hpi-schul-cloud · YannickEvers · Apr 25, 2024 · Apr 4, 2024 · Apr 4, 2024 · Apr 4, 2024
diff --git a/.github/workflows/clean.yml b/.github/workflows/clean.yml
@@ -29,7 +29,7 @@ jobs:
   clean:
     needs:
       - branch_name
-    uses: hpi-schul-cloud/dof_app_deploy/.github/workflows/clean_workflow.yml@main
+    uses: hpi-schul-cloud/dof_app_deploy/.github/workflows/clean_workflow.yml@BC-7024-migration-to-ionos-postgres-dev
     with:
       branch: ${{ needs.branch_name.outputs.branch }}
     secrets:

diff --git a/.github/workflows/clean_workflow.yml b/.github/workflows/clean_workflow.yml
@@ -117,25 +117,19 @@ jobs:
           echo "${{ secrets.DEV_KUBE_CONFIG_NBC }}" > files/config_nbc
           echo "${{ secrets.DEV_KUBE_CONFIG_THR }}" > files/config_thr
           echo "${{ secrets.DEV_KUBE_CONFIG_DBC }}" > files/config_dbc
-      - name: delete custom resources and namespaces 
+      - name: delete custom resources, databases and namespaces
         run: |
           branch_identifier='${{ needs.create_branch_identifier.outputs.id_branch }}'
-          kubectl --kubeconfig=files/config_brb --namespace $branch_identifier delete --ignore-not-found=true --all=true ScaledObject
-          kubectl --kubeconfig=files/config_brb --namespace $branch_identifier delete --ignore-not-found=true --all=true TriggerAuthentication
-          kubectl --kubeconfig=files/config_brb --namespace $branch_identifier delete --ignore-not-found=true --all=true OnePasswordItem
-          kubectl --kubeconfig=files/config_brb delete --ignore-not-found=true ns $branch_identifier
-          kubectl --kubeconfig=files/config_nbc --namespace $branch_identifier delete --ignore-not-found=true --all=true ScaledObject
-          kubectl --kubeconfig=files/config_nbc --namespace $branch_identifier delete --ignore-not-found=true --all=true TriggerAuthentication
-          kubectl --kubeconfig=files/config_nbc --namespace $branch_identifier delete --ignore-not-found=true --all=true OnePasswordItem
-          kubectl --kubeconfig=files/config_nbc delete --ignore-not-found=true ns $branch_identifier 
-          kubectl --kubeconfig=files/config_thr --namespace $branch_identifier delete --ignore-not-found=true --all=true ScaledObject
-          kubectl --kubeconfig=files/config_thr --namespace $branch_identifier delete --ignore-not-found=true --all=true TriggerAuthentication
-          kubectl --kubeconfig=files/config_thr --namespace $branch_identifier delete --ignore-not-found=true --all=true OnePasswordItem
-          kubectl --kubeconfig=files/config_thr delete --ignore-not-found=true ns $branch_identifier 
-          kubectl --kubeconfig=files/config_dbc --namespace $branch_identifier delete --ignore-not-found=true --all=true ScaledObject
-          kubectl --kubeconfig=files/config_dbc --namespace $branch_identifier delete --ignore-not-found=true --all=true TriggerAuthentication
-          kubectl --kubeconfig=files/config_dbc --namespace $branch_identifier delete --ignore-not-found=true --all=true OnePasswordItem
-          kubectl --kubeconfig=files/config_dbc delete --ignore-not-found=true ns $branch_identifier
+          for CLUSTER in brb nbc thr dbc
+          do
+            echo "Cleanup for $CLUSTER"
+            kubectl --kubeconfig=files/config_$CLUSTER --namespace $branch_identifier patch job/pg-deletion-job -p '{"spec":{"suspend":false}}' || echo "::warning::Couldn't clean up the postgres databases ($CLUSTER)"
+            kubectl --kubeconfig=files/config_$CLUSTER --namespace $branch_identifier delete --ignore-not-found=true --all=true ScaledObject
+            kubectl --kubeconfig=files/config_$CLUSTER --namespace $branch_identifier delete --ignore-not-found=true --all=true TriggerAuthentication
+            kubectl --kubeconfig=files/config_$CLUSTER --namespace $branch_identifier wait --for=delete pod/pg-deletion-job --timeout=180s || echo "::warning::Couldn't clean up the postgres databases ($CLUSTER)"
+            kubectl --kubeconfig=files/config_$CLUSTER --namespace $branch_identifier delete --ignore-not-found=true --all=true OnePasswordItem
+            kubectl --kubeconfig=files/config_$CLUSTER delete --ignore-not-found=true ns $branch_identifier
+          done
       - name: remove kubeconfig
         run: |
           rm -rf  files/config_.*
diff --git a/ansible/group_vars/all/postgres.yml b/ansible/group_vars/all/postgres.yml
@@ -0,0 +1,3 @@
+POSTGRES_PREFIX: ""
+POSTGRES_PORT: 5432
+POSTGRES_JOB_IMAGE: "quay.io/schulcloudverbund/infra-tools:4.1"
diff --git a/ansible/group_vars/all/with.yml b/ansible/group_vars/all/with.yml
@@ -2,7 +2,9 @@ WITH_STORAGE: false
 WITH_ERWINIDM: true
 WITH_LDAP: false
 WITH_TSP: false
-WITH_DATABASES: false
+WITH_MONGO_DATABASES: false
+WITH_POSTGRES_DATABASES: false
+WITH_BRANCH_POSTGRES_DB_MANAGEMENT: false
 WITH_SCHULCLOUD_INIT: false
 WITH_CALENDAR_INIT: false
 WITH_OIDCMOCK: false

diff --git a/ansible/group_vars/develop/postgres.yml b/ansible/group_vars/develop/postgres.yml
@@ -0,0 +1 @@
+POSTGRES_PREFIX: "{{ (NAMESPACE | replace('-','_'))[:40] }}__"
diff --git a/ansible/group_vars/develop/with.yml b/ansible/group_vars/develop/with.yml
@@ -1,4 +1,5 @@
-WITH_DATABASES: true
+WITH_MONGO_DATABASES: true
+WITH_BRANCH_POSTGRES_DB_MANAGEMENT: true
 WITH_SCHULCLOUD_INIT: true
 WITH_CALENDAR_INIT: true
 WITH_ERWINIDM: true

diff --git a/ansible/group_vars/infra/with.yml b/ansible/group_vars/infra/with.yml
@@ -1,4 +1,4 @@
-WITH_DATABASES: true
+WITH_MONGO_DATABASES: true
 WITH_SCHULCLOUD_INIT: true
 WITH_CALENDAR_INIT: true
 WITH_STORAGE: true
diff --git a/ansible/group_vars/loadtest/with.yml b/ansible/group_vars/loadtest/with.yml
@@ -1,4 +1,4 @@
-WITH_DATABASES: true
+WITH_MONGO_DATABASES: true
 WITH_SCHULCLOUD_INIT: true
 WITH_CALENDAR_INIT: true
 WITH_STORAGE: true
diff --git a/ansible/host_vars/brb_host/postgres.yml b/ansible/host_vars/brb_host/postgres.yml
@@ -0,0 +1 @@
+POSTGRES_HOST: "pg-4ifot8r4h0ksummi.postgresql.de-txl.ionos.com"
diff --git a/ansible/host_vars/dbc_host/postgres.yml b/ansible/host_vars/dbc_host/postgres.yml
@@ -0,0 +1 @@
+POSTGRES_HOST: "pg-0em2c6d51cp7s177.postgresql.de-txl.ionos.com"
diff --git a/ansible/host_vars/nbc_host/postgres.yml b/ansible/host_vars/nbc_host/postgres.yml
@@ -0,0 +1 @@
+POSTGRES_HOST: "pg-d2n03p780atcj0fk.postgresql.de-txl.ionos.com"
diff --git a/ansible/host_vars/thr_host/postgres.yml b/ansible/host_vars/thr_host/postgres.yml
@@ -0,0 +1 @@
+POSTGRES_HOST: "pg-15bkj89e4fo00bve.postgresql.de-txl.ionos.com"
diff --git a/ansible/roles/dof_mongo/tasks/main.yml b/ansible/roles/dof_mongo/tasks/main.yml
@@ -3,7 +3,7 @@
       kubeconfig: ~/.kube/config
       namespace: "{{ NAMESPACE }}"
       template: svc.yml.j2
-    when: WITH_DATABASES
+    when: WITH_MONGO_DATABASES
 
   - name: remove Service
     kubernetes.core.k8s:
@@ -13,14 +13,14 @@
       api_version: v1
       kind: Service
       name: mongo-svc
-    when: not WITH_DATABASES 
+    when: not WITH_MONGO_DATABASES
 
