
Commit 36d6fdd

Add MCSP IDP configuration update to common service database restore process (#2602)
* Add IDP configuration update function for mcsp BR Signed-off-by: YuChen <[email protected]> * update modify idp function to verification step Signed-off-by: YuChen <[email protected]> * test idp config update Signed-off-by: YuChen <[email protected]> * get route from IM configmap Signed-off-by: YuChen <[email protected]> * remove xargs vulnerability Signed-off-by: YuChen <[email protected]> * removed test script Signed-off-by: YuChen <[email protected]> * add restart account iam pod after updating idp Signed-off-by: YuChen <[email protected]> --------- Signed-off-by: YuChen <[email protected]>
1 parent f36e515 commit 36d6fdd


1 file changed

+91
-0
lines changed


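--- a/velero/schedule/common-service-db/cs-db-br-script-cm-4.6.10.4.11.yaml
+++ b/velero/schedule/common-service-db/cs-db-br-script-cm-4.6.10.4.11.yaml
@@ -98,6 +98,9 @@ data:
 if [[ $ACCOUNT_IAM != "False" ]]; then
 info "Beginning restore of account_iam database..."
 oc -n $CSDB_NAMESPACE exec -t $CNPG_PRIMARY_POD -c postgres -- pg_restore -U postgres --dbname account_iam --format=c --clean --exit-on-error -v /run/cs-db_backup/cs-db_account_iam_backup.dump
+
+# Update IDP configuration with actual cluster domain
+update_idp_config
 fi
 oc -n $CSDB_NAMESPACE exec -t $CNPG_PRIMARY_POD -c postgres -- psql -U postgres -c "\list" -c "\dn" -c "\du"
 else
@@ -115,6 +118,94 @@ data:
 wait_for_oidc
 }
 
+function update_idp_config {
+info "Updating IDP configuration with actual cluster domain..."
+
+# Get the cluster domain from ibmcloud-cluster-info configmap
+CLUSTER_DOMAIN=$(oc get cm ibmcloud-cluster-info -n $CSDB_NAMESPACE -o jsonpath='{.data.cluster_address}' 2>/dev/null || echo "")
+
+if [[ -z $CLUSTER_DOMAIN ]]; then
+error "❌ Could not determine cluster domain from ibmcloud-cluster-info configmap. Please update IDP configuration manually."
+return 1
+fi
+
+info "✅ Detected cluster domain: $CLUSTER_DOMAIN"
+
+NEW_IDP_URL="https://${CLUSTER_DOMAIN}/idprovider/v1/auth"
+
+info "🎯 Target IDP URL: $NEW_IDP_URL"
+
+# Check if account_iam database exists
+ACCOUNT_IAM_EXISTS=$(oc -n $CSDB_NAMESPACE exec -t $CNPG_PRIMARY_POD -c postgres -- psql -U postgres -c "\list" | grep "account_iam" || echo False)
+
+if [[ $ACCOUNT_IAM_EXISTS != "False" ]]; then
+# Check current IDP configuration
+CURRENT_IDP=$(oc -n $CSDB_NAMESPACE exec -t $CNPG_PRIMARY_POD -c postgres -- psql -U postgres -d account_iam -t -c "SELECT TRIM(idp) FROM accountiam.idp_config WHERE idp LIKE '%/idprovider/v1/%' LIMIT 1;" 2>/dev/null | head -n1 | tr -d '\r\n' | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' || echo "")
+info "🌐 Current IDP URL: $CURRENT_IDP"
+echo ""
+
+if [[ -n $CURRENT_IDP ]] && [[ $CURRENT_IDP != $NEW_IDP_URL ]]; then
+info "🔄 Updating IDP configuration..."
+
+oc -n $CSDB_NAMESPACE exec -t $CNPG_PRIMARY_POD -c postgres -- psql -U postgres -d account_iam -c "
+UPDATE accountiam.idp_config
+SET idp = '$NEW_IDP_URL',
+modified_ts = NOW()
+WHERE idp LIKE '%/idprovider/v1/%';
+"
+echo ""
+info "Verifying IDP configuration update..."
+oc -n $CSDB_NAMESPACE exec -t $CNPG_PRIMARY_POD -c postgres -- psql -U postgres -d account_iam -c "
+SELECT uid, realm, idp, modified_ts
+FROM accountiam.idp_config
+ORDER BY modified_ts DESC;
+"
+
+success "IDP configuration updated successfully in account_iam database."
+
+# Restart account-iam pod to pick up the new configuration
+info "🔄 Restarting account-iam pod to apply new IDP configuration..."
+ACCOUNT_IAM_POD=$(oc get pods -n $CSDB_NAMESPACE -l app.kubernetes.io/name=account-iam --no-headers -o custom-columns=":metadata.name" | head -n1 || echo "")
+
+if [[ -n $ACCOUNT_IAM_POD ]]; then
+info "Found account-iam pod: $ACCOUNT_IAM_POD"
+oc delete pod $ACCOUNT_IAM_POD -n $CSDB_NAMESPACE
+
+info "⏳ Waiting for new account-iam pod to be ready..."
+# Wait for new pod to be running and ready
+retry_count=30
+while [[ $retry_count > 0 ]]; do
+NEW_POD=$(oc get pods -n $CSDB_NAMESPACE -l app.kubernetes.io/name=account-iam --no-headers -o custom-columns=":metadata.name,:status.phase" | grep Running | head -n1)
+if [[ -n $NEW_POD ]]; then
+POD_NAME=$(echo $NEW_POD | awk '{print $1}')
+READY_STATUS=$(oc get pod $POD_NAME -n $CSDB_NAMESPACE -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}')
+if [[ $READY_STATUS == "True" ]]; then
+info "✅ New account-iam pod is ready: $POD_NAME"
+break
+fi
+fi
+sleep 2
+retry_count=$((retry_count-1))
+done
+
+if [[ $retry_count == 0 ]]; then
+warning "⚠️ Timeout waiting for new account-iam pod to be ready"
+fi
+
+info "✅ Account-iam pod restart completed"
+else
+warning "⚠️ Could not find account-iam pod to restart. Please restart manually if needed."
+fi
+elif [[ $CURRENT_IDP == $NEW_IDP_URL ]]; then
+info "✅ IDP configuration already matches target URL, no update needed."
+else
+info "No IDP configuration found in database, skipping update."
+fi
+else
+info "account_iam database not found, IDP configuration update not applicable."
+fi
+}
+
 function wait_for_oidc {
 job_name="oidc-client-registration"
 info "Waiting for job $job_name to complete in namespace $CSDB_NAMESPACE."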
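Review bot: In `update_idp_config`, `$NEW_IDP_URL` is spliced into the UPDATE statement as a raw SQL string literal, so a `cluster_address` value containing a single quote breaks the statement or changes its meaning; since that value is read from the `ibmcloud-cluster-info` configmap rather than produced by this script, pass it as a psql variable and let psql quote it, e.g. `psql -U postgres -d account_iam -v url="$NEW_IDP_URL" -c "UPDATE accountiam.idp_config SET idp = :'url', modified_ts = NOW() WHERE idp LIKE '%/idprovider/v1/%';"`. Two smaller points in the same function: `while [[ $retry_count > 0 ]]` is a lexical string comparison inside `[[ ]]` that only counts down correctly for this particular range, so write `while (( retry_count > 0 )); do`, and `[[ $CURRENT_IDP != $NEW_IDP_URL ]]` treats the unquoted right-hand side as a glob pattern, so quote it as `"$NEW_IDP_URL"` there and on the `elif`. The `|| echo ""` after the `CURRENT_IDP` pipeline reacts only to the final `sed`, so a failed psql call silently yields an empty value and the function reports "No IDP configuration found" instead of an error; if that is intentional, a comment such as `# best-effort: a psql failure is treated as "no current IDP"` would make it clear. The function is entirely within the hunk.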
