feat: Install gandalf, salt-wrapper for infra

Author: tomashley

ansible/files/gandalf_config/gandalf.sudoers.conf

@@ -0,0 +1,2 @@
+%gandalf ALL= NOPASSWD: /usr/bin/salt-call
+%gandalf ALL= NOPASSWD: /usr/bin/gpg --homedir /etc/salt/gpgkeys --import, /usr/bin/gpg --homedir /etc/salt/gpgkeys --list-secret-keys *

ansible/files/gandalf_config/gandalf_salt.service

@@ -0,0 +1,19 @@
+[Unit]
+Description=Configuration management via gandalf salt
+After=network.target
+
+[Service]
+Type=oneshot
+ExecStart=/opt/gandalf/gandalf --config /opt/gandalf/config.yaml salt --apply --store-result
+User=gandalf
+Group=gandalf
+StandardOutput=journal
+StandardError=journal
+StateDirectory=gandalf
+CacheDirectory=gandalf
+
+# Security hardening
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target

ansible/files/gandalf_config/gandalf_salt.timer

@@ -0,0 +1,13 @@
+[Unit]
+Description=Run Supabase gandalf salt on a schedule
+Requires=gandalf_salt.service
+
+[Timer]
+OnCalendar=*:0/10
+# Random delay up to 30 seconds splay
+RandomizedDelaySec=30
+AccuracySec=1s
+Persistent=true
+
+[Install]
+WantedBy=timers.target

ansible/manifest-playbook.yml

@@ -61,6 +61,22 @@
       shell: |
         cd /tmp && tar -cJf admin-mgr-{{ adminmgr_release }}-arm64.tar.xz admin-mgr
 
+    - name: Download gandalf archive
+      get_url:
+        url: "https://supabase-public-artifacts-bucket.s3.amazonaws.com/gandalf/v{{ gandalf_release }}/gandalf_{{ gandalf_release }}_linux_arm64.tar.gz"
+        dest: "/tmp/gandalf.tar.gz"
+        timeout: 90
+
+    - name: gandalf - unpack archive in /tmp
+      unarchive:
+        remote_src: yes
+        src: /tmp/gandalf.tar.gz
+        dest: /tmp
+
+    - name: gandalf - pack archive
+      shell: |
+        cd /tmp && tar -cJf gandalf-{{ gandalf_release }}-arm64.tar.xz gandalf
+
     - name: upload archives
       shell: |
         aws s3 cp /tmp/{{ item.file }} s3://{{ internal_artifacts_bucket }}/upgrades/{{ item.service }}/{{ item.file }}
@@ -73,3 +89,5 @@
           file: supabase-admin-api-{{ adminapi_release }}-arm64.tar.xz
         - service: admin-mgr
           file: admin-mgr-{{ adminmgr_release }}-arm64.tar.xz
+        - service: gandalf
+          file: gandalf-{{ gandalf_release }}-arm64.tar.xz

ansible/tasks/internal/gandalf.yml

@@ -0,0 +1,79 @@
+- name: gandalf - system user
+  user:
+    name: gandalf
+    groups: admin,gandalf,salt
+    append: yes
+    system: yes
+    shell: /bin/sh
+
+- name: Setting arch (x86)
+  set_fact:
+    arch: "x86"
+  when: platform == "amd64"
+
+- name: Setting arch (arm)
+  set_fact:
+    arch: "arm64"
+  when: platform == "arm64"
+
+- name: Download gandalf archive
+  get_url:
+    url: "https://supabase-public-artifacts-bucket.s3.amazonaws.com/gandalf/v{{ gandalf_release }}/gandalf_{{ gandalf_release }}_linux_{{ arch }}.tar.gz"
+    dest: "/tmp/gandalf.tar.gz"
+    timeout: 90
+
+- name: gandalf - unpack archive in /opt
+  unarchive:
+    remote_src: yes
+    src: /tmp/gandalf.tar.gz
+    dest: /opt
+    owner: gandalf
+
+- name: gandalf - create symlink
+  ansible.builtin.file:
+    path: /opt/gandalf/gandalf
+    src: "/opt/gandalf/gandalf-linux-{{ arch }}"
+    state: link
+    owner: gandalf
+    mode: '0755'
+    force: yes
+
+- name: gandalf - config dir
+  file:
+    path: /opt/gandalf
+    owner: gandalf
+    state: directory
+
+- name: gandalf - gpg dir
+  file:
+    path: /etc/salt/gpgkeys
+    owner: root
+    group: salt
+    state: directory
+
+- name: give gandalf user permissions
+  copy:
+    src: files/gandalf.sudoers.conf
+    dest: /etc/sudoers.d/gandalf
+    mode: "0644"
+
+- name: gandalf - create salt systemd timer file 
+  copy:
+     src: files/gandalf_config/gandalf_salt.timer
+     dest: /etc/systemd/system/gandalf_salt.timer
+
+- name: gandalf - create salt service file
+  copy:
+    src: files/gandalf_config/gandalf_salt.service
+    dest: /etc/systemd/system/gandalf_salt.service
+
+- name: gandalf - reload systemd
+  systemd:
+    daemon_reload: yes
+
+# Initially ensure gandalf is installed but not started
+- name: gandalf - DISABLE service
+  systemd:
+    name: gandalf_salt
+    enabled: no
+    state: stopped

ansible/tasks/setup-supabase-internal.yml

@@ -115,5 +115,10 @@
   tags:
     - aws-only
 
+- name: Install gandalf
+  import_tasks: internal/gandalf.yml
+  tags:
+    - aws-only
+
 - name: Envoy - use lds.supabase.yaml for /etc/envoy/lds.yaml
   command: mv /etc/envoy/lds.supabase.yaml /etc/envoy/lds.yaml

ansible/vars.yml

@@ -57,3 +57,5 @@ adminmgr_release: 0.25.1
 
 vector_x86_deb: "https://packages.timber.io/vector/0.22.3/vector_0.22.3-1_amd64.deb"
 vector_arm_deb: "https://packages.timber.io/vector/0.22.3/vector_0.22.3-1_arm64.deb"
+
+gandalf_release: 1.4.18