Elevate eoapi db user permissions and rely on pgstac for db migrations.

pantierra · pantierra · commit 174ae8335754 · 2025-06-27T17:28:22.000+02:00
diff --git a/helm-chart/eoapi/templates/pgstacbootstrap/eoapiuser-permissions-upgrade.yaml b/helm-chart/eoapi/templates/pgstacbootstrap/eoapiuser-permissions-upgrade.yaml
@@ -1,18 +1,15 @@
 {{- if and .Values.postgrescluster.enabled .Values.pgstacBootstrap.enabled }}
 ---
-# This job is part of the upgrade process from pre-0.7.0 versions.
-# Prior to 0.7.0, database schema updates were run with superuser privileges.
-# This job ensures proper permissions are granted to the eoapi user during upgrade.
-# TODO: Remove with the next mayor verson and add to documentation that one needs to
-# through 0.7.x when upgrading.
+# The eoapi database user runs pgstac migrate and needs some elevated object
+# level permissions without being a superuser.
 apiVersion: batch/v1
 kind: Job
 metadata:
   name: pgstac-eoapiuser-permissions-upgrade
   labels:
     app: pgstac-eoapiuser-permissions-upgrade
   annotations:
-    helm.sh/hook: "post-upgrade"
+    helm.sh/hook: "post-install,post-upgrade"
     helm.sh/hook-weight: "-7"
     helm.sh/hook-delete-policy: "before-hook-creation"
 spec:
@@ -33,11 +30,10 @@ spec:
               # Exit immediately if a command exits with a non-zero status
               set -e
 
-              # Run permission setup with superuser
-              echo "Applying superuser permissions for upgrade from version {{ .Values.previousVersion }}..."
+              # Run initial setup with superuser
+              # - https://stac-utils.github.io/pgstac/pypgstac/#option-2-create-user-with-initial-grants
               PGUSER=postgres psql -f /opt/sql/initdb.sql
 
-              echo "Permissions upgrade complete"
           resources:
             {{- toYaml .Values.pgstacBootstrap.settings.resources | nindent 12 }}
           volumeMounts:
@@ -49,6 +45,11 @@ spec:
                 secretKeyRef:
                   name: {{ $.Values.postgrescluster.name | default $.Release.Name }}-pguser-postgres
                   key: user
+            - name: EOAPI_USER
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $.Values.postgrescluster.name | default $.Release.Name }}-pguser-eoapi
+                  key: user
             - name: PGPORT
               valueFrom:
                 secretKeyRef:
diff --git a/helm-chart/eoapi/values.yaml b/helm-chart/eoapi/values.yaml
@@ -69,19 +69,19 @@ comment_db: >
 postgresql:
   # Management type: "postgrescluster" (default), "external-plaintext", or "external-secret"
   type: "postgrescluster"
-  
+
   # Configuration for external PostgreSQL (used when type is "external-plaintext" or "external-secret")
   external:
     # Connection information
     host: ""
     port: "5432"
     database: "eoapi"
-    
+
     # Credentials configuration (used when type is "external-plaintext")
     credentials:
       username: ""
       password: ""
-    
+
     # Secret reference (used when type is "external-secret")
     existingSecret:
       name: ""
