+    image: "postgres:16"
+    container_name: "postgres-replica"
+    environment:
+      - "PGPASSWORD=replicator"
+      - "REPLICA_APPLY_DELAY=100ms"
+    ports:
+      - "5432"
+    volumes:
+      - "postgres-replica-data:/var/lib/postgresql/data"
+      - "./development/postgres/replica-init.sh:/replica-init.sh"
+    depends_on:
+      postgres-primary:
+        condition: "service_healthy"
+    entrypoint: ["/bin/bash", "/replica-init.sh"]
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U spicedb || exit 1"]
+      interval: "5s"
+      timeout: "3s"
+      retries: 10
+    restart: "unless-stopped"
+
+  migrate:
+    depends_on:
+      postgres-primary:
+        condition: "service_healthy"
+    build: "."
+    container_name: "migrate"
+    environment:
+      - "SPICEDB_DATASTORE_ENGINE=postgres"
+        # Run migrations on primary
+      - "SPICEDB_DATASTORE_CONN_URI=postgres://spicedb:spicedb@postgres-primary:5432/spicedb?sslmode=disable"
+    command: "datastore migrate head"
+    networks:
+      - "default"
+
+  nginx:
+    image: "nginx:latest"
+    ports:
+      - "50051:50051" # grpc
+      - "8443:8443" # http
+    volumes:
+      - "./development/nginx.conf:/etc/nginx/nginx.conf"
+    depends_on:
+      spicedb-1:
+        condition: "service_healthy"
+      spicedb-2:
+        condition: "service_healthy"
+
+  spicedb-1:
+    container_name: "spicedb-1"
+    build: "."
+    command: "serve"
+    restart: "no"
+    ports:
+      - "9090" # prometheus metrics
+      - "50051" # grpc endpoint
+      - "8443" # http endpoint
+      - "50053" # dispatch endpoint
+    environment:
+      - "SPICEDB_LOG_FORMAT=json"
+      - "SPICEDB_LOG_LEVEL=info"
+      - "SPICEDB_HTTP_ENABLED=true"
+      - "SPICEDB_GRPC_PRESHARED_KEY=foobar"
+      - "SPICEDB_DATASTORE_ENGINE=postgres"
+      - "SPICEDB_DATASTORE_CONN_URI=postgres://spicedb:spicedb@postgres-primary:5432/spicedb?sslmode=disable"
+      - "SPICEDB_DATASTORE_READ_REPLICA_CONN_URI=postgres://spicedb:spicedb@postgres-replica:5432/spicedb?sslmode=disable"
+      - "SPICEDB_DISPATCH_CLUSTER_ENABLED=true"
+      - "SPICEDB_DISPATCH_UPSTREAM_ADDR=spicedb-2:50053"
+      - "SPICEDB_OTEL_PROVIDER=otlpgrpc"
+      - "SPICEDB_OTEL_SAMPLE_RATIO=1"
+      - "SPICEDB_TELEMETRY_ENDPOINT="
+      - "SPICEDB_GRPC_LOG_REQUESTS_ENABLED=false"
+      - "SPICEDB_GRPC_LOG_RESPONSES_ENABLED=false"
+      - "SPICEDB_STREAMING_API_RESPONSE_DELAY_TIMEOUT=0s"
+      - "OTEL_EXPORTER_OTLP_ENDPOINT=http://otel-collector:4317"
+      - "SPICEDB_DATASTORE_FOLLOWER_READ_DELAY_DURATION=2000ms"
+    depends_on:
+      migrate:
+        condition: "service_completed_successfully"
+      postgres-replica:
+        condition: "service_healthy"
+      otel-collector:
+        condition: "service_started"
+    healthcheck:
+      test: ["CMD", "/bin/grpc_health_probe", "-addr=localhost:50051"]
+      interval: "5s"
+      timeout: "30s"
+      retries: 3
+
+  spicedb-2:
+    container_name: "spicedb-2"
+    build: "."
