fix: address review comments and fix tests

Author: samrose

Dockerfile-multigres

@@ -189,7 +189,13 @@ RUN for f in /nix/var/nix/profiles/default/bin/*; do \
 RUN chown -R postgres:postgres /usr/lib/postgresql && \
     chown -R postgres:postgres /usr/share/postgresql
 
-RUN ln -sf /nix/var/nix/profiles/default/bin/pgctld /usr/local/bin/pgctld
+COPY docker/pgctld/postgresql.conf.tmpl /etc/pgctld/postgresql.conf.tmpl
+
+# Wrapper: injects --postgres-config-template on every pgctld call so the team's
+# unmodified k8s manifests and local provisioner commands work without extra flags.
+RUN printf '#!/bin/sh\nexec /nix/var/nix/profiles/default/bin/pgctld --postgres-config-template /etc/pgctld/postgresql.conf.tmpl "$@"\n' \
+    > /usr/local/bin/pgctld && \
+    chmod +x /usr/local/bin/pgctld
 
 # Strip extensions absent from pg17 vanilla build
 RUN sed -i 's/ timescaledb,//g; s/ plv8,//g' /etc/postgresql-custom/supautils.conf

docker/pgctld/orioledb-postgresql.conf.tmpl

@@ -281,6 +281,8 @@ restart_after_crash = off		# reinitialize after backend crash?
 # Add settings for extensions here
 auto_explain.log_min_duration = 10s
 cron.database_name = 'postgres'
+pgsodium.getkey_script = '/usr/lib/postgresql/bin/pgsodium_getkey.sh'
+vault.getkey_script = '/usr/lib/postgresql/bin/pgsodium_getkey.sh'
 wal_log_hints = 'on'
 
