feat: add PostgREST container spec, config file, and service user role

[moizpgedge]

• Add postgrest_config.go: generates postgrest.conf with db-schemas, db-anon-role,
  db-pool, db-max-rows, and optional JWT fields; credentials are excluded from the file
  and injected as libpq env vars at the container level; nil-guards on params/Config
• Add postgrest_config_resource.go: manages postgrest.conf lifecycle on the host
  filesystem; depends on DirResource; delete is a no-op (parent dir handles cleanup)
• Update service_spec.go: PostgREST container uses postgrest /app/data/postgrest.conf
  as command, postgrest --ready health check (no curl in static binary image),
  read-only bind mount, and PGHOST/PGPORT/PGDATABASE/PGUSER/PGPASSWORD env vars;
  PGHOST and PGPORT are built as comma-separated lists from the DatabaseHosts slice
  to support multi-host libpq connections; PGTARGETSESSIONATTRS is set when present
• Update service_instance_spec.go: pass DatabaseHosts and TargetSessionAttrs
  through to ServiceContainerSpecOptions
• Update service_user_role.go: add ServiceType and DBAnonRole fields; PostgREST
  role is created with LOGIN NOINHERIT + GRANT <anon_role> to enable the
  SET ROLE mechanism; bump ResourceVersion to 4
• Register PostgRESTConfigResource in resources.go

Summary

Implements the PostgREST container runtime layer: config file generation, host filesystem resource management, container spec (command, health check, mounts, env vars), and service user role SQL with NOINHERIT semantics.

Changes

• Add postgrest_config.go: generates postgrest.conf with db-schemas, db-anon-role, db-pool, db-max-rows, and optional JWT fields; credentials excluded from the file and injected as libpq env vars; nil-guards on params/Config
• Add postgrest_config_resource.go: manages postgrest.conf lifecycle on the host filesystem; depends on DirResource; chowns config to UID 1000 (PostgREST container user); delete is a no-op (parent dir handles cleanup)
• Update service_spec.go: PostgREST container uses postgrest /app/data/postgrest.conf as command, postgrest --ready health check (no curl in static binary image), read-only bind mount, PGHOST/PGPORT/PGDATABASE/PGUSER/PGPASSWORD env vars, PGRST_SERVER_HOST=0.0.0.0 (required for --ready flag), explicit container UID 1000; replace default: with explicit case "mcp": — unknown service types now return an error
• Update service_user_role.go: add ServiceType and DBAnonRole fields; roleAttributesAndGrants() is PostgREST-specific (LOGIN NOINHERIT + GRANT anon_role); MCP uses the group-role path in createUserRole() directly — dead MCP path and associated tests removed; bump ResourceVersion to 4
• Register PostgRESTConfigResource in resources.go

Testing

Unit tests

go test ./server/internal/orchestrator/swarm/... -run "TestGeneratePostgRESTConfig|TestServiceContainerSpec|TestRoleAttributesAndGrants" -v
go test ./server/internal/database/... -run TestParsePostgRESTServiceConfig -v

# Deploy PostgREST service (once storefront database exists)
restish control-plane-local-1 update-database storefront '{
  "spec": {
    "database_name": "storefront",
    "database_users": [{"username": "admin", "password": "password", "db_owner": true, "attributes": ["LOGIN", "SUPERUSER"]}],
    "nodes": [
      {"name": "n1", "host_ids": ["host-1"]},
      {"name": "n2", "host_ids": ["host-2"]},
      {"name": "n3", "host_ids": ["host-3"]}
    ],
    "services": [{
      "service_id": "postgrest",
      "service_type": "postgrest",
      "version": "14.5",
      "host_ids": ["host-1"],
      "config": {}
    }]
  }
}'

Retish command:

restish control-plane-local-1 update-database storefront \
  --body '{
    "spec": {
      "database_name": "storefront",
      "database_users": [{"username": "admin", "password": "password123", "db_owner": true, "attributes": ["LOGIN", "SUPERUSER"]}],
      "nodes": [
        {"name": "n1", "host_ids": ["host-1"]},
        {"name": "n2", "host_ids": ["host-2"]},
        {"name": "n3", "host_ids": ["host-3"]}
      ],
      "services": [{
        "service_id": "postgrest",
        "service_type": "postgrest",
        "version": "14.5",
        "host_ids": ["host-1"],
        "config": {
        }
      }]
    }
  }'



Curl command:

curl -s -X PUT http://localhost:3000/v1/databases/storefront \
  -H "Content-Type: application/json" \
  -d '{
    "spec": {
      "database_name": "storefront",
      "database_users": [{"username": "admin", "password": "password123", "db_owner": true, "attributes": ["LOGIN", "SUPERUSER"]}],
      "nodes": [
        {"name": "n1", "host_ids": ["host-1"]},
        {"name": "n2", "host_ids": ["host-2"]},
        {"name": "n3", "host_ids": ["host-3"]}
      ],
      "services": [{
        "service_id": "postgrest",
        "service_type": "postgrest",
        "version": "14.5",
        "host_ids": ["host-1"],
        "config": {
        }
      }]
    }
  }' 

