aboutsummaryrefslogtreecommitdiffstats
path: root/kubernetes
diff options
context:
space:
mode:
authorKrzysztof Opasiak <k.opasiak@samsung.com>2020-03-10 23:53:31 +0100
committerKrzysztof Opasiak <k.opasiak@samsung.com>2020-03-10 23:53:31 +0100
commit17547340d42db38a0bca7bca934b01964991301b (patch)
tree5ab91e46b33eae8cf060b0e24f6f16f9a1888cff /kubernetes
parentb8316cdbeaed1c4929531da836f24639c745ab66 (diff)
[COMMON] Allow special characters in postgress passwords
Postgres image that we are currently using uses sed to replace passwords placeholders with their actual values at startup time. This apprach is very fragile and leads to issues if & happens to be a part of password as it has a special meaning in sed. To fix this issue let's just extract the setup.sql file from the container and process it on our own in init container using envsubst and then mount it to the main container to be used. Issue-ID: OOM-2317 Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com> Change-Id: Ifd51d8f0af0099958caa209185fb7a87a0480bd2
Diffstat (limited to 'kubernetes')
-rw-r--r--kubernetes/common/postgres/configs/setup.sql40
-rw-r--r--kubernetes/common/postgres/templates/_deployment.tpl40
-rw-r--r--kubernetes/common/postgres/values.yaml3
3 files changed, 80 insertions, 3 deletions
diff --git a/kubernetes/common/postgres/configs/setup.sql b/kubernetes/common/postgres/configs/setup.sql
new file mode 100644
index 0000000000..f60b473242
--- /dev/null
+++ b/kubernetes/common/postgres/configs/setup.sql
@@ -0,0 +1,40 @@
+--- System Setup
+SET application_name="container_setup";
+
+CREATE EXTENSION IF NOT EXISTS pg_stat_statements;
+CREATE EXTENSION IF NOT EXISTS pgaudit;
+
+ALTER USER postgres PASSWORD '${PG_ROOT_PASSWORD}';
+
+CREATE USER ${PG_PRIMARY_USER} WITH REPLICATION;
+ALTER USER ${PG_PRIMARY_USER} PASSWORD '${PG_PRIMARY_PASSWORD}';
+
+CREATE USER "${PG_USER}" LOGIN;
+ALTER USER "${PG_USER}" PASSWORD '${PG_PASSWORD}';
+
+CREATE DATABASE ${PG_DATABASE};
+GRANT ALL PRIVILEGES ON DATABASE ${PG_DATABASE} TO "${PG_USER}";
+
+CREATE TABLE IF NOT EXISTS primarytable (key varchar(20), value varchar(20));
+GRANT ALL ON primarytable TO ${PG_PRIMARY_USER};
+
+--- PG_DATABASE Setup
+
+\c ${PG_DATABASE}
+
+CREATE EXTENSION IF NOT EXISTS pg_stat_statements;
+CREATE EXTENSION IF NOT EXISTS pgaudit;
+
+--- Verify permissions via PG_USER
+
+\c ${PG_DATABASE} "${PG_USER}";
+
+CREATE SCHEMA IF NOT EXISTS "${PG_USER}";
+
+CREATE TABLE IF NOT EXISTS "${PG_USER}".testtable (
+ name varchar(30) PRIMARY KEY,
+ value varchar(50) NOT NULL,
+ updatedt timestamp NOT NULL
+);
+
+INSERT INTO "${PG_USER}".testtable (name, value, updatedt) VALUES ('CPU', '256', now());
diff --git a/kubernetes/common/postgres/templates/_deployment.tpl b/kubernetes/common/postgres/templates/_deployment.tpl
index 3777c1b2e4..361e64847e 100644
--- a/kubernetes/common/postgres/templates/_deployment.tpl
+++ b/kubernetes/common/postgres/templates/_deployment.tpl
@@ -40,6 +40,34 @@ spec:
name: "{{ index $dot.Values "container" "name" $pgMode }}"
spec:
initContainers:
+ - command:
+ - sh
+ args:
+ - -c
+ - "cd /config-input && for PFILE in `ls -1 .`; do envsubst <${PFILE} >/config/${PFILE}; done"
+ env:
+ - name: PG_PRIMARY_USER
+ value: primaryuser
+ - name: PG_PRIMARY_PASSWORD
+ {{- include "common.secret.envFromSecret" (dict "global" $dot "uid" (include "common.postgres.secret.primaryPasswordUID" .) "key" "password") | indent 10 }}
+ - name: PG_USER
+ {{- include "common.secret.envFromSecret" (dict "global" $dot "uid" (include "common.postgres.secret.userCredentialsUID" .) "key" "login") | indent 10 }}
+ - name: PG_PASSWORD
+ {{- include "common.secret.envFromSecret" (dict "global" $dot "uid" (include "common.postgres.secret.userCredentialsUID" .) "key" "password") | indent 10 }}
+ - name: PG_DATABASE
+ value: "{{ $dot.Values.config.pgDatabase }}"
+ - name: PG_ROOT_PASSWORD
+ {{- include "common.secret.envFromSecret" (dict "global" $dot "uid" (include "common.postgres.secret.rootPassUID" .) "key" "password") | indent 10 }}
+ volumeMounts:
+ - mountPath: /config-input/setup.sql
+ name: config
+ subPath: setup.sql
+ - mountPath: /config
+ name: pgconf
+ image: "{{ $dot.Values.global.envsubstImage }}"
+ imagePullPolicy: {{ $dot.Values.global.pullPolicy | default $dot.Values.pullPolicy }}
+ name: {{ include "common.name" $dot }}-update-config
+
- name: init-sysctl
command:
- /bin/sh
@@ -98,9 +126,12 @@ spec:
- name: PG_ROOT_PASSWORD
{{- include "common.secret.envFromSecret" (dict "global" $dot "uid" (include "common.postgres.secret.rootPassUID" .) "key" "password") | indent 10 }}
volumeMounts:
- - name: pool-hba-conf
+ - name: config
mountPath: /pgconf/pool_hba.conf
subPath: pool_hba.conf
+ - name: pgconf
+ mountPath: /pgconf/setup.sql
+ subPath: setup.sql
- mountPath: /pgdata
name: {{ include "common.fullname" $dot }}-data
- mountPath: /backup
@@ -129,7 +160,10 @@ spec:
{{- else }}
emptyDir: {}
{{ end }}
- - name: pool-hba-conf
+ - name: config
configMap:
name: {{ include "common.fullname" $dot }}
-{{- end -}} \ No newline at end of file
+ - name: pgconf
+ emptyDir:
+ medium: Memory
+{{- end -}}
diff --git a/kubernetes/common/postgres/values.yaml b/kubernetes/common/postgres/values.yaml
index 7aff189ba9..10f9405de6 100644
--- a/kubernetes/common/postgres/values.yaml
+++ b/kubernetes/common/postgres/values.yaml
@@ -21,6 +21,9 @@ global:
readinessRepository: oomk8s
readinessImage: readiness-check:2.0.0
+ # envsusbt
+ envsubstImage: dibi/envsubst
+
#################################################################
# Secrets metaconfig
#################################################################