+    command: "serve"
+    restart: "no"
+    ports:
+      - "9090" # prometheus metrics
+      - "50051" # grpc endpoint
+      - "8443" # http endpoint
+      - "50053" # dispatch endpoint
+    environment:
+      - "SPICEDB_LOG_FORMAT=json"
+      - "SPICEDB_LOG_LEVEL=info"
+      - "SPICEDB_HTTP_ENABLED=true"
+      - "SPICEDB_GRPC_PRESHARED_KEY=foobar"
+      - "SPICEDB_DATASTORE_ENGINE=postgres"
+      - "SPICEDB_DATASTORE_CONN_URI=postgres://spicedb:spicedb@postgres-primary:5432/spicedb?sslmode=disable"
+      - "SPICEDB_DATASTORE_READ_REPLICA_CONN_URI=postgres://spicedb:spicedb@postgres-replica:5432/spicedb?sslmode=disable"
+      - "SPICEDB_DISPATCH_CLUSTER_ENABLED=true"
+      - "SPICEDB_DISPATCH_UPSTREAM_ADDR=spicedb-1:50053"
+      - "SPICEDB_OTEL_PROVIDER=otlpgrpc"
+      - "SPICEDB_OTEL_SAMPLE_RATIO=1"
+      - "SPICEDB_TELEMETRY_ENDPOINT="
+      - "SPICEDB_GRPC_LOG_REQUESTS_ENABLED=true"
+      - "SPICEDB_GRPC_LOG_RESPONSES_ENABLED=false"
+      - "SPICEDB_STREAMING_API_RESPONSE_DELAY_TIMEOUT=0s"
+      - "OTEL_EXPORTER_OTLP_ENDPOINT=http://otel-collector:4317"
+      - "SPICEDB_DATASTORE_FOLLOWER_READ_DELAY_DURATION=2000ms"
+    depends_on:
+      migrate:
+        condition: "service_completed_successfully"
+      postgres-replica:
+        condition: "service_healthy"
+      otel-collector:
+        condition: "service_started"
+    healthcheck:
+      test: ["CMD", "/bin/grpc_health_probe", "-addr=localhost:50051"]
+      interval: "5s"
+      timeout: "30s"
+      retries: 3
+
+  prometheus:
+    image: "prom/prometheus:v2.47.0"
+    command:
+      - "--config.file=/etc/prometheus/prometheus.yaml"
+      - "--storage.tsdb.path=/prometheus"
+    volumes:
+      - "./development/prometheus.yaml:/etc/prometheus/prometheus.yaml"
+    ports:
+      - "9091:9090" # Prometheus UI
+    restart: "unless-stopped"
+
+  otel-collector:
+    image: "otel/opentelemetry-collector:0.60.0"
+    command: "--config /etc/otel-config.yaml"
+    volumes:
+      - "./development/otel-config.yaml:/etc/otel-config.yaml"
+    ports:
+      - "4317:4317" # OTLP gRPC
+      - "8888" # Prometheus metrics for collector
+    depends_on:
+      - "tempo"
+    restart: "unless-stopped"
+
+  loki:
+    image: "grafana/loki:2.9.0"
+    command: "-config.file=/etc/loki/loki.yaml"
+    volumes:
+      - "./development/loki.yaml:/etc/loki/loki.yaml"
+    ports:
+      - "3100" # Loki API
+    restart: "unless-stopped"
+
+  tempo:
+    image: "grafana/tempo:1.5.0"
+    command: "-search.enabled=true -config.file=/etc/tempo.yaml"
+    volumes:
+      - "./development/tempo.yaml:/etc/tempo.yaml"
+    restart: "unless-stopped"
+    ports:
+      - "4317" # OTLP gRPC
+      - "3100" # tempo
+
+  grafana:
+    image: "grafana/grafana:9.1.5-ubuntu"
+    volumes:
+      - "./development/grafana/provisioning/datasources:/etc/grafana/provisioning/datasources"
+      - "./development/grafana/provisioning/dashboards:/etc/grafana/provisioning/dashboards"
+      - "./development/grafana/dashboards:/etc/grafana/dashboards"
+    environment:
+      - "GF_AUTH_ANONYMOUS_ENABLED=true"
+      - "GF_AUTH_ANONYMOUS_ORG_ROLE=Admin"
+      - "GF_AUTH_DISABLE_LOGIN_FORM=true"
+    ports:
+      - "3000:3000" # UI
+    depends_on:
+      - "tempo"
+      - "prometheus"
+      - "loki"
+    restart: "unless-stopped"
+
+volumes:
+  postgres-primary-data:
+  postgres-replica-data:

docker-compose.spanner.yaml

@@ -44,8 +44,10 @@ services:
     volumes:
       - "./development/nginx.conf:/etc/nginx/nginx.conf"
     depends_on:
-      - "spicedb-1"
-      - "spicedb-2"
+      spicedb-1:
+        condition: "service_healthy"
+      spicedb-2:
+        condition: "service_healthy"
   spicedb-1:
     container_name: "spicedb-1"
     build: "."
