diff --git a/.github/linters/.checkov.yaml b/.github/linters/.checkov.yaml index 0b86e0d1..abe8139d 100644 --- a/.github/linters/.checkov.yaml +++ b/.github/linters/.checkov.yaml @@ -2,6 +2,12 @@ quiet: true +# Files under Helm templates/ are not valid YAML until `helm template` runs (they contain {{ ... }}). +# Checkov still feeds some of them to YAML-based runners (e.g. CloudFormation), which then fail to parse. +# Excluding template sources is the recommended approach; use the Helm chart scan (values + Chart.yaml) for policy checks. +skip-path: + - ^operator/charts/[^/]+/templates/ + skip-check: # https://www.checkov.io/5.Policy%20Index/kubernetes.html - CKV_K8S_15 # Image Pull Policy should be Always diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 04dc497b..a43f36bc 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -26,10 +26,20 @@ on: workflow_dispatch: inputs: publish_docker: - description: "Publish images to ghcr.io/netcracker" + description: "Publish images to ghcr.io/ (lowercase)" type: boolean default: false required: false + tags: + description: "Optional extra tags for metadata-action" + type: string + required: false + default: "" + replace_symbol: + description: "Replace symbol for metadata-action ref names" + type: string + required: false + default: "_" permissions: contents: read 
@@ -40,7 +50,9 @@ concurrency: env: TAG_NAME: ${{ github.event.release.tag_name || github.head_ref || github.ref_name }} - PUSH: ${{ (github.event_name != 'workflow_dispatch' || inputs.publish_docker) && github.actor != 'dependabot[bot]' }} + # Fork PRs run on the base repo: GITHUB_TOKEN cannot push org packages; still build with push=false. + # Pushes on your fork (push event) publish to ghcr.io//... via GITHUB_GROUP below. + PUSH: ${{ (github.event_name != 'workflow_dispatch' || inputs.publish_docker) && github.actor != 'dependabot[bot]' && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) }} jobs: prepare: @@ -88,7 +100,7 @@ jobs: with: default-template: "{{ref-name}}" extra-tags: ${{ github.event.inputs.tags || '' }} - replace-symbol: ${{ github.event.inputs.replace-symbol || '_'}} + replace-symbol: ${{ github.event.inputs.replace_symbol || '_' }} build: name: ${{ matrix.component.name }} Image Build 
@@ -103,25 +115,30 @@ jobs: component: ${{ fromJson(needs.prepare.outputs.components) }} steps: - name: Validate + if: ${{ github.event_name == 'workflow_dispatch' && startsWith(github.ref, 'refs/tags/') }} run: | - if [[ "${{ github.event_name }}" == "workflow_dispatch" && "${{ github.ref }}" == refs/tags* ]]; then - echo -e "\033[91mManual workflow run on tags is not allowed!\033[0m" - exit 1 - fi + echo -e "\033[91mManual workflow run on tags is not allowed!\033[0m" + exit 1 - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0 - name: Login to Docker Hub - uses: docker/login-action@v3 + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: ghcr.io username: ${GITHUB_ACTOR} password: ${{secrets.GITHUB_TOKEN}} - name: Prepare Tag run: echo "TAG_NAME=$(echo ${TAG_NAME} | sed 's@refs/tags/@@;s@refs/heads/@@;s@/@_@g')" >> $GITHUB_ENV + - name: Prepare registry namespace + env: + REPO_OWNER: ${{ github.repository_owner }} + run: echo "GITHUB_GROUP=$(echo "$REPO_OWNER" | tr '[:upper:]' '[:lower:]')" >> "$GITHUB_ENV" - name: Get package IDs for delete id: get-ids-for-delete uses: Netcracker/get-package-ids@84bc8eb8bed50218be76e671b3a24c35a1300979 
@@ -139,7 +156,7 @@ jobs: platforms: ${{ needs.prepare.outputs.platforms }} push: ${{ env.PUSH }} build-args: PG_VERSION=${{ matrix.component.pg_version }} - tags: ghcr.io/netcracker/${{ matrix.component.name }}:${{ env.TAG_NAME }} + tags: ghcr.io/${{ env.GITHUB_GROUP }}/${{ matrix.component.name }}:${{ env.TAG_NAME }} provenance: false - uses: actions/delete-package-versions@e5bc658cc4c965c472efe991f8beea3981499c55 # v5.0.0 with: diff --git a/.github/workflows/link-checker.yaml b/.github/workflows/link-checker.yaml index 6fb34f2f..df6f5fcf 100644 --- a/.github/workflows/link-checker.yaml +++ b/.github/workflows/link-checker.yaml @@ -14,10 +14,12 @@ jobs: linkChecker: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Restore lychee cache - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 id: restore-cache with: path: .lycheecache @@ -26,10 +28,11 @@ jobs: - name: Link Checker id: lychee - uses: lycheeverse/lychee-action@v2 + uses: lycheeverse/lychee-action@885c65f3dc543b57c898c8099f4e08c8afd178a2 # v2.6.1 with: args: >- './**/*.md' + --root-dir ${{ github.workspace }} --verbose --no-progress --user-agent 'Mozilla/5.0 (X11; Linux x86_64) Chrome/134.0.0.0' diff --git a/README.md b/README.md index f23b9a3c..a7be7f93 100644 --- a/README.md +++ b/README.md 
