feat(kubernetes): support external database URLs (#1365)

kubernetes/loculus/templates/externaldb-sealed-secret.yaml

@@ -0,0 +1,13 @@
+{{- if .Values.externalDatabase.urlSealedSecret }}
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: externaldb-credentials
+  annotations:
+    sealedsecrets.bitnami.com/cluster-wide: "true"
+spec:
+  encryptedData:
+    url: {{ .Values.externalDatabase.urlSealedSecret | quote }}
+    username: {{ .Values.externalDatabase.usernameSealedSecret | quote }}
+    password: {{ .Values.externalDatabase.passwordSealedSecret | quote }}
+{{ end }}

kubernetes/loculus/templates/loculus-database-service.yaml

@@ -1,8 +1,10 @@
+{{- if not .Values.externalDatabaseUrl }}
 apiVersion: v1
 kind: Service
 metadata:
   name: loculus-database-service
 spec:
+
   {{- template "loculus.serviceType"}}
   selector:
     app: loculus
@@ -14,4 +16,5 @@ spec:
       nodePort: 30432
       {{- end }}
       protocol: TCP
-      name: http
+      name: http
+{{- end }}

kubernetes/loculus/templates/loculus-deployment.yaml

@@ -69,19 +69,51 @@ spec:
           ports:
             - containerPort: 8079
           args:
-            - "--spring.datasource.url=jdbc:postgresql://localhost:5432/loculus"
-            - "--spring.datasource.username=postgres"
-            - "--spring.datasource.password=unsecure"
+            - "--spring.datasource.url=$(DB_URL)"
+            - "--spring.datasource.username=$(DB_USERNAME)"
+            - "--spring.datasource.password=$(DB_PASSWORD)"
             - "--keycloak.user=backend"
             - "--keycloak.password=backend"
             - "--keycloak.realm=loculus"
             - "--keycloak.client=test-cli"
             - "--keycloak.url=http://loculus-keycloak-service:8083"
             - "--spring.security.oauth2.resourceserver.jwt.jwk-set-uri=http://loculus-keycloak-service:8083/realms/loculus/protocol/openid-connect/certs"
+          env:
+           {{- if .Values.externalDatabase.urlSealedSecret }}
+            - name: DB_URL
+              valueFrom:
+               secretKeyRef:
+                 name: externaldb-credentials
+                 key: url
+           {{- else }}
+            - name: DB_URL
+              value: "jdbc:postgresql://localhost:5432/loculus"
+           {{- end }}
+           {{- if .Values.externalDatabase.usernameSealedSecret }}
+            - name: DB_USERNAME
+              valueFrom:
+               secretKeyRef:
+                 name: externaldb-credentials
+                 key: username
+           {{- else }}
+            - name: DB_USERNAME
+              value: "postgres"
+           {{- end }}
+           {{- if .Values.externalDatabase.passwordSealedSecret }}
+            - name: DB_PASSWORD
+              valueFrom:
+               secretKeyRef:
+                 name: externaldb-credentials
+                 key: password
+           {{- else }}
+            - name: DB_PASSWORD
+              value: "password"
+           {{- end }}
           volumeMounts:
             - name: loculus-backend-config-processed
               mountPath: /config
         {{- end }}
+        {{- if not .Values.externalDatabaseUrl }}
         - name: database
           image: postgres:latest
           ports:
@@ -93,6 +125,7 @@ spec:
               value: "unsecure"
             - name: POSTGRES_DB
               value: "loculus"
+        {{- end }}
 
       imagePullSecrets:
         - name: ghcr-secret

kubernetes/loculus/values.yaml

@@ -1,4 +1,8 @@
 environment: server
+externalDatabase:
+  urlSealedSecret: ""
+  usernameSealedSecret: ""
+  passwordSealedSecret: ""
 disableWebsite: false
 disableBackend: false
 disablePreprocessing: false
@@ -198,4 +202,4 @@ auth:
     from: "noreply@loculus.org"
     envelopeFrom: "noreply@loculus.org"
   verifyEmail: true
-  resetPasswordAllowed: true
+  resetPasswordAllowed: true