Role for auditing-timescaledb.

Author: Gerrit91

control-plane/roles/auditing-timescaledb/README.md

@@ -0,0 +1,9 @@
+# auditing-timescaledb
+
+This role provides a database for the metal-api that can be used for storing audit traces. The auditing feature has to be explicitly enabled in the metal-api in order to make use of this database.
+
+This role just wraps the [postgres-backup-restore](/control-plane/roles/postgres-backup-restore) role. Refer to this role for further documentation.
+
+## Variables
+
+The role should take the same variables as the wrapped role, but prefixed with `auditing_timescaledb_` instead of `postgres_`.

control-plane/roles/auditing-timescaledb/defaults/main/control-plane-defaults

@@ -0,0 +1 @@
+../../../../control-plane-defaults/

control-plane/roles/auditing-timescaledb/defaults/main/global-defaults

@@ -0,0 +1 @@
+../../../../../defaults

control-plane/roles/auditing-timescaledb/defaults/main/main.yaml

@@ -0,0 +1,40 @@
+---
+auditing_timescaledb_name: auditing-timescaledb
+auditing_timescaledb_namespace: "{{ metal_control_plane_namespace }}"
+
+auditing_timescaledb_image_pull_policy: "{{ metal_control_plane_image_pull_policy }}"
+
+auditing_timescaledb_storage_size: 10Gi
+auditing_timescaledb_storage_class:
+auditing_timescaledb_db: auditing
+auditing_timescaledb_user: postgres
+auditing_timescaledb_password: change-me
+auditing_timescaledb_max_connections: 100
+
+auditing_timescaledb_backup_restore_sidecar_image_pull_policy: "{{ metal_control_plane_image_pull_policy }}"
+auditing_timescaledb_backup_restore_sidecar_provider: local
+auditing_timescaledb_backup_restore_sidecar_backup_cron_schedule: "0 * * * *"
+auditing_timescaledb_backup_restore_sidecar_log_level: debug
+auditing_timescaledb_backup_restore_sidecar_object_prefix: "{{ auditing_timescaledb_name }}-{{ metal_control_plane_stage_name }}"
+auditing_timescaledb_backup_restore_sidecar_object_max_keep:
+
+auditing_timescaledb_backup_restore_sidecar_gcp_bucket_name:
+auditing_timescaledb_backup_restore_sidecar_gcp_backup_location:
+auditing_timescaledb_backup_restore_sidecar_gcp_project_id:
+auditing_timescaledb_backup_restore_sidecar_gcp_serviceaccount_json:
+
+auditing_timescaledb_resources:
+  requests:
+    memory: "256Mi"
+    cpu: "500m"
+  limits:
+    memory: "1Gi"
+    cpu: "1"
+
+auditing_timescaledb_registry_auth_enabled: "{{ metal_registry_auth_enabled }}"
+auditing_timescaledb_registry_auth:
+  auths:
+    https://index.docker.io/v1/:
+      username: "{{ metal_registry_auth_user }}"
+      password: "{{ metal_registry_auth_password }}"
+      auth: "{{ (metal_registry_auth_user + ':' + metal_registry_auth_password) | b64encode }}"

