Support for Dedicated IP Addresses (#513)

* Downgrade deps

* Add new field

* Initial implementation of dedicated IP

* update status controller as well

* cleanup + logging

* cleanup

* Use "" for deletion but ignore nil

* Revert "Use "" for deletion but ignore nil"

This reverts commit a0f21d8.

* Add todo/comment

* Check if the IP could actually be assigned before updating the status

* Use correct errror variable

* Add support for dedicatedLoadBalancerPort

* Add support for dedicatedLoadBalancerPort

* Replace the whole spec

* Replace the whole spec

* Refactor

* Add support for additional sockets in status

* Reworked the Status Socket handling to keep existing replications going

* Apply suggestions from code review

Co-authored-by: Stefan Majer <[email protected]>

* Move consts for DedicatedLoadBalancerIP tags to postgreslet

* capitalization

* capitalization

---------

Co-authored-by: Stefan Majer <[email protected]>

Author: eberlep

api/v1/postgres_types.go

@@ -83,6 +83,13 @@ const (
 	defaultPostgresParamValueSSLCiphers             = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
 	defaultPostgresParamValueWalKeepSegements       = "64"
 	defaultPostgresParamValueWalKeepSize            = "1GB"
+
+	// PostgresAutoAssignedIPNamePrefix a prefix to add to the generated random name
+	PostgresAutoAssignedIPNamePrefix = "pgaas-autoassign-"
+	// PostgresAutoAssignedIPLabelKey tag to identify ips auto-assigned for a postgres
+	PostgresAutoAssignedIPLabelKey = "postgres.database.fits.cloud/auto-assigned-ip"
+	// PostgresAutoAssignedIPLabel tag to identify ips auto-assigned for a postgres
+	PostgresAutoAssignedIPLabel = PostgresAutoAssignedIPLabelKey + "=true"
 )
 
 var (
@@ -188,6 +195,12 @@ type PostgresSpec struct {
 
 	// PostgresParams additional parameters that are passed along to the postgres config
 	PostgresParams map[string]string `json:"postgresParams,omitempty"`
+
+	// DedicatedLoadBalancerIP The ip to use for the load balancer
+	DedicatedLoadBalancerIP *string `json:"dedicatedLoadBalancerIP,omitempty"`
+
+	// DedicatedLoadBalancerPort The port to use for the load balancer
+	DedicatedLoadBalancerPort *int32 `json:"dedicatedLoadBalancerPort,omitempty"`
 }
 
 // AccessList defines the type of restrictions to access the database
@@ -228,6 +241,8 @@ type PostgresStatus struct {
 
 	Socket Socket `json:"socket,omitempty"`
 
+	AdditionalSockets []Socket `json:"additionalSockets,omitempty"`
+
 	ChildName string `json:"childName,omitempty"`
 }
 
@@ -324,7 +339,7 @@ func (p *Postgres) ToKey() *types.NamespacedName {
 	}
 }
 
-func (p *Postgres) ToSvcLB(lbIP string, lbPort int32, enableStandbyLeaderSelector bool, enableLegacyStandbySelector bool, standbyClustersSourceRanges []string) *corev1.Service {
+func (p *Postgres) ToSharedSvcLB(lbIP string, lbPort int32, enableStandbyLeaderSelector bool, enableLegacyStandbySelector bool, standbyClustersSourceRanges []string) *corev1.Service {
 	lb := &corev1.Service{}
 	lb.Spec.Type = "LoadBalancer"
 
@@ -333,7 +348,7 @@ func (p *Postgres) ToSvcLB(lbIP string, lbPort int32, enableStandbyLeaderSelecto
 	}
 
 	lb.Namespace = p.ToPeripheralResourceNamespace()
-	lb.Name = p.ToSvcLBName()
+	lb.Name = p.ToSharedSvcLBName()
 	lb.SetLabels(SvcLoadBalancerLabel)
 
 	lbsr := []string{}
@@ -385,17 +400,82 @@ func (p *Postgres) ToSvcLB(lbIP string, lbPort int32, enableStandbyLeaderSelecto
 	return lb
 }
 
