Merge pull request #111 from vshn/add/pg_maintenance

Add patch maintenance script for PostgreSQL

apis/vshn/v1/dbaas_vshn_postgresql.go

@@ -12,6 +12,7 @@ import (
 //go:generate yq -i e ../../generated/vshn.appcat.vshn.io_vshnpostgresqls.yaml --expression "with(.spec.versions[]; .schema.openAPIV3Schema.properties.spec.properties.parameters.properties.size.default={})"
 //go:generate yq -i e ../../generated/vshn.appcat.vshn.io_vshnpostgresqls.yaml --expression "with(.spec.versions[]; .schema.openAPIV3Schema.properties.spec.properties.parameters.properties.service.default={})"
 //go:generate yq -i e ../../generated/vshn.appcat.vshn.io_vshnpostgresqls.yaml --expression "with(.spec.versions[]; .schema.openAPIV3Schema.properties.spec.properties.parameters.properties.backup.default={})"
+//go:generate yq -i e ../../generated/vshn.appcat.vshn.io_vshnpostgresqls.yaml --expression "with(.spec.versions[]; .schema.openAPIV3Schema.properties.spec.properties.parameters.properties.maintenance.default={})"
 
 // +kubebuilder:object:root=true
 
@@ -78,11 +79,11 @@ type VSHNDBaaSSchedulingSpec struct {
 
 // VSHNDBaaSMaintenanceScheduleSpec contains settings to control the maintenance of an instance.
 type VSHNDBaaSMaintenanceScheduleSpec struct {
-	// +kubebuilder:validation:Enum=monday;tuesday;wednesday;thursday;friday;saturday;sunday;never
+	// +kubebuilder:validation:Enum=monday;tuesday;wednesday;thursday;friday;saturday;sunday
 	// +kubebuilder:default="tuesday"
 
 	// DayOfWeek specifies at which weekday the maintenance is held place.
-	// Allowed values are [monday, tuesday, wednesday, thursday, friday, saturday, sunday, never]
+	// Allowed values are [monday, tuesday, wednesday, thursday, friday, saturday, sunday]
 	DayOfWeek string `json:"dayOfWeek,omitempty"`
 
 	// +kubebuilder:validation:Pattern="^([0-1]?[0-9]|2[0-3]):([0-5][0-9]):([0-5][0-9])$"

component/provider.jsonnet

@@ -135,7 +135,7 @@ local controllerConfigRef(config) =
         },
         {
           apiGroups: [ 'stackgres.io' ],
-          resources: [ 'sginstanceprofiles', 'sgclusters', 'sgpgconfigs', 'sgobjectstorages', 'sgbackups' ],
+          resources: [ 'sginstanceprofiles', 'sgclusters', 'sgpgconfigs', 'sgobjectstorages', 'sgbackups', 'sgdbops' ],
           verbs: [ 'get', 'list', 'watch', 'update', 'patch', 'create', 'delete' ],
         },
         {
@@ -155,12 +155,12 @@ local controllerConfigRef(config) =
         },
         {
           apiGroups: [ 'batch' ],
-          resources: [ 'jobs' ],
+          resources: [ 'jobs', 'cronjobs' ],
           verbs: [ 'get', 'list', 'watch', 'update', 'patch', 'create', 'delete' ],
         },
         {
           apiGroups: [ 'rbac.authorization.k8s.io' ],
-          resources: [ 'clusterrolebindings' ],
+          resources: [ 'clusterrolebindings', 'roles', 'rolebindings' ],
           verbs: [ 'get', 'list', 'watch', 'update', 'patch', 'create', 'delete' ],
         },
         {

component/scripts/pg-maintenance.sh

@@ -0,0 +1,16 @@
+#!/bin/sh
+set -e
+kubectl -n ${TARGET_NAMESPACE} delete sgdbops securitymaintenance || true
+cat <<EOF | kubectl create -f -
+apiVersion: stackgres.io/v1
+kind: SGDbOps
+metadata:
+  name: securitymaintenance
+  namespace: ${TARGET_NAMESPACE}
+spec:
+  sgCluster: ${TARGET_INSTANCE}
+  op: securityUpgrade
+  maxRetries: 1
+  securityUpgrade:
+    method: InPlace
+EOF

component/vshn_postgres.jsonnet

@@ -638,6 +638,209 @@ local clusterRestoreConfig = {
   ],
 };
 
