chore: better database migrations - managed by supabase (#570)

* chore: move api migrations into dedicated container for k8s job
* chore: move ui migrations into dedicated container for k8s job
* chore: add migration containers to the release workflow

.github/workflows/release.yaml

@@ -49,6 +49,7 @@ jobs:
       - name: Build and Publish API
         run: |
           docker buildx build --platform amd64,arm64 -t ghcr.io/defenseunicorns/leapfrogai/leapfrogai-api:${{ steps.get_version.outputs.version-without-v }} --push packages/api
+          docker buildx build --platform amd64,arm64 -t ghcr.io/defenseunicorns/leapfrogai/api-migrations:${{ steps.get_version.outputs.version-without-v }} --push packages/api/supabase
 
           zarf package create packages/api --set=LEAPFROGAI_IMAGE_VERSION=${{ steps.get_version.outputs.version-without-v }} --architecture amd64 --confirm
           zarf package create packages/api --set=LEAPFROGAI_IMAGE_VERSION=${{ steps.get_version.outputs.version-without-v }} --architecture arm64 --confirm
@@ -62,6 +63,7 @@ jobs:
       - name: Build and Publish UI
         run: |
           docker buildx build --platform amd64,arm64 -t ghcr.io/defenseunicorns/leapfrogai/leapfrogai-ui:${{ steps.get_version.outputs.version-without-v }} --push src/leapfrogai_ui
+          docker buildx build --platform amd64,arm64 -t ghcr.io/defenseunicorns/leapfrogai/ui-migrations:${{ steps.get_version.outputs.version-without-v }} --push src/leapfrogai_ui/supabase
 
           zarf package create packages/ui --set=IMAGE_VERSION=${{ steps.get_version.outputs.version-without-v }} --architecture amd64 --confirm
           zarf package create packages/ui --set=IMAGE_VERSION=${{ steps.get_version.outputs.version-without-v }} --architecture arm64 --confirm

Makefile

@@ -46,24 +46,34 @@ setup-api-deps: sdk-wheel ## Download the wheels for the leapfrogai_api dependen
 	python -m pip wheel src/leapfrogai_api -w packages/api/build --find-links=${SDK_DEST}
 
 build-api: local-registry setup-api-deps ## Build the leapfrogai_api container and Zarf package
-	## Build the image (and tag it for the local registry)
+	## Build the API image (and tag it for the local registry)
 	docker build -t ghcr.io/defenseunicorns/leapfrogai/leapfrogai-api:${LOCAL_VERSION} packages/api
 	docker tag ghcr.io/defenseunicorns/leapfrogai/leapfrogai-api:${LOCAL_VERSION} localhost:5000/defenseunicorns/leapfrogai/leapfrogai-api:${LOCAL_VERSION}
 
-	## Push the image to the local registry (Zarf is super slow if the image is only in the local daemon)
+	## Build the migration container for this version of the API
+	docker build -t ghcr.io/defenseunicorns/leapfrogai/api-migrations:${LOCAL_VERSION} packages/api/supabase
+	docker tag ghcr.io/defenseunicorns/leapfrogai/api-migrations:${LOCAL_VERSION} localhost:5000/defenseunicorns/leapfrogai/api-migrations:${LOCAL_VERSION}
+
+	## Push the images to the local registry (Zarf is super slow if the image is only in the local daemon)
 	docker push localhost:5000/defenseunicorns/leapfrogai/leapfrogai-api:${LOCAL_VERSION}
+	docker push localhost:5000/defenseunicorns/leapfrogai/api-migrations:${LOCAL_VERSION}
 
 	## Build the Zarf package
 	uds zarf package create packages/api -o packages/api --registry-override=ghcr.io=localhost:5000 --insecure --set LEAPFROGAI_IMAGE_VERSION=${LOCAL_VERSION} --confirm
 
 
 build-ui: local-registry ## Build the leapfrogai_ui container and Zarf package
-	## Build the image (and tag it for the local registry)
+	## Build the UI image (and tag it for the local registry)
 	docker build -t ghcr.io/defenseunicorns/leapfrogai/leapfrogai-ui:${LOCAL_VERSION} src/leapfrogai_ui
 	docker tag ghcr.io/defenseunicorns/leapfrogai/leapfrogai-ui:${LOCAL_VERSION} localhost:5000/defenseunicorns/leapfrogai/leapfrogai-ui:${LOCAL_VERSION}
 
