DB container improvements

List of improvements: - Use Secrets for SSL and DB credentials - Add DB container support to uninstall, start, stop, restart and status - Cleanup the setup from the now unneeded parameters
uyuni-project · Mar 4, 2025 · 2ac90ed · 2ac90ed
1 parent 6ee2c0a
commit 2ac90ed
Show file tree

Hide file tree

Showing 67 changed files with 303 additions and 291 deletions.
diff --git a/mgradm/cmd/inspect/kubernetes.go b/mgradm/cmd/inspect/kubernetes.go
@@ -1,4 +1,4 @@
-// SPDX-FileCopyrightText: 2024 SUSE LLC
+// SPDX-FileCopyrightText: 2025 SUSE LLC
 //
 // SPDX-License-Identifier: Apache-2.0
 

diff --git a/mgradm/cmd/install/kubernetes/kubernetes.go b/mgradm/cmd/install/kubernetes/kubernetes.go
@@ -1,4 +1,4 @@
-// SPDX-FileCopyrightText: 2024 SUSE LLC
+// SPDX-FileCopyrightText: 2025 SUSE LLC
 //
 // SPDX-License-Identifier: Apache-2.0
 

diff --git a/mgradm/cmd/install/kubernetes/kubernetes_test.go b/mgradm/cmd/install/kubernetes/kubernetes_test.go
@@ -1,4 +1,4 @@
-// SPDX-FileCopyrightText: 2024 SUSE LLC
+// SPDX-FileCopyrightText: 2025 SUSE LLC
 //
 // SPDX-License-Identifier: Apache-2.0
 

diff --git a/mgradm/cmd/install/podman/podman.go b/mgradm/cmd/install/podman/podman.go
@@ -1,4 +1,4 @@
-// SPDX-FileCopyrightText: 2024 SUSE LLC
+// SPDX-FileCopyrightText: 2025 SUSE LLC
 //
 // SPDX-License-Identifier: Apache-2.0
 

diff --git a/mgradm/cmd/install/podman/podman_test.go b/mgradm/cmd/install/podman/podman_test.go
@@ -1,4 +1,4 @@
-// SPDX-FileCopyrightText: 2024 SUSE LLC
+// SPDX-FileCopyrightText: 2025 SUSE LLC
 //
 // SPDX-License-Identifier: Apache-2.0
 

diff --git a/mgradm/cmd/install/podman/ssl.go b/mgradm/cmd/install/podman/ssl.go
@@ -6,6 +6,7 @@ package podman
 
 import (
 	"fmt"
+	"path"
 	"strings"
 
 	"github.com/rs/zerolog/log"
@@ -92,6 +93,15 @@ func generateSSLCertificates(image string, flags *adm_utils.ServerFlags, fqdn st
 
 	log.Info().Msg(L("SSL certificates generated"))
 
+	// Create secret for the database key and certificate
+	if err := shared_podman.CreateDBTLSSecrets(
+		path.Join(tempDir, "ca.crt"),
+		path.Join(tempDir, "reportdb.crt"),
+		path.Join(tempDir, "reportdb.key"),
+	); err != nil {
+		return []string{}, cleaner, err
+	}
+
 	return []string{"-v", tempDir + ":/ssl"}, cleaner, nil
 }
 
@@ -147,7 +157,7 @@ const sslSetupScript = `
 		--set-country "$CERT_COUNTRY" --set-state "$CERT_STATE" --set-city "$CERT_CITY" \
 	    --set-org "$CERT_O" --set-org-unit "$CERT_OU" \
 	    --set-hostname reportdb.mgr.internal --cert-expiration 3650 --set-email "$CERT_EMAIL" \
-		$cert_args
+		--set-cname reportdb --set-cname db $cert_args
 
 	cp /root/ssl-build/reportdb/server.crt /ssl/reportdb.crt
 	cp /root/ssl-build/reportdb/server.key /ssl/reportdb.key

diff --git a/mgradm/cmd/install/podman/utils.go b/mgradm/cmd/install/podman/utils.go
@@ -102,17 +102,41 @@ func installForPodman(
 		return err
 	}
 
-	// TODO Generate SSL Certificates in a separate container
+	// Create all the database credentials secrets
+	if err := shared_podman.CreateCredentialsSecrets(
+		shared_podman.DBUserSecret, flags.Installation.DB.User,
+		shared_podman.DBPassSecret, flags.Installation.DB.Password,
+	); err != nil {
+		return err
+	}
 
