feat: remove dependency on pgsodium #37
Conversation
soedirgo
force-pushed
the
feat/vault-sans-pgsodium
branch
from
696992d
to
f61cd0a
Compare
soedirgo
force-pushed
the
feat/vault-sans-pgsodium
branch
3 times, most recently
from
ac58861
to
f525592
Compare
There was a problem hiding this comment.
Creating a separate version here as an alternative to 0.2.8 -> 0.3.0. This lets the extension be created without first creating pgsodium, which would be necessary when creating 0.2.8.
| @@ -0,0 +1 @@ | |||
| requires = pgsodium | |||
There was a problem hiding this comment.
Only 0.2.8 (the current latest version) requires pgsodium - future versions won't require it.
soedirgo
force-pushed
the
feat/vault-sans-pgsodium
branch
2 times, most recently
from
a8db719
to
72cde61
Compare
| @@ -188,3 +190,52 @@ | |||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |||
| See the License for the specific language governing permissions and | |||
| limitations under the License. | |||
|
|
|||
| # pgsodium License | |||
There was a problem hiding this comment.
is this necessary if the dep is getting pulled out?
There was a problem hiding this comment.
Yeah we use pgsodium code in pgsodium.c and pgsodium.h; we can do away with them once we move from libsodium (still needed to decrypt existing secrets)
sql/supabase_vault--0.3.0.sql
Outdated
| GRANT ALL ON SCHEMA vault TO pgsodium_keyiduser; | ||
| GRANT ALL ON TABLE vault.secrets TO pgsodium_keyiduser; | ||
| GRANT ALL ON vault.decrypted_secrets TO pgsodium_keyiduser; |
There was a problem hiding this comment.
these roles come from pg_sodium. for new installs on 0.3.0 is pg_sodium still required?
there is no exception in tests currently due to fixtures.sql creating these roles but wouldn't that need to be directly in this setup script for prod?
There was a problem hiding this comment.
The roles will stay when pgsodium is dropped (Postgres doesn't track extension dependents for roles).
I'll see if I can change how the permissions is set up so we can further remove pgsodium-isms, but at worst we just create these roles at AMI creation once we stop creating pgsodium by default.
nix/postgresql/generic.nix
Outdated
There was a problem hiding this comment.
@soedirgo if it would help once I have a pg 17 in https://github.com/supabase/postgres I could set up a flake here that would let you isolate and use it, so that you could end up with 1:1 sync with what is built and used downstream.
There was a problem hiding this comment.
This would help you match exact build + avoid having to maintain your own build of postgres in this project too.
There was a problem hiding this comment.
...it could also then use the cached versions we have, and would save time on local machine and CI too.
There was a problem hiding this comment.
Yeah that'd be fantastic 👍 it'd halve the size of this PR
soedirgo
force-pushed
the
feat/vault-sans-pgsodium
branch
from
c85dca9
to
19571b1
Compare
soedirgo
force-pushed
the
feat/vault-sans-pgsodium
branch
from
19571b1
to
e4aab63
Compare
Add a new version 0.3.0 that doesn't depend on pgsodium. All the needed pgsodium functionalities are baked directly into supabase_vault.
Tested flows:
drop extension supabase_vault cascade;select * from vault.decrypted_secretsselect * from vault.decrypted_secretsdrop extension pgsodiumselect * from vault.decrypted_secretsselect * from vault.decrypted_secrets