Add OpenShift sidecar support

Author: tomach

crate/operator/bootstrap.py

@@ -19,14 +19,11 @@
 # with Crate these terms will supersede the license and you may use the
 # software solely pursuant to the terms of the relevant commercial agreement.
 
-import json
 import logging
 from typing import Any, Dict, List, Optional
 
-from aiohttp.client_exceptions import WSServerHandshakeError
 from kopf import TemporaryError
-from kubernetes_asyncio.client import ApiException, CoreV1Api
-from kubernetes_asyncio.stream import WsApiClient
+from kubernetes_asyncio.client import CoreV1Api
 
 from crate.operator.config import config
 from crate.operator.constants import (
@@ -36,6 +33,7 @@
     SYSTEM_USERNAME,
 )
 from crate.operator.cratedb import create_user, get_connection
+from crate.operator.sql import execute_sql_via_crate_control
 from crate.operator.utils import crate
 from crate.operator.utils.k8s_api_client import GlobalApiClient
 from crate.operator.utils.kopf import StateBasedSubHandler
@@ -78,121 +76,121 @@ async def bootstrap_system_user(
         when SSL/TLS is enabled, and encrypted connections aren't possible when
         no SSL/TLS is configured.
     """
-    scheme = "https" if has_ssl else "http"
     password = await get_system_user_password(core, namespace, name)
 
-    def get_curl_command(payload: dict) -> List[str]:
-        return [
-            "curl",
-            "-s",
-            "-k",
-            "-X",
-            "POST",
-            f"{scheme}://localhost:4200/_sql",
-            "-H",
-            "Content-Type: application/json",
-            "-d",
-            json.dumps(payload),
-            "-w",
-            "\\n",
-        ]
-
-    command_create_user = get_curl_command(
-        {
-            "stmt": 'CREATE USER "{}" WITH (password = $1)'.format(SYSTEM_USERNAME),
-            "args": [password],
-        }
-    )
-    command_alter_user = get_curl_command(
+    control_host = f"crate-control-{name}.{namespace}.svc.cluster.local"
+    bootstrap_token = await resolve_secret_key_ref(
+        core,
+        namespace,
         {
-            "stmt": 'ALTER USER "{}" SET (password = $1)'.format(SYSTEM_USERNAME),
-            "args": [password],
-        }
+            "key": "token",
+            "name": f"crate-control-{name}",
+        },
     )
-    command_grant = get_curl_command(
-        {"stmt": 'GRANT ALL PRIVILEGES TO "{}" '.format(SYSTEM_USERNAME)}
+    logger.info("************************** new handling **************************")
+    logger.info(
+        "Bootstrapping system user '%s' via sidecar at %s",
+        SYSTEM_USERNAME,
+        control_host,
     )
+    logger.info("bootstrap_token: %s", bootstrap_token)
+
+    command_create_user: Dict[str, Any] = {
+        "stmt": f'CREATE USER "{SYSTEM_USERNAME}" WITH (password = ?)',
+        "args": [password],
+    }
+
+    command_alter_user: Dict[str, Any] = {
+        "stmt": f'ALTER USER "{SYSTEM_USERNAME}" SET (password = ?)',
+        "args": [password],
+    }
+
+    # Grant doesn't usually need args since it's all identifiers
+    command_grant: Dict[str, Any] = {
+        "stmt": f'GRANT ALL PRIVILEGES TO "{SYSTEM_USERNAME}"',
+        "args": [],
+    }
+
     exception_logger = logger.exception if config.TESTING else logger.error
 
-    async def pod_exec(cmd):
-        return await core_ws.connect_get_namespaced_pod_exec(
+    needs_update = False
+    try:
+        logger.info("Trying to create system user ...")
+        result = await execute_sql_via_crate_control(
             namespace=namespace,
-            name=master_node_pod,
-            command=cmd,
-            container="crate",
-            stderr=True,
-            stdin=False,
-            stdout=True,
-            tty=False,
+            name=name,
+            sql=command_create_user["stmt"],
+            args=command_create_user["args"],
+            logger=logger,
         )
+    except Exception as e:
+        # We don't use `logger.exception()` to not accidentally include the
+        # password in the log messages which might be part of the string
+        # representation of the exception.
+        exception_logger("... failed. %s", str(e))
+        raise _temporary_error()
+    else:
+        logger.info("Create user result: %s", result)
+        if "rowcount" in result:
+            logger.info("... success")
+        elif (
+            "error" in result
+            and "RoleAlreadyExistsException" in result["error"]["message"]
+        ):
+            needs_update = True
+            logger.info("... success. Already present")
+        else:
+            logger.info("... error. %s", result)
+            raise _temporary_error()
 
