bcgov · mishraomp · Oct 25, 2024 · Oct 23, 2024 · Oct 23, 2024 · Oct 23, 2024
diff --git a/.github/workflows/.dbdeployer.yml b/.github/workflows/.dbdeployer.yml
@@ -0,0 +1,116 @@
+name: .Database Deploy
+
+on:
+  workflow_call:
+    inputs: ### Required
+      directory:
+        description: Crunchy Chart directory
+        default: 'charts/crunchy'
+        required: false
+        type: string
+      oc_server:
+        default: https://api.silver.devops.gov.bc.ca:6443
+        description: 'OpenShift server'
+        required: false
+        type: string
+      environment:
+        description: Environment name; omit for PRs
+        required: false
+        type: string
+      s3_enabled:
+        description: Enable S3 backups
+        required: false
+        type: boolean
+    secrets:
+      oc_namespace:
+        description: OpenShift namespace
+        required: true
+      oc_token:
+        description: OpenShift token
+        required: true
+      s3_access_key:
+        description: S3 access key
+        required: false
+      s3_secret_key:
+        description: S3 secret key
+        required: false
+      s3_bucket:
+        description: S3 bucket
+        required: false
+      s3_endpoint:
+        description: S3 endpoint
+        required: false
+jobs:
+  deploy_db:
+    runs-on: ubuntu-24.04
+    name: Deploy Crunchy DB If not Deployed
+    environment: ${{ inputs.environment }}
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install CLI tools from OpenShift Mirror
+        uses: redhat-actions/openshift-tools-installer@v1
+        with:
+          oc: "4.14.37"
+      - name: Validate Inputs
+        shell: bash
+        run: |
+          if [ ${{ inputs.s3_enabled }} == true ]; then
+            echo "S3 ie enabled for backups, checking for mandatory secrets"
+            if [ ! "${{ secrets.s3_access_key }}" ]; then
+              echo "S3 access key not found"
+              exit 1
+            fi
+            if [ ! "${{ secrets.s3_secret_key }}" ]; then
+              echo "S3 secret key not found"
+              exit 1
+            fi
+            if [ ! "${{ secrets.s3_bucket }}" ]; then
+              echo "S3 bucket not found"
+              exit 1
+            fi
+            if [ ! "${{ secrets.s3_endpoint }}" ]; then
+              echo "S3 endpoint not found"
+              exit 1
+            fi
+          fi
+
+      - name: OC Login
+        shell: bash
+        run: |
+          # OC Login
+          OC_TEMP_TOKEN=$(curl -k -X POST ${{ inputs.oc_server }}/api/v1/namespaces/${{ secrets.oc_namespace }}/serviceaccounts/pipeline/token --header "Authorization: Bearer ${{ secrets.oc_token }}" -d '{"spec": {"expirationSeconds": 600}}' -H 'Content-Type: application/json; charset=utf-8' | jq -r '.status.token' )
+
+          oc login --token=$OC_TEMP_TOKEN --server=${{ inputs.oc_server }}
+          oc project ${{ secrets.oc_namespace }} # Safeguard!
+      - name: Deploy Database
+        working-directory: ${{ inputs.directory }}
+        shell: bash
+        run: |
+          echo 'Deploying crunchy helm chart'
+          if [ ${{ secrets.s3_endpoint }} ]; then
+            helm upgrade --install --wait --set crunchy.pgBackRest.s3.enabled=true \
+             --set-string crunchy.pgBackRest.s3.accessKey=${{ secrets.s3_access_key }} \
+              --set-string crunchy.pgBackRest.s3.secretKey=${{ secrets.s3_secret_key }} \
+              --set-string crunchy.pgBackRest.s3.bucket=${{ secrets.s3_bucket }} \
+              --set-string crunchy.pgBackRest.s3.endpoint=${{ secrets.s3_endpoint }} \
+              postgres .
+          else
+            helm upgrade --install --wait postgres .
+          fi
+      - name: Add PR specific user to Crunchy DB # only for PRs
+        shell: bash
+        if: github.event.inputs.environment == ''
+        run: |
+            echo 'Adding PR specific user to Crunchy DB'
+            new_user='{"databases":["app-${{github.event.number}}"],"name":"app-${{github.event.number}}"}'
+            current_users=$(oc get PostgresCluster/postgres-crunchy -o json | jq '.spec.users')
+            echo $current_users
+            # check if current_users already contains the new_user
+            if echo "$current_users" | jq -e ".[] | select(.name == \"app-${{github.event.number}}\")" > /dev/null; then
+            echo "User already exists"
+            exit 0
+            fi
+            updated_users=$(echo $current_users | jq --argjson new_user "$new_user" '. + [$new_user]')
+            patch_json=$(jq -n --argjson users "$updated_users" '{"spec": {"users": $users}}')
+            oc patch PostgresCluster/postgres-crunchy --type=merge -p "$patch_json"
+
diff --git a/.github/workflows/pr-open.yml b/.github/workflows/pr-open.yml
@@ -26,33 +26,10 @@ jobs:
           tag_fallback: latest
           triggers: ('${{ matrix.package }}/')
 
