Major update (#566)

* Bump controller-runtime

* Fix metricsserver BindAddress

* ...

* Use same keys for logging in both reconcilers

* Use common ns key in operatormanager as well

* Add keys in lbmanager as well

* Use both keys

* Revert "Use both keys"

This reverts commit d66c243.

* Pass along logger

* key naming

* Logging

* Logging

* Logging

* Logging

* Logging

* Logging

* Logging

* Logging

* Logging

* Set RequeueAfter

* Logging

* Logging

* Logging

* Logging

* Logging

* Add delay for requeueing

* Add privileged label for initial development

* operator-update step 1:
bump version

* operator update step 2:
make svc-postgres-operator-yaml

* operator update step 3:
check config

* operator update:
update securityContext

* Update YAML

* Update YAML

* Update securityContext of initDBJob

* Add TODO

* Add securityContext to etcd

* Add runAsUser

* Disable readonly filesystem

* Update backup-restore-sidecar (and etcd)

* Update etcd configMap

* Revert "Set RequeueAfter"

This reverts commit bdd9df0.

* #88 Use default serviceAccount

* Update existing namespaces with new label

* Rename, logging and cleanup

* (Temporarily) removing call to patroni for testing

* Update to latest v0.16.x bugfix release

* Add option for patroni failsafe mode (for e.g. when using K8s as DCS)

* Change name again (fix for old cert-manager versions)

* Revert "Change name again (fix for old cert-manager versions)"

This reverts commit 9a5e7d6.

* Set to nil when not needed (so it will actually be removed from the CR)

* Sync mode reloaded (#572)

* Check patronic config and only update if neccessary

* Refactoring

* ...

* Refactoring

* Fix linter warnings

* Fix linter warning

* Delay requeue by 10 secs

* Check before updating standby configs as well

* Improve logging

* Improve logging

* Improve logging

* Fix check for SynchronousNodesAdditional

* Fix comparison, improve logging

* Additional nil check...

* Test different execution order for primaries and standbies

* Revert "Test different execution order for primaries and standbies"

This reverts commit 3f57b1c.

* Logging

* Refactoring

* Make requeue duration configurable

* Rename variable

* Add additional check (but only log the result for now)

* Only requeue when REST call was successful

* Fix linter errors

* Set to nil when not needed (so it will actually be removed from the CR)

* Only set the params required for sync replication and leave the rest to the postgres operator

* Remove unneccessary code

* logging

* Remove unused code

* Fix logic

* Update logic

* Revert "Remove unused code"

This reverts commit 7e525ec.

* Revert "Remove unneccessary code"

This reverts commit 00cc28f.

* Update previously reverted code

* Set all values when paching

* Logging

* Back to status quo: set the whole config

* typo

* Logging

* Remove TODOs after review

* Simplify

Author: eberlep

Makefile

@@ -19,7 +19,7 @@ CONTROLLER_GEN ?= $(LOCALBIN)/controller-gen
 CONTROLLER_TOOLS_VERSION ?= v0.14.0
 
 # Postgres operator variables for YAML download
-POSTGRES_OPERATOR_VERSION ?= v1.6.0
+POSTGRES_OPERATOR_VERSION ?= v1.11.0
 POSTGRES_OPERATOR_URL ?= https://raw.githubusercontent.com/zalando/postgres-operator/$(POSTGRES_OPERATOR_VERSION)/manifests
 POSTGRES_CRD_URL ?= https://raw.githubusercontent.com/zalando/postgres-operator/$(POSTGRES_OPERATOR_VERSION)/charts/postgres-operator/crds/postgresqls.yaml
 

controllers/postgres_controller.go

@@ -33,6 +33,7 @@ import (
 	zalando "github.com/zalando/postgres-operator/pkg/apis/acid.zalan.do/v1"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
+	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
 	// +kubebuilder:scaffold:imports
 )
 
