BC-7024-migration-to-ionos-postgres-dev

.github/workflows/clean_workflow.yml

@@ -117,25 +117,19 @@ jobs:
           echo "${{ secrets.DEV_KUBE_CONFIG_NBC }}" > files/config_nbc
           echo "${{ secrets.DEV_KUBE_CONFIG_THR }}" > files/config_thr
           echo "${{ secrets.DEV_KUBE_CONFIG_DBC }}" > files/config_dbc
-      - name: delete custom resources and namespaces 
+      - name: delete custom resources, databases and namespaces
         run: |
           branch_identifier='${{ needs.create_branch_identifier.outputs.id_branch }}'
-          kubectl --kubeconfig=files/config_brb --namespace $branch_identifier delete --ignore-not-found=true --all=true ScaledObject
-          kubectl --kubeconfig=files/config_brb --namespace $branch_identifier delete --ignore-not-found=true --all=true TriggerAuthentication
-          kubectl --kubeconfig=files/config_brb --namespace $branch_identifier delete --ignore-not-found=true --all=true OnePasswordItem
-          kubectl --kubeconfig=files/config_brb delete --ignore-not-found=true ns $branch_identifier
-          kubectl --kubeconfig=files/config_nbc --namespace $branch_identifier delete --ignore-not-found=true --all=true ScaledObject
-          kubectl --kubeconfig=files/config_nbc --namespace $branch_identifier delete --ignore-not-found=true --all=true TriggerAuthentication
-          kubectl --kubeconfig=files/config_nbc --namespace $branch_identifier delete --ignore-not-found=true --all=true OnePasswordItem
-          kubectl --kubeconfig=files/config_nbc delete --ignore-not-found=true ns $branch_identifier 
-          kubectl --kubeconfig=files/config_thr --namespace $branch_identifier delete --ignore-not-found=true --all=true ScaledObject
-          kubectl --kubeconfig=files/config_thr --namespace $branch_identifier delete --ignore-not-found=true --all=true TriggerAuthentication
-          kubectl --kubeconfig=files/config_thr --namespace $branch_identifier delete --ignore-not-found=true --all=true OnePasswordItem
-          kubectl --kubeconfig=files/config_thr delete --ignore-not-found=true ns $branch_identifier 
-          kubectl --kubeconfig=files/config_dbc --namespace $branch_identifier delete --ignore-not-found=true --all=true ScaledObject
-          kubectl --kubeconfig=files/config_dbc --namespace $branch_identifier delete --ignore-not-found=true --all=true TriggerAuthentication
-          kubectl --kubeconfig=files/config_dbc --namespace $branch_identifier delete --ignore-not-found=true --all=true OnePasswordItem
-          kubectl --kubeconfig=files/config_dbc delete --ignore-not-found=true ns $branch_identifier
+          for CLUSTER in brb nbc thr dbc
+          do
+            echo "Cleanup for $CLUSTER"
+            kubectl --kubeconfig=files/config_$CLUSTER --namespace $branch_identifier patch job/pg-deletion-job -p '{"spec":{"suspend":false}}' || echo "::warning::Couldn't clean up the postgres databases ($CLUSTER)"
+            kubectl --kubeconfig=files/config_$CLUSTER --namespace $branch_identifier delete --ignore-not-found=true --all=true ScaledObject
+            kubectl --kubeconfig=files/config_$CLUSTER --namespace $branch_identifier delete --ignore-not-found=true --all=true TriggerAuthentication
+            kubectl --kubeconfig=files/config_$CLUSTER --namespace $branch_identifier wait --for=delete pod/pg-deletion-job --timeout=180s || echo "::warning::Couldn't clean up the postgres databases ($CLUSTER)"
+            kubectl --kubeconfig=files/config_$CLUSTER --namespace $branch_identifier delete --ignore-not-found=true --all=true OnePasswordItem
+            kubectl --kubeconfig=files/config_$CLUSTER delete --ignore-not-found=true ns $branch_identifier
+          done
       - name: remove kubeconfig
         run: |
           rm -rf  files/config_.*

