Allow for Operator generation of deafult pgBackRest configuration

Jonathan S. Katz · Jonathan S. Katz · commit 8b68b8b1b4bc · 2021-11-22T14:01:22.000-05:00
The "pgo-backrest-repo-config" consists of several default
files that can be generated when the Operator is initially loaded
(and reconciled on initialization as well). This removes additional
manual steps required when deploying the Operator through methods
such as OLM, making it easier to get started.
diff --git a/build/postgres-operator/Dockerfile b/build/postgres-operator/Dockerfile
@@ -28,6 +28,7 @@ RUN if [ "$DFSET" = "rhel" ] ; then \
 fi
 
 ADD bin/postgres-operator /usr/local/bin
+ADD installers/ansible/roles/pgo-operator/files/pgo-backrest-repo /default-pgo-backrest-repo
 ADD installers/ansible/roles/pgo-operator/files/pgo-configs /default-pgo-config
 ADD conf/postgres-operator/pgo.yaml /default-pgo-config/pgo.yaml
 
diff --git a/deploy/deploy.sh b/deploy/deploy.sh
@@ -46,14 +46,14 @@ fi
 pgbackrest_aws_s3_key=$(awsKeySecret "aws-s3-key")
 pgbackrest_aws_s3_key_secret=$(awsKeySecret "aws-s3-key-secret")
 
-$PGO_CMD --namespace=$PGO_OPERATOR_NAMESPACE create secret generic pgo-backrest-repo-config \
-	--from-file=config=${PGO_CONF_DIR}/pgo-backrest-repo/config \
-	--from-file=sshd_config=${PGO_CONF_DIR}/pgo-backrest-repo/sshd_config \
-	--from-file=aws-s3-ca.crt=${PGO_CONF_DIR}/pgo-backrest-repo/aws-s3-ca.crt \
-	--from-literal=aws-s3-key="${pgbackrest_aws_s3_key}" \
-	--from-literal=aws-s3-key-secret="${pgbackrest_aws_s3_key_secret}"
-$PGO_CMD --namespace=$PGO_OPERATOR_NAMESPACE label secret pgo-backrest-repo-config \
-	vendor=crunchydata
+if [[ ! -z $pgbackrest_aws_s3_key ]] || [[ ! -z $pgbackrest_aws_s3_key_secret ]]
+then
+	$PGO_CMD --namespace=$PGO_OPERATOR_NAMESPACE create secret generic pgo-backrest-repo-config \
+		--from-literal=aws-s3-key="${pgbackrest_aws_s3_key}" \
+		--from-literal=aws-s3-key-secret="${pgbackrest_aws_s3_key_secret}"
+	$PGO_CMD --namespace=$PGO_OPERATOR_NAMESPACE label secret pgo-backrest-repo-config \
+		vendor=crunchydata
+fi
 
 #
 # credentials for pgo-apiserver TLS REST API
diff --git a/docs/content/installation/other/operator-hub.md b/docs/content/installation/other/operator-hub.md
@@ -15,44 +15,14 @@ that is available in OperatorHub.io.
 
 ## Before You Begin
 
-There are a few manual steps that the cluster administrator must perform prior to installing PGO.
-At the very least, it must be provided with an initial configuration.
+There are some optional Secrets you can add before installing the PostgreSQL Operator into your cluster.
 
-First, make sure OLM and the OperatorHub.io catalog are installed by running
-`kubectl get CatalogSources --all-namespaces`.  You should see something similar to the following:
+### Secrets (optional)
 
