feat: Install gandalf, salt-wrapper for infra (#1657)

* feat: Install gandalf, salt-wrapper for infra

* chore: version bumps

* bumping oriole build also

* fix: create the Gandalf group

* fix: implicitly create the gandalf group

* fix: correct gandalf archive path

* fix: unpack gandalf build correctly

* fix: reorganise order for gandalf installs

* fix: point to the correct path

* chore: bump vars due to conflicts

* fix: pin version of libpq to 17.x (#1649)

* fix: pin version of libpq to the major version installed

* fix: the variable is postgresql_major_version

* fix: using the correct var

* fix: default to postgres 15 major version

* fix: default to 15

* fix: supposedly main contains all releases for libpq5

* fix: syntax

* fix: different syntax

* fix: rely on ppa

* fix: ppa removal

* fix: change to trigger workflow

* fix: adding a test to see postgres version

* fix: testing for failure related to libpq5 version issue

* test: include read-only test for postgrest

* test: reduce log access time

* test: make sure to fail if version wrong

* chore: bump vars

* ci: no longer build Oriole QEMU artifact

Said artifact is no longer being used. If needed in the future, it can
be trivially reintroduced, but in the meantime there's no reason to
expend resources on them.

* chore: disable auth config reloading within qemu artifact

The QEMU artifact is not running with a filesystem that supports the
inotify API, resulting in spurious error messages, and broken config
reloading.

* chore: strip out unnecessary dependencies from QEMU builds

Also upgrades to Alpine 3.22.

* chore: version bumps

* tests: update user and group test adding gandalf

* chore: add gandalf user to user list

---------

Co-authored-by: Crispy1975 <[email protected]>
Co-authored-by: samrose <[email protected]>
Co-authored-by: Div Arora <[email protected]>

Author: 4 people

ansible/files/gandalf_config/gandalf.sudoers.conf

@@ -0,0 +1,2 @@
+%gandalf ALL= NOPASSWD: /usr/bin/salt-call
+%gandalf ALL= NOPASSWD: /usr/bin/gpg --homedir /etc/salt/gpgkeys --import, /usr/bin/gpg --homedir /etc/salt/gpgkeys --list-secret-keys *

ansible/files/gandalf_config/gandalf_salt.service

@@ -0,0 +1,19 @@
+[Unit]
+Description=Configuration management via gandalf salt
+After=network.target
+
+[Service]
+Type=oneshot
+ExecStart=/opt/gandalf/gandalf --config /opt/gandalf/config.yaml salt --apply --store-result
+User=gandalf
+Group=gandalf
+StandardOutput=journal
+StandardError=journal
+StateDirectory=gandalf
+CacheDirectory=gandalf
+
+# Security hardening
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target

ansible/files/gandalf_config/gandalf_salt.timer

@@ -0,0 +1,13 @@
+[Unit]
+Description=Run Supabase gandalf salt on a schedule
+Requires=gandalf_salt.service
+
+[Timer]
+OnCalendar=*:0/10
+# Random delay up to 30 seconds splay
+RandomizedDelaySec=30
+AccuracySec=1s
+Persistent=true
+
+[Install]
+WantedBy=timers.target

ansible/files/permission_check.py

@@ -94,11 +94,17 @@
     "systemd-coredump": [
         {"groupname": "systemd-coredump", "username": "systemd-coredump"}
     ],
+    "gandalf": [
+        {"groupname": "gandalf", "username": "gandalf"},
+        {"groupname": "admin", "username": "gandalf"},
+        {"groupname": "salt", "username": "gandalf"},
+    ],
 }
 
 # postgresql.service is expected to mount /etc as read-only
 expected_mount = "/etc ro"
 
+
 # This program depends on osquery being installed on the system
 # Function to run osquery
 def run_osquery(query):
@@ -154,6 +160,7 @@ def check_nixbld_users():
 
     print("All nixbld users are in the 'nixbld' group.")
 
+
 def check_postgresql_mount():
     # processes table has the nix .postgres-wrapped path as the
     # binary path, rather than /usr/lib/postgresql/bin/postgres which
@@ -182,6 +189,7 @@ def check_postgresql_mount():
 
     print("postgresql.service mounts /etc as read-only.")
 
+
 def main():
     parser = argparse.ArgumentParser(
         prog="Supabase Postgres Artifact Permissions Checker",
@@ -234,6 +242,7 @@ def main():
         "postgrest",
         "tcpdump",
         "systemd-coredump",
+        "gandalf",
     ]
     if not qemu_artifact:
         usernames.append("ec2-instance-connect")
@@ -251,5 +260,6 @@ def main():
     # Check if postgresql.service is using a read-only mount for /etc
     check_postgresql_mount()
 
+
 if __name__ == "__main__":
     main()

ansible/manifest-playbook.yml

@@ -61,6 +61,22 @@
       shell: |
         cd /tmp && tar -cJf admin-mgr-{{ adminmgr_release }}-arm64.tar.xz admin-mgr
 
