feat: add the supabase admin agent to the ami build

ansible/files/permission_check.py

@@ -94,11 +94,17 @@
     "systemd-coredump": [
         {"groupname": "systemd-coredump", "username": "systemd-coredump"}
     ],
+    "supabase-admin-agent": [
+        {"groupname": "supabase-admin-agent", "username": "supabase-admin-agent"},
+        {"groupname": "admin", "username": "supabase-admin-agent"},
+        {"groupname": "salt", "username": "supabase-admin-agent"},
+    ],
 }
 
 # postgresql.service is expected to mount /etc as read-only
 expected_mount = "/etc ro"
 
+
 # This program depends on osquery being installed on the system
 # Function to run osquery
 def run_osquery(query):
@@ -154,6 +160,7 @@ def check_nixbld_users():
 
     print("All nixbld users are in the 'nixbld' group.")
 
+
 def check_postgresql_mount():
     # processes table has the nix .postgres-wrapped path as the
     # binary path, rather than /usr/lib/postgresql/bin/postgres which
@@ -182,6 +189,7 @@ def check_postgresql_mount():
 
     print("postgresql.service mounts /etc as read-only.")
 
+
 def main():
     parser = argparse.ArgumentParser(
         prog="Supabase Postgres Artifact Permissions Checker",
@@ -251,5 +259,6 @@ def main():
     # Check if postgresql.service is using a read-only mount for /etc
     check_postgresql_mount()
 
+
 if __name__ == "__main__":
     main()

ansible/files/supabase_admin_agent_config/supabase-admin-agent.sudoers.conf

@@ -0,0 +1,2 @@
+%supabase-admin-agent ALL= NOPASSWD: /usr/bin/salt-call
+%supabase-admin-agent ALL= NOPASSWD: /usr/bin/gpg --homedir {{ gpgdir }} --import, /usr/bin/gpg --homedir {{ gpgdir }} --list-secret-keys *

ansible/files/supabase_admin_agent_config/supabase-admin-agent_salt.service

@@ -0,0 +1,19 @@
+[Unit]
+Description=Configuration management via supabase-admin-agent salt
+After=network.target
+
+[Service]
+Type=oneshot
+ExecStart=/opt/supabase-admin-agent/supabase-admin-agent --config /opt/supabase-admin-agent/config.yaml salt --apply --store-result
+User=supabase-admin-agent
+Group=supabase-admin-agent
+StandardOutput=journal
+StandardError=journal
+StateDirectory=supabase-admin-agent
+CacheDirectory=supabase-admin-agent
+
+# Security hardening
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target

ansible/files/supabase_admin_agent_config/supabase-admin-agent_salt.timer

@@ -0,0 +1,13 @@
+[Unit]
+Description=Run Supabase supabase-admin-agent salt on a schedule
+Requires=supabase-admin-agent_salt.service
+
+[Timer]
+OnCalendar=*:0/10
+# Random delay up to {{ splay }} seconds splay
+RandomizedDelaySec={{ splay }}
+AccuracySec=1s
+Persistent=true
+
+[Install]
+WantedBy=timers.target

ansible/manifest-playbook.yml

@@ -61,6 +61,22 @@
       shell: |
         cd /tmp && tar -cJf admin-mgr-{{ adminmgr_release }}-arm64.tar.xz admin-mgr
 
+    - name: Download supabase-admin-agent archive
+      get_url:
+        url: "https://supabase-internal-artifacts-bucket.s3.amazonaws.com/supabase-admin-agent/v{{ supabase_admin_agent_release }}/supabase-admin-agent_{{ supabase_admin_agent_release }}_linux_arm64.tar.gz"
+        dest: "/tmp/supabase-admin-agent.tar.gz"
+        timeout: 90
+
+    - name: supabase-admin-agent - unpack archive in /tmp
+      unarchive:
+        remote_src: yes
+        src: /tmp/supabase-admin-agent.tar.gz
+        dest: /tmp
+
+    - name: supabase-admin-agent - pack archive
+      shell: |
+        cd /tmp && tar -cJf supabase-admin-agent-{{ supabase_admin_agent_release }}-arm64.tar.xz supabase-admin-agent
+
     - name: upload archives
       shell: |
         aws s3 cp /tmp/{{ item.file }} s3://{{ internal_artifacts_bucket }}/upgrades/{{ item.service }}/{{ item.file }}
@@ -73,3 +89,5 @@
           file: supabase-admin-api-{{ adminapi_release }}-arm64.tar.xz
         - service: admin-mgr
           file: admin-mgr-{{ adminmgr_release }}-arm64.tar.xz
+        - service: supabase-admin-agent
+          file: supabase-admin-agent-{{ supabase_admin_agent_release }}-arm64.tar.xz