@@ -14,6 +14,22 @@ Postgres-Operator provides PostgreSQL as a service on Kubernetes and OpenShift. Please refer to the [Quick Start Guide](/docs/public/quickstart.md) +### Integration tests and ATP storage + +Integration test settings live under `tests` in the Helm values for **patroni-core** and **patroni-services** (see [`operator/charts/patroni-core/values.yaml`](operator/charts/patroni-core/values.yaml) and [`operator/charts/patroni-services/values.yaml`](operator/charts/patroni-services/values.yaml)). The test image is based on [qubership-docker-integration-tests](https://github.com/Netcracker/qubership-docker-integration-tests). Optional `tests.atpStorage`, `tests.atpReportViewUiUrl`, and `tests.environmentName` map to the same `ATP_*` / `ENVIRONMENT_NAME` variables as in other Qubership demos (Consul `integrationTests.*`, RabbitMQ `tests.*`). The Patroni Services chart renders these into the custom resource (`operator/charts/patroni-services/templates/cr.yaml`). + +| Value (Helm) | Description | +|------------------------------|-------------| +| `tests.atpStorage.provider` | S3 provider (for example `aws`, `minio`, `s3`). When set, the chart can emit ATP storage environment variables for the test pod. | +| `tests.atpStorage.serverUrl` | S3 API endpoint URL. | +| `tests.atpStorage.serverUiUrl` | Optional storage UI URL. | +| `tests.atpStorage.bucket` | Bucket name; empty usually means no S3 upload in the base image flow. | +| `tests.atpStorage.region` | Region (for example for AWS). | +| `tests.atpStorage.username` | Access key (sensitive; prefer secrets / external overrides in real environments). | +| `tests.atpStorage.password` | Secret key (same as username). | +| `tests.atpReportViewUiUrl` | Optional Allure report UI base URL. | +| `tests.environmentName` | Optional logical name for paths or labels. | + ### Smoke tests There is no smoke tests. 
diff --git a/docs/public/architecture.md b/docs/public/architecture.md new file mode 100644 index 00000000..94e4075f --- /dev/null +++ b/docs/public/architecture.md @@ -0,0 +1,3 @@ +# Architecture + +## Postgres operator diff --git a/docs/public/features/query-exporter.md b/docs/public/features/query-exporter.md index 05242317..b2d8834e 100644 --- a/docs/public/features/query-exporter.md +++ b/docs/public/features/query-exporter.md @@ -29,7 +29,7 @@ However for managed databases these extensions must be enabled for database inst ## Migration from postgres-exporter -Please check [new queries format](/charts/patroni-services/query-exporter/query-exporter-queries.yaml) for query-exporter. +Please check [new queries format](/operator/charts/patroni-services/query-exporter/query-exporter-queries.yaml) for query-exporter. For custom queries two sections must be used in config: `metrics` and `queries`. Queries section includes map of queries. Each query now include next mandatory fields: 
@@ -174,7 +174,7 @@ In this case query `pg_example` will be executed for all databases matching at l In postgres-operator new watchers are created for namespaces, listed in deployment parameters. These watchers react to Create, Update, Delete events for config maps with labels from `queryExporter.customQueries.labels` parameter and mandatory label -```query-exporter: custom-queries```. Config maps should contain metrics with custom queries for Query Exporter. Metrics must correspond to the [query exporter format](/charts/patroni-services/query-exporter/query-exporter-queries.yaml) and must meet [metric naming rules](https://prometheus.io/docs/concepts/data_model/#metric-names-and-labels)). +```query-exporter: custom-queries```. Config maps should contain metrics with custom queries for Query Exporter. Metrics must correspond to the [query exporter format](/operator/charts/patroni-services/query-exporter/query-exporter-queries.yaml) and must meet [metric naming rules](https://prometheus.io/docs/concepts/data_model/#metric-names-and-labels)). After the Create event, changes from created config map will be appended to `query-exporter-queries` config map. After the Modify event, changes from config map will be replaced in `query-exporter-queries` config map. After the Delete event, changes from config map will be deleted from `query-exporter-queries` config map. @@ -202,7 +202,7 @@ queryExporter: - "pg_lock_tree_query" - "connection_by_role_with_limit_query" ``` -Names of the queries can be found in [query-exporter-queries](/charts/patroni-services/query-exporter/query-exporter-queries.yaml) configmap. All metrics for excluded query will be automatically excluded. +Names of the queries can be found in [query-exporter-queries](/operator/charts/patroni-services/query-exporter/query-exporter-queries.yaml) configmap. All metrics for excluded query will be automatically excluded. # Self monitoring 