 #------------------------------------------------------------------------------

docker/pgctld/postgresql.conf.tmpl

@@ -0,0 +1,288 @@
+# ╔══════════════════════════════════════════════════════════════════════════════╗
+# ║                                                                              ║
+# ║                     PostgreSQL Configuration                                 ║
+# ║                                                                              ║
+# ║          Generated by Multigres - Helping you Scale PostgreSQL               ║
+# ║                                                                              ║
+# ║  This configuration contains optimized settings for PostgreSQL               ║
+# ║  instances managed by Multigres.                                             ║
+# ║  will be replaced with actual values during deployment.                      ║
+# ║                                                                              ║
+# ║                                                                              ║
+# ╚══════════════════════════════════════════════════════════════════════════════╝
+
+
+#------------------------------------------------------------------------------
+# CONNECTIONS AND AUTHENTICATION
+#------------------------------------------------------------------------------
+
+# - Connection Settings -
+# Port, listen_addresses, and unix_socket_directories are passed as command-line parameters
+# This ensures backups remain portable across different environments
+max_connections = {{.MaxConnections}}
+
+# - Authentication -
+
+authentication_timeout = 1min		# 1s-600s
+password_encryption = scram-sha-256	# scram-sha-256 or md5
+
+# GSSAPI using Kerberos
+
+# - SSL -
+
+ssl = off
+ssl_ca_file = ''
+ssl_cert_file = ''
+ssl_crl_file = ''
+ssl_crl_dir = ''
+ssl_key_file = ''
+ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
+ssl_prefer_server_ciphers = on
+ssl_ecdh_curve = 'prime256v1'
+ssl_min_protocol_version = 'TLSv1.2'
+ssl_max_protocol_version = ''
+ssl_dh_params_file = ''
+ssl_passphrase_command = ''
+ssl_passphrase_command_supports_reload = off
+
+
+#------------------------------------------------------------------------------
+# RESOURCE USAGE (except WAL)
+#------------------------------------------------------------------------------
+
+# - Memory -
+
+shared_buffers = {{.SharedBuffers}}			# min 128kB
+					# (change requires restart)
+maintenance_work_mem = {{.MaintenanceWorkMem}}		# min 1MB
+work_mem = {{.WorkMem}}				# min 64kB
+
+# - Disk -
+
+# - Kernel Resources -
+
+max_worker_processes = {{.MaxWorkerProcesses}}		# (change requires restart)
+
+# - Cost-Based Vacuum Delay -
+
+# - Background Writer -
+
+# - Asynchronous Behavior -
+
+effective_io_concurrency = {{.EffectiveIoConcurrency}}	# 1-1000; 0 disables prefetching
+max_parallel_workers = {{.MaxParallelWorkers}}		# max number of parallel workers
+max_parallel_workers_per_gather = {{.MaxParallelWorkersPerGather}}	# taken from max_parallel_workers
+max_parallel_maintenance_workers = {{.MaxParallelMaintenanceWorkers}}	# taken from max_parallel_workers
+
+
+#------------------------------------------------------------------------------
+# WRITE-AHEAD LOG
+#------------------------------------------------------------------------------
+
+# - Settings -
+
+wal_level = logical			# minimal, replica, or logical
+					# (change requires restart)
+wal_buffers = {{.WalBuffers}}			# min 32kB, -1 sets based on shared_buffers
+					# (change requires restart)
+min_wal_size = {{.MinWalSize}}
+max_wal_size = {{.MaxWalSize}}
+wal_keep_size = 1000
+
+# - Checkpoints -
+
+checkpoint_completion_target = {{.CheckpointCompletionTarget}}	# checkpoint target duration, 0.0 - 1.0
+checkpoint_flush_after = 256kB		# measured in pages, 0 disables
+
+# - Archiving -
+
+# - Archive Recovery -
+
+# These are only used in recovery mode.
+
+# - Recovery Target -
+
+# Set these only when performing a targeted recovery.
+
+
+#------------------------------------------------------------------------------
+# REPLICATION
+#------------------------------------------------------------------------------
+
+# - Sending Servers -
+
+max_wal_senders = {{.MaxWalSenders}}		# max number of walsender processes
+					# (change requires restart)
+max_replication_slots = {{.MaxReplicationSlots}}	# max number of replication slots
+					# (change requires restart)
+max_slot_wal_keep_size = 4096   # in megabytes; -1 disables
+
+# - Primary Server -
+
+# These settings are ignored on a standby server.
+
+# - Standby Servers -
+
+# These settings are ignored on a primary server.
+
+# - Subscribers -
+
+# These settings are ignored on a publisher.
+
+
+#------------------------------------------------------------------------------
+# QUERY TUNING
+#------------------------------------------------------------------------------
+
+# - Planner Method Configuration -
+
+# - Planner Cost Constants -
+
+effective_cache_size = {{.EffectiveCacheSize}}
+random_page_cost = {{.RandomPageCost}}			# same scale as above
+
+# - Genetic Query Optimizer -
+
+# - Other Planner Options -
+
+default_statistics_target = {{.DefaultStatisticsTarget}}	# range 1-10000
+
+
+#------------------------------------------------------------------------------
+# REPORTING AND LOGGING
+#------------------------------------------------------------------------------
+
+# These are relevant when logging to syslog:
+
+# This is only relevant when logging to eventlog (Windows):
+# (change requires restart)
+
+# - When to Log -
+
+# - What to Log -
+
+log_line_prefix = '%h %m [%p] %q%u@%d '		# special values:
+					#   %a = application name
+					#   %u = user name
+					#   %d = database name
+					#   %r = remote host and port
+					#   %h = remote host
+					#   %b = backend type
+					#   %p = process ID
+					#   %P = process ID of parallel group leader
+					#   %t = timestamp without milliseconds
+					#   %m = timestamp with milliseconds
+					#   %n = timestamp with milliseconds (as a Unix epoch)
+					#   %Q = query ID (0 if none or not computed)
+					#   %i = command tag
+					#   %e = SQL state
+					#   %c = session ID
+					#   %l = session line number
+					#   %s = session start timestamp
+					#   %v = virtual transaction ID
+					#   %x = transaction ID (0 if none)
+					#   %q = stop here in non-session
+					#        processes
+					#   %% = '%'
+					# e.g. '<%u%%%d> '
+log_statement = 'ddl'			# none, ddl, mod, all
+log_timezone = 'UTC'
+
+#------------------------------------------------------------------------------
+# PROCESS TITLE
+#------------------------------------------------------------------------------
+
+cluster_name = 'main'			# added to process titles if nonempty
+					# (change requires restart)
+
+
+#------------------------------------------------------------------------------
+# STATISTICS
+#------------------------------------------------------------------------------
+
+# - Query and Index Statistics Collector -
+
+
+# - Monitoring -
+
+
+#------------------------------------------------------------------------------
+# AUTOVACUUM
+#------------------------------------------------------------------------------
+
+
+#------------------------------------------------------------------------------
+# CLIENT CONNECTION DEFAULTS
+#------------------------------------------------------------------------------
+
+# - Statement Behavior -
+
+row_security = on
+
+timezone = 'UTC'
+
+# Locale settings (lc_messages, lc_monetary, lc_numeric, lc_time) are
+# inherited from the container environment (LANG, LC_ALL).
+
+# default configuration for text search
+default_text_search_config = 'pg_catalog.english'
+
+# - Shared Library Preloading -
+
+shared_preload_libraries = 'pg_stat_statements, pgaudit, plpgsql, plpgsql_check, pg_cron, pg_net, auto_explain, pg_tle, plan_filter, supabase_vault'
+
+jit_provider = 'llvmjit'		# JIT library to use
+
+# - Other Defaults -
+
+#------------------------------------------------------------------------------
+# LOCK MANAGEMENT
+#------------------------------------------------------------------------------
+
+#deadlock_timeout = 1s
+
+
+#------------------------------------------------------------------------------
+# VERSION AND PLATFORM COMPATIBILITY
+#------------------------------------------------------------------------------
+
+# - Previous PostgreSQL Versions -
+
+# - Other Platforms and Clients -
+
+
+#------------------------------------------------------------------------------
+# ERROR HANDLING
+#------------------------------------------------------------------------------
+
+#exit_on_error = off			# terminate session on any error?
+restart_after_crash = off		# reinitialize after backend crash?
+#data_sync_retry = off			# retry or panic on failure to fsync
+					# data?
+					# (change requires restart)
+#recovery_init_sync_method = fsync	# fsync, syncfs (Linux 5.8+)
+
+
+#------------------------------------------------------------------------------
+# CONFIG FILE INCLUDES
+#------------------------------------------------------------------------------
+
+# These options allow settings to be loaded from files other than the
+# default postgresql.conf.  Note that these are directives, not variable
+# assignments, so they can usefully be given more than once.
+
+# Automatically generated optimizations
+# User-supplied custom parameters, override any automatically generated ones
+
+# WAL-G specific configurations
+
+#------------------------------------------------------------------------------
+# CUSTOMIZED OPTIONS
+#------------------------------------------------------------------------------
+
+# Add settings for extensions here
+auto_explain.log_min_duration = 10s
+cron.database_name = 'postgres'
+pgsodium.getkey_script = '/usr/lib/postgresql/bin/pgsodium_getkey.sh'
+vault.getkey_script = '/usr/lib/postgresql/bin/pgsodium_getkey.sh'
+wal_log_hints = 'on'

