6.4 KiB
6.4 KiB
Session Handoff: Supabase Vault Provisioning & Inventory Secret Migration
Date: 2026-04-15 Session Focus: Create provision_supabase_project.yml; move all vault lookups from playbooks into inventory Context Usage at Handoff: ~50%
What Was Accomplished
- Created
playbooks/provision_supabase_project.yml— reads admin secrets fromkv/data/toallab/supabase(usingvault_kv2_get), asserts required keys present, then writesurl,anon_key,service_key, andpostgres_urlto per-environment vault path (usingvault_kv2_write) - Updated
inventories/bab-inventory/host_vars/supabase-dev/main.yml— added 5 provisioning vars:supabase_admin_vault_path,supabase_api_url,supabase_db_host,supabase_db_port,supabase_db_name - Updated
inventories/bab-inventory/host_vars/supabase-prod/main.yml— same vars; prod marked OPEN (may need different admin instance) - Created
inventories/bab-inventory/host_vars/supabase-dev/vault.yml—supabasevar backed by hashi_vault lookup onsupabase_vault_path - Created
inventories/bab-inventory/host_vars/supabase-prod/vault.yml— same pattern - Created
inventories/bab-inventory/group_vars/all/vault.yml—gitea_tokenvar backed by hashi_vault lookup onkv/data/oys/shared/infra/gitea_token - Updated
playbooks/backup_supabase.yml— removed inline vault lookup task; pg_dump now usessupabase.postgres_urlfrom inventory - Updated
playbooks/sync_gitea_secrets.yml— removed both vault lookup tasks; usessupabase.url,supabase.anon_key,gitea_token.token; added idempotent GET→POST/PUT pattern for Gitea variable API
Exact State of Work in Progress
provision_supabase_project.ymlwritten but not yet run against prod; dev run is next stepkv/data/oys/dev/supabasecurrently only containspostgres_url—url,anon_key,service_keyare missing until provision playbook runskv/data/oys/prod/supabasestate unknown — assume same gap
Decisions Made This Session
- Vault lookups moved to inventory (
host_vars/*/vault.ymlandgroup_vars/all/vault.yml) BECAUSE playbooks should reference clean variable names, not embed vault paths — STATUS: confirmed - Self-hosted Supabase has no project management API — "create project" scope was abandoned BECAUSE the Studio
/api/v1/projectsendpoint is not exposed on self-hosted; there is one project per deployment — STATUS: confirmed - Gitea variable API requires GET-then-POST/PUT (not PUT alone) BECAUSE PUT returns 404 when variable does not yet exist — STATUS: confirmed, tested
Key Numbers Generated or Discovered This Session
kv/toallab/supabaseconfirmed keys:anon_key,service_key,db_password,jwt_secret,dashboard_username,dashboard_password, plus analytics/realtime tokenskv/oys/shared/infra/gitea_tokenconfirmed key:token(NOTvalue— old code was wrong)kv/data/oys/dev/supabasehas exactly 1 key:postgres_url=postgresql://postgres:mr8CQASBOwwxploV9nxoPFSVkhCzXOZA@db-supabase.apps.openshift.toal.ca:30432/postgres- Supabase Studio URL:
https://supabase.apps.openshift.toal.ca(Kong gateway + Studio, same hostname) - Supabase DB external NodePort:
30432
Conditional Logic Established
- IF
kv/data/oys/dev/supabasedoes not haveurl/anon_keyTHENsync_gitea_secrets.ymlwill fail with'dict object' has no attribute 'url'— runprovision_supabase_project.yml --limit supabase-devfirst - IF Gitea variable does not exist THEN POST (status 201); IF it exists THEN PUT (status 204) — GET check drives the branch
- IF targeting
supabase-devTHEN vault reads fromkv/data/oys/dev/supabase; IF targetingsupabase-prodTHENkv/data/oys/prod/supabase
Files Created or Modified
| File Path | Action | Description |
|---|---|---|
playbooks/provision_supabase_project.yml |
Created | Reads kv/toallab/supabase, writes url/anon_key/service_key/postgres_url to per-env vault path |
inventories/bab-inventory/host_vars/supabase-dev/main.yml |
Modified | Added supabase_admin_vault_path, supabase_api_url, supabase_db_host/port/name |
inventories/bab-inventory/host_vars/supabase-prod/main.yml |
Modified | Same vars; prod OPEN for different admin instance |
inventories/bab-inventory/host_vars/supabase-dev/vault.yml |
Created | supabase hashi_vault lookup var |
inventories/bab-inventory/host_vars/supabase-prod/vault.yml |
Created | supabase hashi_vault lookup var |
inventories/bab-inventory/group_vars/all/vault.yml |
Created | gitea_token hashi_vault lookup var |
playbooks/backup_supabase.yml |
Modified | Removed vault lookup task; uses supabase.postgres_url |
playbooks/sync_gitea_secrets.yml |
Modified | Removed vault lookups; uses inventory vars; GET→POST/PUT idempotency |
What the NEXT Session Should Do
- First: Run
ansible-navigator run playbooks/provision_supabase_project.yml --mode stdout --limit supabase-devto populatekv/data/oys/dev/supabasewithurl,anon_key,service_key - Then: Run
ansible-navigator run playbooks/sync_gitea_secrets.yml --mode stdout --limit supabase-devto verify end-to-end success - Then: Confirm
supabase_api_urlvalue for prod (supabase-prodcurrently ASSUMED same as dev —https://supabase.apps.openshift.toal.ca) - Then: Run provision + sync for prod
Open Questions Requiring User Input
supabase-prodadmin instance — is it the same toallab Supabase as dev, or a different production instance? Impactssupabase_admin_vault_pathandsupabase_api_urlinhost_vars/supabase-prod/main.yml
Assumptions That Need Validation
- ASSUMED:
supabase_api_url: https://supabase.apps.openshift.toal.cais the correct Kong/PostgREST API URL that the BAB app should use — validate by checking what URL the Vue app should call - ASSUMED: prod uses the same admin vault path and API URL as dev — validate before running provision against prod
What NOT to Re-Read
docs/archive/handoffs/handoff-2026-04-15-supabase-migration.md— superseded by this handoff; all open questions from it are resolved or carried forward here
Files to Load Next Session
playbooks/provision_supabase_project.yml— if running or debugging provisionplaybooks/sync_gitea_secrets.yml— if running or debugging syncinventories/bab-inventory/host_vars/supabase-dev/main.yml— if adjusting provisioning varsinventories/bab-inventory/host_vars/supabase-prod/main.yml— when addressing prod OPEN question