-// ToSvcLBName returns the name of the peripheral resource Service LoadBalancer.
+// ToSharedSvcLBName returns the name of the peripheral resource Service LoadBalancer.
 // It's different from all other peripheral resources because the operator
 // already generates one service with that name.
-func (p *Postgres) ToSvcLBName() string {
+func (p *Postgres) ToSharedSvcLBName() string {
 	return p.ToPeripheralResourceName() + "-external"
 }
 
-func (p *Postgres) ToSvcLBNamespacedName() *types.NamespacedName {
+func (p *Postgres) ToSharedSvcLBNamespacedName() *types.NamespacedName {
+	return &types.NamespacedName{
+		Namespace: p.ToPeripheralResourceNamespace(),
+		Name:      p.ToSharedSvcLBName(),
+	}
+}
+
+func (p *Postgres) ToDedicatedSvcLB(lbIP string, lbPort int32, standbyClustersSourceRanges []string) *corev1.Service {
+	lb := &corev1.Service{}
+	lb.Spec.Type = "LoadBalancer"
+
+	lb.Spec.ExternalTrafficPolicy = corev1.ServiceExternalTrafficPolicyTypeLocal
+
+	lb.Namespace = p.ToPeripheralResourceNamespace()
+	lb.Name = p.ToDedicatedSvcLBName()
+	lb.SetLabels(SvcLoadBalancerLabel)
+
+	lbsr := []string{}
+	if p.HasSourceRanges() {
+		for _, src := range p.Spec.AccessList.SourceRanges {
+			lbsr = append(lbsr, src)
+		}
+	}
+	for _, scsr := range standbyClustersSourceRanges {
+		lbsr = append(lbsr, scsr)
+	}
+	if len(lbsr) == 0 {
+		// block by default
+		lbsr = append(lbsr, "255.255.255.255/32")
+	}
+	lb.Spec.LoadBalancerSourceRanges = lbsr
+
+	port := corev1.ServicePort{}
+	port.Name = "postgresql"
+	port.Port = lbPort
+	port.Protocol = corev1.ProtocolTCP
+	port.TargetPort = intstr.FromInt(5432)
+	lb.Spec.Ports = []corev1.ServicePort{port}
+
+	lb.Spec.Selector = map[string]string{
+		ApplicationLabelName: ApplicationLabelValue,
+		"cluster-name":       p.ToPeripheralResourceName(),
+		"team":               p.generateTeamID(),
+	}
+	if p.IsReplicationPrimary() {
+		lb.Spec.Selector[SpiloRoleLabelName] = SpiloRoleLabelValueMaster
+	} else {
+		// select the first pod in the statefulset
+		lb.Spec.Selector[StatefulsetPodNameLabelName] = p.ToPeripheralResourceName() + "-0"
+	}
+
+	if len(lbIP) > 0 {
+		lb.Spec.LoadBalancerIP = lbIP
+	}
+
+	return lb
+}
+
+// ToSharedSvcLBName returns the name of the peripheral resource Service LoadBalancer.
+// It's different from all other peripheral resources because the operator
+// already generates one service with that name.
+func (p *Postgres) ToDedicatedSvcLBName() string {
+	return p.ToPeripheralResourceName() + "-dedicated"
+}
+
+func (p *Postgres) ToDedicatedSvcLBNamespacedName() *types.NamespacedName {
 	return &types.NamespacedName{
 		Namespace: p.ToPeripheralResourceNamespace(),
-		Name:      p.ToSvcLBName(),
+		Name:      p.ToDedicatedSvcLBName(),
 	}
 }
 

api/v1/zz_generated.deepcopy.go

@@ -99,6 +99,14 @@ spec:
                       replication is used for the standby postgres
                     type: boolean
                 type: object
+              dedicatedLoadBalancerIP:
+                description: DedicatedLoadBalancerIP The ip to use for the load balancer
+                type: string
+              dedicatedLoadBalancerPort:
+                description: DedicatedLoadBalancerPort The port to use for the load
+                  balancer
+                format: int32
+                type: integer
               description:
                 description: Description
                 type: string
@@ -169,6 +177,17 @@ spec:
           status:
             description: PostgresStatus defines the observed state of Postgres
             properties:
+              additionalSockets:
+                items:
+                  description: Socket represents load-balancer socket of Postgres
+                  properties:
+                    ip:
+                      type: string
+                    port:
+                      format: int32
+                      type: integer
+                  type: object
+                type: array
               childName:
                 type: string
               description:

config/crd/bases/database.fits.cloud_postgres.yaml

@@ -131,11 +131,16 @@ func (r *PostgresReconciler) Reconcile(ctx context.Context, req ctrl.Request) (c
 		}
 		log.Info("corresponding CRD ClusterwideNetworkPolicy deleted")
 
