Postgres/K8s Networking Change - Phase 6 #4077
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
37c70b5 to
9e3f62e
Compare
24c979a to
eb22d12
Compare
9e3f62e to
9666296
Compare
|
I rebased this (and the PRs for phases 3-5) on top of #4801 so we don't lose the descriptions for the firewall rules. |
eb22d12 to
50081a7
Compare
9666296 to
fae8d6f
Compare
50081a7 to
55d1760
Compare
Have the postgres networking page show a link to the customer firewall networking page if the customer firewall exists, or the private subnet networking page otherwise. This allows for the same control of firewall rules (even more control, actually), though the interface is slightly more complex as the user needs to specify the ports. However, the user can now have different rules for pg vs pgbouncer traffic. Maybe you want to ensure your web servers are only able to access the database via pgbouncer, but other applications are allowed to access the database directly and shouldn't be using pgbouncer. No change to API handling in this commit. Remove inline_edit_buttons component and hero-check-circle icons, no longer used.
Previously, this used the PostgresFirewallRule related to the PostgresResource. With the switch to using customer firewalls and customer subnets for PostgresResources, PostgresFirewallRule is an unnecessary abstraction. Add port to API responses for postgres firewall rules. This previously wasn't needed because each postgres firewall rule was for 2 ports, but now that each port is handled by a separate rule, the port is needed to disambiguate. Temporarily, use 5432 if it is a PostgresFirewallRule, but that will be going away shortly. If the customer firewall allows other ports, they will not be shown in this view. This is designed for keeping as much backwards compatibility as possible while removing PostgresFirewallRule. For full information on firewall rules, the private subnet for the Postgres database should be used. Add PostgresResource#pg_firewall_rules to handle this filtering. To avoid duplicate queries, have postgres_require_customer_firewall! helper return the firewall if it is found. Temporarily, have the openapi.yml configuration allow either pf or fr ubids for PostgresFirewallRule. This will eventually be switching to all fr when the conversion is complete.
This makes it similar to the GET firewall-rule route. This has a larger effect, the SDK/CLI use this. For the CLI, include the port and description when showing the rule.
Instead of inserting 1 PostgresFirewallRule. This is a little awkward, since we can return only one rule. Return the 5432 rule in this case. Use the same description for both created FirewallRules.
… ubids
Add PostgresResource#pg_firewall_rule{,s_dataset} to make it easier
to retrieve a specific rule.
Make PrivateSubnet#update_private_subnet_firewall_rules public,
so it can be called in the routes.
Update openapi.yml to remove use of pf ubids. The
postgres_firewall_rule_id component can be switched to firewall_rule_id.
This removes the last usage of PostgresFirewallRule in the routes.
The serializer still refers to PostgresFirewallRule, but it operates
on FirewallRule instances only now.
No longer create PostgresFirewallRule instances when creating PostgresResources. Create FirewallRule instances instead. Remove PostgresResource firewall_rules association and set_firewall_rules method. Add a before_destroy so the postgres_firewall_rule entries will be removed before the resource is destroyed. This does not drop the table. That can be done in later, and requires multiple steps (delete all records, drop before_destroy, drop postgres_firewall_rule table). This keeps the update_firewall_rules semaphore for PostgresResource, but makes it a no-op. That can also be cleaned up later. Update regen-screenshots to handle networking changes. It's showing: Missing screenshots: managed-postgresql/metrics-1-screenshot.png managed-postgresql/metrics-2-screenshot.png But I think that is unrelated to this change.
fae8d6f to
facb1c0
Compare
furkansahin
approved these changes
Oct 29, 2025
| <% else %> | ||
| The firewall related to this PostgreSQL database was deleted or detached from the related private subnet, | ||
| you can manage firewall rules using an appropriate firewall on the | ||
| <a class="text-orange-600" href="<%= path(@pg.private_subnet) %>/networking">private subnet</a>. |
There was a problem hiding this comment.
since we are removing the pg specific firewalls from the UI. For the sake of UX, we might add some predefined port selection in the firewall creation page? Like, the port box stays edittable but we can pick a "Postgres" type that fills 5432 automatically, "pgbouncer", "ssh", "http", or "https". What do you think? It is not really something we have to solve in this PR but it might be a good addition later to increase usability.
There was a problem hiding this comment.
I don't think the benefit of doing that is worth making the UI more complicated. However, I'm not opposed to it if another developer wants to work on that and the UI doesn't get worse. We're basically out of horizontal space in the existing UI at ~1240px width (I generally browse at ~1260px width). You would have to start stacking inputs vertically. Doing it for existing rows means every row will start taking more space, which I don't think we want. Maybe we could do it only for the row to create new rules, though.
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This removes the use of PostgresFirewallRule, and has the postgres
firewall rule routes operate directly on the FirewallRules for the
customer firewall.
For the web UI, we just link to the customer firewall networking
page if the customer firewall exists, or to the private subnet
networking page otherwise.
For the API/CLI, this isn't 100% backwards compatible, as
PostgresFirewallRules have descriptions and FirewallRules do not,
and PostgreFirewallRule represents a combination of 2 FirewallRules.
Use the description field in the API to show the port information,
and only show FirewallRules that are for only 5432 or for only 6432.
This change avoids an issue where if a customer changes the firewall
rules for the postgres customer firewall, and then changes the
postgres firewall rules, the postgres firewall rules would replace
any changes made directly to the customer firewall.
Long term, we should probably deprecate and remove this API/CLI
support, and point customers to the related firewall if they want to
make networking changes.
Important
Removes
PostgresFirewallRule, directly usingFirewallRulesfor PostgreSQL networking, updating UI, API/CLI, and tests.PostgresFirewallRuleand usesFirewallRulesdirectly for PostgreSQL networking.FirewallRulesfor ports 5432 or 6432 only, using description for port info.PostgresFirewallRulemodel.PostgresResourceto manageFirewallRulesdirectly.pg/add-firewall-rule_spec.rb,pg/delete-firewall-rule_spec.rb,pg/modify-firewall-rule_spec.rb, andpg/show_spec.rbto reflect new firewall rule handling.project/location/postgres_spec.rbandweb/project/postgres_spec.rbfor UI changes.hero-check-circleicon fromicon.erb.inline_edit_buttons.erbcomponent.This description was created by
for facb1c0. You can customize this summary. It will automatically update as commits are pushed.