-```
-NAMESPACE   NAME                    DISPLAY               TYPE   PUBLISHER
-olm         operatorhubio-catalog   Community Operators   grpc   OperatorHub.io
-```
-
-Take note of the name and namespace above, you will need them later on.
-
-Next, select a namespace in which to install the PostgreSQL Operator. PostgreSQL clusters will also be deployed here.
-If it does not exist, create it now.
-
-```
-export PGO_OPERATOR_NAMESPACE=pgo
-kubectl create namespace "$PGO_OPERATOR_NAMESPACE"
-```
-
-Next, clone the PostgreSQL Operator repository locally.
-
-```
-git clone -b v{{< param operatorVersion >}} https://github.com/CrunchyData/postgres-operator.git
-cd postgres-operator
-```
-
-### Secrets
-
-Configure pgBackRest for your environment. If you do not plan to use AWS S3 to store backups, you can omit
-the `aws-s3` keys below.
+If you plan to use AWS S3 to store backups and would like to have the keys available for every backup, you can create a Secret as described below:
 
 ```
 kubectl -n "$PGO_OPERATOR_NAMESPACE" create secret generic pgo-backrest-repo-config \
-  --from-file=./installers/ansible/roles/pgo-operator/files/pgo-backrest-repo/config \
-  --from-file=./installers/ansible/roles/pgo-operator/files/pgo-backrest-repo/sshd_config \
-  --from-file=./installers/ansible/roles/pgo-operator/files/pgo-backrest-repo/aws-s3-ca.crt \
   --from-literal=aws-s3-key="<your-aws-s3-key>" \
   --from-literal=aws-s3-key-secret="<your-aws-s3-key-secret>"
 kubectl -n "$PGO_OPERATOR_NAMESPACE" label secret pgo-backrest-repo-config \
@@ -71,9 +41,6 @@ kubectl -n "$PGO_OPERATOR_NAMESPACE" create secret tls pgo.tls \
   --key=/path/to/server.key
 ```
 
-Once these resources are in place, the PostgreSQL Operator can be installed into the cluster.
-
-
 ## Installation
 
 Create an `OperatorGroup` and a `Subscription` in your chosen namespace.
diff --git a/installers/ansible/roles/pgo-operator/tasks/main.yml b/installers/ansible/roles/pgo-operator/tasks/main.yml
@@ -102,7 +102,7 @@
         when: pgorole_pgoadmin_result.rc == 1
 
     - name: PGO Service Account
-      when: 
+      when:
         - create_rbac|bool
       tags:
         - install
@@ -124,7 +124,7 @@
         when: pgo_service_account_result.rc == 1
 
     - name: Cluster RBAC (namespace_mode 'dynamic')
-      when: 
+      when:
         - create_rbac|bool
         - namespace_mode == "dynamic"
       tags:
@@ -147,7 +147,7 @@
         when: cluster_rbac_result.rc == 1
 
     - name: Cluster RBAC (namespace_mode 'readonly')
-      when: 
+      when:
         - create_rbac|bool
         - namespace_mode == "readonly"
       tags:
@@ -175,7 +175,7 @@
       tags:
         - install
         - update
-      when: 
+      when:
         - create_rbac|bool
         - namespace_mode == "disabled"
 
@@ -263,13 +263,13 @@
         - name: Create PGO BackRest Repo Secret
           command: |
             {{ kubectl_or_oc }} create secret generic pgo-backrest-repo-config \
-              --from-file=config='{{ role_path }}/files/pgo-backrest-repo/config' \
-              --from-file=sshd_config='{{ role_path }}/files/pgo-backrest-repo/sshd_config' \
-              --from-file=aws-s3-ca.crt='{{ role_path }}/files/pgo-backrest-repo/aws-s3-ca.crt' \
               --from-literal=aws-s3-key='{{ backrest_aws_s3_key }}' \
               --from-literal=aws-s3-key-secret='{{ backrest_aws_s3_secret }}' \
               -n {{ pgo_operator_namespace }}
-          when: pgo_backrest_repo_config_result.rc == 1
+          when:
+            - pgo_backrest_repo_config_result.rc == 1
+            - (backrest_aws_s3_key | default('') != '') or
+              (backrest_aws_s3_secret | default('') != '')
 
     - name: PGO ConfigMap
       tags:
@@ -286,7 +286,7 @@
           shell: "{{ kubectl_or_oc }} get configmap pgo-config -n {{ pgo_operator_namespace }}"
           register: pgo_config_result
           failed_when: false
-          
+
         - name: Create PGO ConfigMap
           command: |
             {{ kubectl_or_oc }} create configmap pgo-config \
@@ -382,8 +382,8 @@
       shell: "{{ kubectl_or_oc }} get -f {{ output_dir }}/pgo-client.json"
       register: pgo_client_json_result
       failed_when: false
-      
+
     - name: Create PGO-Client deployment
       command: |
         {{ kubectl_or_oc }} create --filename='{{ output_dir }}/pgo-client.json'
-      when: pgo_client_json_result.rc == 1
+      when: pgo_client_json_result.rc == 1
diff --git a/installers/olm/description.openshift.md b/installers/olm/description.openshift.md
@@ -56,20 +56,12 @@ edit `conf/postgres-operator/pgo.yaml` and set `DisableFSGroup` to `true`.
 