   - name: Add or Update ServiceMonitor
     kubernetes.core.k8s:
       kubeconfig: ~/.kube/config
       namespace: "{{ NAMESPACE }}"
       template: svc-monitor.yml.j2
-    when: WITH_DATABASES
+    when: WITH_MONGO_DATABASES
 
   - name: remove ServiceMonitor
     kubernetes.core.k8s:
@@ -30,14 +30,14 @@
       api_version: monitoring.coreos.com/v1
       kind: ServiceMonitor
       name: mongo-svc-monitor
-    when: not WITH_DATABASES 
+    when: not WITH_MONGO_DATABASES
 
   - name: Add or Update Secret by 1Password
     kubernetes.core.k8s:
       kubeconfig: ~/.kube/config
       namespace: "{{ NAMESPACE }}"
       template: onepassword.yml.j2
-    when: WITH_DATABASES and ONEPASSWORD_OPERATOR is defined and ONEPASSWORD_OPERATOR|bool
+    when: WITH_MONGO_DATABASES and ONEPASSWORD_OPERATOR is defined and ONEPASSWORD_OPERATOR|bool
 
   - name: remove Secret by 1Password
     kubernetes.core.k8s:
@@ -47,14 +47,14 @@
       api_version: onepassword.com/v1
       kind: OnePasswordItem
       name: mongo-secret
-    when: not WITH_DATABASES and ONEPASSWORD_OPERATOR is defined and ONEPASSWORD_OPERATOR|bool
+    when: not WITH_MONGO_DATABASES and ONEPASSWORD_OPERATOR is defined and ONEPASSWORD_OPERATOR|bool
 
   - name: Add or Update Persistent Volumes Claim
     kubernetes.core.k8s:
       kubeconfig: ~/.kube/config 
       namespace: "{{ NAMESPACE }}"
       template: pvc.yml.j2
-    when: WITH_DATABASES
+    when: WITH_MONGO_DATABASES
 
   - name: remove Persistent Volumes Claim
     kubernetes.core.k8s:
@@ -64,15 +64,15 @@
       api_version: v1
       kind: PersistentVolumeClaim
       name: mongo-pvc
-    when: not WITH_DATABASES
+    when: not WITH_MONGO_DATABASES
 
   - name: Add or Update Deployment
     kubernetes.core.k8s:
       kubeconfig: ~/.kube/config
       namespace: "{{ NAMESPACE }}"
       template: deployment.yml.j2
       apply: yes
-    when: WITH_DATABASES
+    when: WITH_MONGO_DATABASES
 
   - name: remove Deployment
     kubernetes.core.k8s:
@@ -82,4 +82,4 @@
       api_version: apps/v1
       kind: Deployment
       name: mongo-deployment
-    when: not WITH_DATABASES
+    when: not WITH_MONGO_DATABASES
diff --git a/ansible/roles/dof_postgresql/tasks/main.yml b/ansible/roles/dof_postgresql/tasks/main.yml
@@ -3,7 +3,7 @@
       kubeconfig: ~/.kube/config 
       namespace: "{{ NAMESPACE }}"
       template: svc.yml.j2
-    when: WITH_DATABASES
+    when: WITH_POSTGRES_DATABASES
 
   - name: remove Service
     kubernetes.core.k8s:
@@ -13,14 +13,14 @@
       kind: Service
       name: postgres-svc
       state: absent
-    when: not WITH_DATABASES
+    when: not WITH_POSTGRES_DATABASES
 
   - name: Add or Update Persistent Volumes Claim  
     kubernetes.core.k8s:
       kubeconfig: ~/.kube/config 
       namespace: "{{ NAMESPACE }}"
       template: pvc.yml.j2
-    when: WITH_DATABASES
+    when: WITH_POSTGRES_DATABASES
 
   - name: remove Persistent Volumes Claim  
     kubernetes.core.k8s:
@@ -30,15 +30,15 @@
       kind: PersistentVolumeClaim
       name: postgres-pvc
       state: absent
-    when: not WITH_DATABASES
+    when: not WITH_POSTGRES_DATABASES
 
   - name: Add or Update Configmap
     kubernetes.core.k8s:
       kubeconfig: ~/.kube/config 
       namespace: "{{ NAMESPACE }}"
       template: configmap.yml.j2
       apply: yes
-    when: WITH_DATABASES and (ONEPASSWORD_OPERATOR is undefined or ( ONEPASSWORD_OPERATOR is defined and not ONEPASSWORD_OPERATOR) )
+    when: WITH_POSTGRES_DATABASES and (ONEPASSWORD_OPERATOR is undefined or ( ONEPASSWORD_OPERATOR is defined and not ONEPASSWORD_OPERATOR) )
 
