Update example conf for supabase to use dedicated secret

2025-06-17 12:05:51 +02:00 · 2025-06-17 12:05:51 +02:00 · 7dfeda268e
commit 7dfeda268e
parent 99e1419556
4 changed files with 71 additions and 18 deletions
--- a/supabase/README.md
+++ b/supabase/README.md
@ -8,6 +8,12 @@
 git clone https://github.com/supabase-community/supabase-kubernetes
 ```

+2. Create secret
+
+```
+cat src-secret.yaml | kubeseal -o yaml --controller-name=sealed-secrets --controller-namespace=default | kubectl apply -f -
+```
+
 2. Install Supabase

 ```
--- a/supabase/src-secret.yaml
+++ b/supabase/src-secret.yaml
@ -0,0 +1,29 @@
+# The secrets it's just for testing, it's not used in production
+apiVersion: v1
+kind: Secret
+metadata:
+  name: supabase-app-secret
+type: Opaque
+data:
+  # WyXn60h#H1FlK%;&UDAj"BjAZuEC.=s\zwJ>n`~JHs)NM`bYc10PDe.&b>K>$+nQg.)Z>X@*n]bkQ=NA6#J=@as+9g]^'009_xqb
+  ANALYTICS_API_KEY: V3lYbjYwaCNIMUZsSyU7JlVEQWoiQmpBWnVFQy49c1x6d0o+bmB+SkhzKU5NYGJZYzEwUERlLiZiPks+JCtuUWcuKVo+WEAqbl1ia1E9TkE2I0o9QGFzKzlnXV4nMDA5X3hxYg==
+  # supabase
+  DASHBOARD_USERNAME: c3VwYWJhc2U=
+  # *Q2tYxC`Y2G0;qlU#8Y$z?r`9[[MGr"t
+  DASHBOARD_PASSWORD: KlEydFl4Q2BZMkcwO3FsVSM4WSR6P3JgOVtbTUdyInQ=
+  # postgres
+  DATABASE_NAME: cG9zdGdyZXM=
+  # postgres
+  DATABASE_USERNAME: cG9zdGdyZXM=
+  # o"D?"Kz&OZd=PkDwK{RhKO"m+@4V?t#2
+  DATABASE_PASSWORD: byJEPyJLeiZPWmQ9UGtEd0t7UmhLTyJtK0A0Vj90IzI=
+  # eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyAgCiAgICAicm9sZSI6ICJhbm9uIiwKICAgICJpc3MiOiAic3VwYWJhc2UtZGVtbyIsCiAgICAiaWF0IjogMTY0MTc2OTIwMCwKICAgICJleHAiOiAxNzk5NTM1NjAwCn0.dc_X5iR_VP_qT0zsiyj_I_OZ2T9FtRU2BBNWN8Bu4GE
+  JWT_ANON_KEY: ZXlKaGJHY2lPaUpJVXpJMU5pSXNJblI1Y0NJNklrcFhWQ0o5LmV5QWdDaUFnSUNBaWNtOXNaU0k2SUNKaGJtOXVJaXdLSUNBZ0lDSnBjM01pT2lBaWMzVndZV0poYzJVdFpHVnRieUlzQ2lBZ0lDQWlhV0YwSWpvZ01UWTBNVGMyT1RJd01Dd0tJQ0FnSUNKbGVIQWlPaUF4TnprNU5UTTFOakF3Q24wLmRjX1g1aVJfVlBfcVQwenNpeWpfSV9PWjJUOUZ0UlUyQkJOV044QnU0R0U=
+  # eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyAgCiAgICAicm9sZSI6ICJzZXJ2aWNlX3JvbGUiLAogICAgImlzcyI6ICJzdXBhYmFzZS1kZW1vIiwKICAgICJpYXQiOiAxNjQxNzY5MjAwLAogICAgImV4cCI6IDE3OTk1MzU2MDAKfQ.DaYlNEoUrrEn2Ig7tqibS-PHK5vgusbcbo7X36XVt4Q
+  JWT_SERVICE_KEY: ZXlKaGJHY2lPaUpJVXpJMU5pSXNJblI1Y0NJNklrcFhWQ0o5LmV5QWdDaUFnSUNBaWNtOXNaU0k2SUNKelpYSjJhV05sWDNKdmJHVWlMQW9nSUNBZ0ltbHpjeUk2SUNKemRYQmhZbUZ6WlMxa1pXMXZJaXdLSUNBZ0lDSnBZWFFpT2lBeE5qUXhOelk1TWpBd0xBb2dJQ0FnSW1WNGNDSTZJREUzT1RrMU16VTJNREFLZlEuRGFZbE5Fb1VyckVuMklnN3RxaWJTLVBISzV2Z3VzYmNibzdYMzZYVnQ0UQ==