-  # https://github.com/bcgov/quickstart-openshift-helpers
-  deploys:
-    name: Deploys
-    needs: [builds]
-    uses: bcgov/quickstart-openshift-helpers/.github/workflows/[email protected]
+  deploy_db:
+    name: Deploys Database
+    uses: ./.github/workflows/.dbdeployer.yml
     secrets:
       oc_namespace: ${{ secrets.OC_NAMESPACE }}
       oc_token: ${{ secrets.OC_TOKEN }}
-    with:
-      triggers: ('backend/' 'frontend/' 'migrations/')
-      params:
-        --set global.secrets.persist=false
 
-  tests:
-    name: Tests
-    if: needs.deploys.outputs.triggered == 'true'
-    needs: [deploys]
-    uses: ./.github/workflows/.tests.yml
-    with:
-      target: ${{ github.event.number }}
-
-  results:
-    name: PR Results
-    needs: [builds, deploys, tests]
-    if: always()
-    runs-on: ubuntu-24.04
-    steps:
-      - if: contains(needs.*.result, 'failure')
-        run: echo "At least one job has failed." && exit 1
-      - run: echo "Success!"
diff --git a/charts/app/values.yaml b/charts/app/values.yaml
@@ -111,103 +111,9 @@ frontend:
     enabled: false # enable it in PRODUCTION for having pod disruption budget.
     minAvailable: 1 # the minimum number of pods that must be available during the disruption budget.
 
-crunchy: # enable it for TEST and PROD, for PR based pipelines simply use single postgres
-  enabled: false
-
-  crunchyImage: artifacts.developer.gov.bc.ca/bcgov-docker-local/crunchy-postgres-gis:ubi8-15.2-3.3-0
-
-  postgresVersion: 15
-  postGISVersion: '3.3'
-  imagePullPolicy: Always
-  instances:
-    name: ha # high availability
-    replicas: 1 # 2 or 3 for high availability in TEST and PROD.
-    metadata:
-      annotations:
-        prometheus.io/scrape: 'true'
-        prometheus.io/port: '9187'
-    dataVolumeClaimSpec:
-      storage: 120Mi
-      storageClassName: netapp-block-standard
-    requests:
-      cpu: 25m
-      memory: 256Mi
-    limits:
-      cpu: 100m
-      memory: 512Mi
-    replicaCertCopy:
-      requests:
-        cpu: 1m
-        memory: 32Mi
-      limits:
-        cpu: 50m
-        memory: 64Mi
-
-  pgBackRest:
-    enabled: false
-    image: # it's not necessary to specify an image as the images specified in the Crunchy Postgres Operator will be pulled by default
-    retention: "1" # Ideally a larger number such as 30 backups/days
-    # If retention-full-type set to 'count' then the oldest backups will expire when the number of backups reach the number defined in retention
-    # If retention-full-type set to 'time' then the number defined in retention will take that many days worth of full backups before expiration
-    retentionFullType: count
-    repos:
-      schedules:
-        full: 0 8 * * *
-        incremental: 0 0,4,12,16,20 * * *
-      volume:
-        accessModes: "ReadWriteOnce"
-        storage: 64Mi
-        storageClassName: netapp-file-backup
-    repoHost:
-      requests:
-        cpu: 1m
-        memory: 64Mi
-      limits:
-        cpu: 50m
-        memory: 128Mi
-    sidecars:
-      requests:
-        cpu: 1m
-        memory: 64Mi
-      limits:
-        cpu: 50m
-        memory: 128Mi
-
-  patroni:
-    postgresql:
-      pg_hba: "host all all 0.0.0.0/0 md5"
-      parameters:
-        shared_buffers: 16MB # default is 128MB; a good tuned default for shared_buffers is 25% of the memory allocated to the pod
-        wal_buffers: "64kB" # this can be set to -1 to automatically set as 1/32 of shared_buffers or 64kB, whichever is larger
-        min_wal_size: 32MB
-        max_wal_size: 64MB # default is 1GB
-        max_slot_wal_keep_size: 128MB # default is -1, allowing unlimited wal growth when replicas fall behind
-
-  proxy:
-    pgBouncer:
-      image: # it's not necessary to specify an image as the images specified in the Crunchy Postgres Operator will be pulled by default
-      replicas: 1
-      requests:
-        cpu: 1m
-        memory: 64Mi
-      limits:
-        cpu: 50m
-        memory: 128Mi
-
-  # Postgres Cluster resource values:
-  pgmonitor:
-    enabled: false
-    exporter:
-      image: # it's not necessary to specify an image as the images specified in the Crunchy Postgres Operator will be pulled by default
-      requests:
-        cpu: 1m
-        memory: 64Mi
-      limits:
-        cpu: 50m
-        memory: 128Mi
 