diff --git a/docs/public/installation.md b/docs/public/installation.md index 3ab9a7d7..09abae73 100644 --- a/docs/public/installation.md +++ b/docs/public/installation.md @@ -88,13 +88,13 @@ For Openshift version 4.8 and above OpenShift Container Platform ships with a de Follow these steps to enable the default seccomp profile for all pods: -1) Export the available restricted SCC to a yaml file: +1) Export the available restricted SCC to a YAML file: ``` $ oc get scc restricted -o yaml > restricted-seccomp.yaml ``` -2) Edit the created restricted SCC yaml file: +2) Edit the created restricted SCC YAML file: ``` $ vi restricted-seccomp.yaml @@ -206,8 +206,8 @@ The general parameters used for the configurations are specified below. | serviceAccount.create | bool | no | true | Specifies whether a service account needs to be created. | | serviceAccount.name | string | no | postgres-sa | Specifies name of the Service Account under which Postgres Operator will work. | | runTestsOnly | bool | no | false | Indicates whether to run Integration Tests (skipping deploy step) only or not. | -| affinity | json | no | n/a | Defines affinity scheduling rules for all components. Can be overridden per component. | -| podLabels | yaml | no | n/a | Specifies custom pod labels for all the components. Can be overridden per component. | +| affinity | JSON | no | n/a | Defines affinity scheduling rules for all components. Can be overridden per component. | +| podLabels | YAML | no | n/a | Specifies custom pod labels for all the components. Can be overridden per component. | **Note**: `postgresUser` is not the user which will be created during deployment. You should mention here the user which is already present with superuser role. If you need to use some other user instead of postgres, you should create the desired user manually with superuser role. 
@@ -218,11 +218,11 @@ This sections describes all possible deploy parameters for PostgreSQL Operator. | Parameter | Type | Mandatory | Default value | Description | |-------------------------------------------------|--------|-----------|---------------|----------------------------------------------------------------------------------------| | operator.resources.requests.memory | string | no | 50Mi | Specifies memory requests for Postgres Operator. | -| operator.resources.requests.cpu | string | no | 50m | Specifies cpu requests for Postgres Operator. | +| operator.resources.requests.cpu | string | no | 50m | Specifies CPU requests for Postgres Operator. | | operator.resources.limits.memory | string | no | 50Mi | Specifies memory limits for Postgres Operator. | -| operator.resources.limits.cpu | string | no | 50m | Specifies cpu limits for Postgres Operator. | -| operator.affinity | json | no | n/a | Specifies the affinity scheduling rules. | -| operator.podLabels | yaml | no | n/a | Specifies custom pod labels for Postgres Operator. | +| operator.resources.limits.cpu | string | no | 50m | Specifies CPU limits for Postgres Operator. | +| operator.affinity | JSON | no | n/a | Specifies the affinity scheduling rules. | +| operator.podLabels | YAML | no | n/a | Specifies custom pod labels for Postgres Operator. | | operator.waitTimeout | string | no | 10 | Specifies the timeouts in minutes for Postgres Operator to wait for successful checks. | | operator.reconcileRetries | string | no | 3 | Specifies the number of retries in single reconcile loop for Postgres Operator. | 
@@ -235,15 +235,15 @@ This sections describes all possible deploy parameters for Patroni component. | patroni.install | bool | no | true | Indicates whether to install Patroni component or not. Should be set to `no` in case of Managed DBs. | | patroni.clusterName | string | no | patroni | Specifies Patroni cluster name.. | | patroni.resources.requests.memory | string | no | 250Mi | Specifies memory requests. | -| patroni.resources.requests.cpu | string | no | 125m | Specifies cpu requests. | +| patroni.resources.requests.cpu | string | no | 125m | Specifies CPU requests. | | patroni.resources.limits.memory | string | no | 500Mi | Specifies memory limits. | -| patroni.resources.limits.cpu | string | no | 250m | Specifies cpu limits. | +| patroni.resources.limits.cpu | string | no | 250m | Specifies CPU limits. | | patroni.resources.unlimited | bool | no | false | Specifies if we should skip setting limits for Patroni. | | patroni.postgreSQLParams | []string | no | [Default PostgreSQL parameters](#default-postgresql-parameters) | Specifies PostgreSQL parameters. Values should be specified as a string list of `key: value` parameters. | | patroni.patroniParams | []string | no | n/a | Specifies Patroni configuration parameters. Values should be specified as a string list of `key: value` parameters. | | patroni.securityContext | [Kubernetes Sec Context](https://pkg.go.dev/k8s.io/api/core/v1#SecurityContext) | no | n/a | Specifies pod level security attributes and common container settings. | -| patroni.standbyCluster.host | string | no | n/a | Specifies host of active Postgresql cluster for Patroni standby cluster configuration. | -| patroni.standbyCluster.port | string | no | n/a | Specifies port of active Postgresql cluster for Patroni standby cluster configuration. | +| patroni.standbyCluster.host | string | no | n/a | Specifies host of active PostgreSQL cluster for Patroni standby cluster configuration. 