@@ -79,7 +81,7 @@ services:
       otel-collector:
         condition: "service_started"
     healthcheck:
-      test: ["CMD", "/bin/grpc_health_probe", "-addr=spicedb:50051"]
+      test: ["CMD", "/bin/grpc_health_probe", "-addr=localhost:50051"]
       interval: "5s"
       timeout: "30s"
       retries: 3
@@ -96,7 +98,7 @@ services:
     environment:
       - "SPICEDB_LOG_FORMAT=json"
       - "SPICEDB_LOG_LEVEL=info"
-      - "SPICEDB_HTTP_ENABLED=false"
+      - "SPICEDB_HTTP_ENABLED=true"
       - "SPICEDB_GRPC_PRESHARED_KEY=foobar"
       - "SPICEDB_DATASTORE_ENGINE=spanner"
       - "SPICEDB_DATASTORE_CONN_URI=projects/test-project/instances/test-instance/databases/test-database"
@@ -115,6 +117,11 @@ services:
         condition: "service_completed_successfully"
       otel-collector:
         condition: "service_started"
+    healthcheck:
+      test: ["CMD", "/bin/grpc_health_probe", "-addr=localhost:50051"]
+      interval: "5s"
+      timeout: "30s"
+      retries: 3
   prometheus:
     image: "prom/prometheus:v2.47.0"
     command:

docker-compose.yaml

@@ -41,8 +41,10 @@ services:
     volumes:
       - "./development/nginx.conf:/etc/nginx/nginx.conf"
     depends_on:
-      - "spicedb-1"
-      - "spicedb-2"
+      spicedb-1:
+        condition: "service_healthy"
+      spicedb-2:
+        condition: "service_healthy"
   spicedb-1:
     container_name: "spicedb-1"
     build: "."
@@ -75,7 +77,7 @@ services:
       otel-collector:
         condition: "service_started"
     healthcheck:
-      test: ["CMD", "/bin/grpc_health_probe", "-addr=spicedb:50051"]
+      test: ["CMD", "/bin/grpc_health_probe", "-addr=localhost:50051"]
       interval: "5s"
       timeout: "30s"
       retries: 3
@@ -92,7 +94,7 @@ services:
     environment:
       - "SPICEDB_LOG_FORMAT=json"
       - "SPICEDB_LOG_LEVEL=info"
-      - "SPICEDB_HTTP_ENABLED=false"
+      - "SPICEDB_HTTP_ENABLED=true"
       - "SPICEDB_GRPC_PRESHARED_KEY=foobar"
       - "SPICEDB_DATASTORE_ENGINE=cockroachdb"
       - "SPICEDB_DATASTORE_CONN_URI=postgresql://root@crdb:26257/defaultdb?sslmode=disable"
@@ -110,6 +112,11 @@ services:
         condition: "service_completed_successfully"
       otel-collector:
         condition: "service_started"
+    healthcheck:
+      test: ["CMD", "/bin/grpc_health_probe", "-addr=localhost:50051"]
+      interval: "5s"
+      timeout: "30s"
+      retries: 3
   prometheus:
     image: "prom/prometheus:v2.47.0"
     command: