From e09505ff12170dac59e82f8ca7a0510f6dfe3833 Mon Sep 17 00:00:00 2001 From: Tom Ashley Date: Thu, 19 Jun 2025 10:44:27 +0100 Subject: [PATCH 1/4] feat: Install gandalf, salt-wrapper for infra --- .../files/gandalf_config/gandalf.sudoers.conf | 2 + .../files/gandalf_config/gandalf_salt.service | 19 +++++ .../files/gandalf_config/gandalf_salt.timer | 13 +++ ansible/manifest-playbook.yml | 18 +++++ ansible/tasks/internal/gandalf.yml | 79 +++++++++++++++++++ ansible/tasks/setup-supabase-internal.yml | 5 ++ ansible/vars.yml | 2 + 7 files changed, 138 insertions(+) create mode 100644 ansible/files/gandalf_config/gandalf.sudoers.conf create mode 100644 ansible/files/gandalf_config/gandalf_salt.service create mode 100644 ansible/files/gandalf_config/gandalf_salt.timer create mode 100644 ansible/tasks/internal/gandalf.yml diff --git a/ansible/files/gandalf_config/gandalf.sudoers.conf b/ansible/files/gandalf_config/gandalf.sudoers.conf new file mode 100644 index 000000000..bf2517490 --- /dev/null +++ b/ansible/files/gandalf_config/gandalf.sudoers.conf @@ -0,0 +1,2 @@ +%gandalf ALL= NOPASSWD: /usr/bin/salt-call +%gandalf ALL= NOPASSWD: /usr/bin/gpg --homedir /etc/salt/gpgkeys --import, /usr/bin/gpg --homedir /etc/salt/gpgkeys --list-secret-keys * diff --git a/ansible/files/gandalf_config/gandalf_salt.service b/ansible/files/gandalf_config/gandalf_salt.service new file mode 100644 index 000000000..c70db7ed8 --- /dev/null +++ b/ansible/files/gandalf_config/gandalf_salt.service @@ -0,0 +1,19 @@ +[Unit] +Description=Configuration management via gandalf salt +After=network.target + +[Service] +Type=oneshot +ExecStart=/opt/gandalf/gandalf --config /opt/gandalf/config.yaml salt --apply --store-result +User=gandalf +Group=gandalf +StandardOutput=journal +StandardError=journal +StateDirectory=gandalf +CacheDirectory=gandalf + +# Security hardening +PrivateTmp=true + +[Install] +WantedBy=multi-user.target 
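Review bot: The first rule, `%gandalf ALL= NOPASSWD: /usr/bin/salt-call`, puts no restriction on arguments, so any member of the gandalf group can run salt-call as root with whatever arguments it likes, which is equivalent to unrestricted root for that group; if that is the intended trust boundary it deserves a comment saying so, otherwise pin the invocation the service actually uses (the `salt --apply` path of the gandalf binary in this same patch) or route it through a fixed wrapper script. The trailing `*` in `--list-secret-keys *` is also broader than it looks: sudoers wildcards match across argument boundaries, so additional gpg options can be appended after `--list-secret-keys`, and the rule should list the exact forms the wrapper needs. Both rules omit the runas spec, so they default to root; writing `ALL=(root) NOPASSWD:` makes that explicit. The installing task in gandalf.yml copies this fragment with mode 0644, whereas sudo expects sudoers.d fragments at 0440 and, as far as I recall, skips fragments carrying extra permission bits, so this file may be silently ignored; see the note on that hunk.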
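Review bot: The `# Security hardening` block contains only `PrivateTmp=true`, and the reason stronger sandboxing is absent is not recorded: the unit presumably elevates through the sudoers fragment added in this same patch, so `NoNewPrivileges=true` would break it, and `ProtectSystem=` would likely conflict with states that write under /etc. A comment such as `# NoNewPrivileges/ProtectSystem intentionally unset: the run elevates via sudo to salt-call, which writes system paths` would stop a later hardening pass from breaking the service. `ProtectHome=true` and `ProtectKernelTunables=true` look compatible with that model, but I cannot confirm from here what the salt states touch, so treat that as something to verify rather than apply blindly.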
diff --git a/ansible/files/gandalf_config/gandalf_salt.timer b/ansible/files/gandalf_config/gandalf_salt.timer new file mode 100644 index 000000000..6862ca402 --- /dev/null +++ b/ansible/files/gandalf_config/gandalf_salt.timer @@ -0,0 +1,13 @@ +[Unit] +Description=Run Supabase gandalf salt on a schedule +Requires=gandalf_salt.service + +[Timer] +OnCalendar=*:0/10 +# Random delay up to 30 seconds splay +RandomizedDelaySec=30 +AccuracySec=1s +Persistent=true + +[Install] +WantedBy=timers.target diff --git a/ansible/manifest-playbook.yml b/ansible/manifest-playbook.yml index 5c1c65053..583e3596c 100644 --- a/ansible/manifest-playbook.yml +++ b/ansible/manifest-playbook.yml @@ -61,6 +61,22 @@ shell: | cd /tmp && tar -cJf admin-mgr-{{ adminmgr_release }}-arm64.tar.xz admin-mgr + - name: Download gandalf archive + get_url: + url: "https://supabase-public-artifacts-bucket.s3.amazonaws.com/gandalf/v{{ gandalf_release }}/gandalf_{{ gandalf_release }}_linux_arm64.tar.gz" + dest: "/tmp/gandalf.tar.gz" + timeout: 90 + + - name: gandalf - unpack archive in /tmp + unarchive: + remote_src: yes + src: /tmp/gandalf.tar.gz + dest: /tmp + + - name: gandalf - pack archive + shell: | + cd /tmp && tar -cJf gandalf-{{ gandalf_release }}-arm64.tar.xz gandalf + - name: upload archives shell: | aws s3 cp /tmp/{{ item.file }} s3://{{ internal_artifacts_bucket }}/upgrades/{{ item.service }}/{{ item.file }} @@ -73,3 +89,5 @@ file: supabase-admin-api-{{ adminapi_release }}-arm64.tar.xz - service: admin-mgr file: admin-mgr-{{ adminmgr_release }}-arm64.tar.xz + - service: gandalf + file: gandalf-{{ gandalf_release }}-arm64.tar.xz diff --git a/ansible/tasks/internal/gandalf.yml b/ansible/tasks/internal/gandalf.yml new file mode 100644 index 000000000..c6ffc9673 --- /dev/null +++ b/ansible/tasks/internal/gandalf.yml 
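Review bot: `Requires=gandalf_salt.service` in the timer's [Unit] section is unusual and, as I read systemd's dependency semantics, causes the service to be started once whenever the timer itself starts (for example at boot), in addition to the `OnCalendar=*:0/10` schedule. A timer activates the unit of the same name by default, so `Requires=` is unnecessary for the scheduling itself; drop it unless an immediate run on timer start is intended, in which case a comment saying so would help. With `Persistent=true` a missed run is also replayed at boot, so a host coming up could run the apply twice in quick succession.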
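Review bot: The `Download gandalf archive` task fetches from a public bucket with no `checksum:`, and the following tasks repack and upload the result into the internal artifacts bucket, so an unverified download becomes a trusted artifact. `get_url` supports `checksum: "sha256:<expected-sha256>"` (placeholder; pin per `gandalf_release`), and the same omission is in the `Download gandalf archive` task of the new `ansible/tasks/internal/gandalf.yml`, where the archive is unpacked straight into /opt. The pack step `tar -cJf gandalf-{{ gandalf_release }}-arm64.tar.xz gandalf` assumes the upstream archive extracts to a top-level `gandalf` directory, which I cannot confirm from here; a comment noting that assumption would help. The enclosing play starts before this hunk.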
@@ -0,0 +1,79 @@ +- name: gandalf - system user + user: + name: gandalf + groups: admin,gandalf,salt + append: yes + system: yes + shell: /bin/sh + +- name: Setting arch (x86) + set_fact: + arch: "x86" + when: platform == "amd64" + +- name: Setting arch (arm) + set_fact: + arch: "arm64" + when: platform == "arm64" + +- name: Download gandalf archive + get_url: + url: "https://supabase-public-artifacts-bucket.s3.amazonaws.com/gandalf/v{{ gandalf_release }}/gandalf_{{ gandalf_release }}_linux_{{ arch }}.tar.gz" + dest: "/tmp/gandalf.tar.gz" + timeout: 90 + +- name: gandalf - unpack archive in /opt + unarchive: + remote_src: yes + src: /tmp/gandalf.tar.gz + dest: /opt + owner: gandalf + +- name: gandalf - create symlink + ansible.builtin.file: + path: /opt/gandalf/gandalf + src: "/opt/gandalf/gandalf-linux-{{ arch }}" + state: link + owner: gandalf + mode: '0755' + force: yes + +- name: gandalf - config dir + file: + path: /opt/gandalf + owner: gandalf + state: directory + +- name: gandalf - gpg dir + file: + path: /etc/salt/gpgkeys + owner: root + group: salt + state: directory + +- name: give gandalf user permissions + copy: + src: files/gandalf.sudoers.conf + dest: /etc/sudoers.d/gandalf + mode: "0644" + +- name: gandalf - create salt systemd timer file + copy: + src: files/gandalf_config/gandalf_salt.timer + dest: /etc/systemd/system/gandalf_salt.timer + +- name: gandalf - create salt service file + copy: + src: files/gandalf_config/gandalf_salt.service + dest: /etc/systemd/system/gandalf_salt.service + +- name: gandalf - reload systemd + systemd: + daemon_reload: yes + +# Initially ensure gandalf is installed but not started +- name: gandalf - DISABLE service + systemd: + name: gandalf_salt + enabled: no + state: stopped diff --git a/ansible/tasks/setup-supabase-internal.yml b/ansible/tasks/setup-supabase-internal.yml index 7aa931763..5a37dbaa0 100644 --- a/ansible/tasks/setup-supabase-internal.yml +++ b/ansible/tasks/setup-supabase-internal.yml 
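Review bot: The `give gandalf user permissions` task copies `files/gandalf.sudoers.conf`, but the file this patch creates is `ansible/files/gandalf_config/gandalf.sudoers.conf` (the path the timer and service copy tasks use), so this task should fail on a missing source. It also installs the fragment with `mode: "0644"`, while sudo expects sudoers.d fragments at 0440 and, as far as I recall, skips fragments with extra permission bits; no `validate` is run either, so a syntax error would only surface as a lost rule. I would change the task to `src: files/gandalf_config/gandalf.sudoers.conf`, `mode: "0440"`, `validate: /usr/sbin/visudo -cf %s`, and add `owner: root`. The final `gandalf - DISABLE service` task stops and disables only `gandalf_salt` (the service); the timer installed two tasks earlier is what actually schedules runs, so disabling `gandalf_salt.timer` there too would make the "installed but not started" intent explicit.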
@@ -115,5 +115,10 @@ tags: - aws-only +- name: Install gandalf + import_tasks: internal/gandalf.yml + tags: + - aws-only + - name: Envoy - use lds.supabase.yaml for /etc/envoy/lds.yaml command: mv /etc/envoy/lds.supabase.yaml /etc/envoy/lds.yaml diff --git a/ansible/vars.yml b/ansible/vars.yml index 2838d6f92..f1e633c8a 100644 --- a/ansible/vars.yml +++ b/ansible/vars.yml @@ -57,3 +57,5 @@ adminmgr_release: 0.25.1 vector_x86_deb: "https://packages.timber.io/vector/0.22.3/vector_0.22.3-1_amd64.deb" vector_arm_deb: "https://packages.timber.io/vector/0.22.3/vector_0.22.3-1_arm64.deb" + +gandalf_release: 1.4.18 From c7492f518ff06c22d9945eac3527b21b6b5f983e Mon Sep 17 00:00:00 2001 From: Tom Ashley Date: Mon, 23 Jun 2025 11:38:16 +0100 Subject: [PATCH 2/4] chore: version bumps --- ansible/tasks/internal/gandalf.yml | 2 +- ansible/vars.yml | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/ansible/tasks/internal/gandalf.yml b/ansible/tasks/internal/gandalf.yml index c6ffc9673..7ef2bd0af 100644 --- a/ansible/tasks/internal/gandalf.yml +++ b/ansible/tasks/internal/gandalf.yml @@ -57,7 +57,7 @@ dest: /etc/sudoers.d/gandalf mode: "0644" -- name: gandalf - create salt systemd timer file +- name: gandalf - create salt systemd timer file copy: src: files/gandalf_config/gandalf_salt.timer dest: /etc/systemd/system/gandalf_salt.timer diff --git a/ansible/vars.yml b/ansible/vars.yml index f1e633c8a..4d54e10bc 100644 --- a/ansible/vars.yml +++ b/ansible/vars.yml @@ -10,8 +10,8 @@ postgres_major: # Full version strings for each major version postgres_release: postgresorioledb-17: "17.0.1.093-orioledb" - postgres17: "17.4.1.043" - postgres15: "15.8.1.100" + postgres17: "17.4.1.044" + postgres15: "15.8.1.101" # Non Postgres Extensions pgbouncer_release: "1.19.0" 
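Review bot: In the vars.yml hunk, `gandalf_release: 1.4.18` is unquoted; three-component versions parse as strings, but a future two-component value such as `1.5` would be loaded as a float and silently change the download URL built from it in gandalf.yml. The file already quotes `pgbouncer_release: "1.19.0"` and the `postgres_release` entries, so `gandalf_release: "1.4.18"` keeps the new key consistent with that convention.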
@@ -58,4 +58,4 @@ adminmgr_release: 0.25.1 vector_x86_deb: "https://packages.timber.io/vector/0.22.3/vector_0.22.3-1_amd64.deb" vector_arm_deb: "https://packages.timber.io/vector/0.22.3/vector_0.22.3-1_arm64.deb" -gandalf_release: 1.4.18 +gandalf_release: 1.4.26 From d609e224b79b8437947895d984f2d48539b4832d Mon Sep 17 00:00:00 2001 From: Tom Ashley Date: Mon, 23 Jun 2025 12:20:21 +0100 Subject: [PATCH 3/4] bumping oriole build also --- ansible/vars.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/vars.yml b/ansible/vars.yml index 4d54e10bc..18895df58 100644 --- a/ansible/vars.yml +++ b/ansible/vars.yml @@ -9,7 +9,7 @@ postgres_major: # Full version strings for each major version postgres_release: - postgresorioledb-17: "17.0.1.093-orioledb" + postgresorioledb-17: "17.0.1.094-orioledb" postgres17: "17.4.1.044" postgres15: "15.8.1.101" From b28ecd6370dcf308da1e42cf9ab7d6696594b59e Mon Sep 17 00:00:00 2001 From: Tom Ashley Date: Mon, 23 Jun 2025 14:15:54 +0100 Subject: [PATCH 4/4] fix: create the gandalf group for user --- ansible/tasks/internal/gandalf.yml | 3 ++- ansible/vars.yml | 6 +++--- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/ansible/tasks/internal/gandalf.yml b/ansible/tasks/internal/gandalf.yml index 7ef2bd0af..29027eb93 100644 --- a/ansible/tasks/internal/gandalf.yml +++ b/ansible/tasks/internal/gandalf.yml @@ -1,7 +1,8 @@ - name: gandalf - system user user: name: gandalf - groups: admin,gandalf,salt + group: gandalf + groups: admin,salt append: yes system: yes shell: /bin/sh diff --git a/ansible/vars.yml b/ansible/vars.yml index 18895df58..0172182eb 100644 --- a/ansible/vars.yml +++ b/ansible/vars.yml 
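Review bot: In the gandalf.yml hunk of patch 4, `group: gandalf` sets the primary group but does not create it: Ansible's `user` module fails with "Group gandalf does not exist" when the named primary group is absent, so unless the group is created elsewhere before this task the fix reproduces the original failure in a different form. A preceding task `- name: gandalf - system group` / `group:` with `name: gandalf` and `system: yes` would make the ordering explicit. Separately, `groups: admin,salt` keeps the user in `admin`; if this image's /etc/sudoers still carries Ubuntu's historical `%admin ALL=(ALL) ALL` rule, that grants more than the narrowly scoped sudoers.d fragment this series adds, so drop `admin` unless a specific need for it is documented.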
@@ -9,9 +9,9 @@ postgres_major: # Full version strings for each major version postgres_release: - postgresorioledb-17: "17.0.1.094-orioledb" - postgres17: "17.4.1.044" - postgres15: "15.8.1.101" + postgresorioledb-17: "17.0.1.095-orioledb" + postgres17: "17.4.1.045" + postgres15: "15.8.1.102" # Non Postgres Extensions pgbouncer_release: "1.19.0"