+local maintenanceServiceAccount = {
+  base: comp.KubeObject('v1', 'ServiceAccount') + {
+    spec+: {
+      forProvider+: {
+        manifest+: kube.ServiceAccount('maintenanceserviceaccount'),
+      },
+    },
+  },
+  patches: [
+    comp.FromCompositeFieldPathWithTransformSuffix('metadata.labels[crossplane.io/composite]', 'metadata.name', 'maintenanceserviceaccount'),
+    comp.FromCompositeFieldPathWithTransformPrefix('metadata.labels[crossplane.io/composite]', 'spec.forProvider.manifest.metadata.namespace', 'vshn-postgresql'),
+  ],
+};
+
+local maintenanceRole = {
+  base: comp.KubeObject('rbac.authorization.k8s.io/v1', 'Role') + {
+    spec+: {
+      forProvider+: {
+        manifest+: kube.Role('crossplane:appcat:job:postgres:maintenance') + {
+          rules: [
+            {
+              apiGroups: [ 'stackgres.io' ],
+              resources: [ 'sgdbops' ],
+              verbs: [
+                'delete',
+                'create',
+              ],
+            },
+          ],
+        },
+      },
+    },
+  },
+  patches: [
+    comp.FromCompositeFieldPathWithTransformSuffix('metadata.labels[crossplane.io/composite]', 'metadata.name', 'maintenancerole'),
+    comp.FromCompositeFieldPathWithTransformPrefix('metadata.labels[crossplane.io/composite]', 'spec.forProvider.manifest.metadata.namespace', 'vshn-postgresql'),
+  ],
+};
+
+local maintenanceRoleBinding = {
+  base: comp.KubeObject('rbac.authorization.k8s.io/v1', 'RoleBinding') + {
+    spec+: {
+      forProvider+: {
+        manifest+: {
+          roleRef: {
+            apiGroup: 'rbac.authorization.k8s.io',
+            kind: 'Role',
+            name: 'crossplane:appcat:job:postgres:maintenance',
+          },
+          subjects: [
+            {
+              apiGroup: '',
+              kind: 'ServiceAccount',
+              name: 'maintenanceserviceaccount',
+            },
+          ],
+        },
+      },
+    },
+  },
+  patches: [
+    comp.FromCompositeFieldPathWithTransformSuffix('metadata.labels[crossplane.io/composite]', 'metadata.name', 'maintenancerolebinding'),
+    comp.FromCompositeFieldPathWithTransformSuffix('metadata.labels[crossplane.io/composite]', 'spec.forProvider.manifest.metadata.name', 'maintenancerolebinding'),
+    comp.FromCompositeFieldPathWithTransformPrefix('metadata.labels[crossplane.io/composite]', 'spec.forProvider.manifest.metadata.namespace', 'vshn-postgresql'),
+  ],
+};
+
+local convertToCron() = [
+  // This function produces patches, that will convert dayOdWeek and timeOfDay
+  // to a proper cron string. It does that by using maps and regex. As well as
+  // environment patches.
+  {
+    type: 'FromCompositeFieldPath',
+    fromFieldPath: 'spec.parameters.maintenance.dayOfWeek',
+    toFieldPath: 'metadata.annotations[dayOfWeek]',
+    transforms: [
+      {
+        type: 'map',
+        map: {
+          monday: '1',
+          tuesday: '2',
+          wednesday: '3',
+          thursday: '4',
+          friday: '5',
+          saturday: '6',
+          sunday: '0',
+        },
+      },
+    ],
+  },
+  {
+    type: 'FromCompositeFieldPath',
+    fromFieldPath: 'spec.parameters.maintenance.timeOfDay',
+    toFieldPath: 'metadata.annotations[hour]',
+    transforms: [
+      {
+        type: 'string',
+        string: {
+          type: 'Regexp',
+          regexp: {
+            match: '(\\d+):(\\d+):.*',
