Merge branch 'develop' into chore/bump_wrappers

Author: burmecia

.github/workflows/ami-release.yml

@@ -30,6 +30,16 @@ jobs:
       - name: Checkout Repo
         uses: actions/checkout@v3
 
+      - name: Run checks if triggered manually
+        if: ${{ github.event_name == 'workflow_dispatch' }}
+        # Update `ci.yaml` too if changing constraints.
+        run: |
+          SUFFIX=$(sed -E 's/postgres-version = "[0-9\.]+(.*)"/\1/g' common.vars.pkr.hcl)
+          if [[ -z $SUFFIX ]] ; then
+            echo "Version must include non-numeric characters if built manually."
+            exit 1
+          fi
+
       - id: args
         uses: mikefarah/yq@master
         with:

.github/workflows/ci.yml

@@ -4,7 +4,6 @@ on:
   pull_request:
 
 jobs:
-
   check-release-version:
     timeout-minutes: 5
     runs-on: ubuntu-latest
@@ -13,6 +12,7 @@ jobs:
         uses: actions/checkout@v3
 
       - name: Run checks
+        # Update `ami-release.yaml` too if changing constraints.
         run: |
           SUFFIX=$(sed -E 's/postgres-version = "[0-9\.]+(.*)"/\1/g' common.vars.pkr.hcl)
           if [[ -n $SUFFIX ]] ; then

ansible/files/adminapi.sudoers.conf

@@ -1,3 +1,4 @@
+Cmnd_Alias ENVOY = /bin/systemctl start envoy.service, /bin/systemctl stop envoy.service, /bin/systemctl restart envoy.service, /bin/systemctl disable envoy.service, /bin/systemctl enable envoy.service, /bin/systemctl reload envoy.service
 Cmnd_Alias KONG = /bin/systemctl start kong.service, /bin/systemctl stop kong.service, /bin/systemctl restart kong.service, /bin/systemctl disable kong.service, /bin/systemctl enable kong.service, /bin/systemctl reload kong.service
 Cmnd_Alias POSTGREST = /bin/systemctl start postgrest.service, /bin/systemctl stop postgrest.service, /bin/systemctl restart postgrest.service, /bin/systemctl disable postgrest.service, /bin/systemctl enable postgrest.service
 Cmnd_Alias GOTRUE = /bin/systemctl start gotrue.service, /bin/systemctl stop gotrue.service, /bin/systemctl restart gotrue.service, /bin/systemctl disable gotrue.service, /bin/systemctl enable gotrue.service
@@ -20,6 +21,7 @@ Cmnd_Alias PGBOUNCER = /bin/systemctl start pgbouncer.service, /bin/systemctl st
 %adminapi ALL= NOPASSWD: /bin/systemctl restart services.slice
 %adminapi ALL= NOPASSWD: /usr/sbin/nft -f /etc/nftables/supabase_managed.conf
 %adminapi ALL= NOPASSWD: /usr/bin/admin-mgr
+%adminapi ALL= NOPASSWD: ENVOY
 %adminapi ALL= NOPASSWD: KONG
 %adminapi ALL= NOPASSWD: POSTGREST
 %adminapi ALL= NOPASSWD: GOTRUE

ansible/files/envoy.service

@@ -0,0 +1,29 @@
+[Unit]
+Description=Envoy
+After=postgrest.service gotrue.service adminapi.service
+Wants=postgrest.service gotrue.service adminapi.service
+Conflicts=kong.service
+
+[Service]
+Type=simple
+
+# Need to run via a restarter script to support hot restart when using a process
+# manager, see:
+# https://www.envoyproxy.io/docs/envoy/latest/operations/hot_restarter
+ExecStart=/opt/envoy-hot-restarter.py /opt/start-envoy.sh
+
+ExecReload=/bin/kill -HUP $MAINPID
+ExecStop=/bin/kill -TERM $MAINPID
+User=envoy
+Slice=services.slice
+Restart=always
+RestartSec=3
+LimitNOFILE=100000
+
+# The envoy user is unpriviledged and thus not permited to bind on ports < 1024
+# Via systemd we grant the process a set of priviledges to bind to 80/443
+# See http://archive.vn/36zJU
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+
+[Install]
+WantedBy=multi-user.target

ansible/files/envoy_config/cds.yaml

@@ -0,0 +1,46 @@
+resources:
+  - '@type': type.googleapis.com/envoy.config.cluster.v3.Cluster
+    name: admin_api
+    load_assignment:
+      cluster_name: admin_api
+      endpoints:
+        - lb_endpoints:
+            - endpoint:
+                address:
+                  socket_address:
+                    address: 127.0.0.1
+                    port_value: 8085
+  - '@type': type.googleapis.com/envoy.config.cluster.v3.Cluster
+    name: gotrue
+    load_assignment:
+      cluster_name: gotrue
+      endpoints:
+        - lb_endpoints:
+            - endpoint:
+                address:
+                  socket_address:
+                    address: 127.0.0.1
+                    port_value: 9999
+  - '@type': type.googleapis.com/envoy.config.cluster.v3.Cluster
+    name: postgrest
+    load_assignment:
+      cluster_name: postgrest
+      endpoints:
+        - lb_endpoints:
+            - endpoint:
+                address:
+                  socket_address:
+                    address: 127.0.0.1
+                    port_value: 3000
+  - '@type': type.googleapis.com/envoy.config.cluster.v3.Cluster
+    name: postgrest_admin
+    load_assignment:
+      cluster_name: postgrest_admin
+      endpoints:
+        - lb_endpoints:
+            - endpoint:
+                address:
+                  socket_address:
+                    address: 127.0.0.1
+                    port_value: 3001
+

ansible/files/envoy_config/envoy.yaml

@@ -0,0 +1,23 @@
+dynamic_resources:
+  cds_config:
+    path_config_source:
+      path: /etc/envoy/cds.yaml
+    resource_api_version: V3
+  lds_config:
+    path_config_source:
+      path: /etc/envoy/lds.yaml
+    resource_api_version: V3
+node:
+  cluster: cluster_0
+  id: node_0
+overload_manager:
+  resource_monitors:
+    - name: envoy.resource_monitors.global_downstream_max_connections
+      typed_config:
+        '@type': >-
+          type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig
+        max_active_downstream_connections: 30000
+stats_config:
+  stats_matcher:
+    reject_all: true
+