| +| patroni.standbyCluster.port | string | no | n/a | Specifies port of active PostgreSQL cluster for Patroni standby cluster configuration. | | patroni.enableShmVolume | bool | no | true | Specifies should tmpfs mount for /dev/shm be used in Patroni pods. | | patroni.powa.install | bool | no | true | Indicates whether to configure POWA for PostgreSQL or not. | | patroni.powa.password | string | no | Pow@pASsWORD | Specifies password for POWA user. | @@ -259,11 +259,11 @@ This sections describes all possible deploy parameters for Patroni component. | patroni.pgWalStorage | Storage Group | no | n/a | Specifies set of storage parameters for separater volume for `pg_wal` directory. Parameters are the same as for `storage`. | | patroni.pgWalStorageAutoManage | bool | no | n/a | Specifies is pg_wal files have to be moved to separate volume `pg_wal` directory automatically. | | patroni.priorityClassName | string | no | n/a | Specifies [Priority Class](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#priorityclass). | -| patroni.affinity | json | no | n/a | Specifies the affinity scheduling rules. | -| patroni.podLabels | yaml | no | n/a | Specifies custom pod labels. | -| patroni.external.pvc | yaml | no | n/a | Specifies list of pvcs to mount them to patroni pods. | -| patroni.external.pvc.name | yaml | no | n/a | Specifies name of pvc to mount it to patroni pods. | -| patroni.external.pvc.mountPath | yaml | no | n/a | Specifies path on patroni pod for mounted pvc. | +| patroni.affinity | JSON | no | n/a | Specifies the affinity scheduling rules. | +| patroni.podLabels | YAML | no | n/a | Specifies custom pod labels. | +| patroni.external.pvc | YAML | no | n/a | Specifies list of pvcs to mount them to patroni pods. | +| patroni.external.pvc.name | YAML | no | n/a | Specifies name of pvc to mount it to patroni pods. | +| patroni.external.pvc.mountPath | YAML | no | n/a | Specifies path on patroni pod for mounted pvc. | ## majorUpgrade 
@@ -303,9 +303,9 @@ Patroni Core Operator allows configuration of TLS for PostgreSQL. By default, re | tls.generateCerts.subjectAlternativeName.additionalDnsNames | []string | no | n/a | Specifies the list of additional DNS names to be added to the "Subject Alternative Name" field of SSL certificate. If access to Postgres Service for external clients is enabled, DNS names from externalHostNames parameter must be specified in here. | | tls.generateCerts.subjectAlternativeName.additionalIpAddresses | []string | no | n/a | Specifies the list of additional IP addresses to be added to the "Subject Alternative Name" field of SSL certificate. If access to Postgres Service for external clients is enabled, IP addresses from externalHostNames parameter must be specified in here. | | tls.generateCerts.clusterIssuerName | string | yes | n/a | Specifies name of `ClusterIssuer` resource. If the parameter is not set or empty, `Issuer` resource in current Kubernetes namespace will be used. | -| tls.certificates.tls_crt | string | no | "" | Specifies the certificate in BASE64 format. It is required if tls.enabled is true and tls.generateCerts.enabled is false. This allows user to specify their own certificate. | -| tls.certificates.tls_key | string | no | "" | Specifies the private key in BASE64 format. It is required if tls.enabled is true and tls.generateCerts.enabled is false. This allows user to specify their own key. | -| tls.certificates.ca_crt | string | no | "" | Specifies base 64 encoded CA certificate. It is required if tls.enabled is true and tls.generateCerts.enabled is false. This allows user to specify their own ca certificate. | +| tls.certificates.tls_crt | string | no | "" | Specifies the certificate in base64 format. It is required if tls.enabled is true and tls.generateCerts.enabled is false. This allows user to specify their own certificate. | +| tls.certificates.tls_key | string | no | "" | Specifies the private key in base64 format. 
