Sam/nix and conventional ami (#1012)

* feat: nix-ami-changes * chore: version bump * chore: remap branch for ami build * chore: bump version * chore: bump version to trigger build * feat: use /var/lib/postgresql as home for postgres user * fix: makre sure bashrc exists * fix: minor refactor * chore: moving to a different PR * chore: bump version and remove deprecated workflow * feat: parallel testinfra-nix just for ami test * chore: testing just testinfra-nix workflow * chore: re-run build * chore: re-trigger testinfra * fix: wait for AMI to reach available state * fix: use ami id in stage 3 testinfra ami-test * fix: env vars * chore: bump version * chore: restore packer build * chore: create a parallel test * chore: bump version * fix: capture and use ami name * fix: aws regions * chore: capture ami name * chore: force_deregister all ami prior to create new * fix: pass same ami name each time * fix: manage concurrency of testinfra builds * fix: no args on stage 2 * fix: re-intro original testinfra * Revert "fix: re-intro original testinfra" This reverts commit f719e66. * chore: push to re-trigger build * chore: update instance name * fix: location of pg_isready binary * fix: re-intro conventional ami infra test + more symlinks where expected * fix: dealing with symlink creation issues * fix: try concurrency rules on on all large builds * chore; try with no concurrency rules * chore: rerun * chore: rebasing on develop Sam/nix and conventional consolidate (#1025) * feat: consolidate ansible and use vars to toggle AMI builds * fix: resolving merge conflict * chore: merge conflict * Revert "chore: merge conflict" This reverts commit ddc6b1d. * fix: update ansible location for script * fix: ansible consolidated location * fix: set up modes on system-setup * fix: set vars * fix: python True and False in extra_vars * fix: adj vars * fix: set all ami vars * fix: args as json * fix: nixpkg_mode * fix: refining mode rules * fix: consolidate create dirs * fix: cleaning up modes * fix: systemd psql service reload targets * fix: starting postgres issues * fix: timing for pgsodium_getkey script * fix: packer file upload on stage 2 * fix: consolidation of ansible location * fix: stage2 fix hostname * fix: limit stage that tasks run on * fix: setting hosts only on stage 2 nix ami * fix: rewrite hosts in ansible to allow for re-use of playbook file * chore: trigger checks * fix: pgsodium getkey is different for deb vs nix builds * fix: consolidated files location * fix: on stage2 postgres server is already started at this point * fix: without env vars * fix: vars on the right mode * fix: dedupe * fix: locales * fix: locales * chore: try step with no env vars * fix: no need to start pg at this point stage2 * fix: yaml * fix: more cleanup of modes * fix: snapd already absent at this point + consolidate tasks * fix: already absent at this point * fix: service not present at this stage * fix: disable different services for first boot depending on mode * fix: pg already restarted at this point in stage 2 * fix: no start on stage2 * fix: try to start in stage2 * chore: include env vars for stage2 * fix: stop before starting * fix: debpkg mode only * fix: should use conventional path * fix: need to locale-gen prior to initdb * fix: nix build needs .env * fix: stage2 treatment of pgsodium_getket * chore: re-introduce permission checks via osquery * fix: correct the path to files --------- Co-authored-by: Sam Rose <[email protected]> * Sam/timescale and wrappers (#1052) * fix: was using the wrong sha256 hash for version * chore: updating wrappers version * itests: make sure we run the current commit on psql bundle test --------- Co-authored-by: Sam Rose <[email protected]> * fix: locale gen and ami deregister on any testinfra run (#1055) * fix: locale gen and ami deregister on any testinfra run * fix: use more manual approach --------- Co-authored-by: Sam Rose <[email protected]> * chore: update pg_upgrade initiate.sh to support nix-based upgrades (#1057) * chore: package nix flake revision in pg_upgrade binaries tarball when building the nix AMI (#1058) * chore: activate release workflow * chore: bump version --------- Co-authored-by: Sam Rose <[email protected]> Co-authored-by: Paul Cioanca <[email protected]>
supabase · Jul 19, 2024 · bad563a · bad563a
1 parent 77100e2
commit bad563a
Show file tree

Hide file tree

Showing 35 changed files with 2,558 additions and 146 deletions.
diff --git a/.github/workflows/ami-release-nix.yml b/.github/workflows/ami-release-nix.yml
@@ -0,0 +1,135 @@
+name: Release AMI Nix
+
+on:
+  push:
+    branches:
+      - develop
+    paths:
+      - '.github/workflows/ami-release-nix.yml'
+      - 'common-nix.vars.pkr.hcl'
+  workflow_dispatch:
+
+jobs:
+  build:
+    strategy:
+      matrix:
+        include:
+          - runner: arm-runner
+            arch: arm64
+            ubuntu_release: focal
+            ubuntu_version: 20.04
+            mcpu: neoverse-n1
+    runs-on: ${{ matrix.runner }}
+    timeout-minutes: 150
+    permissions:
+      contents: write
+      packages: write
+      id-token: write
+
+    steps:
+      - name: Checkout Repo
+        uses: actions/checkout@v3
+
+      - name: Run checks if triggered manually
+        if: ${{ github.event_name == 'workflow_dispatch' }}
+        # Update `ci.yaml` too if changing constraints.