+  # 9`JVAG$EN]3aXAv%C#"nz$iE`tmI)?38
+  JWT_SECRET: OWBKVkFHJEVOXTNhWEF2JUMjIm56JGlFYHRtSSk/Mzg=
+  # contact@example.com
+  SMTP_USERNAME: Y29udGFjdEBleGFtcGxlLmNvbQ==
+  # ;|[ot!`QREZM#.R2i2hLae=+vsUP!G$g
+  SMTP_PASSWORD: O3xbb3QhYFFSRVpNIy5SMmkyaExhZT0rdnNVUCFHJGc=
--- a/supabase/values.yaml
+++ b/supabase/values.yaml
@ -1,20 +1,30 @@
 secret:
  jwt:
-    anonKey: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyAgCiAgICAicm9sZSI6ICJhbm9uIiwKICAgICJpc3MiOiAic3VwYWJhc2UtZGVtbyIsCiAgICAiaWF0IjogMTY0MTc2OTIwMCwKICAgICJleHAiOiAxNzk5NTM1NjAwCn0.dc_X5iR_VP_qT0zsiyj_I_OZ2T9FtRU2BBNWN8Bu4GE
-    serviceKey: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyAgCiAgICAicm9sZSI6ICJzZXJ2aWNlX3JvbGUiLAogICAgImlzcyI6ICJzdXBhYmFzZS1kZW1vIiwKICAgICJpYXQiOiAxNjQxNzY5MjAwLAogICAgImV4cCI6IDE3OTk1MzU2MDAKfQ.DaYlNEoUrrEn2Ig7tqibS-PHK5vgusbcbo7X36XVt4Q
-    secret: your-super-secret-jwt-token-with-at-least-32-characters-long
+    secretRef: "supabase-app-secret"
+    secretRefKey:
+      anonKey: JWT_ANON_KEY
+      serviceKey: JWT_SERVICE_KEY
+      secret: JWT_SECRET
  smtp:
-    username: your-mail@example.com
-    password: example123456
+    secretRef: "supabase-app-secret"
+    secretRefKey:
+      username: SMTP_USERNAME
+      password: SMTP_PASSWORD
  dashboard:
-    username: supabase
-    password: this_password_is_insecure_and_should_be_updated
+    secretRef: "supabase-app-secret"
+    secretRefKey:
+      username: DASHBOARD_USERNAME
+      password: DASHBOARD_PASSWORD
  db:
-    username: postgres
-    password: example123456
-    database: postgres
+    secretRef: "supabase-app-secret"
+    secretRefKey:
+      username: DATABASE_USERNAME
+      password: DATABASE_PASSWORD
+      database: DATABASE_NAME
  analytics:
-    apiKey: your-super-secret-and-long-logflare-key
+    secretRef: "supabase-app-secret"
+    secretRefKey:
+      apiKey: ANALYTICS_API_KEY

 db:
  enabled: true
@ -50,12 +60,8 @@ auth:
  environment:
    API_EXTERNAL_URL: http://example.com
    GOTRUE_SITE_URL: http://example.com
-    GOTRUE_EXTERNAL_EMAIL_ENABLED: "true"
-    GOTRUE_MAILER_AUTOCONFIRM: "true"
-    GOTRUE_SMTP_ADMIN_EMAIL: "your-mail@example.com"
-    GOTRUE_SMTP_HOST: "smtp.example.com"
-    GOTRUE_SMTP_PORT: "587"
-    GOTRUE_SMTP_SENDER_NAME: "your-mail@example.com"
+    GOTRUE_EXTERNAL_EMAIL_ENABLED: "false"
+    GOTRUE_MAILER_AUTOCONFIRM: "false"

 rest:
  image: