fix: sync supabase roles with $POSTGRES_PASSWORD (supabase#1604)

* fix: sync supabase roles with $POSTGRES_PASSWORD

* add changes to pg 17 Dockerfile

* add changes to oriole docker image

* Update docker-entrypoint.sh

---------

Co-authored-by: Bobbie Soedirgo <[email protected]>

Author: jgoux

Dockerfile-15

@@ -181,6 +181,10 @@ RUN sed -i \
     echo "pgsodium.getkey_script= '/usr/lib/postgresql/bin/pgsodium_getkey.sh'" >> /etc/postgresql/postgresql.conf && \    
     echo "vault.getkey_script= '/usr/lib/postgresql/bin/pgsodium_getkey.sh'" >> /etc/postgresql/postgresql.conf && \
     echo 'auto_explain.log_min_duration = 10s' >> /etc/postgresql/postgresql.conf && \
+    # Remove supabase_admin line from pg_hba.conf
+    sed -i '/local all  supabase_admin     scram-sha-256/d' /etc/postgresql/pg_hba.conf && \
+    # Add supabase_admin mappings block to pg_ident.conf before supabase-specific users
+    sed -i '/# supabase-specific users/i\# supabase_admin user mappings\nsupabase_map  postgres   supabase_admin\nsupabase_map  root       supabase_admin\nsupabase_map  ubuntu     supabase_admin\n' /etc/postgresql/pg_ident.conf && \
     usermod -aG postgres wal-g && \
     mkdir -p /etc/postgresql-custom && \
     chown postgres:postgres /etc/postgresql-custom
@@ -194,7 +198,9 @@ COPY ansible/files/stat_extension.sql /docker-entrypoint-initdb.d/migrations/00-
 COPY --from=gosu /usr/local/bin/gosu /usr/local/bin/gosu
 ADD --chmod=0755 \
     https://github.com/docker-library/postgres/raw/master/15/bullseye/docker-entrypoint.sh \
-    /usr/local/bin/
+    /usr/local/bin/upstream-docker-entrypoint.sh
+# # Add custom entrypoint script
+COPY --chmod=0755 docker/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
 
 RUN mkdir -p /var/run/postgresql && chown postgres:postgres /var/run/postgresql
 

Dockerfile-17

@@ -181,6 +181,10 @@ RUN sed -i \
     echo "pgsodium.getkey_script= '/usr/lib/postgresql/bin/pgsodium_getkey.sh'" >> /etc/postgresql/postgresql.conf && \
     echo "vault.getkey_script= '/usr/lib/postgresql/bin/pgsodium_getkey.sh'" >> /etc/postgresql/postgresql.conf && \
     echo 'auto_explain.log_min_duration = 10s' >> /etc/postgresql/postgresql.conf && \
+    # Remove supabase_admin line from pg_hba.conf
+    sed -i '/local all  supabase_admin     scram-sha-256/d' /etc/postgresql/pg_hba.conf && \
+    # Add supabase_admin mappings block to pg_ident.conf before supabase-specific users
+    sed -i '/# supabase-specific users/i\# supabase_admin user mappings\nsupabase_map  postgres   supabase_admin\nsupabase_map  root       supabase_admin\nsupabase_map  ubuntu     supabase_admin\n' /etc/postgresql/pg_ident.conf && \
     usermod -aG postgres wal-g && \
     mkdir -p /etc/postgresql-custom && \
     chown postgres:postgres /etc/postgresql-custom
@@ -202,7 +206,9 @@ COPY ansible/files/stat_extension.sql /docker-entrypoint-initdb.d/migrations/00-
 COPY --from=gosu /usr/local/bin/gosu /usr/local/bin/gosu
 ADD --chmod=0755 \
     https://github.com/docker-library/postgres/raw/master/17/bullseye/docker-entrypoint.sh \
-    /usr/local/bin/
+    /usr/local/bin/upstream-docker-entrypoint.sh
+# # Add custom entrypoint script
+COPY --chmod=0755 docker/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
 