+        run: |
+          SUFFIX=$(sed -E 's/postgres-version = "[0-9\.]+(.*)"/\1/g' common-nix.vars.pkr.hcl)
+          if [[ -z $SUFFIX ]] ; then
+            echo "Version must include non-numeric characters if built manually."
+            exit 1
+          fi
+
+      # extensions are build in nix prior to this step
+      # so we can just use the binaries from the nix store
+      # for postgres, extensions and wrappers
+
+      - name: Build AMI stage 1
+        run: |
+          packer init amazon-arm64-nix.pkr.hcl
+          GIT_SHA=${{github.sha}}
+          packer build -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${GITHUB_RUN_ID}" -var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl" -var "ansible_arguments="  amazon-arm64-nix.pkr.hcl
+
+      - name: Build AMI stage 2
+        run: |
+          packer init stage2-nix-psql.pkr.hcl
+          GIT_SHA=${{github.sha}}
+          packer build -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${GITHUB_RUN_ID}" -var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl" stage2-nix-psql.pkr.hcl
+
+      - name: Grab release version
+        id: process_release_version
+        run: |
+          VERSION=$(sed -e 's/postgres-version = "\(.*\)"/\1/g' common-nix.vars.pkr.hcl)
+          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
+
+      - name: Create nix flake revision tarball
+        run: |
+          GIT_SHA=${{github.sha}}
+          MAJOR_VERSION=$(echo "${{ steps.process_release_version.outputs.version }}" | cut -d. -f1)
+
+          mkdir -p "/tmp/pg_upgrade_bin/${MAJOR_VERSION}"
+          echo "$GIT_SHA" >> "/tmp/pg_upgrade_bin/${MAJOR_VERSION}/nix_flake_version"
+          tar -czf "/tmp/pg_binaries.tar.gz" -C "/tmp/pg_upgrade_bin" .
+
+      - name: configure aws credentials - staging
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.DEV_AWS_ROLE }}
+          aws-region: "us-east-1"
+
+      - name: Upload software manifest to s3 staging
+        run: |
+          cd ansible
+          ansible-playbook -i localhost \
+            -e "ami_release_version=${{ steps.process_release_version.outputs.version }}" \
+            -e "internal_artifacts_bucket=${{ secrets.ARTIFACTS_BUCKET }}" \
+            manifest-playbook.yml
+
+      - name: Upload nix flake revision to s3 staging
+        run: |
+          aws s3 cp /tmp/pg_binaries.tar.gz s3://${{ secrets.ARTIFACTS_BUCKET }}/upgrades/postgres/supabase-postgres-${{ steps.process_release_version.outputs.version }}/20.04.tar.gz
+
+      #Our self hosted github runner already has permissions to publish images 
+      #but they're limited to only that; 
+      #so if we want s3 access we'll need to config credentials with the below steps 
+      # (which overwrites existing perms) after the ami build
+
+      - name: configure aws credentials - prod
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.PROD_AWS_ROLE }}
+          aws-region: "us-east-1"
+
+      - name: Upload software manifest to s3 prod
+        run: |
+          cd ansible
+          ansible-playbook -i localhost \
+            -e "ami_release_version=${{ steps.process_release_version.outputs.version }}" \
+            -e "internal_artifacts_bucket=${{ secrets.PROD_ARTIFACTS_BUCKET }}" \
+            manifest-playbook.yml
+    
+      - name: Upload nix flake revision to s3 prod
+        run: |
+          aws s3 cp /tmp/pg_binaries.tar.gz s3://${{ secrets.PROD_ARTIFACTS_BUCKET }}/upgrades/postgres/supabase-postgres-${{ steps.process_release_version.outputs.version }}/20.04.tar.gz
+
+      - name: Create release
+        uses: softprops/action-gh-release@v1
+        with:
+          name: ${{ steps.process_release_version.outputs.version }}
+          tag_name: ${{ steps.process_release_version.outputs.version }}
+          target_commitish: ${{github.sha}}
+
+      - name: Slack Notification on Failure
+        if: ${{ failure() }}
+        uses: rtCamp/action-slack-notify@v2
+        env:
+          SLACK_WEBHOOK: ${{ secrets.SLACK_NOTIFICATIONS_WEBHOOK }}
+          SLACK_USERNAME: 'gha-failures-notifier'
+          SLACK_COLOR: 'danger'
+          SLACK_MESSAGE: 'Building Postgres AMI failed'