@@ -101,8 +102,10 @@ var _ = BeforeSuite(func() {
 		Expect(ctrlClusterMgr).ToNot(BeNil())
 
 		svcClusterMgr, err := cr.NewManager(svcClusterCfg, cr.Options{
-			MetricsBindAddress: "0",
-			Scheme:             scheme,
+			Metrics: metricsserver.Options{
+				BindAddress: "0",
+			},
+			Scheme: scheme,
 		})
 		Expect(err).ToNot(HaveOccurred())
 		Expect(svcClusterMgr).ToNot(BeNil())

controllers/suite_test.go

@@ -66,6 +66,8 @@ items:
       backup-cron-schedule: "*/1 * * * *"
       object-prefix: etcd-psql
       compression-method: tarlz4
+      post-exec-cmds:
+      - etcd --data-dir=/data/etcd --listen-metrics-urls http://0.0.0.0:2381
 - kind: StatefulSet
   apiVersion: apps/v1
   metadata:
@@ -96,7 +98,7 @@ items:
       spec:
         serviceAccountName: patroni-etcd
         containers:
-        - image: quay.io/coreos/etcd:v3.5.4
+        - image: quay.io/coreos/etcd:v3.5.13
           # can also be gcr.io/etcd-development/etcd
           env:
           - name: ETCD_ENABLE_V2
@@ -113,12 +115,8 @@ items:
             value: default=http://etcd-psql-headless.ft-etcd-psql.svc.cluster.local:2380
           name: etcd
           command:
-          - tini
-          - --
-          args:
-          - sh
-          - -c
-          - backup-restore-sidecar wait && etcd --data-dir=/data/etcd --listen-metrics-urls http://0.0.0.0:2381
+          - backup-restore-sidecar
+          - wait
           imagePullPolicy: IfNotPresent
           livenessProbe:
             exec:
@@ -155,6 +153,16 @@ items:
             requests:
               cpu: 300m
               memory: 1G
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            runAsUser: 1000
+            seccompProfile:
+              type: RuntimeDefault
+            capabilities:
+              drop:
+              - ALL
           terminationMessagePath: /dev/termination-log
           terminationMessagePolicy: File
           volumeMounts:
@@ -165,10 +173,7 @@ items:
             mountPath: /usr/local/bin/backup-restore-sidecar
           - name: backup-restore-sidecar-config
             mountPath: /etc/backup-restore-sidecar
-          - name: bin-provision
-            subPath: tini
-            mountPath: /usr/local/bin/tini
-        - image:  quay.io/coreos/etcd:v3.5.4
+        - image:  quay.io/coreos/etcd:v3.5.13
           name: backup-restore-sidecar
           env:
             - name: BACKUP_RESTORE_SIDECAR_S3_BUCKET_NAME
@@ -197,37 +202,52 @@ items:
                   key: secret-key
                   name: etcd-backup-restore-s3-config
           command:
-          - tini
-          - --
-          args:
-          - sh
-          - -c
-          - mkdir -p /data/etcd && backup-restore-sidecar start --log-level debug
+          - backup-restore-sidecar
+          - start
+          - --log-level=debug
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: false
+            runAsNonRoot: true
+            runAsUser: 1000
+            seccompProfile:
+              type: RuntimeDefault
+            capabilities:
+              drop:
+              - ALL
           volumeMounts:
           - name: etcd
             mountPath: /data
+          - name: tmp-backup
+            mountPath: /backup
           - name: bin-provision
             subPath: backup-restore-sidecar
             mountPath: /usr/local/bin/backup-restore-sidecar
           - name: backup-restore-sidecar-config
             mountPath: /etc/backup-restore-sidecar
-          - name: bin-provision
-            subPath: tini
-            mountPath: /usr/local/bin/tini
           - name: bin-provision
             subPath: certs
             mountPath: /etc/ssl/certs
         initContainers:
         - name: backup-restore-sidecar-provider
-          image: ghcr.io/metal-stack/backup-restore-sidecar:latest
+          image: ghcr.io/metal-stack/backup-restore-sidecar:v0.10.2
           imagePullPolicy: IfNotPresent
           command:
           - cp
           - -r
           - /etc/ssl/certs
           - /backup-restore-sidecar
-          - /ubuntu/tini
           - /bin-provision
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            runAsUser: 1000
+            seccompProfile:
+              type: RuntimeDefault
+            capabilities:
+              drop:
+              - ALL
           ports:
           - containerPort: 2112
           volumeMounts:
@@ -242,6 +262,9 @@ items:
         - emptyDir:
             sizeLimit: 1Gi
           name: etcd
+        - emptyDir:
+            sizeLimit: 1Gi
+          name: tmp-backup
 - kind: Service
   apiVersion: v1
   metadata: