Upgrade builder-datastore to use core/postgresql17

.envrc

@@ -5,39 +5,54 @@ export HAB_STUDIO_SUP="--auto-update"
 export HAB_ORIGIN_KEYS
 export HAB_ORIGIN="habitat"
 
+# This script originally had two large repeated code blocks with the difference
+# being that one ran using '~/.hab' and the other used '/hab' as the root for
+# the operations within.  This eliminates the duplication in favor of
+# $hab_root.
 if [ -d ~/.hab ]; then
-  HAB_CONFIG=~/.hab/etc/cli.toml
-  if [ -e "$HAB_CONFIG" ]; then
-    HAB_AUTH_TOKEN=$(cat $HAB_CONFIG | grep "auth_token" | awk '{print $3}' | tr -d '"')
-    HAB_ORIGIN=$(cat $HAB_CONFIG | grep "origin" | awk '{print $3}' | tr -d '"')
-    export HAB_AUTH_TOKEN HAB_ORIGIN
-  fi
-  if ls ~/.hab/cache/keys/*.sig.key 1>/dev/null 2>&1; then
-    HAB_ORIGIN_KEY_NAMES=$(find ~/.hab/cache/keys/*.sig.key -type f -exec basename {} \;)
-    for key in $HAB_ORIGIN_KEY_NAMES; do
-      HAB_ORIGIN_KEYS="$HAB_ORIGIN_KEYS ${key%-*}"
-    done
-    HAB_ORIGIN_KEYS=$(echo "$HAB_ORIGIN_KEYS" | tr ' ', ',')
-  fi
+  hab_root=~/.hab
 else
-  HAB_CONFIG=/hab/etc/cli.toml
-  if [ -e "$HAB_CONFIG" ]; then
-    HAB_AUTH_TOKEN=$(cat $HAB_CONFIG | grep "auth_token" | awk '{print $3}' | tr -d '"')
-    HAB_ORIGIN=$(cat $HAB_CONFIG | grep "origin" | awk '{print $3}' | tr -d '"')
-    export HAB_AUTH_TOKEN HAB_ORIGIN
-  fi
-  if ls /hab/cache/keys/*.sig.key 1>/dev/null 2>&1; then
-    HAB_ORIGIN_KEY_NAMES=$(find /hab/cache/keys/*.sig.key -type f -exec basename {} \;)
-    for key in $HAB_ORIGIN_KEY_NAMES; do
-      HAB_ORIGIN_KEYS="$HAB_ORIGIN_KEYS ${key%-*}"
-    done
-    HAB_ORIGIN_KEYS=$(echo "$HAB_ORIGIN_KEYS" | tr ' ', ',')
-  fi
+  hab_root=/hab
 fi
+HAB_CONFIG="$hab_root/etc/cli.toml"
+
+# This really only ever execute if the executing user has configured the
+# cli.toml via 'hab cli setup'.  Also, I think this will set the variables
+# within to the empty string if they aren't present but that's a problem for
+# later as it's been that way for a long time now and I'm not aware of an
+# issues that its's causing at this time.
+if [ -e "$HAB_CONFIG" ]; then
+  HAB_AUTH_TOKEN=$(cat $HAB_CONFIG | grep "auth_token" | awk '{print $3}' | tr -d '"')
+  HAB_ORIGIN=$(cat $HAB_CONFIG | grep "origin" | awk '{print $3}' | tr -d '"')
+  export HAB_AUTH_TOKEN HAB_ORIGIN
+fi
+
+# This is the problem I really came to address in reworking this script. I have
+# a lot of different keys for the same origin and this variable was a mess with
+# 10s of the same key and it was causing me issues often enough that I started
+# unsetting it as a regular practice.  This creates a list without dups and
+# only adds the HAB_ORIGIN to the list if it doesn't already exist in the list.
+declare -A hash
+for key in "$hab_root"/cache/keys/*.sig.key; do
+  x=${key##*/}
+  x=${x%-*}
+  hash["$x"]="$x"
+done
+unset x
+
+for x in "${!hash[@]}"; do
+  if [[ -n $HAB_ORIGIN_KEYS ]]; then
+    HAB_ORIGIN_KEYS+=",$x"
+  else
+    HAB_ORIGIN_KEYS+="$x"
+  fi
+done
+unset x
 
-if [ -n "$HAB_ORIGIN" ]; then
+if [[ ! -v hash["$HAB_ORIGIN"] ]]; then
   HAB_ORIGIN_KEYS="${HAB_ORIGIN_KEYS},${HAB_ORIGIN}"
 fi
+unset hash
 
 if [ -z "${HAB_AUTH_TOKEN:-}" ]; then
   echo "WARNING: No auth token set. Please run hab setup before running builder."

.expeditor/scripts/post_habitat_release/cargo_update.sh

@@ -1,9 +1,9 @@
 #!/bin/bash
 
-set -euo pipefail 
+set -euo pipefail
 
-# shellcheck source=.expeditor/scripts/shared.sh 
-source .expeditor/scripts/post_habitat_release/shared.sh 
+# shellcheck source=shared.sh
+source .expeditor/scripts/post_habitat_release/shared.sh
 
 branch="expeditor/cargo-update-$(date +"%Y%m%d%H%M%S")"
 git checkout -b "$branch"
@@ -13,21 +13,8 @@ toolchain="$(get_toolchain)"
 install_hub
 
 echo "--- :habicat: Installing and configuring build dependencies"
-hab pkg install core/rust/"$toolchain" \
-                core/libarchive \
-                core/openssl \
-                core/pkg-config \
-                core/postgresql \
-                core/protobuf \
-                core/zeromq \
-                core/cmake
-
-export OPENSSL_NO_VENDOR=1
-export LD_RUN_PATH
-LD_RUN_PATH="$(hab pkg path core/glibc)/lib:$(hab pkg path core/gcc-libs)/lib:$(hab pkg path core/openssl)/lib:$(hab pkg path core/postgresql)/lib:$(hab pkg path core/zeromq)/lib:$(hab pkg path core/libarchive)/lib"
-export PKG_CONFIG_PATH
-PKG_CONFIG_PATH="$(hab pkg path core/zeromq)/lib/pkgconfig:$(hab pkg path core/libarchive)/lib/pkgconfig:$(hab pkg path core/postgresql)/lib/pkgconfig:$(hab pkg path core/openssl)/lib/pkgconfig"
-eval "$(hab pkg env core/rust/"$toolchain"):$(hab pkg path core/protobuf)/bin:$(hab pkg path core/pkg-config)/bin:$(hab pkg path core/postgresql)/bin:$(hab pkg path core/cmake)/bin:$PATH"
+# shellcheck source=../../../support/ci/shared_build_environment.sh
+source support/ci/shared_build_environment.sh
 
 echo "--- :rust: Cargo Update"
 cargo clean
@@ -43,14 +30,14 @@ git commit -s -m "Update Cargo.lock"
 
 pr_labels=""
 pr_message=""
-if [ "$update_status" -ne 0 ]; then 
+if [ "$update_status" -ne 0 ]; then
   pr_labels="T-DO-NOT-MERGE"
 
-  # read will exit 1 if it can't find a delimeter.
-  # -d '' will always trigger this case as there is no delimeter to find, 
-  # but this is required in order to write the entire message into a single PR 
+  # read will exit 1 if it can't find a delimiter.
+  # -d '' will always trigger this case as there is no delimiter to find,
+  # but this is required in order to write the entire message into a single PR
   # preserving newlines.
-   read -r -d '' pr_message <<EOM || true
+  read -r -d '' pr_message <<EOM || true
 Unable to update Cargo.lock!
 
