Document -replica and -all endpoints (#4059)

* Document  endpoints

* Add PostgreSQL and Redis

* Add  endpoint doc

* Fix heading

---------

Co-authored-by: Chad Carlson <[email protected]>

Author: AnouckColson

sites/platform/src/add-services/mysql/_index.md

@@ -386,9 +386,139 @@ Possible permissions:
 | Admin       | `admin`       | In addition to read-write permissions, can also create, drop, and alter tables; create views; and create and alter routines. |
 | Replication | `replication` | For [replicating databases](./mysql-replication.md). In addition to read-only permissions, can also lock tables. |
 
+### Restrict access to database replicas only
+
+{{< partial "banners/replicas/body.md" >}}
+
+Your main database lives on one of the three nodes provided on Grid HA and {{% names/dedicated-gen-3 %}}.
+The two other nodes can each accommodate a replica of your main database.
+
+For security reasons, you can grant your app access to a replica instead of your main database.
+To do so, when defining the relationship between your app and database,
+make sure you do the following:
+
+1. Use the [explicit endpoint syntax](/create-apps/app-reference/single-runtime-image.html#relationships).
+2. Add the `-replica` suffix to the name of the endpoint you want to use.
+
+This results in the following configuration:
+
+```yaml {configFile="app"}
+relationships:
+    {{% variable "RELATIONSHIP_NAME" %}}:
+        service: {{% variable "SERVICE_NAME" %}}
+        endpoint: {{% variable "ENDPOINT_NAME" %}}-replica
+```
+
+For example, if you define a `mariadb` database as follows:
+
+```yaml {configFile="services"}
+mariadb:
+  type: mariadb:{{% latest "mariadb" %}}
+  disk: 2048
+    configuration:
+      schemas:
+        - main
+    endpoints:
+      admin:
+        default_schema: main
+        privileges:
+          main: admin
+      reporter:
+        privileges:
+          main: ro
+```
+
+To create a replica of the `mariadb` database and allow your app to connect to it
+through the `admin` endpoint with admin permissions,
+use the following configuration:
+
+```yaml {configFile="app"}
+relationships:
+  mariadb:
+    service: mariadb
+    endpoint: admin-replica
+```
+
+To create a replica of the `mariadb` database and allow your app to connect to it
+through the `reporter` endpoint with read-only permissions instead,
+use the following configuration:
+
+```yaml {configFile="app"}
+relationships:
+  mariadb:
+    service: mariadb
+    endpoint: reporter-replica
+```
+
+### Grant access to the main database and its replicas
+
+{{< partial "banners/replicas/body.md" >}}
+
+Your main database lives on one of the three nodes provided on Grid HA and {{% names/dedicated-gen-3 %}}.
+The two other nodes can each accommodate a replica of your main database.
+
+You may want to grant access to both your main database and its replicas.
+To do so, when defining the relationship between your app and database,
+make sure you do the following:
+
+1. Use the [explicit endpoint syntax](/create-apps/app-reference/single-runtime-image.html#relationships).
+2. Add the `-all` suffix to the name of the endpoint you want to use.
+
+This results in the following configuration,
+which creates a replica on each of the secondary nodes:
+
+```yaml {configFile="app"}
+relationships:
+    {{% variable "RELATIONSHIP_NAME" %}}:
+        service: {{% variable "SERVICE_NAME" %}}
+        endpoint: {{% variable "ENDPOINT_NAME" %}}-all
+```
+
+For example, if you define a `mariadb` database as follows:
+
+```yaml {configFile="services"}
+mariadb:
+  type: mariadb:{{% latest "mariadb" %}}
+  disk: 2048
+    configuration:
+      schemas:
+        - main
+    endpoints:
+      admin:
+        default_schema: main
+        privileges:
+          main: admin
+      reporter:
+        privileges:
+          main: ro
+```
+
+To allow your app to connect to your main database and both its replicas
+through the `admin` endpoint with admin permissions,
+use the following configuration:
+
+```yaml {configFile="app"}
+relationships:
+  mariadb:
+    service: mariadb
+    endpoint: admin-all
+```
+
+To allow your app to connect to your main database and both its replicas
+through the `reporter` endpoint with read-only permissions,
+use the following configuration:
+
+```yaml {configFile="app"}
+relationships:
+  mariadb:
+    service: mariadb
+    endpoint: reporter-all
+```
+
 ## Multiple databases
 
 With version `10.0` or later, you can define multiple databases.
+
 To do so, define multiple `schemas` in your [service configuration](#configuration-options).
 
 You can also specify multiple `endpoints` for [permissions](#define-permissions).

sites/platform/src/add-services/postgresql.md

@@ -438,6 +438,69 @@ make sure your service name remains unchanged.
 Failure to do so results in the creation of a new service,
 which removes any existing data from your database.
 