   - name: remove Configmap
     kubernetes.core.k8s:
@@ -48,15 +48,15 @@
       kind: ConfigMap
       name: postgres-configmap
       state: absent
-    when: not WITH_DATABASES and (ONEPASSWORD_OPERATOR is undefined or ( ONEPASSWORD_OPERATOR is defined and not ONEPASSWORD_OPERATOR) )
+    when: not WITH_POSTGRES_DATABASES and (ONEPASSWORD_OPERATOR is undefined or ( ONEPASSWORD_OPERATOR is defined and not ONEPASSWORD_OPERATOR) )
 
   - name: Add or Update init scripts Configmap
     kubernetes.core.k8s:
       kubeconfig: ~/.kube/config
       namespace: "{{ NAMESPACE }}"
       template: configmap-init.yml.j2
       apply: yes
-    when: WITH_DATABASES
+    when: WITH_POSTGRES_DATABASES
 
   - name: remove init scripts Configmap
     kubernetes.core.k8s:
@@ -66,14 +66,14 @@
       kind: ConfigMap
       name: postgres-configmap-init
       state: absent
-    when: not WITH_DATABASES
+    when: not WITH_POSTGRES_DATABASES
 
   - name: Add or Update Secret by 1Password
     kubernetes.core.k8s:
       kubeconfig: ~/.kube/config 
       namespace: "{{ NAMESPACE }}"
       template: onepassword.yml.j2
-    when: WITH_DATABASES and (ONEPASSWORD_OPERATOR is defined and ONEPASSWORD_OPERATOR|bool)
+    when: WITH_POSTGRES_DATABASES and (ONEPASSWORD_OPERATOR is defined and ONEPASSWORD_OPERATOR|bool)
 
   - name: remove Secret by 1Password
     kubernetes.core.k8s:
@@ -83,15 +83,15 @@
       kind: OnePasswordItem
       name: postgres-secret
       state: absent
-    when: not WITH_DATABASES and (ONEPASSWORD_OPERATOR is defined and ONEPASSWORD_OPERATOR|bool)
+    when: not WITH_POSTGRES_DATABASES and (ONEPASSWORD_OPERATOR is defined and ONEPASSWORD_OPERATOR|bool)
 
   - name: Add or Update Deployment
     kubernetes.core.k8s:
       kubeconfig: ~/.kube/config 
       namespace: "{{ NAMESPACE }}"
       template: deployment.yml.j2
       apply: yes
-    when: WITH_DATABASES
+    when: WITH_POSTGRES_DATABASES
 
