chore: make unique ami name

Author: burmecia

ansible/files/admin_api_scripts/pg_upgrade_scripts/initiate.sh

@@ -12,6 +12,7 @@
 EXTENSIONS_TO_DISABLE=(
     "pg_graphql"
     "pg_stat_monitor"
+    "pg_backtrace"
 )
 
 PG14_EXTENSIONS_TO_DISABLE=(
@@ -217,6 +218,7 @@ function initiate_upgrade {
     SHARED_PRELOAD_LIBRARIES=$(echo "$SHARED_PRELOAD_LIBRARIES" | sed "s/pg_net//" | xargs)
     SHARED_PRELOAD_LIBRARIES=$(echo "$SHARED_PRELOAD_LIBRARIES" | sed "s/check_role_membership//" | xargs)
     SHARED_PRELOAD_LIBRARIES=$(echo "$SHARED_PRELOAD_LIBRARIES" | sed "s/safeupdate//" | xargs)
+    SHARED_PRELOAD_LIBRARIES=$(echo "$SHARED_PRELOAD_LIBRARIES" | sed "s/pg_backtrace//" | xargs)
 
     # Exclude empty-string entries, as well as leading/trailing commas and spaces resulting from the above lib exclusions
     #  i.e. " , pg_stat_statements, , pgsodium, " -> "pg_stat_statements, pgsodium"

ansible/files/envoy_config/lds.supabase.yaml

@@ -37,51 +37,6 @@ resources:
                     rules:
                       action: DENY
                       policies:
-                        api_key_missing:
-                          permissions:
-                            - any: true
-                          principals:
-                            - not_id:
-                                or_ids:
-                                  ids:
-                                    - header:
-                                        name: apikey
-                                        present_match: true
-                                    - header:
-                                        name: ':path'
-                                        string_match:
-                                          contains: apikey=
-                        api_key_not_valid:
-                          permissions:
-                            - any: true
-                          principals:
-                            - not_id:
-                                or_ids:
-                                  ids:
-                                    - header:
-                                        name: apikey
-                                        string_match:
-                                          exact: anon_key
-                                    - header:
-                                        name: apikey
-                                        string_match:
-                                          exact: service_key
-                                    - header:
-                                        name: apikey
-                                        string_match:
-                                          exact: supabase_admin_key
-                                    - header:
-                                        name: ':path'
-                                        string_match:
-                                          contains: apikey=anon_key
-                                    - header:
-                                        name: ':path'
-                                        string_match:
-                                          contains: apikey=service_key
-                                    - header:
-                                        name: ':path'
-                                        string_match:
-                                          contains: apikey=supabase_admin_key
                         origin_protection_key_missing:
                           permissions:
                             - any: true
@@ -234,6 +189,10 @@ resources:
                                   prefix: /metrics/aggregated
                                 invert_match: true
                     status_code: 401
+                    headers_to_add:
+                      - header:
+                          key: x-sb-error-code
+                          value: '%RESPONSE_CODE_DETAILS%'
                     body_format_override:
                       json_format:
                         message: >-
@@ -383,24 +342,6 @@ resources:
                         route:
                           cluster: admin_api
                           prefix_rewrite: /privileged/
-                        typed_per_filter_config:
-                          envoy.filters.http.rbac:
-                            '@type': >-
-                              type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBACPerRoute
-                            rbac:
-                              rules:
-                                action: DENY
-                                policies:
-                                  basic_auth:
-                                    permissions:
-                                      - any: true
-                                    principals:
-                                      - header:
-                                          name: authorization
-                                          invert_match: true
-                                          string_match:
-                                            exact: Basic c2VydmljZV9yb2xlOnNlcnZpY2Vfa2V5
-                                          treat_missing_header_as_empty: true
                       - match:
                           prefix: /metrics/aggregated
                         request_headers_to_remove:

ansible/files/envoy_config/lds.yaml

@@ -215,6 +215,10 @@ resources:
                                   prefix: /metrics/aggregated
                                 invert_match: true
                     status_code: 401
+                    headers_to_add:
+                      - header:
+                          key: x-sb-error-code
+                          value: '%RESPONSE_CODE_DETAILS%'
                     body_format_override:
                       json_format:
                         message: >-

ansible/vars.yml

@@ -8,8 +8,8 @@ postgres_major:
 
