feat(control-plane): per-app pg16→pg17 cutover command#14
Merged
Conversation
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Bake the compat baseline into every NEW project so it is born correct on the supabase/postgres (v17) substrate — turning v17 from pilot into the official target for anything new, with zero live-data movement. - migrations/0003_extensions.sql: pgcrypto + uuid-ossp + pg_trgm on every new DB (created from template0, no supabase seed → must install). Idempotent. - gotrue.ts prepareAuth: create Supabase-dialect auth.uid()/role()/jwt() helpers in each project's auth schema (read request.jwt.claims; grant anon+authenticated) so RLS ported from Supabase works unchanged. - gotrue.ts prepareAuth: bake the §5e GoTrue-on-v17 fix into provisioning — pin the postgres role-in-database search_path (auth, public, extensions), which OVERRIDES the role default the supabase image sets on `postgres` (the crash-loop cause). New v17 projects boot GoTrue clean with no manual step. Harmless on the PG16 image. Cluster-agnostic and idempotent → safe whether the target is the legacy PG16 image or v17. Validated end-to-end on hauldr-db-v17 in a throwaway template0 DB (cluster untouched): 0001+0002+0003 apply clean; role-in-database search_path effective for a fresh postgres session; auth.uid() resolves the sub; authenticated INSERT respects RLS (owner = auth.uid()). See docs/pg-supabase-image-migration.md §Fase 3. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
… Fase 3 checklist tick Records the design for making new projects born on v17 (§7): registry-driven per-project cluster binding + resolver in db.ts, not a global adminUrl repoint (control DB stays on PG16). Names the touch-list, the supabase_admin superuser requirement, a reduced first-cut scope (no pooler on v17 yet), rollback, and DoD. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Add a repeatable, durable per-app v16→v17 cutover (ADR 0007 / Fase 5). Migrates one project's data from the legacy postgres:16 cluster to the supabase/postgres 17 substrate (hauldr-db-v17, superuser supabase_admin) and repoints its sidecars, gating the flip on a stored projects.cluster binding so re-provision/reconcile never revert it. - control/0012_cluster.sql: projects.cluster (pg16|pg17), default pg16. - config.ts: v17AdminUrl/v17Host/v17Port (v17 data-cluster target). - clusters.ts: Cluster resolver — clusterOf + per-cluster admin/db clients and host/port. pg16 resolves to the exact current values (no drift). - gotrue/postgrest/realtime: cluster-aware, defaulting to pg16 (identical behaviour for existing apps); resolve cluster via clusterOf(name). - cutover.ts: stageA (roles + db + dump/restore excluding realtime + compat baseline + reindex + row-count parity) / stageB (flip + repoint + notify pgrst) / rollback. Idempotent, verbose, throws on mismatch. - Dockerfile: postgresql17-client for pg_dump/pg_restore. - cli.ts: `cutover <name> [--rollback] [--stage a|b|all]`. Typecheck clean (pre-existing jobs.ts pg-boss error unrelated). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
A repeatable, durable per-app v16→v17 cutover command for the Hauldr fleet (ADR 0007 / the pg17 "Fase 5" plan in
docs/pg-supabase-image-migration.md). Migrates one project's data from the oldhauldr-db(postgres:16) to the newhauldr-db-v17(supabase/postgres 17, superusersupabase_admin) and repoints that project's services — gated on a storedprojects.clusterbinding so re-provision / reconcile never revert it.Cut from
feat/pg17-fase3-compat-baseline(reuses its v17 compat baseline:migrations/0003_extensions.sql+ the GoTrue auth-helper / search_path work).Changes
control/0012_cluster.sql—projects.cluster text not null default 'pg16'+ checkin ('pg16','pg17').config.ts— v17 data-cluster target:v17AdminUrl(HAULDR_DB_V17_ADMIN_URL??cronAdminUrl?? …),v17Host(hauldr-db-v17),v17Port(5432).clusters.ts(new) —clusterOf(name)+adminUrlForCluster/dbHostForCluster/dbPortForCluster/adminClientForCluster/dbClientForCluster/adminDbUrlForCluster. pg16 resolves to the EXACT current values so existing apps are byte-for-byte unchanged.gotrue.ts/postgrest.ts/realtime.ts— cluster-aware, defaulting to pg16 (every new branch gated oncluster === 'pg17'). Realtime tenantdb_host/db_port/db_user/db_passwordand its schema+RLSdbClientcalls now follow the project's cluster.cutover.ts(new) —cutover(name, {rollback?, stage?}):supabase_admin) → authenticator role w/ stored password + ADR-0007 governance (conn limit 20, statement/idle timeouts) →db_<name>from template0 →pg_dump -Fc -N realtime | pg_restore→ compat baseline (extensions + auth helpers reused verbatim fromgotrue.ts+ALTER ROLE postgres IN DATABASE … search_path) →reindex database→ public+auth row-count parity check (throws on mismatch).update projects set cluster='pg17'→ re-provision auth/rest/realtime (repoint + redeploy) →notify pgrston v17.Dockerfile—postgresql17-clientforpg_dump/pg_restore.cli.ts—cutover <name> [--rollback] [--stage a|b|all](defaultall).Safety
jobs.tspg-boss error unrelated).🤖 Generated with Claude Code