 For details on the failure, please visit ${BUILDKITE_BUILD_URL:-No Buildkite url}#${BUILDKITE_JOB_ID:-No Buildkite job id}
@@ -63,7 +50,7 @@ fi
 # the latter requires multiple curl commands and parsing json responses and error handling at each step.
 push_current_branch
 
-# We have to use --force to open the PR. We're specifying where to push, rather than using a remote, in 
+# We have to use --force to open the PR. We're specifying where to push, rather than using a remote, in
 # the previous command to avoid writing secrets to disk, so hub isn't able to read that information from
 # the git configuration
 hub pull-request --force --no-edit --labels "$pr_labels" --file - <<EOF

.expeditor/templates/studiorc

@@ -19,18 +19,21 @@ hab pkg exec core/openssl openssl genrsa \
 echo "--- Creating log directory"
 mkdir -p logs
 echo "--- Starting the supervisor"
-env HAB_FUNC_TEST=1 hab sup run > logs/sup.log 2>&1 &
+if pgrep hab-sup >/dev/null 2>&1; then
+  echo "Before attempting to start a hab-sup a hab-sup process was found, exiting"
+  exit 1
+fi
+env HAB_FUNC_TEST=1 hab sup run >logs/sup.log 2>&1 &
 
-until hab svc status >/dev/null 2>&1;
-  do echo "waiting for hab sup to start"
+until hab svc status >/dev/null 2>&1; do
+  echo "waiting for hab sup to start"
   sleep 1
 done
 
 echo "--- Starting builder"
 start-builder
 
-while ! [ -f "/hab/svc/builder-api/files/builder-github-app.pem" ];
-do
+while ! [ -f "/hab/svc/builder-api/files/builder-github-app.pem" ]; do
   echo "Waiting for builder-github-app.pem"
   ls /hab/svc/builder-api/files
   sleep 10
@@ -40,20 +43,22 @@ done
 # Redirect the output into a file that is automatically uploaded
 # to buildkite so we can inspect if necessary
 echo "--- Building changed builder components"
+
+# NOTE: While building builder-api there is repeating error that can be
+# recognized by "Crypto error: No revisions found for bldr". We might be able
+# prevent it but things will self-correct and the script will continue.
 echo "--- Building builder-api"
 echo "Redirecting log output; See build artifact 'builder-api.build.log'"
-build-builder api > logs/builder-api.build.log 2>&1
+build-builder api >logs/builder-api.build.log 2>&1
 
 echo "--- Waiting for services to start"
-while hab svc status | grep --quiet down;
-do
+while hab svc status | grep --quiet down; do
   echo "Waiting for services to start..."
   sleep 10
 done
 
 echo "--- Waiting for builder-github-app.pem to arrive"
-while ! [ -f "/hab/svc/builder-api/files/builder-github-app.pem" ];
-do
+while ! [ -f "/hab/svc/builder-api/files/builder-github-app.pem" ]; do
   echo "Waiting for builder-github-app.pem"
   ls /hab/svc/builder-api/files
   sleep 10

.expeditor/verify.pipeline.yml

@@ -3,9 +3,12 @@ expeditor:
     buildkite:
       timeout_in_minutes: 30
       env:
+          HAB_BLDR_CHANNEL: LTS-2024
+          HAB_REFRESH_CHANNEL: LTS-2024
+          HAB_FALLBACK_CHANNEL: LTS-2024
           HAB_STUDIO_SECRET_HAB_BLDR_CHANNEL: LTS-2024
           HAB_STUDIO_SECRET_HAB_REFRESH_CHANNEL: LTS-2024
-          HAB_STUDIO_SECRET_HAB_FALLBACK_CHANNEL: "LTS-2024"
+          HAB_STUDIO_SECRET_HAB_FALLBACK_CHANNEL: LTS-2024
 
 steps:
 #######################################################################
@@ -142,4 +145,3 @@ steps:
             # `studio` should not matter.
             # test test
             - HAB_STUDIO_SECRET_NODE_OPTIONS="--dns-result-order=ipv4first"
-

.studiorc

@@ -75,7 +75,6 @@ install-packages() {
     core/procps-ng \
     core/sccache \
     core/shadow \
-    --channel LTS-2024 \
     --binlink
 }
 
