From 14301f2afe5344f7493bfb15209ee22a65deb941 Mon Sep 17 00:00:00 2001
From: Matthew Elwell <matthew.elwell@flagsmith.com>
Date: Tue, 16 Dec 2025 18:22:03 +0000
Subject: [PATCH] Add specific database URL for migrateDb job

---
 charts/flagsmith/templates/jobs-migrate-db.yaml | 11 ++++++++++-
 charts/flagsmith/values.yaml                    | 11 +++++++++++
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/charts/flagsmith/templates/jobs-migrate-db.yaml b/charts/flagsmith/templates/jobs-migrate-db.yaml
index e937d9e..26f0732 100644
--- a/charts/flagsmith/templates/jobs-migrate-db.yaml
+++ b/charts/flagsmith/templates/jobs-migrate-db.yaml
@@ -71,7 +71,16 @@ spec:
         {{- else }}
         args: ["migrate"]
         {{- end }}
-        env: {{ include (print $.Template.BasePath "/_api_environment.yaml") . | nindent 8 }}
+        env:
+        {{- include (print $.Template.BasePath "/_api_environment.yaml") . | nindent 8 }}
+        {{- if and .Values.jobs.migrateDb.databaseUrl .Values.jobs.migrateDb.databaseUrl.fromExistingSecret.enabled }}
+        {{- /* Override DATABASE_URL with migration-specific credentials */}}
+        - name: DATABASE_URL
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.jobs.migrateDb.databaseUrl.fromExistingSecret.name | required "jobs.migrateDb.databaseUrl.fromExistingSecret.name is required when enabled" }}
+              key: {{ .Values.jobs.migrateDb.databaseUrl.fromExistingSecret.key | required "jobs.migrateDb.databaseUrl.fromExistingSecret.key is required when enabled" }}
+        {{- end }}
 {{- with .Values.jobs.migrateDb.extraContainers }}
 {{ if typeIs "string" . }}
     {{- tpl . $ | nindent 6 }}
diff --git a/charts/flagsmith/values.yaml b/charts/flagsmith/values.yaml
index e20a27e..0b1fd1b 100644
--- a/charts/flagsmith/values.yaml
+++ b/charts/flagsmith/values.yaml
@@ -504,6 +504,17 @@ jobs:
     extraVolumes: []
     command: []
     args: []
+    # Use separate database credentials for migrations.
+    # This allows the migration job to run with elevated privileges (e.g., CREATE,
+    # ALTER, DROP for schema modifications) while the main application uses
+    # restricted credentials (e.g., SELECT, INSERT, UPDATE, DELETE only).
+    # This improves security by not granting schema modification privileges to
+    # the running application.
+    databaseUrl:
+      fromExistingSecret:
+        enabled: false
+        name: null
+        key: null
   migrateAnalyticsData:
     enabled: false
     args: []