-		if err := r.LBManager.DeleteSvcLB(ctx, instance); err != nil {
-			r.recorder.Eventf(instance, "Warning", "Error", "failed to delete Service: %v", err)
+		if err := r.LBManager.DeleteSharedSvcLB(ctx, instance); err != nil {
+			r.recorder.Eventf(instance, "Warning", "Error", "failed to delete Service with shared ip: %v", err)
 			return ctrl.Result{}, err
 		}
-		log.Info("corresponding Service of type LoadBalancer deleted")
+
+		if err := r.LBManager.DeleteDedicatedSvcLB(ctx, instance); err != nil {
+			r.recorder.Eventf(instance, "Warning", "Error", "failed to delete Service with dedicated ip: %v", err)
+			return ctrl.Result{}, err
+		}
+		log.Info("corresponding Service(s) of type LoadBalancer deleted")
 
 		// delete the postgres-exporter service
 		if err := r.deleteExporterSidecarService(ctx, namespace); client.IgnoreNotFound(err) != nil {
@@ -279,7 +284,7 @@ func (r *PostgresReconciler) Reconcile(ctx context.Context, req ctrl.Request) (c
 		return ctrl.Result{}, fmt.Errorf("failed to create or update zalando postgresql: %w", err)
 	}
 
-	if err := r.LBManager.CreateSvcLBIfNone(ctx, instance); err != nil {
+	if err := r.LBManager.ReconcileSvcLBs(ctx, instance); err != nil {
 		r.recorder.Eventf(instance, "Warning", "Error", "failed to create Service: %v", err)
 		return ctrl.Result{}, err
 	}

controllers/postgres_controller.go

@@ -57,7 +57,7 @@ var _ = Describe("postgres controller", func() {
 			Eventually(func() bool {
 				return svcClusterClient.Get(newCtx(), types.NamespacedName{
 					Namespace: instance.ToPeripheralResourceNamespace(),
-					Name:      instance.ToSvcLBName(),
+					Name:      instance.ToSharedSvcLBName(),
 				}, &core.Service{}) == nil
 			}, timeout, interval).Should(BeTrue())
 		})
@@ -96,7 +96,7 @@ var _ = Describe("postgres controller", func() {
 			Eventually(func() bool {
 				return svcClusterClient.Get(newCtx(), types.NamespacedName{
 					Namespace: instance.ToPeripheralResourceNamespace(),
-					Name:      instance.ToSvcLBName(),
+					Name:      instance.ToSharedSvcLBName(),
 				}, &core.Service{}) == nil
 			}, timeout, interval).ShouldNot(BeTrue())
 		})

controllers/postgres_controller_test.go

@@ -34,6 +34,7 @@ type StatusReconciler struct {
 	Scheme                *runtime.Scheme
 	PartitionID           string
 	ControlPlaneNamespace string
+	EnableForceSharedIP   bool
 }
 
 // Reconcile updates the status of the remote Postgres object based on the status of the local zalando object.
@@ -69,6 +70,7 @@ func (r *StatusReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctr
 		return ctrl.Result{}, fmt.Errorf("could not find the owner")
 	}
 
+	log.Info("updating status")
 	retryErr := retry.RetryOnConflict(retry.DefaultRetry, func() error {
 		// get a fresh copy of the owner object
 		if err := r.CtrlClient.Get(ctx, types.NamespacedName{Name: owner.Name, Namespace: owner.Namespace}, owner); err != nil {
@@ -91,18 +93,81 @@ func (r *StatusReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctr
 		return ctrl.Result{}, retryErr
 	}
 
