
Commit 67247a1

authored
Merge pull request #1214 from percona/K8SPG-624
K8SPG-624 Add support for S3ForcePathStyle and verifyTLS for custom extensions
2 parents bf547dc + 478aa1d commit 67247a1

29 files changed

+499
-48
lines changed

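--- a/build/crd/percona/generated/pgv2.percona.com_perconapgclusters.yaml
+++ b/build/crd/percona/generated/pgv2.percona.com_perconapgclusters.yaml
@@ -8340,8 +8340,12 @@ spec:
 properties:
 bucket:
 type: string
+disableSSL:
+type: string
 endpoint:
 type: string
+forcePathStyle:
+type: string
 region:
 type: string
 secret: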

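--- a/build/postgres-operator/install-extensions.sh
+++ b/build/postgres-operator/install-extensions.sh
@@ -16,6 +16,14 @@ if [[ -n $STORAGE_ENDPOINT ]]; then
 args+=(-endpoint "$STORAGE_ENDPOINT")
 fi
 
+if [[ ${STORAGE_DISABLE_SSL} == "true" ]]; then
+args+=(-disable-ssl)
+fi
+
+if [[ ${STORAGE_FORCE_PATH_STYLE} == "true" ]]; then
+args+=(-force-path-style)
+fi
+
 for key in "${extensions[@]}"; do
 if [ -f "${PGDATA_EXTENSIONS}"/"${key}".installed ]; then
 echo "Extension ${key} already installed"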
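Review bot: The two new branches fire only on the exact lowercase string `"true"`; because the CRD in this same commit declares `disableSSL` and `forcePathStyle` as `type: string`, a value such as `True` or `1` is silently ignored, which fails closed for TLS (good) but leaves path-style addressing off with nothing in the log to explain the resulting S3 errors. Since turning TLS off for the extension download is a security-relevant state, make it visible in the pod log when the branch is taken: `echo "WARNING: STORAGE_DISABLE_SSL=true, extension packages will be fetched from ${STORAGE_ENDPOINT} without TLS"` inside the first `if`. A one-line comment above the block, `# both values arrive from the CR as strings; only the literal "true" enables the flag`, would document the contract for whoever wires these from the operator. The enclosing script continues on both sides of the hunk.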

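--- a/cmd/extension-installer/main.go
+++ b/cmd/extension-installer/main.go
@@ -12,7 +12,7 @@ import (
 
 func main() {
 var storageType, endpoint, region, bucket, key, extensionPath string
-var install, uninstall bool
+var install, uninstall, forcePathStyle, disableSSL bool
 
 flag.StringVar(&storageType, "type", "", "Storage type")
 flag.StringVar(&endpoint, "endpoint", "", "Storage endpoint")
@@ -23,6 +23,8 @@ func main() {
 
 flag.BoolVar(&install, "install", false, "Install extension")
 flag.BoolVar(&uninstall, "uninstall", false, "Uninstall extension")
+flag.BoolVar(&forcePathStyle, "force-path-style", false, "Force path style")
+flag.BoolVar(&disableSSL, "disable-ssl", false, "Disable SSL")
 flag.Parse()
 
 if (install && uninstall) || (!install && !uninstall) {
@@ -31,7 +33,7 @@ func main() {
 
 log.Printf("starting extension installer for %s/%s (%s) in %s", bucket, key, storageType, region)
 
-storage := initStorage(extensions.StorageType(storageType), endpoint, bucket, region)
+storage := initStorage(extensions.StorageType(storageType), endpoint, bucket, region, forcePathStyle, disableSSL)
 
 packageName := key + ".tar.gz"
 
@@ -70,10 +72,10 @@ func main() {
 }
 }
 
-func initStorage(storageType extensions.StorageType, endpoint, bucket, region string) extensions.ObjectGetter {
+func initStorage(storageType extensions.StorageType, endpoint, bucket, region string, s3ForcePathStyle, disableSSL bool) extensions.ObjectGetter {
 switch storageType {
 case extensions.StorageTypeS3:
-return extensions.NewS3(endpoint, region, bucket)
+return extensions.NewS3(endpoint, region, bucket, s3ForcePathStyle, disableSSL)
 default:
 log.Fatalf("unknown storage type: %s", os.Getenv("STORAGE_TYPE"))
 }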
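Review bot: `-disable-ssl` is accepted silently in `main`, yet it switches the fetch of extension packages — code that is later loaded into PostgreSQL — to an unprotected transport, so it should be announced next to the `log.Printf("starting extension installer …")` line: `if disableSSL { log.Printf("WARNING: TLS disabled for storage endpoint %q; extension packages will be fetched over plaintext", endpoint) }`. The PR title says verifyTLS, but the flag is named `disable-ssl` and is handed straight to `extensions.NewS3` (not shown here); if it maps to the AWS SDK's DisableSSL it means plain HTTP rather than skipping certificate verification, and the help text `"Disable SSL"` should be made precise so users do not assume the weaker of the two. Nothing in this hunk shows a checksum or signature check on the downloaded package, so with TLS off the transport was the only integrity guarantee; if such a check exists in the part of `main` that continues past the hunk, a comment pointing to it here would help. Minor: `initStorage` names the parameter `s3ForcePathStyle` while `main` uses `forcePathStyle`; one name would read better, and `initStorage`'s closing brace lies outside the hunk.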

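--- a/config/crd/bases/pgv2.percona.com_perconapgclusters.yaml
+++ b/config/crd/bases/pgv2.percona.com_perconapgclusters.yaml
@@ -8747,8 +8747,12 @@ spec:
 properties:
 bucket:
 type: string
+disableSSL:
+type: string
 endpoint:
 type: string
+forcePathStyle:
+type: string
 region:
 type: string
 secret: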

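--- a/deploy/bundle.yaml
+++ b/deploy/bundle.yaml
@@ -9044,8 +9044,12 @@ spec:
 properties:
 bucket:
 type: string
+disableSSL:
+type: string
 endpoint:
 type: string
+forcePathStyle:
+type: string
 region:
 type: string
 secret: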

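--- a/deploy/cr.yaml
+++ b/deploy/cr.yaml
@@ -629,6 +629,8 @@ spec:
 # bucket: pg-extensions
 # region: eu-central-1
 # endpoint: s3.eu-central-1.amazonaws.com
+# forcePathStyle: false
+# disableSSL: false
 # secret:
 # name: cluster1-extensions-secret
 # builtin: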

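--- a/deploy/crd.yaml
+++ b/deploy/crd.yaml
@@ -9044,8 +9044,12 @@ spec:
 properties:
 bucket:
 type: string
+disableSSL:
+type: string
 endpoint:
 type: string
+forcePathStyle:
+type: string
 region:
 type: string
 secret: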

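--- a/deploy/cw-bundle.yaml
+++ b/deploy/cw-bundle.yaml
@@ -9044,8 +9044,12 @@ spec:
 properties:
 bucket:
 type: string
+disableSSL:
+type: string
 endpoint:
 type: string
+forcePathStyle:
+type: string
 region:
 type: string
 secret: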

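--- a/e2e-tests/conf/minio-secret.yml
+++ b/e2e-tests/conf/minio-secret.yml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+name: minio-secret
+type: Opaque
+data:
+AWS_ACCESS_KEY_ID: c29tZS1hY2Nlc3Mta2V5
+AWS_SECRET_ACCESS_KEY: c29tZS1zZWNyZXQta2V5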
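Review bot: The two values decode to `some-access-key` and `some-secret-key`, placeholder credentials for the MinIO instance the e2e suite deploys in-cluster, but nothing in the file says so, and a checked-in `kind: Secret` with populated `data` is exactly what secret scanners and reviewers flag. A leading comment such as `# Test-only dummy credentials for the e2e MinIO deployment (consumed by deploy_minio in e2e-tests/functions); never reuse outside CI.` would make the intent explicit and save the next reader a base64 round-trip.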

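--- a/e2e-tests/functions
+++ b/e2e-tests/functions
@@ -125,6 +125,56 @@ get_operator_pod() {
 echo $(kubectl get pods -n "${OPERATOR_NS:-$NAMESPACE}" --selector=app.kubernetes.io/name=percona-postgresql-operator -o jsonpath='{.items[].metadata.name}')
 }
 
+retry() {
+local max=$1
+local delay=$2
+shift 2 # cut delay and max args
+local n=1
+
+until "$@"; do
+if [[ $n -ge $max ]]; then
+echo "The command ${*} has failed after $n attempts."
+exit 1
+fi
+((n++))
+sleep $delay
+done
+}
+
+deploy_minio() {
+local access_key
+local secret_key
+access_key="$(kubectl -n "${NAMESPACE}" get secret minio-secret -o jsonpath='{.data.AWS_ACCESS_KEY_ID}' | base64 -d)"
+secret_key="$(kubectl -n "${NAMESPACE}" get secret minio-secret -o jsonpath='{.data.AWS_SECRET_ACCESS_KEY}' | base64 -d)"
+
+helm uninstall -n "${NAMESPACE}" minio-service || :
+helm repo remove minio || :
+helm repo add minio https://charts.min.io/
+retry 10 60 helm install minio-service \
+-n "${NAMESPACE}" \
+--version "${MINIO_VER}" \
+--set replicas=1 \
+--set mode=standalone \
+--set resources.requests.memory=256Mi \
+--set rootUser=rootuser \
+--set rootPassword=rootpass123 \
+--set "users[0].accessKey"="$(printf '%q' "$(printf '%q' "$access_key")")" \
+--set "users[0].secretKey"="$(printf '%q' "$(printf '%q' "$secret_key")")" \
+--set "users[0].policy"=consoleAdmin \
+--set service.type=ClusterIP \
+--set configPathmc=/tmp/.minio/ \
+--set persistence.size=2G \
+--set securityContext.enabled=false \
+minio/minio
+MINIO_POD=$(kubectl -n "${NAMESPACE}" get pods --selector=release=minio-service -o 'jsonpath={.items[].metadata.name}')
+wait_pod $MINIO_POD
+
+# create bucket
+kubectl -n "${NAMESPACE}" run -i --rm aws-cli --image=perconalab/awscli --restart=Never -- \
+bash -c "AWS_ACCESS_KEY_ID='$access_key' AWS_SECRET_ACCESS_KEY='$secret_key' AWS_DEFAULT_REGION=us-east-1 \
+/usr/bin/aws --endpoint-url http://minio-service:9000 s3 mb s3://operator-testing"
+}
+
 deploy_s3_secrets() {
 set +o xtrace
 printf "[global]\nrepo1-s3-key=%s\nrepo1-s3-key-secret=%s\n" \
@@ -147,6 +197,7 @@ deploy_s3_secrets() {
 ;;
 "custom-extensions" | "major-upgrade")
 kubectl -n "${NAMESPACE}" apply -f "${TESTS_CONFIG_DIR}/cloud-secret.yml"
+kubectl -n "${NAMESPACE}" apply -f "${TESTS_CONFIG_DIR}/minio-secret.yml"
 ;;
 *)
 kubectl -n "${NAMESPACE}" create secret generic "${test_name}-pgbackrest-secrets" --from-file=cloud.conf="${TEMP_DIR}/pgbackrest-secret.ini"
@@ -229,13 +280,20 @@ get_cr() {
 .spec.backups.pgbackrest.repos += [{"name":"repo3","azure":{"container":"'$BUCKET'"}}]
 ' $TEMP_DIR/cr.yaml
 ;;
-"custom-extensions" | "major-upgrade")
+"major-upgrade")
 yq eval -i '
 .spec.extensions.image = "'$IMAGE'" |
 .spec.extensions.imagePullPolicy = "Always" |
 .spec.extensions.storage = {"type": "s3", "bucket": "pg-extensions", "region": "eu-central-1", "secret": {"name": "aws-s3-secret"}}
 ' $TEMP_DIR/cr.yaml
 ;;
+"custom-extensions")
+yq eval -i '
+.spec.extensions.image = "'$IMAGE'" |
+.spec.extensions.imagePullPolicy = "Always" |
+.spec.extensions.storage = {"type": "s3", "bucket": "operator-testing", "region": "us-east-1", "endpoint": "http://minio-service:9000", "forcePathStyle": "true", "disableSSL": "true", "secret": {"name": "minio-secret"}}
+' $TEMP_DIR/cr.yaml
+;;
 esac
 cat $TEMP_DIR/cr.yaml
 }
@@ -283,12 +341,52 @@ get_psql_user_host() {
 kubectl -n ${NAMESPACE} get "secret/${secret_name}" --template='{{.data.host | base64decode }}'
 }
 
+get_aws_access_key() {
+local secret_name=${1}
+
+kubectl -n ${NAMESPACE} get "secret/${secret_name}" --template='{{.data.AWS_SECRET_ACCESS_KEY | base64decode }}'
+}
+
+get_aws_access_key_id() {
+local secret_name=${1}
+
+kubectl -n ${NAMESPACE} get "secret/${secret_name}" --template='{{.data.AWS_ACCESS_KEY_ID | base64decode }}'
+}
+
+get_psql_user_host() {
+local secret_name=${1}
+
+kubectl -n ${NAMESPACE} get "secret/${secret_name}" --template='{{.data.host | base64decode }}'
+}
 get_instance_set_pods() {
 local instance=${1:-instance1}
 
 kubectl get pods -n ${NAMESPACE} --selector postgres-operator.crunchydata.com/instance-set=${instance} -o custom-columns='NAME:.metadata.name' --no-headers
 }
 
+copy_custom_extensions_form_aws() {
+set +o xtrace
+
+access_key="$(kubectl -n "${NAMESPACE}" get secret minio-secret -o jsonpath='{.data.AWS_ACCESS_KEY_ID}' | base64 -d)"
+secret_key="$(kubectl -n "${NAMESPACE}" get secret minio-secret -o jsonpath='{.data.AWS_SECRET_ACCESS_KEY}' | base64 -d)"
+
+kubectl -n "${NAMESPACE}" run -i --rm aws-cli \
+--image=perconalab/awscli \
+--restart=Never -- \
+bash -c "
+AWS_ACCESS_KEY_ID=$(get_aws_access_key_id aws-s3-secret) \
+AWS_SECRET_ACCESS_KEY=$(get_aws_access_key aws-s3-secret) \
+AWS_DEFAULT_REGION=eu-central-1 \
+/usr/bin/aws --endpoint-url https://s3.amazonaws.com s3 cp s3://pg-extensions/ /tmp/ --recursive &&
+
+AWS_ACCESS_KEY_ID='${access_key}' \
+AWS_SECRET_ACCESS_KEY='${secret_key}' \
+AWS_DEFAULT_REGION=us-east-1 \
+/usr/bin/aws --endpoint-url http://minio-service:9000 s3 cp /tmp/ s3://operator-testing/ --recursive
+"
+set -o xtrace
+}
+
 get_psql_pod_host() {
 local pod=${1}
 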
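Review bot: In `copy_custom_extensions_form_aws` the real AWS keys read from `aws-s3-secret` and the MinIO keys are expanded by the caller's shell into the `bash -c "…"` argument of `kubectl run`, so they are persisted in the aws-cli pod's container args in the API server, readable by anyone with pod get/list in the namespace and, where API auditing is on, written to the audit log; `set +o xtrace` only keeps them out of the runner's own trace. Feeding the script through the stdin that `-i` already attaches keeps them off the pod spec with a two-line change: `bash -s <<EOF` in place of `bash -c "`, and `EOF` in place of the closing `"` (the unquoted heredoc expands the same variables and line continuations the double-quoted string does now). `deploy_minio` builds its `bash -c` string the same way without even the xtrace guard, so its keys land both in the trace output and in the pod args. Two smaller points in the same hunk: `get_aws_access_key` actually returns `AWS_SECRET_ACCESS_KEY`, so `get_aws_secret_access_key` would pair correctly with `get_aws_access_key_id`, and the `get_psql_user_host` added here repeats, byte for byte, the definition the hunk header shows already exists just above it.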