-	// Run the DB container setup
-	// TODO Adjust with the new setup mechanism
-	if err := pgsql.SetupPgsql(systemd, authFile, flags.ServerFlags.Pgsql,
-		flags.Installation.DB.Admin.User,
-		flags.Installation.DB.Admin.Password,
+	if err := shared_podman.CreateCredentialsSecrets(
+		shared_podman.ReportDBUserSecret, flags.Installation.ReportDB.User,
+		shared_podman.ReportDBPassSecret, flags.Installation.ReportDB.Password,
 	); err != nil {
 		return err
 	}
 
+	if flags.ServerFlags.Installation.DB.Host == "db" {
+		// The admin password is not needed for external databases
+		if err := shared_podman.CreateCredentialsSecrets(
+			shared_podman.DBAdminUserSecret, flags.Installation.DB.Admin.User,
+			shared_podman.DBAdminPassSecret, flags.Installation.DB.Admin.Password,
+		); err != nil {
+			return err
+		}
+
+		// Run the DB container setup if the user doesn't set a custom host name for it.
+		if err := pgsql.SetupPgsql(systemd, authFile, &flags.ServerFlags.Pgsql, &flags.Image); err != nil {
+			return err
+		}
+	} else {
+		log.Info().Msgf(
+			L("Skipped database container setup to use external database %s"),
+			flags.ServerFlags.Installation.DB.Host,
+		)
+	}
+
 	log.Info().Msg(L("Run setup command in the container"))
 
 	if err := runSetup(preparedImage, &flags.ServerFlags, fqdn, sslArgs); err != nil {
@@ -127,11 +151,6 @@ func installForPodman(
 		return utils.Error(err, L("failed to add SSL CA certificate to host trusted certificates"))
 	}
 
-	log.Info().Msg(L("Enabling SSL in the postgres container"))
-	if err := pgsql.EnableSSL(systemd); err != nil {
-		return err
-	}
-
 	if path, err := exec.LookPath("uyuni-payg-extract-data"); err == nil {
 		// the binary is installed
 		err = utils.RunCmdStdMapping(zerolog.DebugLevel, path)
@@ -141,10 +160,6 @@ func installForPodman(
 	}
 
 	if flags.Coco.Replicas > 0 {
-		// This may need to be moved up later once more containers require DB access
-		if err := shared_podman.CreateDBSecrets(flags.Installation.DB.User, flags.Installation.DB.Password); err != nil {
-			return err
-		}
 		if err := coco.SetupCocoContainer(
 			systemd, authFile, flags.Image.Registry, flags.Coco, flags.Image,
 			flags.Installation.DB.Name, flags.Installation.DB.Port,
@@ -206,7 +221,7 @@ func runSetup(image string, flags *adm_utils.ServerFlags, fqdn string, sslArgs [
 	if err != nil {
 		return err
 	}
-	command = append(command, "/usr/bin/sh", "-c", script)
+	command = append(command, "/usr/bin/sh", "-e", "-c", script)
 
 	if _, err := newRunner("podman", command...).Env(envValues).StdMapping().Exec(); err != nil {
 		return utils.Error(err, L("server setup failed"))

diff --git a/mgradm/cmd/install/shared/flags.go b/mgradm/cmd/install/shared/flags.go
@@ -1,4 +1,4 @@
-// SPDX-FileCopyrightText: 2024 SUSE LLC
+// SPDX-FileCopyrightText: 2025 SUSE LLC
 //
 // SPDX-License-Identifier: Apache-2.0
 

diff --git a/mgradm/cmd/migrate/kubernetes/kubernetes.go b/mgradm/cmd/migrate/kubernetes/kubernetes.go
@@ -1,4 +1,4 @@
-// SPDX-FileCopyrightText: 2024 SUSE LLC
+// SPDX-FileCopyrightText: 2025 SUSE LLC
 //
 // SPDX-License-Identifier: Apache-2.0
 

diff --git a/mgradm/cmd/migrate/kubernetes/kubernetes_test.go b/mgradm/cmd/migrate/kubernetes/kubernetes_test.go
@@ -1,4 +1,4 @@
-// SPDX-FileCopyrightText: 2024 SUSE LLC
+// SPDX-FileCopyrightText: 2025 SUSE LLC
 //
 // SPDX-License-Identifier: Apache-2.0
 

diff --git a/mgradm/cmd/migrate/kubernetes/utils.go b/mgradm/cmd/migrate/kubernetes/utils.go
@@ -1,4 +1,4 @@
-// SPDX-FileCopyrightText: 2024 SUSE LLC
+// SPDX-FileCopyrightText: 2025 SUSE LLC
 //
 // SPDX-License-Identifier: Apache-2.0
 

diff --git a/mgradm/cmd/migrate/podman/podman.go b/mgradm/cmd/migrate/podman/podman.go
@@ -1,4 +1,4 @@
-// SPDX-FileCopyrightText: 2024 SUSE LLC
+// SPDX-FileCopyrightText: 2025 SUSE LLC
 //
 // SPDX-License-Identifier: Apache-2.0
 

diff --git a/mgradm/cmd/migrate/podman/podman_test.go b/mgradm/cmd/migrate/podman/podman_test.go
@@ -1,4 +1,4 @@
-// SPDX-FileCopyrightText: 2024 SUSE LLC
+// SPDX-FileCopyrightText: 2025 SUSE LLC
 //
 // SPDX-License-Identifier: Apache-2.0
 

diff --git a/mgradm/cmd/migrate/podman/utils.go b/mgradm/cmd/migrate/podman/utils.go
@@ -1,4 +1,4 @@
-// SPDX-FileCopyrightText: 2024 SUSE LLC
+// SPDX-FileCopyrightText: 2025 SUSE LLC
 //
 // SPDX-License-Identifier: Apache-2.0
 

diff --git a/mgradm/cmd/migrate/shared/flags.go b/mgradm/cmd/migrate/shared/flags.go
@@ -1,4 +1,4 @@
-// SPDX-FileCopyrightText: 2024 SUSE LLC
+// SPDX-FileCopyrightText: 2025 SUSE LLC
 //
 // SPDX-License-Identifier: Apache-2.0
 

diff --git a/mgradm/cmd/restart/podman.go b/mgradm/cmd/restart/podman.go
@@ -1,4 +1,4 @@
-// SPDX-FileCopyrightText: 2024 SUSE LLC
+// SPDX-FileCopyrightText: 2025 SUSE LLC
 //
 // SPDX-License-Identifier: Apache-2.0
 
@@ -19,8 +19,10 @@ func podmanRestart(
 	_ *cobra.Command,
 	_ []string,
 ) error {
-	err1 := systemd.RestartService(podman.ServerService)
-	err2 := systemd.RestartInstantiated(podman.ServerAttestationService)
-	err3 := systemd.RestartInstantiated(podman.HubXmlrpcService)
-	return utils.JoinErrors(err1, err2, err3)
+	return utils.JoinErrors(
+		systemd.RestartService(podman.DBService),
+		systemd.RestartService(podman.ServerService),
+		systemd.RestartInstantiated(podman.ServerAttestationService),
+		systemd.RestartInstantiated(podman.HubXmlrpcService),
+	)
 }
diff --git a/mgradm/cmd/start/podman.go b/mgradm/cmd/start/podman.go
@@ -1,4 +1,4 @@
-// SPDX-FileCopyrightText: 2024 SUSE LLC
+// SPDX-FileCopyrightText: 2025 SUSE LLC
 //
 // SPDX-License-Identifier: Apache-2.0
 
@@ -19,8 +19,10 @@ func podmanStart(
 	_ *cobra.Command,
 	_ []string,
 ) error {
-	err1 := systemd.StartInstantiated(podman.ServerAttestationService)
-	err2 := systemd.StartInstantiated(podman.HubXmlrpcService)
-	err3 := systemd.StartService(podman.ServerService)
-	return utils.JoinErrors(err1, err2, err3)
+	return utils.JoinErrors(
+		systemd.StartService(podman.DBService),
+		systemd.StartInstantiated(podman.ServerAttestationService),
+		systemd.StartInstantiated(podman.HubXmlrpcService),
+		systemd.StartService(podman.ServerService),
+	)
 }
diff --git a/mgradm/cmd/status/podman.go b/mgradm/cmd/status/podman.go
@@ -1,4 +1,4 @@
-// SPDX-FileCopyrightText: 2024 SUSE LLC
+// SPDX-FileCopyrightText: 2025 SUSE LLC
 //
 // SPDX-License-Identifier: Apache-2.0
 
