tmp

soedirgo · soedirgo · commit 5bfdb3367475 · 2025-04-16T23:18:32.000+08:00
diff --git a/ansible/files/admin_api_scripts/pg_upgrade_scripts/common.sh b/ansible/files/admin_api_scripts/pg_upgrade_scripts/common.sh
@@ -86,12 +86,6 @@ CI_start_postgres() {
     su postgres -c "$BINDIR/pg_ctl start -o '-c config_file=/etc/postgresql/postgresql.conf' -l /tmp/postgres.log"
 }
 
-print_vault_secrets() {
-    run_sql <<'EOSQL'
-select * from vault.secrets;
-EOSQL
-}
-
 swap_postgres_and_supabase_admin() {
     run_sql <<'EOSQL'
 alter database postgres connection limit 0;
diff --git a/ansible/files/admin_api_scripts/pg_upgrade_scripts/complete.sh b/ansible/files/admin_api_scripts/pg_upgrade_scripts/complete.sh
@@ -32,6 +32,45 @@ function execute_extension_upgrade_patches {
     fi
 }
 
+function execute_wrappers_patch {
+    # If upgrading to pgsodium-less Vault, Wrappers need to be updated so that
+    # foreign servers use `vault.secrets.id` instead of `vault.secrets.key_id`
+    UPDATE_WRAPPERS_SERVER_OPTIONS_QUERY=$(cat <<EOF
+  DO \$\$
+  DECLARE
+    server_rec RECORD;
+    option_rec RECORD;
+    vault_secrets RECORD;
+  BEGIN
+    IF EXISTS (SELECT FROM pg_available_extension_versions WHERE name = 'wrappers' AND version = '0.4.6')
+      AND EXISTS (SELECT FROM pg_extension WHERE extname = 'wrappers')
+    THEN
+      FOR server_rec IN
+        SELECT srvname, srvoptions
+        FROM pg_foreign_server
+      LOOP
+        FOR option_rec IN
+          SELECT split_part(srvoption, '=', 1) AS option_name, split_part(srvoption, '=', 2) AS option_value
+          FROM UNNEST(server_rec.srvoptions) AS srvoption
+        LOOP
+          IF EXISTS (SELECT FROM vault.secrets WHERE option_rec.option_value IN (id::text, key_id::text)) THEN
+            EXECUTE format(
+              'ALTER SERVER %I OPTIONS (SET %I %L)',
+              server_rec.srvname,
+              option_rec.option_name,
+              (SELECT id FROM vault.secrets WHERE option_rec.option_value IN (id::text, key_id::text))
+            );
+          END IF;
+        END LOOP;
+      END LOOP;
+    END IF;
+  END;
+  \$\$;
+EOF
+    )
+    run_sql -c "$UPDATE_WRAPPERS_SERVER_OPTIONS_QUERY"
+}
+
 function execute_patches {
     # Patch pg_net grants
     PG_NET_ENABLED=$(run_sql -A -t -c "select count(*) > 0 from pg_extension where extname = 'pg_net';")
@@ -152,81 +191,42 @@ EOF
         run_sql -c "update pg_extension set extowner = 'postgres'::regrole where extname = 'pgmq';"
     fi
 