ansible/group_vars/all/postgres.yml

@@ -0,0 +1,3 @@
+POSTGRES_MANAGEMENT_PREFIX: ""
+POSTGRES_MANAGEMENT_PORT: 5432
+POSTGRES_MANAGEMENT_JOB_IMAGE: "quay.io/schulcloudverbund/infra-tools:4.1"

ansible/group_vars/all/with.yml

@@ -2,7 +2,9 @@ WITH_STORAGE: false
 WITH_ERWINIDM: true
 WITH_LDAP: false
 WITH_TSP: false
-WITH_DATABASES: false
+WITH_MONGO_DATABASES: false
+WITH_POSTGRES_DATABASES: false
+WITH_BRANCH_POSTGRES_DB_MANAGEMENT: false
 WITH_SCHULCLOUD_INIT: false
 WITH_CALENDAR_INIT: false
 WITH_OIDCMOCK: false

ansible/group_vars/develop/postgres.yml

@@ -0,0 +1 @@
+POSTGRES_MANAGEMENT_PREFIX: "{{ (NAMESPACE | replace('-','_'))[:40] }}__"

ansible/group_vars/develop/with.yml

@@ -1,4 +1,5 @@
-WITH_DATABASES: true
+WITH_MONGO_DATABASES: true
+WITH_BRANCH_POSTGRES_DB_MANAGEMENT: true
 WITH_SCHULCLOUD_INIT: true
 WITH_CALENDAR_INIT: true
 WITH_ERWINIDM: true

ansible/group_vars/infra/with.yml

@@ -1,4 +1,4 @@
-WITH_DATABASES: true
+WITH_MONGO_DATABASES: true
 WITH_SCHULCLOUD_INIT: true
 WITH_CALENDAR_INIT: true
 WITH_STORAGE: true

ansible/group_vars/loadtest/with.yml

@@ -1,4 +1,5 @@
-WITH_DATABASES: true
+WITH_MONGO_DATABASES: true
+WITH_POSTGRES_DATABASES: true
 WITH_SCHULCLOUD_INIT: true
 WITH_CALENDAR_INIT: true
 WITH_STORAGE: true

ansible/host_vars/brb_host/postgres.yml

@@ -0,0 +1 @@
+POSTGRES_MANAGEMENT_HOST: "pg-4ifot8r4h0ksummi.postgresql.de-txl.ionos.com"

ansible/host_vars/dbc_host/postgres.yml

@@ -0,0 +1 @@
+POSTGRES_MANAGEMENT_HOST: "pg-0em2c6d51cp7s177.postgresql.de-txl.ionos.com"

ansible/host_vars/nbc_host/postgres.yml

@@ -0,0 +1 @@
+POSTGRES_MANAGEMENT_HOST: "pg-d2n03p780atcj0fk.postgresql.de-txl.ionos.com"

ansible/host_vars/thr_host/postgres.yml

@@ -0,0 +1 @@
+POSTGRES_MANAGEMENT_HOST: "pg-15bkj89e4fo00bve.postgresql.de-txl.ionos.com"

ansible/playbook.yml

@@ -10,6 +10,7 @@
     - namespace-activator-scaled-objects
     - dof_mongo
     - dof_postgresql
+    - dof_postgresql_management
     - dof_rabbitmq
     - dof_redis
     - dof_mailcatcher

ansible/roles/dof_mongo/tasks/main.yml

@@ -3,7 +3,7 @@
       kubeconfig: ~/.kube/config
       namespace: "{{ NAMESPACE }}"
       template: svc.yml.j2
-    when: WITH_DATABASES
+    when: WITH_MONGO_DATABASES
 
   - name: remove Service
     kubernetes.core.k8s:
@@ -13,14 +13,14 @@
       api_version: v1
       kind: Service
       name: mongo-svc
-    when: not WITH_DATABASES 
+    when: not WITH_MONGO_DATABASES
 
   - name: Add or Update ServiceMonitor
     kubernetes.core.k8s:
       kubeconfig: ~/.kube/config
       namespace: "{{ NAMESPACE }}"
       template: svc-monitor.yml.j2
-    when: WITH_DATABASES
+    when: WITH_MONGO_DATABASES
 
   - name: remove ServiceMonitor
     kubernetes.core.k8s:
@@ -30,14 +30,14 @@
       api_version: monitoring.coreos.com/v1
       kind: ServiceMonitor
       name: mongo-svc-monitor
-    when: not WITH_DATABASES 
+    when: not WITH_MONGO_DATABASES
 
   - name: Add or Update Secret by 1Password
     kubernetes.core.k8s:
       kubeconfig: ~/.kube/config
       namespace: "{{ NAMESPACE }}"
       template: onepassword.yml.j2
-    when: WITH_DATABASES and ONEPASSWORD_OPERATOR is defined and ONEPASSWORD_OPERATOR|bool
+    when: WITH_MONGO_DATABASES and ONEPASSWORD_OPERATOR is defined and ONEPASSWORD_OPERATOR|bool
 
   - name: remove Secret by 1Password
     kubernetes.core.k8s:
@@ -47,14 +47,14 @@
       api_version: onepassword.com/v1
       kind: OnePasswordItem
       name: mongo-secret
-    when: not WITH_DATABASES and ONEPASSWORD_OPERATOR is defined and ONEPASSWORD_OPERATOR|bool
+    when: not WITH_MONGO_DATABASES and ONEPASSWORD_OPERATOR is defined and ONEPASSWORD_OPERATOR|bool
 
   - name: Add or Update Persistent Volumes Claim
     kubernetes.core.k8s:
       kubeconfig: ~/.kube/config 
       namespace: "{{ NAMESPACE }}"
       template: pvc.yml.j2
-    when: WITH_DATABASES
+    when: WITH_MONGO_DATABASES
 
   - name: remove Persistent Volumes Claim
     kubernetes.core.k8s:
@@ -64,15 +64,15 @@
       api_version: v1
       kind: PersistentVolumeClaim
       name: mongo-pvc
-    when: not WITH_DATABASES
+    when: not WITH_MONGO_DATABASES
 
   - name: Add or Update Deployment
     kubernetes.core.k8s:
       kubeconfig: ~/.kube/config
       namespace: "{{ NAMESPACE }}"
       template: deployment.yml.j2
       apply: yes
-    when: WITH_DATABASES
+    when: WITH_MONGO_DATABASES
 
   - name: remove Deployment
     kubernetes.core.k8s:
@@ -82,4 +82,4 @@
       api_version: apps/v1
       kind: Deployment
       name: mongo-deployment
-    when: not WITH_DATABASES
+    when: not WITH_MONGO_DATABASES

ansible/roles/dof_postgresql/tasks/main.yml

@@ -3,7 +3,7 @@
       kubeconfig: ~/.kube/config 
       namespace: "{{ NAMESPACE }}"
       template: svc.yml.j2
-    when: WITH_DATABASES
+    when: WITH_POSTGRES_DATABASES
 
   - name: remove Service
     kubernetes.core.k8s:
@@ -13,14 +13,14 @@
       kind: Service
       name: postgres-svc
       state: absent
-    when: not WITH_DATABASES
+    when: not WITH_POSTGRES_DATABASES
 
   - name: Add or Update Persistent Volumes Claim  
     kubernetes.core.k8s:
       kubeconfig: ~/.kube/config 
       namespace: "{{ NAMESPACE }}"
       template: pvc.yml.j2
-    when: WITH_DATABASES
+    when: WITH_POSTGRES_DATABASES
 
   - name: remove Persistent Volumes Claim  
     kubernetes.core.k8s:
@@ -30,15 +30,15 @@
       kind: PersistentVolumeClaim
       name: postgres-pvc
       state: absent
-    when: not WITH_DATABASES
+    when: not WITH_POSTGRES_DATABASES
 
