Deploy postgres db using kubernetes secret for configuration.

* Update CRD to consume a secret for the db configuration
* Update playbook for default settings configuration
* Update postgres role to check for secret or create one based on the CR
* Postgres will be deployed specific to CR
* Pulp deployments updated to reference the db secret as a volume mount

closes #8289
https://pulp.plan.io/issues/8289

CHANGES/8289.feature

@@ -0,0 +1 @@
+Deploy postgres database using a secret to store configuration instead of it existing in the custom resource; allows credentials to be kept secret.

containers/images/pulp/container-assets/wait_on_postgres.py

@@ -15,7 +15,8 @@
         tries += 1
         try:
             print("Checking postgres host %s" % os.environ["POSTGRES_SERVICE_HOST"])
-            s.connect((os.environ["POSTGRES_SERVICE_HOST"], 5432))
+            print("Checking postgres port %s" % os.environ["POSTGRES_SERVICE_PORT"])
+            s.connect((os.environ["POSTGRES_SERVICE_HOST"], os.environ["POSTGRES_SERVICE_PORT"]))
         except socket.error:
             time.sleep(3)
         else:
@@ -25,5 +26,5 @@
         print("Postgres started!")
         sys.exit(0)
     else:
-        print("Unable to reach postgres on port 5432")
+        print("Unable to reach postgres on port %s" % os.environ["POSTGRES_SERVICE_PORT"])
         sys.exit(1)

deploy/crds/pulpproject_v1beta1_pulp_cr.ci.yaml

@@ -9,7 +9,3 @@ spec:
     access_mode: "ReadWriteOnce"
     # We have a little over 10GB free on GHA VMs/instances
     size: "10Gi"
-  database_connection:
-    username: pulp
-    password: pulp
-    admin_password: pulp

deploy/crds/pulpproject_v1beta1_pulp_cr.default.yaml

@@ -31,12 +31,8 @@ metadata:
 #                      If on a cluster, you should set this manually until
 #                      ingress(es) are implemented. Example:
 #                      http://myserver.fqdn:24816
-  # PostrgreSQL container settings for user accounts
-# database_connection:
-#   username: pulp
-#   password: pulp
-    # Password for db admin user 'postgres'.
-#   admin_password:
+  # PostgreSQL container settings
+# postgres_configuration_secret: pg_secret_name
   # Configuration for the persistentVolumeClaim for /var/lib/pulp
 # pulp_file_storage:
      # If your K8s cluster is only 1 node, and its StorageClass /

deploy/crds/pulpproject_v1beta1_pulp_crd.yaml

@@ -22,6 +22,9 @@ spec:
         properties:
           spec:
             properties:
+              deployment_type:
+                description: Name of the deployment type
+                type: string
               registry:
                 description: The container image registry to use for pulling images.
                 type: string
@@ -41,16 +44,46 @@ spec:
               pulp_settings:
                 description: The pulp settings.
                 type: object
-              database_connection:
-                description: The configuration for the database connection.
+              postgres_configuration_secret:
+                  description: Secret where the database configuration can be found
+                  type: string
+              postgres_initdb_args:
+                  description: The arguments to be passed to initialize the database
+                  type: string
+              postgres_host_auth_method:
+                  description: The method to be used for database host authentication
+                  type: string
+              postgres_image:
+                description: Registry path to the PostgreSQL container to use
+                type: string
+              postgres_resource_requirements:
+                description: Resource requirements for the PostgreSQL container
                 properties:
-                  username:
-                    type: string
-                  password:
-                    type: string
-                  admin_password:
-                    type: string
+                  requests:
+                    properties:
+                      cpu:
+                        type: string
+                      memory:
+                        type: string
+                      storage:
+                        type: string
+                    type: object
+                  limits:
+                    properties:
+                      cpu:
+                        type: string
+                      memory:
+                        type: string
+                      storage:
+                        type: string
+                    type: object
                 type: object
+              postgres_storage_class:
+                description: Storage class to use for the PostgreSQL PVC
+                type: string
+              postgres_data_path:
+                description: Path where the PostgreSQL data are located
+                type: string
               pulp_file_storage:
                 description: Configuration for the persistentVolumeClaim for /var/lib/pulp.
                 properties:
@@ -150,4 +183,3 @@ spec:
             type: object
         type: object
         x-kubernetes-preserve-unknown-fields: true
-

