soedirgo
Member

@soedirgo soedirgo commented Feb 5, 2025

Needs https://github.com/supabase/infrastructure/pull/20621 to be deployed first

Updates Vault to 0.3.1 which no longer requires pgsodium. Also omits pgsodium from the list of extensions that are automatically installed on new projects.

Tested logical backup & restore and pg_upgrade flows locally.

@soedirgo soedirgo requested a review from a team as a code owner February 5, 2025 05:52
@soedirgo soedirgo force-pushed the feat/vault-sans-pgsodium branch from 6847543 to 086c825 Compare February 5, 2025 11:06
@samrose
Collaborator

samrose commented Feb 5, 2025

@soedirgo it also looks like you need to actually deactivate pgsodium extension from psql bundle

probably something like

git diff
diff --git a/ansible/files/postgresql_config/postgresql.conf.j2 b/ansible/files/postgresql_config/postgresql.conf.j2
index 1604d94f..28130912 100644
--- a/ansible/files/postgresql_config/postgresql.conf.j2
+++ b/ansible/files/postgresql_config/postgresql.conf.j2
@@ -688,7 +688,7 @@ default_text_search_config = 'pg_catalog.english'
 #local_preload_libraries = ''
 #session_preload_libraries = ''
 
-shared_preload_libraries = 'pg_stat_statements, pgaudit, plpgsql, plpgsql_check, pg_cron, pg_net, pgsodium, timescaledb, auto_explain, pg_tle, plan_filter'  # (change requires restart)
+shared_preload_libraries = 'pg_stat_statements, pgaudit, plpgsql, plpgsql_check, pg_cron, pg_net, timescaledb, auto_explain, pg_tle, plan_filter, supabase_vault'    # (change requires restart)
 jit_provider = 'llvmjit'               # JIT library to use
 
 # - Other Defaults -
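Review bot: The `+` line on `shared_preload_libraries` drops `pgsodium` and appends `supabase_vault` in one edit, while the PR description only says pgsodium is no longer installed automatically on new projects. Databases that already have pgsodium created would lose the preload at the restart this setting requires, so confirm pgsodium still works there without it, or keep `pgsodium` in the list and only append `supabase_vault`. The added line also changes the spacing before `# (change requires restart)` from two spaces to four; keeping the original alignment makes the diff show only the list change.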
diff --git a/flake.nix b/flake.nix
index 154352e2..c503c5ca 100644
--- a/flake.nix
+++ b/flake.nix
@@ -126,7 +126,6 @@
           ./nix/ext/pg_plan_filter.nix
           ./nix/ext/pg_net.nix
           ./nix/ext/pg_hashids.nix
-          ./nix/ext/pgsodium.nix
           ./nix/ext/pg_graphql.nix
           ./nix/ext/pg_stat_monitor.nix
           ./nix/ext/pg_jsonschema.nix
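Review bot: Removing `./nix/ext/pgsodium.nix` from the flake's extension list goes further than not creating the extension by default: with this line gone, the migration run shown further down in this comment stops at 20221207154255_create_vault.sql with `required extension "pgsodium" is not installed`. If pgsodium is meant to stay installable, keep this line and change only the default-install list; if it is removed, the create_vault migration has to be revised in the same PR so a fresh database can still be built.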

Depending on exactly what you need to do here

Also, you may need to revise the migrations, because:

  • if I actually remove pgsodium like in the diff above
  • and then I run migrations we get this error
Applying: 10000000000000_demote-postgres.sql
Applying: 20211115181400_update-auth-permissions.sql
Applying: 20211118015519_create-realtime-schema.sql
Applying: 20211122051245_update-realtime-permissions.sql
Applying: 20211124212715_update-auth-owner.sql
Applying: 20211130151719_update-realtime-permissions.sql
Applying: 20220118070449_enable-safeupdate-postgrest.sql
Applying: 20220126121436_finer-postgrest-triggers.sql
Applying: 20220224211803_fix-postgrest-supautils.sql
Applying: 20220317095840_pg_graphql.sql
Applying: 20220321174452_fix-postgrest-alter-type-event-trigger.sql
Applying: 20220322085208_gotrue-session-limit.sql
Applying: 20220404205710_pg_graphql-on-by-default.sql
Applying: 20220609081115_grant-supabase-auth-admin-and-supabase-storage-admin-to-postgres.sql
Applying: 20220613123923_pg_graphql-pg-dump-perms.sql
Applying: 20220713082019_pg_cron-pg_net-temp-perms-fix.sql
Applying: 20221028101028_set_authenticator_timeout.sql
Applying: 20221103090837_revoke_admin.sql
Applying: 20221207154255_create_vault.sql
Error: pq: required extension "pgsodium" is not installed

@soedirgo
Member Author

soedirgo commented Feb 6, 2025

> need to actually deactivate pgsodium extension from psql bundle

We want to keep pgsodium available (for now), but automatically CREATE EXTENSION'd. I think omitting that line would make pgsodium unavailable?

> required extension "pgsodium" is not installed

This error still puzzles me - from the looks of it it happens on create extension supabase_vault, which would make sense on the older version of supabase_vault (0.2.8) which has a dependency on pgsodium. But the new supabase_vault (0.3.1) has no dependency on pgsodium, so it shouldn't be spitting out this error...
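One way to check what the server would actually install when this error appears, as an added example that is not part of the PR or of either commenter's code. It uses only the standard PostgreSQL catalogs `pg_available_extensions`, `pg_available_extension_versions`, `pg_extension` and `pg_depend`, and assumes it is run with psql against the test database.

```sql
-- Added example: diagnose 'required extension "pgsodium" is not installed'.

-- 1. Which version would a bare CREATE EXTENSION pick, and is one installed?
SELECT name, default_version, installed_version
FROM pg_available_extensions
WHERE name IN ('supabase_vault', 'pgsodium');

-- 2. What does each shipped version declare in its control file?
--    A version whose "requires" contains pgsodium fails at CREATE EXTENSION
--    when pgsodium is absent, unless CASCADE can install it.
SELECT name, version, installed, requires
FROM pg_available_extension_versions
WHERE name = 'supabase_vault'
ORDER BY version;

-- 3. Migrations that pin a version bypass default_version, so also list
--    every version whose control file still names pgsodium.
SELECT name, version
FROM pg_available_extension_versions
WHERE 'pgsodium' = ANY (requires);

-- 4. On a database that was upgraded rather than created fresh:
--    which installed extensions still depend on pgsodium?
SELECT dependent.extname AS extension,
       dependent.extversion AS version,
       required.extname AS depends_on
FROM pg_depend d
JOIN pg_extension dependent
  ON d.classid = 'pg_extension'::regclass
 AND d.objid = dependent.oid
JOIN pg_extension required
  ON d.refclassid = 'pg_extension'::regclass
 AND d.refobjid = required.oid
WHERE required.extname = 'pgsodium';
```

If query 2 lists only a version that requires pgsodium, the running server is still built with the older control file.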

@samrose
Collaborator

samrose commented Feb 6, 2025

@soedirgo

> This error still puzzles me - from the looks of it it happens on create extension supabase_vault, which would make sense on the older version of supabase_vault (0.2.8) which has a dependency on pgsodium. But the new supabase_vault (0.3.1) has no dependency on pgsodium, so it shouldn't be spitting out this error...

I fixed this error in my pr to this pr

@samrose
Collaborator

samrose commented Feb 6, 2025

I’ll create a new pr against this branch to try and continue fixing the testdb issue

@soedirgo soedirgo force-pushed the feat/vault-sans-pgsodium branch from b5126d4 to b9ec53e Compare February 11, 2025 05:58
@soedirgo soedirgo force-pushed the feat/vault-sans-pgsodium branch from b9ec53e to d7f6f7c Compare February 11, 2025 05:59
@soedirgo
Member Author

CI failures have been fixed (thanks Sam 🙏 ) ready to merge now

@samrose samrose self-requested a review February 11, 2025 12:46
@soedirgo soedirgo merged commit 1559c2d into develop Feb 12, 2025
12 checks passed
@soedirgo soedirgo deleted the feat/vault-sans-pgsodium branch February 12, 2025 06:47