It is required if tls.enabled is true and tls.generateCerts.enabled is false. This allows user to specify their own key. | +| tls.certificates.ca_crt | string | no | "" | Specifies base64 encoded CA certificate. It is required if tls.enabled is true and tls.generateCerts.enabled is false. This allows user to specify their own ca certificate. | ## pgBackRest @@ -347,8 +347,8 @@ The general parameters used for the configurations are specified below. | serviceAccount.create | bool | no | true | Specifies whether a service account needs to be created. | | serviceAccount.name | string | no | postgres-sa | Specifies name of the Service Account under which Postgres Operator will work. | | runTestsOnly | bool | no | false | Indicates whether to run Integration Tests (skipping deploy step) only or not. | -| affinity | json | no | n/a | Defines affinity scheduling rules for all components. Can be overridden per component. | -| podLabels | yaml | no | n/a | Specifies custom pod labels for all the components. Can be overridden per component. | +| affinity | JSON | no | n/a | Defines affinity scheduling rules for all components. Can be overridden per component. | +| podLabels | YAML | no | n/a | Specifies custom pod labels for all the components. Can be overridden per component. | **Note**: `postgresUser` is not the user which will be created during deployment. You should mention here the user which is already present with superuser role. If you need to use some other user instead of postgres, you should create the desired user manually with superuser role. 
@@ -359,11 +359,11 @@ This sections describes all possible deploy parameters for PostgreSQL Operator. | Parameter | Type | Mandatory | Default value | Description | |-------------------------------------------------|--------|-----------|---------------|----------------------------------------------------------------------------------------| | operator.resources.requests.memory | string | no | 50Mi | Specifies memory requests for Postgres Operator. | -| operator.resources.requests.cpu | string | no | 50m | Specifies cpu requests for Postgres Operator. | +| operator.resources.requests.cpu | string | no | 50m | Specifies CPU requests for Postgres Operator. | | operator.resources.limits.memory | string | no | 50Mi | Specifies memory limits for Postgres Operator. | -| operator.resources.limits.cpu | string | no | 50m | Specifies cpu limits for Postgres Operator. | -| operator.affinity | json | no | n/a | Specifies the affinity scheduling rules. | -| operator.podLabels | yaml | no | n/a | Specifies custom pod labels for Postgres Operator. | +| operator.resources.limits.cpu | string | no | 50m | Specifies CPU limits for Postgres Operator. | +| operator.affinity | JSON | no | n/a | Specifies the affinity scheduling rules. | +| operator.podLabels | YAML | no | n/a | Specifies custom pod labels for Postgres Operator. | | operator.waitTimeout | string | no | 10 | Specifies the timeouts in minutes for Postgres Operator to wait for successful checks. | | operator.reconcileRetries | string | no | 3 | Specifies the number of retries in single reconcile loop for Postgres Operator. | 
@@ -383,9 +383,9 @@ This sections describes all possible deploy parameters for PostgreSQL Backup Dae |----------------------------------------|---------------------------------------------------------------------------------|-----------|---------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | backupDaemon.install | bool | no | true | Indicates whether to install PostgreSQL Backup Daemon component or not. | | backupDaemon.resources.requests.memory | string | no | 256Mi | Specifies memory requests. | -| backupDaemon.resources.requests.cpu | string | no | 100m | Specifies cpu requests. | +| backupDaemon.resources.requests.cpu | string | no | 100m | Specifies CPU requests. | | backupDaemon.resources.limits.memory | string | no | 512Mi | Specifies memory limits. | -| backupDaemon.resources.limits.cpu | string | no | 250m | Specifies cpu limits. | +| backupDaemon.resources.limits.cpu | string | no | 250m | Specifies CPU limits. | | backupDaemon.securityContext | [Kubernetes Sec Context](https://pkg.go.dev/k8s.io/api/core/v1#SecurityContext) | no | n/a | Specifies pod level security attributes and common container settings. | | backupDaemon.pgHost | string | no | pg-patroni | Specifies PostgreSQL host. | | backupDaemon.walArchiving | bool | no | false | Indicates whether to save WALs files in PostgreSQL Backup Daemon. This setting can cause major disk usage impact, because each postgres WAL file size is 16MB. Also, please, note, that in case of enabled `walArchiving` memory limits for PostgreSQL Backup Daemon should be set as `1 Gib` minimal. | 
