From 247fdb01c0005a28b8a39507c4a35d141f000172 Mon Sep 17 00:00:00 2001
From: hsiegeln <37154749+hsiegeln@users.noreply.github.com>
Date: Tue, 17 Mar 2026 13:26:01 +0100
Subject: [PATCH] fix: separate Flyway and app datasource search paths for schema isolation

Flyway needs public in the search_path to access TimescaleDB extension functions (create_hypertable). The app datasource must NOT include public to prevent accidental cross-schema reads from production data.
- spring.flyway.url: currentSchema=,public (extensions accessible)
- spring.datasource.url: currentSchema= (strict isolation)
- SPRING_FLYWAY_URL env var added to K8s base manifest
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 cameleer3-server-app/src/main/resources/application.yml | 1 +
 deploy/base/server.yaml | 2 ++
 2 files changed, 3 insertions(+)
diff --git a/cameleer3-server-app/src/main/resources/application.yml b/cameleer3-server-app/src/main/resources/application.yml
index b976f4d8..f240131a 100644
--- a/cameleer3-server-app/src/main/resources/application.yml
+++ b/cameleer3-server-app/src/main/resources/application.yml
@@ -10,6 +10,7 @@ spring:
 flyway:
 enabled: true
 locations: classpath:db/migration
+ url: jdbc:postgresql://localhost:5432/cameleer3?currentSchema=${CAMELEER_DB_SCHEMA:public},public
 schemas: ${CAMELEER_DB_SCHEMA:public}
 default-schema: ${CAMELEER_DB_SCHEMA:public}
 mvc:
diff --git a/deploy/base/server.yaml b/deploy/base/server.yaml
index bdf52a77..aed28f7e 100644
--- a/deploy/base/server.yaml
+++ b/deploy/base/server.yaml
@@ -22,6 +22,8 @@ spec:
 env:
 - name: SPRING_DATASOURCE_URL
 value: "jdbc:postgresql://postgres.cameleer.svc.cluster.local:5432/cameleer3?currentSchema=$(CAMELEER_DB_SCHEMA)"
+ - name: SPRING_FLYWAY_URL
+ value: "jdbc:postgresql://postgres.cameleer.svc.cluster.local:5432/cameleer3?currentSchema=$(CAMELEER_DB_SCHEMA),public"
 - name: CAMELEER_DB_SCHEMA
 value: "public"
 - name: SPRING_DATASOURCE_USERNAME
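Review bot: The added `spring.flyway.url` hard-codes `localhost:5432/cameleer3` rather than following the datasource URL, so an environment that overrides only `SPRING_DATASOURCE_URL` would now run Flyway migrations against a different database than the one the application reads. Setting `spring.flyway.url` makes Spring Boot build a separate Flyway DataSource (credentials fall back to `spring.datasource.*` unless `spring.flyway.user` is set), so the two URLs have to be kept in step by hand. I would add a comment above the line, `# Must target the same database as spring.datasource.url; set SPRING_FLYWAY_URL wherever SPRING_DATASOURCE_URL is overridden`. With the default `public` the value also resolves to `currentSchema=public,public`, so the isolation described in the commit message only exists once `CAMELEER_DB_SCHEMA` names a non-public schema. The `spring:` mapping continues outside the hunk.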
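Review bot: The new `SPRING_FLYWAY_URL` entry references `$(CAMELEER_DB_SCHEMA)`, but `CAMELEER_DB_SCHEMA` is declared after it in the `env` list; Kubernetes expands `$(VAR)` only from variables defined earlier in the list and otherwise leaves the reference as literal text. Unless an overlay reorders the entries, the search path would then start with a non-existent schema literally named `$(CAMELEER_DB_SCHEMA)` followed by `public`, so unqualified lookups during migration may fall through to `public`, which is the opposite of the isolation this commit is after. The existing `SPRING_DATASOURCE_URL` entry above has the same ordering problem. Moving the `- name: CAMELEER_DB_SCHEMA` / `value: "public"` pair above both URL entries fixes it. The `env` list continues past the end of the hunk.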