Refactor PostgreSQL configuration and remove deprecated database setup

- Introduced a unified PostgreSQL configuration structure in values.yaml, replacing the old db configuration.
- Added new helper functions for managing PostgreSQL environment variables and secrets based on the selected configuration type (postgrescluster, external-plaintext, external-secret).
- Removed old database-related templates (ConfigMap, Deployment, PVC, Secrets, Service) that are no longer needed.
- Updated the pgstacbootstrap job and configmap templates to align with the new PostgreSQL configuration.
- Implemented validation for PostgreSQL settings to ensure required fields are set based on the selected type.

Author: emmanuelmathot

helm-chart/eoapi/templates/_helpers.tpl

@@ -62,63 +62,82 @@ Create the name of the service account to use
 {{- end }}
 
 {{/*
-Secrets for postgres/postgis access have to be
-derived from what the crunchydata operator creates
+PostgreSQL environment variables based on the configured type
+*/}}
+{{- define "eoapi.postgresqlEnv" -}}
+{{- if eq .Values.postgresql.type "postgrescluster" }}
+  {{- include "eoapi.postgresclusterSecrets" . }}
+{{- else if eq .Values.postgresql.type "external-plaintext" }}
+  {{- include "eoapi.externalPlaintextPgSecrets" . }}
+{{- else if eq .Values.postgresql.type "external-secret" }}
+  {{- include "eoapi.externalSecretPgSecrets" . }}
+{{- end }}
+{{- end }}
 
-Also note that we want to use the pgbouncer-<port|host|uri>
-but currently it doesn't support `search_path` parameters
-(https://github.com/pgbouncer/pgbouncer/pull/73) which
-are required for much of *pgstac
+{{/*
+PostgreSQL cluster secrets
 */}}
-{{- define "eoapi.pgstacSecrets"  -}}
+{{- define "eoapi.postgresclusterSecrets" -}}
 {{- range $userName, $v := .Values.postgrescluster.users -}}
 {{/* do not render anything for the "postgres" user */}}
 {{- if not (eq (index $v "name") "postgres") }}
-- name: POSTGRES_USER
+# Standard PostgreSQL environment variables
+- name: PGUSER
   valueFrom:
     secretKeyRef:
       name: {{ $.Release.Name }}-pguser-{{ index $v "name" }}
       key: user
-- name: POSTGRES_PORT
+- name: PGPORT
   valueFrom:
     secretKeyRef:
       name: {{ $.Release.Name }}-pguser-{{ index $v "name" }}
       key: port
-- name: POSTGRES_HOST
+- name: PGHOST
   valueFrom:
     secretKeyRef:
       name: {{ $.Release.Name }}-pguser-{{ index $v "name" }}
       key: host
-- name: POSTGRES_HOST_READER
+- name: PGPASSWORD
   valueFrom:
     secretKeyRef:
       name: {{ $.Release.Name }}-pguser-{{ index $v "name" }}
-      key: host
-- name: POSTGRES_HOST_WRITER
+      key: password
+- name: PGDATABASE
   valueFrom:
     secretKeyRef:
       name: {{ $.Release.Name }}-pguser-{{ index $v "name" }}
-      key: host
-- name: POSTGRES_PASS
+      key: dbname
+- name: PGBOUNCER_URI
   valueFrom:
     secretKeyRef:
       name: {{ $.Release.Name }}-pguser-{{ index $v "name" }}
-      key: password
-- name: POSTGRES_DBNAME
+      key: pgbouncer-uri
+# Legacy variables for backward compatibility
+- name: POSTGRES_USER
   valueFrom:
     secretKeyRef:
       name: {{ $.Release.Name }}-pguser-{{ index $v "name" }}
-      key: dbname
-- name: PGBOUNCER_URI
+      key: user
+- name: POSTGRES_PORT
   valueFrom:
     secretKeyRef:
       name: {{ $.Release.Name }}-pguser-{{ index $v "name" }}
-      key: pgbouncer-uri
-- name: DATABASE_URL
+      key: port
+- name: POSTGRES_HOST
   valueFrom:
     secretKeyRef:
       name: {{ $.Release.Name }}-pguser-{{ index $v "name" }}
-      key: uri
+      key: host
+- name: POSTGRES_PASS
+  valueFrom:
+    secretKeyRef:
+      name: {{ $.Release.Name }}-pguser-{{ index $v "name" }}
+      key: password
+- name: POSTGRES_DBNAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ $.Release.Name }}-pguser-{{ index $v "name" }}
+      key: dbname
 {{- end }}
 {{- end }}
 - name: PGADMIN_URI
@@ -128,6 +147,180 @@ are required for much of *pgstac
       key: uri
 {{- end }}
 
