
Commit 00837a2

Authored by michelp, soedirgo and sweatybridge
Feat/pgsodium vault updates (#411)
* update release candidate ami for pgsodium and vault updates.
* update pgsodium and vault.
* update release candidate ami for pgsodium and vault updates.
* remove vault ami release.
* bump vault version.
* add pgsodium in migration file, not at ami creation point.
* spelled extension name wrong.
* remove pgsodium from docker init, add as migration script.
* make migration idempotent
* bump version
* fix schema check in tests
* add vault schema to tests
* fix extension dependencies after extension creation
* bump vault

Co-authored-by: Bobbie Soedirgo <[email protected]>
Co-authored-by: Qiao Han <[email protected]>
1 parent 4b12897 commit 00837a2


8 files changed, 35 additions and 12 deletions


Dockerfile

Lines changed: 1 addition & 1 deletion
@@ -33,7 +33,7 @@ ENV LC_ALL en_US.UTF-8
3333

3434
COPY ansible/files/pgbouncer_config/pgbouncer_auth_schema.sql /docker-entrypoint-initdb.d/00-schema.sql
3535
COPY ansible/files/stat_extension.sql /docker-entrypoint-initdb.d/01-extension.sql
36-
COPY ansible/files/sodium_extension.sql /docker-entrypoint-initdb.d/02-sodium-extension.sql
36+
# COPY ansible/files/sodium_extension.sql /docker-entrypoint-initdb.d/02-sodium-extension.sql
3737
COPY migrations/db/ /docker-entrypoint-initdb.d/
3838

3939
CMD ["postgres", "-c", "config_file=/etc/postgresql/postgresql.conf"]
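Review bot: the COPY of ansible/files/sodium_extension.sql into /docker-entrypoint-initdb.d/ is commented out rather than deleted, which leaves a dead line that someone will eventually re-enable and thereby run `create extension` twice (once here, once from the new migration under migrations/db/, which is what now creates pgsodium). Delete the line outright; the same script is dropped from the ansible/playbook.yml copy list in this change, so nothing references it any more.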

README.md

Lines changed: 1 addition & 1 deletion
@@ -28,7 +28,7 @@ Unmodified Postgres with some useful plugins. Our goal with this repo is not to
2828
| [pg_net](https://github.com/supabase/pg_net) | [v0.6.1](https://github.com/supabase/pg_net/releases/tag/v0.6.1) | Expose the SQL interface for async networking. |
2929
| [rum](https://github.com/postgrespro/rum) | [1.3.13](https://github.com/postgrespro/rum/releases/tag/1.3.13) | An alternative to the GIN index. |
3030
| [pg_hashids](https://github.com/iCyberon/pg_hashids) | [commit](https://github.com/iCyberon/pg_hashids/commit/83398bcbb616aac2970f5e77d93a3200f0f28e74) | Generate unique identifiers from numbers. |
31-
| [pgsodium](https://github.com/michelp/pgsodium) | [2.0.0](https://github.com/michelp/pgsodium/releases/tag/2.0.0) | Modern encryption API using libsodium. |
31+
| [pgsodium](https://github.com/michelp/pgsodium) | [3.1.0](https://github.com/michelp/pgsodium/releases/tag/2.0.0) | Modern encryption API using libsodium. |
3232
| [pg_stat_monitor](https://github.com/percona/pg_stat_monitor) | [1.0.1](https://github.com/percona/pg_stat_monitor/releases/tag/1.0.1) | Query Performance Monitoring Tool for PostgreSQL
3333

3434
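Review bot: the pgsodium version cell is bumped to 3.1.0 but the link still targets releases/tag/2.0.0, so the table now points at the wrong release; change it to `https://github.com/michelp/pgsodium/releases/tag/3.1.0`, which matches `pgsodium_release: "3.1.0"` in ansible/vars.yml. Note also that the old cell said 2.0.0 while vars.yml already pinned 3.0.4, so this table was stale before the change; and supabase_vault, which this commit now installs at 0.2.3 and which appears as a `vault` schema in the test expectations, has no row here at all. Add one.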

ansible/playbook.yml

Lines changed: 0 additions & 1 deletion
@@ -14,7 +14,6 @@
1414
dest: "00-schema.sql",
1515
}
1616
- { source: "stat_extension.sql", dest: "01-extension.sql" }
17-
- { source: "sodium_extension.sql", dest: "02-sodium-extension.sql" }
1817

1918
environment:
2019
PATH: /usr/lib/postgresql/bin:{{ ansible_env.PATH }}
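Review bot: removing the `02-sodium-extension.sql` entry is consistent with moving `create extension pgsodium` into the migration, but the source file ansible/files/sodium_extension.sql is not deleted in this change set (it is not among the 8 files changed), and the matching Dockerfile COPY is only commented out. Remove the file too, so there is exactly one path that creates the extension and the AMI and Docker builds cannot drift apart again.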

ansible/tasks/setup-extensions.yml

Lines changed: 2 additions & 2 deletions
@@ -64,8 +64,8 @@
6464
- name: Install auto_explain
6565
import_tasks: tasks/postgres-extensions/21-auto_explain.yml
6666

67-
# - name: Install vault
68-
# import_tasks: tasks/postgres-extensions/23-vault.yml
67+
- name: Install vault
68+
import_tasks: tasks/postgres-extensions/23-vault.yml
6969

7070
- name: Install PGroonga
7171
import_tasks: tasks/postgres-extensions/24-pgroonga.yml
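Review bot: re-enabling `Install vault` is fine as far as this hunk shows, but supabase_vault depends on pgsodium (the migration in this change creates pgsodium first and then detaches `pgsodium.decrypted_key` and `pgsodium.key_encrypt_secret` from supabase_vault), and the pgsodium install task is not visible here; confirm it is ordered before `23-vault.yml` in this file. Also check that 23-vault.yml, which is not part of this change, does not hard-code the old 0.0.1 version or assume a `sha1:` checksum, since vars.yml now supplies `vault_release: "0.2.3"` with a `sha256:` checksum.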

ansible/vars.yml

Lines changed: 4 additions & 4 deletions
@@ -95,17 +95,17 @@ vector_arm_deb: "https://packages.timber.io/vector/0.22.3/vector_0.22.3-1_arm64.
9595
libsodium_release: "1.0.18"
9696
libsodium_release_checksum: sha1:795b73e3f92a362fabee238a71735579bf46bb97
9797

98-
pgsodium_release: "3.0.4"
99-
pgsodium_release_checksum: sha1:f08e9ac109ab5e6fc8b15ea21b26f88f451a2070
98+
pgsodium_release: "3.1.0"
99+
pgsodium_release_checksum: sha1:b77c384e2908064dca136f87163d011cd56edd54
100100

101101
pg_graphql_release: "v1.0.0"
102102

103103
pg_jsonschema_release: "v0.1.3"
104104

105105
pg_stat_monitor_release: "1.1.1"
106106

107-
vault_release: "0.0.1"
108-
vault_release_checksum: sha1:a5ea3356c6f41985b2bef67b6a0491d4ffa99816
107+
vault_release: "0.2.3"
108+
vault_release_checksum: sha256:463cea027d19edda1f4e8025180db0a90535233cb9edd850d6d153aad8f609d1
109109

110110
groonga_release: "12.0.8"
111111
groonga_release_checksum: sha1:32aee787efffc2a22760fde946fb6462286074e2
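Review bot: the vault checksum moves from `sha1:` to `sha256:` while `pgsodium_release_checksum` (and libsodium_release_checksum, groonga_release_checksum just above and below) stays on SHA-1; since this is the only integrity check on a downloaded cryptography extension, pin pgsodium 3.1.0 with a SHA-256 digest as well rather than mixing algorithms. The `sha256:<hex>` form is accepted as-is by Ansible `get_url`'s `checksum` argument, so this only requires the task that consumes `vault_release_checksum` (23-vault.yml, not in this change set) to pass the value through unmodified; worth verifying before the AMI build runs.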

common.vars.pkr.hcl

Lines changed: 1 addition & 1 deletion
@@ -1 +1 @@
1-
postgres-version = "15.1.0.2"
1+
postgres-version = "15.1.0.3-rc0"
Lines changed: 24 additions & 0 deletions
@@ -0,0 +1,24 @@
1+
-- migrate:up
2+
3+
create extension if not exists pgsodium;
4+
5+
grant pgsodium_keyiduser to postgres with admin option;
6+
grant pgsodium_keyholder to postgres with admin option;
7+
grant pgsodium_keymaker to postgres with admin option;
8+
9+
do $$
10+
begin
11+
if not exists (select from pg_extension where extname = 'supabase_vault') then
12+
create extension supabase_vault;
13+
-- Creating the extension creates a table and creates a security label on the table.
14+
-- Creating the security label triggers a function that recreates these objects.
15+
-- Since the recreation happens in an extension script, these objects become owned by the `supabase_vault` extension.
16+
-- This is an issue because then we can't recreate these objects without also dropping the extension.
17+
-- Thus we drop the dependency on the `supabase_vault` extension for these objects.
18+
alter extension supabase_vault drop view pgsodium.decrypted_key;
19+
alter extension supabase_vault drop function pgsodium.key_encrypt_secret;
20+
end if;
21+
end;
22+
$$;
23+
24+
-- migrate:down
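Review bot: `-- migrate:down` is empty, so rolling this migration back is a no-op that leaves pgsodium, supabase_vault and the three role grants in place; either add a down section (`drop extension if exists supabase_vault;` and matching `revoke` statements) or state in the file that it is forward-only. Two further points on the up section: the three `grant ... to postgres with admin option` statements let `postgres` hand `pgsodium_keyholder` and `pgsodium_keymaker` on to any other role, which widens who can reach key material, so if that delegation is intentional say so in the commit, otherwise drop `with admin option`. And the `if not exists` guard is what makes the script idempotent, because `alter extension supabase_vault drop view pgsodium.decrypted_key` raises an error when the view is no longer a member; a one-line comment saying that the guard exists for the `alter extension` calls (not just for `create extension`) would stop a future reader from "simplifying" the block into `create extension if not exists supabase_vault`.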

migrations/tests/database/exists.sql

Lines changed: 2 additions & 2 deletions
@@ -3,8 +3,8 @@ SELECT schemas_are(ARRAY[
33
'public',
44
'auth',
55
'extensions',
6-
'graphql',
76
'graphql_public',
87
'realtime',
9-
'storage'
8+
'storage',
9+
'vault'
1010
]);
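Review bot: besides adding `'vault'`, this hunk silently drops `'graphql'` from the expected schema set, which the commit message covers only as "fix schema check in tests"; if pg_graphql v1.0.0 (pinned in vars.yml) no longer creates a `graphql` schema, say so explicitly, since a reader of this test cannot tell a deliberate removal from a lost line. Separately, `schemas_are` asserts an exact set, and the migration in this change both creates pgsodium and references `pgsodium.decrypted_key`, so a `pgsodium` schema exists in the database under test; either it belongs in this list alongside `vault` or the test is already filtering it out somewhere not shown here. Please confirm which.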