-    # If upgrading to pgsodium-less Vault, Wrappers need to be updated so that
-    # foreign servers use `vault.secrets.id` instead of `vault.secrets.key_id`
-    UPDATE_WRAPPERS_SERVER_OPTIONS_QUERY=$(cat <<EOF
-  DO \$\$
-  DECLARE
-    server_rec RECORD;
-    option_rec RECORD;
-    vault_secrets RECORD;
-  BEGIN
-    IF EXISTS (SELECT FROM pg_available_extension_versions WHERE name = 'wrappers' AND version = '0.4.6')
-      AND EXISTS (SELECT FROM pg_extension WHERE extname = 'wrappers')
-    THEN
-      FOR server_rec IN
-        SELECT srvname, srvoptions
-        FROM pg_foreign_server
-      LOOP
-        FOR option_rec IN
-          SELECT split_part(srvoption, '=', 1) AS option_name, split_part(srvoption, '=', 2) AS option_value
-          FROM UNNEST(server_rec.srvoptions) AS srvoption
-        LOOP
-          IF EXISTS (SELECT FROM vault.secrets WHERE option_rec.option_value IN (id::text, key_id::text)) THEN
-            RAISE WARNING '%', format(
-              'ALTER SERVER %I OPTIONS (SET %I %L)',
-              server_rec.srvname,
-              option_rec.option_name,
-              (SELECT id FROM vault.secrets WHERE option_rec.option_value IN (id::text, key_id::text))
-            );
-          END IF;
-        END LOOP;
-      END LOOP;
-    END IF;
-    CREATE SCHEMA sentinel;
-  END;
-  \$\$;
+    # Patch to handle upgrading to pgsodium-less Vault
+    REENCRYPT_VAULT_SECRETS_QUERY=$(cat <<EOF
+    DO \$\$
+    BEGIN
+      IF EXISTS (SELECT FROM pg_available_extension_versions WHERE name = 'supabase_vault' AND version = '0.3.0')
+        AND EXISTS (SELECT FROM pg_extension WHERE extname = 'supabase_vault')
+      THEN
+        IF (SELECT extversion FROM pg_extension WHERE extname = 'supabase_vault') != '0.2.8' THEN
+          GRANT USAGE ON SCHEMA vault TO postgres WITH GRANT OPTION;
+          GRANT SELECT, DELETE ON vault.secrets, vault.decrypted_secrets TO postgres WITH GRANT OPTION;
+          GRANT EXECUTE ON FUNCTION vault.create_secret, vault.update_secret, vault._crypto_aead_det_decrypt TO postgres WITH GRANT OPTION;
+        END IF;
+        -- Do an explicit IF EXISTS check to avoid referencing pgsodium objects if the project already migrated away from using pgsodium.
+        IF EXISTS (SELECT FROM vault.secrets WHERE key_id IS NOT NULL) THEN
+          UPDATE vault.secrets s
+          SET
+            secret = encode(
+              vault._crypto_aead_det_encrypt(
+                message := pgsodium.crypto_aead_det_decrypt(decode(s.secret, 'base64'), convert_to(s.id || s.description || s.created_at || s.updated_at, 'utf8'), s.key_id, s.nonce),
+                additional := convert_to(s.id::text, 'utf8'),
+                key_id := 0,
+                context := 'pgsodium'::bytea,
+                nonce := s.nonce
+              ),
+              'base64'
+            ),
+            key_id = NULL
+          WHERE
+            key_id IS NOT NULL;
+        END IF;
+      END IF;
+    END
+    \$\$;
 EOF
     )
-    run_sql -c "$UPDATE_WRAPPERS_SERVER_OPTIONS_QUERY"
-    run_sql -c "select * from vault.secrets"
-
-#     # Patch to handle upgrading to pgsodium-less Vault
-#     REENCRYPT_VAULT_SECRETS_QUERY=$(cat <<EOF
-#     DO \$\$
-#     BEGIN
-#       IF EXISTS (SELECT FROM pg_available_extension_versions WHERE name = 'supabase_vault' AND version = '0.3.0')
-#         AND EXISTS (SELECT FROM pg_extension WHERE extname = 'supabase_vault')
-#       THEN
-#         IF (SELECT extversion FROM pg_extension WHERE extname = 'supabase_vault') != '0.2.8' THEN
-#           GRANT USAGE ON SCHEMA vault TO postgres WITH GRANT OPTION;
-#           GRANT SELECT, DELETE ON vault.secrets, vault.decrypted_secrets TO postgres WITH GRANT OPTION;
-#           GRANT EXECUTE ON FUNCTION vault.create_secret, vault.update_secret, vault._crypto_aead_det_decrypt TO postgres WITH GRANT OPTION;
-#         END IF;
-#         -- Do an explicit IF EXISTS check to avoid referencing pgsodium objects if the project already migrated away from using pgsodium.
-#         IF EXISTS (SELECT FROM vault.secrets WHERE key_id IS NOT NULL) THEN
-#           UPDATE vault.secrets s
-#           SET
-#             secret = encode(
-#               vault._crypto_aead_det_encrypt(
-#                 message := pgsodium.crypto_aead_det_decrypt(decode(s.secret, 'base64'), convert_to(s.id || s.description || s.created_at || s.updated_at, 'utf8'), s.key_id, s.nonce),
-#                 additional := convert_to(s.id::text, 'utf8'),
-#                 key_id := 0,
-#                 context := 'pgsodium'::bytea,
-#                 nonce := s.nonce
-#               ),
-#               'base64'
-#             ),
-#             key_id = NULL
-#           WHERE
-#             key_id IS NOT NULL;
-#         END IF;
-#       END IF;
-#     END
-#     \$\$;
-# EOF
-#     )
-#     run_sql -c "$REENCRYPT_VAULT_SECRETS_QUERY"
+    run_sql -c "$REENCRYPT_VAULT_SECRETS_QUERY"
 
