feat: Add specific database URL for migrateDb job (#449)

matthewelwell · germangarces · web-flow · commit d3b2aedf67f7 · 2026-04-09T10:37:33.000+02:00
Co-authored-by: Germán Garcés &lt;german.garces@flagsmith.com&gt;
diff --git a/charts/flagsmith/templates/jobs-migrate-db.yaml b/charts/flagsmith/templates/jobs-migrate-db.yaml
@@ -71,7 +71,16 @@ spec:
         {{- else }}
         args: ["migrate"]
         {{- end }}
-        env: {{ include (print $.Template.BasePath "/_api_environment.yaml") . | nindent 8 }}
+        env:
+        {{- include (print $.Template.BasePath "/_api_environment.yaml") . | nindent 8 }}
+        {{- if and .Values.jobs.migrateDb.databaseUrl .Values.jobs.migrateDb.databaseUrl.fromExistingSecret.enabled }}
+        {{- /* Override DATABASE_URL with migration-specific credentials */}}
+        - name: DATABASE_URL
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.jobs.migrateDb.databaseUrl.fromExistingSecret.name | required "jobs.migrateDb.databaseUrl.fromExistingSecret.name is required when enabled" }}
+              key: {{ .Values.jobs.migrateDb.databaseUrl.fromExistingSecret.key | required "jobs.migrateDb.databaseUrl.fromExistingSecret.key is required when enabled" }}
+        {{- end }}
 {{- with .Values.jobs.migrateDb.extraContainers }}
 {{ if typeIs "string" . }}
     {{- tpl . $ | nindent 6 }}
diff --git a/charts/flagsmith/values.yaml b/charts/flagsmith/values.yaml
@@ -569,6 +569,17 @@ jobs:
     extraVolumes: []
     command: []
     args: []
+    # Use separate database credentials for migrations.
+    # This allows the migration job to run with elevated privileges (e.g., CREATE,
+    # ALTER, DROP for schema modifications) while the main application uses
+    # restricted credentials (e.g., SELECT, INSERT, UPDATE, DELETE only).
+    # This improves security by not granting schema modification privileges to
+    # the running application.
+    databaseUrl:
+      fromExistingSecret:
+        enabled: false
+        name: null
+        key: null
   migrateAnalyticsData:
     enabled: false
     args: []
