Merge branch 'develop' into chore/update_adminapi

Author: jose-ledesma

Dockerfile-15

@@ -24,7 +24,7 @@ ARG rum_release=1.3.13
 ARG pg_hashids_release=cd0e1b31d52b394a0df64079406a14a4f7387cd6
 ARG libsodium_release=1.0.18
 ARG pgsodium_release=3.1.6
-ARG pg_graphql_release=1.5.1
+ARG pg_graphql_release=1.5.11
 ARG pg_stat_monitor_release=1.1.1
 ARG pg_jsonschema_release=0.1.4
 ARG pg_repack_release=1.4.8
@@ -67,6 +67,7 @@ WORKDIR /nixpg
 
 RUN nix profile install .#psql_15/bin 
 
+RUN nix store gc
 
 
 WORKDIR /

Dockerfile-kubernetes

@@ -2,7 +2,7 @@ FROM alpine:3.21
 
 ADD ./output-cloudimg/packer-cloudimg /disk/focal.qcow2
 
-RUN apk add --no-cache qemu-system-aarch64 qemu-img openssh-client nftables cloud-utils-localds aavmf
+RUN apk add --no-cache qemu-system-aarch64 qemu-img openssh-client nftables cloud-utils-localds aavmf virtiofsd
 # dev stuff
 # RUN apk add --no-cache iproute2
 

Dockerfile-orioledb-17

@@ -24,7 +24,7 @@ ARG rum_release=1.3.13
 ARG pg_hashids_release=cd0e1b31d52b394a0df64079406a14a4f7387cd6
 ARG libsodium_release=1.0.18
 ARG pgsodium_release=3.1.6
-ARG pg_graphql_release=1.5.1
+ARG pg_graphql_release=1.5.11
 ARG pg_stat_monitor_release=1.1.1
 ARG pg_jsonschema_release=0.1.4
 ARG pg_repack_release=1.4.8
@@ -68,7 +68,7 @@ WORKDIR /nixpg
 
 RUN nix profile install .#psql_orioledb-17/bin 
 
-
+RUN nix store gc
 
 WORKDIR /
 

README.md

@@ -9,15 +9,32 @@ if pgrep resizefs; then
     exit 1
 fi
 
+# Parses the output of lsblk to get the root partition number
+# Example output:
+# NAME        MOUNTPOINT
+# nvme0n1
+# ├─nvme0n1p1 /boot
+# └─nvme0n1p3 /
+# nvme1n1     /data
+#
+# Resulting in:
+# └─nvme0n1p3 / -> nvme0n1p3 -> 3
+ROOT_PARTITION_NUMBER=$(lsblk -no NAME,MOUNTPOINT | grep ' /$' | awk '{print $1;}' | sed 's/.*nvme[0-9]n[0-9]p//g')
+
+if ! [[ "$ROOT_PARTITION_NUMBER" =~ ^[0-9]+$ ]]; then
+  echo "Error: ROOT_PARTITION_NUMBER is not a valid number: $ROOT_PARTITION_NUMBER"
+  exit 1
+fi
+
 if [ -b /dev/nvme1n1 ] ; then
     if [[ "${VOLUME_TYPE}" == "data" ]]; then
         resize2fs /dev/nvme1n1
 
     elif [[ "${VOLUME_TYPE}" == "root" ]] ; then
         PLACEHOLDER_FL=/home/ubuntu/50M_PLACEHOLDER
         rm -f "${PLACEHOLDER_FL}" || true
-        growpart /dev/nvme0n1 2
-        resize2fs /dev/nvme0n1p2
+        growpart /dev/nvme0n1 "${ROOT_PARTITION_NUMBER}"
+        resize2fs "/dev/nvme0n1p${ROOT_PARTITION_NUMBER}"
         if [[ ! -f "${PLACEHOLDER_FL}" ]] ; then
             fallocate -l50M "${PLACEHOLDER_FL}"
         fi
@@ -26,7 +43,7 @@ if [ -b /dev/nvme1n1 ] ; then
         exit 1
     fi
 else
-    growpart /dev/nvme0n1 2
-    resize2fs /dev/nvme0n1p2
+    growpart /dev/nvme0n1 "${ROOT_PARTITION_NUMBER}"
+    resize2fs "/dev/nvme0n1p${ROOT_PARTITION_NUMBER}"
 fi
 echo "Done resizing disk"

ansible/files/admin_api_scripts/grow_fs.sh

@@ -150,43 +150,6 @@ EOF
 
         run_sql -c "$PATCH_PGMQ_QUERY"
         run_sql -c "update pg_extension set extowner = 'postgres'::regrole where extname = 'pgmq';"
-
-        # Patch to handle upgrading to pgsodium-less Vault
-        REENCRYPT_VAULT_SECRETS_QUERY=$(cat <<EOF
-        DO \$\$
-        BEGIN
-          IF EXISTS (SELECT FROM pg_available_extension_versions WHERE name = 'supabase_vault' AND version = '0.3.0')
-            AND EXISTS (SELECT FROM pg_extension WHERE extname = 'supabase_vault')
-          THEN
-            IF (SELECT extversion FROM pg_extension WHERE extname = 'supabase_vault') != '0.2.8' THEN
-              GRANT USAGE ON SCHEMA vault TO postgres WITH GRANT OPTION;
-              GRANT SELECT, DELETE ON vault.secrets, vault.decrypted_secrets TO postgres WITH GRANT OPTION;
-              GRANT EXECUTE ON FUNCTION vault.create_secret, vault.update_secret, vault._crypto_aead_det_decrypt TO postgres WITH GRANT OPTION;
-            END IF;
-            -- Do an explicit IF EXISTS check to avoid referencing pgsodium objects if the project already migrated away from using pgsodium.
-            IF EXISTS (SELECT FROM vault.secrets WHERE key_id IS NOT NULL) THEN
-              UPDATE vault.secrets s
-              SET
-                secret = encode(
-                  vault._crypto_aead_det_encrypt(
-                    message := pgsodium.crypto_aead_det_decrypt(decode(s.secret, 'base64'), convert_to(s.id || s.description || s.created_at || s.updated_at, 'utf8'), s.key_id, s.nonce),
-                    additional := convert_to(s.id::text, 'utf8'),
-                    key_id := 0,
-                    context := 'pgsodium'::bytea,
-                    nonce := s.nonce
-                  ),
-                  'base64'
-                ),
-                key_id = NULL
-              WHERE
-                key_id IS NOT NULL;
-            END IF;
-          END IF;
-        END
-        \$\$;
-EOF
-        )
-        run_sql -c "$REENCRYPT_VAULT_SECRETS_QUERY"
     fi
 
     run_sql -c "grant pg_read_all_data, pg_signal_backend to postgres"

ansible/files/admin_api_scripts/pg_upgrade_scripts/complete.sh

@@ -12,6 +12,7 @@
 EXTENSIONS_TO_DISABLE=(
     "pg_graphql"
     "pg_stat_monitor"
+    "pg_backtrace"
 )
 
 PG14_EXTENSIONS_TO_DISABLE=(
@@ -217,6 +218,7 @@ function initiate_upgrade {
     SHARED_PRELOAD_LIBRARIES=$(echo "$SHARED_PRELOAD_LIBRARIES" | sed "s/pg_net//" | xargs)
     SHARED_PRELOAD_LIBRARIES=$(echo "$SHARED_PRELOAD_LIBRARIES" | sed "s/check_role_membership//" | xargs)
     SHARED_PRELOAD_LIBRARIES=$(echo "$SHARED_PRELOAD_LIBRARIES" | sed "s/safeupdate//" | xargs)
+    SHARED_PRELOAD_LIBRARIES=$(echo "$SHARED_PRELOAD_LIBRARIES" | sed "s/pg_backtrace//" | xargs)
 
