Switch mysql and postgresql tests to HA Production configs (#471)

Signed-off-by: Kevin Fox <Kevin.Fox@pnnl.gov>

.github/kind/conf/kind-config.yaml

@@ -16,3 +16,5 @@ kubeadmConfigPatches:
 nodes:
   - role: control-plane
   - role: worker
+  - role: worker
+  - role: worker

examples/external-mysql/run-tests.sh

@@ -12,31 +12,35 @@ source "${SCRIPTPATH}/../../.github/scripts/parse-versions.sh"
 # shellcheck source=/dev/null
 source "${TESTDIR}/common.sh"
 
-helm_install=(helm upgrade --install --create-namespace)
-ns=spire-system
-
 teardown() {
-  helm uninstall --namespace "${ns}" spire 2>/dev/null || true
-  kubectl delete ns "${ns}" 2>/dev/null || true
-
+  helm uninstall --namespace "spire-server" spire 2>/dev/null || true
   helm uninstall --namespace mysql mysql 2>/dev/null || true
-  kubectl delete ns mysql 2>/dev/null || true
+  kubectl delete ns spire-server 2>/dev/null || true
+  kubectl delete ns spire-system 2>/dev/null || true
 }
 
 trap 'trap - SIGTERM && teardown' SIGINT SIGTERM EXIT
 
-"${helm_install[@]}" mysql mysql --version "$VERSION_MYSQL" --repo "$HELM_REPO_MYSQL" \
-  --namespace mysql \
+kubectl create namespace spire-system --dry-run=client -o yaml | kubectl apply -f -
+kubectl label namespace spire-system pod-security.kubernetes.io/enforce=privileged || true
+kubectl create namespace spire-server --dry-run=client -o yaml | kubectl apply -f -
+kubectl label namespace spire-server pod-security.kubernetes.io/enforce=restricted || true
+
+helm upgrade --install mysql mysql --version "$VERSION_MYSQL" --repo "$HELM_REPO_MYSQL" \
+  --namespace spire-server \
   --values "${DEPS}/mysql.yaml" \
   --wait
 
-"${helm_install[@]}" --namespace "${ns}" --values "${SCRIPTPATH}/values.yaml" \
+helm upgrade --install --namespace "spire-server" \
+  --values "${SCRIPTPATH}/values.yaml,${SCRIPTPATH}/../production/values.yaml,${SCRIPTPATH}/../production/values-node-pod-antiaffinity.yaml" \
   --set 'spire-server.dataStore.sql.password=sp1ff3Test' --wait spire charts/spire
-helm test --namespace "${ns}" spire
+helm test --namespace "spire-server" spire
 
 print_helm_releases
-print_spire_workload_status "${ns}"
+print_spire_workload_status spire-server
+print_spire_workload_status spire-system
 
 if [[ "$1" -ne 0 ]]; then
-  get_namespace_details "${ns}"
+  get_namespace_details spire-server
+  get_namespace_details spire-system
 fi

examples/external-mysql/values.yaml

@@ -1,9 +1,10 @@
 spire-server:
+  replicaCount: 2
   dataStore:
     sql:
       databaseType: mysql
       databaseName: spire-server
-      host: mysql.mysql
+      host: mysql
       port: 3306
       username: spire
       # password: CHANGE_ME

examples/external-postgresql/run-tests.sh

@@ -12,31 +12,35 @@ source "${SCRIPTPATH}/../../.github/scripts/parse-versions.sh"
 # shellcheck source=/dev/null
 source "${TESTDIR}/common.sh"
 
-helm_install=(helm upgrade --install --create-namespace)
-ns=spire-system
-
 teardown() {
-  helm uninstall --namespace "${ns}" spire 2>/dev/null || true
-  kubectl delete ns "${ns}" 2>/dev/null || true
-
-  helm uninstall --namespace postgresql postgresql 2>/dev/null || true
-  kubectl delete ns postgresql 2>/dev/null || true
+  helm uninstall --namespace "spire-server" spire 2>/dev/null || true
+  helm uninstall --namespace "spire-server" postgresql 2>/dev/null || true
+  kubectl delete ns spire-server 2>/dev/null || true
+  kubectl delete ns spire-system 2>/dev/null || true
 }
 
 trap 'trap - SIGTERM && teardown' SIGINT SIGTERM EXIT
 
-"${helm_install[@]}" postgresql postgresql --version "$VERSION_POSTGRESQL" --repo "$HELM_REPO_POSTGRESQL" \
-  --namespace postgresql \
-  --values "${DEPS}/postgresql.yaml" \
+kubectl create namespace spire-system --dry-run=client -o yaml | kubectl apply -f -
+kubectl label namespace spire-system pod-security.kubernetes.io/enforce=privileged || true
+kubectl create namespace spire-server --dry-run=client -o yaml | kubectl apply -f -
+kubectl label namespace spire-server pod-security.kubernetes.io/enforce=restricted || true
+
+helm upgrade --install postgresql postgresql --version "$VERSION_POSTGRESQL" --repo "$HELM_REPO_POSTGRESQL" \
+  --namespace spire-server \
+  --values "${DEPS}/postgresql.yaml,${SCRIPTPATH}/../production/values.yaml,${SCRIPTPATH}/../production/values-node-pod-antiaffinity.yaml" \
   --wait
 
-"${helm_install[@]}" --namespace "${ns}" --values "${SCRIPTPATH}/values.yaml" \
+helm upgrade --install --namespace "spire-server" \
+  --values "${SCRIPTPATH}/values.yaml,${SCRIPTPATH}/../production/values.yaml,${SCRIPTPATH}/../production/values-node-pod-antiaffinity.yaml" \
   --set 'spire-server.dataStore.sql.password=sp1ff3Test' --wait spire charts/spire
-helm test --namespace "${ns}" spire
+helm test --namespace "spire-server" spire
 
 print_helm_releases
-print_spire_workload_status "${ns}"
+print_spire_workload_status spire-server
+print_spire_workload_status spire-system
 
 if [[ "$1" -ne 0 ]]; then
-  get_namespace_details "${ns}"
+  get_namespace_details spire-server
+  get_namespace_details spire-system
 fi

examples/external-postgresql/values.yaml

@@ -1,9 +1,10 @@
 spire-server:
+  replicaCount: 2
   dataStore:
     sql:
       databaseType: postgres
       databaseName: spire-server
-      host: postgresql.postgresql
+      host: postgresql
       port: 5432
       username: spire
       # password: CHANGE_ME

examples/production/values-node-pod-antiaffinity.yaml

@@ -0,0 +1,11 @@
+spire-server:
+  affinity:
+    podAntiAffinity: 
+      requiredDuringSchedulingIgnoredDuringExecution: 
+      - labelSelector:
+          matchExpressions:
+          - key: app.kubernetes.io/component
+            operator: In
+            values:
+            - server
+        topologyKey: kubernetes.io/hostname