Database migrations fail on new installations with Postgres >= 15
Current behavior
According to the requirements, Postgres version 16.x is supported with GitLab 17.8.1. However, installing container-registry on a fresh installation with Postgres >= 15 fails with the following error:
time="2025-02-03T18:30:19Z" level=error msg=Query args="[]" database=registry duration_ms=0 err="ERROR: relation \"public.blobs\" does not exist (SQLSTATE 42P01)" pid=2381 sql="CREATE TABLE IF NOT EXISTS partitions.blobs_p_0 PARTITION OF public.blobs FOR VALUES WITH (MODULUS 64, REMAINDER 0)
failed to run database migrations: applying migration 20210503162912_create_blobs_table_partitions: ERROR: relation "public.blobs" does not exist (SQLSTATE 42P01) handling 20210503162912_create_blobs_table_partitions
Expected behavior
Database migrations work for existing and new installations for the Postgres versions specified in the requirements.
Why does this issue happen?
With Postgres 15 (see release notes) the PUBLIC create permission on the public schema is removed by default:
The new default is one of the secure schema usage patterns that Section 5.9.6 has recommended since the security release for CVE-2018-1058. The change applies to new database clusters and to newly-created databases in existing clusters
Some of the migration scripts (e.g. 20210503162912_create_blobs_table_partitions.go) hard-code the public schema. This makes it impossible to comply with all of the secure usage patterns as described in the Postgres documentation (and enabled by default with Postgres 15).
This is the reason why the schema shouldn't be hard-coded in any of the migration scripts.
Installation Details
I'm using the official Helm Chart for installing GitLab 17.8.1. Configuration of the registry:
Registry Helm Chart configuration
registry:
  enabled: true
  migrations:
    enabled: true
  metrics:
    enabled: true
    serviceMonitor:
      enabled: true
  storage:
    secret: registry-storage
    key: config
  database:
    enabled: true
    sslmode: verify-full
    ssl:
      secret: gitlab-cluster-cert
      clientKey: tls.key
      clientCertificate: tls.crt
      serverCA: ca.crt
    configure: true
    name: registry
    user: registry
    password:
      secret: gitlab-pguser-registry
      key: password
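A check that could be run over migration SQL to catch the hard-coded public schema qualifier described under "Why does this issue happen?". This is an added example in Go, not code from the container registry project: the function names and the second sample migration are invented here, and only the first sample statement comes from the error log above.

```go
package main

import (
	"fmt"
	"regexp"
)

// Single-quoted literals and -- line comments; their text is never reported.
var literalOrComment = regexp.MustCompile(`'[^']*'|--[^\n]*`)
// public.<object> or "public"."<object>", but not e.g. republic.blobs.
var publicRef = regexp.MustCompile(`(?i)(?:^|[^a-z0-9_$"])(?:"public"|public)\s*\.\s*"?([a-z_][a-z0-9_$]*)`)

// HardcodedPublicRefs lists the objects a statement addresses through an
// explicit public schema qualifier instead of relying on search_path.
func HardcodedPublicRefs(sql string) []string {
	var refs []string
	cleaned := literalOrComment.ReplaceAllString(sql, " ")
	for _, m := range publicRef.FindAllStringSubmatch(cleaned, -1) {
		refs = append(refs, "public."+m[1])
	}
	return refs
}

// LintMigrations returns only the migrations that hard-code the public schema.
func LintMigrations(migrations map[string][]string) map[string][]string {
	findings := map[string][]string{}
	for id, stmts := range migrations {
		for _, s := range stmts {
			if refs := HardcodedPublicRefs(s); len(refs) > 0 {
				findings[id] = append(findings[id], refs...)
			}
		}
	}
	return findings
}

func main() {
	// Constructed input: first statement is from the error log, second migration is invented.
	migrations := map[string][]string{
		"20210503162912_create_blobs_table_partitions": {
			`CREATE TABLE IF NOT EXISTS partitions.blobs_p_0 PARTITION OF public.blobs FOR VALUES WITH (MODULUS 64, REMAINDER 0)`,
		},
		"constructed_example": {
			`COMMENT ON TABLE blobs IS 'copied from public.blobs' -- formerly public.blobs`,
		},
	}
	for id, refs := range LintMigrations(migrations) {
		fmt.Println(id, refs)
	}
}
```

Dollar-quoted strings and quoted identifiers containing spaces are not parsed, so a finding is a prompt to read the statement rather than a verdict.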