Merge remote-tracking branch 'origin/develop' into pg_repack_non_superuser

Author: za-arthur

.github/workflows/nix-build.yml

@@ -24,8 +24,10 @@ jobs:
             arch: arm64
           - runner: macos-latest
             arch: arm64
+          - runner: macos-13
+            arch: amd64
     runs-on: ${{ matrix.runner }}
-
+    timeout-minutes: 180
     steps:
 
       - name: Check out code
@@ -40,30 +42,31 @@ jobs:
           role-to-assume: ${{ secrets.DEV_AWS_ROLE }}
           aws-region: "us-east-1"
           output-credentials: true
+          role-duration-seconds: 7200
       - name: write secret key
         # use python so we don't interpolate the secret into the workflow logs, in case of bugs
         run: |
           python -c "import os; file = open('nix-secret-key', 'w'); file.write(os.environ['NIX_SIGN_SECRET_KEY']); file.close()"
         env:
           NIX_SIGN_SECRET_KEY: ${{ secrets.NIX_SIGN_SECRET_KEY }}
       - name: Log in to Docker Hub
-        if: matrix.runner != 'macos-latest'
+        if: matrix.runner != 'macos-latest' && matrix.runner != 'macos-13'
         uses: docker/login-action@v2
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
       - name: Build psql bundle with nix
-        if: matrix.runner != 'macos-latest'
+        if: matrix.runner != 'macos-latest' && matrix.runner != 'macos-13'
         run: docker build -t base_nix -f docker/nix/Dockerfile .
       - name: Run build psql bundle
-        if: matrix.runner != 'macos-latest'
+        if: matrix.runner != 'macos-latest' && matrix.runner != 'macos-13'
         run:  |
           docker run -e AWS_ACCESS_KEY_ID=${{ env.AWS_ACCESS_KEY_ID }} \
                     -e AWS_SECRET_ACCESS_KEY=${{ env.AWS_SECRET_ACCESS_KEY }} \
                     -e AWS_SESSION_TOKEN=${{ env.AWS_SESSION_TOKEN }} \
                     base_nix bash -c "./workspace/docker/nix/build_nix.sh"
       - name: Build psql bundle on macos
-        if: matrix.runner == 'macos-latest'
+        if: matrix.runner == 'macos-latest' || matrix.runner == 'macos-13'
         run: |
           curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install --no-confirm \
           --extra-conf "substituters = https://cache.nixos.org https://nix-postgres-artifacts.s3.amazonaws.com" \

ansible/files/envoy_config/lds.yaml

@@ -258,6 +258,9 @@ resources:
                               max_program_size: 150
                             regex: >-
                               /auth/v1/(verify|callback|authorize|sso/saml/(acs|metadata|slo)|\.well-known/(openid-configuration|jwks\.json))
+                        request_headers_to_remove:
+                          - apikey
+                          - sb-opk
                         route:
                           cluster: gotrue
                           regex_rewrite:
@@ -271,6 +274,9 @@ resources:
                         typed_per_filter_config: *ref_0
                       - match:
                           prefix: /auth/v1/
+                        request_headers_to_remove:
+                          - apikey
+                          - sb-opk
                         route:
                           cluster: gotrue
                           prefix_rewrite: /
@@ -282,6 +288,7 @@ resources:
                               present_match: true
                         request_headers_to_remove:
                           - apikey
+                          - sb-opk
                         route:
                           cluster: postgrest
                           prefix_rewrite: /
@@ -295,6 +302,7 @@ resources:
                           prefix: /rest/v1/
                         request_headers_to_remove:
                           - apikey
+                          - sb-opk
                         route:
                           cluster: postgrest
                           prefix_rewrite: /
@@ -311,6 +319,7 @@ resources:
                               present_match: true
                         request_headers_to_remove:
                           - apikey
+                          - sb-opk
                         route:
                           cluster: postgrest_admin
                           prefix_rewrite: /
@@ -323,6 +332,7 @@ resources:
                           prefix: /rest-admin/v1/
                         request_headers_to_remove:
                           - apikey
+                          - sb-opk
                         route:
                           cluster: postgrest_admin
                           prefix_rewrite: /
@@ -332,18 +342,25 @@ resources:
                           header:
                             key: Content-Profile
                             value: graphql_public
+                        request_headers_to_remove:
+                          - apikey
+                          - sb-opk
                         route:
                           cluster: postgrest
                           prefix_rewrite: /rpc/graphql
                           timeout: 125s
                       - match:
                           prefix: /admin/v1/
+                        request_headers_to_remove:
+                          - sb-opk
                         route:
                           cluster: admin_api
                           prefix_rewrite: /
                           timeout: 600s
                       - match:
                           prefix: /customer/v1/privileged/
+                        request_headers_to_remove:
+                          - sb-opk
                         route:
                           cluster: admin_api
                           prefix_rewrite: /privileged/
@@ -367,6 +384,8 @@ resources:
                                           treat_missing_header_as_empty: true
                       - match:
                           prefix: /metrics/aggregated
+                        request_headers_to_remove:
+                          - sb-opk
                         route:
                           cluster: admin_api
                           prefix_rewrite: /supabase-internal/metrics

ansible/files/postgresql_config/supautils.conf.j2

@@ -1,9 +1,10 @@
 supautils.extensions_parameter_overrides = '{"pg_cron":{"schema":"pg_catalog"}}'
 supautils.policy_grants = '{"postgres":["auth.audit_log_entries","auth.identities","auth.refresh_tokens","auth.sessions","auth.users","realtime.messages","storage.buckets","storage.migrations","storage.objects","storage.s3_multipart_uploads","storage.s3_multipart_uploads_parts"]}'
-# full list:                                 address_standardizer, address_standardizer_data_us, adminpack, amcheck, autoinc, bloom, btree_gin, btree_gist, citext, cube, dblink, dict_int, dict_xsyn, earthdistance, file_fdw, fuzzystrmatch, hstore, http, hypopg, index_advisor, insert_username, intagg, intarray, isn, lo, ltree, moddatetime, old_snapshot, orioledb, pageinspect, pg_buffercache, pg_cron, pg_freespacemap, pg_graphql, pg_hashids, pg_jsonschema, pg_net, pg_prewarm, pg_repack, pg_stat_monitor, pg_stat_statements, pg_surgery, pg_tle, pg_trgm, pg_visibility, pg_walinspect, pgaudit, pgcrypto, pgjwt, pgroonga, pgroonga_database, pgrouting, pgrowlocks, pgsodium, pgstattuple, pgtap, plcoffee, pljava, plls, plpgsql, plpgsql_check, plv8, postgis, postgis_raster, postgis_sfcgal, postgis_tiger_geocoder, postgis_topology, postgres_fdw, refint, rum, seg, sslinfo, supabase_vault, supautils, tablefunc, tcn, timescaledb, tsm_system_rows, tsm_system_time, unaccent, uuid-ossp, vector, wrappers, xml2
+# full list:                                 address_standardizer, address_standardizer_data_us, adminpack, amcheck, autoinc, bloom, btree_gin, btree_gist, citext, cube, dblink, dict_int, dict_xsyn, earthdistance, file_fdw, fuzzystrmatch, hstore, http, hypopg, index_advisor, insert_username, intagg, intarray, isn, lo, ltree, moddatetime, old_snapshot, orioledb, pageinspect, pg_buffercache, pg_cron, pg_freespacemap, pg_graphql, pg_hashids, pg_jsonschema, pg_net, pg_prewarm, pg_repack, pg_stat_monitor, pg_stat_statements, pg_surgery, pg_tle, pg_trgm, pg_visibility, pg_walinspect, pgaudit, pgcrypto, pgjwt, pgmq, pgroonga, pgroonga_database, pgrouting, pgrowlocks, pgsodium, pgstattuple, pgtap, plcoffee, pljava, plls, plpgsql, plpgsql_check, plv8, postgis, postgis_raster, postgis_sfcgal, postgis_tiger_geocoder, postgis_topology, postgres_fdw, refint, rum, seg, sslinfo, supabase_vault, supautils, tablefunc, tcn, timescaledb, tsm_system_rows, tsm_system_time, unaccent, uuid-ossp, vector, wrappers, xml2
 # omitted because may be unsafe:             adminpack, amcheck, file_fdw, lo, old_snapshot, pageinspect, pg_buffercache, pg_freespacemap, pg_surgery, pg_visibility
 # omitted because deprecated:                intagg, xml2
-supautils.privileged_extensions = 'address_standardizer, address_standardizer_data_us, autoinc, bloom, btree_gin, btree_gist, citext, cube, dblink, dict_int, dict_xsyn, earthdistance, fuzzystrmatch, hstore, http, hypopg, index_advisor, insert_username, intarray, isn, ltree, moddatetime, orioledb, pg_cron, pg_graphql, pg_hashids, pg_jsonschema, pg_net, pg_partman, pg_repack, pg_stat_monitor, pg_stat_statements, pg_tle, pg_trgm, pg_walinspect, pgaudit, pgcrypto, pgjwt, pg_prewarm, pgmq, pgroonga, pgroonga_database, pgrouting, pgrowlocks, pgstattuple, pgsodium, pgtap, plcoffee, pljava, plls, plpgsql, plpgsql_check, plv8, postgis, postgis_raster, postgis_sfcgal, postgis_tiger_geocoder, postgis_topology, postgres_fdw, refint, rum, seg, sslinfo, supabase_vault, supautils, tablefunc, tcn, timescaledb, tsm_system_rows, tsm_system_time, unaccent, uuid-ossp, vector, wrappers'
+# omitted because doesn't require superuser: pgmq
+supautils.privileged_extensions = 'address_standardizer, address_standardizer_data_us, autoinc, bloom, btree_gin, btree_gist, citext, cube, dblink, dict_int, dict_xsyn, earthdistance, fuzzystrmatch, hstore, http, hypopg, index_advisor, insert_username, intarray, isn, ltree, moddatetime, orioledb, pg_cron, pg_graphql, pg_hashids, pg_jsonschema, pg_net, pg_prewarm, pg_repack, pg_stat_monitor, pg_stat_statements, pg_tle, pg_trgm, pg_walinspect, pgaudit, pgcrypto, pgjwt, pgroonga, pgroonga_database, pgrouting, pgrowlocks, pgsodium, pgstattuple, pgtap, plcoffee, pljava, plls, plpgsql, plpgsql_check, plv8, postgis, postgis_raster, postgis_sfcgal, postgis_tiger_geocoder, postgis_topology, postgres_fdw, refint, rum, seg, sslinfo, supabase_vault, supautils, tablefunc, tcn, timescaledb, tsm_system_rows, tsm_system_time, unaccent, uuid-ossp, vector, wrappers'
 supautils.privileged_extensions_custom_scripts_path = '/etc/postgresql-custom/extension-custom-scripts'
 supautils.privileged_extensions_superuser = 'supabase_admin'
 supautils.privileged_role = 'postgres'

ansible/vars.yml

@@ -10,7 +10,8 @@ postgres_major:
 
 # Full version strings for each major version
 postgres_release:
-  postgres15: "15.8.1.004-repack-2"
+  postgres15: "15.8.1.007"
+  postgres16: "16.3.1.013"
 
 # Non Postgres Extensions
 pgbouncer_release: "1.19.0"

docker/nix/build_nix.sh

@@ -5,9 +5,15 @@ nix --version
 if [ -d "/workspace" ]; then
     cd /workspace
 fi
-nix build .#checks.$(nix-instantiate --eval -E builtins.currentSystem | tr -d '"').psql_15 -L --no-link
-nix build .#checks.$(nix-instantiate --eval -E builtins.currentSystem | tr -d '"').psql_16 -L --no-link
-nix build .#psql_15/bin -o psql_15
-nix build .#psql_16/bin -o psql_16
-nix copy --to s3://nix-postgres-artifacts?secret-key=nix-secret-key ./psql_15
-nix copy --to s3://nix-postgres-artifacts?secret-key=nix-secret-key ./psql_16
+if [ $(nix-instantiate --eval -E builtins.currentSystem | tr -d '"') == "x86_64-darwin" ]; then
+    nix build .#checks.$(nix-instantiate --eval -E builtins.currentSystem | tr -d '"').psql_15 -L --no-link
+    nix build .#psql_15/bin -o psql_15
+    nix copy --to s3://nix-postgres-artifacts?secret-key=nix-secret-key ./psql_15
+else
+    nix build .#checks.$(nix-instantiate --eval -E builtins.currentSystem | tr -d '"').psql_15 -L --no-link
+    nix build .#checks.$(nix-instantiate --eval -E builtins.currentSystem | tr -d '"').psql_16 -L --no-link
+    nix build .#psql_15/bin -o psql_15
+    nix build .#psql_16/bin -o psql_16
+    nix copy --to s3://nix-postgres-artifacts?secret-key=nix-secret-key ./psql_15
+    nix copy --to s3://nix-postgres-artifacts?secret-key=nix-secret-key ./psql_16
+fi

