ldraney/pal-e-api
Archived
1
0
Fork 0
Code Issues 15 Pull requests 1 Projects Releases Packages Wiki Activity Actions

Fix pgvector extension ownership — remove CREATE EXTENSION from migration #126

New issue
Closed
opened 2026-03-09 03:40:48 +00:00 by forgejo_admin · 0 comments
forgejo_admin commented 2026-03-09 03:40:48 +00:00
Contributor
Copy link

Lineage

plan-2026-02-26-tf-modularize-postgres → Phase 6 → Phase 6b-1 (extension ownership fix)

Repo

forgejo_admin/pal-e-docs (migration fix)
forgejo_admin/deployments (CNPG CRD — extension provisioning)

User Story

As a platform operator
I want pgvector extension creation to follow the platform-provides/app-consumes pattern
So that Alembic migrations don't need superuser privileges and fresh deployments work without manual intervention

Context

PR #122 added a pgvector schema migration that includes CREATE EXTENSION IF NOT EXISTS vector. This fails at deploy time because the Alembic migration runs as the paledocs app user, which is NOT a superuser. CREATE EXTENSION requires superuser privileges in PostgreSQL.

We fixed this manually by running CREATE EXTENSION as the postgres superuser via kubectl exec. But this is a band-aid — the migration will fail again on any fresh cluster bootstrap.

The enterprise fix follows the same pattern as CNPG itself: platform provides the extension, app assumes it exists.

File Targets

pal-e-docs (migration fix):

  • alembic/versions/l2g3h4i5j6k7_add_vector_embeddings.py — remove CREATE EXTENSION IF NOT EXISTS vector from upgrade(). Replace with a check that the extension exists (raise informative error if not). Remove DROP EXTENSION from downgrade().

deployments (CNPG CRD — extension provisioning):

  • Find the CNPG Cluster CRD YAML and add pgvector to bootstrap.initdb.postInitApplicationSQL or equivalent, so the extension is created automatically on cluster bootstrap as superuser. Example: 
    bootstrap:
  initdb:
    postInitSQL:
      - CREATE EXTENSION IF NOT EXISTS vector

Acceptance Criteria

  • Migration no longer runs CREATE EXTENSION — it checks and fails with a clear error if the extension is missing
  • Migration downgrade no longer runs DROP EXTENSION
  • CNPG Cluster CRD provisions the pgvector extension on bootstrap
  • Existing tests still pass
  • App deploys cleanly (current cluster already has extension installed)

Test Expectations

  • pytest tests/ -v passes
  • Migration upgrade is idempotent (safe to re-run)

Constraints

  • Do NOT change the migration revision ID or chain — only modify the upgrade/downgrade functions
  • The extension is already installed on the running cluster — this is a future-proofing fix
  • Follow the pattern: platform provides capability (extension), app consumes it (columns, indexes, triggers)

Checklist

  • PR opened (pal-e-docs)
  • PR opened (deployments) — if CRD change needed
  • Tests pass
  • No unrelated changes

Related

  • phase-postgres-6-vector-search — parent phase
  • Issue #121 / PR #122 — original migration that introduced the problem
  • plan-2026-02-26-tf-modularize-postgres Architecture Revision — "platform provides capability, apps consume it"
### Lineage `plan-2026-02-26-tf-modularize-postgres` → Phase 6 → Phase 6b-1 (extension ownership fix) ### Repo `forgejo_admin/pal-e-docs` (migration fix) `forgejo_admin/deployments` (CNPG CRD — extension provisioning) ### User Story As a platform operator I want pgvector extension creation to follow the platform-provides/app-consumes pattern So that Alembic migrations don't need superuser privileges and fresh deployments work without manual intervention ### Context PR #122 added a pgvector schema migration that includes `CREATE EXTENSION IF NOT EXISTS vector`. This fails at deploy time because the Alembic migration runs as the `paledocs` app user, which is NOT a superuser. `CREATE EXTENSION` requires superuser privileges in PostgreSQL. We fixed this manually by running `CREATE EXTENSION` as the `postgres` superuser via `kubectl exec`. But this is a band-aid — the migration will fail again on any fresh cluster bootstrap. The enterprise fix follows the same pattern as CNPG itself: **platform provides the extension, app assumes it exists.** ### File Targets **pal-e-docs (migration fix):** - `alembic/versions/l2g3h4i5j6k7_add_vector_embeddings.py` — remove `CREATE EXTENSION IF NOT EXISTS vector` from `upgrade()`. Replace with a check that the extension exists (raise informative error if not). Remove `DROP EXTENSION` from `downgrade()`. **deployments (CNPG CRD — extension provisioning):** - Find the CNPG Cluster CRD YAML and add pgvector to `bootstrap.initdb.postInitApplicationSQL` or equivalent, so the extension is created automatically on cluster bootstrap as superuser. Example: ```yaml bootstrap: initdb: postInitSQL: - CREATE EXTENSION IF NOT EXISTS vector ``` ### Acceptance Criteria - [ ] Migration no longer runs `CREATE EXTENSION` — it checks and fails with a clear error if the extension is missing - [ ] Migration downgrade no longer runs `DROP EXTENSION` - [ ] CNPG Cluster CRD provisions the pgvector extension on bootstrap - [ ] Existing tests still pass - [ ] App deploys cleanly (current cluster already has extension installed) ### Test Expectations - [ ] `pytest tests/ -v` passes - [ ] Migration upgrade is idempotent (safe to re-run) ### Constraints - Do NOT change the migration revision ID or chain — only modify the upgrade/downgrade functions - The extension is already installed on the running cluster — this is a future-proofing fix - Follow the pattern: platform provides capability (extension), app consumes it (columns, indexes, triggers) ### Checklist - [ ] PR opened (pal-e-docs) - [ ] PR opened (deployments) — if CRD change needed - [ ] Tests pass - [ ] No unrelated changes ### Related - `phase-postgres-6-vector-search` — parent phase - Issue #121 / PR #122 — original migration that introduced the problem - `plan-2026-02-26-tf-modularize-postgres` Architecture Revision — "platform provides capability, apps consume it"
Commenting is not possible because the repository is archived.
No Branch/Tag specified
Branches Tags
main
265-fix-add-partial-index-declarations-to-mo
256-cors-middleware
158-incident-fix-migration-crash-drop-hnsw-i
128-add-jinja2-template-rendering-endpoint-p
132-fix-template-endpoint-qa-nits-is-public
123-clean-up-test-seed-block-objects-with-nu
124-harden-anchor-id-column-to-not-null
119-generate-anchor-ids-for-all-block-types
111-7e-1a-qa-nits-cleanup-redundant-assignme
11-fix-repos-formatting
5-browse-frontend
1-scaffold-project
No results found.
Labels
Clear labels   
domain:backend

   
domain:devops

   
domain:frontend

   
status:approved

QA passed, awaiting merge approval

  
status:in-progress

Dev agent is actively working

  
status:needs-fix

QA found issues, back to dev

  
status:qa

PR submitted, awaiting QA review

  
type:bug

Bug fix

  
type:devops

Infrastructure/CI/config work

  
type:feature

New functionality

No labels
domain:backend
domain:devops
domain:frontend
status:approved
status:in-progress
status:needs-fix
status:qa
type:bug
type:devops
type:feature
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
ldraney/pal-e-api#126
No description provided.