+## Restrict access to database replicas only
+
+{{< partial "banners/replicas/body.md" >}}
+
+For security reasons, you can grant your app access to replicas instead of your actual database.
+To do so, when defining the relationship between your app and database,
+make sure you do the following:
+
+1. Use the [explicit endpoint syntax](/create-apps/app-reference/single-runtime-image.html#relationships).
+2. Add the `-replica` suffix to the name of the endpoint you want to use.
+
+This results in the following configuration:
+
+```yaml {configFile="app"}
+relationships:
+    {{% variable "RELATIONSHIP_NAME" %}}:
+        service: {{% variable "SERVICE_NAME" %}}
+        endpoint: {{% variable "ENDPOINT_NAME" %}}-replica
+```
+
+For example, if you define a `postgresql` database as follows:
+
+```yaml {configFile="services"}
+postgresql:
+    type: "postgresql:16"
+    disk: 2048
+    configuration:
+        databases:
+            - main
+            - legacy
+        endpoints:
+            admin:
+                privileges:
+                    main: admin
+                    legacy: admin
+            reporter:
+                default_database: main
+                privileges:
+                    main: ro
+```
+
+To create a replica of the `postgresql` database and allow your app to connect to it
+through the `admin` endpoint with admin permissions,
+use the following configuration:
+
+```yaml {configFile="app"}
+relationships:
+  postgresql:
+    service: postgresql
+    endpoint: admin-replica
+```
+
+To create a replica of the `postgresql` database and allow your app to connect to it
+through the `reporter` endpoint with read-only permissions instead,
+use the following configuration:
+
+```yaml {configFile="app"}
+relationships:
+  postgresql:
+    service: postgresql
+    endpoint: reporter-replica
+```
+
 ## Service timezone
 
 To change the timezone for the current session, run `SET TIME ZONE {{< variable "TIMEZONE" >}};`.

sites/platform/src/add-services/redis.md

@@ -393,6 +393,69 @@ const value = await client.get('x');     // returns 42
 
 {{< /codetabs >}}
 
+## Restrict access to database replicas only
+
+{{< partial "banners/replicas/body.md" >}}
+
+For security reasons, you can grant your app access to replicas instead of your actual database.
+To do so, when defining the relationship between your app and database,
+make sure you do the following:
+
+1. Use the [explicit endpoint syntax](/create-apps/app-reference/single-runtime-image.html#relationships).
+2. Add the `-replica` suffix to the name of the endpoint you want to use.
+
+This results in the following configuration:
+
+```yaml {configFile="app"}
+relationships:
+    {{% variable "RELATIONSHIP_NAME" %}}:
+        service: {{% variable "SERVICE_NAME" %}}
+        endpoint: {{% variable "ENDPOINT_NAME" %}}-replica
+```
+
+For example, if you define a `redis-persistent` database as follows:
+
+```yaml {configFile="services"}
+postgresql:
+    type: "redis-persistent:16"
+    disk: 2048
+    configuration:
+        databases:
+            - main
+            - legacy
+        endpoints:
+            admin:
+                privileges:
+                    main: admin
+                    legacy: admin
+            reporter:
+                default_database: main
+                privileges:
+                    main: ro
+```
+
+To create a replica of the `redis-persistent` database and allow your app to connect to it
+through the `admin` endpoint with admin permissions,
+use the following configuration:
+
+```yaml {configFile="app"}
+relationships:
+  redis-persistent:
+    service: redis-persistent
+    endpoint: admin-replica
+```
+
+To create a replica of the `redis-persistent` database and allow your app to connect to it
+through the `reporter` endpoint with read-only permissions instead,
+use the following configuration:
+
+```yaml {configFile="app"}
+relationships:
+  redis-persistent:
+    service: redis-persistent
+    endpoint: reporter-replica
+```
+
 ## Relationship reference 
 
 Example information available through the [`{{% vendor/prefix %}}_RELATIONSHIPS` environment variable](/development/variables/use-variables.md#use-provided-variables)

themes/psh-docs/layouts/partials/banners/replicas/banner.html

@@ -0,0 +1,4 @@
+<!-- Creates single page banner note for warning about a feature being part of the Observability Suite -->
+{{ if .Params.replicas }}
+  {{ partial "replicas/body.md" . }}
+{{ end }}

themes/psh-docs/layouts/partials/banners/replicas/body.md

@@ -0,0 +1,3 @@
+{{ $content := `This feature is available on Grid HA (High Availability) and {{% names/dedicated-gen-3 %}} projects. For more information, [contact Sales](https://platform.sh/contact/).`}}
+
+{{ partial "premium-features/banner" ( dict "context" . "content" $content "title" "Feature availability" )}}