feat: Add supabase deployment package (#380)

Adds Supabase with initial configs to get it deployed via Zarf and UDS.

- Includes some basic e2e tests that verify the supabase package can be built and deployed
- Readme with baisc deployment instructions
- Automatically creates a default keycloak client with the id uds-supabase for integration with the UI

.github/workflows/e2e.yaml

@@ -70,6 +70,35 @@ jobs:
           run: |
             uds deploy k3d-core-slim-dev:0.18.0 --confirm
 
+          ##########
+          # Supabase
+          ##########
+        - name: Deploy Supabase
+          run: |
+            make build-supabase LOCAL_VERSION=e2e-test
+            docker image prune -af
+            uds zarf tools kubectl create namespace leapfrogai
+            uds zarf package deploy packages/supabase/zarf-package-supabase-amd64-e2e-test.tar.zst --confirm
+            rm packages/supabase/zarf-package-supabase-amd64-e2e-test.tar.zst
+
+        - name: Set environment variable
+          id: set-env-var
+          run: |
+            echo "API_KEY=$(uds zarf tools kubectl get secret supabase-bootstrap-jwt -n leapfrogai -o jsonpath='{.data.anon-key}' | base64 -d)" >> "$GITHUB_ENV"
+
+        - name: Test Supabase
+          run: |
+            python -m pip install requests
+            python -m pytest ./tests/e2e/test_supabase.py -v
+
+        # This cleanup may need to be moved/removed when other packages depend on Supabase
+        - name: Cleanup Supabase
+          run: |
+            uds zarf package remove supabase -l=trace --confirm
+
+        ##########
+        # API
+        ##########
         - name: Deploy LFAI-API
           run: |
             make build-api LOCAL_VERSION=e2e-test

Makefile

@@ -37,6 +37,10 @@ sdk-wheel: ## build wheels for the leapfrogai_sdk package as a dependency for ot
 	-rm ${SDK_DEST}/*.whl
 	python -m pip wheel src/leapfrogai_sdk -w ${SDK_DEST}
 
+build-supabase:
+	## Build the Zarf package
+	uds zarf package create packages/supabase -o packages/supabase --set IMAGE_VERSION=${LOCAL_VERSION} --confirm
+
 setup-api-deps: sdk-wheel ## Download the wheels for the leapfrogai_api dependencies
 	-rm packages/api/build/*.whl
 	python -m pip wheel src/leapfrogai_api -w packages/api/build --find-links=${SDK_DEST}

packages/supabase/README.md

@@ -0,0 +1,30 @@
+# Setting up Supabase locally
+
+## Step 1: Create a Zarf package
+
+From `leapfrogai/packages/supabase` run `zarf package create`
+
+## Step 2: Create the uds bundle
+
+From `leapfrogai/uds-bundles/dev/<cpu|gpu>/` run `uds create`
+
+
+## Step 3: Deploy the UDS bundle or deploy the Zarf package
+
+To deploy only Supabase for UDS bundle run the following from `leapfrogai/uds-bundles/dev/<cpu|gpu>/`:
+* `uds deploy -p supabase uds-bundle-leapfrogai-*.tar.zst`
+
+To deploy the Zarf package run the following from `leapfrogai/packages/supabase`:
+* `uds zarf package deploy zarf-package-supabase-*.tar.zst`
+
+## Step 4: Accessing Supabase
+
+Go to `https://supabase-kong.uds.dev`. The login is `supabase-admin` the password is randomly generated in a cluster secret named `supabase-dashboard-secret`
+
+# Troubleshooting
+
+* If you cannot reach `https://supabase-kong.uds.dev`, check if the `Packages` CRDs and `VirtualServices` contain `supabase-kong.uds.dev`. If they do not, try restarting the `pepr-uds-core-watcher` pod.
+* If logging in to the UI through keycloak returns a `500`, check and see if the `sql` migrations have been run in Supabase.
+  * You can find those in `leapfrogai/src/leapfrogai_ui/supabase/migrations`. They can be run in the studios SQL Editor.
+
+By following these steps, you'll have successfully set up Keycloak for your application, allowing secure authentication and authorization for your users.

