---
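apiVersion: v1
kind: ConfigMap
metadata:
  name: pgsodium-config
data:
  # Key-retrieval script referenced by the Cluster's pgsodium.getkey_script
  # parameter. It holds no key material itself: it only prints the value of
  # the VAULT_KEY environment variable to stdout.
  pgsodium_getkey.sh: |
    #!/bin/bash
    set -euo pipefail
    # ${VAULT_KEY:-} keeps `set -u` from aborting with "unbound variable"
    # before this check can report the problem in its own words.
    if [[ -z "${VAULT_KEY:-}" ]]; then
      # Name the variable that is actually read, so the message points at
      # the right env entry / Secret reference.
      echo "VAULT_KEY is not set" >&2
      exit 1
    fi

    # printf writes the value verbatim, with no trailing newline and no
    # option parsing of the value itself.
    printf '%s' "$VAULT_KEY"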
---
apiVersion: v1
kind: Secret
metadata:
  name: pgsodium-key
data:
  # Generate a 32-byte key
  # head -c 32 /dev/urandom | od -A n -t x1 | tr -d ' \n' | base64
  #
  # The pipeline hex-encodes 32 random bytes (64 hex characters) and then
  # base64-encodes that hex string, which is the form `data:` expects.
  # GNU base64 wraps its output at 76 columns and the result here is 88
  # characters long, so join the lines or use `base64 -w 0`.
  #
  # NOTE(review): base64 is an encoding, not encryption. The value below is a
  # sample key that travels with this manifest in readable form; generate a
  # fresh key per cluster and keep the real one out of version control
  # (for example, create the Secret out of band or via a secrets manager).
  key: NmE4YzQwMWY3NzI4YzdiMWViOTE5NmJhMWRlYmFkOTRhMDRlZTgwZDUzZDg4NWE5MWZlODY0MzdkOGIyYmQ2OA==
---
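apiVersion: v1
kind: Secret
metadata:
  name: supabase-admin-credentials
  labels:
    # Quoted so the label value stays the string "true" rather than a boolean.
    # NOTE(review): presumably this asks the operator to pick up changes to
    # this Secret without a restart; confirm against the operator docs.
    cnpg.io/reload: "true"
type: kubernetes.io/basic-auth
stringData:
  username: 'supabase_admin'
  # Sample password for the role that the Cluster below declares as a
  # login-capable superuser. Replace it before applying and keep the real
  # value out of version control. Single-quoted so a replacement containing
  # YAML indicators (`#`, `: `, a leading `!`, `*` or `&`) is still read as a
  # plain string.
  password: '1n1t-R00t!'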
---
# Single-instance example cluster running the Supabase Postgres image, with
# pgsodium reading its key through a script mounted from the pgsodium-config
# ConfigMap and a managed supabase_admin superuser role.
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
  name: cluster-example
spec:
  instances: 1
  # NOTE(review): the image is referenced by tag only. Tags can be re-pointed
  # in the registry; appending an image digest (`@sha256:<digest>`) pins the
  # exact content that was reviewed.
  imageName: ghcr.io/supabase/postgres:15.8.1.021
  # presumably the uid/gid of the postgres user inside this image; verify
  # against the image before changing either value
  postgresUID: 105
  postgresGID: 106

  bootstrap:
    initdb:
      database: app
      owner: setup
      # SQL run once after initdb; drops the supabase_realtime publication if
      # one exists.
      postInitSQL:
        - drop publication if exists supabase_realtime;

  postgresql:
    shared_preload_libraries:
      - pg_stat_statements
      # NOTE(review): pgaudit is preloaded, but no pgaudit.* parameter is set
      # in this manifest. pgaudit.log defaults to `none`, so unless the image
      # configures it elsewhere no statements are audit-logged.
      - pgaudit
      - plpgsql
      - plpgsql_check
      - pg_cron
      - pg_net
      - pgsodium
      - timescaledb
      - auto_explain
      - pg_tle
      - plan_filter
    parameters:
      # Path of the script from the projected ConfigMap item below
      # (bin/pgsodium_getkey.sh); assumes the projected volume is mounted at
      # /projected, confirm against the operator docs.
      pgsodium.getkey_script: /projected/bin/pgsodium_getkey.sh
      cron.database_name: app
      auto_explain.log_min_duration: 10s

  projectedVolumeTemplate:
    sources:
      - configMap:
          name: pgsodium-config
          items:
            - key: pgsodium_getkey.sh
              path: bin/pgsodium_getkey.sh
              # Must stay an unquoted integer: the field is numeric, and a
              # YAML 1.1 loader reads 0755 as octal (decimal 493). The script
              # needs the execute bit to be runnable.
              mode: 0755
  env:
    # cloudnative-pg reserves all env variables that start with PG for internal use
    # NOTE(review): as an environment variable, the key is readable by every
    # process in the container that inherits this environment, not only by
    # the getkey script. Mounting the Secret as a file and having the script
    # read it would narrow that exposure; worth evaluating.
    - name: VAULT_KEY
      valueFrom:
        secretKeyRef:
          name: pgsodium-key
          key: key

  managed:
    roles:
      # Declares supabase_admin as a superuser that can log in, with its
      # password taken from the supabase-admin-credentials Secret. Anyone who
      # can read that Secret holds full database control.
      - name: supabase_admin
        ensure: present
        superuser: true
        login: true
        passwordSecret:
          name: supabase-admin-credentials
  storage:
    size: 1Gi