From e09505ff12170dac59e82f8ca7a0510f6dfe3833 Mon Sep 17 00:00:00 2001
From: Tom Ashley
Date: Thu, 19 Jun 2025 10:44:27 +0100
Subject: [PATCH 1/9] feat: Install gandalf, salt-wrapper for infra
---
 .../files/gandalf_config/gandalf.sudoers.conf | 2 +
 .../files/gandalf_config/gandalf_salt.service | 19 +++++
 .../files/gandalf_config/gandalf_salt.timer | 13 +++
 ansible/manifest-playbook.yml | 18 +++++
 ansible/tasks/internal/gandalf.yml | 79 +++++++++++++++++++
 ansible/tasks/setup-supabase-internal.yml | 5 ++
 ansible/vars.yml | 2 +
 7 files changed, 138 insertions(+)
 create mode 100644 ansible/files/gandalf_config/gandalf.sudoers.conf
 create mode 100644 ansible/files/gandalf_config/gandalf_salt.service
 create mode 100644 ansible/files/gandalf_config/gandalf_salt.timer
 create mode 100644 ansible/tasks/internal/gandalf.yml
diff --git a/ansible/files/gandalf_config/gandalf.sudoers.conf b/ansible/files/gandalf_config/gandalf.sudoers.conf
new file mode 100644
index 000000000..bf2517490
--- /dev/null
+++ b/ansible/files/gandalf_config/gandalf.sudoers.conf
@@ -0,0 +1,2 @@
+%gandalf ALL= NOPASSWD: /usr/bin/salt-call
+%gandalf ALL= NOPASSWD: /usr/bin/gpg --homedir /etc/salt/gpgkeys --import, /usr/bin/gpg --homedir /etc/salt/gpgkeys --list-secret-keys *
diff --git a/ansible/files/gandalf_config/gandalf_salt.service b/ansible/files/gandalf_config/gandalf_salt.service
new file mode 100644
index 000000000..c70db7ed8
--- /dev/null
+++ b/ansible/files/gandalf_config/gandalf_salt.service
@@ -0,0 +1,19 @@
+[Unit]
+Description=Configuration management via gandalf salt
+After=network.target
+
+[Service]
+Type=oneshot
+ExecStart=/opt/gandalf/gandalf --config /opt/gandalf/config.yaml salt --apply --store-result
+User=gandalf
+Group=gandalf
+StandardOutput=journal
+StandardError=journal
+StateDirectory=gandalf
+CacheDirectory=gandalf
+
+# Security hardening
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target
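Review bot: The trailing `*` on the second rule's `--list-secret-keys` entry matches any argument string, spaces included, so it permits additional gpg options rather than just listing keys in that homedir; sudoers wildcards do not stop at word boundaries. Enumerate the exact invocations the agent actually runs instead of the wildcard, e.g. `/usr/bin/gpg --homedir /etc/salt/gpgkeys --list-secret-keys` on its own, or a fixed set of explicit argument forms. The first rule grants unrestricted passwordless `salt-call`, which makes membership of `%gandalf` effectively root-equivalent; that is presumably intended for the agent, but it means the group should contain only the service account and is worth a comment at the top of this file.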
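Review bot: The oneshot unit sets no `TimeoutStartSec`, so a `salt --apply` that hangs keeps the service in activating state indefinitely and later timer ticks are absorbed while it is stuck; add a bound sized to a normal run, e.g. `TimeoutStartSec=15min`. The `# Security hardening` comment covers only `PrivateTmp=true`; since the process presumably escalates through sudo for `salt-call` (per the sudoers file in this series), `NoNewPrivileges=true` cannot be added, and stating that constraint in the comment would stop someone from adding it later. `ProtectHome=true` looks compatible with what is shown here and would be a cheap addition, but confirm the agent does not touch home directories before adding it.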
diff --git a/ansible/files/gandalf_config/gandalf_salt.timer b/ansible/files/gandalf_config/gandalf_salt.timer
new file mode 100644
index 000000000..6862ca402
--- /dev/null
+++ b/ansible/files/gandalf_config/gandalf_salt.timer
@@ -0,0 +1,13 @@
+[Unit]
+Description=Run Supabase gandalf salt on a schedule
+Requires=gandalf_salt.service
+
+[Timer]
+OnCalendar=*:0/10
+# Random delay up to 30 seconds splay
+RandomizedDelaySec=30
+AccuracySec=1s
+Persistent=true
+
+[Install]
+WantedBy=timers.target
diff --git a/ansible/manifest-playbook.yml b/ansible/manifest-playbook.yml
index 5c1c65053..583e3596c 100644
--- a/ansible/manifest-playbook.yml
+++ b/ansible/manifest-playbook.yml
@@ -61,6 +61,22 @@
 shell: |
 cd /tmp && tar -cJf admin-mgr-{{ adminmgr_release }}-arm64.tar.xz admin-mgr
+ - name: Download gandalf archive
+ get_url:
+ url: "https://supabase-public-artifacts-bucket.s3.amazonaws.com/gandalf/v{{ gandalf_release }}/gandalf_{{ gandalf_release }}_linux_arm64.tar.gz"
+ dest: "/tmp/gandalf.tar.gz"
+ timeout: 90
+
+ - name: gandalf - unpack archive in /tmp
+ unarchive:
+ remote_src: yes
+ src: /tmp/gandalf.tar.gz
+ dest: /tmp
+
+ - name: gandalf - pack archive
+ shell: |
+ cd /tmp && tar -cJf gandalf-{{ gandalf_release }}-arm64.tar.xz gandalf
+
 - name: upload archives
 shell: |
 aws s3 cp /tmp/{{ item.file }} s3://{{ internal_artifacts_bucket }}/upgrades/{{ item.service }}/{{ item.file }}
@@ -73,3 +89,5 @@
 file: supabase-admin-api-{{ adminapi_release }}-arm64.tar.xz
 - service: admin-mgr
 file: admin-mgr-{{ adminmgr_release }}-arm64.tar.xz
+ - service: gandalf
+ file: gandalf-{{ gandalf_release }}-arm64.tar.xz
diff --git a/ansible/tasks/internal/gandalf.yml b/ansible/tasks/internal/gandalf.yml
new file mode 100644
index 000000000..c6ffc9673
--- /dev/null
+++ b/ansible/tasks/internal/gandalf.yml
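Review bot: `Requires=gandalf_salt.service` in the timer's [Unit] is unusual: a timer already binds to its service through the implicit `Unit=`, and `Requires=` additionally makes `systemctl start gandalf_salt.timer` launch the service at once and, as I read the dependency semantics, ties the timer's lifecycle to explicit stops of the service. The conventional form is to omit the line (or use `Wants=`) and let the schedule drive the service. `AccuracySec=1s` also disables coalescing for a job that fires every 10 minutes with a 30 s splay; the default accuracy would serve unless exact alignment matters, in which case the reason belongs in the existing comment.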
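Review bot: The `Download gandalf archive` task fetches the release tarball from a public bucket with no `checksum:`, and this playbook then re-packs it and pushes it to the internal artifacts bucket, so a tampered or truncated download would be promoted into the upgrade path unverified; the same applies to the `Download gandalf archive` task in `ansible/tasks/internal/gandalf.yml` in this commit and to its URL fix in patch 6. Pin the digest per release next to `gandalf_release`, e.g. `checksum: "sha256:<EXPECTED_SHA256_FOR_THIS_RELEASE>"`. Separately, `cd /tmp && tar -cJf gandalf-{{ gandalf_release }}-arm64.tar.xz gandalf` assumes the archive unpacks to a top-level directory named `gandalf`; patch 7 adds `--strip-components=1` on the install side, which suggests the top-level name differs, so this pack step likely fails or packs the wrong tree and the extracted directory name should be confirmed.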
@@ -0,0 +1,79 @@
+- name: gandalf - system user
+ user:
+ name: gandalf
+ groups: admin,gandalf,salt
+ append: yes
+ system: yes
+ shell: /bin/sh
+
+- name: Setting arch (x86)
+ set_fact:
+ arch: "x86"
+ when: platform == "amd64"
+
+- name: Setting arch (arm)
+ set_fact:
+ arch: "arm64"
+ when: platform == "arm64"
+
+- name: Download gandalf archive
+ get_url:
+ url: "https://supabase-public-artifacts-bucket.s3.amazonaws.com/gandalf/v{{ gandalf_release }}/gandalf_{{ gandalf_release }}_linux_{{ arch }}.tar.gz"
+ dest: "/tmp/gandalf.tar.gz"
+ timeout: 90
+
+- name: gandalf - unpack archive in /opt
+ unarchive:
+ remote_src: yes
+ src: /tmp/gandalf.tar.gz
+ dest: /opt
+ owner: gandalf
+
+- name: gandalf - create symlink
+ ansible.builtin.file:
+ path: /opt/gandalf/gandalf
+ src: "/opt/gandalf/gandalf-linux-{{ arch }}"
+ state: link
+ owner: gandalf
+ mode: '0755'
+ force: yes
+
+- name: gandalf - config dir
+ file:
+ path: /opt/gandalf
+ owner: gandalf
+ state: directory
+
+- name: gandalf - gpg dir
+ file:
+ path: /etc/salt/gpgkeys
+ owner: root
+ group: salt
+ state: directory
+
+- name: give gandalf user permissions
+ copy:
+ src: files/gandalf.sudoers.conf
+ dest: /etc/sudoers.d/gandalf
+ mode: "0644"
+
+- name: gandalf - create salt systemd timer file
+ copy:
+ src: files/gandalf_config/gandalf_salt.timer
+ dest: /etc/systemd/system/gandalf_salt.timer
+
+- name: gandalf - create salt service file
+ copy:
+ src: files/gandalf_config/gandalf_salt.service
+ dest: /etc/systemd/system/gandalf_salt.service
+
+- name: gandalf - reload systemd
+ systemd:
+ daemon_reload: yes
+
+# Initially ensure gandalf is installed but not started
+- name: gandalf - DISABLE service
+ systemd:
+ name: gandalf_salt
+ enabled: no
+ state: stopped
diff --git a/ansible/tasks/setup-supabase-internal.yml b/ansible/tasks/setup-supabase-internal.yml
index 7aa931763..5a37dbaa0 100644
--- a/ansible/tasks/setup-supabase-internal.yml
+++ b/ansible/tasks/setup-supabase-internal.yml
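Review bot: The `give gandalf user permissions` task installs `/etc/sudoers.d/gandalf` with no syntax check, so a malformed file would break sudo for every account on the host; add `validate: /usr/sbin/visudo -cf %s` to that `copy` and set `owner: root`, `group: root`, `mode: "0440"` as sudo expects for drop-in files. The same task is moved in patch 8 and re-pointed in patch 9 without these attributes. The user task also adds `gandalf` to `admin`; if `admin` carries its own sudoers entry on these images, that widens the account beyond the dedicated NOPASSWD rules, so a comment stating why each of `admin` and `salt` is required would help the next reader. `/etc/salt/gpgkeys` is created without a `mode`, so it inherits the umask; gpg warns about an unsafe homedir unless it is owner-only, and since the sudoers rules run gpg as root, `mode: "0700"` looks appropriate — confirm nothing in the `salt` group reads it directly.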
@@ -115,5 +115,10 @@
 tags:
 - aws-only
+- name: Install gandalf
+ import_tasks: internal/gandalf.yml
+ tags:
+ - aws-only
+
 - name: Envoy - use lds.supabase.yaml for /etc/envoy/lds.yaml
 command: mv /etc/envoy/lds.supabase.yaml /etc/envoy/lds.yaml
diff --git a/ansible/vars.yml b/ansible/vars.yml
index 2838d6f92..f1e633c8a 100644
--- a/ansible/vars.yml
+++ b/ansible/vars.yml
@@ -57,3 +57,5 @@ adminmgr_release: 0.25.1
 vector_x86_deb: "https://packages.timber.io/vector/0.22.3/vector_0.22.3-1_amd64.deb"
 vector_arm_deb: "https://packages.timber.io/vector/0.22.3/vector_0.22.3-1_arm64.deb"
+
+gandalf_release: 1.4.18
From c7492f518ff06c22d9945eac3527b21b6b5f983e Mon Sep 17 00:00:00 2001
From: Tom Ashley
Date: Mon, 23 Jun 2025 11:38:16 +0100
Subject: [PATCH 2/9] chore: version bumps
---
 ansible/tasks/internal/gandalf.yml | 2 +-
 ansible/vars.yml | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/ansible/tasks/internal/gandalf.yml b/ansible/tasks/internal/gandalf.yml
index c6ffc9673..7ef2bd0af 100644
--- a/ansible/tasks/internal/gandalf.yml
+++ b/ansible/tasks/internal/gandalf.yml
@@ -57,7 +57,7 @@
 dest: /etc/sudoers.d/gandalf
 mode: "0644"
-- name: gandalf - create salt systemd timer file
+- name: gandalf - create salt systemd timer file
 copy:
 src: files/gandalf_config/gandalf_salt.timer
 dest: /etc/systemd/system/gandalf_salt.timer
diff --git a/ansible/vars.yml b/ansible/vars.yml
index f1e633c8a..4d54e10bc 100644
--- a/ansible/vars.yml
+++ b/ansible/vars.yml
@@ -10,8 +10,8 @@ postgres_major:
 # Full version strings for each major version
 postgres_release:
 postgresorioledb-17: "17.0.1.093-orioledb"
- postgres17: "17.4.1.043"
- postgres15: "15.8.1.100"
+ postgres17: "17.4.1.044"
+ postgres15: "15.8.1.101"
 # Non Postgres Extensions
 pgbouncer_release: "1.19.0"
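Review bot: `gandalf_release: 1.4.18` is left unquoted; a three-part version parses as a string today, but a future two-part value such as `1.5` would silently become a float and corrupt the download URL built from it. Quote it as `gandalf_release: "1.4.18"`, matching the quoted `pgbouncer_release` and `postgres_release` entries already in this file.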
@@ -58,4 +58,4 @@ adminmgr_release: 0.25.1
 vector_x86_deb: "https://packages.timber.io/vector/0.22.3/vector_0.22.3-1_amd64.deb"
 vector_arm_deb: "https://packages.timber.io/vector/0.22.3/vector_0.22.3-1_arm64.deb"
-gandalf_release: 1.4.18
+gandalf_release: 1.4.26
From d609e224b79b8437947895d984f2d48539b4832d Mon Sep 17 00:00:00 2001
From: Tom Ashley
Date: Mon, 23 Jun 2025 12:20:21 +0100
Subject: [PATCH 3/9] bumping oriole build also
---
 ansible/vars.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ansible/vars.yml b/ansible/vars.yml
index 4d54e10bc..18895df58 100644
--- a/ansible/vars.yml
+++ b/ansible/vars.yml
@@ -9,7 +9,7 @@ postgres_major:
 # Full version strings for each major version
 postgres_release:
- postgresorioledb-17: "17.0.1.093-orioledb"
+ postgresorioledb-17: "17.0.1.094-orioledb"
 postgres17: "17.4.1.044"
 postgres15: "15.8.1.101"
From 6021a156011ec65d420595e6c9f0c22bf8cadf18 Mon Sep 17 00:00:00 2001
From: Tom Ashley
Date: Mon, 23 Jun 2025 14:19:24 +0100
Subject: [PATCH 4/9] fix: create the Gandalf group
---
 ansible/tasks/internal/gandalf.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ansible/tasks/internal/gandalf.yml b/ansible/tasks/internal/gandalf.yml
index 7ef2bd0af..29027eb93 100644
--- a/ansible/tasks/internal/gandalf.yml
+++ b/ansible/tasks/internal/gandalf.yml
@@ -1,7 +1,8 @@
 - name: gandalf - system user
 user:
 name: gandalf
- groups: admin,gandalf,salt
+ group: gandalf
+ groups: admin,salt
 append: yes
 system: yes
 shell: /bin/sh
From 4c177538a1c1f084ca0b3d9a39d03314774dac72 Mon Sep 17 00:00:00 2001
From: Tom Ashley
Date: Mon, 23 Jun 2025 14:55:45 +0100
Subject: [PATCH 5/9] fix: implicitly create the gandalf group
---
 ansible/tasks/internal/gandalf.yml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/ansible/tasks/internal/gandalf.yml b/ansible/tasks/internal/gandalf.yml
index 29027eb93..6c8358ce1 100644
--- a/ansible/tasks/internal/gandalf.yml
+++ b/ansible/tasks/internal/gandalf.yml
@@ -1,3 +1,8 @@
+- name: gandalf - system group
+ group:
+ name: gandalf
+ system: yes
+
 - name: gandalf - system user
 user:
 name: gandalf
From 43fea2e40a0951ab8a538637dab1c3b7ae54ab93 Mon Sep 17 00:00:00 2001
From: Tom Ashley
Date: Mon, 23 Jun 2025 15:48:01 +0100
Subject: [PATCH 6/9] fix: correct gandalf archive path
---
 ansible/tasks/internal/gandalf.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ansible/tasks/internal/gandalf.yml b/ansible/tasks/internal/gandalf.yml
index 6c8358ce1..b0b701bcb 100644
--- a/ansible/tasks/internal/gandalf.yml
+++ b/ansible/tasks/internal/gandalf.yml
@@ -24,7 +24,7 @@
 - name: Download gandalf archive
 get_url:
- url: "https://supabase-public-artifacts-bucket.s3.amazonaws.com/gandalf/v{{ gandalf_release }}/gandalf_{{ gandalf_release }}_linux_{{ arch }}.tar.gz"
+ url: "https://supabase-public-artifacts-bucket.s3.amazonaws.com/gandalf/v{{ gandalf_release }}/gandalf-{{ gandalf_release }}-linux-{{ arch }}.tar.gz"
 dest: "/tmp/gandalf.tar.gz"
 timeout: 90
From 43eed3d0d91b5faee850d44c42a6d77d331337e9 Mon Sep 17 00:00:00 2001
From: Tom Ashley
Date: Mon, 23 Jun 2025 16:16:52 +0100
Subject: [PATCH 7/9] fix: unpack gandalf build correctly
---
 ansible/tasks/internal/gandalf.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/ansible/tasks/internal/gandalf.yml b/ansible/tasks/internal/gandalf.yml
index b0b701bcb..daa9cf524 100644
--- a/ansible/tasks/internal/gandalf.yml
+++ b/ansible/tasks/internal/gandalf.yml
@@ -32,8 +32,10 @@
 unarchive:
 remote_src: yes
 src: /tmp/gandalf.tar.gz
- dest: /opt
+ dest: /opt/gandalf/
 owner: gandalf
+ extra_opts:
+ - --strip-components=1
 - name: gandalf - create symlink
 ansible.builtin.file:
From ed4933411ecc121eb783ae782e6be1f88517ade0 Mon Sep 17 00:00:00 2001
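Review bot: The `unarchive` into `/opt/gandalf/` keeps `owner: gandalf`, so the agent binary that the service runs as `gandalf` is writable by that same account; keeping the install tree root-owned and world-readable (`owner: root`, `group: root`, and a `mode` on the directory) is the usual arrangement for a privileged agent and removes one self-modification path. `--strip-components=1` also assumes a single top-level directory in the tarball, which is worth stating in a comment above `extra_opts:` since the pack step in `ansible/manifest-playbook.yml` makes the opposite assumption about the archive layout.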
From: Tom Ashley
Date: Mon, 23 Jun 2025 16:54:03 +0100
Subject: [PATCH 8/9] fix: reorganise order for gandalf installs
---
 ansible/tasks/internal/gandalf.yml | 38 +++++++++++++++---------------
 1 file changed, 19 insertions(+), 19 deletions(-)
diff --git a/ansible/tasks/internal/gandalf.yml b/ansible/tasks/internal/gandalf.yml
index daa9cf524..2821998f3 100644
--- a/ansible/tasks/internal/gandalf.yml
+++ b/ansible/tasks/internal/gandalf.yml
@@ -12,6 +12,25 @@
 system: yes
 shell: /bin/sh
+- name: gandalf - config dir
+ file:
+ path: /opt/gandalf
+ owner: gandalf
+ state: directory
+
+- name: gandalf - gpg dir
+ file:
+ path: /etc/salt/gpgkeys
+ owner: root
+ group: salt
+ state: directory
+
+- name: give gandalf user permissions
+ copy:
+ src: files/gandalf.sudoers.conf
+ dest: /etc/sudoers.d/gandalf
+ mode: "0644"
+
 - name: Setting arch (x86)
 set_fact:
 arch: "x86"
@@ -46,25 +65,6 @@
 mode: '0755'
 force: yes
-- name: gandalf - config dir
- file:
- path: /opt/gandalf
- owner: gandalf
- state: directory
-
-- name: gandalf - gpg dir
- file:
- path: /etc/salt/gpgkeys
- owner: root
- group: salt
- state: directory
-
-- name: give gandalf user permissions
- copy:
- src: files/gandalf.sudoers.conf
- dest: /etc/sudoers.d/gandalf
- mode: "0644"
-
 - name: gandalf - create salt systemd timer file
 copy:
 src: files/gandalf_config/gandalf_salt.timer
From 0ca5760e798ce28d8afa9b0cf4eaf728989ebdb8 Mon Sep 17 00:00:00 2001
From: Tom Ashley
Date: Mon, 23 Jun 2025 17:16:30 +0100
Subject: [PATCH 9/9] fix: point to the correct path
---
 ansible/tasks/internal/gandalf.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ansible/tasks/internal/gandalf.yml b/ansible/tasks/internal/gandalf.yml
index 2821998f3..47231daad 100644
--- a/ansible/tasks/internal/gandalf.yml
+++ b/ansible/tasks/internal/gandalf.yml
@@ -27,7 +27,7 @@
 - name: give gandalf user permissions
 copy:
- src: files/gandalf.sudoers.conf
+ src: files/gandalf_config/gandalf.sudoers.conf
 dest: /etc/sudoers.d/gandalf
 mode: "0644"