chore(database): use env replace creds volume

Author: duanhongyi

charts/database/templates/_helper.tpl

@@ -1,16 +1,44 @@
-{{- define "database.envs" -}}
+{{- define "database.envs" }}
 env:
 - name: DATABASE_STORAGE
   value: "{{.Values.global.storage}}"
 - name: PGCTLTIMEOUT
   value: "{{.Values.timeout}}"
-{{- if eq .Values.global.minioLocation "on-cluster" }}
+- name: "DRYCC_DATABASE_USER"
+  valueFrom:
+    secretKeyRef:
+      name: database-creds
+      key: user
+- name: "DRYCC_DATABASE_PASSWORD"
+  valueFrom:
+    secretKeyRef:
+      name: database-creds
+      key: password
+- name: "DRYCC_MINIO_LOOKUP"
+  valueFrom:
+    secretKeyRef:
+      name: minio-creds
+      key: lookup
+- name: "DRYCC_MINIO_BUCKET"
+  valueFrom:
+    secretKeyRef:
+      name: minio-creds
+      key: database-bucket
 - name: "DRYCC_MINIO_ENDPOINT"
-  value: ${DRYCC_MINIO_SERVICE_HOST}:${DRYCC_MINIO_SERVICE_PORT}
-{{- else }}
-- name: "DRYCC_MINIO_ENDPOINT"
-  value: "{{ .Values.minio.endpoint }}"
-{{- end }}
+  valueFrom:
+    secretKeyRef:
+      name: minio-creds
+      key: endpoint
+- name: "DRYCC_MINIO_ACCESSKEY"
+  valueFrom:
+    secretKeyRef:
+      name: minio-creds
+      key: accesskey
+- name: "DRYCC_MINIO_SECRETKEY"
+  valueFrom:
+    secretKeyRef:
+      name: minio-creds
+      key: secretkey
 {{- end }}
 
 {{/* Generate database deployment limits */}}

charts/database/templates/database-deployment.yaml

@@ -28,17 +28,17 @@ spec:
         args:
           - netcat
           - -v
-          - -a
+          - -u
           - $(DRYCC_MINIO_ENDPOINT)
-        {{- include "builder.envs" . | indent 8 }}
+        {{- include "database.envs" . | indent 8 }}
       containers:
       - name: drycc-database
         image: {{.Values.imageRegistry}}/{{.Values.imageOrg}}/postgres:{{.Values.imageTag}}
         imagePullPolicy: {{.Values.imagePullPolicy}}
         ports:
         - containerPort: 5432
-        {{- include "builder.limits" . | indent 8 }}
-        {{- include "builder.envs" . | indent 8 }}
+        {{- include "database.limits" . | indent 8 }}
+        {{- include "database.envs" . | indent 8 }}
         lifecycle:
           preStop:
             exec:
@@ -54,25 +54,13 @@ spec:
             - is_running
           initialDelaySeconds: 30
           timeoutSeconds: 1
+      {{- if .Values.persistence.enabled }}
         volumeMounts:
-        - name: database-creds
-          mountPath: /var/run/secrets/drycc/database/creds
-        - name: minio-creds
-          mountPath: /var/run/secrets/drycc/minio/creds
-        {{- if .Values.persistence.enabled }}
         - name: database-data
           mountPath: /data
-        {{- end }}
       volumes:
-      {{- if .Values.persistence.enabled }}
       - name: database-data
         persistentVolumeClaim:
           claimName: drycc-database
       {{- end }}
-      - name: database-creds
-        secret:
-          secretName: database-creds
-      - name: minio-creds
-        secret:
-          secretName: minio-creds
 {{- end }}

charts/database/templates/database-secret-creds.yaml

@@ -9,6 +9,6 @@ metadata:
   annotations:
     "helm.sh/hook": pre-install
 data:
-  user: {{ if .Values.username | default "" | ne "" }}{{ .Values.username | b64enc }}{{ else }}{{ randAlphaNum 32 | b64enc }}{{ end }}
+  user: {{ if .Values.user | default "" | ne "" }}{{ .Values.user | b64enc }}{{ else }}{{ randAlphaNum 32 | b64enc }}{{ end }}
   password: {{ if .Values.password | default "" | ne "" }}{{ .Values.password | b64enc }}{{ else }}{{ randAlphaNum 32 | b64enc }}{{ end }}
 {{- end }}

contrib/ci/test-minio.sh

@@ -18,30 +18,32 @@ create-postgres-creds
 
 puts-step "creating fake minio credentials"
 
-mkdir -p "${CURRENT_DIR}"/tmp/aws-user
-echo "us-east-1" > "${CURRENT_DIR}"/tmp/aws-user/region
-echo "database-bucket" > "${CURRENT_DIR}"/tmp/aws-user/database-bucket
-echo "1234567890123456789012345678901234567890" > "${CURRENT_DIR}"/tmp/aws-user/accesskey
-echo "1234567890123456789012345678901234567890" > "${CURRENT_DIR}"/tmp/aws-user/secretkey
-
+s3Accesskey="1234567890123456789012345678901234567890"
+s3Secretkey="1234567890123456789012345678901234567890"
 # boot minio
 mkdir -p "${CURRENT_DIR}"/tmp/bin
-echo "ls /data/database-bucket/*/basebackups_005" > "${CURRENT_DIR}"/tmp/bin/backups.sh
+echo "ls /data/database/*/basebackups_005" > "${CURRENT_DIR}"/tmp/bin/backups.sh
 MINIO_JOB=$(docker run -d \
+  -e DRYCC_MINIO_ACCESSKEY=$s3Accesskey \
+  -e DRYCC_MINIO_SECRETKEY=$s3Secretkey \
   -v "${CURRENT_DIR}"/tmp/bin:/tmp/bin \
-  -v "${CURRENT_DIR}"/tmp/aws-user:/var/run/secrets/drycc/minio/creds \
   "${DEV_REGISTRY}"/drycc/minio:canary server /data/)
 