+	## Build the migration container for the version of the UI
+	docker build -t ghcr.io/defenseunicorns/leapfrogai/ui-migrations:${LOCAL_VERSION} src/leapfrogai_ui/supabase
+	docker tag ghcr.io/defenseunicorns/leapfrogai/ui-migrations:${LOCAL_VERSION} localhost:5000/defenseunicorns/leapfrogai/ui-migrations:${LOCAL_VERSION}
+
 	## Push the image to the local registry (Zarf is super slow if the image is only in the local daemon)
 	docker push localhost:5000/defenseunicorns/leapfrogai/leapfrogai-ui:${LOCAL_VERSION}
+	docker push localhost:5000/defenseunicorns/leapfrogai/ui-migrations:${LOCAL_VERSION}
 
 	## Build the Zarf package
 	uds zarf package create packages/ui -o packages/ui --registry-override=ghcr.io=localhost:5000 --insecure --set IMAGE_VERSION=${LOCAL_VERSION} --confirm
@@ -149,8 +159,8 @@ build-repeater: local-registry setup-repeater-deps ## Build the repeater contain
 	## Build the Zarf package
 	uds zarf package create packages/repeater -o packages/repeater --registry-override=ghcr.io=localhost:5000 --insecure --set IMAGE_VERSION=${LOCAL_VERSION} --confirm
 
-build-cpu: build-api build-llama-cpp-python build-text-embeddings build-whisper ## Build all zarf packages for a cpu-enabled deployment of LFAI
+build-cpu: build-supabase build-api build-ui build-llama-cpp-python build-text-embeddings build-whisper ## Build all zarf packages for a cpu-enabled deployment of LFAI
 
-build-gpu: build-api build-vllm build-text-embeddings build-whisper ## Build all zarf packages for a gpu-enabled deployment of LFAI
+build-gpu: build-supabase build-api build-ui build-vllm build-text-embeddings build-whisper ## Build all zarf packages for a gpu-enabled deployment of LFAI
 
-build-all: build-api build-llama-cpp-python build-vllm build-text-embeddings build-whisper build-repeater ## Build all of the LFAI packages
+build-all: build-cpu build-gpu ## Build all of the LFAI packages

packages/api/chart/templates/migration-job.yaml

@@ -0,0 +1,32 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: api-migrations-{{ .Values.image.lfaiAPITag }}
+spec:
+  template:
+    spec:
+      containers:
+      - name: supabase-cli
+        image: "ghcr.io/defenseunicorns/leapfrogai/api-migrations:{{ .Values.image.lfaiAPITag }}"
+        env:
+            - name: POSTGRES_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: supabase-postgresql
+                  key: postgres-password
+            - name: MIGRATION_NAMESPACE
+              value: "{{ .Values.api.migration.namespace }}"
+            - name: MIGRATION_SERVICE_NAME
+              value: "{{ .Values.api.migration.serviceName }}"
+            - name: MIGRATION_SERVICE_PORT
+              value: "{{ .Values.api.migration.servicePort }}"
+
+        # NOTE: This command is assuming the default username.
+        command: ["/bin/sh"]
+        args:
+          - -c
+          - >-
+            supabase migration fetch --db-url="postgresql://postgres:$POSTGRES_PASSWORD@$MIGRATION_SERVICE_NAME.$MIGRATION_NAMESPACE.svc.cluster.local:$MIGRATION_SERVICE_PORT" --debug || true &&
+            supabase db push --db-url="postgresql://postgres:$POSTGRES_PASSWORD@$MIGRATION_SERVICE_NAME.$MIGRATION_NAMESPACE.svc.cluster.local:$MIGRATION_SERVICE_PORT" --debug
+      restartPolicy: Never
+  backoffLimit: 4

packages/api/chart/values.yaml

@@ -13,5 +13,10 @@ api:
   exposeOpenAPISchema: false
   defaultEmbeddingsModel: "###ZARF_VAR_DEFAULT_EMBEDDINGS_MODEL###"
 
+  migration:
+    namespace: "leapfrogai"
+    serviceName: "supabase-postgresql"
+    servicePort: "5432"
+
 package:
   host: leapfrogai-api

packages/api/supabase/Dockerfile

@@ -0,0 +1,16 @@
+FROM --platform=$TARGETPLATFORM cgr.dev/chainguard/bash:latest
+ARG TARGETPLATFORM
+ARG version="1.169.8"
+
+# Download the supabase cli
+RUN mkdir -p /usr/local/bin
+RUN ARCH=$(echo $TARGETPLATFORM | cut -d '/' -f2) \
+    && curl -LO https://github.com/supabase/cli/releases/download/v${version}/supabase_linux_${ARCH}.tar.gz \
+    && tar -xzf supabase_linux_${ARCH}.tar.gz -C /usr/local/bin/ \
+    && rm supabase_linux_${ARCH}.tar.gz
+
+# 65532 is the UID of the `nonroot` user in chainguard/static.  See: https://edu.chainguard.dev/chainguard/chainguard-images/reference/static/overview/#users
+USER 65532:65532
+
+# Download the migration scripts
+COPY --chown=65532:65532 migrations/*.sql supabase/migrations/