 RUN mkdir -p /var/run/postgresql && chown postgres:postgres /var/run/postgresql
 

Dockerfile-orioledb-17

@@ -181,6 +181,10 @@ RUN sed -i \
     echo "pgsodium.getkey_script= '/usr/lib/postgresql/bin/pgsodium_getkey.sh'" >> /etc/postgresql/postgresql.conf && \
     echo "vault.getkey_script= '/usr/lib/postgresql/bin/pgsodium_getkey.sh'" >> /etc/postgresql/postgresql.conf && \
     echo 'auto_explain.log_min_duration = 10s' >> /etc/postgresql/postgresql.conf && \
+    # Remove supabase_admin line from pg_hba.conf
+    sed -i '/local all  supabase_admin     scram-sha-256/d' /etc/postgresql/pg_hba.conf && \
+    # Add supabase_admin mappings block to pg_ident.conf before supabase-specific users
+    sed -i '/# supabase-specific users/i\# supabase_admin user mappings\nsupabase_map  postgres   supabase_admin\nsupabase_map  root       supabase_admin\nsupabase_map  ubuntu     supabase_admin\n' /etc/postgresql/pg_ident.conf && \
     usermod -aG postgres wal-g && \
     mkdir -p /etc/postgresql-custom && \
     chown postgres:postgres /etc/postgresql-custom
@@ -207,7 +211,9 @@ RUN echo "CREATE EXTENSION orioledb;" > /docker-entrypoint-initdb.d/init-scripts
 COPY --from=gosu /usr/local/bin/gosu /usr/local/bin/gosu
 ADD --chmod=0755 \
     https://github.com/docker-library/postgres/raw/master/17/bullseye/docker-entrypoint.sh \
-    /usr/local/bin/
+    /usr/local/bin/upstream-docker-entrypoint.sh
+# # Add custom entrypoint script
+COPY --chmod=0755 docker/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
 
 RUN mkdir -p /var/run/postgresql && chown postgres:postgres /var/run/postgresql
 

docker/docker-entrypoint.sh

@@ -0,0 +1,83 @@
+#!/usr/bin/env bash
+set -Eeo pipefail
+
+source /usr/local/bin/upstream-docker-entrypoint.sh
+
+# sync $POSTGRES_PASSWORD to supabase-specific roles
+pg_sync_password() {
+  # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+  # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+	export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+	docker_temp_server_start "$@"
+
+	# alter the supabase_admin password
+	docker_process_sql <<-'EOSQL'
+		\set pgpass `echo "$POSTGRES_PASSWORD"`
+		ALTER USER supabase_admin WITH PASSWORD :'pgpass';
+	EOSQL
+
+	# execute the roles SQL file using docker_process_sql
+	docker_process_sql -f /docker-entrypoint-initdb.d/init-scripts/99-roles.sql
+
+	docker_temp_server_stop
+	unset PGPASSWORD
+}
+
+_main() {
+	# if first arg looks like a flag, assume we want to run postgres server
+	if [ "${1:0:1}" = '-' ]; then
+		set -- postgres "$@"
+	fi
+
+	if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then
+		docker_setup_env
+		# setup data directories and permissions (when run as root)
+		docker_create_db_directories
+		if [ "$(id -u)" = '0' ]; then
+			# then restart script as postgres user
+			exec gosu postgres "$BASH_SOURCE" "$@"
+		fi
+
+		# only run initialization on an empty data directory
+		if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+			docker_verify_minimum_env
+
+			# check dir permissions to reduce likelihood of half-initialized database
+			ls /docker-entrypoint-initdb.d/ > /dev/null
+
+			docker_init_database_dir
+			pg_setup_hba_conf "$@"
+
+			# PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+			# e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+			export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+			docker_temp_server_start "$@"
+
+			docker_setup_db
+			docker_process_init_files /docker-entrypoint-initdb.d/*
+
+			docker_temp_server_stop
+			unset PGPASSWORD
+
+			cat <<-'EOM'
+
+				PostgreSQL init process complete; ready for start up.
+
+			EOM
+		else
+			cat <<-'EOM'
+
+				PostgreSQL Database directory appears to contain a database; Skipping initialization
+
+			EOM
+		fi
+
+		pg_sync_password "$@"
+	fi
+
+	exec "$@"
+}
+
+if ! _is_sourced; then
+	_main "$@"
+fi