-    needs_update = False
-    async with WsApiClient() as ws_api_client:
-        core_ws = CoreV1Api(ws_api_client)
+    if needs_update:
         try:
-            logger.info("Trying to create system user ...")
-            result = await pod_exec(command_create_user)
-        except ApiException as e:
-            # We don't use `logger.exception()` to not accidentally include the
-            # password in the log messages which might be part of the string
-            # representation of the exception.
-            exception_logger("... failed. Status: %s Reason: %s", e.status, e.reason)
-            raise _temporary_error()
-        except WSServerHandshakeError as e:
+            logger.info("Trying to update system user password ...")
+            result = await execute_sql_via_crate_control(
+                namespace=namespace,
+                name=name,
+                sql=command_alter_user["stmt"],
+                args=command_alter_user["args"],
+                logger=logger,
+            )
+        except Exception as e:
             # We don't use `logger.exception()` to not accidentally include the
             # password in the log messages which might be part of the string
             # representation of the exception.
-            exception_logger("... failed. Status: %s Message: %s", e.status, e.message)
+            exception_logger("... failed: %s", str(e))
             raise _temporary_error()
         else:
             if "rowcount" in result:
                 logger.info("... success")
-            elif "AlreadyExistsException" in result:
-                needs_update = True
-                logger.info("... success. Already present")
             else:
                 logger.info("... error. %s", result)
                 raise _temporary_error()
 
-        if needs_update:
-            try:
-                logger.info("Trying to update system user password ...")
-                result = await pod_exec(command_alter_user)
-            except ApiException as e:
-                # We don't use `logger.exception()` to not accidentally include the
-                # password in the log messages which might be part of the string
-                # representation of the exception.
-                exception_logger(
-                    "... failed. Status: %s Reason: %s", e.status, e.reason
-                )
-                raise _temporary_error()
-            except WSServerHandshakeError as e:
-                # We don't use `logger.exception()` to not accidentally include the
-                # password in the log messages which might be part of the string
-                # representation of the exception.
-                exception_logger(
-                    "... failed. Status: %s Message: %s", e.status, e.message
-                )
-                raise _temporary_error()
-            else:
-                if "rowcount" in result:
-                    logger.info("... success")
-                else:
-                    logger.info("... error. %s", result)
-                    raise _temporary_error()
-
-        try:
-            logger.info("Trying to grant system user all privileges ...")
-            result = await pod_exec(command_grant)
-        except (ApiException, WSServerHandshakeError):
-            logger.exception("... failed")
-            raise _temporary_error()
+    try:
+        logger.info("Trying to grant system user all privileges ...")
+        result = await execute_sql_via_crate_control(
+            namespace=namespace,
+            name=name,
+            sql=command_grant["stmt"],
+            args=command_grant["args"],
+            logger=logger,
+        )
+    except Exception:
+        logger.exception("... failed")
+        raise _temporary_error()
+    else:
+        if "rowcount" in result:
+            logger.info("... success")
         else:
-            if "rowcount" in result:
-                logger.info("... success")
-            else:
-                logger.info("... error. %s", result)
-                raise _temporary_error()
+            logger.info("... error. %s", result)
+            raise _temporary_error()
+    logger.info(
+        "************************** new handling finished **************************"
+    )
+
+
+def get_control_service_host(namespace: str, name: str) -> str:
+    return f"crate-control-{name}.{namespace}.svc.cluster.local"
 
 
 async def bootstrap_gc_admin_user(core: CoreV1Api, namespace: str, name: str):

crate/operator/config.py

@@ -62,6 +62,9 @@ class Config:
     #: The Docker image that contains scripts to run cluster backups.
     CLUSTER_BACKUP_IMAGE: Optional[str] = None
 
+    #: The Docker image that contains CrateControl sidecar.
+    CRATE_CONTROL_IMAGE: Optional[str] = None
+
     #: The volume size for the ``PersistentVolume`` that is used as a storage
     #: location for Java heap dumps.
     DEBUG_VOLUME_SIZE: bitmath.Byte = bitmath.GiB(64)
@@ -233,6 +236,10 @@ def load(self):
             "CLUSTER_BACKUP_IMAGE", default=self.CLUSTER_BACKUP_IMAGE
         )
 
+        self.CRATE_CONTROL_IMAGE = self.env(
+            "CRATE_CONTROL_IMAGE", default=self.CRATE_CONTROL_IMAGE
+        )
+
         debug_volume_size = self.env(
             "DEBUG_VOLUME_SIZE", default=str(self.DEBUG_VOLUME_SIZE)
         )