 # Full version strings for each major version
 postgres_release:
-  postgresorioledb-17: "17.0.1.040-orioledb-bo"
-  postgres15: "15.8.1.045-bo"
+  postgresorioledb-17: "17.0.1.042-orioledb-wrapper"
+  postgres15: "15.8.1.049-wrapper"
 
 # Non Postgres Extensions
 pgbouncer_release: "1.19.0"

ebssurrogate/scripts/qemu-bootstrap-nix.sh

@@ -143,4 +143,6 @@ function clean_system {
 
 install_nix
 execute_stage2_playbook
+# we do not want to ship an initialized DB as this is performed as needed
+rm -rf /data/pgdata
 cloud-init clean --logs

flake.nix

@@ -125,7 +125,6 @@
           ./nix/ext/postgis.nix
           ./nix/ext/pgrouting.nix
           ./nix/ext/pgtap.nix
-          ./nix/ext/pg_backtrace.nix
           ./nix/ext/pg_cron.nix
           ./nix/ext/pgsql-http.nix
           ./nix/ext/pg_plan_filter.nix

migrations/README.md

@@ -78,15 +78,18 @@ Additionally, [supabase/postgres](https://github.com/supabase/postgres/blob/deve
 
 ### Add a Migration
 
+First, start a local postgres server and apply the migrations
+
 ```shell
 # Start the database server
-docker-compose up
+nix run .#dbmate-tool -- --version 15 --flake-url "."
 
 # create a new migration
+nix develop
 dbmate new '<some message>'
 ```
 
-Then, populate the migration at `./db/migrations/xxxxxxxxx_<some_message>` and make sure it execute sucessfully with
+Then, execute the migration at `./db/migrations/xxxxxxxxx_<some_message>` and make sure it runs sucessfully with
 
 ```shell
 dbmate up

migrations/db/migrations/20250205144616_move_orioledb_to_extensions_schema.sql

@@ -0,0 +1,26 @@
+-- migrate:up
+do $$
+declare
+    ext_schema text;
+    extensions_schema_exists boolean;
+begin
+    -- check if the "extensions" schema exists
+    select exists (
+        select 1 from pg_namespace where nspname = 'extensions'
+    ) into extensions_schema_exists;
+
+    if extensions_schema_exists then
+        -- check if the "orioledb" extension is in the "public" schema
+        select nspname into ext_schema
+        from pg_extension e
+        join pg_namespace n on e.extnamespace = n.oid
+        where extname = 'orioledb';
+
+        if ext_schema = 'public' then
+            execute 'alter extension orioledb set schema extensions';
+        end if;
+    end if;
+end $$;
+
+-- migrate:down
+

migrations/schema-orioledb-17.sql

@@ -91,7 +91,7 @@ CREATE SCHEMA vault;
 -- Name: orioledb; Type: EXTENSION; Schema: -; Owner: -
 --
 
-CREATE EXTENSION IF NOT EXISTS orioledb WITH SCHEMA public;
+CREATE EXTENSION IF NOT EXISTS orioledb WITH SCHEMA extensions;
 
 
 --

nix/tests/expected/security.out

@@ -0,0 +1,30 @@
+-- get a list of security definer functions owned by supabase_admin
+-- this list should be vetted to ensure the functions are safe to use as security definer
+select
+    n.nspname, p.proname
+from pg_catalog.pg_proc p
+    left join pg_catalog.pg_namespace n ON n.oid = p.pronamespace
+where p.proowner = (select oid from pg_catalog.pg_roles where rolname = 'supabase_admin')
+        and p.prosecdef = true
+order by 1,2;
+ nspname  |            proname             
+----------+--------------------------------
+ graphql  | get_schema_version
+ graphql  | increment_schema_version
+ pgsodium | disable_security_label_trigger
+ pgsodium | enable_security_label_trigger
+ pgsodium | get_key_by_id
+ pgsodium | get_key_by_name
+ pgsodium | get_named_keys
+ pgsodium | mask_role
+ pgsodium | update_mask
+ public   | dblink_connect_u
+ public   | dblink_connect_u
+ public   | pgaudit_ddl_command_end
+ public   | pgaudit_sql_drop
+ public   | st_estimatedextent
+ public   | st_estimatedextent
+ public   | st_estimatedextent
+ repack   | repack_trigger
+(17 rows)
+