     # Exclude empty-string entries, as well as leading/trailing commas and spaces resulting from the above lib exclusions
     #  i.e. " , pg_stat_statements, , pgsodium, " -> "pg_stat_statements, pgsodium"

ansible/files/admin_api_scripts/pg_upgrade_scripts/initiate.sh

@@ -37,51 +37,6 @@ resources:
                     rules:
                       action: DENY
                       policies:
-                        api_key_missing:
-                          permissions:
-                            - any: true
-                          principals:
-                            - not_id:
-                                or_ids:
-                                  ids:
-                                    - header:
-                                        name: apikey
-                                        present_match: true
-                                    - header:
-                                        name: ':path'
-                                        string_match:
-                                          contains: apikey=
-                        api_key_not_valid:
-                          permissions:
-                            - any: true
-                          principals:
-                            - not_id:
-                                or_ids:
-                                  ids:
-                                    - header:
-                                        name: apikey
-                                        string_match:
-                                          exact: anon_key
-                                    - header:
-                                        name: apikey
-                                        string_match:
-                                          exact: service_key
-                                    - header:
-                                        name: apikey
-                                        string_match:
-                                          exact: supabase_admin_key
-                                    - header:
-                                        name: ':path'
-                                        string_match:
-                                          contains: apikey=anon_key
-                                    - header:
-                                        name: ':path'
-                                        string_match:
-                                          contains: apikey=service_key
-                                    - header:
-                                        name: ':path'
-                                        string_match:
-                                          contains: apikey=supabase_admin_key
                         origin_protection_key_missing:
                           permissions:
                             - any: true
@@ -234,6 +189,10 @@ resources:
                                   prefix: /metrics/aggregated
                                 invert_match: true
                     status_code: 401
+                    headers_to_add:
+                      - header:
+                          key: x-sb-error-code
+                          value: '%RESPONSE_CODE_DETAILS%'
                     body_format_override:
                       json_format:
                         message: >-
@@ -383,24 +342,6 @@ resources:
                         route:
                           cluster: admin_api
                           prefix_rewrite: /privileged/
-                        typed_per_filter_config:
-                          envoy.filters.http.rbac:
-                            '@type': >-
-                              type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBACPerRoute
-                            rbac:
-                              rules:
-                                action: DENY
-                                policies:
-                                  basic_auth:
-                                    permissions:
-                                      - any: true
-                                    principals:
-                                      - header:
-                                          name: authorization
-                                          invert_match: true
-                                          string_match:
-                                            exact: Basic c2VydmljZV9yb2xlOnNlcnZpY2Vfa2V5
-                                          treat_missing_header_as_empty: true
                       - match:
                           prefix: /metrics/aggregated
                         request_headers_to_remove:

ansible/files/envoy_config/lds.supabase.yaml

@@ -215,6 +215,10 @@ resources:
                                   prefix: /metrics/aggregated
                                 invert_match: true
                     status_code: 401
+                    headers_to_add:
+                      - header:
+                          key: x-sb-error-code
+                          value: '%RESPONSE_CODE_DETAILS%'
                     body_format_override:
                       json_format:
                         message: >-

ansible/files/envoy_config/lds.yaml

@@ -688,7 +688,7 @@ default_text_search_config = 'pg_catalog.english'
 #local_preload_libraries = ''
 #session_preload_libraries = ''
 
-shared_preload_libraries = 'pg_stat_statements, pgaudit, plpgsql, plpgsql_check, pg_cron, pg_net, pgsodium, timescaledb, auto_explain, pg_tle, plan_filter, supabase_vault'	# (change requires restart)
+shared_preload_libraries = 'pg_stat_statements, pgaudit, plpgsql, plpgsql_check, pg_cron, pg_net, pgsodium, timescaledb, auto_explain, pg_tle, plan_filter'	# (change requires restart)
 jit_provider = 'llvmjit'		# JIT library to use
 
 # - Other Defaults -