packages/api/zarf.yaml

@@ -37,4 +37,14 @@ components:
         - "lfai-values.yaml"
     images:
       - "ghcr.io/defenseunicorns/leapfrogai/leapfrogai-api:###ZARF_PKG_TMPL_LEAPFROGAI_IMAGE_VERSION###"
+      - "ghcr.io/defenseunicorns/leapfrogai/api-migrations:###ZARF_PKG_TMPL_LEAPFROGAI_IMAGE_VERSION###"
       - "kiwigrid/k8s-sidecar:1.23.3"
+    actions:
+      onDeploy:
+        after:
+          - wait:
+              cluster:
+                kind: Job
+                name: api-migrations-###ZARF_PKG_TMPL_IMAGE_VERSION###
+                namespace: leapfrogai
+                condition: complete

packages/supabase/bitnami-values.yaml

@@ -187,17 +187,6 @@ postgresql:
     resourcesPreset: "none"
     podLabels:
       sidecar.istio.io/inject: "false"
-    initdb:
-      scripts:
-        0000000000000000_migrate.sh: |
-          ###ZARF_VAR_MIGRATION_SCRIPT###
-
-        20240322174520_api_sql_schema.sql: |
-          ###ZARF_VAR_API_SQL_SCHEMA###
-
-        20240322174521_ui_sql_schema.sql: |
-          ###ZARF_VAR_UI_SQL_SCHEMA###
-
 
   commonAnnotations:
     helm.sh/resource-policy: keep

packages/supabase/zarf.yaml

@@ -17,19 +17,6 @@ constants:
 variables:
   - name: HOSTED_DOMAIN
     default: "uds.dev"
-  - name: UI_SQL_SCHEMA
-    type: file
-    default: "migrations/20240322174521_ui_sql_schema.sql"
-    autoIndent: true
-  - name: API_SQL_SCHEMA
-    type: file
-    default: "migrations/20240322174520_api_sql_schema.sql"
-    autoIndent: true
-  - name: MIGRATION_SCRIPT
-    type: file
-    default: "migrations/migrate.sh"
-    autoIndent: true
-
   - name: ENABLE_AUTH
     description: 'Enable Supabases built-in authentication and authorization parts'
     default: "true"
@@ -104,13 +91,6 @@ components:
       - docker.io/bitnami/supabase-storage:0.48.4-debian-12-r0
       - docker.io/bitnami/supabase-studio:0.24.3-debian-12-r0
       - docker.io/bitnami/kong:3.6.1-debian-12-r13
-    files:
-      - source: migrations/migrate.sh
-        target: migrations/migrate.sh
-      - source: migrations/20240322174521_ui_sql_schema.sql
-        target: migrations/20240322174521_ui_sql_schema.sql
-      - source: migrations/20240322174520_api_sql_schema.sql
-        target: migrations/20240322174520_api_sql_schema.sql
   - name: supabase-post-process
     description: "Perform necessary post processing here"
     required: true

packages/ui/chart/templates/ui/migration-job.yaml

@@ -0,0 +1,32 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: ui-migrations-{{ .Values.image.tag }}
+spec:
+  template:
+    spec:
+      containers:
+      - name: supabase-cli
+        image: "ghcr.io/defenseunicorns/leapfrogai/ui-migrations:{{ .Values.image.tag }}"
+        env:
+            - name: POSTGRES_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: supabase-postgresql
+                  key: postgres-password
+            - name: MIGRATION_NAMESPACE
+              value: "{{ .Values.migration.namespace }}"
+            - name: MIGRATION_SERVICE_NAME
+              value: "{{ .Values.migration.serviceName }}"
+            - name: MIGRATION_SERVICE_PORT
+              value: "{{ .Values.migration.servicePort }}"
+
+        # NOTE: This command is assuming the default username.
+        command: ["/bin/sh"]
+        args:
+          - -c
+          - >-
+            supabase migration fetch --db-url="postgresql://postgres:$POSTGRES_PASSWORD@$MIGRATION_SERVICE_NAME.$MIGRATION_NAMESPACE.svc.cluster.local:$MIGRATION_SERVICE_PORT" --debug || true &&
+            supabase db push --db-url="postgresql://postgres:$POSTGRES_PASSWORD@$MIGRATION_SERVICE_NAME.$MIGRATION_NAMESPACE.svc.cluster.local:$MIGRATION_SERVICE_PORT" --debug
+      restartPolicy: Never
+  backoffLimit: 4