@@ -181,7 +180,7 @@ _load-if-not-loaded() {
   if hab svc status "$pkg_ident" >/dev/null 2>&1; then
     echo "$pkg_ident is already loaded"
   else
-    hab svc load --channel "${HAB_BLDR_CHANNEL:-LTS-2024}" "$@"
+    hab svc load "$@"
   fi
 }
 load-if-not-loaded() { stop-on-failure _load-if-not-loaded "$@"; }
@@ -192,7 +191,7 @@ start-datastore() {
     echo "habitat/builder-datastore is already loaded"
   else
     init-datastore
-    hab svc load --channel "${HAB_BLDR_CHANNEL:-LTS-2024}" habitat/builder-datastore
+    hab svc load habitat/builder-datastore
   fi
 }
 
@@ -251,8 +250,7 @@ generate_bldr_keys() {
 }
 
 load_package() {
-  # JAH:  Should there really be a --channel option here at all?
-  hab pkg upload --url http://localhost --auth "${HAB_AUTH_TOKEN}" "$@" --channel "${HAB_BLDR_CHANNEL:-LTS-2024}"
+  hab pkg upload --url http://localhost --auth "${HAB_AUTH_TOKEN}" "$@"
 }
 
 load_packages() {
@@ -310,7 +308,7 @@ test-builder() {
   fi
 
   echo "Starting supervisor in test mode. Logs saved to ${logs}"
-  HAB_BLDR_CHANNEL="${HAB_BLDR_CHANNEL:-LTS-2024}" HAB_FUNC_TEST=1 RUST_LOG=debug HAB_NONINTERACTIVE=true HAB_NOCOLORING=true hab sup run --no-color >${logs} 2>&1 &
+  HAB_FUNC_TEST=1 RUST_LOG=debug HAB_NONINTERACTIVE=true HAB_NOCOLORING=true hab sup run --no-color >${logs} 2>&1 &
   sleep 8
 
   start-builder
@@ -327,11 +325,33 @@ test-builder() {
   fi
 }
 
+PSQL_POSTGRES_IDENT=''
+export PSQL_POSTGRES_IDENT
+set_postgres_ident() {
+  if [[ -z $PSQL_POSTGRES_IDENT ]]; then
+    s="$(hab pkg list core/postgresql17-client)"
+    if [[ -n $s ]]; then
+      PSQL_POSTGRES_IDENT='core/postgresql17-client'
+    else
+      s="$(hab pkg list core/postgresql17)"
+      if [[ -n $s ]]; then
+        PSQL_POSTGRES_IDENT='core/postgresql17'
+      else
+        hab pkg install core/postgresql17-client
+        PSQL_POSTGRES_IDENT='core/postgresql17-client'
+      fi
+    fi
+  fi
+}
+
+export -f set_postgres_ident
+
 function psql() {
   local config_dir port
   config_dir="/hab/svc/builder-datastore/config"
   port=$(grep port $config_dir/postgresql.conf | grep -oE '[[:digit:]]+')
-  PGPASSWORD=$(cat $config_dir/pwfile) hab pkg exec core/postgresql17-client psql -U hab -h 127.0.0.1 -p "$port" "$@"
+  set_postgres_ident
+  PGPASSWORD=$(cat $config_dir/pwfile) hab pkg exec "$PSQL_POSTGRES_IDENT" psql -U hab -h 127.0.0.1 -p "$port" "$@"
 }
 
 export -f psql

Makefile

@@ -57,9 +57,9 @@ clean-lib: $(addprefix clean-,$(LIB)) ## cleans the library components' project
 clean-srv: $(addprefix clean-,$(SRV)) ## cleans the service components' project trees
 .PHONY: clean-srv
 
-fmt: 
+fmt:
 	bash ./support/ci/rustfmt.sh
-.PHONY: fmt 
+.PHONY: fmt
 
 help:
 	@perl -nle'print $& if m{^[a-zA-Z_-]+:.*?## .*$$}' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
@@ -82,7 +82,7 @@ $(foreach component,$(ALL),$(eval $(call UNIT,$(component))))
 