Checklist

• Tests added or updated (unit and/or e2e, as needed)
• Documentation updated (if needed)
• Issue is linked (branch name or URL in PR description)
• Changelog entry added for user-facing behavior changes
• Breaking changes (if any) are clearly called out in the PR description

Notes for Reviewers

Base branch is feat/PLAT-499/PLAT-500/PostgREST-prerequisites/image-wiring (not main)
End-to-end provisioning is complete — orchestrator wiring is in PLAT-504 (separate PR on top of this one)
MCP path is unchanged; roleAttributesAndGrants() is now PostgREST-only — MCP uses built-in group roles (pgedge_application_read_only / pgedge_application) via Roles field in CreateUserRole, not this function
Copilot review items addressed: nil guards in GeneratePostgRESTConfig, panic on unexpected statement type in statementsSQL, container UID and chown for postgrest.conf

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 1dbb2863-0475-44dc-be68-dda1119d8bbc

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 19.23% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately and specifically describes the main changes: adding PostgREST container spec, config file generation, and service user role functionality.
Description check	✅ Passed	The pull request description follows the template structure with all major sections completed: Summary, Changes (detailed bulleted list), Testing (with specific commands), Checklist (marked appropriately), and comprehensive Notes for Reviewers.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/PLAT-501/PLAT-502/PLAT-503/postgrest-container-spec

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

Adds the initial Swarm “runtime layer” for running PostgREST alongside existing services by introducing PostgREST config generation + host-file lifecycle management, extending the service container spec builder, and expanding service-user role SQL to support PostgREST’s SET ROLE flow.

Changes:

• Add PostgREST config generation (postgrest.conf) plus a host filesystem resource to manage it.
• Extend Swarm ServiceContainerSpec to support a new postgrest service type (command/args, healthcheck, env vars, RO mount).
• Extend ServiceUserRole with ServiceType and DBAnonRole to generate PostgREST-appropriate role attributes/grants (and add unit tests).

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
server/internal/orchestrator/swarm/postgrest_config.go	Generates postgrest.conf content from typed PostgREST service config.
server/internal/orchestrator/swarm/postgrest_config_resource.go	Manages postgrest.conf lifecycle on the host filesystem.
server/internal/orchestrator/swarm/postgrest_config_test.go	Unit coverage for config generation and absence/presence of JWT fields.
server/internal/orchestrator/swarm/service_spec.go	Adds postgrest container spec branch (env, mounts, healthcheck, command).
server/internal/orchestrator/swarm/service_spec_test.go	Adds PostgREST container spec unit tests.
server/internal/orchestrator/swarm/service_user_role.go	Adds service-type-driven role/grant generation, bumps resource version.
server/internal/orchestrator/swarm/service_user_role_test.go	Adds unit tests for PostgREST + MCP role/grant behavior.
server/internal/orchestrator/swarm/resources.go	Registers PostgRESTConfigResource type.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[moizpgedge]

@jason-lynch
Can you guide for this issue?

[jason-lynch]

This is an accurate comment. What it's telling you is that in order for the postgrest container to read this file, it needs to be owned by the user that postgrest runs as. It also gives you a suggestion to explicitly set the UID for the container, which is a good suggestion.

If you look at the official postgrest Dockerfile: https://github.com/PostgREST/postgrest/blob/main/Dockerfile

It says:

USER 1000

Which means that postgrest runs with UID = 1000 by default. What I would do in this case is to do the chown, like Copilot suggests, and I would do it with UID and GID = 1000. You can find a few examples of that operation by searching the code for fs.Chown, such as this one in the DirResource that copilot mentions:

control-plane/server/internal/filesystem/dir_resource.go

Lines 115 to 116 in 6ee7a84

	if err := fs.Chown(d.FullPath, d.OwnerUID, d.OwnerGID); err != nil {
	return fmt.Errorf("failed to change ownership for directory %q: %w", d.FullPath, err)

I'd also take its other suggestion, and explicitly set the container UID to 1000. Since that's also the default, it doesn't have any effect now, but it protects us in case that container image changes its UID.

[jason-lynch]

I think we've removed these in the latest version of this file. Is that right, @rshoemaker?

[rshoemaker]

Correct, we use the built-in RO/RW roles instead:

control-plane/server/internal/orchestrator/swarm/service_user_role.go

Lines 169 to 178 in 4713732

	// Determine group role based on mode
	var groupRole string
	switch r.Mode {
	case ServiceUserRoleRO:
	groupRole = "pgedge_application_read_only"
	case ServiceUserRoleRW:
	groupRole = "pgedge_application"
	default:
	return fmt.Errorf("unknown service user role mode: %q", r.Mode)
	}

[rshoemaker]

@moizpgedge After looking at this more carefully, I can see that the RO/RW roles are still being used correctly in createUserRole(). The "default:" block here is dead code (I think). It should probably be removed and this func should return an error for non-PostgREST cases. Or refactor the code.

[rshoemaker]

Same here - MCP specific code shouldn't be in a "default" branch, it should have an explicit branch check for "mcp".