From a5211fe511788931343fe3b34a02802ae62c9676 Mon Sep 17 00:00:00 2001 From: Christian Adams Date: Wed, 3 Apr 2024 10:19:57 -0700 Subject: [PATCH] Add postgres init container to resolve permissions for some k3s deployments (#1805) Add postgres init container if postgres_data_volume_init is true This is aimed to solve the issue where users may need to chmod or chown the postgres data volume for user 26, which is the user that is running postgres in the sclorg image. For example, one can now set the follow on the AWX spec: spec: postgres_init_container_commands: | chown 26:0 /var/lib/pgsql/data chmod 700 /var/lib/pgsql/data Deprecate postgres_init_container_resource_requirements param in favor of postgres_resource_requirements param. Signed-off-by: Seth Foster Co-authored-by: craph <14820052+craph@users.noreply.github.com> Co-authored-by: kurokobo Co-authored-by: Christian M. Adams --- config/crd/bases/awx.ansible.com_awxs.yaml | 8 ++++- .../awx-operator.clusterserviceversion.yaml | 15 ++++++-- .../awx_v1beta1_awx_resource_limits.yaml | 7 ---- .../containers-resource-requirements.md | 26 +++++--------- docs/user-guide/database-configuration.md | 36 ++++++++++++++----- .../default/templates/awx_cr_molecule.yml.j2 | 3 +- roles/installer/defaults/main.yml | 10 +++--- .../templates/statefulsets/postgres.yaml.j2 | 23 +++++++++++- 8 files changed, 84 insertions(+), 44 deletions(-) diff --git a/config/crd/bases/awx.ansible.com_awxs.yaml b/config/crd/bases/awx.ansible.com_awxs.yaml index e8c850e2..5137f5fa 100644 --- a/config/crd/bases/awx.ansible.com_awxs.yaml +++ b/config/crd/bases/awx.ansible.com_awxs.yaml @@ -1460,7 +1460,7 @@ spec: type: object type: object postgres_init_container_resource_requirements: - description: Resource requirements for the postgres init container + description: (Deprecated, use postgres_resource_requirements parameter) Resource requirements for the postgres init container properties: requests: properties: 
@@ -1811,6 +1811,12 @@ spec: type: array items: type: string + postgres_data_volume_init: + description: Sets permissions on the /var/lib/pgdata/data for postgres container using an init container (not Openshift) + type: boolean + postgres_init_container_commands: + description: Customize the postgres init container commands (Non Openshift) + type: string postgres_extra_volumes: description: Specify extra volumes to add to the application pod type: string diff --git a/config/manifests/bases/awx-operator.clusterserviceversion.yaml b/config/manifests/bases/awx-operator.clusterserviceversion.yaml index 127aac71..679585ca 100644 --- a/config/manifests/bases/awx-operator.clusterserviceversion.yaml +++ b/config/manifests/bases/awx-operator.clusterserviceversion.yaml @@ -456,12 +456,21 @@ spec: x-descriptors: - urn:alm:descriptor:com.tectonic.ui:advanced - urn:alm:descriptor:com.tectonic.ui:resourceRequirements - - description: The PostgreSQL init container is not used when an external DB - is configured + - description: Sets permissions on the /var/lib/pgsql/data for postgres container using an init container (not Openshift) + displayName: PostgreSQL initialize data volume + path: postgres_data_volume_init + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:hidden + - description: Customize the postgres init container commands (Non Openshift) + displayName: PostgreSQL Init Container Commands + path: postgres_init_container_commands + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:hidden + - description: (Deprecated, use postgres_resource_requirements parameter instead) displayName: PostgreSQL Init Container Resource Requirements path: postgres_init_container_resource_requirements x-descriptors: - - urn:alm:descriptor:com.tectonic.ui:advanced + - urn:alm:descriptor:com.tectonic.ui:hidden - urn:alm:descriptor:com.tectonic.ui:resourceRequirements - displayName: Redis Container Resource Requirements path: redis_resource_requirements 
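Review bot: The description added for `postgres_data_volume_init` names the path `/var/lib/pgdata/data`, but the clusterserviceversion descriptor in the next hunk and the default `postgres_init_container_commands` both use `/var/lib/pgsql/data`, so the CRD text looks like a typo: `description: Sets permissions on /var/lib/pgsql/data for the postgres container using an init container (not OpenShift)`. Operators reviewing this field would also benefit from the description stating that the init container runs as root, since the statefulset template sets `runAsUser: 0`; appending `; the init container runs as UID 0` to both the CRD and CSV descriptions covers that. The same wording point applies to the matching `postgres_data_volume_init` descriptor in the clusterserviceversion hunk on this line.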
diff --git a/config/samples/awx_v1beta1_awx_resource_limits.yaml b/config/samples/awx_v1beta1_awx_resource_limits.yaml
index 45681d56..1a69baf7 100644
--- a/config/samples/awx_v1beta1_awx_resource_limits.yaml
+++ b/config/samples/awx_v1beta1_awx_resource_limits.yaml
@@ -46,10 +46,3 @@ spec:
 limits:
 cpu: 1000m
 memory: 2Gi
- postgres_init_container_resource_requirements:
- requests:
- cpu: 10m
- memory: 64Mi
- limits:
- cpu: 1000m
- memory: 2Gi
diff --git a/docs/user-guide/advanced-configuration/containers-resource-requirements.md b/docs/user-guide/advanced-configuration/containers-resource-requirements.md
index 23cf702f..a014c3bf 100644
--- a/docs/user-guide/advanced-configuration/containers-resource-requirements.md
+++ b/docs/user-guide/advanced-configuration/containers-resource-requirements.md
@@ -22,16 +22,15 @@ spec: The resource requirements for both, the task and the web containers are configurable - both the lower end (requests) and the upper end (limits). -| Name | Description | Default | -| -------------------------- | ------------------------------------------------ | ------------------------------------ | -| web_resource_requirements | Web container resource requirements | requests: {cpu: 100m, memory: 128Mi} | -| task_resource_requirements | Task container resource requirements | requests: {cpu: 100m, memory: 128Mi} | -| ee_resource_requirements | EE control plane container resource requirements | requests: {cpu: 50m, memory: 64Mi} | -| redis_resource_requirements | Redis container resource requirements | requests: {cpu: 100m, memory: 128Mi} | -| postgres_resource_requirements | Postgres container resource requirements | requests: {cpu: 10m, memory: 64Mi} | -| rsyslog_resource_requirements | Rsyslog container resource requirements | requests: {cpu: 100m, memory: 128Mi} | -| init_container_resource_requirements | Init Container resource requirements | requests: {cpu: 100m, memory: 128Mi} | -| postgres_init_container_resource_requirements | Postgres Init Container resource requirements | requests: {cpu: 10m, memory: 64Mi} | +| Name | Description | Default | +| ------------------------------------ | ------------------------------------------------------------ | ------------------------------------ | +| web_resource_requirements | Web container resource requirements | requests: {cpu: 100m, memory: 128Mi} | +| task_resource_requirements | Task container resource requirements | requests: {cpu: 100m, memory: 128Mi} | +| ee_resource_requirements | EE control plane container resource requirements | requests: {cpu: 50m, memory: 64Mi} | +| redis_resource_requirements | Redis container resource requirements | requests: {cpu: 100m, memory: 128Mi} | +| postgres_resource_requirements | Postgres container (and initContainer) resource requirements | requests: 
{cpu: 10m, memory: 64Mi} | +| rsyslog_resource_requirements | Rsyslog container resource requirements | requests: {cpu: 100m, memory: 128Mi} | +| init_container_resource_requirements | Init Container resource requirements | requests: {cpu: 100m, memory: 128Mi} | Example of customization could be: @@ -85,13 +84,6 @@ spec: limits: cpu: 1000m memory: 2Gi - postgres_init_container_resource_requirements: - requests: - cpu: 10m - memory: 64Mi - limits: - cpu: 1000m - memory: 2Gi ``` diff --git a/docs/user-guide/database-configuration.md b/docs/user-guide/database-configuration.md index 8fcc9fa5..2f1bcffe 100644 --- a/docs/user-guide/database-configuration.md +++ b/docs/user-guide/database-configuration.md 
@@ -56,15 +56,14 @@ If you don't have access to an external PostgreSQL service, the AWX operator can The following variables are customizable for the managed PostgreSQL service -| Name | Description | Default | -| --------------------------------------------- | --------------------------------------------- | --------------------------------------- | -| postgres_image | Path of the image to pull | quay.io/sclorg/postgresql-15-c9s | -| postgres_image_version | Image version to pull | latest | -| postgres_init_container_resource_requirements | Database init container resource requirements | requests: {cpu: 10m, memory: 64Mi} | -| postgres_resource_requirements | PostgreSQL container resource requirements | requests: {cpu: 10m, memory: 64Mi} | -| postgres_storage_requirements | PostgreSQL container storage requirements | requests: {storage: 8Gi} | -| postgres_storage_class | PostgreSQL PV storage class | Empty string | -| postgres_priority_class | Priority class used for PostgreSQL pod | Empty string | +| Name | Description | Default | +| --------------------------------------------- | --------------------------------------------------------------- | --------------------------------------- | +| postgres_image | Path of the image to pull | quay.io/sclorg/postgresql-15-c9s | +| postgres_image_version | Image version to pull | latest | +| postgres_resource_requirements | PostgreSQL container (and initContainer) resource requirements | requests: {cpu: 10m, memory: 64Mi} | +| postgres_storage_requirements | PostgreSQL container storage requirements | requests: {storage: 8Gi} | +| postgres_storage_class | PostgreSQL PV storage class | Empty string | +| postgres_priority_class | Priority class used for PostgreSQL pod | Empty string | Example of customization could be: 
@@ -99,3 +98,22 @@ We recommend you use the default image sclorg image. If you are coming from a de You can no longer configure a custom `postgres_data_path` because it is hardcoded in the quay.io/sclorg/postgresql-15-c9s image. If you override the postgres image to use a custom postgres image like postgres:15 for example, the default data directory path may be different. These images cannot be used interchangeably. + +#### Initialize Postgres data volume + +When using a hostPath backed PVC and some other storage classes like longhorn storagfe, the postgres data directory needs to be accessible by the user in the postgres pod (UID 26). + +To initialize this directory with the correct permissions, configure the following setting, which will use an init container to set the permissions in the postgres volume. + +```yaml +spec: + postgres_data_volume_init: true +``` + +Should you need to modify the init container commands, there is an example below. + +```yaml +postgres_init_container_commands: | + chown 26:0 /var/lib/pgsql/data + chmod 700 /var/lib/pgsql/data +``` diff --git a/molecule/default/templates/awx_cr_molecule.yml.j2 b/molecule/default/templates/awx_cr_molecule.yml.j2 index 13f0b768..f581ecbe 100644 --- a/molecule/default/templates/awx_cr_molecule.yml.j2 +++ b/molecule/default/templates/awx_cr_molecule.yml.j2 @@ -32,11 +32,10 @@ spec: memory: 16M no_log: false postgres_resource_requirements: {} - postgres_init_container_resource_requirements: {} redis_resource_requirements: {} additional_labels: - my/team - my/service {% if additional_fields is defined %} {{ additional_fields | to_nice_yaml | indent(2) }} -{% endif %} \ No newline at end of file +{% endif %} diff --git a/roles/installer/defaults/main.yml b/roles/installer/defaults/main.yml index 582f095e..ed162060 100644 --- a/roles/installer/defaults/main.yml +++ b/roles/installer/defaults/main.yml 
@@ -395,10 +395,7 @@ postgres_resource_requirements: requests: cpu: 10m memory: 64Mi -postgres_init_container_resource_requirements: - requests: - cpu: 10m - memory: 64Mi + # Assign a preexisting priority class to the postgres pod postgres_priority_class: '' @@ -412,6 +409,11 @@ projects_existing_claim: '' # Define postgres configuration arguments to use postgres_extra_args: '' +postgres_data_volume_init: false +postgres_init_container_commands: | + chown 26:0 /var/lib/pgsql/data + chmod 700 /var/lib/pgsql/data + # Configure postgres connection keepalive postgres_keepalives: true postgres_keepalives_idle: 5 diff --git a/roles/installer/templates/statefulsets/postgres.yaml.j2 b/roles/installer/templates/statefulsets/postgres.yaml.j2 index 08c02312..15ce45f7 100644 --- a/roles/installer/templates/statefulsets/postgres.yaml.j2 +++ b/roles/installer/templates/statefulsets/postgres.yaml.j2 @@ -46,6 +46,27 @@ spec: {% endif %} {% if postgres_priority_class is defined %} priorityClassName: '{{ postgres_priority_class }}' +{% endif %} +{% if postgres_data_volume_init and not is_openshift %} + initContainers: + - name: init + image: '{{ _postgres_image }}' + imagePullPolicy: '{{ image_pull_policy }}' + securityContext: + runAsUser: 0 + command: + - /bin/sh + - -c + - | + {{ postgres_init_container_commands | indent(width=14) }} + resources: {{ postgres_init_container_resource_requirements | default(postgres_resource_requirements) }} + volumeMounts: + - name: postgres-{{ supported_pg_version }} + mountPath: '{{ _postgres_data_path | dirname }}' + subPath: '{{ _postgres_data_path | dirname | basename }}' +{% if postgres_extra_volume_mounts %} + {{ postgres_extra_volume_mounts | indent(width=12, first=True) }} +{% endif %} {% endif %} containers: - image: '{{ _postgres_image }}' 
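Review bot: `postgres_data_volume_init` and `postgres_init_container_commands` are added to the defaults without a comment, while the neighbouring keys in this hunk (`# Define postgres configuration arguments to use`, `# Configure postgres connection keepalive`) each carry one. Suggest `# Run a root init container that fixes ownership/mode of the postgres data volume (ignored on OpenShift)` above `postgres_data_volume_init: false`, and `# Shell run by that init container via /bin/sh -c; adjust if a custom postgres image uses a different data path or UID` above `postgres_init_container_commands`. The `|` block scalar keeps a trailing newline, which is harmless here since the value is handed to `/bin/sh -c` in the statefulset template.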
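Review bot: The new init container runs with `runAsUser: 0` and executes operator-supplied shell from `postgres_init_container_commands`, but its `securityContext` sets nothing beyond the UID; the default commands only chown and chmod the data directory, so the container can run with privilege escalation disabled and a minimal capability set. The capability list below is what the default commands appear to need (CHOWN for `chown`, FOWNER for `chmod` on a directory root does not own); users with custom commands may need more, so exposing it as a variable would be reasonable, and it should be verified against the sclorg image. Mounting `postgres_extra_volume_mounts` into this root container as well as the postgres container widens what the init script can reach; if that mount is only there for parity, consider omitting it from the init container. The `resources` line still silently honours the deprecated `postgres_init_container_resource_requirements`; emitting a deprecation warning in the role when it is defined would help users migrate.
```yaml
      securityContext:
        runAsUser: 0
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
          add: ["CHOWN", "FOWNER"]
      # … unchanged: command, resources, volumeMounts …
```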
@@ -113,7 +134,7 @@ spec:
 - name: postgres-{{ supported_pg_version }}
 mountPath: '{{ _postgres_data_path | dirname }}'
 subPath: '{{ _postgres_data_path | dirname | basename }}'
-{% if postgres_extra_volume_mounts -%}
+{% if postgres_extra_volume_mounts %}
 {{ postgres_extra_volume_mounts | indent(width=12, first=True) }}
 {% endif %}
 resources: {{ postgres_resource_requirements }}