nix/packages/docker-image-test.nix

@@ -350,8 +350,8 @@ writeShellApplication {
             # 6. shared_preload_libraries must include orioledb — injected by wrapper, no flags needed
             local spl
             spl=$(docker exec "$container" sh -c "
-                psql -U postgres -h $pooler_dir/pg_sockets \
-                    -tAc \"SHOW shared_preload_libraries;\" 2>&1")
+                psql -U $POSTGRES_USER -d postgres -h $pooler_dir/pg_sockets \
+                    -tAc \"SHOW shared_preload_libraries;\" 2>&1") || true
             if ! echo "$spl" | grep -q "orioledb"; then
                 log_error "  orioledb not in shared_preload_libraries (got: $spl)"
                 log_error "  Check that wrapper script injects --postgres-config-template"
@@ -362,8 +362,8 @@ writeShellApplication {
             # 7. default_table_access_method must be orioledb
             local tam
             tam=$(docker exec "$container" sh -c "
-                psql -U postgres -h $pooler_dir/pg_sockets \
-                    -tAc \"SHOW default_table_access_method;\" 2>&1")
+                psql -U $POSTGRES_USER -d postgres -h $pooler_dir/pg_sockets \
+                    -tAc \"SHOW default_table_access_method;\" 2>&1") || true
             if ! echo "$tam" | grep -q "orioledb"; then
                 log_error "  default_table_access_method is not orioledb (got: $tam)"
                 exit 1

nix/packages/pgctld.nix

@@ -17,7 +17,7 @@ buildGoModule {
   '';
   # Tests require a running PostgreSQL instance (integration tests); skip in sandbox.
   doCheck = false;
-  vendorHash = "sha256-0G/l5MlEnyXSoElPbRkn1MaQNCtil3rE/tPZILbhKaA=";
+  vendorHash = "sha256-HesmA96WVxnBvspLc9FZ5M4m5J/T5r6ymaui8g58yMM=";
 
   meta = {
     description = "PostgreSQL control daemon for Multigres cluster lifecycle management";