Configure SQL as helm storage backend

Configmap is the default helmv2 storage backend to store release information but its 1MB resource limit prevents scaling up stx openstack worker nodes, so we want to use SQL as helm storage backend. Add class in helm puppet manifest to setup helm database during ansible bootstrap. This commit also fixes the IP address in postgres pg_hba.conf. Currently, we have the following rules for both IPv4 and IPv6 systems: Rule Name: allow access to all users with encrypted password from all IPv4 addresses. host all all 0.0.0.0/0 md5 Rule Name: deny access to postgresql user. host all postgres 0.0.0.0/32 reject For the IPv6 system, the address of pods is IPv6. The CIDR address in the rule should be changed to corresponding IPv6 address (::0/0) to allow tiller running in container to access helm database. Depends-On: https://review.opendev.org/#/c/761645/ Change-Id: Ifd072000e0680a59d5be0f2f1ef2ce1cbabc1e4f Partial-Bug: 1887677 Signed-off-by: Angie Wang <angie.wang@windriver.com>
2020-09-28 11:39:17 -04:00 · 2020-09-28 11:39:17 -04:00 · 0f7418e761
parent 8c75eabee4
commit 0f7418e761
4 changed files with 43 additions and 7 deletions
--- a/puppet-manifests/src/hieradata/controller.yaml
+++ b/puppet-manifests/src/hieradata/controller.yaml
@ -81,8 +81,6 @@ platform::influxdb::logrotate::params::log_file_rotate: 10
 # postgresql
 postgresql::globals::needs_initdb: false
 postgresql::server::service_enable: false
-postgresql::server::ip_mask_deny_postgres_user: '0.0.0.0/32'
-postgresql::server::ip_mask_allow_all_users: '0.0.0.0/0'
 postgresql::server::pg_hba_conf_path: "/etc/postgresql/pg_hba.conf"
 postgresql::server::pg_ident_conf_path: "/etc/postgresql/pg_ident.conf"
 postgresql::server::postgresql_conf_path: "/etc/postgresql/postgresql.conf"
--- a/puppet-manifests/src/manifests/ansible_bootstrap.pp
+++ b/puppet-manifests/src/manifests/ansible_bootstrap.pp
@ -21,6 +21,9 @@ include ::platform::client::bootstrap

 include ::platform::sysinv::bootstrap

+# Puppet class to setup helm database
+include ::platform::helm::bootstrap
+
 # Puppet classes to enable the bring up of kubernetes master
 include ::platform::docker::bootstrap
 include ::platform::etcd::bootstrap
--- a/puppet-manifests/src/modules/platform/manifests/helm.pp
+++ b/puppet-manifests/src/modules/platform/manifests/helm.pp
@ -111,3 +111,22 @@ class platform::helm::runtime {

  Exec['sm-restart-lighttpd'] -> Class['::platform::helm::repositories']
 }
+
+class platform::helm::v2::db::postgresql (
+  $password,
+  $dbname = 'helmv2',
+  $user   = 'helmv2',
+  $encoding   = undef,
+  $privileges = 'ALL',
+) {
+    ::postgresql::server::db { $dbname:
+      user     => $user,
+      password => postgresql_password($user, $password),
+      encoding => $encoding,
+      grant    => $privileges,
+    }
+}
+
+class platform::helm::bootstrap {
+  include ::platform::helm::v2::db::postgresql
+}
--- a/puppet-manifests/src/modules/platform/manifests/postgresql.pp
+++ b/puppet-manifests/src/modules/platform/manifests/postgresql.pp
@ -7,12 +7,20 @@ class platform::postgresql::params
  $data_dir = "${root_dir}/${::platform::params::software_version}"

  $password = undef
+
+  include ::platform::network::mgmt::params
+  if $::platform::network::mgmt::params::subnet_version == $::platform::params::ipv6 {
+    $ip_mask_allow_all_users = '::0/0'
+    $ip_mask_deny_postgres_user = '::0/128'
+  } else {
+    $ip_mask_allow_all_users = '0.0.0.0/0'
+    $ip_mask_deny_postgres_user = '0.0.0.0/32'
+  }
 }


-class platform::postgresql::server (
-  $ipv4acl = undef,
-) inherits ::platform::postgresql::params {
+class platform::postgresql::server
+  inherits ::platform::postgresql::params {

  include ::platform::params

@ -100,8 +108,9 @@ class platform::postgresql::server (
  }

  -> class {'::postgresql::server':
-    ip_mask_allow_all_users => $ipv4acl,
-    service_ensure          => 'stopped',
+    ip_mask_allow_all_users    => $ip_mask_allow_all_users,
+    ip_mask_deny_postgres_user => $ip_mask_deny_postgres_user,
+    service_ensure             => 'stopped',
  }
 }

@ -154,6 +163,8 @@ class platform::postgresql::bootstrap
  }

  -> class {'::postgresql::server':
+    ip_mask_allow_all_users    => $ip_mask_allow_all_users,
+    ip_mask_deny_postgres_user => $ip_mask_deny_postgres_user
  }

  # Allow local postgres user as trusted for simplex upgrade scripts
@ -185,12 +196,15 @@ class platform::postgresql::upgrade
  }

  -> class {'::postgresql::server':
+    ip_mask_allow_all_users    => $ip_mask_allow_all_users,
+    ip_mask_deny_postgres_user => $ip_mask_deny_postgres_user
  }

  include ::barbican::db::postgresql
  include ::sysinv::db::postgresql
  include ::keystone::db::postgresql
  include ::fm::db::postgresql
+  include ::platform::helm::v2::db::postgresql
 }

 class platform::postgresql::sc::configured {
@ -212,6 +226,8 @@ class platform::postgresql::sc::runtime
  }

  -> class {'::postgresql::server':
+    ip_mask_allow_all_users    => $ip_mask_allow_all_users,
+    ip_mask_deny_postgres_user => $ip_mask_deny_postgres_user
  }

  include ::platform::dcmanager::runtime