From 5b1b4bcd0cc21f56476b8e5822ba9ca563efefbb Mon Sep 17 00:00:00 2001 From: YuChen Date: Thu, 14 Aug 2025 14:45:53 -0700 Subject: [PATCH 1/7] Add IDP configuration update function for mcsp BR Signed-off-by: YuChen --- .../cs-db-br-script-cm-4.6.10.4.11.yaml | 39 +++++++++++++++++++ 1 file changed, 39 insertions(+) diff --git a/velero/schedule/common-service-db/cs-db-br-script-cm-4.6.10.4.11.yaml b/velero/schedule/common-service-db/cs-db-br-script-cm-4.6.10.4.11.yaml index 3e923b760..dea05d5f7 100644 --- a/velero/schedule/common-service-db/cs-db-br-script-cm-4.6.10.4.11.yaml +++ b/velero/schedule/common-service-db/cs-db-br-script-cm-4.6.10.4.11.yaml @@ -98,6 +98,9 @@ data: if [[ $ACCOUNT_IAM != "False" ]]; then info "Beginning restore of account_iam database..." oc -n $CSDB_NAMESPACE exec -t $CNPG_PRIMARY_POD -c postgres -- pg_restore -U postgres --dbname account_iam --format=c --clean --exit-on-error -v /run/cs-db_backup/cs-db_account_iam_backup.dump + + # Update IDP configuration with actual cluster domain + update_idp_config fi oc -n $CSDB_NAMESPACE exec -t $CNPG_PRIMARY_POD -c postgres -- psql -U postgres -c "\list" -c "\dn" -c "\du" else 
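Review bot: The return status of `update_idp_config` is discarded at this call site, so when the function returns 1 (it does when the cluster domain cannot be determined) the restore carries on and the restored `account_iam` database keeps the IdP URLs that were in the backup. Those URLs presumably point at the cluster the dump was taken from, so a silent failure leaves logins directed at another cluster's identity provider. Consider `update_idp_config || warning "IDP configuration was not updated; review accountiam.idp_config before allowing logins"` so the outcome shows in the restore log. The enclosing restore function starts and ends outside this hunk.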
@@ -115,6 +118,42 @@ data: wait_for_oidc } + function update_idp_config { + info "Updating IDP configuration with actual cluster domain..." + + # Get the cluster domain from the management ingress + CLUSTER_DOMAIN=$(oc get route console -n openshift-console -o jsonpath='{.spec.host}' | sed 's/^console-openshift-console\.//') + + if [[ -z $CLUSTER_DOMAIN ]]; then + error "Could not determine cluster domain. Please update IDP configuration manually." + return 1 + fi + + info "Detected cluster domain: $CLUSTER_DOMAIN" + + # Construct the new IDP URL based on the cluster domain and namespace + NEW_IDP_URL="https://cp-console.${CSDB_NAMESPACE}.${CLUSTER_DOMAIN}/idprovider/v1/auth" + + info "Updating IDP URLs to: $NEW_IDP_URL" + + # Check if account_iam database exists + ACCOUNT_IAM_EXISTS=$(oc -n $CSDB_NAMESPACE exec -t $CNPG_PRIMARY_POD -c postgres -- psql -U postgres -c "\list" | grep "account_iam" || echo False) + + if [[ $ACCOUNT_IAM_EXISTS != "False" ]]; then + # Update the idp column in the idp_config table + oc -n $CSDB_NAMESPACE exec -t $CNPG_PRIMARY_POD -c postgres -- psql -U postgres -d account_iam -c " + UPDATE accountiam.idp_config + SET idp = '$NEW_IDP_URL', + modified_ts = NOW() + WHERE idp LIKE '%/idprovider/v1/%'; + " + + success "IDP configuration updated successfully." + else + warning "account_iam database not found, skipping IDP configuration update." + fi + } + function wait_for_oidc { job_name="oidc-client-registration" info "Waiting for job $job_name to complete in namespace $CSDB_NAMESPACE." From be3cab95942da86897b91964acc5ac4ac3e75efb Mon Sep 17 00:00:00 2001 From: YuChen Date: Thu, 14 Aug 2025 14:49:26 -0700 Subject: [PATCH 2/7] update modify idp function to verification step Signed-off-by: YuChen --- .../cs-db-br-script-cm-4.6.10.4.11.yaml | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) 
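Review bot: The `UPDATE` in `update_idp_config` is assembled by shell interpolation (`SET idp = '$NEW_IDP_URL'`) and run through `psql -U postgres`, so a single quote in `CSDB_NAMESPACE` or in the host read from the console route would end the string literal, and whatever follows would run as SQL under the database superuser. Nothing in the function checks the value first; a guard placed right after the empty check, such as `[[ $CLUSTER_DOMAIN =~ ^[A-Za-z0-9.-]+$ ]] || { error "Unexpected characters in cluster domain"; return 1; }`, would reject anything that is not a plain host name before it reaches the statement. The same interpolated statement appears in test-idp-update.sh and in the later revision that reads the domain from the ibmcloud-cluster-info ConfigMap, where the field is free-form text and the check matters more. `CLUSTER_DOMAIN`, `NEW_IDP_URL` and `ACCOUNT_IAM_EXISTS` are also assigned without `local`, so they leak into the calling script.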
diff --git a/velero/schedule/common-service-db/cs-db-br-script-cm-4.6.10.4.11.yaml b/velero/schedule/common-service-db/cs-db-br-script-cm-4.6.10.4.11.yaml index dea05d5f7..a8a44e1a7 100644 --- a/velero/schedule/common-service-db/cs-db-br-script-cm-4.6.10.4.11.yaml +++ b/velero/schedule/common-service-db/cs-db-br-script-cm-4.6.10.4.11.yaml @@ -131,7 +131,6 @@ data: info "Detected cluster domain: $CLUSTER_DOMAIN" - # Construct the new IDP URL based on the cluster domain and namespace NEW_IDP_URL="https://cp-console.${CSDB_NAMESPACE}.${CLUSTER_DOMAIN}/idprovider/v1/auth" info "Updating IDP URLs to: $NEW_IDP_URL" @@ -140,7 +139,6 @@ data: ACCOUNT_IAM_EXISTS=$(oc -n $CSDB_NAMESPACE exec -t $CNPG_PRIMARY_POD -c postgres -- psql -U postgres -c "\list" | grep "account_iam" || echo False) if [[ $ACCOUNT_IAM_EXISTS != "False" ]]; then - # Update the idp column in the idp_config table oc -n $CSDB_NAMESPACE exec -t $CNPG_PRIMARY_POD -c postgres -- psql -U postgres -d account_iam -c " UPDATE accountiam.idp_config SET idp = '$NEW_IDP_URL', @@ -148,6 +146,13 @@ data: WHERE idp LIKE '%/idprovider/v1/%'; " + info "Verifying IDP configuration update..." + oc -n $CSDB_NAMESPACE exec -t $CNPG_PRIMARY_POD -c postgres -- psql -U postgres -d account_iam -c " + SELECT uid, realm, idp, modified_ts + FROM accountiam.idp_config + ORDER BY modified_ts DESC; + " + success "IDP configuration updated successfully." else warning "account_iam database not found, skipping IDP configuration update." From 1eddfb2c9f4b7f76e00b75b8281f389ad75ed097 Mon Sep 17 00:00:00 2001 From: YuChen Date: Fri, 15 Aug 2025 08:07:46 -0700 Subject: [PATCH 3/7] test idp config update Signed-off-by: YuChen --- .../common-service-db/test-idp-update.sh | 70 +++++++++++++++++++ 1 file changed, 70 insertions(+) create mode 100755 velero/schedule/common-service-db/test-idp-update.sh 
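Review bot: `success "IDP configuration updated successfully."` still runs unconditionally after the added verification query, because neither the `UPDATE` nor the new `SELECT` has its exit status tested; a failed `oc exec` or psql error is followed by a success line. The verification only prints rows for a person to read, it does not compare `idp` with `$NEW_IDP_URL`. I would end the `UPDATE` invocation with `|| { error "IDP configuration update failed"; return 1; }` and mark the `SELECT` with a comment such as `# Prints the rows for the operator; does not assert the new value`. `update_idp_config` begins and ends outside this hunk.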
diff --git a/velero/schedule/common-service-db/test-idp-update.sh b/velero/schedule/common-service-db/test-idp-update.sh
new file mode 100755
index 000000000..6af75a382
--- /dev/null
+++ b/velero/schedule/common-service-db/test-idp-update.sh
@@ -0,0 +1,70 @@
+#!/bin/bash
+
+# Test script to check IDP update functionality
+CSDB_NAMESPACE=$1
+
+if [[ -z $CSDB_NAMESPACE ]]; then
+ echo "No namespace provided. please provide the namespace as an argument."
+ exit 1
+fi
+
+echo "Getting primary PostgreSQL pod..."
+CNPG_PRIMARY_POD=$(oc get cluster.postgresql.k8s.enterprisedb.io common-service-db -o jsonpath="{.status.currentPrimary}" -n $CSDB_NAMESPACE)
+
+if [[ -z $CNPG_PRIMARY_POD ]]; then
+ echo "Error: Could not find primary PostgreSQL pod"
+ exit 1
+fi
+
+echo "Primary pod: $CNPG_PRIMARY_POD"
+
+echo "Checking if account_iam database exists..."
+ACCOUNT_IAM_EXISTS=$(oc -n $CSDB_NAMESPACE exec -t $CNPG_PRIMARY_POD -c postgres -- psql -U postgres -c "\list" | grep "account_iam" || echo False)
+
+if [[ $ACCOUNT_IAM_EXISTS == "False" ]]; then
+ echo "account_iam database not found. Creating test data..."
+ exit 1
+fi
+
+echo "Current IDP configuration BEFORE update:"
+oc -n $CSDB_NAMESPACE exec -t $CNPG_PRIMARY_POD -c postgres -- psql -U postgres -d account_iam -c "
+ SELECT uid, realm, idp, modified_ts
+ FROM accountiam.idp_config
+ ORDER BY modified_ts DESC;
+"
+
+echo "Getting cluster domain..."
+CLUSTER_DOMAIN=$(oc get route console -n openshift-console -o jsonpath='{.spec.host}' | sed 's/^console-openshift-console\.//')
+
+if [[ -z $CLUSTER_DOMAIN ]]; then
+ echo "Warning: Could not determine cluster domain from console route, trying alternative method..."
+ CLUSTER_DOMAIN=$(oc get ingress.config.openshift.io cluster -o jsonpath='{.spec.domain}')
+fi
+
+if [[ -z $CLUSTER_DOMAIN ]]; then
+ echo "Error: Could not determine cluster domain. Using example.com for testing."
+ CLUSTER_DOMAIN="example.com"
+fi
+
+echo "Detected cluster domain: $CLUSTER_DOMAIN"
+
+NEW_IDP_URL="https://cp-console.${CSDB_NAMESPACE}.${CLUSTER_DOMAIN}/idprovider/v1/auth"
+echo "New IDP URL will be: $NEW_IDP_URL"
+
+# Perform the update
+echo "Updating IDP configuration..."
+oc -n $CSDB_NAMESPACE exec -t $CNPG_PRIMARY_POD -c postgres -- psql -U postgres -d account_iam -c "
+ UPDATE accountiam.idp_config
+ SET idp = '$NEW_IDP_URL',
+ modified_ts = NOW()
+ WHERE idp LIKE '%/idprovider/v1/%';
+"
+
+echo "IDP configuration AFTER update:"
+oc -n $CSDB_NAMESPACE exec -t $CNPG_PRIMARY_POD -c postgres -- psql -U postgres -d account_iam -c "
+ SELECT uid, realm, idp, modified_ts
+ FROM accountiam.idp_config
+ ORDER BY modified_ts DESC;
+"
+
+echo "Test completed!"
From bf8dbbf48f28cbfd70a4612791387b919a6863fd Mon Sep 17 00:00:00 2001
From: YuChen
Date: Thu, 21 Aug 2025 09:26:01 -0700
Subject: [PATCH 4/7] get route from IM configmap
Signed-off-by: YuChen
---
.../cs-db-br-script-cm-4.6.10.4.11.yaml | 52 ++++++++++++-------
.../common-service-db/test-idp-update.sh | 49 ++++++++++-------
2 files changed, 61 insertions(+), 40 deletions(-)
diff --git a/velero/schedule/common-service-db/cs-db-br-script-cm-4.6.10.4.11.yaml b/velero/schedule/common-service-db/cs-db-br-script-cm-4.6.10.4.11.yaml
index a8a44e1a7..5bcc61749 100644
--- a/velero/schedule/common-service-db/cs-db-br-script-cm-4.6.10.4.11.yaml
+++ b/velero/schedule/common-service-db/cs-db-br-script-cm-4.6.10.4.11.yaml
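Review bot: Although it is named a test, this script issues the real `UPDATE accountiam.idp_config` against the primary pod's `account_iam` database, and when both domain lookups come back empty it substitutes `example.com` and still writes. On a live cluster that replaces every matching IdP URL with a placeholder host. The fallback branch should stop instead: `echo "Error: Could not determine cluster domain." >&2; exit 1`. The message `account_iam database not found. Creating test data...` is also misleading, since the next line is `exit 1` and no data is created, and `$1` reaches every `oc` call unquoted, so `"$CSDB_NAMESPACE"` would be safer.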
@@ -121,41 +121,53 @@ data: function update_idp_config { info "Updating IDP configuration with actual cluster domain..." - # Get the cluster domain from the management ingress - CLUSTER_DOMAIN=$(oc get route console -n openshift-console -o jsonpath='{.spec.host}' | sed 's/^console-openshift-console\.//') + # Get the cluster domain from ibmcloud-cluster-info configmap + CLUSTER_DOMAIN=$(oc get cm ibmcloud-cluster-info -n $CSDB_NAMESPACE -o jsonpath='{.data.cluster_address}' 2>/dev/null || echo "") if [[ -z $CLUSTER_DOMAIN ]]; then - error "Could not determine cluster domain. Please update IDP configuration manually." + error "Could not determine cluster domain from ibmcloud-cluster-info configmap. Please update IDP configuration manually." return 1 fi info "Detected cluster domain: $CLUSTER_DOMAIN" - NEW_IDP_URL="https://cp-console.${CSDB_NAMESPACE}.${CLUSTER_DOMAIN}/idprovider/v1/auth" + NEW_IDP_URL="https://${CLUSTER_DOMAIN}/idprovider/v1/auth" - info "Updating IDP URLs to: $NEW_IDP_URL" + info "Target IDP URL: $NEW_IDP_URL" # Check if account_iam database exists ACCOUNT_IAM_EXISTS=$(oc -n $CSDB_NAMESPACE exec -t $CNPG_PRIMARY_POD -c postgres -- psql -U postgres -c "\list" | grep "account_iam" || echo False) if [[ $ACCOUNT_IAM_EXISTS != "False" ]]; then - oc -n $CSDB_NAMESPACE exec -t $CNPG_PRIMARY_POD -c postgres -- psql -U postgres -d account_iam -c " - UPDATE accountiam.idp_config - SET idp = '$NEW_IDP_URL', - modified_ts = NOW() - WHERE idp LIKE '%/idprovider/v1/%'; - " + # Check current IDP configuration + CURRENT_IDP=$(oc -n $CSDB_NAMESPACE exec -t $CNPG_PRIMARY_POD -c postgres -- psql -U postgres -d account_iam -t -c "SELECT DISTINCT idp FROM accountiam.idp_config WHERE idp LIKE '%/idprovider/v1/%' LIMIT 1;" | xargs || echo "") - info "Verifying IDP configuration update..." 
- oc -n $CSDB_NAMESPACE exec -t $CNPG_PRIMARY_POD -c postgres -- psql -U postgres -d account_iam -c " - SELECT uid, realm, idp, modified_ts - FROM accountiam.idp_config - ORDER BY modified_ts DESC; - " - - success "IDP configuration updated successfully." + if [[ -n $CURRENT_IDP ]] && [[ $CURRENT_IDP != $NEW_IDP_URL ]]; then + info "Current IDP URL: $CURRENT_IDP" + info "Updating IDP configuration..." + + oc -n $CSDB_NAMESPACE exec -t $CNPG_PRIMARY_POD -c postgres -- psql -U postgres -d account_iam -c " + UPDATE accountiam.idp_config + SET idp = '$NEW_IDP_URL', + modified_ts = NOW() + WHERE idp LIKE '%/idprovider/v1/%'; + " + echo "" + info "Verifying IDP configuration update..." + oc -n $CSDB_NAMESPACE exec -t $CNPG_PRIMARY_POD -c postgres -- psql -U postgres -d account_iam -c " + SELECT uid, realm, idp, modified_ts + FROM accountiam.idp_config + ORDER BY modified_ts DESC; + " + + success "IDP configuration updated successfully in account_iam database." + elif [[ $CURRENT_IDP == $NEW_IDP_URL ]]; then + info "IDP configuration already matches target URL, no update needed." + else + info "No IDP configuration found in database, skipping update." + fi else - warning "account_iam database not found, skipping IDP configuration update." + info "account_iam database not found, IDP configuration update not applicable." fi } diff --git a/velero/schedule/common-service-db/test-idp-update.sh b/velero/schedule/common-service-db/test-idp-update.sh index 6af75a382..1fdba8a2a 100755 --- a/velero/schedule/common-service-db/test-idp-update.sh +++ b/velero/schedule/common-service-db/test-idp-update.sh 
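Review bot: In both comparisons the right-hand side is unquoted (`[[ $CURRENT_IDP != $NEW_IDP_URL ]]` and the `==` form in the `elif`), and inside `[[ ]]` an unquoted right operand is matched as a glob pattern rather than compared as a string. `cluster_address` now comes from a ConfigMap field with no format check, so a value containing `*`, `?` or `[` could make a different stored URL count as already matching and skip the update. Quote the operand: `[[ -n $CURRENT_IDP && $CURRENT_IDP != "$NEW_IDP_URL" ]]` and `elif [[ $CURRENT_IDP == "$NEW_IDP_URL" ]]`. The query also takes one row with `LIMIT 1` while the `UPDATE` rewrites every row matching the `LIKE`, so when rows differ the decision rests on whichever row is returned first. The same comparisons are in the test-idp-update.sh hunk of this commit.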
@@ -33,32 +33,41 @@ oc -n $CSDB_NAMESPACE exec -t $CNPG_PRIMARY_POD -c postgres -- psql -U postgres ORDER BY modified_ts DESC; " -echo "Getting cluster domain..." -CLUSTER_DOMAIN=$(oc get route console -n openshift-console -o jsonpath='{.spec.host}' | sed 's/^console-openshift-console\.//') +echo "Getting cluster domain from ibmcloud-cluster-info configmap..." +CLUSTER_DOMAIN=$(oc get cm ibmcloud-cluster-info -n $CSDB_NAMESPACE -o jsonpath='{.data.cluster_address}' 2>/dev/null || echo "") if [[ -z $CLUSTER_DOMAIN ]]; then - echo "Warning: Could not determine cluster domain from console route, trying alternative method..." - CLUSTER_DOMAIN=$(oc get ingress.config.openshift.io cluster -o jsonpath='{.spec.domain}') -fi - -if [[ -z $CLUSTER_DOMAIN ]]; then - echo "Error: Could not determine cluster domain. Using example.com for testing." - CLUSTER_DOMAIN="example.com" + echo "Error: Could not determine cluster domain from ibmcloud-cluster-info configmap." + echo "Please ensure the ibmcloud-cluster-info configmap exists in namespace $CSDB_NAMESPACE" + exit 1 fi echo "Detected cluster domain: $CLUSTER_DOMAIN" -NEW_IDP_URL="https://cp-console.${CSDB_NAMESPACE}.${CLUSTER_DOMAIN}/idprovider/v1/auth" -echo "New IDP URL will be: $NEW_IDP_URL" - -# Perform the update -echo "Updating IDP configuration..." -oc -n $CSDB_NAMESPACE exec -t $CNPG_PRIMARY_POD -c postgres -- psql -U postgres -d account_iam -c " - UPDATE accountiam.idp_config - SET idp = '$NEW_IDP_URL', - modified_ts = NOW() - WHERE idp LIKE '%/idprovider/v1/%'; -" +NEW_IDP_URL="https://${CLUSTER_DOMAIN}/idprovider/v1/auth" +echo "Target IDP URL: $NEW_IDP_URL" + +# Check current IDP configuration first +echo "Checking current IDP configuration..." 
+CURRENT_IDP=$(oc -n $CSDB_NAMESPACE exec -t $CNPG_PRIMARY_POD -c postgres -- psql -U postgres -d account_iam -t -c "SELECT DISTINCT idp FROM accountiam.idp_config WHERE idp LIKE '%/idprovider/v1/%' LIMIT 1;" | xargs || echo "") + +if [[ -n $CURRENT_IDP ]] && [[ $CURRENT_IDP != $NEW_IDP_URL ]]; then + echo "Current IDP URL: $CURRENT_IDP" + echo "Updating IDP configuration..." + + # Perform the update + oc -n $CSDB_NAMESPACE exec -t $CNPG_PRIMARY_POD -c postgres -- psql -U postgres -d account_iam -c " + UPDATE accountiam.idp_config + SET idp = '$NEW_IDP_URL', + modified_ts = NOW() + WHERE idp LIKE '%/idprovider/v1/%'; + " +elif [[ $CURRENT_IDP == $NEW_IDP_URL ]]; then + echo "IDP configuration already matches target URL, no update needed." + echo "Current IDP URL: $CURRENT_IDP" +else + echo "No IDP configuration found in database, skipping update." +fi echo "IDP configuration AFTER update:" oc -n $CSDB_NAMESPACE exec -t $CNPG_PRIMARY_POD -c postgres -- psql -U postgres -d account_iam -c " From fc1f1b08adcb79109364d6c1f714615127d28bd2 Mon Sep 17 00:00:00 2001 From: YuChen Date: Tue, 26 Aug 2025 08:22:30 -0700 Subject: [PATCH 5/7] remove xargs vulnerability Signed-off-by: YuChen --- .../cs-db-br-script-cm-4.6.10.4.11.yaml | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/velero/schedule/common-service-db/cs-db-br-script-cm-4.6.10.4.11.yaml b/velero/schedule/common-service-db/cs-db-br-script-cm-4.6.10.4.11.yaml index 5bcc61749..72974a380 100644 --- a/velero/schedule/common-service-db/cs-db-br-script-cm-4.6.10.4.11.yaml +++ b/velero/schedule/common-service-db/cs-db-br-script-cm-4.6.10.4.11.yaml 
@@ -125,26 +125,27 @@ data: CLUSTER_DOMAIN=$(oc get cm ibmcloud-cluster-info -n $CSDB_NAMESPACE -o jsonpath='{.data.cluster_address}' 2>/dev/null || echo "") if [[ -z $CLUSTER_DOMAIN ]]; then - error "Could not determine cluster domain from ibmcloud-cluster-info configmap. Please update IDP configuration manually." + error "❌ Could not determine cluster domain from ibmcloud-cluster-info configmap. Please update IDP configuration manually." return 1 fi - info "Detected cluster domain: $CLUSTER_DOMAIN" + info "✅ Detected cluster domain: $CLUSTER_DOMAIN" NEW_IDP_URL="https://${CLUSTER_DOMAIN}/idprovider/v1/auth" - info "Target IDP URL: $NEW_IDP_URL" + info "🎯 Target IDP URL: $NEW_IDP_URL" # Check if account_iam database exists ACCOUNT_IAM_EXISTS=$(oc -n $CSDB_NAMESPACE exec -t $CNPG_PRIMARY_POD -c postgres -- psql -U postgres -c "\list" | grep "account_iam" || echo False) if [[ $ACCOUNT_IAM_EXISTS != "False" ]]; then # Check current IDP configuration - CURRENT_IDP=$(oc -n $CSDB_NAMESPACE exec -t $CNPG_PRIMARY_POD -c postgres -- psql -U postgres -d account_iam -t -c "SELECT DISTINCT idp FROM accountiam.idp_config WHERE idp LIKE '%/idprovider/v1/%' LIMIT 1;" | xargs || echo "") + CURRENT_IDP=$(oc -n $CSDB_NAMESPACE exec -t $CNPG_PRIMARY_POD -c postgres -- psql -U postgres -d account_iam -t -c "SELECT TRIM(idp) FROM accountiam.idp_config WHERE idp LIKE '%/idprovider/v1/%' LIMIT 1;" 2>/dev/null | head -n1 | tr -d '\r\n' | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' || echo "") + info "🌐 Current IDP URL: $CURRENT_IDP" + echo "" if [[ -n $CURRENT_IDP ]] && [[ $CURRENT_IDP != $NEW_IDP_URL ]]; then - info "Current IDP URL: $CURRENT_IDP" - info "Updating IDP configuration..." + info "🔄 Updating IDP configuration..." oc -n $CSDB_NAMESPACE exec -t $CNPG_PRIMARY_POD -c postgres -- psql -U postgres -d account_iam -c " UPDATE accountiam.idp_config 
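Review bot: The added `2>/dev/null` on the `CURRENT_IDP` query, together with `|| echo ""`, makes a failed `oc exec` or psql call indistinguishable from an empty table: the function then logs "No IDP configuration found in database, skipping update." and the restored URL is left as it was. The `|| echo ""` also applies to the last stage of the pipeline (`sed`), not to `oc`, unless `pipefail` is set somewhere outside this hunk. Assign the raw query output on its own first, `RAW_IDP=$(oc … psql … -t -c "…") || { error "Could not read current IDP configuration"; return 1; }`, and trim `RAW_IDP` afterwards, so a read failure stops the function instead of looking like "nothing to do". The commit title mentions `xargs`, but the statement built from `$NEW_IDP_URL` a few lines below is unchanged by this commit. `update_idp_config` begins and ends outside this hunk.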
@@ -162,7 +163,7 @@ data: success "IDP configuration updated successfully in account_iam database." elif [[ $CURRENT_IDP == $NEW_IDP_URL ]]; then - info "IDP configuration already matches target URL, no update needed." + info "✅ IDP configuration already matches target URL, no update needed." else info "No IDP configuration found in database, skipping update." fi From ad3c4d8418bedc1538bb1a993b492bffb6f66983 Mon Sep 17 00:00:00 2001 From: YuChen Date: Thu, 28 Aug 2025 09:53:30 -0700 Subject: [PATCH 6/7] removed test script Signed-off-by: YuChen --- .../common-service-db/test-idp-update.sh | 79 ------------------- 1 file changed, 79 deletions(-) delete mode 100755 velero/schedule/common-service-db/test-idp-update.sh diff --git a/velero/schedule/common-service-db/test-idp-update.sh b/velero/schedule/common-service-db/test-idp-update.sh deleted file mode 100755 index 1fdba8a2a..000000000 --- a/velero/schedule/common-service-db/test-idp-update.sh +++ /dev/null 
@@ -1,79 +0,0 @@ -#!/bin/bash - -# Test script to check IDP update functionality -CSDB_NAMESPACE=$1 - -if [[ -z $CSDB_NAMESPACE ]]; then - echo "No namespace provided. please provide the namespace as an argument." - exit 1 -fi - -echo "Getting primary PostgreSQL pod..." -CNPG_PRIMARY_POD=$(oc get cluster.postgresql.k8s.enterprisedb.io common-service-db -o jsonpath="{.status.currentPrimary}" -n $CSDB_NAMESPACE) - -if [[ -z $CNPG_PRIMARY_POD ]]; then - echo "Error: Could not find primary PostgreSQL pod" - exit 1 -fi - -echo "Primary pod: $CNPG_PRIMARY_POD" - -echo "Checking if account_iam database exists..." -ACCOUNT_IAM_EXISTS=$(oc -n $CSDB_NAMESPACE exec -t $CNPG_PRIMARY_POD -c postgres -- psql -U postgres -c "\list" | grep "account_iam" || echo False) - -if [[ $ACCOUNT_IAM_EXISTS == "False" ]]; then - echo "account_iam database not found. Creating test data..." - exit 1 -fi - -echo "Current IDP configuration BEFORE update:" -oc -n $CSDB_NAMESPACE exec -t $CNPG_PRIMARY_POD -c postgres -- psql -U postgres -d account_iam -c " - SELECT uid, realm, idp, modified_ts - FROM accountiam.idp_config - ORDER BY modified_ts DESC; -" - -echo "Getting cluster domain from ibmcloud-cluster-info configmap..." -CLUSTER_DOMAIN=$(oc get cm ibmcloud-cluster-info -n $CSDB_NAMESPACE -o jsonpath='{.data.cluster_address}' 2>/dev/null || echo "") - -if [[ -z $CLUSTER_DOMAIN ]]; then - echo "Error: Could not determine cluster domain from ibmcloud-cluster-info configmap." - echo "Please ensure the ibmcloud-cluster-info configmap exists in namespace $CSDB_NAMESPACE" - exit 1 -fi - -echo "Detected cluster domain: $CLUSTER_DOMAIN" - -NEW_IDP_URL="https://${CLUSTER_DOMAIN}/idprovider/v1/auth" -echo "Target IDP URL: $NEW_IDP_URL" - -# Check current IDP configuration first -echo "Checking current IDP configuration..." 
-CURRENT_IDP=$(oc -n $CSDB_NAMESPACE exec -t $CNPG_PRIMARY_POD -c postgres -- psql -U postgres -d account_iam -t -c "SELECT DISTINCT idp FROM accountiam.idp_config WHERE idp LIKE '%/idprovider/v1/%' LIMIT 1;" | xargs || echo "") - -if [[ -n $CURRENT_IDP ]] && [[ $CURRENT_IDP != $NEW_IDP_URL ]]; then - echo "Current IDP URL: $CURRENT_IDP" - echo "Updating IDP configuration..." - - # Perform the update - oc -n $CSDB_NAMESPACE exec -t $CNPG_PRIMARY_POD -c postgres -- psql -U postgres -d account_iam -c " - UPDATE accountiam.idp_config - SET idp = '$NEW_IDP_URL', - modified_ts = NOW() - WHERE idp LIKE '%/idprovider/v1/%'; - " -elif [[ $CURRENT_IDP == $NEW_IDP_URL ]]; then - echo "IDP configuration already matches target URL, no update needed." - echo "Current IDP URL: $CURRENT_IDP" -else - echo "No IDP configuration found in database, skipping update." -fi - -echo "IDP configuration AFTER update:" -oc -n $CSDB_NAMESPACE exec -t $CNPG_PRIMARY_POD -c postgres -- psql -U postgres -d account_iam -c " - SELECT uid, realm, idp, modified_ts - FROM accountiam.idp_config - ORDER BY modified_ts DESC; -" - -echo "Test completed!" From 1a79f09fc013cbecd7fa900abdb732b29ff763b6 Mon Sep 17 00:00:00 2001 From: YuChen Date: Fri, 29 Aug 2025 07:04:13 -0700 Subject: [PATCH 7/7] add restart account iam pod after updating idp Signed-off-by: YuChen --- .../cs-db-br-script-cm-4.6.10.4.11.yaml | 34 +++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/velero/schedule/common-service-db/cs-db-br-script-cm-4.6.10.4.11.yaml b/velero/schedule/common-service-db/cs-db-br-script-cm-4.6.10.4.11.yaml index 72974a380..9480fbf11 100644 --- a/velero/schedule/common-service-db/cs-db-br-script-cm-4.6.10.4.11.yaml +++ b/velero/schedule/common-service-db/cs-db-br-script-cm-4.6.10.4.11.yaml 
@@ -162,6 +162,40 @@ data: " success "IDP configuration updated successfully in account_iam database." + + # Restart account-iam pod to pick up the new configuration + info "🔄 Restarting account-iam pod to apply new IDP configuration..." + ACCOUNT_IAM_POD=$(oc get pods -n $CSDB_NAMESPACE -l app.kubernetes.io/name=account-iam --no-headers -o custom-columns=":metadata.name" | head -n1 || echo "") + + if [[ -n $ACCOUNT_IAM_POD ]]; then + info "Found account-iam pod: $ACCOUNT_IAM_POD" + oc delete pod $ACCOUNT_IAM_POD -n $CSDB_NAMESPACE + + info "⏳ Waiting for new account-iam pod to be ready..." + # Wait for new pod to be running and ready + retry_count=30 + while [[ $retry_count > 0 ]]; do + NEW_POD=$(oc get pods -n $CSDB_NAMESPACE -l app.kubernetes.io/name=account-iam --no-headers -o custom-columns=":metadata.name,:status.phase" | grep Running | head -n1) + if [[ -n $NEW_POD ]]; then + POD_NAME=$(echo $NEW_POD | awk '{print $1}') + READY_STATUS=$(oc get pod $POD_NAME -n $CSDB_NAMESPACE -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}') + if [[ $READY_STATUS == "True" ]]; then + info "✅ New account-iam pod is ready: $POD_NAME" + break + fi + fi + sleep 2 + retry_count=$((retry_count-1)) + done + + if [[ $retry_count == 0 ]]; then + warning "⚠️ Timeout waiting for new account-iam pod to be ready" + fi + + info "✅ Account-iam pod restart completed" + else + warning "⚠️ Could not find account-iam pod to restart. Please restart manually if needed." + fi elif [[ $CURRENT_IDP == $NEW_IDP_URL ]]; then info "✅ IDP configuration already matches target URL, no update needed." else
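Review bot: `while [[ $retry_count > 0 ]]` compares strings, not numbers: inside `[[ ]]` the `>` operator is a lexicographic comparison, and the loop only terminates correctly because every positive count happens to sort after `"0"`. Use `while (( retry_count > 0 )); do` and `if (( retry_count == 0 )); then`. After a timeout the function warns and then still logs "✅ Account-iam pod restart completed", so the log ends on a success line even though no pod became Ready with the new IdP URL; that line belongs inside the Ready branch. Only the first pod returned by the selector is deleted (`head -n1`) and the wait loop accepts any Running pod with that label, so if account-iam runs more than one replica (not visible from this hunk) the others keep the old configuration and one of them can satisfy the wait. `update_idp_config` begins outside this hunk and continues past its end.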