+          SLACK_FOOTER: ''
+
+      - name: Cleanup resources on build cancellation
+        if: ${{ cancelled() }}
+        run: |
+          aws ec2 describe-instances --filters "Name=tag:packerExecutionId,Values=${GITHUB_RUN_ID}" --query "Reservations[].Instances[].InstanceId" --output text | xargs -n 1 -I {} aws ec2 terminate-instances --instance-ids {}
diff --git a/.github/workflows/nix-build.yml b/.github/workflows/nix-build.yml
@@ -25,7 +25,11 @@ jobs:
     steps:
 
       - name: Check out code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.ref || github.ref }}
+          fetch-depth: 0
+          fetch-tags: true
       - name: aws-creds
         uses: aws-actions/configure-aws-credentials@v4
         with:

diff --git a/.github/workflows/nix-cache-upload.yml b/.github/workflows/nix-cache-upload.yml
diff --git a/.github/workflows/publish-nix-pgupgrade-scripts.yml b/.github/workflows/publish-nix-pgupgrade-scripts.yml
@@ -0,0 +1,94 @@
+name: Publish pg_upgrade_scripts
+
+on:
+  push:
+    branches:
+      - develop
+      - sam/nix-and-conventional-ami
+    paths:
+      - '.github/workflows/publish-pgupgrade-scripts.yml'
+      - 'common-nix.vars.pkr.hcl'
+  workflow_dispatch:
+
+permissions:
+  id-token: write
+
+jobs:
+  publish-staging:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout Repo
+        uses: actions/checkout@v3
+
+      - name: Grab release version
+        id: process_release_version
+        run: |
+          VERSION=$(grep 'postgres-version' common-nix.vars.pkr.hcl | sed -e 's/postgres-version = "\(.*\)"/\1/g')
+          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
+
+      - name: Create a tarball containing pg_upgrade scripts
+        run: |
+          mkdir -p /tmp/pg_upgrade_scripts
+          cp -r ansible/files/admin_api_scripts/pg_upgrade_scripts/* /tmp/pg_upgrade_scripts
+          tar -czvf /tmp/pg_upgrade_scripts.tar.gz -C /tmp/ pg_upgrade_scripts
+
+      - name: configure aws credentials - staging
+        uses: aws-actions/configure-aws-credentials@v1
+        with:
+          role-to-assume: ${{ secrets.DEV_AWS_ROLE }}
+          aws-region: "us-east-1"
+
+      - name: Upload pg_upgrade scripts to s3 staging
+        run: |
+          aws s3 cp /tmp/pg_upgrade_scripts.tar.gz s3://${{ secrets.ARTIFACTS_BUCKET }}/upgrades/postgres/supabase-postgres-${{ steps.process_release_version.outputs.version }}/pg_upgrade_scripts.tar.gz
+
+      - name: Slack Notification on Failure
+        if: ${{ failure() }}
+        uses: rtCamp/action-slack-notify@v2
+        env:
+          SLACK_WEBHOOK: ${{ secrets.SLACK_NOTIFICATIONS_WEBHOOK }}
+          SLACK_USERNAME: 'gha-failures-notifier'
+          SLACK_COLOR: 'danger'
+          SLACK_MESSAGE: 'Publishing pg_upgrade scripts failed'
+          SLACK_FOOTER: ''
+
+  publish-prod:
+    runs-on: ubuntu-latest
+    if: github.ref_name == 'develop'
+
+    steps:
+      - name: Checkout Repo
+        uses: actions/checkout@v3
+
+      - name: Grab release version
+        id: process_release_version
+        run: |
+          VERSION=$(grep 'postgres-version' common-nix.vars.pkr.hcl | sed -e 's/postgres-version = "\(.*\)"/\1/g')
+          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
+
+      - name: Create a tarball containing pg_upgrade scripts
+        run: |
+          mkdir -p /tmp/pg_upgrade_scripts
+          cp -r ansible/files/admin_api_scripts/pg_upgrade_scripts/* /tmp/pg_upgrade_scripts
+          tar -czvf /tmp/pg_upgrade_scripts.tar.gz -C /tmp/ pg_upgrade_scripts
+
+      - name: configure aws credentials - prod
+        uses: aws-actions/configure-aws-credentials@v1
+        with:
+          role-to-assume: ${{ secrets.PROD_AWS_ROLE }}
+          aws-region: "us-east-1"
+
+      - name: Upload pg_upgrade scripts to s3 prod
+        run: |
+          aws s3 cp /tmp/pg_upgrade_scripts.tar.gz s3://${{ secrets.PROD_ARTIFACTS_BUCKET }}/upgrades/postgres/supabase-postgres-${{ steps.process_release_version.outputs.version }}/pg_upgrade_scripts.tar.gz
+
+      - name: Slack Notification on Failure
+        if: ${{ failure() }}
+        uses: rtCamp/action-slack-notify@v2