ansible/tasks/internal/supabase-admin-agent.yaml

@@ -0,0 +1,87 @@
+- name: supabase-admin-agent - system group
+  group:
+    name: supabase-admin-agent
+    system: yes
+
+- name: supabase-admin-agent - system user
+  user:
+    name: supabase-admin-agent
+    group: supabase-admin-agent
+    groups: admin,salt
+    append: yes
+    system: yes
+    shell: /bin/sh
+
+- name: supabase-admin-agent - config dir
+  file:
+    path: /opt/supabase-admin-agent
+    owner: supabase-admin-agent
+    state: directory
+
+- name: supabase-admin-agent - gpg dir
+  file:
+    path: /etc/salt/gpgkeys
+    owner: root
+    group: salt
+    state: directory
+
+- name: give supabase-admin-agent user permissions
+  copy:
+    src: files/supabase-admin-agent_config/supabase-admin-agent.sudoers.conf
+    dest: /etc/sudoers.d/supabase-admin-agent
+    mode: "0644"
+
+- name: Setting arch (x86)
+  set_fact:
+    arch: "x86"
+  when: platform == "amd64"
+
+- name: Setting arch (arm)
+  set_fact:
+    arch: "arm64"
+  when: platform == "arm64"
+
+- name: Download supabase-admin-agent archive
+  get_url:
+    url: "https://supabase-internal-artifacts-bucket.s3.amazonaws.com/supabase-admin-agent/v{{ supabase_admin_agent_release }}/supabase-admin-agent-{{ supabase_admin_agent_release }}-linux-{{ arch }}.tar.gz"
+    dest: "/tmp/supabase-admin-agent.tar.gz"
+    timeout: 90
+
+- name: supabase-admin-agent - unpack archive in /opt
+  unarchive:
+    remote_src: yes
+    src: /tmp/supabase-admin-agent.tar.gz
+    dest: /opt/supabase-admin-agent/
+    owner: supabase-admin-agent
+    extra_opts:
+      - --strip-components=1
+
+- name: supabase-admin-agent - create symlink
+  ansible.builtin.file:
+    path: /opt/supabase-admin-agent/supabase-admin-agent
+    src: "/opt/supabase-admin-agent/supabase-admin-agent-linux-{{ arch }}"
+    state: link
+    owner: supabase-admin-agent
+    mode: "0755"
+    force: yes
+
+- name: supabase-admin-agent - create salt systemd timer file
+  copy:
+    src: files/supabase-admin-agent_config/supabase-admin-agent_salt.timer
+    dest: /etc/systemd/system/supabase-admin-agent_salt.timer
+
+- name: supabase-admin-agent - create salt service file
+  copy:
+    src: files/supabase-admin-agent_config/supabase-admin-agent_salt.service
+    dest: /etc/systemd/system/supabase-admin-agent_salt.service
+
+- name: supabase-admin-agent - reload systemd
+  systemd:
+    daemon_reload: yes
+
+# Initially ensure supabase-admin-agent is installed but not started
+- name: supabase-admin-agent - DISABLE service
+  systemd:
+    name: supabase-admin-agent_salt
+    enabled: no
+    state: stopped

ansible/tasks/setup-supabase-internal.yml

@@ -34,19 +34,19 @@
     aws configure set default.s3.use_dualstack_endpoint true
 
 - name: install Vector for logging
-  become: yes
+  become: true
   apt:
     deb: "{{ vector_x86_deb }}"
   when: platform == "amd64"
 
 - name: install Vector for logging
-  become: yes
+  become: true
   apt:
     deb: "{{ vector_arm_deb }}"
   when: platform == "arm64"
 
 - name: add Vector to postgres group
-  become: yes
+  become: true
   shell:
     cmd: |
       usermod -a -G postgres vector
@@ -72,21 +72,21 @@
     daemon_reload: yes
 
 - name: Create checkpoints dir
-  become: yes
+  become: true
   file:
     path: /var/lib/vector
     state: directory
     owner: vector
 
 - name: Include file for generated optimizations in postgresql.conf
-  become: yes
+  become: true
   replace:
     path: /etc/postgresql/postgresql.conf
     regexp: "#include = '/etc/postgresql-custom/generated-optimizations.conf'"
     replace: "include = '/etc/postgresql-custom/generated-optimizations.conf'"
 
 - name: Include file for custom overrides in postgresql.conf
-  become: yes
+  become: true
   replace:
     path: /etc/postgresql/postgresql.conf
     regexp: "#include = '/etc/postgresql-custom/custom-overrides.conf'"
@@ -115,5 +115,10 @@
   tags:
     - aws-only
 
+- name: Install supabase-admin-agent
+  import_tasks: internal/supabase-admin-agent.yml
+  tags:
+    - aws-only
+
 - name: Envoy - use lds.supabase.yaml for /etc/envoy/lds.yaml
   command: mv /etc/envoy/lds.supabase.yaml /etc/envoy/lds.yaml

ansible/vars.yml

@@ -9,9 +9,9 @@ postgres_major:
 
 # Full version strings for each major version
 postgres_release:
-  postgresorioledb-17: "17.0.1.098-orioledb"
-  postgres17: "17.4.1.048"
-  postgres15: "15.8.1.105"
+  postgresorioledb-17: "17.0.1.099-orioledb"
+  postgres17: "17.4.1.049"
+  postgres15: "15.8.1.106"
 
 # Non Postgres Extensions
 pgbouncer_release: "1.19.0"
@@ -54,6 +54,7 @@ postgres_exporter_release_checksum:
 
 adminapi_release: 0.84.1
 adminmgr_release: 0.25.1
+supabase_admin_agent_release: 1.4.32
 
 vector_x86_deb: "https://packages.timber.io/vector/0.22.3/vector_0.22.3-1_amd64.deb"
 vector_arm_deb: "https://packages.timber.io/vector/0.22.3/vector_0.22.3-1_arm64.deb"