-	lb := &corev1.Service{}
-	if err := r.SvcClient.Get(ctx, *owner.ToSvcLBNamespacedName(), lb); err == nil {
-		owner.Status.Socket.IP = lb.Spec.LoadBalancerIP
-		owner.Status.Socket.Port = lb.Spec.Ports[0].Port
+	log.Info("updating socket")
+	if owner.Spec.DedicatedLoadBalancerIP == nil {
+		// no dedicated load balancer configured, use the shared one
+		shared := &corev1.Service{}
+		if err := r.SvcClient.Get(ctx, *owner.ToSharedSvcLBNamespacedName(), shared); err == nil {
+			// update IP and port
+			owner.Status.Socket.IP = shared.Spec.LoadBalancerIP
+			owner.Status.Socket.Port = shared.Spec.Ports[0].Port
+
+		} else {
+			// Todo: Handle errors other than `NotFound`
+			log.Info("unable to fetch the shared LoadBalancer to update postgres status socket")
+			owner.Status.Socket = pg.Socket{}
+		}
 
 		if err := r.CtrlClient.Status().Update(ctx, owner); err != nil {
-			return ctrl.Result{}, fmt.Errorf("failed to update lbSocket of Postgres: %w", err)
+			return ctrl.Result{}, fmt.Errorf("failed to update simple postgres status socket: %w", err)
 		}
-		log.Info("postgres status socket updated")
+		log.Info("simple postgres status socket updated")
+
 	} else {
-		// Todo: Handle errors other than `NotFound`
-		log.Info("unable to fetch the corresponding Service of type LoadBalancer")
+		// dedicated load balancer configured, so we fetch it
+		dedicated := &corev1.Service{}
+		derr := r.SvcClient.Get(ctx, *owner.ToDedicatedSvcLBNamespacedName(), dedicated)
+
+		if r.EnableForceSharedIP {
+
+			// we still have a shared load balancer, so we keep using this one as primary socket
+			shared := &corev1.Service{}
+			serr := r.SvcClient.Get(ctx, *owner.ToSharedSvcLBNamespacedName(), shared)
+			if serr == nil {
+				// the shared load balancer is usable, use it for status
+				owner.Status.Socket.IP = shared.Spec.LoadBalancerIP
+				owner.Status.Socket.Port = shared.Spec.Ports[0].Port
+				log.Info("using shared loadbalancer as primary status socket")
+			} else {
+				// we couldn't use the shared load balancer, use empty socket instead
+				log.Info("failed to use shared loadbalancer as primary status socket")
+				owner.Status.Socket = pg.Socket{}
+			}
+
+			// now we use the dedicated load balancer as additional socket
+			if derr == nil && dedicated.Status.LoadBalancer.Ingress != nil && len(dedicated.Status.LoadBalancer.Ingress) == 1 {
+				// the dedicated load balancer is usable, use it for status
+				additionalSocket := pg.Socket{
+					IP:   dedicated.Spec.LoadBalancerIP,
+					Port: dedicated.Spec.Ports[0].Port,
+				}
+				owner.Status.AdditionalSockets = []pg.Socket{additionalSocket}
+				log.Info("using dedicated loadbalancer as additional status socket")
+			} else {
+				log.Info("failed to use dedicated loadbalancer as additional status socket")
+			}
+
+		} else {
+
+			// no more shared load balancer, only use the dedicated one
+			if derr == nil && dedicated.Status.LoadBalancer.Ingress != nil && len(dedicated.Status.LoadBalancer.Ingress) == 1 {
+				// the dedicated load balancer is usable, use it for status
+				owner.Status.Socket.IP = dedicated.Spec.LoadBalancerIP
+				owner.Status.Socket.Port = dedicated.Spec.Ports[0].Port
+				log.Info("using dedicated loadbalancer as primary status socket")
+			} else {
+				// we couldn't use the dedicated load balancer, use empty socket instead
+				log.Info("failed to use dedicated loadbalancer as primary status socket")
+				owner.Status.Socket = pg.Socket{}
+			}
+		}
+
+		// actually perform the status update
+		if err := r.CtrlClient.Status().Update(ctx, owner); err != nil {
+			return ctrl.Result{}, fmt.Errorf("failed to update advanced postgres status socket: %w", err)
+		}
+		log.Info("advanced postgres status socket updated")
+
 	}
 
 	// TODO also update the port/ip of databases mentioned in owner.Spec.PostgresConnectionInfo so that e.g. CWNP are always up to date
@@ -123,6 +188,8 @@ func (r *StatusReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctr
 		return ctrl.Result{}, err
 	}
 
+	log.Info("status reconciled")
+
 	return ctrl.Result{}, nil
 }