Merge branch 'develop' into bo/dataeng-873-upgrade-wrappers-to-v045

burmecia · web-flow · commit 0df1ccda4cb2 · 2025-03-13T14:33:07.000+01:00
diff --git a/Dockerfile-kubernetes b/Dockerfile-kubernetes
@@ -2,7 +2,7 @@ FROM alpine:3.21
 
 ADD ./output-cloudimg/packer-cloudimg /disk/focal.qcow2
 
-RUN apk add --no-cache qemu-system-aarch64 qemu-img openssh-client nftables cloud-utils-localds aavmf
+RUN apk add --no-cache qemu-system-aarch64 qemu-img openssh-client nftables cloud-utils-localds aavmf virtiofsd
 # dev stuff
 # RUN apk add --no-cache iproute2
 
diff --git a/ansible/files/postgresql_config/supautils.conf.j2 b/ansible/files/postgresql_config/supautils.conf.j2
@@ -9,6 +9,6 @@ supautils.privileged_extensions = 'address_standardizer, address_standardizer_da
 supautils.privileged_extensions_custom_scripts_path = '/etc/postgresql-custom/extension-custom-scripts'
 supautils.privileged_extensions_superuser = 'supabase_admin'
 supautils.privileged_role = 'postgres'
-supautils.privileged_role_allowed_configs = 'auto_explain.*, log_lock_waits, log_min_duration_statement, log_min_messages, log_statement, log_temp_files, pg_net.batch_size, pg_net.ttl, pg_stat_statements.*, pgaudit.log, pgaudit.log_catalog, pgaudit.log_client, pgaudit.log_level, pgaudit.log_relation, pgaudit.log_rows, pgaudit.log_statement, pgaudit.log_statement_once, pgaudit.role, pgrst.*, plan_filter.*, safeupdate.enabled, session_replication_role, track_io_timing, wal_compression'
+supautils.privileged_role_allowed_configs = 'auto_explain.*, log_lock_waits, log_min_duration_statement, log_min_messages, log_replication_commands, log_statement, log_temp_files, pg_net.batch_size, pg_net.ttl, pg_stat_statements.*, pgaudit.log, pgaudit.log_catalog, pgaudit.log_client, pgaudit.log_level, pgaudit.log_relation, pgaudit.log_rows, pgaudit.log_statement, pgaudit.log_statement_once, pgaudit.role, pgrst.*, plan_filter.*, safeupdate.enabled, session_replication_role, track_io_timing, wal_compression'
 supautils.reserved_memberships = 'pg_read_server_files, pg_write_server_files, pg_execute_server_program, supabase_admin, supabase_auth_admin, supabase_storage_admin, supabase_read_only_user, supabase_realtime_admin, supabase_replication_admin, dashboard_user, pgbouncer, authenticator'
 supautils.reserved_roles = 'supabase_admin, supabase_auth_admin, supabase_storage_admin, supabase_read_only_user, supabase_realtime_admin, supabase_replication_admin, dashboard_user, pgbouncer, service_role*, authenticator*, authenticated*, anon*'
diff --git a/ansible/vars.yml b/ansible/vars.yml
@@ -9,7 +9,7 @@ postgres_major:
 # Full version strings for each major version
 postgres_release:
   postgresorioledb-17: "17.0.1.044-orioledb"
-  postgres15: "15.8.1.050"
+  postgres15: "15.8.1.052"
 
 # Non Postgres Extensions
 pgbouncer_release: "1.19.0"
diff --git a/migrations/db/migrations/20250312095419_pgbouncer_ownership.sql b/migrations/db/migrations/20250312095419_pgbouncer_ownership.sql
@@ -0,0 +1,5 @@
+-- migrate:up
+alter function pgbouncer.get_auth owner to supabase_admin;
+grant execute on function pgbouncer.get_auth(p_usename text) to postgres;
+
+-- migrate:down
diff --git a/nix/tests/expected/security.out b/nix/tests/expected/security.out
@@ -7,24 +7,25 @@ from pg_catalog.pg_proc p
 where p.proowner = (select oid from pg_catalog.pg_roles where rolname = 'supabase_admin')
         and p.prosecdef = true
 order by 1,2;
- nspname  |            proname             
-----------+--------------------------------
- graphql  | get_schema_version
- graphql  | increment_schema_version
- pgsodium | disable_security_label_trigger
- pgsodium | enable_security_label_trigger
- pgsodium | get_key_by_id
- pgsodium | get_key_by_name
- pgsodium | get_named_keys
- pgsodium | mask_role
- pgsodium | update_mask
- public   | dblink_connect_u
- public   | dblink_connect_u
- public   | pgaudit_ddl_command_end
- public   | pgaudit_sql_drop
- public   | st_estimatedextent
- public   | st_estimatedextent
- public   | st_estimatedextent
- repack   | repack_trigger
-(17 rows)
+  nspname  |            proname             
+-----------+--------------------------------
+ graphql   | get_schema_version
+ graphql   | increment_schema_version
+ pgbouncer | get_auth
+ pgsodium  | disable_security_label_trigger
+ pgsodium  | enable_security_label_trigger
+ pgsodium  | get_key_by_id
+ pgsodium  | get_key_by_name
+ pgsodium  | get_named_keys
+ pgsodium  | mask_role
+ pgsodium  | update_mask
+ public    | dblink_connect_u
+ public    | dblink_connect_u
+ public    | pgaudit_ddl_command_end
+ public    | pgaudit_sql_drop
+ public    | st_estimatedextent
+ public    | st_estimatedextent
+ public    | st_estimatedextent
+ repack    | repack_trigger
+(18 rows)
 
