enh: prefix schema to enum migrations#2040
Closed
willnode wants to merge 1 commit intosupabase:masterfrom
Closed
Conversation
Add support for nonstandard search path migrations
cstockton
pushed a commit
that referenced
this pull request
Aug 4, 2025
Add support for nonstandard search path migrations
Bewinxed
pushed a commit
that referenced
this pull request
Jan 19, 2026
## What kind of change does this PR introduce? Big fix for #1729, #1848, #1983, and #2040 with an additional type fix. ## What is the current behavior? The auth service cannot be deployed in a net new environment on PostgreSQL 17. ## What is the new behavior? The service is running properly with PostgreSQL 17 in a cleanroom environment. ## Additional context Here is a redacted version of the terraform I used to deploy it with. I used my own container build with these fixes, `ghcr.io/siennathesane/auth:v2.175.0`, that you can use to verify the fix is valid, if you want. ```hcl locals { f2-auth-db-namespace = "auth" } resource "kubernetes_service_account" "f2-auth" { metadata { name = "f2-auth" namespace = var.namespace } } resource "kubernetes_manifest" "f2-auth-db" { manifest = { "apiVersion" = "postgresql.cnpg.io/v1" "kind" = "Database" "metadata" = { "name" = "f2-auth-db" "namespace" = var.namespace } "spec" = { "cluster" = { "name" = kubernetes_manifest.f2-cluster.object.metadata.name } "allowConnections" = true "name" = local.f2-auth-db-namespace "owner" = kubernetes_secret_v1.f2-auth-db.data.username "schemas" = [{ "name" = local.f2-auth-db-namespace "owner" = kubernetes_secret_v1.f2-auth-db.data.username }] } } } resource "kubernetes_config_map_v1" "f2-auth-initdb" { metadata { name = "sql-commands" namespace = var.namespace } data = { "script.sql" = <<-EOT ALTER USER ${kubernetes_secret_v1.f2-auth-db.data.username} WITH LOGIN CREATEROLE CREATEDB REPLICATION BYPASSRLS; GRANT ${kubernetes_secret_v1.f2-auth-db.data.username} TO postgres; CREATE SCHEMA IF NOT EXISTS ${local.f2-auth-db-namespace} AUTHORIZATION ${kubernetes_secret_v1.f2-auth-db.data.username}; GRANT CREATE ON DATABASE postgres TO ${kubernetes_secret_v1.f2-auth-db.data.username}; ALTER USER ${kubernetes_secret_v1.f2-auth-db.data.username} SET search_path = '${local.f2-auth-db-namespace}'; EOT } } resource "kubernetes_secret_v1" "f2-auth-db" { metadata { name = "auth-db" namespace = var.namespace labels = { "cnpg.io/reload" = "true" } } data = { username = "[REDACTED]" password = random_password.f2-auth-db-password.result database = "auth" } type = "kubernetes.io/basic-auth" } resource "kubernetes_secret_v1" "f2-auth-jwt" { metadata { name = "auth-jwt" namespace = var.namespace } data = { anonKey = "[REDACTED]" secret = "[REDACTED]" serviceKey = "[REDACTED]" } type = "Opaque" } resource "random_password" "f2-auth-db-password" { length = 16 special = false } resource "kubernetes_deployment_v1" "f2-auth" { depends_on = [kubernetes_manifest.f2-auth-db] timeouts { create = "2m" } metadata { name = "f2auth" labels = { "f2.pub/app" = "auth-${var.environment}" } namespace = var.namespace } spec { replicas = 1 selector { match_labels = { "f2.pub/app" = "auth-${var.environment}" } } template { metadata { labels = { "f2.pub/app" = "auth-${var.environment}" } } spec { image_pull_secrets { name = var.ghcr-pull-secret-name } init_container { name = "init-db" image = "postgres:17-alpine" command = ["psql", "-f", "/sql/script.sql"] env { name = "PGHOST" value = "${kubernetes_manifest.f2-cluster.object.metadata.name}-rw" } env { name = "PGPORT" value = "5432" } env { name = "PGDATABASE" value = kubernetes_secret_v1.f2-auth-db.data.database } env { name = "PGUSER" value = kubernetes_secret_v1.f2-auth-db.data.username } env { name = "PGPASSWORD" value = kubernetes_secret_v1.f2-auth-db.data.password } volume_mount { name = "sql-volume" mount_path = "/sql" } } volume { name = "sql-volume" config_map { name = kubernetes_config_map_v1.f2-auth-initdb.metadata[0].name } } container { image = "ghcr.io/siennathesane/auth:${var.goauth-version}" image_pull_policy = "Always" name = "auth" resources { limits = { cpu = "0.5" memory = "512Mi" } requests = { cpu = "250m" memory = "50Mi" } } port { name = "http" container_port = 9999 protocol = "TCP" } env { name = "GOTRUE_DB_DRIVER" value = "postgres" } env { name = "DB_NAMESPACE" value = "auth" } env { name = "DATABASE_URL" value = "postgres://${kubernetes_secret_v1.f2-auth-db.data.username}:[REDACTED]@${ kubernetes_manifest.f2-cluster.object.metadata.name}-rw:5432/${kubernetes_secret_v1.f2-auth-db.data.database}" } env { name = "GOTRUE_JWT_SECRET" value_from { secret_key_ref { name = "auth-jwt" key = "secret" } } } env { name = "API_EXTERNAL_URL" value = "http://[REDACTED]" } env { name = "GOTRUE_SITE_URL" value = "http://[REDACTED]" } env { name = "GOTRUE_API_HOST" value = "0.0.0.0" } env { name = "PORT" value = "9999" } } } } } } ``` Closes #1729 Closes #1848 Closes #1983 Closes #2040 Signed-off-by: Sienna Satterwhite <[email protected]> Co-authored-by: Chris Stockton <[email protected]>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Add support for nonstandard search path migrations
What kind of change does this PR introduce?
Continuation of #1983 and fixes #1729
What is the current behavior?
The current migration script assumes the search path has been set to a custom schema.
If this step missed, the default schema for all migrations is
public. This should be fine if all tables and enums are prefixed accordingly, but currently it's not. All postgres enum is not prefixed with schema.What is the new behavior?
All postgres enum will be prefixed with the schema. This should fixes issue #1729 where the migration is broken if search path is not set properly.
This doesn't introduce a breaking change, because if
search_pathis already set all enums stay on the formersearch_path.Additional context
Haven't test. Will test soon.