+            group: 1,
+          },
+        },
+      },
+    ],
+  },
+  {
+    type: 'FromCompositeFieldPath',
+    fromFieldPath: 'spec.parameters.maintenance.timeOfDay',
+    toFieldPath: 'metadata.annotations[minute]',
+    transforms: [
+      {
+        type: 'string',
+        string: {
+          type: 'Regexp',
+          regexp: {
+            match: '(\\d+):(\\d+):.*',
+            group: 2,
+          },
+        },
+      },
+    ],
+  },
+  {
+    type: 'ToEnvironmentFieldPath',
+    fromFieldPath: 'metadata.annotations[minute]',
+    toFieldPath: 'maintenance.minute',
+  },
+  {
+    type: 'ToEnvironmentFieldPath',
+    fromFieldPath: 'metadata.annotations[hour]',
+    toFieldPath: 'maintenance.hour',
+  },
+  {
+    type: 'ToEnvironmentFieldPath',
+    fromFieldPath: 'metadata.annotations[dayOfWeek]',
+    toFieldPath: 'maintenance.dayOfWeek',
+  },
+  {
+    type: 'CombineFromEnvironment',
+    toFieldPath: 'spec.forProvider.manifest.spec.schedule',
+    combine: {
+      variables: [
+        { fromFieldPath: 'maintenance.minute' },
+        { fromFieldPath: 'maintenance.hour' },
+        { fromFieldPath: 'maintenance.dayOfWeek' },
+      ],
+      strategy: 'string',
+      string: {
+        fmt: '%s %s * * %s',
+      },
+    },
+  },
+];
+
+local maintenanceJob = {
+  base: comp.KubeObject('batch/v1', 'CronJob') + {
+    spec+: {
+      forProvider+: {
+        manifest+: {
+          spec: {
+            successfulJobsHistoryLimit: 0,
+            jobTemplate: {
+              spec: {
+                template: {
+                  spec: {
+                    restartPolicy: 'Never',
+                    serviceAccountName: 'maintenanceserviceaccount',
+                    containers: [
+                      {
+                        name: 'maintenancejob',
+                        image: 'bitnami/kubectl:latest',
+                        command: [ 'sh', '-c' ],
+                        args: [ importstr 'scripts/pg-maintenance.sh' ],
+                        env: [
+                          {
+                            name: 'TARGET_NAMESPACE',
+                          },
+                          {
+                            name: 'TARGET_INSTANCE',
+                          },
+                        ],
+                      },
+                    ],
+                  },
+                },
+              },
+            },
+          },
+        },
+      },
+    },
+  },
+  patches: [
+    comp.FromCompositeFieldPathWithTransformSuffix('metadata.labels[crossplane.io/composite]', 'metadata.name', 'maintenancejob'),
+    comp.FromCompositeFieldPathWithTransformSuffix('metadata.labels[crossplane.io/composite]', 'spec.forProvider.manifest.metadata.name', 'maintenancejob'),
+    comp.FromCompositeFieldPathWithTransformPrefix('metadata.labels[crossplane.io/composite]', 'spec.forProvider.manifest.metadata.namespace', 'vshn-postgresql'),
+    comp.FromCompositeFieldPathWithTransformPrefix('metadata.labels[crossplane.io/composite]', 'spec.forProvider.manifest.spec.jobTemplate.spec.template.spec.containers[0].env[0].value', 'vshn-postgresql'),
+    comp.FromCompositeFieldPath('metadata.labels[crossplane.io/composite]', 'spec.forProvider.manifest.spec.jobTemplate.spec.template.spec.containers[0].env[1].value'),
+  ] + convertToCron(),
+};
+
 local composition(restore=false) =
 
