[ADD] Feature to expose database

[josep-tecnativa]

Since Traefik 3 is avaliable on Doodba Copier Template, we can configure with our template, a postgres exposed database. This is only working on Traefik 3.

• Correct when serveral domains, HostSNI duplicated map key traefik label.

[pedrobaeza]

Can you check CI?

[celm1990]

LGTM, thanks a lot for improving this feature

[josep-tecnativa]

ping @pedrobaeza

[pedrobaeza]

As this doesn't work in Traefik 2-, you can put for them the port direct mapping instead of limiting the question to Traefik 3

[pedrobaeza]

It seems OK in code review, but you should try to generate a scaffolding on each type to be sure, or add them to tests.

[yajo]

Sorry, I don't mean to sound rude, but I have the feeling all this is wrong... 😅

• TCP routers don't have a concept of "path".
• Are you sure TLS termination can be done in Traefik for a TCP router?
• Are you seriously exposing the database always, by default and with no opt-out option?

[josep-tecnativa]

Sorry, I don't mean to sound rude, but I have the feeling all this is wrong... 😅

* TCP routers don't have a concept of "path".

* Are you sure TLS termination _can_ be done in Traefik for a TCP router?

* Are you seriously exposing the database _always, by default and with no opt-out option_?

First of all, thanks for pointing out that TCP routers don't have the concept of a path. I have already corrected that.

Secondly, I would say that Traefik 3 can handle TLS termination for TCP routers. This functionality is documented in the official Traefik documentation here. But please correct me if I'm wrong, although I believe it is correct.

Lastly, no, by default I do not expose the database. It is only exposed if the option to expose it is chosen, as you can see here:

doodba-copier-template/prod.yaml.jinja

Line 90 in 081f737

{%- if postgres_exposed %}

[yajo]

Thanks for attending the previous comment! Yes, it seems I was wrong in those last 2 points.

I see this also would need some changes on the traefik deployment, so you probably need to update the docs, as now there must exist a postgres-entrypoint.

Thank you

[josep-tecnativa]

This is ready to merge @pedrobaeza . I have generated a scaffolding on each type and works correctly.

[pedrobaeza]

@yajo is it OK for you?

[yajo]

One minor comment.

One bigger concern is that there are no tests for this. I think it deserves one.

[josep-tecnativa]

@ap-wtioit Do you have any idea why I can't connect to the database in the new test?

https://github.com/Tecnativa/doodba-copier-template/actions/runs/11326688958/job/31496138294#step:16:279

[ap-wtioit]

@josep-tecnativa i'm not 100% sure. One issue we had on our systems was this one: moby/moby#47145 where starting with docker 25 it was no longer possible to access container ports directly from the host for internal networks.

Another issue could be test tested postgres image. If the postgres stopped after the test started it there could also be a connection issue

To be sure i would add the following debugging info to the failed test:

• docker compose ps info (showing containers running/stopped and open ports)
• docker inspect ... | grep IPAddress showing the configured IPs per container
• ip route showing package routing info (did docker add the route to the internal network / ip)

[josep-tecnativa]

Since Docker does not allow connections through ports on the same host starting from version 25, it is currently not possible to create a test. The functionality of this PR has been tested by both @celm1990 and me. Therefore, I believe it is ready to be merged (once CI finishes), and if in the future I find a way to create the test, I will implement it.

ping @pedrobaeza