packages/supabase/bitnami-values-bootstrap.yaml

@@ -0,0 +1,113 @@
+# Copyright VMware, Inc.
+# SPDX-License-Identifier: APACHE-2.0
+
+## @section Global parameters
+## Global Docker image parameters
+## Please, note that this will override the image parameters, including dependencies, configured to use the global value
+## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass
+##
+
+## @param global.imageRegistry Global Docker image registry
+## @param global.imagePullSecrets Global Docker registry secret names as an array
+## @param global.storageClass Global StorageClass for Persistent Volume(s)
+##
+global:
+  ## We need to add the existing secret in global in order to make it accessible to the Kong subchart
+  ##
+  jwt:
+    ## @param global.jwt.existingSecret The name of the existing secret containing the JWT secret
+    ##
+    existingSecret: ""
+
+## @section Supabase Common parameters
+##
+jwt:
+  autoGenerate:
+    ## @param jwt.autoGenerate.forceRun Force the run of the JWT generation job
+    ##
+    forceRun: true
+    ## @param jwt.autoGenerate.annotations [object] Add annotations to the job
+    ##
+    annotations:
+      helm.sh/hook: null
+      helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+      # This should be executed after the minio provisioning job
+      helm.sh/hook-weight: "10"
+## @section Supabase Auth Parameters
+##
+##
+auth:
+  ## @param auth.enabled Enable Supabase auth
+  ##
+  enabled: false
+## @section Supabase Meta Parameters
+##
+##
+meta:
+  ## @param meta.enabled Enable Supabase Postgres Meta
+  ##
+  enabled: false
+## @section Supabase Realtime Parameters
+##
+##
+realtime:
+  ## @param realtime.enabled Enable Supabase realtime
+  ##
+  enabled: false
+## @section Supabase Rest Parameters
+##
+##
+rest:
+  ## @param rest.enabled Enable Supabase rest
+  ##
+  enabled: false
+## @section Supabase Storage Parameters
+##
+##
+storage:
+  ## @param storage.enabled Enable Supabase storage
+  ##
+  enabled: false
+  ## Enable persistence using Persistent Volume Claims
+  ## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/
+  ##
+  persistence:
+    ## @param storage.persistence.enabled Enable persistence using Persistent Volume Claims
+    ##
+    enabled: false
+## @section Supabase Studio Parameters
+##
+##
+studio:
+  ## @param studio.enabled Enable Supabase studio
+  ##
+  enabled: false
+## @section Init Container Parameters
+##
+
+## 'volumePermissions' init container parameters
+## Changes the owner and group of the persistent volume mount point to runAsUser:fsGroup values
+##   based on the *podSecurityContext/*containerSecurityContext parameters
+##
+volumePermissions:
+  ## @param volumePermissions.enabled Enable init container that changes the owner/group of the PV mount point to `runAsUser:fsGroup`
+  ##
+  enabled: false
+## @section Kong sub-chart parameters
+##
+kong:
+  ## @param kong.enabled Enable Kong
+  ##
+  enabled: false
+## @section PostgreSQL sub-chart parameters
+##
+
+## PostgreSQL chart configuration
+## ref: https://github.com/bitnami/charts/blob/main/bitnami/postgresql/values.yaml
+## @param postgresql.enabled Switch to enable or disable the PostgreSQL helm chart
+## @param postgresql.auth.existingSecret Name of existing secret to use for PostgreSQL credentials
+## @param postgresql.architecture PostgreSQL architecture (`standalone` or `replication`)
+## @param postgresql.service.ports.postgresql PostgreSQL service port
+##
+postgresql:
+  enabled: false