   - name: remove Deployment
     kubernetes.core.k8s:
@@ -101,4 +101,4 @@
       kind: Deployment
       name: postgres-deployment
       state: absent
-    when: not WITH_DATABASES
+    when: not WITH_POSTGRES_DATABASES
diff --git a/ansible/roles/dof_postgresql_management/meta/main.yml b/ansible/roles/dof_postgresql_management/meta/main.yml
@@ -0,0 +1,9 @@
+galaxy_info:
+  role_name: dof_postgresql_management
+  author: Schul-Cloud Verbund
+  description: Helper role for creating and deleting branch specific postgres databases
+  company: Schul-Cloud Verbund
+  license: license (AGPLv3)
+  min_ansible_version: 2.8
+  galaxy_tags: []
+dependencies: []
diff --git a/ansible/roles/dof_postgresql_management/tasks/main.yml b/ansible/roles/dof_postgresql_management/tasks/main.yml
@@ -0,0 +1,48 @@
+- name: Add or Update Postgres Cluster Secret by 1Password
+  kubernetes.core.k8s:
+    kubeconfig: ~/.kube/config 
+    namespace: "{{ NAMESPACE }}"
+    template: onepassword-pg-cluster.yml.j2
+  when: ONEPASSWORD_OPERATOR is defined and ONEPASSWORD_OPERATOR|bool
+
+- name: Check if secret with database credentials already exists
+  kubernetes.core.k8s_info:
+    kubeconfig: ~/.kube/config
+    namespace: "{{ NAMESPACE }}"
+    kind: Secret
+    name: "pg-{{ database_name }}-secret"
+  register: db_secret_present
+
+- name: Create Secret for the database (if not existing)
+  kubernetes.core.k8s:
+    kubeconfig: ~/.kube/config
+    namespace: "{{ NAMESPACE }}"
+    template: secret-database.yml.j2
+  when: db_secret_present.resources|length == 0
+
+- name: Create ConfigMap with Script
+  kubernetes.core.k8s:
+    kubeconfig: ~/.kube/config
+    namespace: "{{ NAMESPACE }}"
+    template: configmap-database-init.yml.j2
+    apply: yes
+
+- name: Create/execute database configuration script
+  kubernetes.core.k8s:
+    kubeconfig: ~/.kube/config 
+    namespace: "{{ NAMESPACE }}"
+    template: job-database-init.yml.j2
+
+- name: Create ConfigMap with Script for database deletion
+  kubernetes.core.k8s:
+    kubeconfig: ~/.kube/config
+    namespace: "{{ NAMESPACE }}"
+    template: configmap-database-deletion.yml.j2
+    apply: yes
+
+- name: Create suspended Job for database deletion
+  kubernetes.core.k8s:
+    kubeconfig: ~/.kube/config
+    namespace: "{{ NAMESPACE }}"
+    template: job-database-deletion.yml.j2
+    apply: yes
diff --git a/ansible/roles/dof_postgresql_management/templates/configmap-database-deletion.yml.j2 b/ansible/roles/dof_postgresql_management/templates/configmap-database-deletion.yml.j2
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: pg-configmap-deletion
+  namespace: {{ NAMESPACE }}
+  labels:
+    app: postgres
+data:
+  config_script.sh: |
+    #!/bin/bash
+    DB_PREFIX="{{ POSTGRES_PREFIX }}"
+    if [[ {{ '${#DB_PREFIX}' }} -le 5 ]]; then 
+      echo "Postgres prefix \"{{ POSTGRES_PREFIX }}\" seems too short. Dropping all matching databases could be dangerous. Aborting."
+      exit 1
+    fi
+    echo "Delete databases starting with {{ POSTGRES_PREFIX }}"
+    echo "SELECT 'DROP DATABASE ' || quote_ident(datname) || ' WITH (FORCE);' FROM pg_database WHERE datname LIKE '{{ POSTGRES_PREFIX | replace('_','#_')}}%' ESCAPE '#' \gexec" | psql -d postgres -w
+    echo "Delete users starting with {{ POSTGRES_PREFIX  }}"
+    echo "SELECT 'DROP USER ' || quote_ident(usename) || ';' FROM pg_catalog.pg_user WHERE usename LIKE '{{ POSTGRES_PREFIX | replace('_','#_')}}%' ESCAPE '#' \gexec" | psql -d postgres -w
diff --git a/ansible/roles/dof_postgresql_management/templates/configmap-database-init.yml.j2 b/ansible/roles/dof_postgresql_management/templates/configmap-database-init.yml.j2
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: pg-{{ database_name }}-configmap-init
+  namespace: {{ NAMESPACE }}
+  labels:
+    app: postgres
+data:
+  config_script.sh: |
+    #!/bin/bash
+    echo "Create owner of the DB"
+    echo "SELECT 'CREATE USER $DB_USER' WHERE NOT EXISTS (SELECT FROM pg_user WHERE usename = '$DB_USER')\gexec" | psql -d postgres -w
+    echo "GRANT $DB_USER TO $PGUSER;" | psql -d postgres -w
+    echo "Set/update password for user $DB_USER"
+    echo "ALTER USER $DB_USER WITH ENCRYPTED PASSWORD '$DB_USER_PASSWORD';" | psql -d postgres -w
+    echo "Create database"
+    echo "SELECT 'CREATE DATABASE $DB_NAME OWNER $DB_USER' WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = '$DB_NAME')\gexec" | psql -d postgres -w
+    echo "Revoke permissions for public role"
+    echo "REVOKE ALL ON DATABASE $DB_NAME FROM PUBLIC;" | psql -d postgres -w
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		POSTGRES_PREFIX: "{{ (NAMESPACE \| replace('-','_'))[:40] }}__"
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		POSTGRES_HOST: "pg-4ifot8r4h0ksummi.postgresql.de-txl.ionos.com"
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		POSTGRES_HOST: "pg-0em2c6d51cp7s177.postgresql.de-txl.ionos.com"
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		POSTGRES_HOST: "pg-d2n03p780atcj0fk.postgresql.de-txl.ionos.com"
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		POSTGRES_HOST: "pg-15bkj89e4fo00bve.postgresql.de-txl.ionos.com"