@@ -406,7 +406,7 @@ This sections describes all possible deploy parameters for PostgreSQL Backup Dae | backupDaemon.storage.selectors | []string | no | n/a | Specifies list of selector to choose PVCs. | | backupDaemon.storage.volumes | []string | no | n/a | Specifies list of Persistence Volumes that will be used for PVCs. Should be specified only in case of `pv` storageClass. | | backupDaemon.storage.accessMode | []string | no | n/a | Specifies list of [Access Modes](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#access-modes) that will be used for PVCs. | -| backupDaemon.s3Storage.url | string | no | n/a | Specifies url address to S3 storage. | +| backupDaemon.s3Storage.url | string | no | n/a | Specifies URL address to S3 storage. | | backupDaemon.s3Storage.accessKeyId | string | no | n/a | Specifies S3 accessKeyId credential. | | backupDaemon.s3Storage.secretAccessKey | string | no | n/a | Specifies S3 secretAccessKey credential. | | backupDaemon.s3Storage.bucket | string | no | n/a | Specifies name of S3 Bucket. | @@ -417,8 +417,8 @@ This sections describes all possible deploy parameters for PostgreSQL Backup Dae | backupDaemon.externalPv.capacity | string | no | n/a | Specifies capacity of External PV. | | backupDaemon.externalPv.storageClass | string | no | n/a | Specifies StorageClass of External PV. | | backupDaemon.priorityClassName | string | no | n/a | Specifies [Priority Class](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#priorityclass). | -| backupDaemon.affinity | json | no | n/a | Specifies the affinity scheduling rules. | -| backupDaemon.podLabels | yaml | no | n/a | Specifies custom pod labels. | +| backupDaemon.affinity | JSON | no | n/a | Specifies the affinity scheduling rules. | +| backupDaemon.podLabels | YAML | no | n/a | Specifies custom pod labels. | ## metricCollector 
@@ -428,14 +428,14 @@ This sections describes all possible deploy parameters for PostgreSQL Metric Col |-------------------------------------------------------------------------------|---------------------------------------------------------------------------------|-----------|-----------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | metricCollector.install | bool | no | true | Indicates whether to install PostgreSQL Metric Collector component or not. | | metricCollector.resources.requests.memory | string | no | 128Mi | Specifies memory requests. | -| metricCollector.resources.requests.cpu | string | no | 150m | Specifies cpu requests. | +| metricCollector.resources.requests.cpu | string | no | 150m | Specifies CPU requests. | | metricCollector.resources.limits.memory | string | no | 256Mi | Specifies memory limits. | -| metricCollector.resources.limits.cpu | string | no | 300m | Specifies cpu limits. | +| metricCollector.resources.limits.cpu | string | no | 300m | Specifies CPU limits. | | metricCollector.securityContext | [Kubernetes Sec Context](https://pkg.go.dev/k8s.io/api/core/v1#SecurityContext) | no | n/a | Specifies pod level security attributes and common container settings. | | metricCollector.collectionInterval | int | no | 60 | Specifies interval in seconds to execute Telegraf's plugins. | | metricCollector.scrapeTimeout | int | no | 20 | Specifies timeout in seconds to wait metric be gathered. | | metricCollector.telegrafPluginTimeout | int | no | 60 | Specifies timeout in seconds to execute Telegraf's plugins. | -| metricCollector.userPassword | yaml | no | p@ssWOrD1 | Specifies the password for metric collector user. | +| metricCollector.userPassword | YAML | no | p@ssWOrD1 | Specifies the password for metric collector user. 
| | metricCollector.ocExecTimeout | int | no | 10 | Specifies timeout in seconds to execute `exec` commands. | | metricCollector.devMetricsInterval | int | no | 10 | Specifies interval in minutes to execute Telegraf's plugins for additional metrics. | | metricCollector.devMetricsTimeout | int | no | 10 | Timeout in minutes to execute command for additional metrics. | @@ -453,8 +453,8 @@ This sections describes all possible deploy parameters for PostgreSQL Metric Col | metricCollector.prometheusRules.maxConnectionExceedPercentageThreshold | int | no | 90 | Specifies the value of exceed max_connection percentage threshold. Value can be set from 0 to 100. | | metricCollector.prometheusRules.maxConnectionReachedPercentageThreshold | int | no | 80 | Specifies the value of reached max_connection percentage threshold. Value can be set from 0 to 100. | | metricCollector.priorityClassName | string | no | n/a | Specifies [Priority Class](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#priorityclass). | -| metricCollector.affinity | json | no | n/a | Specifies the affinity scheduling rules. | -| metricCollector.podLabels | yaml | no | n/a | Specifies custom pod labels. | +| metricCollector.affinity | JSON | no | n/a | Specifies the affinity scheduling rules. | +| metricCollector.podLabels | YAML | no | n/a | Specifies custom pod labels. | ## dbaas 
@@ -464,9 +464,9 @@ This sections describes all possible deploy parameters for PostgreSQL DBaaS Adap |---------------------------------------------|-------------------|-----------|-----------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------| | dbaas.install | bool | no | true | Indicates whether to install PostgreSQL DBaaS Adapter component or not. | | dbaas.resources.requests.memory | string | no | 64Mi | Specifies memory requests. | -| dbaas.resources.requests.cpu | string | no | 200m | Specifies cpu requests. | +| dbaas.resources.requests.cpu | string | no | 200m | Specifies CPU requests. | | dbaas.resources.limits.memory | string | no | 64Mi | Specifies memory limits. | -| dbaas.resources.limits.cpu | string | no | 200m | Specifies cpu limits. | +| dbaas.resources.limits.cpu | string | no | 200m | Specifies CPU limits. | | dbaas.pgHost | string | no | pg-patroni. | Specifies PostgreSQL host.. | | dbaas.pgPort | string | no | 5432 | Specifies port for connection to PostgreSQL. | | dbaas.dbName | string | no | postgres | Specifies name of PostgreSQL database to connect by default. | 
@@ -483,8 +483,8 @@ This sections describes all possible deploy parameters for PostgreSQL DBaaS Adap | dbaas.apiVersion | string | no | v2 | Specifies the version of DBaaS API. | | dbaas.multiUsers | bool | no | true | Specifies if Multi Users functionality is enabled. | | dbaas.priorityClassName | string | no | n/a | Specifies [Priority Class](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#priorityclass). | -| dbaas.affinity | json | no | n/a | Specifies the affinity scheduling rules. | -| dbaas.podLabels | yaml | no | n/a | Specifies custom pod labels. | +| dbaas.affinity | JSON | no | n/a | Specifies the affinity scheduling rules. | +| dbaas.podLabels | YAML | no | n/a | Specifies custom pod labels. | | dbaas.debug | bool | no | false | Specifies if debug logs are enabled. | | dbaas.updateRoles | bool | no | false | Specifies if roles migration process must be performed. | | INTERNAL_TLS_ENABLED | bool | no | false | Specifies if HTTPS should be enabled for DBaaS Adapter Endpoints and specification of certificates in requests to DBaaS Aggregator. | 
@@ -589,13 +589,13 @@ This sections describes all possible deploy parameters for Query Exporter compon | queryExporter.install | bool | no | false | Indicates that Query Exporter should be installed or not. | | queryExporter.securityContext | [Kubernetes Sec Context](https://pkg.go.dev/k8s.io/api/core/v1#SecurityContext) | no | n/a | Specifies pod level security attributes and common container settings. | | queryExporter.resources.requests.memory | string | no | 128Mi | Specifies memory requests. | -| queryExporter.resources.requests.cpu | string | no | 150m | Specifies cpu requests. | +| queryExporter.resources.requests.cpu | string | no | 150m | Specifies CPU requests. | | queryExporter.resources.limits.memory | string | no | 128Mi | Specifies memory limits. | -| queryExporter.resources.limits.cpu | string | no | 300m | Specifies cpu limits. | +| queryExporter.resources.limits.cpu | string | no | 300m | Specifies CPU limits. | | queryExporter.scrapeTimeout | int | no | 10 | Specifies the timeout in seconds after which the scrape is ended. | | queryExporter.queryTimeout | int | no | 30 | Specifies the timeout in seconds for single query execution. | -| queryExporter.affinity | json | no | n/a | Specifies the affinity scheduling rules. | -| queryExporter.podLabels | yaml | no | n/a | Specifies custom pod labels. | +| queryExporter.affinity | JSON | no | n/a | Specifies the affinity scheduling rules. | +| queryExporter.podLabels | YAML | no | n/a | Specifies custom pod labels. | | queryExporter.pgUser | string | no | query-exporter | Specifies name of user to create for postgres exporter. | | queryExporter.pgPassword | string | no | PaSsw0rDfoRExporT3r | Specifies password for postgres exporter user. | | queryExporter.maxMasterConnections | int | no | 10 | Specifies the number of simultaneous connections for master database. | 
@@ -619,12 +619,12 @@ This sections describes all possible deploy parameters for PoWA UI component. | powaUI.ingress.enabled | bool | no | true | Specifies Ingress should be enabled. | | powaUI.securityContext | [Kubernetes Sec Context](https://pkg.go.dev/k8s.io/api/core/v1#SecurityContext) | no | n/a | Specifies pod level security attributes and common container settings. | | powaUI.resources.requests.memory | string | no | 256Mi | Specifies memory requests. | -| powaUI.resources.requests.cpu | string | no | 200m | Specifies cpu requests. | +| powaUI.resources.requests.cpu | string | no | 200m | Specifies CPU requests. | | powaUI.resources.limits.memory | string | no | 512Mi | Specifies memory limits. | -| powaUI.resources.limits.cpu | string | no | 500m | Specifies cpu limits. | +| powaUI.resources.limits.cpu | string | no | 500m | Specifies CPU limits. | | powaUI.cookieSecret | sting | no | n/a | Specifies the secret for Powa UI cookies. | -| powaUI.affinity | json | no | n/a | Specifies the affinity scheduling rules. | -| powaUI.podLabels | yaml | no | n/a | Specifies custom pod labels. | +| powaUI.affinity | JSON | no | n/a | Specifies the affinity scheduling rules. | +| powaUI.podLabels | YAML | no | n/a | Specifies custom pod labels. | ## connectionPooler 