packages/supabase/bitnami-values.yaml

@@ -0,0 +1,190 @@
+## @section Leapfrog parameters
+## Parameters not defined in the upstream chart that are related to LeapfrogAI's specific configuration
+leapfrogai:
+  package:
+    host: supabase-kong
+    name: supabase
+    component: kong
+  sso:
+    clientId: ###ZARF_CONST_EXTERNAL_KEYCLOAK_CLIENT_ID###
+
+global:
+  jwt:
+    existingSecret: "supabase-bootstrap-jwt"
+
+commonLabels:
+  sidecar.istio.io/inject: "false"
+
+jwt:
+  autoGenerate:
+    image:
+      tag: 6.0.0-debian-12-r19
+    kubectlImage:
+      tag: 1.29.3-debian-12-r4
+    resourcesPreset: "none"
+    podLabels:
+      sidecar.istio.io/inject: "false"
+publicURL: "https://supabase-kong.uds.dev"
+auth:
+  enabled: ###ZARF_VAR_ENABLE_AUTH###
+  defaultConfig: |
+    GOTRUE_API_HOST: "0.0.0.0"
+    GOTRUE_API_PORT: {{ .Values.auth.containerPorts.http | quote }}
+    API_EXTERNAL_URL: "http://{{ include "supabase.auth.fullname" . }}:{{ .Values.auth.service.ports.http }}"
+    GOTRUE_SITE_URL: {{ include "supabase.studio.publicURL" . | quote }}
+    GOTRUE_DISABLE_SIGNUP: "false"
+    GOTRUE_DB_DRIVER: "postgres"
+    GOTRUE_DB_MIGRATIONS_PATH: "/opt/bitnami/gotrue/"
+    GOTRUE_JWT_DEFAULT_GROUP_NAME: "authenticated"
+    GOTRUE_JWT_ADMIN_ROLES: "service_role"
+    GOTRUE_JWT_AUD: "authenticated"
+    GOTRUE_JWT_EXP: "3600"
+    GOTRUE_EXTERNAL_EMAIL_ENABLED: "true"
+    GOTRUE_MAILER_AUTOCONFIRM: "true"
+    GOTRUE_SMTP_ADMIN_EMAIL: "your-mail@example.com"
+    GOTRUE_SMTP_HOST: "smtp.example.com"
+    GOTRUE_SMTP_PORT: "587"
+    GOTRUE_SMTP_SENDER_NAME: "your-mail@example.com"
+    GOTRUE_EXTERNAL_PHONE_ENABLED: "false"
+    GOTRUE_SMS_AUTOCONFIRM: "false"
+    GOTRUE_MAILER_URLPATHS_INVITE: "{{ include "supabase.studio.publicURL" . }}/auth/v1/verify"
+    GOTRUE_MAILER_URLPATHS_CONFIRMATION: "{{ include "supabase.studio.publicURL" . }}/auth/v1/verify"
+    GOTRUE_MAILER_URLPATHS_RECOVERY: "{{ include "supabase.studio.publicURL" . }}/auth/v1/verify"
+    GOTRUE_MAILER_URLPATHS_EMAIL_CHANGE: "{{ include "supabase.studio.publicURL" . }}/auth/v1/verify"
+    GOTRUE_EXTERNAL_KEYCLOAK_ENABLED: "###ZARF_VAR_ENABLE_EXTERNAL_KEYCLOAK###"
+    GOTRUE_EXTERNAL_KEYCLOAK_CLIENT_ID: "{{ .Values.leapfrogai.sso.clientId }}"
+    GOTRUE_EXTERNAL_KEYCLOAK_REDIRECT_URI: "###ZARF_CONST_EXTERNAL_KEYCLOAK_REDIRECT_URL###"
+    GOTRUE_EXTERNAL_KEYCLOAK_URL: "###ZARF_CONST_EXTERNAL_KEYCLOAK_URL###"
+  image:
+    tag: 2.149.0-debian-12-r0
+  resourcesPreset: "none"
+  podLabels:
+    sidecar.istio.io/inject: "false"
+  extraEnvVars:
+    - name: GOTRUE_EXTERNAL_KEYCLOAK_SECRET
+      valueFrom:
+        secretKeyRef:
+          name: sso-client-uds-supabase
+          key: secret
+meta:
+  enabled: ###ZARF_VAR_ENABLE_META###
+  image:
+    tag: 0.80.0-debian-12-r1
+  resourcesPreset: "none"
+  podLabels:
+    sidecar.istio.io/inject: "false"
+
+realtime:
+  enabled: ###ZARF_VAR_ENABLE_REALTIME###
+  image:
+    tag: 2.28.22-debian-12-r0
+  resourcesPreset: "none"
+  podLabels:
+    sidecar.istio.io/inject: "false"
+
+rest:
+  enabled: ###ZARF_VAR_ENABLE_REST###
+  image:
+    tag: 11.2.2-debian-12-r14
+  resourcesPreset: "none"
+  podLabels:
+    sidecar.istio.io/inject: "false"
+
+storage:
+  enabled: ###ZARF_VAR_ENABLE_STORAGE###
+  image:
+    tag: 0.48.4-debian-12-r0
+  resourcesPreset: "none"
+  podLabels:
+    sidecar.istio.io/inject: "false"
+
+studio:
+  enabled: ###ZARF_VAR_ENABLE_STUDIO###
+  publicURL: "https://lfaiui.uds.dev"
+  image:
+    tag: 0.24.3-debian-12-r0
+  resourcesPreset: "none"
+  podLabels:
+    sidecar.istio.io/inject: "false"
+
+volumePermissions:
+  enabled: ###ZARF_VAR_ENABLE_VOLUME_PERMISSIONS###
+  image:
+    tag: 12-debian-12-r18
+  resourcesPreset: "none"
+
+psqlImage:
+  tag: 15.1.1-debian-12-r24
+
+kong:
+  enabled: ###ZARF_VAR_ENABLE_KONG###
+  initContainers: |
+    - name: render-kong-declarative-conf
+      image: '{{ include "kong.image" . }}'
+      command:
+        - /bin/bash
+      args:
+        - -ec
+        - |
+          #!/bin/bash
+
+          . /opt/bitnami/scripts/liblog.sh
+
+          # We need to generate it in the tmp folder to ensure that we have write permissions
+          info "Rendering Supabase declarative config template"
+          render-template /bitnami/kong/declarative-template/kong.yml.tpl > "/bitnami/kong/declarative-conf/kong.yml"
+      volumeMounts:
+        - name: declarative-conf-template
+          mountPath: /bitnami/kong/declarative-template/
+        - name: rendered-declarative-conf
+          mountPath: /bitnami/kong/declarative-conf/
+      {{- if .Values.containerSecurityContext.enabled }}
+      securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 6 }}
+      {{- end }}
+      env:
+        - name: SUPABASE_DASHBOARD_USERNAME
+          value: '###ZARF_CONST_DASHBOARD_USERNAME###'
+        - name: SUPABASE_DASHBOARD_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: supabase-dashboard-secret
+              key: password
+        - name: SUPABASE_ANON_KEY
+          valueFrom:
+            secretKeyRef:
+              name: '{{ include "supabase.jwt.secretName" . }}'
+              key: '{{ include "supabase.jwt.anonSecretKey" . }}'
+        - name: SUPABASE_SERVICE_KEY
+          valueFrom:
+            secretKeyRef:
+              name: '{{ include "supabase.jwt.secretName" . }}'
+              key: '{{ include "supabase.jwt.serviceSecretKey" . }}'
+  podLabels:
+    sidecar.istio.io/inject: "false"
+  kong:
+    extraEnvVars:
+      - name: KONG_DECLARATIVE_CONFIG
+        value: "/bitnami/kong/declarative-conf/kong.yml"
+      - name: KONG_DNS_ORDER
+        value: LAST,A,CNAME
+      - name: KONG_PLUGINS
+        value: request-transformer,cors,key-auth,acl,basic-auth
+    resourcesPreset: "none"
+    livenessProbe:
+      timeoutSeconds: 40
+    readinessProbe:
+      timeoutSeconds: 40
+postgresql:
+  enabled: ###ZARF_VAR_ENABLE_POSTGRES###
+  image:
+    tag: 15.1.1-debian-12-r24
+  primary:
+    resourcesPreset: "none"
+    podLabels:
+      sidecar.istio.io/inject: "false"
+  commonAnnotations:
+    helm.sh/resource-policy: keep
+  ## @param postgresql.postgresqlSharedPreloadLibraries Set the shared_preload_libraries parameter in postgresql.conf
+  ## Setting an empty value in order to force the default extensions of supabase-postgres
+  ##
+  postgresqlSharedPreloadLibraries: "pg_stat_statements, pg_stat_monitor, pgaudit, plpgsql, plpgsql_check, pg_cron, pg_net, pgsodium, timescaledb, auto_explain, vector"