diff --git a/services/comms/mas-db-ensure-job.yaml b/services/comms/mas-db-ensure-job.yaml
index 9a8cebd..a56b76f 100644
--- a/services/comms/mas-db-ensure-job.yaml
+++ b/services/comms/mas-db-ensure-job.yaml
@@ -2,7 +2,7 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
- name: mas-db-ensure-6
+ name: mas-db-ensure-7
 namespace: comms
 spec:
 backoffLimit: 0
@@ -11,59 +11,28 @@ spec:
 spec:
 serviceAccountName: mas-db-ensure
 restartPolicy: OnFailure
- volumes:
- - name: work
- emptyDir: {}
- initContainers:
- - name: prepare
+ containers:
+ - name: ensure
 image: bitnami/kubectl:latest
 command: ["/bin/sh", "-c"]
 args:
 - |
 set -eu
 umask 077
- echo "ensuring postgres auth secret"
- if kubectl -n postgres get secret postgres-auth >/dev/null 2>&1; then
- kubectl -n postgres get secret postgres-auth -o jsonpath='{.data.POSTGRES_PASSWORD}' | base64 -d > /work/postgres_password
- else
- POSTGRES_PASS="$(kubectl -n postgres get statefulset postgres -o jsonpath='{.spec.template.spec.containers[0].env[?(@.name=="POSTGRES_PASSWORD")].value}')"
- if [ -z "${POSTGRES_PASS}" ]; then
- echo "postgres password not found in statefulset env" >&2
- exit 1
- fi
- printf '%s' "${POSTGRES_PASS}" > /work/postgres_password
- kubectl -n postgres create secret generic postgres-auth --from-file=POSTGRES_PASSWORD=/work/postgres_password >/dev/null
- fi
- echo "ensuring mas db secret"
 if kubectl -n comms get secret mas-db >/dev/null 2>&1; then
- kubectl -n comms get secret mas-db -o jsonpath='{.data.password}' | base64 -d > /work/mas_password
+ MAS_PASS="$(kubectl -n comms get secret mas-db -o jsonpath='{.data.password}' | base64 -d)"
 else
- head -c 32 /dev/urandom | base64 | tr -d '\n' > /work/mas_password
- kubectl -n comms create secret generic mas-db --from-file=password=/work/mas_password >/dev/null
+ MAS_PASS="$(head -c 32 /dev/urandom | base64 | tr -d '\n')"
+ kubectl -n comms create secret generic mas-db --from-literal=password="${MAS_PASS}" >/dev/null
 fi
- volumeMounts:
- - name: work
- mountPath: /work
- containers:
- - name: ensure
- image: postgres:15
- env:
- - name: PGHOST
- value: postgres-service.postgres.svc.cluster.local
- - name: PGPORT
- value: "5432"
- - name: PGDATABASE
- value: postgres
- - name: PGUSER
- value: postgres
- command: ["/bin/sh", "-c"]
- args:
- - |
- set -eu
- export PGPASSWORD="$(cat /work/postgres_password)"
- 
MAS_PASS="$(cat /work/mas_password)"
- echo "ensuring mas role/database"
- psql -v ON_ERROR_STOP=1 -v mas_pass="${MAS_PASS}" <<'SQL'
+
+ POD_NAME="postgres-0"
+ if ! kubectl -n postgres get pod "${POD_NAME}" >/dev/null 2>&1; then
+ echo "postgres pod ${POD_NAME} not found" >&2
+ exit 1
+ fi
+
+ kubectl -n postgres exec -i "${POD_NAME}" -- psql -U postgres -d postgres -v ON_ERROR_STOP=1 -v mas_pass="${MAS_PASS}" <<'SQL'
 DO $$
 BEGIN
 IF NOT EXISTS (SELECT 1 FROM pg_catalog.pg_roles WHERE rolname = 'mas') THEN
@@ -81,6 +50,3 @@ spec:
 END
 $$;
 SQL
- volumeMounts:
- - name: work
- mountPath: /work
diff --git a/services/comms/mas-db-ensure-rbac.yaml b/services/comms/mas-db-ensure-rbac.yaml
index 547b29b..39aa898 100644
--- a/services/comms/mas-db-ensure-rbac.yaml
+++ b/services/comms/mas-db-ensure-rbac.yaml
@@ -12,12 +12,16 @@ metadata:
 rules:
 - apiGroups: [""]
 resources: ["secrets"]
- resourceNames: ["postgres-auth", "mas-db"]
+ resourceNames: ["mas-db"]
 verbs: ["get", "create", "patch", "update"]
- - apiGroups: ["apps"]
- resources: ["statefulsets"]
- resourceNames: ["postgres"]
+ - apiGroups: [""]
+ resources: ["pods"]
+ resourceNames: ["postgres-0"]
 verbs: ["get"]
+ - apiGroups: [""]
+ resources: ["pods/exec"]
+ resourceNames: ["postgres-0"]
+ verbs: ["create"]
 ---
apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
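Review bot: The added `MAS_PASS="$(kubectl -n comms get secret mas-db -o jsonpath='{.data.password}' | base64 -d)"` has no empty-value guard, whereas the removed prepare container did check `[ -z "${POSTGRES_PASS}" ]` before using its value: if the `mas-db` secret exists without a `password` key, the kubectl side of that pipeline yields nothing or errors, but the assignment's status is `base64 -d`'s (exit 0 on empty input), so `set -eu` does not stop the script and psql is handed `mas_pass=""`, which would leave the mas role with an empty password. A one-line check after the `fi` closes that gap: `if [ -z "${MAS_PASS}" ]; then echo "mas-db secret has no password" >&2; exit 1; fi`. Note also that `--from-literal=password="${MAS_PASS}"` puts the password on the argv of `kubectl create secret` (the old `--from-file` path did not), and the `-v mas_pass=` argument is now also visible in the postgres pod's process table via `kubectl exec`; writing it to a temp file under the existing `umask 077` and using `--from-file`, as before, avoids the first exposure. The `DO $$` block and the SQL heredoc continue past the end of this hunk.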
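Review bot: The new `pods/exec` rule with `verbs: ["create"]` on `postgres-0` lets the `mas-db-ensure` service account run arbitrary commands inside the database pod — the job manifest in this commit uses it to run `psql -U postgres` with no credential, relying on the pod's local auth — which is far broader than the `statefulsets` read it replaces. `resourceNames` does confine it to that one pod, but anything holding this token can read that container's environment and data, so the binding should be treated as database-superuser access and kept limited to this Job. Separately, the `resourceNames: ["mas-db"]` rule still carries `create`, and Kubernetes cannot match a `create` request against `resourceNames` because the request has no object name at authorization time, so on a cluster where the `mas-db` secret does not yet exist the job's `kubectl create secret generic mas-db` would be forbidden; if first-run creation is intended, grant `create` on `secrets` in a separate rule without `resourceNames`, or pre-create the secret and drop the verb. The Role's `metadata` header lies outside this hunk.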