playbook.yml

@@ -6,24 +6,20 @@
     - operator_sdk.util
   vars:
     project_name: "{{ meta.namespace }}"
-    database_connection:
-      username: pulp
-      password: pulp
     pulp_default_settings:
       databases:
         default:
-          HOST: postgres
+          HOST: "{{ postgres_host }}"
           ENGINE: django.db.backends.postgresql_psycopg2
-          NAME: pulp
-          USER: "{{ database_connection.username }}"
-          PASSWORD: "{{ database_connection.password }}"
-          PORT: 5432
+          NAME: "{{ postgres_database }}"
+          USER: "{{ postgres_user }}"
+          PASSWORD: "{{ postgres_pass }}"
+          PORT: "{{ postgres_port }}"
           CONN_MAX_AGE: 0
       debug: "True"
       redis_host: redis
       redis_port:  6379
       redis_password: ''
-#     content_origin: # Queried and set in pulp-api role
     deployment_state: present
     registry: quay.io
     project: pulp

roles/postgres/defaults/main.yml

@@ -0,0 +1,15 @@
+---
+deployment_type: pulp
+
+postgres_image: postgres:12
+postgres_resource_requirements:
+  requests:
+    storage: 8Gi
+postgres_storage_class: ''
+postgres_data_path: '/var/lib/postgresql/data/pgdata'
+
+# Secret to lookup that provide the PostgreSQL configuration
+postgres_configuration_secret: ''
+
+postgres_initdb_args: '--auth-host=scram-sha-256'
+postgres_host_auth_method: 'scram-sha-256'

roles/postgres/tasks/main.yml

@@ -1,21 +1,53 @@
 ---
-- name: postgres persistent volume claim
-  community.kubernetes.k8s:
-    state: "{{ deployment_state }}"
-    definition: "{{ lookup('template', 'templates/' + item + '.pvc.yaml.j2') | from_yaml }}"
-  with_items:
-    - postgres
-
-- name: postgres service
-  community.kubernetes.k8s:
-    state: "{{ deployment_state }}"
-    definition: "{{ lookup('template', 'templates/' + item + '.service.yaml.j2') | from_yaml }}"
-  with_items:
-    - postgres
-
-- name: postgres deployment
-  community.kubernetes.k8s:
-    state: "{{ deployment_state }}"
-    definition: "{{ lookup('template', 'templates/' + item + '.deployment.yaml.j2') | from_yaml }}"
-  with_items:
-    - postgres
+- name: Check for specified PostgreSQL configuration
+  k8s_info:
+    kind: Secret
+    namespace: '{{ meta.namespace }}'
+    name: '{{ postgres_configuration_secret }}'
+  register: _custom_pg_config_resources
+  when: postgres_configuration_secret | length
+
+- name: Check for default PostgreSQL configuration
+  k8s_info:
+    kind: Secret
+    namespace: '{{ meta.namespace }}'
+    name: '{{ meta.name }}-postgres-configuration'
+  register: _default_pg_config_resources
+
+- name: Set PostgreSQL configuration
+  set_fact:
+    _pg_config: '{{ _custom_pg_config_resources["resources"] | default([]) | length | ternary(_custom_pg_config_resources, _default_pg_config_resources) }}'
+
+- block:
+    - name: Create Database configuration
+      k8s:
+        apply: true
+        definition: "{{ lookup('template', 'postgres.secret.yaml.j2') }}"
+
+    - name: Read Database Configuration
+      k8s_info:
+        kind: Secret
+        namespace: '{{ meta.namespace }}'
+        name: '{{ meta.name }}-postgres-configuration'
+      register: _generated_pg_config_resources
+
+  when: not _pg_config['resources'] | default([]) | length
+
+- name: Set PostgreSQL Configuration
+  set_fact:
+    pg_config: '{{ _generated_pg_config_resources["resources"] | default([]) | length | ternary(_generated_pg_config_resources, _pg_config) }}'
+
+- name: Create Database if no database is specified
+  k8s:
+    apply: true
+    definition: "{{ lookup('template', 'postgres.yaml.j2') }}"
+  when:
+    - pg_config['resources'][0]['data']['type'] | default('') | b64decode == 'managed'
+
+- name: Store Database Configuration
+  set_fact:
+    postgres_user: "{{ pg_config['resources'][0]['data']['username'] | b64decode }}"
+    postgres_pass: "{{ pg_config['resources'][0]['data']['password'] | b64decode }}"
+    postgres_database: "{{ pg_config['resources'][0]['data']['database'] | b64decode }}"
+    postgres_port: "{{ pg_config['resources'][0]['data']['port'] | b64decode }}"
+    postgres_host: "{{ pg_config['resources'][0]['data']['host'] | b64decode }}"

roles/postgres/templates/postgres.secret.yaml.j2

@@ -0,0 +1,14 @@
+# Postgres Secret.
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: '{{ meta.name }}-postgres-configuration'
+  namespace: '{{ meta.namespace }}'
+stringData:
+  password: '{{ lookup('password', 'p' + meta.name + 'pg length=32 chars=ascii_letters,digits') }}'
+  username: '{{ deployment_type }}'
+  database: '{{ deployment_type }}'
+  port: '5432'
+  host: {{ meta.name }}-postgres
+  type: 'managed'