flake.nix

@@ -17,6 +17,7 @@
         system.x86_64-linux
         system.aarch64-linux
         system.aarch64-darwin
+        system.x86_64-darwin
       ];
     in
     flake-utils.lib.eachSystem ourSystems (system:
@@ -128,8 +129,7 @@
         # use, but even if they did, keeping our own copies means that we can
         # rollout new versions of these critical things easier without having to
         # go through the upstream release engineering process.
-      ourExtensions = let
-        baseExtensions = [
+        ourExtensions = [
           ./nix/ext/rum.nix
           ./nix/ext/timescaledb.nix
           ./nix/ext/pgroonga.nix
@@ -148,10 +148,10 @@
           ./nix/ext/pg_cron.nix
           ./nix/ext/pgsql-http.nix
           ./nix/ext/pg_plan_filter.nix
+          ./nix/ext/pg_net.nix
           ./nix/ext/pg_hashids.nix
           ./nix/ext/pgsodium.nix
           ./nix/ext/pg_graphql.nix
-          ./nix/ext/pg_partman.nix
           ./nix/ext/pg_stat_monitor.nix
           ./nix/ext/pg_jsonschema.nix
           ./nix/ext/pgvector.nix
@@ -162,13 +162,7 @@
           ./nix/ext/supautils.nix
           ./nix/ext/plv8.nix
         ];
-        
-        # Add pg_net only if NOT on macOS aarch64
-        pgNetExtension = if (system == "aarch64-darwin") 
-          then []
-          else [ ./nix/ext/pg_net.nix ];
 
-        in baseExtensions ++ pgNetExtension;
         #Where we import and build the orioledb extension, we add on our custom extensions
         # plus the orioledb option
         orioledbExtension = ourExtensions ++ [ ./nix/ext/orioledb.nix ];
@@ -468,8 +462,7 @@
                 --subst-var-by 'LOCALES' '${localeArchive}' \
                 --subst-var-by 'EXTENSION_CUSTOM_SCRIPTS_DIR' "$out/extension-custom-scripts" \
                 --subst-var-by 'MECAB_LIB' '${basePackages.psql_15.exts.pgroonga}/lib/groonga/plugins/tokenizers/tokenizer_mecab.so' \
-                --subst-var-by 'GROONGA_DIR' '${supabase-groonga}' \
-                --subst-var-by 'CURRENT_SYSTEM' '${system}'
+                --subst-var-by 'GROONGA_DIR' '${supabase-groonga}' 
 
               chmod +x $out/bin/start-postgres-server
             '';

nix/ext/pg_net.nix

@@ -2,15 +2,15 @@
 
 stdenv.mkDerivation rec {
   pname = "pg_net";
-  version = "0.11.0";
+  version = "0.13.0";
 
   buildInputs = [ curl postgresql ];
 
   src = fetchFromGitHub {
     owner = "supabase";
     repo = pname;
     rev = "refs/tags/v${version}";
-    hash = "sha256-XN441jXK1q+I/LZRNwvzbSsebXHgZ8iYsslZvcPFlAs=";
+    hash = "sha256-FRaTZPCJQPYAFmsJg22hYJJ0+gH1tMdDQoCQgiqEnaA=";
   };
 
   env.NIX_CFLAGS_COMPILE = "-Wno-error";

nix/ext/plv8.nix

@@ -120,7 +120,7 @@ stdenv.mkDerivation (finalAttrs: {
     description = "V8 Engine Javascript Procedural Language add-on for PostgreSQL";
     homepage = "https://plv8.github.io/";
     maintainers = with maintainers; [ samrose ];
-    platforms = [ "x86_64-linux" "aarch64-linux" "aarch64-darwin" ];
+    platforms = [ "x86_64-linux" "aarch64-linux" "aarch64-darwin" "x86_64-darwin" ];
     license = licenses.postgresql;
   };
 })