 puts-step "minio starting, wait 30s."
 sleep 30
 
 # boot postgres, linking the minio container and setting DRYCC_MINIO_ENDPOINT
 MINIO_IP=$(docker inspect --format "{{ .NetworkSettings.IPAddress }}" "${MINIO_JOB}")
-PG_CMD="docker run -d --add-host minio:${MINIO_IP} -e PGCTLTIMEOUT=1200 \
-  -e BACKUP_FREQUENCY=1s -e DATABASE_STORAGE=minio \
-  -e DRYCC_MINIO_ENDPOINT=minio:9000 \
-  -v ${CURRENT_DIR}/tmp/creds:/var/run/secrets/drycc/database/creds \
-  -v ${CURRENT_DIR}/tmp/aws-user:/var/run/secrets/drycc/minio/creds $1"
+PG_CMD="docker run -d \
+  --add-host minio.local:${MINIO_IP} \
+  -e PGCTLTIMEOUT=1200 \
+  -e BACKUP_FREQUENCY=1s \
+  -e DATABASE_STORAGE=minio \
+  -e DRYCC_MINIO_LOOKUP=path \
+  -e DRYCC_MINIO_BUCKET=database \
+  -e DRYCC_MINIO_ENDPOINT=http://minio.local:9000 \
+  -e DRYCC_MINIO_ACCESSKEY=$s3Accesskey \
+  -e DRYCC_MINIO_SECRETKEY=$s3Secretkey $1"
 
 start-postgres "${PG_CMD}"
 

rootfs/bin/create_bucket

@@ -2,18 +2,22 @@
 
 set -e
 
-# shellcheck disable=SC1091
-source /bin/normalize_storage
+mc config host add minio \
+  "${DRYCC_MINIO_ENDPOINT}" \
+  "${DRYCC_MINIO_ACCESSKEY}" \
+  "${DRYCC_MINIO_SECRETKEY}" \
+  --lookup "${DRYCC_MINIO_LOOKUP}" \
+  --api s3v4
 
 has_bucket(){
-    mc ls minio -json|jq -r '.key'|grep -w "${MINIO_BUCKET}"
+    mc ls minio -json|jq -r '.key'|grep -w "${DRYCC_MINIO_BUCKET}"
 }
 
 if  [ -z "$(has_bucket)" ] ;then
-    mc mb minio/"${MINIO_BUCKET}"
+    mc mb minio/"${DRYCC_MINIO_BUCKET}"
     if  [ -z "$(has_bucket)" ] ;then
-        echo "create bucket ${MINIO_BUCKET} error"
+        echo "create bucket ${DRYCC_MINIO_BUCKET} error"
         exit 1
     fi
 fi
-echo "create bucket ${MINIO_BUCKET} success"
+echo "create bucket ${DRYCC_MINIO_BUCKET} success"

rootfs/bin/normalize_storage

@@ -2,21 +2,11 @@
 
 cd "$WALG_ENVDIR"
 
-AWS_ACCESS_KEY_ID=$(cat /var/run/secrets/drycc/minio/creds/accesskey)
-AWS_SECRET_ACCESS_KEY=$(cat /var/run/secrets/drycc/minio/creds/secretkey)
-
-BUCKET_FILE="/var/run/secrets/drycc/minio/creds/database-bucket"
-if [ -f $BUCKET_FILE ]; then
-  BUCKET_NAME=$(cat "$BUCKET_FILE")
-  export BUCKET_NAME
-else
-  export BUCKET_NAME="database"
+echo $DRYCC_MINIO_ACCESSKEY > AWS_ACCESS_KEY_ID
+echo $DRYCC_MINIO_SECRETKEY > AWS_SECRET_ACCESS_KEY
+echo "s3://$DRYCC_MINIO_BUCKET/$PG_MAJOR" > WALE_S3_PREFIX
+echo "${DRYCC_MINIO_ENDPOINT}" > AWS_ENDPOINT
+if [ "${DRYCC_MINIO_LOOKUP}" == "path" ]; then
+  echo "true" > AWS_S3_FORCE_PATH_STYLE
 fi
-
-echo $AWS_ACCESS_KEY_ID > AWS_ACCESS_KEY_ID
-echo $AWS_SECRET_ACCESS_KEY > AWS_SECRET_ACCESS_KEY
-echo "s3://$BUCKET_NAME/$PG_MAJOR" > WALE_S3_PREFIX
-echo "http://${DRYCC_MINIO_ENDPOINT}" > AWS_ENDPOINT
-echo "true" > AWS_S3_FORCE_PATH_STYLE
-echo $AWS_REGION > S3_REGION
-echo $BUCKET_NAME > BUCKET_NAME
+echo $DRYCC_MINIO_BUCKET > BUCKET_NAME

rootfs/docker-entrypoint-initdb.d/001_setup_envdir.sh

@@ -10,8 +10,8 @@ set_listen_addresses() {
 	sed -ri "s/^#?(listen_addresses\s*=\s*)\S+/\1'$sedEscapedValue'/" "$PGDATA/postgresql.conf"
 }
 
-POSTGRES_USER="$(cat /var/run/secrets/drycc/database/creds/user)"
-POSTGRES_PASSWORD="$(cat /var/run/secrets/drycc/database/creds/password)"
+POSTGRES_USER="${DRYCC_DATABASE_USER}"
+POSTGRES_PASSWORD="${DRYCC_DATABASE_PASSWORD}"
 
 if [ "$1" = 'postgres' ]; then
 	mkdir -p "$PGDATA"