+        env:
+          SLACK_WEBHOOK: ${{ secrets.SLACK_NOTIFICATIONS_WEBHOOK }}
+          SLACK_USERNAME: 'gha-failures-notifier'
+          SLACK_COLOR: 'danger'
+          SLACK_MESSAGE: 'Publishing pg_upgrade scripts failed'
+          SLACK_FOOTER: ''
diff --git a/.github/workflows/testinfra-nix.yml b/.github/workflows/testinfra-nix.yml
@@ -0,0 +1,88 @@
+name: Testinfra Integration Tests Nix
+
+on:
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+  test-ami-nix:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - runner: arm-runner
+            arch: arm64
+            ubuntu_release: focal
+            ubuntu_version: 20.04
+            mcpu: neoverse-n1
+    runs-on: ${{ matrix.runner }}
+    timeout-minutes: 150
+    permissions:
+      contents: write
+      packages: write
+      id-token: write
+
+    steps:
+      - name: Checkout Repo
+        uses: actions/checkout@v4
+
+      - id: args
+        uses: mikefarah/yq@master
+        with:
+          cmd: yq 'to_entries | map(select(.value|type == "!!str")) |  map(.key + "=" + .value) | join("\n")' 'ansible/vars.yml'
+
+      - run: docker context create builders
+
+      - uses: docker/setup-buildx-action@v3
+        with:
+          endpoint: builders
+
+      - name: Build AMI stage 1
+        run: |
+          packer init amazon-arm64-nix.pkr.hcl
+          GIT_SHA=${{github.sha}}
+          packer build -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${GITHUB_RUN_ID}" -var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl" -var "ansible_arguments=" -var "postgres-version=ci-ami-test" -var "region=ap-southeast-1" -var 'ami_regions=["ap-southeast-1"]' -var "force-deregister=true" amazon-arm64-nix.pkr.hcl
+
+      - name: Build AMI stage 2
+        run: |
+          packer init stage2-nix-psql.pkr.hcl
+          GIT_SHA=${{github.sha}}
+          packer build -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${GITHUB_RUN_ID}" -var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl"  -var "postgres-version=ci-ami-test" -var "region=ap-southeast-1" -var 'ami_regions=["ap-southeast-1"]' -var "force-deregister=true" -var "git_sha=${GITHUB_SHA}"  stage2-nix-psql.pkr.hcl 
+
+      - name: Run tests
+        timeout-minutes: 10
+        run: |
+          # TODO: use poetry for pkg mgmt
+          pip3 install boto3 boto3-stubs[essential] docker ec2instanceconnectcli pytest pytest-testinfra[paramiko,docker] requests
+          pytest -vv -s testinfra/test_ami_nix.py
+      
+      - name: Cleanup resources on build cancellation
+        if: ${{ cancelled() }}
+        run: |
+          aws ec2 --region ap-southeast-1 describe-instances --filters "Name=tag:packerExecutionId,Values=${GITHUB_RUN_ID}" --query "Reservations[].Instances[].InstanceId" --output text | xargs -n 1 -I {} aws ec2 terminate-instances --region ap-southeast-1 --instance-ids {}
+   
+      - name: Cleanup resources on build cancellation
+        if: ${{ always() }}
+        run: |
+          aws ec2 --region ap-southeast-1 describe-instances --filters "Name=tag:testinfra-run-id,Values=${GITHUB_RUN_ID}" --query "Reservations[].Instances[].InstanceId" --output text | xargs -n 1 -I {} aws ec2 terminate-instances --region ap-southeast-1 --instance-ids {} || true
+
+      - name: Cleanup AMIs
+        if: always()
+        run: |
+          # Define AMI name patterns
+          STAGE1_AMI_NAME="supabase-postgres-ci-ami-test-stage-1"
+          STAGE2_AMI_NAME="supabase-postgres-ci-ami-test-nix"
+          
+          # Function to deregister AMIs by name pattern
+          deregister_ami_by_name() {
+            local ami_name_pattern=$1
+            local ami_ids=$(aws ec2 describe-images --region ap-southeast-1 --owners self --filters "Name=name,Values=${ami_name_pattern}" --query 'Images[*].ImageId' --output text)
+            for ami_id in $ami_ids; do
+              echo "Deregistering AMI: $ami_id"
+              aws ec2 deregister-image --region ap-southeast-1 --image-id $ami_id
+            done
+          }
+          
+          # Deregister AMIs
+          deregister_ami_by_name "$STAGE1_AMI_NAME"
+          deregister_ami_by_name "$STAGE2_AMI_NAME"