     run_sql -c "grant pg_read_all_data, pg_signal_backend to postgres"
 }
@@ -259,12 +259,15 @@ function complete_pg_upgrade {
 
     execute_extension_upgrade_patches || true
 
+    # For this to work we need `vault.secrets` from the old project to be
+    # preserved, but `run_generated_sql` includes `ALTER EXTENSION
+    # supabase_vault UPDATE` which modifies that. So we need to run it
+    # beforehand.
+    echo "3.1. Patch Wrappers server options"
+    execute_wrappers_patch
+
     echo "4. Running generated SQL files"
-    echo "before"
-    retry 3 print_vault_secrets
     retry 3 run_generated_sql
-    echo "after"
-    retry 3 print_vault_secrets
 
     echo "4.1. Applying patches"
     execute_patches || true
@@ -303,8 +306,6 @@ function run_generated_sql {
     if [ -d /data/sql ]; then
         for FILE in /data/sql/*.sql; do
             if [ -f "$FILE" ]; then
-                echo "executing $FILE"
-                cat "$FILE"
                 run_sql -f "$FILE" || true
             fi
         done
diff --git a/ansible/files/admin_api_scripts/pg_upgrade_scripts/initiate.sh b/ansible/files/admin_api_scripts/pg_upgrade_scripts/initiate.sh
@@ -367,16 +367,13 @@ function initiate_upgrade {
     fi
 
     echo "7. Disabling extensions and generating post-upgrade script"
-    print_vault_secrets
     handle_extensions
 
     echo "8.1. Granting SUPERUSER to postgres user"
-    print_vault_secrets
     run_sql -c "ALTER USER postgres WITH SUPERUSER;"
 
     if [ "$OLD_BOOTSTRAP_USER" = "postgres" ]; then
         echo "8.2. Swap postgres & supabase_admin roles as we're upgrading a project with postgres as bootstrap user"
-        print_vault_secrets
         swap_postgres_and_supabase_admin
     fi
 
@@ -391,10 +388,8 @@ function initiate_upgrade {
 
         export LD_LIBRARY_PATH="${PGLIBNEW}"
     fi
-    print_vault_secrets
 
     echo "9. Creating new data directory, initializing database"
-    print_vault_secrets
     chown -R postgres:postgres "$MOUNT_POINT/"
     rm -rf "${PGDATANEW:?}/"
 
@@ -413,7 +408,6 @@ function initiate_upgrade {
 $(cat /etc/postgresql/pg_hba.conf)" > /etc/postgresql/pg_hba.conf
         run_sql -c "select pg_reload_conf();"
     fi
-    print_vault_secrets
 
     UPGRADE_COMMAND=$(cat <<EOF
     time ${PGBINNEW}/pg_upgrade \