+    - name: Download gandalf archive
+      get_url:
+        url: "https://supabase-public-artifacts-bucket.s3.amazonaws.com/gandalf/v{{ gandalf_release }}/gandalf_{{ gandalf_release }}_linux_arm64.tar.gz"
+        dest: "/tmp/gandalf.tar.gz"
+        timeout: 90
+
+    - name: gandalf - unpack archive in /tmp
+      unarchive:
+        remote_src: yes
+        src: /tmp/gandalf.tar.gz
+        dest: /tmp
+
+    - name: gandalf - pack archive
+      shell: |
+        cd /tmp && tar -cJf gandalf-{{ gandalf_release }}-arm64.tar.xz gandalf
+
     - name: upload archives
       shell: |
         aws s3 cp /tmp/{{ item.file }} s3://{{ internal_artifacts_bucket }}/upgrades/{{ item.service }}/{{ item.file }}
@@ -73,3 +89,5 @@
           file: supabase-admin-api-{{ adminapi_release }}-arm64.tar.xz
         - service: admin-mgr
           file: admin-mgr-{{ adminmgr_release }}-arm64.tar.xz
+        - service: gandalf
+          file: gandalf-{{ gandalf_release }}-arm64.tar.xz

ansible/tasks/internal/gandalf.yml

@@ -0,0 +1,87 @@
+- name: gandalf - system group
+  group:
+    name: gandalf
+    system: yes
+
+- name: gandalf - system user
+  user:
+    name: gandalf
+    group: gandalf
+    groups: admin,salt
+    append: yes
+    system: yes
+    shell: /bin/sh
+
+- name: gandalf - config dir
+  file:
+    path: /opt/gandalf
+    owner: gandalf
+    state: directory
+
+- name: gandalf - gpg dir
+  file:
+    path: /etc/salt/gpgkeys
+    owner: root
+    group: salt
+    state: directory
+
+- name: give gandalf user permissions
+  copy:
+    src: files/gandalf_config/gandalf.sudoers.conf
+    dest: /etc/sudoers.d/gandalf
+    mode: "0644"
+
+- name: Setting arch (x86)
+  set_fact:
+    arch: "x86"
+  when: platform == "amd64"
+
+- name: Setting arch (arm)
+  set_fact:
+    arch: "arm64"
+  when: platform == "arm64"
+
+- name: Download gandalf archive
+  get_url:
+    url: "https://supabase-public-artifacts-bucket.s3.amazonaws.com/gandalf/v{{ gandalf_release }}/gandalf-{{ gandalf_release }}-linux-{{ arch }}.tar.gz"
+    dest: "/tmp/gandalf.tar.gz"
+    timeout: 90
+
+- name: gandalf - unpack archive in /opt
+  unarchive:
+    remote_src: yes
+    src: /tmp/gandalf.tar.gz
+    dest: /opt/gandalf/
+    owner: gandalf
+    extra_opts:
+      - --strip-components=1
+
+- name: gandalf - create symlink
+  ansible.builtin.file:
+    path: /opt/gandalf/gandalf
+    src: "/opt/gandalf/gandalf-linux-{{ arch }}"
+    state: link
+    owner: gandalf
+    mode: "0755"
+    force: yes
+
+- name: gandalf - create salt systemd timer file
+  copy:
+    src: files/gandalf_config/gandalf_salt.timer
+    dest: /etc/systemd/system/gandalf_salt.timer
+
+- name: gandalf - create salt service file
+  copy:
+    src: files/gandalf_config/gandalf_salt.service
+    dest: /etc/systemd/system/gandalf_salt.service
+
+- name: gandalf - reload systemd
+  systemd:
+    daemon_reload: yes
+
+# Initially ensure gandalf is installed but not started
+- name: gandalf - DISABLE service
+  systemd:
+    name: gandalf_salt
+    enabled: no
+    state: stopped

ansible/tasks/setup-supabase-internal.yml

@@ -115,5 +115,10 @@
   tags:
     - aws-only
 
+- name: Install gandalf
+  import_tasks: internal/gandalf.yml
+  tags:
+    - aws-only
+
 - name: Envoy - use lds.supabase.yaml for /etc/envoy/lds.yaml
   command: mv /etc/envoy/lds.supabase.yaml /etc/envoy/lds.yaml

ansible/vars.yml

@@ -9,9 +9,9 @@ postgres_major:
 
 # Full version strings for each major version
 postgres_release:
-  postgresorioledb-17: "17.0.1.095-orioledb"
-  postgres17: "17.4.1.45"
-  postgres15: "15.8.1.102"
+  postgresorioledb-17: "17.0.1.096-orioledb"
+  postgres17: "17.4.1.046"
+  postgres15: "15.8.1.103"
 
 # Non Postgres Extensions
 pgbouncer_release: "1.19.0"
@@ -57,3 +57,5 @@ adminmgr_release: 0.25.1
 
 vector_x86_deb: "https://packages.timber.io/vector/0.22.3/vector_0.22.3-1_amd64.deb"
 vector_arm_deb: "https://packages.timber.io/vector/0.22.3/vector_0.22.3-1_arm64.deb"
+
+gandalf_release: 1.4.30