 TOOLCHAIN := $(shell tail -n 1  rust-toolchain | cut -d'"' -f 2)
 lint:
-	$(run) test/run_clippy.sh $(TOOLCHAIN) test/unexamined_lints.txt \
+	test/run_clippy.sh $(TOOLCHAIN) test/unexamined_lints.txt \
 	                                 test/allowed_lints.txt \
 	                                 test/lints_to_fix.txt \
 	                                 test/denied_lints.txt

build.sh

@@ -2,31 +2,9 @@
 
 set -eou pipefail
 
-source ./support/ci/shared.sh
-
-toolchain=$(get_toolchain)
-
 component=${1?component argument required}
 
-# Accept hab license
-sudo hab pkg install core/rust/"$toolchain" --channel LTS-2024
-sudo hab pkg install core/libarchive --channel LTS-2024
-sudo hab pkg install core/openssl --channel LTS-2024
-sudo hab pkg install core/zeromq --channel LTS-2024
-sudo hab pkg install core/pkg-config --channel LTS-2024
-sudo hab pkg install core/protobuf --channel LTS-2024
-sudo hab pkg install core/postgresql15 --channel LTS-2024
-sudo hab pkg install core/cmake --channel LTS-2024
-# It is important NOT to use a vendored openssl from openssl-sys
-# pg-sys does not use openssl-sys. So for components that use
-# diesel's postgres feature, you wil end up with 2 versions of openssl
-# which can lead to segmentation faults when connecting to postgres
-export OPENSSL_NO_VENDOR=1
-export LD_RUN_PATH
-LD_RUN_PATH="$(hab pkg path core/glibc)/lib:$(hab pkg path core/gcc-libs)/lib:$(hab pkg path core/openssl)/lib:$(hab pkg path core/postgresql15)/lib:$(hab pkg path core/zeromq)/lib:$(hab pkg path core/libarchive)/lib"
-export PKG_CONFIG_PATH
-PKG_CONFIG_PATH="$(hab pkg path core/zeromq)/lib/pkgconfig:$(hab pkg path core/libarchive)/lib/pkgconfig:$(hab pkg path core/postgresql15)/lib/pkgconfig:$(hab pkg path core/openssl)/lib/pkgconfig"
-eval "$(hab pkg env core/rust/"$toolchain"):$(hab pkg path core/protobuf)/bin:$(hab pkg path core/pkg-config)/bin:$(hab pkg path core/postgresql15)/bin:$(hab pkg path core/cmake)/bin:$PATH"
+source support/ci/shared_build_environment.sh
 
 cd "components/$component"
 cargo build

components/builder-api/habitat/default.toml

@@ -48,6 +48,5 @@ password = ""
 database = "builder"
 connection_retry_ms = 300
 connection_timeout_sec = 3600
-db_workers = 4
 host = "127.0.0.1"
 port = 5432

components/builder-api/habitat/hooks/init

@@ -1,16 +1,20 @@
 #!/bin/bash
+# shellcheck disable=SC1083
 
 set -euo pipefail
 
-PGHOST="{{cfg.datastore.host}}"
-PGPORT="{{cfg.datastore.port}}"
-PGUSER="{{cfg.datastore.user}}"
-PGPASSWORD="{{cfg.datastore.password}}"
-PGDATABASE="{{cfg.datastore.database}}"
+PGHOST={{cfg.datastore.host}}
+PGPORT={{cfg.datastore.port}}
+PGUSER={{cfg.datastore.user}}
+PGPASSWORD={{cfg.datastore.password}}
+PGDATABASE={{cfg.datastore.database}}
 export PGHOST PGPORT PGUSER PGPASSWORD PGDATABASE
 
-# Check that the DB is exists and is reachable or create it
-# NOTE: Builder's .studiorc has a psql function necessitating the use of command
-if ! command psql --no-password --command=";"; then
-  createdb
+# confirm that the builder db is accessible
+if command psql --no-password -c ";"; then
+  echo The builder-datastore is available to the builder-api
+  exit 0
+else
+  echo The builder-datastore is UNAVAILABLE to the builder-api
+  exit 3
 fi