   - name: Add or Update Configmap
     kubernetes.core.k8s:
       kubeconfig: ~/.kube/config 
       namespace: "{{ NAMESPACE }}"
       template: configmap.yml.j2
       apply: yes
-    when: WITH_DATABASES and (ONEPASSWORD_OPERATOR is undefined or ( ONEPASSWORD_OPERATOR is defined and not ONEPASSWORD_OPERATOR) )
+    when: WITH_POSTGRES_DATABASES and (ONEPASSWORD_OPERATOR is undefined or ( ONEPASSWORD_OPERATOR is defined and not ONEPASSWORD_OPERATOR) )
 
   - name: remove Configmap
     kubernetes.core.k8s:
@@ -48,15 +48,15 @@
       kind: ConfigMap
       name: postgres-configmap
       state: absent
-    when: not WITH_DATABASES and (ONEPASSWORD_OPERATOR is undefined or ( ONEPASSWORD_OPERATOR is defined and not ONEPASSWORD_OPERATOR) )
+    when: not WITH_POSTGRES_DATABASES and (ONEPASSWORD_OPERATOR is undefined or ( ONEPASSWORD_OPERATOR is defined and not ONEPASSWORD_OPERATOR) )
 
   - name: Add or Update init scripts Configmap
     kubernetes.core.k8s:
       kubeconfig: ~/.kube/config
       namespace: "{{ NAMESPACE }}"
       template: configmap-init.yml.j2
       apply: yes
-    when: WITH_DATABASES
+    when: WITH_POSTGRES_DATABASES
 
   - name: remove init scripts Configmap
     kubernetes.core.k8s:
@@ -66,14 +66,14 @@
       kind: ConfigMap
       name: postgres-configmap-init
       state: absent
-    when: not WITH_DATABASES
+    when: not WITH_POSTGRES_DATABASES
 
   - name: Add or Update Secret by 1Password
     kubernetes.core.k8s:
       kubeconfig: ~/.kube/config 
       namespace: "{{ NAMESPACE }}"
       template: onepassword.yml.j2
-    when: WITH_DATABASES and (ONEPASSWORD_OPERATOR is defined and ONEPASSWORD_OPERATOR|bool)
+    when: WITH_POSTGRES_DATABASES and (ONEPASSWORD_OPERATOR is defined and ONEPASSWORD_OPERATOR|bool)
 
   - name: remove Secret by 1Password
     kubernetes.core.k8s:
@@ -83,15 +83,15 @@
       kind: OnePasswordItem
       name: postgres-secret
       state: absent
-    when: not WITH_DATABASES and (ONEPASSWORD_OPERATOR is defined and ONEPASSWORD_OPERATOR|bool)
+    when: not WITH_POSTGRES_DATABASES and (ONEPASSWORD_OPERATOR is defined and ONEPASSWORD_OPERATOR|bool)
 
   - name: Add or Update Deployment
     kubernetes.core.k8s:
       kubeconfig: ~/.kube/config 
       namespace: "{{ NAMESPACE }}"
       template: deployment.yml.j2
       apply: yes
-    when: WITH_DATABASES
+    when: WITH_POSTGRES_DATABASES
 
   - name: remove Deployment
     kubernetes.core.k8s:
@@ -101,4 +101,4 @@
       kind: Deployment
       name: postgres-deployment
       state: absent
-    when: not WITH_DATABASES
+    when: not WITH_POSTGRES_DATABASES

ansible/roles/dof_postgresql_management/meta/main.yml

@@ -0,0 +1,9 @@
+galaxy_info:
+  role_name: dof_postgresql_management
+  author: Schul-Cloud Verbund
+  description: Helper role for creating postgres clsuter secret and deleting branch specific postgres databases
+  company: Schul-Cloud Verbund
+  license: license (AGPLv3)
+  min_ansible_version: 2.8
+  galaxy_tags: []
+dependencies: []

