

Showing 32 changed files with 462 additions and 48 deletions.
28 changes: 11 additions & 17 deletions .github/workflows/clean_workflow.yml
@@ -117,25 +117,19 @@ jobs:
echo "${{ secrets.DEV_KUBE_CONFIG_NBC }}" > files/config_nbc
echo "${{ secrets.DEV_KUBE_CONFIG_THR }}" > files/config_thr
echo "${{ secrets.DEV_KUBE_CONFIG_DBC }}" > files/config_dbc
- name: delete custom resources and namespaces
- name: delete custom resources, databases and namespaces
run: |
branch_identifier='${{ needs.create_branch_identifier.outputs.id_branch }}'
kubectl --kubeconfig=files/config_brb --namespace $branch_identifier delete --ignore-not-found=true --all=true ScaledObject
kubectl --kubeconfig=files/config_brb --namespace $branch_identifier delete --ignore-not-found=true --all=true TriggerAuthentication
kubectl --kubeconfig=files/config_brb --namespace $branch_identifier delete --ignore-not-found=true --all=true OnePasswordItem
kubectl --kubeconfig=files/config_brb delete --ignore-not-found=true ns $branch_identifier
kubectl --kubeconfig=files/config_nbc --namespace $branch_identifier delete --ignore-not-found=true --all=true ScaledObject
kubectl --kubeconfig=files/config_nbc --namespace $branch_identifier delete --ignore-not-found=true --all=true TriggerAuthentication
kubectl --kubeconfig=files/config_nbc --namespace $branch_identifier delete --ignore-not-found=true --all=true OnePasswordItem
kubectl --kubeconfig=files/config_nbc delete --ignore-not-found=true ns $branch_identifier
kubectl --kubeconfig=files/config_thr --namespace $branch_identifier delete --ignore-not-found=true --all=true ScaledObject
kubectl --kubeconfig=files/config_thr --namespace $branch_identifier delete --ignore-not-found=true --all=true TriggerAuthentication
kubectl --kubeconfig=files/config_thr --namespace $branch_identifier delete --ignore-not-found=true --all=true OnePasswordItem
kubectl --kubeconfig=files/config_thr delete --ignore-not-found=true ns $branch_identifier
kubectl --kubeconfig=files/config_dbc --namespace $branch_identifier delete --ignore-not-found=true --all=true ScaledObject
kubectl --kubeconfig=files/config_dbc --namespace $branch_identifier delete --ignore-not-found=true --all=true TriggerAuthentication
kubectl --kubeconfig=files/config_dbc --namespace $branch_identifier delete --ignore-not-found=true --all=true OnePasswordItem
kubectl --kubeconfig=files/config_dbc delete --ignore-not-found=true ns $branch_identifier
for CLUSTER in brb nbc thr dbc
do
echo "Cleanup for $CLUSTER"
kubectl --kubeconfig=files/config_$CLUSTER --namespace $branch_identifier patch job/pg-deletion-job -p '{"spec":{"suspend":false}}' || echo "::warning::Couldn't clean up the postgres databases ($CLUSTER)"
kubectl --kubeconfig=files/config_$CLUSTER --namespace $branch_identifier delete --ignore-not-found=true --all=true ScaledObject
kubectl --kubeconfig=files/config_$CLUSTER --namespace $branch_identifier delete --ignore-not-found=true --all=true TriggerAuthentication
kubectl --kubeconfig=files/config_$CLUSTER --namespace $branch_identifier wait --for=delete pod/pg-deletion-job --timeout=180s || echo "::warning::Couldn't clean up the postgres databases ($CLUSTER)"
kubectl --kubeconfig=files/config_$CLUSTER --namespace $branch_identifier delete --ignore-not-found=true --all=true OnePasswordItem
kubectl --kubeconfig=files/config_$CLUSTER delete --ignore-not-found=true ns $branch_identifier
done
- name: remove kubeconfig
run: |
rm -rf files/config_.*
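Review bot: The new `wait --for=delete pod/pg-deletion-job` inside the loop almost certainly never observes the job's pod, because a Job's pods carry a generated name suffix rather than the Job name, so the namespace delete runs right after the patch and the deletion job can be killed before it has dropped the branch databases, leaving them on the shared cluster without any warning. Waiting on the Job itself is more reliable, `kubectl --kubeconfig=files/config_$CLUSTER --namespace $branch_identifier wait --for=condition=complete job/pg-deletion-job --timeout=180s || echo "::warning::Couldn't clean up the postgres databases ($CLUSTER)"`, but with the job template's `ttlSecondsAfterFinished: 0` the Job object may vanish before the wait sees it, so that TTL should be raised at the same time. A job that fails rather than gets killed is also invisible here, since the wait only covers disappearance. Unrelated to this commit but in the same hunk, `rm -rf files/config_.*` does not match the `files/config_brb`-style names written above, so the kubeconfigs appear to be left on the runner; `rm -rf files/config_*` is presumably what was intended.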
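--- a/ansible/group_vars/all/postgres.yml
+++ b/ansible/group_vars/all/postgres.yml
@@ -0,0 +1,3 @@
+POSTGRES_MANAGEMENT_PREFIX: ""
+POSTGRES_MANAGEMENT_PORT: 5432
+POSTGRES_MANAGEMENT_JOB_IMAGE: "quay.io/schulcloudverbund/infra-tools:4.1"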
4 changes: 3 additions & 1 deletion ansible/group_vars/all/with.yml
@@ -2,7 +2,9 @@ WITH_STORAGE: false
WITH_ERWINIDM: true
WITH_LDAP: false
WITH_TSP: false
WITH_DATABASES: false
WITH_MONGO_DATABASES: false
WITH_POSTGRES_DATABASES: false
WITH_BRANCH_POSTGRES_DB_MANAGEMENT: false
WITH_SCHULCLOUD_INIT: false
WITH_CALENDAR_INIT: false
WITH_OIDCMOCK: false
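--- a/ansible/group_vars/develop/postgres.yml
+++ b/ansible/group_vars/develop/postgres.yml
@@ -0,0 +1 @@
+POSTGRES_MANAGEMENT_PREFIX: "{{ (NAMESPACE | replace('-','_'))[:40] }}__"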
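Review bot: Truncating the namespace to 40 characters before appending `__` means two branch namespaces that agree on their first 40 characters (after `-`→`_`) get the same `POSTGRES_MANAGEMENT_PREFIX`, and the deletion script's `LIKE 'prefix%'` would then drop the other branch's databases and users as well. If namespaces that long can occur, a collision-resistant prefix — for example the truncated name plus a short hash of the full namespace — avoids this; if they cannot, a comment stating the actual namespace length limit and why `[:40]` therefore never cuts would stop the next reader worrying. It is also worth documenting that the prefix must stay longer than five characters, since the deletion script refuses to run otherwise.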
3 changes: 2 additions & 1 deletion ansible/group_vars/develop/with.yml
@@ -1,4 +1,5 @@
WITH_DATABASES: true
WITH_MONGO_DATABASES: true
WITH_BRANCH_POSTGRES_DB_MANAGEMENT: true
WITH_SCHULCLOUD_INIT: true
WITH_CALENDAR_INIT: true
WITH_ERWINIDM: true
2 changes: 1 addition & 1 deletion ansible/group_vars/infra/with.yml
@@ -1,4 +1,4 @@
WITH_DATABASES: true
WITH_MONGO_DATABASES: true
WITH_SCHULCLOUD_INIT: true
WITH_CALENDAR_INIT: true
WITH_STORAGE: true
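Review bot: Replacing `WITH_DATABASES: true` with only `WITH_MONGO_DATABASES: true` leaves `WITH_POSTGRES_DATABASES` at its new default of `false` for the infra group, so the renamed `dof_postgresql` tasks take their `state: absent` branch — including `remove Persistent Volumes Claim` — on the next deploy. If infra currently runs the in-cluster postgres, that is an unintended data-loss path; if dropping it is intended, a comment in this file saying so would make the diff self-explanatory. The loadtest group keeps both flags, which suggests the asymmetry deserves a second look. Any inventory group outside this commit that still sets `WITH_DATABASES` silently loses both databases for the same reason.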
3 changes: 2 additions & 1 deletion ansible/group_vars/loadtest/with.yml
@@ -1,4 +1,5 @@
WITH_DATABASES: true
WITH_MONGO_DATABASES: true
WITH_POSTGRES_DATABASES: true
WITH_SCHULCLOUD_INIT: true
WITH_CALENDAR_INIT: true
WITH_STORAGE: true
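--- a/ansible/host_vars/brb_host/postgres.yml
+++ b/ansible/host_vars/brb_host/postgres.yml
@@ -0,0 +1 @@
+POSTGRES_MANAGEMENT_HOST: "pg-4ifot8r4h0ksummi.postgresql.de-txl.ionos.com"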
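--- a/ansible/host_vars/dbc_host/postgres.yml
+++ b/ansible/host_vars/dbc_host/postgres.yml
@@ -0,0 +1 @@
+POSTGRES_MANAGEMENT_HOST: "pg-0em2c6d51cp7s177.postgresql.de-txl.ionos.com"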
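--- a/ansible/host_vars/nbc_host/postgres.yml
+++ b/ansible/host_vars/nbc_host/postgres.yml
@@ -0,0 +1 @@
+POSTGRES_MANAGEMENT_HOST: "pg-d2n03p780atcj0fk.postgresql.de-txl.ionos.com"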
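--- a/ansible/host_vars/thr_host/postgres.yml
+++ b/ansible/host_vars/thr_host/postgres.yml
@@ -0,0 +1 @@
+POSTGRES_MANAGEMENT_HOST: "pg-15bkj89e4fo00bve.postgresql.de-txl.ionos.com"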
1 change: 1 addition & 0 deletions ansible/playbook.yml
@@ -10,6 +10,7 @@
- namespace-activator-scaled-objects
- dof_mongo
- dof_postgresql
- dof_postgresql_management
- dof_rabbitmq
- dof_redis
- dof_mailcatcher
20 changes: 10 additions & 10 deletions ansible/roles/dof_mongo/tasks/main.yml
@@ -3,7 +3,7 @@
kubeconfig: ~/.kube/config
namespace: "{{ NAMESPACE }}"
template: svc.yml.j2
when: WITH_DATABASES
when: WITH_MONGO_DATABASES

- name: remove Service
kubernetes.core.k8s:
@@ -13,14 +13,14 @@
api_version: v1
kind: Service
name: mongo-svc
when: not WITH_DATABASES
when: not WITH_MONGO_DATABASES

- name: Add or Update ServiceMonitor
kubernetes.core.k8s:
kubeconfig: ~/.kube/config
namespace: "{{ NAMESPACE }}"
template: svc-monitor.yml.j2
when: WITH_DATABASES
when: WITH_MONGO_DATABASES

- name: remove ServiceMonitor
kubernetes.core.k8s:
@@ -30,14 +30,14 @@
api_version: monitoring.coreos.com/v1
kind: ServiceMonitor
name: mongo-svc-monitor
when: not WITH_DATABASES
when: not WITH_MONGO_DATABASES

- name: Add or Update Secret by 1Password
kubernetes.core.k8s:
kubeconfig: ~/.kube/config
namespace: "{{ NAMESPACE }}"
template: onepassword.yml.j2
when: WITH_DATABASES and ONEPASSWORD_OPERATOR is defined and ONEPASSWORD_OPERATOR|bool
when: WITH_MONGO_DATABASES and ONEPASSWORD_OPERATOR is defined and ONEPASSWORD_OPERATOR|bool

- name: remove Secret by 1Password
kubernetes.core.k8s:
@@ -47,14 +47,14 @@
api_version: onepassword.com/v1
kind: OnePasswordItem
name: mongo-secret
when: not WITH_DATABASES and ONEPASSWORD_OPERATOR is defined and ONEPASSWORD_OPERATOR|bool
when: not WITH_MONGO_DATABASES and ONEPASSWORD_OPERATOR is defined and ONEPASSWORD_OPERATOR|bool

- name: Add or Update Persistent Volumes Claim
kubernetes.core.k8s:
kubeconfig: ~/.kube/config
namespace: "{{ NAMESPACE }}"
template: pvc.yml.j2
when: WITH_DATABASES
when: WITH_MONGO_DATABASES

- name: remove Persistent Volumes Claim
kubernetes.core.k8s:
@@ -64,15 +64,15 @@
api_version: v1
kind: PersistentVolumeClaim
name: mongo-pvc
when: not WITH_DATABASES
when: not WITH_MONGO_DATABASES

- name: Add or Update Deployment
kubernetes.core.k8s:
kubeconfig: ~/.kube/config
namespace: "{{ NAMESPACE }}"
template: deployment.yml.j2
apply: yes
when: WITH_DATABASES
when: WITH_MONGO_DATABASES

- name: remove Deployment
kubernetes.core.k8s:
@@ -82,4 +82,4 @@
api_version: apps/v1
kind: Deployment
name: mongo-deployment
when: not WITH_DATABASES
when: not WITH_MONGO_DATABASES
24 changes: 12 additions & 12 deletions ansible/roles/dof_postgresql/tasks/main.yml
@@ -3,7 +3,7 @@
kubeconfig: ~/.kube/config
namespace: "{{ NAMESPACE }}"
template: svc.yml.j2
when: WITH_DATABASES
when: WITH_POSTGRES_DATABASES

- name: remove Service
kubernetes.core.k8s:
@@ -13,14 +13,14 @@
kind: Service
name: postgres-svc
state: absent
when: not WITH_DATABASES
when: not WITH_POSTGRES_DATABASES

- name: Add or Update Persistent Volumes Claim
kubernetes.core.k8s:
kubeconfig: ~/.kube/config
namespace: "{{ NAMESPACE }}"
template: pvc.yml.j2
when: WITH_DATABASES
when: WITH_POSTGRES_DATABASES

- name: remove Persistent Volumes Claim
kubernetes.core.k8s:
@@ -30,15 +30,15 @@
kind: PersistentVolumeClaim
name: postgres-pvc
state: absent
when: not WITH_DATABASES
when: not WITH_POSTGRES_DATABASES

- name: Add or Update Configmap
kubernetes.core.k8s:
kubeconfig: ~/.kube/config
namespace: "{{ NAMESPACE }}"
template: configmap.yml.j2
apply: yes
when: WITH_DATABASES and (ONEPASSWORD_OPERATOR is undefined or ( ONEPASSWORD_OPERATOR is defined and not ONEPASSWORD_OPERATOR) )
when: WITH_POSTGRES_DATABASES and (ONEPASSWORD_OPERATOR is undefined or ( ONEPASSWORD_OPERATOR is defined and not ONEPASSWORD_OPERATOR) )

- name: remove Configmap
kubernetes.core.k8s:
@@ -48,15 +48,15 @@
kind: ConfigMap
name: postgres-configmap
state: absent
when: not WITH_DATABASES and (ONEPASSWORD_OPERATOR is undefined or ( ONEPASSWORD_OPERATOR is defined and not ONEPASSWORD_OPERATOR) )
when: not WITH_POSTGRES_DATABASES and (ONEPASSWORD_OPERATOR is undefined or ( ONEPASSWORD_OPERATOR is defined and not ONEPASSWORD_OPERATOR) )

- name: Add or Update init scripts Configmap
kubernetes.core.k8s:
kubeconfig: ~/.kube/config
namespace: "{{ NAMESPACE }}"
template: configmap-init.yml.j2
apply: yes
when: WITH_DATABASES
when: WITH_POSTGRES_DATABASES

- name: remove init scripts Configmap
kubernetes.core.k8s:
@@ -66,14 +66,14 @@
kind: ConfigMap
name: postgres-configmap-init
state: absent
when: not WITH_DATABASES
when: not WITH_POSTGRES_DATABASES

- name: Add or Update Secret by 1Password
kubernetes.core.k8s:
kubeconfig: ~/.kube/config
namespace: "{{ NAMESPACE }}"
template: onepassword.yml.j2
when: WITH_DATABASES and (ONEPASSWORD_OPERATOR is defined and ONEPASSWORD_OPERATOR|bool)
when: WITH_POSTGRES_DATABASES and (ONEPASSWORD_OPERATOR is defined and ONEPASSWORD_OPERATOR|bool)

- name: remove Secret by 1Password
kubernetes.core.k8s:
@@ -83,15 +83,15 @@
kind: OnePasswordItem
name: postgres-secret
state: absent
when: not WITH_DATABASES and (ONEPASSWORD_OPERATOR is defined and ONEPASSWORD_OPERATOR|bool)
when: not WITH_POSTGRES_DATABASES and (ONEPASSWORD_OPERATOR is defined and ONEPASSWORD_OPERATOR|bool)

- name: Add or Update Deployment
kubernetes.core.k8s:
kubeconfig: ~/.kube/config
namespace: "{{ NAMESPACE }}"
template: deployment.yml.j2
apply: yes
when: WITH_DATABASES
when: WITH_POSTGRES_DATABASES

- name: remove Deployment
kubernetes.core.k8s:
@@ -101,4 +101,4 @@
kind: Deployment
name: postgres-deployment
state: absent
when: not WITH_DATABASES
when: not WITH_POSTGRES_DATABASES
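--- a/ansible/roles/dof_postgresql_management/meta/main.yml
+++ b/ansible/roles/dof_postgresql_management/meta/main.yml
@@ -0,0 +1,9 @@
+galaxy_info:
+  role_name: dof_postgresql_management
+  author: Schul-Cloud Verbund
+  description: Helper role for creating postgres clsuter secret and deleting branch specific postgres databases
+  company: Schul-Cloud Verbund
+  license: license (AGPLv3)
+  min_ansible_version: 2.8
+  galaxy_tags: []
+dependencies: []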
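Review bot: `description` has a typo, `clsuter` → `cluster`. `min_ansible_version: 2.8` is a bare float; Galaxy metadata conventionally quotes it (`min_ansible_version: "2.8"`) so that a future `2.10` is not read as `2.1`.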
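--- a/ansible/roles/dof_postgresql_management/tasks/main.yml
+++ b/ansible/roles/dof_postgresql_management/tasks/main.yml
@@ -0,0 +1,22 @@
+- name: Add or Update Postgres Cluster Secret by 1Password
+  kubernetes.core.k8s:
+    kubeconfig: ~/.kube/config
+    namespace: "{{ NAMESPACE }}"
+    template: onepassword-pg-cluster.yml.j2
+  when: WITH_BRANCH_POSTGRES_DB_MANAGEMENT and ONEPASSWORD_OPERATOR is defined and ONEPASSWORD_OPERATOR|bool
+
+- name: Create ConfigMap with Script for database deletion
+  kubernetes.core.k8s:
+    kubeconfig: ~/.kube/config
+    namespace: "{{ NAMESPACE }}"
+    template: configmap-database-deletion.yml.j2
+    apply: yes
+  when: WITH_BRANCH_POSTGRES_DB_MANAGEMENT
+
+- name: Create suspended Job for database deletion
+  kubernetes.core.k8s:
+    kubeconfig: ~/.kube/config
+    namespace: "{{ NAMESPACE }}"
+    template: job-database-deletion.yml.j2
+    apply: yes
+  when: WITH_BRANCH_POSTGRES_DB_MANAGEMENT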
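Review bot: The job rendered by the third task reads `pg-cluster-secret` via `secretKeyRef`, but that secret is only created by the first task when `ONEPASSWORD_OPERATOR` is defined and true, so with the operator disabled the suspended job is created but can never start and the CI cleanup only ever sees a timeout. Either gate all three tasks on the same condition or add an `ansible.builtin.assert` that `ONEPASSWORD_OPERATOR|default(false)|bool` holds whenever `WITH_BRANCH_POSTGRES_DB_MANAGEMENT` is set. Unlike `dof_mongo` and `dof_postgresql`, this role has no `state: absent` counterparts, so turning the flag off later leaves the cluster-credential secret and the deletion job in the namespace.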
@@ -0,0 +1,19 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: pg-configmap-deletion
namespace: {{ NAMESPACE }}
labels:
app: postgres-management
data:
config_script.sh: |
#!/bin/bash
DB_PREFIX="{{ POSTGRES_MANAGEMENT_PREFIX }}"
if [[ {{ '${#DB_PREFIX}' }} -le 5 ]]; then
echo "Postgres prefix \"{{ POSTGRES_MANAGEMENT_PREFIX }}\" seems too short. Dropping all matching databases could be dangerous. Aborting."
exit 1
fi
echo "Delete databases starting with {{ POSTGRES_MANAGEMENT_PREFIX }}"
echo "SELECT 'DROP DATABASE ' || quote_ident(datname) || ' WITH (FORCE);' FROM pg_database WHERE datname LIKE '{{ POSTGRES_MANAGEMENT_PREFIX | replace('_','#_')}}%' ESCAPE '#' \gexec" | psql -d postgres -w
echo "Delete users starting with {{ POSTGRES_MANAGEMENT_PREFIX }}"
echo "SELECT 'DROP USER ' || quote_ident(usename) || ';' FROM pg_catalog.pg_user WHERE usename LIKE '{{ POSTGRES_MANAGEMENT_PREFIX | replace('_','#_')}}%' ESCAPE '#' \gexec" | psql -d postgres -w
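Review bot: The deletion script has no `set -euo pipefail` and runs `psql` without `-v ON_ERROR_STOP=1`, so a rejected `DROP DATABASE` (for example when the management role lacks the privilege to force-drop a database, or on a server that does not support `WITH (FORCE)`) is printed and ignored, the job still completes successfully and the workflow believes the branch databases are gone. `set -euo pipefail` after the shebang and `psql -d postgres -w -v ON_ERROR_STOP=1` on both invocations make the job fail visibly instead. The length guard on `DB_PREFIX` is the only thing standing between an empty prefix and dropping every database on the shared cluster; a comment saying exactly that, `# an empty/short prefix would match every database on the shared cluster — refuse`, belongs above the `if`. The `LIKE` pattern only escapes `_`, which is fine while the prefix is derived from a namespace name (no `%` or `#` possible), and a comment should say so.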
@@ -0,0 +1,59 @@
apiVersion: batch/v1
kind: Job
metadata:
name: pg-deletion-job
namespace: {{ NAMESPACE }}
labels:
app: postgres-management
app.kubernetes.io/part-of: schulcloud-verbund
app.kubernetes.io/name: postgres-management
app.kubernetes.io/component: database
app.kubernetes.io/managed-by: ansible
git.branch: {{ DOF_APP_DEPLOY_BRANCH_NAME }}
git.repo: {{ DOF_APP_DEPLOY_REPO_NAME }}
spec:
template:
metadata:
labels:
app: postgres
spec:
volumes:
- name: config-script
configMap:
name: pg-configmap-deletion
# 711 in decimal is 457
defaultMode: 457
containers:
- name: psql-config
image: {{ POSTGRES_MANAGEMENT_JOB_IMAGE }}
command:
- /bin/bash
- -c
args:
- /scripts/config_script.sh
resources:
limits:
cpu: 1000m
memory: 1Gi
requests:
cpu: 100m
memory: 200Mi
volumeMounts:
- name: config-script
mountPath: /scripts/
env:
- name: PGHOST
value: {{ POSTGRES_MANAGEMENT_HOST }}
- name: PGUSER
valueFrom:
secretKeyRef:
name: pg-cluster-secret
key: username
- name: PGPASSWORD
valueFrom:
secretKeyRef:
name: pg-cluster-secret
key: password
restartPolicy: Never
suspend: true
ttlSecondsAfterFinished: 0
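Review bot: The pod template carries `app: postgres` while the Job itself is labelled `app: postgres-management`; if anything in the namespace selects on `app: postgres` (the in-cluster postgres Service, a NetworkPolicy, a ServiceMonitor), the deletion pod would be picked up by it, so the pod label should match the Job's, `app: postgres-management`. `ttlSecondsAfterFinished: 0` removes the Job and its logs the instant it finishes, which makes a CI-side wait on the Job racy and leaves nothing to inspect when the drop fails; a TTL of a few minutes costs nothing since the namespace is deleted right afterwards. The spec also has no `backoffLimit` or `activeDeadlineSeconds`, so a job that cannot reach the cluster (wrong host, missing secret) retries with the default back-off well past the workflow's 180 s timeout.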
@@ -0,0 +1,9 @@
apiVersion: onepassword.com/v1
kind: OnePasswordItem
metadata:
name: pg-cluster-secret
namespace: {{ NAMESPACE }}
labels:
app: postgres-management
spec:
itemPath: "vaults/{{ ONEPASSWORD_OPERATOR_VAULT }}/items/pg-cluster-schulcloud"
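Review bot: This copies the `pg-cluster-schulcloud` credential into every branch namespace, so anyone who can read Secrets in a branch namespace, or exec into the init or deletion pods, holds whatever privileges that role has on the shared cluster — for every other branch's data. If the role is a superuser or owns all databases, a dedicated management role limited to `CREATEDB` and `CREATEROLE` would bound the blast radius (the init scripts already `GRANT $DB_USER TO $PGUSER`, so such a role can own and drop what it created). Either way the template should document which role the item holds and why it needs those rights, e.g. `# management role for the shared postgres cluster: needs CREATEDB/CREATEROLE, must not be a superuser`.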
31 changes: 31 additions & 0 deletions ansible/roles/erwin-idm/tasks/main.yml
@@ -1,3 +1,34 @@
- name: Check if secret with database credentials already exists
kubernetes.core.k8s_info:
kubeconfig: ~/.kube/config
namespace: "{{ NAMESPACE }}"
kind: Secret
name: "pg-erwinidm-secret"
register: db_secret_present
when: WITH_ERWINIDM and WITH_BRANCH_POSTGRES_DB_MANAGEMENT

- name: Create Secret for the database (if not existing)
kubernetes.core.k8s:
kubeconfig: ~/.kube/config
namespace: "{{ NAMESPACE }}"
template: secret-database.yml.j2
when: WITH_ERWINIDM and WITH_BRANCH_POSTGRES_DB_MANAGEMENT and db_secret_present.resources|length == 0

- name: Create ConfigMap with database configuration script
kubernetes.core.k8s:
kubeconfig: ~/.kube/config
namespace: "{{ NAMESPACE }}"
template: configmap-database-init.yml.j2
apply: yes
when: WITH_ERWINIDM and WITH_BRANCH_POSTGRES_DB_MANAGEMENT

- name: Create/execute database configuration script
kubernetes.core.k8s:
kubeconfig: ~/.kube/config
namespace: "{{ NAMESPACE }}"
template: job-database-init.yml.j2
when: WITH_ERWINIDM and WITH_BRANCH_POSTGRES_DB_MANAGEMENT

- name: Service
kubernetes.core.k8s:
kubeconfig: ~/.kube/config
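Review bot: The `Create/execute database configuration script` task creates a Job with a random name and returns immediately, so the erwinidm Deployment further down this file is applied before the database and role exist and the pods crash-loop until the job happens to finish; a failed job is never reported to the play at all. Adding `wait: true`, `wait_condition: {type: Complete, status: "True"}` and a `wait_timeout` to that task turns a broken init into a red play instead of a silently unhealthy deployment. The same applies to the identical block in `ansible/roles/hydra/tasks/main.yml`. The `k8s_info`-then-create pair is not atomic, which is acceptable since the secret is created once per namespace, but a comment on the second task saying that the password is generated once and then kept stable would help readers.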
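--- a/ansible/roles/erwin-idm/templates/configmap-database-init.yml.j2
+++ b/ansible/roles/erwin-idm/templates/configmap-database-init.yml.j2
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: pg-erwinidm-configmap-init
+  namespace: {{ NAMESPACE }}
+  labels:
+    app: postgres
+data:
+  config_script.sh: |
+    #!/bin/bash
+    echo "Create owner of the DB"
+    echo "SELECT 'CREATE USER $DB_USER' WHERE NOT EXISTS (SELECT FROM pg_user WHERE usename = '$DB_USER')\gexec" | psql -d postgres -w
+    echo "GRANT $DB_USER TO $PGUSER;" | psql -d postgres -w
+    echo "Set/update password for user $DB_USER"
+    echo "ALTER USER $DB_USER WITH ENCRYPTED PASSWORD '$DB_USER_PASSWORD';" | psql -d postgres -w
+    echo "Create database"
+    echo "SELECT 'CREATE DATABASE $DB_NAME OWNER $DB_USER' WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = '$DB_NAME')\gexec" | psql -d postgres -w
+    echo "Revoke permissions for public role"
+    echo "REVOKE ALL ON DATABASE $DB_NAME FROM PUBLIC;" | psql -d postgres -w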
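Review bot: Shell variables are spliced straight into SQL text here (`CREATE USER $DB_USER`, `PASSWORD '$DB_USER_PASSWORD'`, `datname = '$DB_NAME'`): the identifiers are unquoted, so a prefix derived from a namespace that starts with a digit (e.g. a constructed `123-feature` → `123_feature__erwinidm`) is a syntax error, and the password only survives because the generator's default character set happens to contain no quote. Passing the values as psql variables (`-v name=value`, then `:'name'` for literals and `:"name"` for identifiers) and running with `set -euo pipefail` plus `-v ON_ERROR_STOP=1` removes both problems and makes a failed step fail the job instead of being echoed and ignored. The same script is duplicated in `ansible/roles/hydra/templates/configmap-database-init.yml.j2`; both should change together. The label `app: postgres` on this ConfigMap also differs from the `erwinidm-postgres-init` used by the sibling Job and Secret.

```yaml
  config_script.sh: |
    #!/bin/bash
    set -euo pipefail
    # psql variables: :'x' renders a quoted literal, :"x" a quoted identifier, so a
    # prefix starting with a digit or a password containing quotes cannot break a statement.
    PSQL=(psql -d postgres -w -v ON_ERROR_STOP=1 -v db_user="$DB_USER" -v db_name="$DB_NAME" -v db_pass="$DB_USER_PASSWORD" -v pguser="$PGUSER")
    echo "Create owner of the DB, set password, create database, revoke public access"
    "${PSQL[@]}" <<'SQL'
    SELECT 'CREATE USER ' || quote_ident(:'db_user') WHERE NOT EXISTS (SELECT FROM pg_user WHERE usename = :'db_user')\gexec
    GRANT :"db_user" TO :"pguser";
    ALTER USER :"db_user" WITH ENCRYPTED PASSWORD :'db_pass';
    SELECT 'CREATE DATABASE ' || quote_ident(:'db_name') || ' OWNER ' || quote_ident(:'db_user') WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = :'db_name')\gexec
    REVOKE ALL ON DATABASE :"db_name" FROM PUBLIC;
    SQL
```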
5 changes: 4 additions & 1 deletion ansible/roles/erwin-idm/templates/configmap.yml.j2
@@ -12,4 +12,7 @@ data:
KC_HTTP_PORT: "{{ ERWINIDM_PORT }}"
KC_PROXY: "edge"
JAVA_OPTS: "-Djgroups.dns.query=erwinidm-svc.{{ NAMESPACE }}.svc.cluster.local -XX:MaxRAMPercentage=90.0 -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Dfile.encoding=UTF-8 -Dsun.stdout.encoding=UTF-8 -Dsun.err.encoding=UTF-8 -Dstdout.encoding=UTF-8 -Dstderr.encoding=UTF-8 -XX:+ExitOnOutOfMemoryError -Djava.security.egd=file:/dev/urandom -XX:+UseParallelGC -XX:MinHeapFreeRatio=10 -XX:MaxHeapFreeRatio=20 -XX:GCTimeRatio=4 -XX:AdaptiveSizePolicyWeight=90"
KC_DB_POOL_MAX_SIZE: "100"
KC_DB_POOL_MAX_SIZE: "100"
{% if WITH_BRANCH_POSTGRES_DB_MANAGEMENT|bool %}
DB_BASE_URL: "jdbc:postgresql://{{ POSTGRES_MANAGEMENT_HOST }}:{{ POSTGRES_MANAGEMENT_PORT }}"
{% endif %}
13 changes: 12 additions & 1 deletion ansible/roles/erwin-idm/templates/deployment.yml.j2
@@ -51,10 +51,21 @@ spec:
name: erwinidm
protocol: TCP
envFrom:
- secretRef:
name: erwinidm-secret
- configMapRef:
name: erwinidm-configmap
{% if WITH_BRANCH_POSTGRES_DB_MANAGEMENT|bool %}
- secretRef:
name: erwinidm-secret
name: pg-erwinidm-secret
env:
- name: KC_DB_PASSWORD
value: "$(DB_USER_PASSWORD)"
- name: KC_DB_USERNAME
value: "$(DB_USER)"
- name: KC_DB_URL
value: "$(DB_BASE_URL)/$(DB_NAME)"
{% endif %}
resources:
# find reasonable limits
limits:
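--- a/ansible/roles/erwin-idm/templates/job-database-init.yml.j2
+++ b/ansible/roles/erwin-idm/templates/job-database-init.yml.j2
@@ -0,0 +1,67 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: pg-erwinidm-init-job-{{ 1000000 | random | hash('md5') }}
+  namespace: {{ NAMESPACE }}
+  labels:
+    app: erwinidm-postgres-init
+    app.kubernetes.io/part-of: schulcloud-verbund
+    app.kubernetes.io/name: erwinidm-postgres-init
+    app.kubernetes.io/component: idm
+    app.kubernetes.io/managed-by: ansible
+    git.branch: {{ DOF_APP_DEPLOY_BRANCH_NAME }}
+    git.repo: {{ DOF_APP_DEPLOY_REPO_NAME }}
+spec:
+  template:
+    metadata:
+      labels:
+        app: erwinidm-postgres-init
+        app.kubernetes.io/part-of: schulcloud-verbund
+        app.kubernetes.io/name: erwinidm-postgres-init
+        app.kubernetes.io/component: idm
+        app.kubernetes.io/managed-by: ansible
+        git.branch: {{ DOF_APP_DEPLOY_BRANCH_NAME }}
+        git.repo: {{ DOF_APP_DEPLOY_REPO_NAME }}
+    spec:
+      volumes:
+        - name: config-script
+          configMap:
+            name: pg-erwinidm-configmap-init
+            # 711 in decimal is 457
+            defaultMode: 457
+      containers:
+        - name: psql-erwinidm-config
+          image: {{ POSTGRES_MANAGEMENT_JOB_IMAGE }}
+          command:
+            - /bin/bash
+            - -c
+          args:
+            - /scripts/config_script.sh
+          resources:
+            limits:
+              cpu: 1000m
+              memory: 1Gi
+            requests:
+              cpu: 100m
+              memory: 200Mi
+          volumeMounts:
+            - name: config-script
+              mountPath: /scripts/
+          envFrom:
+            - secretRef:
+                name: pg-erwinidm-secret
+          env:
+            - name: PGHOST
+              value: {{ POSTGRES_MANAGEMENT_HOST }}
+            - name: PGUSER
+              valueFrom:
+                secretKeyRef:
+                  name: pg-cluster-secret
+                  key: username
+            - name: PGPASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: pg-cluster-secret
+                  key: password
+      restartPolicy: Never
+  ttlSecondsAfterFinished: 1800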
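Review bot: The Job has neither `backoffLimit` nor `activeDeadlineSeconds`, so when the management cluster is unreachable or `pg-cluster-secret` is missing it retries with the default back-off and lingers for the full `ttlSecondsAfterFinished: 1800`, while every deploy creates another randomly named copy; `backoffLimit: 2` and `activeDeadlineSeconds: 300` under `spec:` bound that. The random suffix in `metadata.name` is what forces a fresh run per deploy, because a completed Job cannot be re-run; a comment saying so, `# new name per deploy: a finished Job is immutable and would not re-run`, stops someone "simplifying" it to a fixed name. `ansible/roles/hydra/templates/job-database-init.yml.j2` is identical apart from names and should get the same treatment.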
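--- a/ansible/roles/erwin-idm/templates/secret-database.yml.j2
+++ b/ansible/roles/erwin-idm/templates/secret-database.yml.j2
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: pg-erwinidm-secret
+  namespace: {{ NAMESPACE }}
+  labels:
+    app: erwinidm-postgres-init
+type: Opaque
+data:
+  DB_USER: "{{ (POSTGRES_MANAGEMENT_PREFIX + 'erwinidm') | b64encode }}"
+  DB_USER_PASSWORD: "{{ lookup('ansible.builtin.password', '/dev/null') | b64encode }}"
+  DB_NAME: "{{ (POSTGRES_MANAGEMENT_PREFIX + 'erwinidm') | b64encode }}"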
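Review bot: `lookup('ansible.builtin.password', '/dev/null')` yields a new random value every time this template is rendered, and the only thing preventing the database password from rotating on each deploy is the `db_secret_present` guard in the tasks file; that coupling should be stated here, e.g. `# rendered only when the Secret is absent (see tasks/main.yml) — re-rendering would rotate the password`. The lookup's default character set happens to avoid characters that would need escaping in a connection string, which the hydra twin of this file depends on because its `DSN` is `postgres://$(DB_USER):$(DB_USER_PASSWORD)@…`; pinning `chars=['ascii_letters', 'digits']` and a longer `length` makes that guarantee explicit rather than accidental. `DB_USER` and `DB_NAME` are the same expression twice; a comment that user and database are intentionally named alike would avoid a reader assuming one is a copy-paste slip. The same points apply to `ansible/roles/hydra/templates/secret-database.yml.j2`.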
31 changes: 31 additions & 0 deletions ansible/roles/hydra/tasks/main.yml
@@ -1,3 +1,34 @@
- name: Check if secret with database credentials already exists
kubernetes.core.k8s_info:
kubeconfig: ~/.kube/config
namespace: "{{ NAMESPACE }}"
kind: Secret
name: "pg-hydra-secret"
register: db_secret_present
when: WITH_BRANCH_POSTGRES_DB_MANAGEMENT

- name: Create Secret for the database (if not existing)
kubernetes.core.k8s:
kubeconfig: ~/.kube/config
namespace: "{{ NAMESPACE }}"
template: secret-database.yml.j2
when: WITH_BRANCH_POSTGRES_DB_MANAGEMENT and db_secret_present.resources|length == 0

- name: Create ConfigMap with database configuration script
kubernetes.core.k8s:
kubeconfig: ~/.kube/config
namespace: "{{ NAMESPACE }}"
template: configmap-database-init.yml.j2
apply: yes
when: WITH_BRANCH_POSTGRES_DB_MANAGEMENT

- name: Create/execute database configuration script
kubernetes.core.k8s:
kubeconfig: ~/.kube/config
namespace: "{{ NAMESPACE }}"
template: job-database-init.yml.j2
when: WITH_BRANCH_POSTGRES_DB_MANAGEMENT

- name: Service
kubernetes.core.k8s:
kubeconfig: ~/.kube/config
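--- a/ansible/roles/hydra/templates/configmap-database-init.yml.j2
+++ b/ansible/roles/hydra/templates/configmap-database-init.yml.j2
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: pg-hydra-configmap-init
+  namespace: {{ NAMESPACE }}
+  labels:
+    app: hydra-postgres-init
+data:
+  config_script.sh: |
+    #!/bin/bash
+    echo "Create owner of the DB"
+    echo "SELECT 'CREATE USER $DB_USER' WHERE NOT EXISTS (SELECT FROM pg_user WHERE usename = '$DB_USER')\gexec" | psql -d postgres -w
+    echo "GRANT $DB_USER TO $PGUSER;" | psql -d postgres -w
+    echo "Set/update password for user $DB_USER"
+    echo "ALTER USER $DB_USER WITH ENCRYPTED PASSWORD '$DB_USER_PASSWORD';" | psql -d postgres -w
+    echo "Create database"
+    echo "SELECT 'CREATE DATABASE $DB_NAME OWNER $DB_USER' WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = '$DB_NAME')\gexec" | psql -d postgres -w
+    echo "Revoke permissions for public role"
+    echo "REVOKE ALL ON DATABASE $DB_NAME FROM PUBLIC;" | psql -d postgres -w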
5 changes: 4 additions & 1 deletion ansible/roles/hydra/templates/configmap.yml.j2
@@ -6,7 +6,6 @@ metadata:
labels:
app: hydra
data:

SERVE_PUBLIC_CORS_ENABLED: "true"
SERVE_PUBLIC_CORS_ALLOWED_METHODS: "POST,GET,PUT,DELETE"
URLS_SELF_ISSUER: "https://{{ HYDRA_DNS_PREFIX }}{{ DOMAIN }}"
@@ -19,3 +18,7 @@ data:
SC_FRONTEND: "https://{{ DOMAIN }}"
SQA_OPT_OUT: "true"
LOG_LEVEL: "info"
{% if WITH_BRANCH_POSTGRES_DB_MANAGEMENT|bool %}
POSTGRES_HOST: "{{ POSTGRES_MANAGEMENT_HOST }}"
POSTGRES_PORT: "{{ POSTGRES_MANAGEMENT_PORT }}"
{% endif %}
9 changes: 8 additions & 1 deletion ansible/roles/hydra/templates/deployment.yml.j2
@@ -56,10 +56,17 @@ spec:
periodSeconds: 10
failureThreshold: 5
envFrom:
- secretRef:
name: hydra-secret
- configMapRef:
name: hydra-configmap
{% if WITH_BRANCH_POSTGRES_DB_MANAGEMENT|bool %}
- secretRef:
name: hydra-secret
name: pg-hydra-secret
env:
- name: DSN
value: "postgres://$(DB_USER):$(DB_USER_PASSWORD)@$(POSTGRES_HOST):$(POSTGRES_PORT)/$(DB_NAME)"
{% endif %}
resources:
limits:
cpu: "{{ HYDRA_CPU_MAX|default("1000m", true) }}"
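Review bot: The `{% if %}` block introduces an `env:` key on the container; if the container spec outside this hunk already defines `env:`, the rendered manifest contains the key twice and the YAML loader silently keeps only one of the two lists, dropping either `DSN` or the existing variables. If that is the case the new entry should be merged into the existing list (or the existing list moved under the same condition); the same pattern appears in `ansible/roles/hydra/templates/job.yml.j2` and `ansible/roles/erwin-idm/templates/deployment.yml.j2`. The `$(VAR)` references also rely on Kubernetes expanding `envFrom` values before `env`, which is true but non-obvious; a one-line comment above `env:` saying so would save the next reader checking it.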
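--- a/ansible/roles/hydra/templates/job-database-init.yml.j2
+++ b/ansible/roles/hydra/templates/job-database-init.yml.j2
@@ -0,0 +1,67 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: pg-hydra-init-job-{{ 1000000 | random | hash('md5') }}
+  namespace: {{ NAMESPACE }}
+  labels:
+    app: hydra-postgres-init
+    app.kubernetes.io/part-of: schulcloud-verbund
+    app.kubernetes.io/name: hydra-postgres-init
+    app.kubernetes.io/component: oauth
+    app.kubernetes.io/managed-by: ansible
+    git.branch: {{ DOF_APP_DEPLOY_BRANCH_NAME }}
+    git.repo: {{ DOF_APP_DEPLOY_REPO_NAME }}
+spec:
+  template:
+    metadata:
+      labels:
+        app: hydra-postgres-init
+        app.kubernetes.io/part-of: schulcloud-verbund
+        app.kubernetes.io/name: hydra-postgres-init
+        app.kubernetes.io/component: oauth
+        app.kubernetes.io/managed-by: ansible
+        git.branch: {{ DOF_APP_DEPLOY_BRANCH_NAME }}
+        git.repo: {{ DOF_APP_DEPLOY_REPO_NAME }}
+    spec:
+      volumes:
+        - name: config-script
+          configMap:
+            name: pg-hydra-configmap-init
+            # 711 in decimal is 457
+            defaultMode: 457
+      containers:
+        - name: psql-hydra-config
+          image: {{ POSTGRES_MANAGEMENT_JOB_IMAGE }}
+          command:
+            - /bin/bash
+            - -c
+          args:
+            - /scripts/config_script.sh
+          resources:
+            limits:
+              cpu: 1000m
+              memory: 1Gi
+            requests:
+              cpu: 100m
+              memory: 200Mi
+          volumeMounts:
+            - name: config-script
+              mountPath: /scripts/
+          envFrom:
+            - secretRef:
+                name: pg-hydra-secret
+          env:
+            - name: PGHOST
+              value: {{ POSTGRES_MANAGEMENT_HOST }}
+            - name: PGUSER
+              valueFrom:
+                secretKeyRef:
+                  name: pg-cluster-secret
+                  key: username
+            - name: PGPASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: pg-cluster-secret
+                  key: password
+      restartPolicy: Never
+  ttlSecondsAfterFinished: 1800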
9 changes: 8 additions & 1 deletion ansible/roles/hydra/templates/job.yml.j2
@@ -16,10 +16,17 @@ spec:
image: {{ HYDRA_IMAGE_NAME }}:{{ HYDRA_IMAGE_TAG }}
imagePullPolicy: Always
envFrom:
- secretRef:
name: hydra-secret
- configMapRef:
name: hydra-configmap
{% if WITH_BRANCH_POSTGRES_DB_MANAGEMENT|bool %}
- secretRef:
name: hydra-secret
name: pg-hydra-secret
env:
- name: DSN
value: "postgres://$(DB_USER):$(DB_USER_PASSWORD)@$(POSTGRES_HOST):$(POSTGRES_PORT)/$(DB_NAME)"
{% endif %}
volumeMounts:
- name: script
mountPath: /update.sh
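--- a/ansible/roles/hydra/templates/secret-database.yml.j2
+++ b/ansible/roles/hydra/templates/secret-database.yml.j2
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: pg-hydra-secret
+  namespace: {{ NAMESPACE }}
+  labels:
+    app: hydra-postgres-init
+type: Opaque
+data:
+  DB_USER: "{{ (POSTGRES_MANAGEMENT_PREFIX + 'hydra') | b64encode }}"
+  DB_USER_PASSWORD: "{{ lookup('ansible.builtin.password', '/dev/null') | b64encode }}"
+  DB_NAME: "{{ (POSTGRES_MANAGEMENT_PREFIX + 'hydra') | b64encode }}"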

0 comments on commit e44c85e