+{{/*
+External PostgreSQL with plaintext credentials
+*/}}
+{{- define "eoapi.externalPlaintextPgSecrets" -}}
+# Standard PostgreSQL environment variables
+- name: PGUSER
+  value: {{ .Values.postgresql.external.credentials.username | quote }}
+- name: PGPORT
+  value: {{ .Values.postgresql.external.port | quote }}
+- name: PGHOST
+  value: {{ .Values.postgresql.external.host | quote }}
+- name: PGPASSWORD
+  value: {{ .Values.postgresql.external.credentials.password | quote }}
+- name: PGDATABASE
+  value: {{ .Values.postgresql.external.database | quote }}
+# Legacy variables for backward compatibility
+- name: POSTGRES_USER
+  value: {{ .Values.postgresql.external.credentials.username | quote }}
+- name: POSTGRES_PORT
+  value: {{ .Values.postgresql.external.port | quote }}
+- name: POSTGRES_HOST
+  value: {{ .Values.postgresql.external.host | quote }}
+- name: POSTGRES_PASS
+  value: {{ .Values.postgresql.external.credentials.password | quote }}
+- name: POSTGRES_DBNAME
+  value: {{ .Values.postgresql.external.database | quote }}
+{{- end }}
+
+{{/*
+External PostgreSQL with secret credentials
+*/}}
+{{- define "eoapi.externalSecretPgSecrets" -}}
+# Standard PostgreSQL environment variables
+- name: PGUSER
+  valueFrom:
+    secretKeyRef:
+      name: {{ .Values.postgresql.external.existingSecret.name }}
+      key: {{ .Values.postgresql.external.existingSecret.keys.username }}
+- name: PGPASSWORD
+  valueFrom:
+    secretKeyRef:
+      name: {{ .Values.postgresql.external.existingSecret.name }}
+      key: {{ .Values.postgresql.external.existingSecret.keys.password }}
+# Legacy variables for backward compatibility
+- name: POSTGRES_USER
+  valueFrom:
+    secretKeyRef:
+      name: {{ .Values.postgresql.external.existingSecret.name }}
+      key: {{ .Values.postgresql.external.existingSecret.keys.username }}
+- name: POSTGRES_PASS
+  valueFrom:
+    secretKeyRef:
+      name: {{ .Values.postgresql.external.existingSecret.name }}
+      key: {{ .Values.postgresql.external.existingSecret.keys.password }}
+
+# Host, port, and database can be from the secret or from values
+{{- if .Values.postgresql.external.existingSecret.keys.host }}
+- name: PGHOST
+  valueFrom:
+    secretKeyRef:
+      name: {{ .Values.postgresql.external.existingSecret.name }}
+      key: {{ .Values.postgresql.external.existingSecret.keys.host }}
+- name: POSTGRES_HOST
+  valueFrom:
+    secretKeyRef:
+      name: {{ .Values.postgresql.external.existingSecret.name }}
+      key: {{ .Values.postgresql.external.existingSecret.keys.host }}
+{{- else }}
+- name: PGHOST
+  value: {{ .Values.postgresql.external.host | quote }}
+- name: POSTGRES_HOST
+  value: {{ .Values.postgresql.external.host | quote }}
+{{- end }}
+
+{{- if .Values.postgresql.external.existingSecret.keys.port }}
+- name: PGPORT
+  valueFrom:
+    secretKeyRef:
+      name: {{ .Values.postgresql.external.existingSecret.name }}
+      key: {{ .Values.postgresql.external.existingSecret.keys.port }}
+- name: POSTGRES_PORT
+  valueFrom:
+    secretKeyRef:
+      name: {{ .Values.postgresql.external.existingSecret.name }}
+      key: {{ .Values.postgresql.external.existingSecret.keys.port }}
+{{- else }}
+- name: PGPORT
+  value: {{ .Values.postgresql.external.port | quote }}
+- name: POSTGRES_PORT
+  value: {{ .Values.postgresql.external.port | quote }}
+{{- end }}
+
+{{- if .Values.postgresql.external.existingSecret.keys.database }}
+- name: PGDATABASE
+  valueFrom:
+    secretKeyRef:
+      name: {{ .Values.postgresql.external.existingSecret.name }}
+      key: {{ .Values.postgresql.external.existingSecret.keys.database }}
+- name: POSTGRES_DBNAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ .Values.postgresql.external.existingSecret.name }}
+      key: {{ .Values.postgresql.external.existingSecret.keys.database }}
+{{- else }}
+- name: PGDATABASE
+  value: {{ .Values.postgresql.external.database | quote }}
+- name: POSTGRES_DBNAME
