[DPE-5833] Create new PostgreSQL version 16 charm #788
Conversation
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## 16/edge #788 +/- ##
===========================================
- Coverage 75.53% 75.53% -0.01%
===========================================
Files 12 12
Lines 3115 3123 +8
Branches 466 468 +2
===========================================
+ Hits 2353 2359 +6
Misses 621 621
- Partials 141 143 +2 ☔ View full report in Codecov by Sentry. |
|
|
||
| integration-test: | ||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| juju: | ||
| - agent: 2.9.51 # renovate: juju-agent-pin-minor | ||
| libjuju: ==2.9.49.1 # renovate: latest libjuju 2 | ||
| allure_on_amd64: false |
There was a problem hiding this comment.
no more juju 2
| for extension, enable in ordered_extensions.items(): | ||
| if extension == "postgis": | ||
| cursor.execute("SET pgaudit.log = 'none';") |
There was a problem hiding this comment.
necessary for postgis to work
There was a problem hiding this comment.
Interesting. So, postgis and pgaudit don't work together?
| sslrootcert: {{ conf_path }}/ca.pem | ||
| sslcert: {{ conf_path }}/cert.pem | ||
| sslkey: {{ conf_path }}/key.pem | ||
| {%- endif %} |
There was a problem hiding this comment.
no idea why this wasn't an issue before.
|
|
||
| @pytest.fixture(scope="module") | ||
| async def database_charm(ops_test: OpsTest): | ||
| """Build the database charm.""" | ||
| charm = await ops_test.build_charm(".") | ||
| charm = await build_charm(".") |
There was a problem hiding this comment.
workaround for multi-base integration testing (currently hardcoded to jammy)
| @@ -43,7 +42,6 @@ async def test_build_and_deploy(ops_test: OpsTest) -> None: | |||
| await ops_test.model.deploy( | |||
| APPLICATION_NAME, | |||
| application_name=APPLICATION_NAME, | |||
| base=CHARM_BASE, | |||
There was a problem hiding this comment.
this parameter still doesn't play nice with noble base.
| @@ -372,6 +374,7 @@ def _generate_database_privileges_statements( | |||
| ) -> List[Composed]: | |||
| """Generates a list of databases privileges statements.""" | |||
| statements = [] | |||
| statements.append(SQL("GRANT USAGE, CREATE ON SCHEMA public TO PUBLIC;")) | |||
There was a problem hiding this comment.
Here and below are the specific workarounds mentioned in the doc for the new restrictive permissions added on PG 15/16.
lucasgameiroborges
requested review from
dragomirp,
taurus-forever and
marceloneppel
| @@ -17,6 +17,7 @@ | |||
| CHARM_SERIES, | |||
| DATABASE_APP_NAME, | |||
| METADATA, | |||
| build_charm, | |||
There was a problem hiding this comment.
This test file and tests/integration/ha_tests/test_rollback_to_master_label.py can be removed as we don't have a previous version without the primary label for PG 16.
| ORAFCE_EXTENSION_STATEMENT = "SELECT oracle.add_months(date '2005-05-31',1);" | ||
| PG_SIMILARITY_EXTENSION_STATEMENT = ( | ||
| "SET pg_similarity.levenshtein_threshold = 0.7; SELECT 'aaa', 'aab', lev('aaa','aab');" | ||
| ) |
There was a problem hiding this comment.
Do these statements also work on PG 14? If so, I think we can create a ticket to remember to backport it later.
| for extension, enable in ordered_extensions.items(): | ||
| if extension == "postgis": | ||
| cursor.execute("SET pgaudit.log = 'none';") |
There was a problem hiding this comment.
Interesting. So, postgis and pgaudit don't work together?
| @@ -534,7 +534,7 @@ def render_patroni_yml_file( | |||
| ) | |||
| self._render_file(f"{self._storage_path}/patroni.yml", rendered, 0o644) | |||
|
|
|||
| @retry(stop=stop_after_attempt(10), wait=wait_exponential(multiplier=1, min=2, max=30)) | |||
| @retry(stop=stop_after_attempt(20), wait=wait_exponential(multiplier=1, min=2, max=30)) | |||
There was a problem hiding this comment.
Did you have a link to a failing test that motivated this change? Did it happen multiple times?
| SQL("GRANT USAGE, CREATE ON SCHEMA {} TO {};").format( | ||
| schema, Identifier(user) | ||
| ), | ||
| SQL("GRANT USAGE, CREATE ON SCHEMA {} TO admin;").format(schema), |
There was a problem hiding this comment.
I checked the PostgreSQL 15 release notes and changed my mind about the approach here. Now, I think that it's important that we don't grant those permissions to users on the public schema to avoid CVE-2018-1058.
| @@ -28,7 +28,7 @@ resources: | |||
| postgresql-image: | |||
| type: oci-image | |||
| description: OCI image for PostgreSQL | |||
| upstream-source: ghcr.io/canonical/charmed-postgresql@sha256:7e41d7f60e45ee2f5463aa9aafcd3c35121423423ee08c26a174b99ad0235b7e # renovate: oci-image tag: 14.15-22.04_edge | |||
| upstream-source: ghcr.io/canonical/charmed-postgresql:16.4-24.04_edge | |||
There was a problem hiding this comment.
I'd prefer to keep the SHA256 digest here because it'll prevent us from publishing the charm with a newer and not yet tested version of the OCI image.
Part of the 4-PR bundle to merge PostgreSQL 16. See doc for further info: https://docs.google.com/document/d/1K4xMxKDOiHfdCTc_hxMh6bW1DCZ6HC6wa6g8tAJAtno/edit?tab=t.0