@@ -24,6 +24,10 @@ func podmanStatus(
 	_ *cobra.Command,
 	_ []string,
 ) error {
+	if systemd.HasService(podman.DBService) {
+		_ = utils.RunCmdStdMapping(zerolog.DebugLevel, "systemctl", "status", "--no-pager", podman.DBService)
+	}
+
 	// Show the status and that's it if the service is not running
 	if !systemd.IsServiceRunning(podman.ServerService) {
 		_ = utils.RunCmdStdMapping(zerolog.DebugLevel, "systemctl", "status", "--no-pager", podman.ServerService)

diff --git a/mgradm/cmd/stop/podman.go b/mgradm/cmd/stop/podman.go
@@ -1,4 +1,4 @@
-// SPDX-FileCopyrightText: 2024 SUSE LLC
+// SPDX-FileCopyrightText: 2025 SUSE LLC
 //
 // SPDX-License-Identifier: Apache-2.0
 
@@ -19,8 +19,10 @@ func podmanStop(
 	_ *cobra.Command,
 	_ []string,
 ) error {
-	err1 := systemd.StopInstantiated(podman.ServerAttestationService)
-	err2 := systemd.StopInstantiated(podman.HubXmlrpcService)
-	err3 := systemd.StopService(podman.ServerService)
-	return utils.JoinErrors(err1, err2, err3)
+	return utils.JoinErrors(
+		systemd.StopInstantiated(podman.ServerAttestationService),
+		systemd.StopInstantiated(podman.HubXmlrpcService),
+		systemd.StopService(podman.ServerService),
+		systemd.StopService(podman.DBService),
+	)
 }
diff --git a/mgradm/cmd/support/ptf/podman/podman.go b/mgradm/cmd/support/ptf/podman/podman.go
@@ -1,4 +1,4 @@
-// SPDX-FileCopyrightText: 2024 SUSE LLC
+// SPDX-FileCopyrightText: 2025 SUSE LLC
 //
 // SPDX-License-Identifier: Apache-2.0
 //go:build ptf

diff --git a/mgradm/cmd/support/ptf/podman/utils.go b/mgradm/cmd/support/ptf/podman/utils.go
@@ -1,4 +1,4 @@
-// SPDX-FileCopyrightText: 2024 SUSE LLC
+// SPDX-FileCopyrightText: 2025 SUSE LLC
 //
 // SPDX-License-Identifier: Apache-2.0
 //go:build ptf

diff --git a/mgradm/cmd/uninstall/podman.go b/mgradm/cmd/uninstall/podman.go
@@ -1,4 +1,4 @@
-// SPDX-FileCopyrightText: 2024 SUSE LLC
+// SPDX-FileCopyrightText: 2025 SUSE LLC
 //
 // SPDX-License-Identifier: Apache-2.0
 
@@ -27,7 +27,7 @@ func uninstallForPodman(
 		podman.GetServiceImage(podman.ServerAttestationService + "@"),
 		podman.GetServiceImage(podman.HubXmlrpcService),
 		podman.GetServiceImage(podman.ServerSalineService + "@"),
-		podman.GetServiceImage(podman.PgsqlService),
+		podman.GetServiceImage(podman.DBService),
 	}
 
 	// Uninstall the service
@@ -38,7 +38,7 @@ func uninstallForPodman(
 	systemd.UninstallInstantiatedService(podman.ServerAttestationService, !flags.Force)
 	systemd.UninstallInstantiatedService(podman.HubXmlrpcService, !flags.Force)
 	systemd.UninstallInstantiatedService(podman.ServerSalineService, !flags.Force)
-	systemd.UninstallInstantiatedService(podman.PgsqlService, !flags.Force)
+	systemd.UninstallService(podman.DBService, !flags.Force)
 
 	// Remove the volumes
 	if flags.Purge.Volumes {
@@ -76,8 +76,15 @@ func uninstallForPodman(
 
 	podman.DeleteNetwork(!flags.Force)
 
+	podman.DeleteSecret(podman.ReportDBUserSecret, !flags.Force)
+	podman.DeleteSecret(podman.ReportDBPassSecret, !flags.Force)
 	podman.DeleteSecret(podman.DBUserSecret, !flags.Force)
 	podman.DeleteSecret(podman.DBPassSecret, !flags.Force)
+	podman.DeleteSecret(podman.DBAdminUserSecret, !flags.Force)
+	podman.DeleteSecret(podman.DBAdminPassSecret, !flags.Force)
+	podman.DeleteSecret(podman.DBSSLCertSecret, !flags.Force)
+	podman.DeleteSecret(podman.DBSSLKeySecret, !flags.Force)
+	podman.DeleteSecret(podman.CASecret, !flags.Force)
 