 [Security Context Constraint]: https://docs.openshift.com/container-platform/latest/authentication/managing-security-context-constraints.html
 
-### Secrets
+### Secrets (optional)
 
-Configure pgBackRest for your environment. If you do not plan to use AWS S3 to store backups, you can omit
-the `aws-s3` keys below.
+If you plan to use AWS S3 to store backups, you can configure your environment to automatically provide your AWS S3 credentials to all newly created PostgreSQL clusters:
 
 ```
-curl https://raw.githubusercontent.com/CrunchyData/postgres-operator/v${PGO_VERSION}/installers/ansible/roles/pgo-operator/files/pgo-backrest-repo/config > config
-curl https://raw.githubusercontent.com/CrunchyData/postgres-operator/v${PGO_VERSION}/installers/ansible/roles/pgo-operator/files/pgo-backrest-repo/sshd_config > sshd_config
-curl https://raw.githubusercontent.com/CrunchyData/postgres-operator/v${PGO_VERSION}/installers/ansible/roles/pgo-operator/files/pgo-backrest-repo/aws-s3-ca.crt > aws-s3-ca.crt
-
 oc -n "$PGO_OPERATOR_NAMESPACE" create secret generic pgo-backrest-repo-config \
-  --from-file=./config \
-  --from-file=./sshd_config \
-  --from-file=./aws-s3-ca.crt \
   --from-literal=aws-s3-key="<your-aws-s3-key>" \
   --from-literal=aws-s3-key-secret="<your-aws-s3-key-secret>"
 oc -n "$PGO_OPERATOR_NAMESPACE" label secret pgo-backrest-repo-config vendor=crunchydata
diff --git a/installers/olm/description.upstream.md b/installers/olm/description.upstream.md
@@ -49,20 +49,12 @@ export PGO_OPERATOR_NAMESPACE=pgo
 kubectl create namespace "$PGO_OPERATOR_NAMESPACE"
 ```
 
-### Secrets
+### Secrets (optional)
 