control-plane/roles/auditing-timescaledb/tasks/main.yaml

@@ -0,0 +1,54 @@
+---
+- name: Gather release versions
+  setup_yaml:
+
+- name: Check mandatory variables for this role are set
+  assert:
+    fail_msg: "not all mandatory variables given, check role documentation"
+    quiet: yes
+    that:
+      - auditing_timescaledb_image_name is defined
+      - auditing_timescaledb_image_tag is defined
+      - auditing_timescaledb_backup_restore_sidecar_image_name is defined
+      - auditing_timescaledb_backup_restore_sidecar_image_tag is defined
+
+- name: Create namespace
+  k8s:
+    definition:
+      apiVersion: v1
+      kind: Namespace
+      metadata:
+        name: "{{ auditing_timescaledb_namespace }}"
+        labels:
+          name: "{{ auditing_timescaledb_namespace }}"
+
+- name: Deploy auditing timescale db
+  include_role:
+    name: metal-roles/control-plane/roles/postgres-backup-restore
+  vars:
+    postgres_name: "{{ auditing_timescaledb_name }}"
+    postgres_namespace: "{{ auditing_timescaledb_namespace }}"
+    postgres_image_pull_policy: "{{ auditing_timescaledb_image_pull_policy }}"
+    postgres_image_name: "{{ auditing_timescaledb_image_name }}"
+    postgres_image_tag: "{{ auditing_timescaledb_image_tag }}"
+    postgres_registry_auth_enabled: "{{ auditing_timescaledb_registry_auth_enabled }}"
+    postgres_registry_auth: "{{ auditing_timescaledb_registry_auth }}"
+    postgres_storage_size: "{{ auditing_timescaledb_storage_size }}"
+    postgres_storage_class: "{{ auditing_timescaledb_storage_class }}"
+    postgres_db: "{{ auditing_timescaledb_db }}"
+    postgres_user: "{{ auditing_timescaledb_user }}"
+    postgres_password: "{{ auditing_timescaledb_password }}"
+    postgres_max_connections: "{{ auditing_timescaledb_max_connections }}"
+    postgres_backup_restore_sidecar_image_pull_policy: "{{ auditing_timescaledb_backup_restore_sidecar_image_pull_policy }}"
+    postgres_backup_restore_sidecar_image_name: "{{ auditing_timescaledb_backup_restore_sidecar_image_name }}"
+    postgres_backup_restore_sidecar_image_tag: "{{ auditing_timescaledb_backup_restore_sidecar_image_tag }}"
+    postgres_backup_restore_sidecar_provider: "{{ auditing_timescaledb_backup_restore_sidecar_provider }}"
+    postgres_backup_restore_sidecar_backup_cron_schedule: "{{ auditing_timescaledb_backup_restore_sidecar_backup_cron_schedule }}"
+    postgres_backup_restore_sidecar_log_level: "{{ auditing_timescaledb_backup_restore_sidecar_log_level }}"
+    postgres_backup_restore_sidecar_object_prefix: "{{ auditing_timescaledb_backup_restore_sidecar_object_prefix }}"
+    postgres_backup_restore_sidecar_gcp_bucket_name: "{{ auditing_timescaledb_backup_restore_sidecar_gcp_bucket_name }}"
+    postgres_backup_restore_sidecar_gcp_backup_location: "{{ auditing_timescaledb_backup_restore_sidecar_gcp_backup_location }}"
+    postgres_backup_restore_sidecar_gcp_project_id: "{{ auditing_timescaledb_backup_restore_sidecar_gcp_project_id }}"
+    postgres_backup_restore_sidecar_gcp_serviceaccount_json: "{{ auditing_timescaledb_backup_restore_sidecar_gcp_serviceaccount_json }}"
+    postgres_resources: "{{ auditing_timescaledb_resources }}"
+    postgres_backup_restore_sidecar_object_max_keep: "{{ auditing_timescaledb_backup_restore_sidecar_object_max_keep }}"

defaults/main.yaml

@@ -46,6 +46,8 @@ metal_stack_release:
     headscale_db_backup_restore_sidecar_image_name: "docker-images.metal-stack.generic.backup-restore-sidecar.name"
     auditing_meili_backup_restore_sidecar_image_tag: "docker-images.metal-stack.generic.backup-restore-sidecar.tag"
     auditing_meili_backup_restore_sidecar_image_name: "docker-images.metal-stack.generic.backup-restore-sidecar.name"
+    auditing_timescaledb_backup_restore_sidecar_image_tag: "docker-images.metal-stack.generic.backup-restore-sidecar.tag"
+    auditing_timescaledb_backup_restore_sidecar_image_name: "docker-images.metal-stack.generic.backup-restore-sidecar.name"
     # gardener
     firewall_controller_manager_image_tag: "docker-images.metal-stack.gardener.firewall-controller-manager.tag"
     firewall_controller_manager_image_name: "docker-images.metal-stack.gardener.firewall-controller-manager.name"
@@ -92,6 +94,8 @@ metal_stack_release:
     headscale_db_image_name: "docker-images.third-party.control-plane.headscale-db.name"
     auditing_meili_image_name: "docker-images.third-party.control-plane.meilisearch.name"
     auditing_meili_image_tag: "docker-images.third-party.control-plane.meilisearch.tag"
+    auditing_timescaledb_image_name: "docker-images.third-party.control-plane.timescaledb.name"
+    auditing_timescaledb_image_tag: "docker-images.third-party.control-plane.timescaledb.tag"
     image_cache_coredns_image_tag: "docker-images.third-party.partition.image-cache-coredns.tag"
     image_cache_coredns_image_name: "docker-images.third-party.partition.image-cache-coredns.name"
     image_cache_haproxy_image_tag: "docker-images.third-party.partition.image-cache-haproxy.tag"