I typically have one DB service per app service (not just ler cluster, unless multiple services need the same db).

Advantages:

• Simple backup/data organization, each service is self-contained
• True isolation: Unless you manually create DB accounts for each service, likely all your services have access to all data, and even with accounts there are data leaks and exploits

Disadvantages:

• You have more services running than strictly needed, but this is a minuscule impact on performance (the overhead of the DB service is typically not noticable)

I just run whatever db is required in the docker compose stack. I’ve thought about running separate db like mongo, mysql, sqlite and having them as central db services for the containers. I don’t see a downside to doing that. It just seems to me that it’s easier just to run what is required by the compose stack itself. For what I’m doing, they don’t seem to eat up much resources.

CloudNative PG is so far my favorite. I also prefer a PG per App.

One database service but separate databases running inside of the service. Each database has 3 accounts: table_owner (no remote access), proc_owner (only table specific permissions and the owner of all stored procedures; no remote access) and application_account (no table access and only execute permissions on the proc_owner’s stored procedures).

Which means that even if the application is compromised, it can not compromise the database. It can only use approved stored procedures that check their inputs and abort on the smallest deviation from expected inputs.