-Configure pgBackRest for your environment. If you do not plan to use AWS S3 to store backups, you can omit
-the `aws-s3` keys below.
+If you plan to use AWS S3 to store backups, you can configure your environment to automatically provide your AWS S3 credentials to all newly created PostgreSQL clusters:
 
 ```
-curl https://raw.githubusercontent.com/CrunchyData/postgres-operator/v${PGO_VERSION}/installers/ansible/roles/pgo-operator/files/pgo-backrest-repo/config > config
-curl https://raw.githubusercontent.com/CrunchyData/postgres-operator/v${PGO_VERSION}/installers/ansible/roles/pgo-operator/files/pgo-backrest-repo/sshd_config > sshd_config
-curl https://raw.githubusercontent.com/CrunchyData/postgres-operator/v${PGO_VERSION}/installers/ansible/roles/pgo-operator/files/pgo-backrest-repo/aws-s3-ca.crt > aws-s3-ca.crt
-
 kubectl -n "$PGO_OPERATOR_NAMESPACE" create secret generic pgo-backrest-repo-config \
-  --from-file=./config \
-  --from-file=./sshd_config \
-  --from-file=./aws-s3-ca.crt \
   --from-literal=aws-s3-key="<your-aws-s3-key>" \
   --from-literal=aws-s3-key-secret="<your-aws-s3-key-secret>"
 kubectl -n "$PGO_OPERATOR_NAMESPACE" label secret pgo-backrest-repo-config vendor=crunchydata
diff --git a/internal/config/secrets.go b/internal/config/secrets.go
@@ -0,0 +1,18 @@
+package config
+
+/*
+ Copyright 2020 Crunchy Data Solutions, Inc.
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+*/
+
+const SecretOperatorBackrestRepoConfig = "pgo-backrest-repo-config"
diff --git a/internal/operator/common.go b/internal/operator/common.go
@@ -18,7 +18,9 @@ package operator
 import (
 	"bytes"
 	"encoding/json"
+	"io/ioutil"
 	"os"
+	"path"
 	"strings"
 
 	"github.com/crunchydata/postgres-operator/internal/config"
@@ -27,10 +29,15 @@ import (
 	log "github.com/sirupsen/logrus"
 
 	v1 "k8s.io/api/core/v1"
+	kerrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes"
 )
 
 const (
+	// defaultBackrestRepoConfigPath contains the default configuration that are used
+	// to set up a pgBackRest repository
+	defaultBackrestRepoConfigPath = "/default-pgo-backrest-repo/"
 	// defaultRegistry is the default registry to pull the container images from
 	defaultRegistry = "registry.developers.crunchydata.com/crunchydata"
 )
@@ -62,6 +69,10 @@ type containerResourcesTemplateFields struct {
 	RequestsMemory, RequestsCPU string
 }
 
+// defaultBackrestRepoConfigKeys are the default keys expected to be in the
+// pgBackRest repo config secret
+var defaultBackrestRepoConfigKeys = []string{"config", "sshd_config", "aws-s3-ca.crt"}
+
 func Initialize(clientset kubernetes.Interface) {
 
 	tmp := os.Getenv("CRUNCHY_DEBUG")
@@ -89,16 +100,15 @@ func Initialize(clientset kubernetes.Interface) {
 		os.Exit(2)
 	}
 
-	var err error
-
-	err = Pgo.GetConfig(clientset, PgoNamespace)
-	if err != nil {
+	if err := Pgo.GetConfig(clientset, PgoNamespace); err != nil {
 		log.Error(err)
-		log.Error("pgo-config files and templates did not load")
-		os.Exit(2)
+		log.Fatal("pgo-config files and templates did not load")
 	}
 
-	log.Printf("PrimaryStorage=%v\n", Pgo.Storage["storage1"])
+	// initialize the general pgBackRest secret
+	if err := initializeOperatorBackrestSecret(clientset, PgoNamespace); err != nil {
+		log.Fatal(err)
+	}
 
 	if Pgo.Cluster.CCPImagePrefix == "" {
 		log.Debugf("pgo.yaml CCPImagePrefix not set, using default %q", defaultRegistry)
@@ -360,6 +370,69 @@ func initializeControllerWorkerCounts() {
 	}
 }
 
+// initializeOperatorBackrestSecret ensures the generic pgBackRest configuration
+// is available
+func initializeOperatorBackrestSecret(clientset kubernetes.Interface, namespace string) error {
+	var isNew, isModified bool
+
+	// determine if the Secret already exists
+	secret, err := clientset.
+		CoreV1().Secrets(namespace).
+		Get(config.SecretOperatorBackrestRepoConfig, metav1.GetOptions{})
+
+	// if there is a true error, return. Otherwise, initialize a new Secret
+	if err != nil {
+		if !kerrors.IsNotFound(err) {
+			return err
+		}
+
+		secret = &v1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: config.SecretOperatorBackrestRepoConfig,
+			},
+			Data: map[string][]byte{},
+		}
+		isNew = true
+	}
+
+	// set any missing defaults
+	for _, filename := range defaultBackrestRepoConfigKeys {
+		// skip if there is already content
+		if len(secret.Data[filename]) != 0 {
+			continue
+		}
+
+		file := path.Join(defaultBackrestRepoConfigPath, filename)
+
+		// if we can't read the contents of the file for whatever reason, warn,
+		// but continue
+		// otherwise, update the entry in the Secret
+		if contents, err := ioutil.ReadFile(file); err != nil {
+			log.Warn(err)
+			continue
+		} else {
+			secret.Data[filename] = contents
+		}
+
+		isModified = true
+	}
+
+	// do not make any updates if the secret is not modified at all
+	if !isModified {
+		return nil
+	}
+
+	// make the API calls based on if we are creating or updating
+	if isNew {
+		_, err := clientset.CoreV1().Secrets(namespace).Create(secret)
+		return err
+	}
+
+	_, err = clientset.CoreV1().Secrets(namespace).Update(secret)
+
+	return err
+}
+
 // SetupNamespaces is responsible for the initial namespace configuration for the Operator
 // install.  This includes setting the proper namespace operating mode, creating and/or updating
 // namespaces as needed (or as permitted by the current operator mode), and returning a valid list
diff --git a/internal/util/cluster.go b/internal/util/cluster.go
@@ -150,7 +150,7 @@ func CreateBackrestRepoSecrets(clientset kubernetes.Interface,
 	// SSHD(...?) and possible S3 credentials
 	configs, configErr := clientset.
 		CoreV1().Secrets(backrestRepoConfig.OperatorNamespace).
-		Get("pgo-backrest-repo-config", metav1.GetOptions{})
+		Get(config.SecretOperatorBackrestRepoConfig, metav1.GetOptions{})
 
 	if configErr != nil {
 		log.Error(configErr)