 bitnami-pg:
-  enabled: true
+  enabled: false
   image:
     registry: ghcr.io
     repository: bcgov/nr-containers/bitnami/postgresql
@@ -250,67 +156,3 @@ bitnami-pg:
         cpu: 150m
         memory: 250Mi
 
-backup:
-  enabled: true
-  pvc:
-    enabled: true
-    size: 256Mi
-    storageClassName: netapp-file-standard
-    accessModes: ReadWriteOnce
-  cronjob:
-    enabled: true
-    volumes:
-      - name: "{{.Release.Name}}-backup"
-        persistentVolumeClaim:
-          claimName: "{{.Release.Name}}-backup"
-    restartPolicy: "Never"
-    schedule: "0 0 * * *"
-    concurrencyPolicy: "Replace"
-    failedJobsHistoryLimit: 7
-    successfulJobsHistoryLimit: 30
-    startingDeadlineSeconds: 3600
-  containers:
-    - name: backup
-      registry: 'docker.io'
-      repository: 'bcgovimages' # example, it includes registry and repository
-      image: backup-container # the exact component name, be it backend, api-1 etc...
-      tag: latest # the tag of the image, it can be latest, 1.0.0 etc..., or the sha256 hash
-      command:
-        - "/bin/bash"
-        - "-c"
-        - "/backup.sh -1"
-      volumeMounts:
-        - mountPath: "/backups/"
-          name: "{{.Release.Name}}-backup"
-      env:
-        fromValues:
-          - name: BACKUP_DIR
-            value: "/backups/"
-          - name: BACKUP_STRATEGY
-            value: "rolling"
-          - name: NUM_BACKUPS
-            value: '5'
-          - name: DAILY_BACKUPS
-            value: '7'
-          - name: WEEKLY_BACKUPS
-            value: '4'
-          - name: MONTHLY_BACKUPS
-            value: '1'
-          - name: DATABASE_SERVICE_NAME # depends on which chart being used, adjust accordingly.
-            value: '{{.Release.Name}}-{{.Values.global.databaseAlias}}'
-          - name: DEFAULT_PORT
-            value: "5432"
-        fromGlobalSecret:
-          - name: DATABASE_PASSWORD
-            key: password
-          - name: POSTGRESQL_DATABASE
-            key: databaseName
-          - name: DATABASE_USER
-            key: databaseUser
-      resources:
-        limits:
-          cpu: 50m
-          memory: 256Mi
-        requests:
-          cpu: 20m
-          memory: 128Mi
diff --git a/charts/crunchy/Chart.yaml b/charts/crunchy/Chart.yaml
@@ -0,0 +1,26 @@
+apiVersion: v2
+name: crunchy
+description: A Helm chart for Kubernetes deployment.
+icon: https://www.nicepng.com/png/detail/521-5211827_bc-icon-british-columbia-government-logo.png
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 5.5.1
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "5.5.1"
+