   local metadata = if restore then common.VshnMetaVshn('PostgreSQLRestore', 'standalone', 'false') else common.VshnMetaVshn('PostgreSQL', 'standalone');
@@ -666,6 +869,10 @@ local composition(restore=false) =
                    secret,
                    xobjectBucket,
                    sgObjectStorage,
+                   maintenanceServiceAccount,
+                   maintenanceRole,
+                   maintenanceRoleBinding,
+                   maintenanceJob,
                  ] + if pgParams.enableNetworkPolicy == true then [
         networkPolicy,
       ] else [],

crds/vshn.appcat.vshn.io_vshnpostgresqls.yaml

@@ -53,7 +53,7 @@ spec:
                       properties:
                         dayOfWeek:
                           default: tuesday
-                          description: DayOfWeek specifies at which weekday the maintenance is held place. Allowed values are [monday, tuesday, wednesday, thursday, friday, saturday, sunday, never]
+                          description: DayOfWeek specifies at which weekday the maintenance is held place. Allowed values are [monday, tuesday, wednesday, thursday, friday, saturday, sunday]
                           enum:
                             - monday
                             - tuesday
@@ -62,14 +62,14 @@ spec:
                             - friday
                             - saturday
                             - sunday
-                            - never
                           type: string
                         timeOfDay:
                           default: "22:30:00"
                           description: 'TimeOfDay for installing updates in UTC. Format: "hh:mm:ss".'
                           pattern: ^([0-1]?[0-9]|2[0-3]):([0-5][0-9]):([0-5][0-9])$
                           type: string
                       type: object
+                      default: {}
                     network:
                       description: Network contains any network related settings.
                       properties:

tests/golden/apiserver/appcat/appcat/apiserver/10_cluster_role_basic_users.yaml

@@ -11,6 +11,7 @@ rules:
       - api.appcat.vshn.io
     resources:
       - appcats
+      - vshnpostgresbackups
     verbs:
       - get
       - list

tests/golden/cloudscale/appcat/appcat/10_provider_kubernetes.yaml

@@ -99,6 +99,7 @@ rules:
       - sgpgconfigs
       - sgobjectstorages
       - sgbackups
+      - sgdbops
     verbs:
       - get
       - list
@@ -148,6 +149,7 @@ rules:
       - batch
     resources:
       - jobs
+      - cronjobs
     verbs:
       - get
       - list
@@ -160,6 +162,8 @@ rules:
       - rbac.authorization.k8s.io
     resources:
       - clusterrolebindings
+      - roles
+      - rolebindings
     verbs:
       - get
       - list

tests/golden/cloudscale/appcat/appcat/apiserver/10_cluster_role_basic_users.yaml

@@ -11,6 +11,7 @@ rules:
       - api.appcat.vshn.io
     resources:
       - appcats
+      - vshnpostgresbackups
     verbs:
       - get
       - list

tests/golden/defaults/appcat/appcat/apiserver/10_cluster_role_basic_users.yaml

@@ -11,6 +11,7 @@ rules:
       - api.appcat.vshn.io
     resources:
       - appcats
+      - vshnpostgresbackups
     verbs:
       - get
       - list

tests/golden/exoscale/appcat/appcat/10_provider_kubernetes.yaml

@@ -99,6 +99,7 @@ rules:
       - sgpgconfigs
       - sgobjectstorages
       - sgbackups
+      - sgdbops
     verbs:
       - get
       - list
@@ -148,6 +149,7 @@ rules:
       - batch
     resources:
       - jobs
+      - cronjobs
     verbs:
       - get
       - list
@@ -160,6 +162,8 @@ rules:
       - rbac.authorization.k8s.io
     resources:
       - clusterrolebindings
+      - roles
+      - rolebindings
     verbs:
       - get
       - list

tests/golden/exoscale/appcat/appcat/apiserver/10_cluster_role_basic_users.yaml

@@ -11,6 +11,7 @@ rules:
       - api.appcat.vshn.io
     resources:
       - appcats
+      - vshnpostgresbackups
     verbs:
       - get
       - list