ansible/roles/dof_postgresql_management/tasks/main.yml

@@ -0,0 +1,22 @@
+- name: Add or Update Postgres Cluster Secret by 1Password
+  kubernetes.core.k8s:
+    kubeconfig: ~/.kube/config 
+    namespace: "{{ NAMESPACE }}"
+    template: onepassword-pg-cluster.yml.j2
+  when: WITH_BRANCH_POSTGRES_DB_MANAGEMENT and ONEPASSWORD_OPERATOR is defined and ONEPASSWORD_OPERATOR|bool
+
+- name: Create ConfigMap with Script for database deletion
+  kubernetes.core.k8s:
+    kubeconfig: ~/.kube/config
+    namespace: "{{ NAMESPACE }}"
+    template: configmap-database-deletion.yml.j2
+    apply: yes
+  when: WITH_BRANCH_POSTGRES_DB_MANAGEMENT
+
+- name: Create suspended Job for database deletion
+  kubernetes.core.k8s:
+    kubeconfig: ~/.kube/config
+    namespace: "{{ NAMESPACE }}"
+    template: job-database-deletion.yml.j2
+    apply: yes
+  when: WITH_BRANCH_POSTGRES_DB_MANAGEMENT

ansible/roles/dof_postgresql_management/templates/configmap-database-deletion.yml.j2

@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: pg-configmap-deletion
+  namespace: {{ NAMESPACE }}
+  labels:
+    app: postgres-management
+data:
+  config_script.sh: |
+    #!/bin/bash
+    DB_PREFIX="{{ POSTGRES_MANAGEMENT_PREFIX }}"
+    if [[ {{ '${#DB_PREFIX}' }} -le 5 ]]; then 
+      echo "Postgres prefix \"{{ POSTGRES_MANAGEMENT_PREFIX }}\" seems too short. Dropping all matching databases could be dangerous. Aborting."
+      exit 1
+    fi
+    echo "Delete databases starting with {{ POSTGRES_MANAGEMENT_PREFIX }}"
+    echo "SELECT 'DROP DATABASE ' || quote_ident(datname) || ' WITH (FORCE);' FROM pg_database WHERE datname LIKE '{{ POSTGRES_MANAGEMENT_PREFIX | replace('_','#_')}}%' ESCAPE '#' \gexec" | psql -d postgres -w
+    echo "Delete users starting with {{ POSTGRES_MANAGEMENT_PREFIX  }}"
+    echo "SELECT 'DROP USER ' || quote_ident(usename) || ';' FROM pg_catalog.pg_user WHERE usename LIKE '{{ POSTGRES_MANAGEMENT_PREFIX | replace('_','#_')}}%' ESCAPE '#' \gexec" | psql -d postgres -w

ansible/roles/dof_postgresql_management/templates/job-database-deletion.yml.j2

@@ -0,0 +1,59 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: pg-deletion-job
+  namespace: {{ NAMESPACE }}
+  labels:
+    app: postgres-management
+    app.kubernetes.io/part-of: schulcloud-verbund
+    app.kubernetes.io/name: postgres-management
+    app.kubernetes.io/component: database
+    app.kubernetes.io/managed-by: ansible
+    git.branch: {{ DOF_APP_DEPLOY_BRANCH_NAME }}
+    git.repo: {{ DOF_APP_DEPLOY_REPO_NAME }}
+spec:
+  template:
+    metadata:
+      labels:
+        app: postgres
+    spec:
+      volumes:
+        - name: config-script
+          configMap:
+            name: pg-configmap-deletion
+            # 711 in decimal is 457
+            defaultMode: 457
+      containers:
+        - name:  psql-config
+          image: {{ POSTGRES_MANAGEMENT_JOB_IMAGE }}
+          command:
+            - /bin/bash
+            - -c
+          args:
+            - /scripts/config_script.sh
+          resources:
+            limits:
+              cpu: 1000m
+              memory: 1Gi
+            requests:
+              cpu: 100m
+              memory: 200Mi
+          volumeMounts:
+            - name: config-script
+              mountPath: /scripts/
+          env:
+            - name: PGHOST
+              value: {{ POSTGRES_MANAGEMENT_HOST }}
+            - name: PGUSER
+              valueFrom:
+                secretKeyRef:
+                  name: pg-cluster-secret
+                  key: username
+            - name: PGPASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: pg-cluster-secret
+                  key: password
+      restartPolicy: Never
+  suspend: true
+  ttlSecondsAfterFinished: 0