From ae4d2b9abd9013a01fafd73e8d3b1f5d8937cf51 Mon Sep 17 00:00:00 2001
From: Joakim Bygdell
Date: Mon, 31 Oct 2022 11:44:11 +0100
Subject: [PATCH 1/6] Mount volume in default location but keep data in sub folder
Postgres requires an empty folder when running `initdb`
---
 charts/sda-db/README.md | 2 +-
 charts/sda-db/templates/_helpers.tpl | 8 ++++++++
 charts/sda-db/templates/statefulset.yaml | 6 ++++--
 charts/sda-db/values.yaml | 2 +-
 4 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/charts/sda-db/README.md b/charts/sda-db/README.md
index 6ea07774..0324749b 100644
--- a/charts/sda-db/README.md
+++ b/charts/sda-db/README.md
@@ -25,7 +25,7 @@ Parameter | Description | Default
 `networkPolicy.create` | Use network isolation. | `false`
 `networkPolicy.matchLabels` | App labels that are allowed to connect to the database. | `app: sda-svc`
 `persistence.enabled` | Enable persistence. | `true`
-`persistence.mountPath` | Mountpoint for persistent volume. | `/var/lib/postgresql`
+`persistence.mountPath` | Custom mountpoint for persistent volume. | `"/var/lib/postgresql/data/"`
 `persistence.storageSize` | Volume size. | `8Gi`
 `persistence.storageClass` | Use specific storage class, by default dynamic provisioning enabled. | `null`
 `persistence.existingClaim` | Use existing claim. | `null`
diff --git a/charts/sda-db/templates/_helpers.tpl b/charts/sda-db/templates/_helpers.tpl
index 18a3cefa..008b3400 100644
--- a/charts/sda-db/templates/_helpers.tpl
+++ b/charts/sda-db/templates/_helpers.tpl
@@ -99,3 +99,11 @@ Create chart name and version as used by the chart label.
 {{- end -}}
 {{- end -}}
 {{- end -}}
+
+{{- define "pgData" -}}
+ {{- if .Values.persistence.mountPath }}
+ {{ printf "%s/pgdata" .Values.persistence.mountPath }}
+ {{- else }}
+ {{- "/var/lib/postgresql/data/pgdata/" }}
+ {{- end -}}
+{{- end -}}
diff --git a/charts/sda-db/templates/statefulset.yaml b/charts/sda-db/templates/statefulset.yaml
index 187a36e8..e3ab1bb7 100644
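Review bot: In the `if` branch of `pgData` the `{{ printf ... }}` action has no whitespace trim on either side while every neighbouring action does, so the rendered value carries the newline and indentation that precede it, and that is the string the statefulset drops straight into an env `value:`. The two branches also disagree on a trailing slash (`.../pgdata/` only in the else branch), and with the chart's new default `mountPath` of `"/var/lib/postgresql/data/"` the `printf` yields `/var/lib/postgresql/data//pgdata`. I would write the branch as `{{- printf "%s/pgdata" (trimSuffix "/" .Values.persistence.mountPath) -}}` and the fallback as `{{- "/var/lib/postgresql/data/pgdata" -}}` so both paths come out clean and identical in shape.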
--- a/charts/sda-db/templates/statefulset.yaml
+++ b/charts/sda-db/templates/statefulset.yaml
@@ -46,8 +46,8 @@ spec:
 - -cx
 - |
 {{- if and .Values.persistence.volumePermissions .Values.persistence.enabled }}
- mkdir -p /psql/data
- chmod 700 /psql/data
+ mkdir -p /psql/pgdata
+ chmod 700 /psql/pgdata
 find /psql -mindepth 1 -maxdepth 1 -not -name ".snapshot" -not -name "lost+found" | xargs chown -R 70:70
 {{- end }}
 {{- if and .Values.global.tls.enabled (not .Values.externalPkiService.tlsPath) }}
@@ -109,6 +109,8 @@ spec:
 - name: NOTLS
 value: "true"
 {{- end }}
+ - name: PGDATA
+ value: {{ template "pgData" }}
 ports:
 - containerPort: 5432
 name: postgres
diff --git a/charts/sda-db/values.yaml b/charts/sda-db/values.yaml
index 946ba385..7ad3b295 100644
--- a/charts/sda-db/values.yaml
+++ b/charts/sda-db/values.yaml
@@ -48,7 +48,7 @@ networkPolicy:
 ## set, choosing the default provisioner.
 persistence:
 enabled: true
- mountPath: /var/lib/postgresql
+ mountPath: "/var/lib/postgresql/data/"
 storageSize: 8Gi
 storageClass:
 existingClaim:
From 71cb88f2c45ad2ee4faf91708d8ef99abab22a47 Mon Sep 17 00:00:00 2001
From: Joakim Bygdell
Date: Mon, 31 Oct 2022 11:50:50 +0100
Subject: [PATCH 2/6] Fix default path and names for certificates
---
 charts/sda-db/templates/_helpers.tpl | 36 ++++++++++++++++------------
 1 file changed, 21 insertions(+), 15 deletions(-)
diff --git a/charts/sda-db/templates/_helpers.tpl b/charts/sda-db/templates/_helpers.tpl
index 008b3400..a17860a6 100644
--- a/charts/sda-db/templates/_helpers.tpl
+++ b/charts/sda-db/templates/_helpers.tpl
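Review bot: The init script hard-codes `/psql/pgdata` while the server's data directory is now derived from `persistence.mountPath` through the `pgData` helper, so the `mkdir`/`chmod 700` can silently land on a directory postgres never uses once an operator overrides `mountPath`; the volume mounts that tie `/psql` to the same claim are outside this hunk, so I am inferring that coupling. If they are the same volume, at least document it on the `mkdir` line with `# /psql is the data volume; the sub folder must match the pgData helper`, or derive the sub folder name from the same value. Note also that the script runs under `sh -cx` with no `-e`, so a failed `chmod 700` does not abort the init container and postgres only fails later with a less obvious permissions error; `set -e` as the first script line would surface that immediately.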
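Review bot: `value: {{ template "pgData" }}` invokes the helper without passing `.`, so inside `pgData` the dot is nil and `.Values.persistence.mountPath` cannot resolve; under Helm's default missing-key handling the `if` branch is then never taken and the env var is always the hard-coded `/var/lib/postgresql/data/pgdata/`, while `helm lint --strict` would most likely reject the template outright. It works today only because the chart default for `mountPath` happens to match the fallback, so any custom `persistence.mountPath` would leave the data directory outside the persistent volume without any render-time warning. The fix is `value: {{ template "pgData" . }}`, or `value: {{ include "pgData" . | quote }}` to be safe against whitespace the helper may emit. The container spec this env entry belongs to starts and ends outside the hunk.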
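Review bot: The new default `mountPath: "/var/lib/postgresql/data/"` carries a trailing slash, which the `pgData` helper's `printf "%s/pgdata"` turns into `/var/lib/postgresql/data//pgdata`; postgres tolerates the double slash, but it is an untidy value to surface in the pod spec and logs, and the quotes are unnecessary for a plain path. I would use `mountPath: /var/lib/postgresql/data` and update the README default to match.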
@@ -39,32 +39,38 @@ Create chart name and version as used by the chart label.
 {{- end -}}
 {{- define "pgCert" -}}
- {{- if .Values.externalPkiService.tlsPath }}
- {{- printf "%s" (regexReplaceAll "^/*|/+" (printf "%s/%s" .Values.externalPkiService.tlsPath .Values.global.tls.certName) "/")}}
- {{- else if or .Values.global.tls.clusterIssuer .Values.global.tls.issuer }}
+ {{- if .Values.externalPkiService.tlsPath -}}
+ {{- printf "%s" (regexReplaceAll "^/*|/+" (printf "%s/tls.crt" .Values.externalPkiService.tlsPath) "/") -}}
+ {{- else if and .Values.externalPkiService.tlsPath .Values.global.tls.certName -}}
+ {{- printf "%s" (regexReplaceAll "^/*|/+" (printf "%s/%s" .Values.externalPkiService.tlsPath .Values.global.tls.certName) "/") -}}
+ {{- else if and .Values.global.tls.secretName .Values.global.tls.certName -}}
+ {{- printf "%s/tls/%s" .Values.persistence.mountPath (required "name of tls certificate is required" .Values.global.tls.certName) -}}
+ {{- else -}}
 {{- printf "%s/tls/tls.crt" .Values.persistence.mountPath -}}
- {{- else }}
- {{- printf "%s/tls/%s" .Values.persistence.mountPath (required "name of tls certificate is required" .Values.global.tls.certName) }}
 {{- end -}}
 {{- end -}}
 {{- define "pgKey" -}}
- {{- if .Values.externalPkiService.tlsPath }}
- {{- printf "%s" (regexReplaceAll "^/*|/+" (printf "%s/%s" .Values.externalPkiService.tlsPath .Values.global.tls.keyName) "/")}}
- {{- else if or .Values.global.tls.clusterIssuer .Values.global.tls.issuer }}
+ {{- if .Values.externalPkiService.tlsPath -}}
+ {{- printf "%s" (regexReplaceAll "^/*|/+" (printf "%s/tls.key" .Values.externalPkiService.tlsPath) "/") -}}
+ {{- else if and .Values.externalPkiService.tlsPath .Values.global.tls.keyName -}}
+ {{- printf "%s" (regexReplaceAll "^/*|/+" (printf "%s/%s" .Values.externalPkiService.tlsPath .Values.global.tls.keyName) "/") -}}
+ {{- else if and .Values.global.tls.secretname .Values.global.tls.keyName -}}
+ {{- printf "%s/tls/%s" .Values.persistence.mountPath (required "name of tls key is required" .Values.global.tls.keyName) -}}
+ {{- else -}}
 {{- printf "%s/tls/tls.key" .Values.persistence.mountPath -}}
- {{- else }}
- {{- printf "%s/tls/%s" .Values.persistence.mountPath (required "name of tls key is required" .Values.global.tls.keyName) }}
 {{- end -}}
 {{- end -}}
 {{- define "caCert" -}}
- {{- if .Values.externalPkiService.tlsPath }}
- {{- printf "%s" (regexReplaceAll "^/*|/+" (printf "%s/%s" .Values.externalPkiService.tlsPath .Values.global.tls.CAFile) "/")}}
- {{- else if or .Values.global.tls.clusterIssuer .Values.global.tls.issuer }}
+ {{- if .Values.externalPkiService.tlsPath -}}
+ {{- printf "%s" (regexReplaceAll "^/*|/+" (printf "%s/ca.crt" .Values.externalPkiService.tlsPath "/")) -}}
+ {{- else if and .Values.externalPkiService.tlsPath .Values.global.tls.CAFile -}}
+ {{- printf "%s" (regexReplaceAll "^/*|/+" (printf "%s/%s" .Values.externalPkiService.tlsPath .Values.global.tls.CAFile) "/") -}}
+ {{- else if and .Values.global.tls.secretname .Values.global.tls.CAFile -}}
+ {{- printf "%s/tls/%s" .Values.persistence.mountPath (required "name of ca file is required" .Values.global.tls.CAFile) -}}
+ {{- else -}}
 {{- printf "%s/tls/ca.crt" .Values.persistence.mountPath -}}
- {{- else }}
- {{- printf "%s/tls/%s" .Values.persistence.mountPath (required "name of ca file is required" .Values.global.tls.CAFile) }}
 {{- end -}}
 {{- end -}}
From 268c30af341ea015f7d8d4042f7f2759c18efe88 Mon Sep 17 00:00:00 2001
From: Joakim Bygdell
Date: Mon, 31 Oct 2022 11:51:07 +0100
Subject: [PATCH 3/6] Update readme
---
 charts/sda-db/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/sda-db/README.md b/charts/sda-db/README.md
index 0324749b..2024f2a5 100644
--- a/charts/sda-db/README.md
+++ b/charts/sda-db/README.md
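Review bot: In all three helpers the second branch (`else if and .Values.externalPkiService.tlsPath .Values.global.tls.certName` and its key/CA counterparts) is unreachable, because the first branch already matches any non-empty `tlsPath`; with an external PKI the configured `certName`/`keyName`/`CAFile` are therefore silently ignored and the server is pointed at `tls.crt`/`tls.key`/`ca.crt` whatever the operator set. `pgKey` and `caCert` additionally test `.Values.global.tls.secretname` (lower-case n) where `pgCert` tests `secretName`, so that branch never fires either and a custom key or CA file name under a user-provided secret falls through to the default name — a mismatch that can leave postgres validating clients against the wrong CA file or failing to find its key. In `caCert`'s first branch the `"/"` argument has slipped inside the inner `printf`, so `regexReplaceAll` receives only two arguments and rendering fails as soon as `externalPkiService.tlsPath` is set. I would collapse each helper to a single external-PKI branch that honours the configured name with a default, fix the `secretName` key, and keep the replacement argument on `regexReplaceAll`; `caCert` is shown below and `pgCert`/`pgKey` follow the same shape with `tls.crt`/`certName` and `tls.key`/`keyName`.
```gotemplate
{{- define "caCert" -}}
  {{- if .Values.externalPkiService.tlsPath -}}
    {{- printf "%s" (regexReplaceAll "^/*|/+" (printf "%s/%s" .Values.externalPkiService.tlsPath (default "ca.crt" .Values.global.tls.CAFile)) "/") -}}
  {{- else if and .Values.global.tls.secretName .Values.global.tls.CAFile -}}
    {{- printf "%s/tls/%s" .Values.persistence.mountPath .Values.global.tls.CAFile -}}
  {{- else -}}
    {{- printf "%s/tls/ca.crt" .Values.persistence.mountPath -}}
  {{- end -}}
{{- end -}}
{{/* … pgCert and pgKey: same shape, with tls.crt/certName and tls.key/keyName … */}}
```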
@@ -13,7 +13,7 @@ Parameter | Description | Default
 `global.tls.enabled` | Enable TLS for all connections. |`true`
 `global.tls.issuer` | Issuer for TLS certificate creation. |`""`
 `global.tls.clusterIssuer` | ClusterIssuer for TLS certificate creation. |`""`
-`global.tls.secretName` | Name of the secret holding the certificates. |``
+`global.tls.secretName` | Name of the secret holding the certificates. |`""`
 `global.tls.certName` | Server certificate. |`tls.crt`
 `global.tls.keyName` | Server private key. |`tls.key`
 `global.tls.CAFile` | CA root certificate. |`ca.crt`
From 2cfb7564a28e05a20527c2a06debc057bcf7f786 Mon Sep 17 00:00:00 2001
From: Joakim Bygdell
Date: Mon, 31 Oct 2022 11:51:42 +0100
Subject: [PATCH 4/6] Set default certificate lifetime to 365 days
---
 charts/sda-db/templates/certificate.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/charts/sda-db/templates/certificate.yaml b/charts/sda-db/templates/certificate.yaml
index 4bc11891..1a002c49 100644
--- a/charts/sda-db/templates/certificate.yaml
+++ b/charts/sda-db/templates/certificate.yaml
@@ -6,8 +6,8 @@ metadata:
 spec:
 # Secret names are always required.
 secretName: {{ template "sda.fullname" . }}-certs
-
- duration: 2160h # 90d
+ # postgres can not hot reload a new certificate, hence the 1y timelimit
+ duration: 8760h
 # The use of the common name field has been deprecated since 2000 and is
 # discouraged from being used.
From d652a5dd22a2ce0a3e50754e4a5723d5d284b881 Mon Sep 17 00:00:00 2001
From: Joakim Bygdell
Date: Mon, 31 Oct 2022 11:51:52 +0100
Subject: [PATCH 5/6] Bump image version
---
 charts/sda-db/values.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/sda-db/values.yaml b/charts/sda-db/values.yaml
index 7ad3b295..c59f7953 100644
--- a/charts/sda-db/values.yaml
+++ b/charts/sda-db/values.yaml
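Review bot: The comment justifying the longer lifetime does not hold for current PostgreSQL: since version 10 the server re-reads `ssl_cert_file`/`ssl_key_file` on a configuration reload (SIGHUP / `pg_ctl reload`), so a reload hook rather than a longer-lived certificate is the usual way to consume a renewed cert-manager secret. Raising `duration` to 8760h does not remove the rotation problem, it only defers it: cert-manager still renews the secret before expiry (by default at two thirds of the lifetime), and without a reload or rollout the running pod keeps serving the old certificate until it expires, at which point clients that verify the chain start failing. A one-year server certificate is also a longer exposure window should the key ever leak. I would keep the 90d value, add a restart or reload trigger (a checksum of the certificate secret as a pod annotation, or a sidecar issuing `pg_ctl reload` when the mounted files change), set an explicit `renewBefore:` so the renewal point is documented, and reword the comment to `# renewed by cert-manager; the pod must be reloaded/restarted to pick up the new secret`.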
@@ -26,7 +26,7 @@ extraSecurityContext: {}
 image:
 repository: ghcr.io/neicnordic/sda-db
- tag: v1.4.0
+ tag: v1.4.14
 pullPolicy: IfNotPresent
 # utilize network isolation
From a2c28f3b3a30add6a4c57922210cedd12bdc7a36 Mon Sep 17 00:00:00 2001
From: Joakim Bygdell
Date: Mon, 31 Oct 2022 11:52:00 +0100
Subject: [PATCH 6/6] bump chart version
---
 charts/sda-db/Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/sda-db/Chart.yaml b/charts/sda-db/Chart.yaml
index 74a24ce1..1838651a 100644
--- a/charts/sda-db/Chart.yaml
+++ b/charts/sda-db/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: sda-db
-version: "0.4.1"
+version: "0.4.2"
 description: Database component for Sensitive Data Archive (SDA) installation
 home: https://neic-sda.readthedocs.io
 icon: https://neic.no/assets/images/logo.png