+  value: {{ .Values.postgresql.external.database | quote }}
+{{- end }}
+{{- end }}
+
+{{/*
+Validate PostgreSQL configuration
+*/}}
+{{- define "eoapi.validatePostgresql" -}}
+{{- if eq .Values.postgresql.type "postgrescluster" }}
+  {{- if not .Values.postgrescluster.enabled }}
+    {{- fail "When postgresql.type is 'postgrescluster', postgrescluster.enabled must be true" }}
+  {{- end }}
+  {{- include "eoapi.validatePostgresCluster" . }}
+{{- else if eq .Values.postgresql.type "external-plaintext" }}
+  {{- if not .Values.postgresql.external.host }}
+    {{- fail "When postgresql.type is 'external-plaintext', postgresql.external.host must be set" }}
+  {{- end }}
+  {{- if not .Values.postgresql.external.credentials.username }}
+    {{- fail "When postgresql.type is 'external-plaintext', postgresql.external.credentials.username must be set" }}
+  {{- end }}
+  {{- if not .Values.postgresql.external.credentials.password }}
+    {{- fail "When postgresql.type is 'external-plaintext', postgresql.external.credentials.password must be set" }}
+  {{- end }}
+{{- else if eq .Values.postgresql.type "external-secret" }}
+  {{- if not .Values.postgresql.external.existingSecret.name }}
+    {{- fail "When postgresql.type is 'external-secret', postgresql.external.existingSecret.name must be set" }}
+  {{- end }}
+  {{- if not .Values.postgresql.external.existingSecret.keys.username }}
+    {{- fail "When postgresql.type is 'external-secret', postgresql.external.existingSecret.keys.username must be set" }}
+  {{- end }}
+  {{- if not .Values.postgresql.external.existingSecret.keys.password }}
+    {{- fail "When postgresql.type is 'external-secret', postgresql.external.existingSecret.keys.password must be set" }}
+  {{- end }}
+  {{- if not .Values.postgresql.external.existingSecret.keys.host }}
+    {{- if not .Values.postgresql.external.host }}
+      {{- fail "When postgresql.type is 'external-secret' and existingSecret.keys.host is not set, postgresql.external.host must be set" }}
+    {{- end }}
+  {{- end }}
+{{- else }}
+  {{- fail "postgresql.type must be one of: 'postgrescluster', 'external-plaintext', 'external-secret'" }}
+{{- end }}
+{{- end }}
+
+{{/*
+Map legacy configuration to new postgresql configuration
+*/}}
+{{- define "eoapi.mapLegacyPostgresql" -}}
+{{- $postgresql := dict }}
+{{- if .Values.postgrescluster.enabled }}
+  {{- $_ := set $postgresql "type" "postgrescluster" }}
+{{- else if .Values.db.enabled }}
+  {{- $_ := set $postgresql "type" "external-plaintext" }}
+  {{- $external := dict }}
+  {{- $_ := set $external "host" .Values.db.settings.secrets.POSTGRES_HOST }}
+  {{- $_ := set $external "port" .Values.db.settings.secrets.POSTGRES_PORT }}
+  {{- $_ := set $external "database" .Values.db.settings.secrets.POSTGRES_DB }}
+  {{- $credentials := dict }}
+  {{- $_ := set $credentials "username" .Values.db.settings.secrets.POSTGRES_USER }}
+  {{- $_ := set $credentials "password" .Values.db.settings.secrets.POSTGRES_PASSWORD }}
+  {{- $_ := set $external "credentials" $credentials }}
+  {{- $_ := set $postgresql "external" $external }}
+{{- else }}
+  {{- $_ := set $postgresql "type" "postgrescluster" }}
+{{- end }}
+{{- $postgresql | toYaml }}
+{{- end }}
+
 {{/*
 values.schema.json doesn't play nice combined value checks
 so we use this helper function to check autoscaling rules
@@ -192,17 +385,3 @@ that you can only use traefik as ingress when `testing=true`
 {{- end -}}
 
 {{- end -}}
-
-{{/*
-validate:
-that you cannot have db.enabled and (postgrescluster.enabled or pgstacBootstrap.enabled)
-*/}}
-{{- define "eoapi.validateTempDB" -}}
-{{- if and (.Values.db.enabled) (.Values.postgrescluster.enabled) -}}
-  {{- fail "you cannot use have both db.enabled and postgresclsuter.enabled" -}}
-{{- end -}}
-{{- if and (.Values.db.enabled) (.Values.pgstacBootstrap.enabled) -}}
-  {{- fail "you cannot use have both db.enabled and pgstacBootstrap.enabled" -}}
-{{- end -}}
-
-{{- end -}}