chore(v2.0): Consolidate REST service DBs into shared nico-pg-cluster#3182
Conversation
<!-- Describe what this PR does --> Move the NICo REST API database from the standalone `postgres.postgres` StatefulSet onto the Zalando-managed `nico-pg-cluster`, eliminating the separate REST database instance. ## Changes - **`postgresql.yaml`**: add `nico-rest.nico` user and `nico_rest` database, gated on `rest.enabled` (default: `true`) - **`eso-external-secrets.yaml`**: add `nico-rest-db-eso` ClusterExternalSecret syncing Zalando credentials to the `nico-rest` namespace as `nico-rest-pg-creds` — named to avoid collision with the `db-creds` hook managed by `nico-rest-common` (`hook-delete-policy: before-hook-creation` causes a Helm/ESO race if ESO targets `db-creds` directly) - **`values.yaml`**: add `rest.enabled` / `rest.namespace` toggles with documentation - **`setup.sh`**: - Wait (up to 120 s) for `nico-rest-pg-creds` to be synced by ESO; extract Zalando credentials and write to a `chmod 600` temp file; pass via `-f` to `helm upgrade --install` to populate `nico-rest-common.secrets.dbCreds.*` at install time (avoids `--set` credential exposure and Helm special-char escaping issues) - Install `pg_trgm` extension on `nico_rest` after the cluster reaches `Running` state, with a 120 s bounded retry loop - **`nico-rest-db/values.yaml`**: update `db.host` / `db.name` / `db.user` defaults to `nico-pg-cluster.postgres.svc.cluster.local` / `nico_rest` / `nico-rest.nico` - **`nico-rest-api/values.yaml`**: same db defaults plus `secrets.dbCreds: db-creds` to enable the secret-based password path for live rotation ## Related Issues N/A ## Type of Change Change - Changes in existing functionality ## Breaking Changes **This PR contains breaking changes.** `rest.enabled` defaults to `true`. On upgrade, `nico-prereqs` will create a `nico-rest.nico` Postgres user, a `nico_rest` database on `nico-pg-cluster`, and a `nico-rest-db-eso` ClusterExternalSecret in every site that does not explicitly set `rest.enabled: false`. Sites that do **not** run `nico-rest` should add `rest.enabled: false` to their nico-prereqs site values before upgrading to prevent these resources from being created. Additionally, `nico-rest-api` and `nico-rest-db` chart defaults now point at `nico-pg-cluster` (`host`, `name`, `user`). Any site running `nico-rest` against the old standalone instance must either migrate to `nico-pg-cluster` via `setup.sh` or override these values explicitly. ## Testing Manual end-to-end validation performed on dev6 (rg-forge-dev6, 3-node cluster). ## Additional Notes
|
Important Review skippedAuto reviews are disabled on base/target branches other than the default branch. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Enterprise Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
🔐 TruffleHog Secret Scan✅ No secrets or credentials found! Your code has been scanned for 700+ types of secrets and credentials. All clear! 🎉 🕐 Last updated: 2026-07-07 00:19:15 UTC | Commit: 68114bf |
🔍 Container Scan Summary
Per-CVE detail lives in the per-service |
nv-dmendoza
left a comment
There was a problem hiding this comment.
LGTM, needed consolidation of DB that landed after initial RC cutover
…elease/v2.0) (#3340) <!-- Describe what this PR does --> Cherry-pick of #3284 (`7b35d52`) onto `release/v2.0`, following the same process as #3182. Bind the site-agent to a REST-created site and fix the workflow-worker DB target. Two defects left a fresh site with an empty `nicocli site list` despite a healthy, handshaked site-agent: the site UUID was minted without any REST database record behind it (the bootstrap Job's `POST /v1/site` creates only the Site CR + OTP), and the workflow workers missed the nico-pg-cluster consolidation (#3081), failing every DB activity with SQLSTATE 42P01 so no site could ever leave `Pending`. ## Changes - **`setup.sh`**: resolve the site UUID instead of blindly minting — explicit `NICO_SITE_UUID` (bind to a pre-existing site), else the prior install's `CLUSTER_ID` (site-agent ConfigMap), else adopt an existing REST site with the same name, else mint. Then seed the REST DB directly (same record shape as forged's per-env `site.sql`): a `default` `infrastructure_provider` for the org plus a `Pending` site row named after `siteName`, with the v2 networking capabilities (`native_networking`, `network_security_group`, `flow`) enabled and the `status_detail` row the REST create handler writes. All inserts idempotent (`WHERE NOT EXISTS`); waits up to 120 s for the REST migrations. IdP-agnostic — no API token needed. The bootstrap Job's existing `POST /v1/site` flow is untouched and runs after the DB row exists, under the same UUID. - **`setup.sh`**: inject workflow-worker DB values at install time via the existing REST creds temp file — `nico-rest-workflow` now targets `nico-pg-cluster`/`nico_rest` as `nico-rest.nico` with the `db-creds` secret, aligned with `nico-rest-api`. - **`setup.sh`**: delete a `site-registration` secret bound to a stale UUID so rebinding `CLUSTER_ID` re-bootstraps; input validation (UUID format, site-name/org charset) before SQL interpolation; quoting-agnostic `siteName` parsing. - **Docs** (`quick-start.md`, `helm-prereqs/README.md`, `configurability.md`): `NICO_SITE_UUID` resolution behavior documented consistently. ## Related Issues N/A ## Type of Change Fix - Bug fixes ## Breaking Changes None. ## Testing Manual end-to-end validation on dev6
Cherry-pick of #3081 (12ef832) onto
release/v2.0, following the same process as #3181Move the NICo REST API database from the standalone
postgres.postgresStatefulSet onto the Zalando-managednico-pg-cluster, eliminating the separate REST database instance.Changes
postgresql.yaml: addnico-rest.nicouser andnico_restdatabase, gated onrest.enabled(default:true)eso-external-secrets.yaml: addnico-rest-db-esoClusterExternalSecret syncing Zalando credentials to thenico-restnamespace asnico-rest-pg-creds— named to avoid collision with thedb-credshook managed bynico-rest-common(hook-delete-policy: before-hook-creationcauses a Helm/ESO race if ESO targetsdb-credsdirectly)values.yaml: addrest.enabled/rest.namespacetoggles with documentationsetup.sh:nico-rest-pg-credsto be synced by ESO; extract Zalando credentials and write to achmod 600temp file; pass via-ftohelm upgrade --installto populatenico-rest-common.secrets.dbCreds.*at install time (avoids--setcredential exposure and Helm special-char escaping issues)pg_trgmextension onnico_restafter the cluster reachesRunningstate, with a 120 s bounded retry loopnico-rest-db/values.yaml: updatedb.host/db.name/db.userdefaults tonico-pg-cluster.postgres.svc.cluster.local/nico_rest/nico-rest.niconico-rest-api/values.yaml: same db defaults plussecrets.dbCreds: db-credsto enable the secret-based password path for live rotationRelated Issues
N/A
Type of Change
Change - Changes in existing functionality
Breaking Changes
This PR contains breaking changes.
Testing
Manual end-to-end validation performed on dev6 (rg-forge-dev6, 3-node cluster).