Chart/Dockerfile for Postgresql Utility Container

This PostgreSQL utility container helps the operations user
 perform operations on the PostgreSQL server in the K8s cluster.

Change-Id: Ib6dc67f88e32b047531d0d07e5667ec7da73eb0f
This commit is contained in:
Varagini Karthik 2019-08-12 15:57:46 +05:30 committed by varagini karthik
parent 449e7608b2
commit c905ac41f9
16 changed files with 665 additions and 0 deletions


@ -0,0 +1,19 @@
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
description: PostgreSQL Client
name: postgresql-utility
version: 0.1.0


@ -0,0 +1,19 @@
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
dependencies:
- name: helm-toolkit
repository: http://localhost:8879/charts
version: 0.1.0


@ -0,0 +1,19 @@
#!/bin/sh
{{/*
Copyright 2019 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
set -ex
sudo ./tmp/start.sh
tail -f /var/log/syslog
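Review bot: `sudo ./tmp/start.sh` on L72 relies on the working directory being `/` for the sudoers rule, which lists `/tmp/start.sh`, to match; a future WORKDIR in the image would make the call fail. Use the absolute path, `sudo /tmp/start.sh`. With `set -e` in force, `tail -f /var/log/syslog` on L73 exits non-zero if rsyslog has not created the file yet; `tail -F /var/log/syslog` retries instead of terminating the container.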


@ -0,0 +1,29 @@
#!/bin/bash
{{/*
Copyright 2017 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
set -ex
sed -i 's/$PrivDropToUser syslog/$PrivDropToUser nobody/' /etc/rsyslog.conf
/etc/init.d/rsyslog start
{{/*
These lines will disable extra handler, extra formatter, extra level to the
root logger by oslo-rootwrap module, imported in _openstack-utility-rootwrap.tpl.
These lines will get rid of duplicate logs, generated because of the formatter
attached by oslo-rootwrap.
*/}}
sed -i "/rootwrap_logger.setLevel/s/.*/#&/" /usr/lib/python2.7/dist-packages/oslo_rootwrap/wrapper.py
sed -i "/handler.setFormatter/s/.*/#&/" /usr/lib/python2.7/dist-packages/oslo_rootwrap/wrapper.py
sed -i "/os.path.basename/s/.*/#&/" /usr/lib/python2.7/dist-packages/oslo_rootwrap/wrapper.py
sed -i "/rootwrap_logger.addHandler/s/.*/#&/" /usr/lib/python2.7/dist-packages/oslo_rootwrap/wrapper.py
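Review bot: The four `sed -i` edits on L100–L103 patch an installed package at container start and exit 0 whether or not their patterns match, so when a newer oslo.rootwrap changes those lines the duplicate-log workaround degrades silently. Either apply the patch at image build time, where a failed match is visible, or follow each edit with a check such as `grep -q '^#.*rootwrap_logger.addHandler' /usr/lib/python2.7/dist-packages/oslo_rootwrap/wrapper.py`. The patterns are also broad — `/os.path.basename/` comments out every line containing that text, not only the logger setup — so a comment naming the upstream lines they are meant to hit would help the next maintainer. The python2.7 path is hard-coded even though the Dockerfile installs python3-oslo.rootwrap as well; presumably only the python2 copy is used, given the wrapper's `#!/usr/bin/python` shebang.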


@ -0,0 +1,13 @@
{{/*
Copyright 2017 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
nobody ALL=SETENV: NOPASSWD: /tmp/start.sh, /tmp/bootstrap.sh, /usr/local/bin/postgresql-utility-rootwrap /etc/postgresql/rootwrap.conf *
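Review bot: The `SETENV:` tag, combined with the `sudo -E` call in utilscli, means the invoking user controls the environment handed to the rootwrap wrapper, including `AUSER`, which the wrapper records as `ActualUser` in syslog; that audit field is self-reported, not verified by sudo. This deserves a comment in the template so operators do not treat it as an authenticated identity, e.g. `# SETENV lets utilscli pass AUSER through sudo -E; ActualUser in syslog is caller-supplied`. The trailing `*` is presumably intended, since rootwrap does the argument filtering, but a sudoers wildcard also matches whitespace, so the rule permits any argument list to the rootwrap binary and the filter file is the only control.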


@ -0,0 +1,57 @@
#!/usr/bin/python
{{/*
Copyright 2017 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
# PBR Generated from u'console_scripts'
import logging
import os
import sys
from oslo_rootwrap.cmd import main
exec_name = sys.argv[0]
host_name = os.environ.get("HOSTNAME")
log_level = {{.Values.conf.postgresqlrootwrap.DEFAULT.syslog_log_level | quote}}
facility = {{.Values.conf.postgresqlrootwrap.DEFAULT.syslog_log_facility | quote}}
if "AUSER" in os.environ:
user_id = os.environ["AUSER"]
elif {{.Values.conf.utility.always_log_user | quote}} == 'true':
user_id = 'development site'
else:
print("No username set in AUSER environment variable, " +
"for security reasons access restricted from " +
"connecting to container.")
exit()
try:
handler = logging.handlers.SysLogHandler(
address='/dev/log', facility=facility)
except IOError:
print("Unable to setup logging, for security " +
"reasons access restricted from connecting to container.")
exit()
formatter = logging.Formatter(
'%(asctime)s ' + host_name + ' ' +
'%(levelname)s' + os.path.basename(exec_name) + ': ' +
'ActualUser=' + user_id + ': %(message)s')
handler.setFormatter(formatter)
root = logging.getLogger()
root.setLevel(log_level)
root.addHandler(handler)
if __name__ == "__main__":
sys.exit(main())
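Review bot: `logging.handlers.SysLogHandler` on L157 is used with only `import logging` on L139; `import logging` does not load the `logging.handlers` submodule, so the lookup raises AttributeError — not the IOError caught on L159 — unless something imported earlier (probably oslo_rootwrap) has already loaded it. Add `import logging.handlers` explicitly. Both refusal branches (L155, L162) call `exit()` with status 0, so utilscli reports success when access was denied; use `sys.exit(1)` and write the message to stderr. `host_name` is None when HOSTNAME is unset, and the concatenation on L164 then raises TypeError; `os.environ.get("HOSTNAME", "unknown")` avoids that.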


@ -0,0 +1,17 @@
#!/bin/bash
{{/*
Copyright 2017 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
script -f -a -q /var/log/syslog -c "sudo -E /usr/local/bin/postgresql-utility-rootwrap /etc/postgresql/rootwrap.conf $*"
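Review bot: `$*` inside the double-quoted `-c` string is joined by spaces and then re-parsed by the shell that `script` spawns, so an argument containing spaces or shell metacharacters does not reach rootwrap intact; with bash as the interpreter, `-c "sudo -E /usr/local/bin/postgresql-utility-rootwrap /etc/postgresql/rootwrap.conf $(printf '%q ' "$@")"` preserves each argument. The transcript is appended to /var/log/syslog by `script` running as the unprivileged caller, so that file must be writable by the very user being audited and the record is not tamper-evident; forwarding rsyslog to a collector outside the pod is what gives it audit value. Everything echoed on the terminal, including any secret supplied as a command-line argument, ends up in that transcript, which is worth stating in the README.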


@ -0,0 +1,28 @@
{{- if and .Values.manifests.configmap_bin .Values.deployment.postgresql }}
{{- $envAll := . }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ printf "%s-%s" $envAll.Release.Name "bin" }}
data:
{{- if .Values.images.local_registry.active }}
image-repo-sync.sh: |
{{- include "helm-toolkit.scripts.image_repo_sync" . | indent 4 }}
{{- end }}
{{- if .Values.bootstrap.enabled }}
bootstrap.sh: |
{{ tuple "bin/_bootstrap.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
{{- end }}
start.sh: |
{{ tuple "bin/_start.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
postgresql-utility-rootwrap: |
{{ tuple "bin/utility/_postgresql-utility-rootwrap.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
utilscli: |
{{ tuple "bin/utility/_utilscli.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
{{- end }}
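Review bot: `bootstrap.sh` is only emitted when `.Values.bootstrap.enabled` is true (L207–L210), yet the deployment template further down runs `/tmp/bootstrap.sh` as the container command and mounts it with `subPath: bootstrap.sh` unconditionally; with bootstrap disabled the subPath refers to a missing ConfigMap key and the pod cannot start. Either drop the guard here or guard the command and the mount in the deployment the same way.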


@ -0,0 +1,16 @@
{{- if or (.Values.deployment.postgresql) (.Values.deployment.client_secrets) }}
{{- $envAll := . }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ printf "%s-%s" $envAll.Release.Name "etc" }}
data:
rootwrap.conf: |
{{ include "helm-toolkit.utils.to_ini" .Values.conf.postgresqlrootwrap | indent 4 }}
postgresql-rootwrap-filter: |
{{ include "helm-toolkit.utils.to_ini" .Values.conf.postgresqlfilter | indent 4 }}
{{- end }}
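Review bot: The guard on L222 tests `.Values.deployment.client_secrets`, which values.yaml in this commit never defines (only `deployment.postgresql` and `deployment.release_group` exist), while the `manifests.configmap_etc_client` flag that values.yaml does define is never consulted, so setting it to false has no effect. Aligning with the sibling templates, `{{- if and .Values.manifests.configmap_etc_client .Values.deployment.postgresql }}` makes the flag meaningful and removes the dangling reference.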


@ -0,0 +1,11 @@
{{- if and .Values.manifests.configmap_etc_sudoers .Values.deployment.postgresql }}
{{- $envAll := . }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ printf "%s-%s" $envAll.Release.Name "sudoers" }}
data:
utilscli-sudo: |
{{ tuple "bin/_utilscli-sudo.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
{{- end }}


@ -0,0 +1,126 @@
{{- if and .Values.manifests.deployment_utility ( and .Values.deployment.postgresql .Values.conf.features.utility) }}
{{- $envAll := . }}
{{- $serviceAccountName := printf "%s" $envAll.Release.Name }}
{{ tuple $envAll "utility" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: {{ $serviceAccountName }}
rules:
- apiGroups:
- ""
resources:
- namespaces
- persistentvolumeclaims
- persistentvolumes
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: {{ $serviceAccountName }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ $serviceAccountName }}
subjects:
- kind: ServiceAccount
name: {{ $serviceAccountName }}
namespace: {{ $envAll.Release.Namespace }}
---
kind: Deployment
apiVersion: apps/v1
metadata:
name: {{ printf "%s" $envAll.Release.Name }}
annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
labels:
{{ tuple $envAll "postgresql" "utility" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
spec:
replicas: {{ .Values.pod.replicas.utility }}
selector:
matchLabels:
{{ tuple $envAll "postgresql" "utility" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
template:
metadata:
name: {{ printf "%s" $envAll.Release.Name }}
labels:
{{ tuple $envAll "postgresql" "utility" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
spec:
securityContext:
runAsUser: 65534
serviceAccountName: {{ $serviceAccountName }}
affinity:
{{ tuple $envAll "postgresql" "utility" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
nodeSelector:
{{ .Values.labels.utility.node_selector_key }}: {{ .Values.labels.utility.node_selector_value }}
containers:
- name: {{ printf "%s" $envAll.Release.Name }}
{{ tuple $envAll "postgresql_utility" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.postgresql_utility | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
command:
- /tmp/bootstrap.sh
volumeMounts:
- name: postgresql-utility-bin
mountPath: /tmp/bootstrap.sh
subPath: bootstrap.sh
readOnly: true
- name: postgresql-utility-bin
mountPath: /tmp/start.sh
subPath: start.sh
readOnly: true
- name: postgresql-utility-bin
mountPath: /usr/local/bin/utilscli
subPath: utilscli
readOnly: true
- name: postgresql-utility-bin
mountPath: /usr/local/bin/postgresql-utility-rootwrap
subPath: postgresql-utility-rootwrap
readOnly: true
- name: postgresql-utility-sudoers
mountPath: /etc/sudoers.d/utilscli-sudo
subPath: utilscli-sudo
readOnly: true
- name: postgresql-etc
mountPath: /etc/postgresql/postgresql.conf
subPath: postgresql.conf
readOnly: true
- name: postgresql-client-admin-password
mountPath: /opt/client-password
subPath: key
- name: postgresql-utility-etc
mountPath: /etc/postgresql/rootwrap.d/postgresql-rootwrap.filter
subPath: postgresql-rootwrap-filter
readOnly: true
- name: postgresql-utility-etc
mountPath: /etc/postgresql/rootwrap.conf
subPath: rootwrap.conf
readOnly: true
volumes:
- name: postgresql-utility-sudoers
configMap:
name: {{ printf "%s-%s" $envAll.Release.Name "sudoers" }}
defaultMode: 0644
- name: postgresql-utility-bin
configMap:
name: {{ printf "%s-%s" $envAll.Release.Name "bin" }}
defaultMode: 0555
- name: postgresql-utility-etc
configMap:
name: {{ printf "%s-%s" $envAll.Release.Name "etc" }}
defaultMode: 0555
- name: postgresql-etc
configMap:
name: {{ .Values.conf.postgresqlconf.etc }}
defaultMode: 0600
- name: postgresql-client-admin-password
secret:
secretName: {{ .Values.secrets.password.admin | quote }}
defaultMode: 0600
{{- end }}
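Review bot: L317 reads `$envAll.Values.pod.resources.postgresql_utility`, but values.yaml defines `pod.resources.utility`; with `pod.resources.enabled: false` the snippet is skipped and nothing notices, and the moment resources are enabled the snippet receives a nil component. Rename one side so the keys agree. The secret mount at L345–L347 is the only volumeMount without `readOnly: true`; add it for consistency with the others. The sudoers volume uses `defaultMode: 0644` (L360) where sudo expects files in sudoers.d to be mode 0440 — I believe it still parses a non-writable file but logs a warning, so `0440` matches its expectation. `rbac.authorization.k8s.io/v1beta1` on L259 and L275 can be `v1`, which has been available since Kubernetes 1.8.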


@ -0,0 +1,169 @@
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Default values for postgresql-utility.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
deployment:
postgresql: true
release_group: null
images:
pull_policy: IfNotPresent
tags:
postgresql_utility: 'quay.io/airshipit/porthole-postgresql-utility:latest-ubuntu_xenial'
image_repo_sync: docker.io/docker:18.09.02
local_registry:
active: false
exclude:
- dep_check
- image_repo_sync
labels:
utility:
node_selector_key: openstack-helm-node-class
node_selector_value: primary
pod:
dns_policy: "ClusterFirstWithHostNet"
replicas:
utility: 1
affinity:
anti:
type:
default: preferredDuringSchedulingIgnoredDuringExecution
topologyKey:
default: kubernetes.io/hostname
resources:
enabled: false
utility:
requests:
memory: "100Mi"
cpu: "250m"
limits:
memory: "250Mi"
cpu: "500m"
jobs:
bootstrap:
limits:
memory: "1024Mi"
cpu: "2000m"
requests:
memory: "128Mi"
cpu: "500m"
image_repo_sync:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
secrets:
password:
admin: postgresql-admin
conf:
features:
utility: true
postgresqlconf:
etc: postgresql-etc
postgresqlfilter:
Filters:
# postgresql-rootwrap command filters for postgresql utility container
# This file should be owned by (and only-writeable by) the root user
# Below are example command filters. access to postgresql cluster can be restricted by creating a user with less privilages
psql: CommandFilter, psql, root
kubectl: CommandFilter, kubectl, root
postgresqlrootwrap:
DEFAULT:
# Configuration for postgresql-rootwrap
# This file should be owned by (and only-writeable by) the root user
# List of directories to load filter definitions from (separated by ',').
# These directories MUST all be only writeable by root !
filters_path: /etc/postgresql/rootwrap.d
# List of directories to search executables in, in case filters do not
# explicitely specify a full path (separated by ',')
# If not specified, defaults to system PATH environment variable.
# These directories MUST all be only writeable by root !
exec_dirs: /sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin,/tmp
# Enable logging to syslog
# Default value is False
use_syslog: True
# Which syslog facility to use.
# Valid values include auth, authpriv, syslog, local0, local1...
# Default value is 'syslog'
syslog_log_facility: syslog
# Which messages to log.
# INFO means log all usage
# ERROR means only log unsuccessful attempts
syslog_log_level: INFO
utility:
# Set to true for development sites,
# Set to false otherwise
always_log_user: true
dependencies:
dynamic:
common:
local_image_registry:
jobs:
- postgresql-utility-image-repo-sync
services:
- endpoint: node
service: local_image_registry
static:
bootstrap:
jobs: null
postgresqlfs_client_key_generator:
jobs: null
namespace_client_key_cleaner:
jobs: null
namespace_client_key_generator:
jobs: null
image_repo_sync:
services:
- endpoint: internal
service: local_image_registry
bootstrap:
enabled: true
endpoints:
cluster_domain_suffix: cluster.local
local_image_registry:
name: docker-registry
namespace: docker-registry
hosts:
default: localhost
internal: docker-registry
node: localhost
host_fqdn_override:
default: null
port:
registry:
node: 5000
monitoring:
prometheus:
enabled: true
manifests:
configmap_bin: true
configmap_etc_client: true
configmap_etc_sudoers: true
deployment_utility: true
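Review bot: `exec_dirs` on L475 ends with `/tmp`, a world-writable directory, which contradicts the comment on L474 that every entry must be writable only by root. The `kubectl` filter on L463 runs its command as root, and the Dockerfile in this commit (L554–L564) installs no kubectl, so rootwrap's search through `exec_dirs` would fall through to `/tmp` and run whatever the unprivileged container user has placed there under that name — a local privilege escalation. Remove `/tmp` from `exec_dirs` (start.sh and bootstrap.sh are run through sudo, not rootwrap, so they do not need it) and either install kubectl in the image or drop the filter. `always_log_user: true` on L490 is the default even though the comment above it says true is for development sites; with it true the wrapper skips the AUSER check it describes as a security measure, so `false` is the safer default. `use_syslog: True` on L478 should be lowercase `true` to avoid YAML 1.1 boolean ambiguity.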


@ -0,0 +1,31 @@
ARG FROM=ubuntu:16.04
FROM ${FROM}
LABEL org.opencontainers.image.authors='airship-discuss@lists.airshipit.org, irc://#airshipit@freenode' \
org.opencontainers.image.url='https://airshipit.org' \
org.opencontainers.image.documentation='https://opendev.org/airship/porthole' \
org.opencontainers.image.source='https://opendev.org/airship/porthole' \
org.opencontainers.image.vendor='The Airship Authors' \
org.opencontainers.image.licenses='Apache-2.0'
RUN set -xe && \
export DEBIAN_FRONTEND=noninteractive && \
sed -i '/nobody/d' /etc/passwd && \
echo "nobody:x:65534:65534:nobody:/nonexistent:/bin/bash" >> /etc/passwd && \
apt-get update && \
apt-get install -y wget curl \
apt-transport-https ca-certificates gnupg \
bash \
moreutils \
postgresql-client \
postgresql-common \
python-oslo.rootwrap \
python3-oslo.rootwrap \
rsyslog \
screen \
sudo && \
apt-get clean -y && \
rm -rf /var/cache/debconf/* /var/lib/apt/lists/* \
/var/log/* /tmp/* /var/tmp/*
CMD ["/bin/bash"]
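Review bot: Both `python-oslo.rootwrap` and `python3-oslo.rootwrap` are installed (L560–L561), but the rootwrap entry point in this commit runs under `#!/usr/bin/python` and start.sh patches only the python2.7 copy, so the python3 package appears unused and can be dropped. `apt-get install -y` without `--no-install-recommends` pulls in recommended packages and enlarges the image for no stated benefit. `ARG FROM=ubuntu:16.04` pins the base by tag only; pinning by digest (`ubuntu:16.04@sha256:<digest>`, placeholder) gives reproducible builds and a fixed supply-chain input.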


@ -0,0 +1,67 @@
# PostgreSQL Utility Container
## Prerequisites: Deploy Airship in a Bottle(AIAB)
## Installation
1. Add the below to /etc/sudoers
```
root ALL=(ALL) NOPASSWD: ALL
ubuntu ALL=(ALL) NOPASSWD: ALL
```
2. Install the latest versions of Git, CA Certs & bundle & Make if necessary
```
set -xe
sudo apt-get update
sudo apt-get install --no-install-recommends -y \
ca-certificates \
git \
make \
jq \
nmap \
curl \
uuid-runtime
```
3. Deploy Porthole
```
git clone https://opendev.org/airship/porthole
```
4. Modify the test case test-postgresqlutility-running.yaml
## Testing
Get in to the utility pod using kubectl exec.
To perform any operation on the ucp PostgreSQL cluster use the below example.
example:
```
utilscli psql -h hostname -U username -d database
psql -h hostaddress -U username -p port --password password
root@ubuntu:~# kubectl exec -it postgresql-655989696f-79246 -n utility /bin/bash
nobody@postgresql-655989696f-79246:/$ utilscli psql -h <hostaddress> -U postgresadmin -p <portnumber> --password <password>
Password for user postgresadmin:
WARNING: psql major version 9.5, server major version 10.
Some psql features might not work.
Type "help" for help.
postgresdb=# \d
List of relations
Schema | Name | Type | Owner
--------+------------------+----------+---------------
public | company | table | postgresadmin
public | role | table | postgresadmin
public | role_role_id_seq | sequence | postgresadmin
public | test | table | postgresadmin
(4 rows)
postgresdb=#
```


@ -19,6 +19,7 @@
- airship-porthole-images-build-gate-ceph-utility
- airship-porthole-images-build-gate-etcdctl-utility
- airship-porthole-images-build-gate-mysqlclient-utility
- airship-porthole-images-build-gate-postgresql-utility
gate:
jobs:
@ -26,12 +27,14 @@
- airship-porthole-images-build-gate-ceph-utility
- airship-porthole-images-build-gate-etcdctl-utility
- airship-porthole-images-build-gate-mysqlclient-utility
- airship-porthole-images-build-gate-postgresql-utility
post:
jobs:
- airship-porthole-images-publish-ceph-utility
- airship-porthole-images-publish-etcdctl-utility
- airship-porthole-images-publish-mysqlclient-utility
- airship-porthole-images-publish-postgresql-utility
- nodeset:
name: airship-porthole-single-node


@ -0,0 +1,41 @@
# Copyright 2019 AT&T Intellectual Property. All other rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- job:
name: airship-porthole-images-build-gate-postgresql-utility
parent: &parent airship-porthole-images
vars:
image_name: &image_name porthole-postgresql-utility
distro_suffix: &distro_suffix ubuntu_xenial
files:
- ^charts/postgresql-utility/.*$
- ^images/postgresql-utility/.*$
- ^Makefile$
- ^tools/.*$
- ^zuul.d/.*$
- job:
name: airship-porthole-images-publish-postgresql-utility
parent: *parent
secrets:
- name: quay_credentials
secret: quay_credentials
pass-to-parent: true
vars:
image_name: *image_name
distro_suffix: *distro_suffix
publish: true
tags:
dynamic:
commit: true