From c0d5f2e144ab4e5aad2bb1b038971950dec8cb07 Mon Sep 17 00:00:00 2001
From: Gabriel Radureau <arcodange@gmail.com>
Date: Sun, 28 Jun 2026 22:29:18 +0200
Subject: [PATCH] fix(chart): template Postgres owner role in
 update_ownership.sql for multi-env
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The Dolibarr before-start step `chart/scripts/update_ownership.sql` (embedded
into a ConfigMap by `chart/templates/scripts-config.yaml`) hardcoded the
Postgres owner role `erp_role`. It reassigns ownership of all public-schema
objects to that role after install. For any non-prod environment the owner
role differs — by the multi-env elision rule (ADR-0002/0003) it is snake-case
`<app>_role` for prod and `<app>_<env>_role` for non-prod, so the sandbox owner
role is `erp_sandbox_role`. With the literal `erp_role`, installing Dolibarr in
`erp-sandbox` would reassign sandbox tables to prod's `erp_role`, which (a)
breaks the sandbox runtime (its dynamic DB creds are a member of
`erp_sandbox_role`, not `erp_role`) and (b) breaks the ADR-0003 reset
(`DROP OWNED BY erp_sandbox_role`).

Fix: make the owner role env-aware via a new chart value `db.ownerRole`.
- values.yaml: default `ownerRole: erp_role` (prod).
- values-sandbox.yaml: override `ownerRole: erp_sandbox_role`.
- update_ownership.sql: all `'erp_role'` literals → `'{{ .Values.db.ownerRole }}'`.
- scripts-config.yaml: render that one SQL file through `tpl` so the value is
  substituted (the other script has no template vars and stays on `.Files.Get`).
  The SQL's `$$`, `%I`, `format(...)`, `RAISE NOTICE` are not Go-template syntax,
  so `tpl` only substitutes the added `{{ .Values.db.ownerRole }}`.

Verified: the prod ConfigMap render (values.yaml only) is byte-identical to
origin/main (empty diff, still `erp_role`); the sandbox render
(-f values.yaml -f values-sandbox.yaml) now contains `erp_sandbox_role` and no
bare `erp_role`; `helm lint` passes (no worse than origin/main).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 chart/scripts/update_ownership.sql  | 10 +++++-----
 chart/templates/scripts-config.yaml |  2 +-
 chart/values-sandbox.yaml           |  1 +
 chart/values.yaml                   |  1 +
 4 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/chart/scripts/update_ownership.sql b/chart/scripts/update_ownership.sql
index 1d2b4df..392b899 100644
--- a/chart/scripts/update_ownership.sql
+++ b/chart/scripts/update_ownership.sql
@@ -10,12 +10,12 @@ BEGIN
     WHERE schemaname = 'public'
     LIMIT 1;
 
-    -- Si le propriétaire actuel est différent de erp_role
-    IF current_schema_owner <> 'erp_role' THEN
+    -- Si le propriétaire actuel est différent de {{ .Values.db.ownerRole }}
+    IF current_schema_owner <> '{{ .Values.db.ownerRole }}' THEN
         -- Construire et exécuter la requête REASSIGN OWNED BY
-        EXECUTE format('REASSIGN OWNED BY %I TO %I', current_schema_owner, 'erp_role');
-        RAISE NOTICE 'Ownership of all objects in schema "public" has been reassigned from % to %', current_schema_owner, 'erp_role';
+        EXECUTE format('REASSIGN OWNED BY %I TO %I', current_schema_owner, '{{ .Values.db.ownerRole }}');
+        RAISE NOTICE 'Ownership of all objects in schema "public" has been reassigned from % to %', current_schema_owner, '{{ .Values.db.ownerRole }}';
     ELSE
-        RAISE NOTICE 'No change needed; the owner of schema "public" is already %', 'erp_role';
+        RAISE NOTICE 'No change needed; the owner of schema "public" is already %', '{{ .Values.db.ownerRole }}';
     END IF;
 END $$;
diff --git a/chart/templates/scripts-config.yaml b/chart/templates/scripts-config.yaml
index a02bb11..0eaaeb6 100644
--- a/chart/templates/scripts-config.yaml
+++ b/chart/templates/scripts-config.yaml
@@ -7,4 +7,4 @@ data:
     {{- .Files.Get "scripts/update_conf_db_credentials.sh" | nindent 4 }}
   
   update_table_ownership.sql: |
-    {{- .Files.Get "scripts/update_ownership.sql" | nindent 4 }}
+    {{- tpl (.Files.Get "scripts/update_ownership.sql") . | nindent 4 }}
diff --git a/chart/values-sandbox.yaml b/chart/values-sandbox.yaml
index ce25ddf..8e1647f 100644
--- a/chart/values-sandbox.yaml
+++ b/chart/values-sandbox.yaml
@@ -16,6 +16,7 @@ host:     erp-sandbox.arcodange.lab
 
 db:
   name: erp-sandbox
+  ownerRole: erp_sandbox_role
 
 vault:
   k8sRole:     erp-sandbox
diff --git a/chart/values.yaml b/chart/values.yaml
index 25929d3..7259ff0 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -16,6 +16,7 @@ host:     erp.arcodange.lab            # internal hostname for this instance
 
 db:
   name: erp                            # PostgreSQL database name (matches factory tfvars)
+  ownerRole: erp_role                  # Postgres owner role; snake-case <app>_role for prod / <app>_<env>_role for non-prod (matches factory/postgres/iac)
 
 vault:
   k8sRole:     erp                     # VaultAuth role (postgres/iac issues this per instance)