hpi-schul-cloud · YannickEvers · Apr 25, 2024 · Apr 3, 2024 · Apr 4, 2024 · Apr 4, 2024
diff --git a/ansible/roles/schulcloud-calendar-core/tasks/main.yml b/ansible/roles/schulcloud-calendar-core/tasks/main.yml
@@ -1,3 +1,34 @@
+  - name: Check if secret with database credentials already exists
+    kubernetes.core.k8s_info:
+      kubeconfig: ~/.kube/config
+      namespace: "{{ NAMESPACE }}"
+      kind: Secret
+      name: "pg-calendar-secret"
+    register: db_secret_present
+    when: WITH_BRANCH_POSTGRES_DB_MANAGEMENT
+
+  - name: Create Secret for the database (if not existing)
+    kubernetes.core.k8s:
+      kubeconfig: ~/.kube/config
+      namespace: "{{ NAMESPACE }}"
+      template: secret-database.yml.j2
+    when: WITH_BRANCH_POSTGRES_DB_MANAGEMENT and db_secret_present.resources|length == 0
+
+  - name: Create ConfigMap with database configuration script
+    kubernetes.core.k8s:
+      kubeconfig: ~/.kube/config
+      namespace: "{{ NAMESPACE }}"
+      template: configmap-database-init.yml.j2
+      apply: yes
+    when: WITH_BRANCH_POSTGRES_DB_MANAGEMENT
+
+  - name: Create/execute database configuration script
+    kubernetes.core.k8s:
+      kubeconfig: ~/.kube/config 
+      namespace: "{{ NAMESPACE }}"
+      template: job-database-init.yml.j2
+    when: WITH_BRANCH_POSTGRES_DB_MANAGEMENT
+
   - name: Service
     kubernetes.core.k8s:
       kubeconfig: ~/.kube/config 

diff --git a/ansible/roles/schulcloud-calendar-core/templates/configmap-database-init.yml.j2 b/ansible/roles/schulcloud-calendar-core/templates/configmap-database-init.yml.j2
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: pg-calendar-configmap-init
+  namespace: {{ NAMESPACE }}
+  labels:
+    app: calendar-postgres-init
+data:
+  config_script.sh: |
+    #!/bin/bash
+    echo "Create owner of the DB"
+    echo "SELECT 'CREATE USER $DB_USER' WHERE NOT EXISTS (SELECT FROM pg_user WHERE usename = '$DB_USER')\gexec" | psql -d postgres -w
+    echo "GRANT $DB_USER TO $PGUSER;" | psql -d postgres -w
+    echo "Set/update password for user $DB_USER"
+    echo "ALTER USER $DB_USER WITH ENCRYPTED PASSWORD '$DB_USER_PASSWORD';" | psql -d postgres -w
+    echo "Create database"
+    echo "SELECT 'CREATE DATABASE $DB_NAME OWNER $DB_USER' WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = '$DB_NAME')\gexec" | psql -d postgres -w
+    echo "Revoke permissions for public role"
+    echo "REVOKE ALL ON DATABASE $DB_NAME FROM PUBLIC;" | psql -d postgres -w
diff --git a/ansible/roles/schulcloud-calendar-core/templates/configmap.yml.j2 b/ansible/roles/schulcloud-calendar-core/templates/configmap.yml.j2
@@ -16,3 +16,7 @@ data:
 {% if CAL_IS_MIGRATION is defined %}
   IS_MIGRATION: "{{ CAL_IS_MIGRATION }}"
 {% endif %}
+{% if WITH_BRANCH_POSTGRES_DB_MANAGEMENT is defined and WITH_BRANCH_POSTGRES_DB_MANAGEMENT|bool %}
+  DB_HOST: "{{ POSTGRES_MANAGEMENT_HOST }}"
+  DB_SSL: "true"
+{% endif %}
diff --git a/ansible/roles/schulcloud-calendar-core/templates/deployment.yml.j2 b/ansible/roles/schulcloud-calendar-core/templates/deployment.yml.j2
@@ -43,10 +43,21 @@ spec:
         ports:
         - containerPort: 3000
         envFrom:
+        - secretRef:
+            name: calendar-secret
         - configMapRef:
             name: calendar-configmap
+{% if WITH_BRANCH_POSTGRES_DB_MANAGEMENT is defined and WITH_BRANCH_POSTGRES_DB_MANAGEMENT|bool %}
         - secretRef:
-            name: calendar-secret
+            name: pg-calendar-secret
+        env:
+        - name: DB_PASSWORD
+          value: "$(DB_USER_PASSWORD)"
+        - name: DB_USERNAME
+          value: "$(DB_USER)"
+        - name: DB_DATABASE
+          value: "$(DB_NAME)"
+{% endif %}
         livenessProbe:
           failureThreshold: 3
           httpGet:

diff --git a/ansible/roles/schulcloud-calendar-core/templates/job-database-init.yml.j2 b/ansible/roles/schulcloud-calendar-core/templates/job-database-init.yml.j2
@@ -0,0 +1,65 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: pg-calendar-init-job-{{ 1000000 | random | hash('md5') }}
+  namespace: {{ NAMESPACE }}
+  labels:
+    app: calendar-postgres-init
+    app.kubernetes.io/part-of: schulcloud-verbund
+    app.kubernetes.io/name: calendar-postgres-init
+    app.kubernetes.io/component: calendar
+    app.kubernetes.io/managed-by: ansible
+    git.repo: {{ SCHULCLOUD_CALENDAR_REPO_NAME }}
+spec:
+  template:
+    metadata:
+      labels:
+        app: calendar-postgres-init
+        app.kubernetes.io/part-of: schulcloud-verbund
+        app.kubernetes.io/name: calendar-postgres-init
+        app.kubernetes.io/component: calendar
+        app.kubernetes.io/managed-by: ansible
+        git.repo: {{ SCHULCLOUD_CALENDAR_REPO_NAME }}
+    spec:
+      volumes:
+        - name: config-script
+          configMap:
+            name: pg-calendar-configmap-init
+            # 711 in decimal is 457
+            defaultMode: 457
+      containers:
+        - name:  psql-calendar-config
+          image: {{ POSTGRES_MANAGEMENT_JOB_IMAGE }}
+          command:
+            - /bin/bash
+            - -c
+          args:
+            - /scripts/config_script.sh
+          resources:
+            limits:
+              cpu: 1000m
+              memory: 1Gi
+            requests:
+              cpu: 100m
+              memory: 200Mi
+          volumeMounts:
+            - name: config-script
+              mountPath: /scripts/
+          envFrom:
+            - secretRef:
+                name: pg-calendar-secret
+          env:
+            - name: PGHOST
+              value: {{ POSTGRES_MANAGEMENT_HOST }}
+            - name: PGUSER
+              valueFrom:
+                secretKeyRef:
+                  name: pg-cluster-secret
+                  key: username
+            - name: PGPASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: pg-cluster-secret
+                  key: password
+      restartPolicy: Never
+  ttlSecondsAfterFinished: 1800
diff --git a/ansible/roles/schulcloud-calendar-core/templates/secret-database.yml.j2 b/ansible/roles/schulcloud-calendar-core/templates/secret-database.yml.j2
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: pg-calendar-secret
+  namespace: {{ NAMESPACE }}
+  labels:
+    app: calendar-postgres-init
+type: Opaque
+data:
+    DB_USER: "{{ (POSTGRES_MANAGEMENT_PREFIX + 'calendar') | b64encode }}"
+    DB_USER_PASSWORD: "{{ lookup('ansible.builtin.password', '/dev/null') | b64encode }}"
+    DB_NAME: "{{ (POSTGRES_MANAGEMENT_PREFIX + 'calendar') | b64encode }}"
diff --git a/ansible/roles/schulcloud-calendar-init/tasks/main.yml b/ansible/roles/schulcloud-calendar-init/tasks/main.yml
@@ -15,12 +15,22 @@
       name: calendar-db-init-file
     when: not WITH_CALENDAR_INIT
 
+  - name: Test if init job exists
+    kubernetes.core.k8s_info:
+      kubeconfig: ~/.kube/config
+      namespace: "{{ NAMESPACE }}"
+      api_version: batch/v1
+      kind: Job
+      name: calendar-db-init-job
+    register: calendar_init_job_present
+    when: WITH_CALENDAR_INIT
+
   - name: Calendar db init job
     kubernetes.core.k8s:
       kubeconfig: ~/.kube/config
       namespace: "{{ NAMESPACE }}"
       template: job_init_db.yml.j2
-    when: WITH_CALENDAR_INIT
+    when: WITH_CALENDAR_INIT and calendar_init_job_present.resources|length == 0
 
   - name: Calendar db init job
     kubernetes.core.k8s:

diff --git a/ansible/roles/schulcloud-calendar-init/templates/job_init_db.yml.j2 b/ansible/roles/schulcloud-calendar-init/templates/job_init_db.yml.j2
@@ -11,10 +11,21 @@ spec:
       - name: calendar-db-init
         image: schulcloud/infra-tools:latest
         envFrom:
+        - secretRef:
+            name: calendar-secret
         - configMapRef:
             name: calendar-configmap
+{% if WITH_BRANCH_POSTGRES_DB_MANAGEMENT is defined and WITH_BRANCH_POSTGRES_DB_MANAGEMENT|bool %}
         - secretRef:
-            name: calendar-secret
+            name: pg-calendar-secret
+        env:
+        - name: DB_PASSWORD
+          value: "$(DB_USER_PASSWORD)"
+        - name: DB_USERNAME
+          value: "$(DB_USER)"
+        - name: DB_DATABASE
+          value: "$(DB_NAME)"
+{% endif %}
         volumeMounts:
         - name: script
           mountPath: /update.sh