 	err := systemd.ReloadDaemon(!flags.Force)
 

diff --git a/mgradm/cmd/upgrade/kubernetes/kubernetes.go b/mgradm/cmd/upgrade/kubernetes/kubernetes.go
@@ -1,4 +1,4 @@
-// SPDX-FileCopyrightText: 2024 SUSE LLC
+// SPDX-FileCopyrightText: 2025 SUSE LLC
 //
 // SPDX-License-Identifier: Apache-2.0
 

diff --git a/mgradm/cmd/upgrade/kubernetes/kubernetes_test.go b/mgradm/cmd/upgrade/kubernetes/kubernetes_test.go
@@ -1,4 +1,4 @@
-// SPDX-FileCopyrightText: 2024 SUSE LLC
+// SPDX-FileCopyrightText: 2025 SUSE LLC
 //
 // SPDX-License-Identifier: Apache-2.0
 

diff --git a/mgradm/cmd/upgrade/podman/podman.go b/mgradm/cmd/upgrade/podman/podman.go
@@ -1,4 +1,4 @@
-// SPDX-FileCopyrightText: 2024 SUSE LLC
+// SPDX-FileCopyrightText: 2025 SUSE LLC
 //
 // SPDX-License-Identifier: Apache-2.0
 

diff --git a/mgradm/cmd/upgrade/podman/podman_test.go b/mgradm/cmd/upgrade/podman/podman_test.go
@@ -1,4 +1,4 @@
-// SPDX-FileCopyrightText: 2024 SUSE LLC
+// SPDX-FileCopyrightText: 2025 SUSE LLC
 //
 // SPDX-License-Identifier: Apache-2.0
 

diff --git a/mgradm/cmd/upgrade/podman/utils.go b/mgradm/cmd/upgrade/podman/utils.go
@@ -1,4 +1,4 @@
-// SPDX-FileCopyrightText: 2024 SUSE LLC
+// SPDX-FileCopyrightText: 2025 SUSE LLC
 //
 // SPDX-License-Identifier: Apache-2.0
 

diff --git a/mgradm/cmd/upgrade/shared/flags.go b/mgradm/cmd/upgrade/shared/flags.go
@@ -1,4 +1,4 @@
-// SPDX-FileCopyrightText: 2024 SUSE LLC
+// SPDX-FileCopyrightText: 2025 SUSE LLC
 //
 // SPDX-License-Identifier: Apache-2.0
 

diff --git a/mgradm/shared/coco/coco.go b/mgradm/shared/coco/coco.go
@@ -1,4 +1,4 @@
-// SPDX-FileCopyrightText: 2024 SUSE LLC
+// SPDX-FileCopyrightText: 2025 SUSE LLC
 //
 // SPDX-License-Identifier: Apache-2.0
 
@@ -33,7 +33,10 @@ func Upgrade(
 		return nil
 	}
 
-	if err := podman.CreateDBSecrets(dbUser, dbPassword); err != nil {
+	if err := podman.CreateCredentialsSecrets(
+		podman.DBUserSecret, dbUser,
+		podman.DBPassSecret, dbPassword,
+	); err != nil {
 		return err
 	}
 

diff --git a/mgradm/shared/hub/xmlrpcapi.go b/mgradm/shared/hub/xmlrpcapi.go
@@ -1,4 +1,4 @@
-// SPDX-FileCopyrightText: 2024 SUSE LLC
+// SPDX-FileCopyrightText: 2025 SUSE LLC
 //
 // SPDX-License-Identifier: Apache-2.0
 
@@ -32,12 +32,11 @@ func SetupHubXmlrpc(
 	if hubXmlrpcFlags.Replicas == 0 {
 		log.Debug().Msg("No HUB requested.")
 	}
-	if !hubXmlrpcFlags.IsChanged {
+	if !hubXmlrpcFlags.IsChanged && hubXmlrpcFlags.Replicas == currentReplicas {
 		log.Info().Msgf(L("No changes requested for hub. Keep %d replicas."), currentReplicas)
 	}
 
-	pullEnabled := (hubXmlrpcFlags.Replicas > 0 && hubXmlrpcFlags.IsChanged) ||
-		(currentReplicas > 0 && !hubXmlrpcFlags.IsChanged)
+	pullEnabled := hubXmlrpcFlags.Replicas > 0 || (currentReplicas > 0 && !hubXmlrpcFlags.IsChanged)
 
 	hubXmlrpcImage, err := utils.ComputeImage(registry, tag, image)