@@ -635,14 +635,14 @@ This sections describes all possible deploy parameters for Connection Pooler (PG | connectionPooler.install | bool | no | false | Indicates that PG Bouncer should be installed or not. | | connectionPooler.securityContext | [Kubernetes Sec Context](https://pkg.go.dev/k8s.io/api/core/v1#SecurityContext) | no | n/a | Specifies pod level security attributes and common container settings. | | connectionPooler.resources.requests.memory | string | no | 256Mi | Specifies memory requests. | -| connectionPooler.resources.requests.cpu | string | no | 200m | Specifies cpu requests. | +| connectionPooler.resources.requests.cpu | string | no | 200m | Specifies CPU requests. | | connectionPooler.resources.limits.memory | string | no | 512Mi | Specifies memory limits. | -| connectionPooler.resources.limits.cpu | string | no | 500m | Specifies cpu limits. | +| connectionPooler.resources.limits.cpu | string | no | 500m | Specifies CPU limits. | | connectionPooler.replicas | int | no | 1 | Specifies the number of replicas. | | connectionPooler.username | string | no | pgbouncer | Specifies the username for connection to Postgres. | | connectionPooler.password | string | no | pgbouncer | Specifies the password for connection to Postgres. | | connectionPooler.config | map[string]map[string]string | no | [Default PG Bouncer parameters](#default-pg-bouncer-parameters) | Specifies the config parameters for PGBouncer. [Config parameters](https://www.pgbouncer.org/config.html) | -| connectionPooler.affinity | json | no | n/a | Specifies the affinity scheduling rules. | +| connectionPooler.affinity | JSON | no | n/a | Specifies the affinity scheduling rules. | ## replicationController 
@@ -653,11 +653,11 @@ This sections describes all possible deploy parameters for Replication Controlle | replicationController.install | bool | no | false | Indicates that Replication Controller should be installed or not. | | replicationController.securityContext | [Kubernetes Sec Context](https://pkg.go.dev/k8s.io/api/core/v1#SecurityContext) | no | n/a | Specifies pod level security attributes and common container settings. | | replicationController.resources.requests.memory | string | no | 64Mi | Specifies memory requests. | -| replicationController.resources.requests.cpu | string | no | 200m | Specifies cpu requests. | +| replicationController.resources.requests.cpu | string | no | 200m | Specifies CPU requests. | | replicationController.resources.limits.memory | string | no | 64Mi | Specifies memory limits. | -| replicationController.resources.limits.cpu | string | no | 200m | Specifies cpu limits. | -| replicationController.affinity | json | no | n/a | Specifies the affinity scheduling rules. | -| replicationController.podLabels | yaml | no | n/a | Specifies custom pod labels. | +| replicationController.resources.limits.cpu | string | no | 200m | Specifies CPU limits. | +| replicationController.affinity | JSON | no | n/a | Specifies the affinity scheduling rules. | +| replicationController.podLabels | YAML | no | n/a | Specifies custom pod labels. | | replicationController.apiUser | string | no | n/a | Specifies the user for API usage. | | replicationController.apiPassword | string | no | n/a | Specifies the password for API usage. | 
@@ -680,15 +680,15 @@ Postgres Operator allows configuration of TLS for supplementary and other compon | Parameter | Type | Mandatory | Default value | Description | |----------------------------------------------------------------|----------|-----------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | tls.enabled | bool | no | false | Indicates that TLS should be enabled or not. | -| tls.certificateSecretName | string | no | pg-cert | Specifies the name of secret with certificate in PostgreSQL namespace. See [TLS Configuration](/docs/features/tls-configuration.md) | -| tls.generateCerts.enabled | bool | yes | false | Specifies whether to generate SSL certificates by cert-manager or not. If `false` specified, follow [manual certificate configuration guid](/docs/features/tls-configuration.md#manual). | +| tls.certificateSecretName | string | no | pg-cert | Specifies the name of secret with certificate in PostgreSQL namespace. See [TLS Configuration](/docs/public/features/tls-configuration.md) | +| tls.generateCerts.enabled | bool | yes | false | Specifies whether to generate SSL certificates by cert-manager or not. If `false` specified, follow [manual certificate configuration guid](/docs/public/features/tls-configuration.md#manual). | | tls.generateCerts.duration | int | no | 365 | Specifies SSL certificate validity duration in days. The default value is 365. | | tls.generateCerts.subjectAlternativeName.additionalDnsNames | []string | no | n/a | Specifies the list of additional DNS names to be added to the "Subject Alternative Name" field of SSL certificate. 
If access to Postgres Service for external clients is enabled, DNS names from externalHostNames parameter must be specified in here. | | tls.generateCerts.subjectAlternativeName.additionalIpAddresses | []string | no | n/a | Specifies the list of additional IP addresses to be added to the "Subject Alternative Name" field of SSL certificate. If access to Postgres Service for external clients is enabled, IP addresses from externalHostNames parameter must be specified in here. | | tls.generateCerts.clusterIssuerName | string | yes | n/a | Specifies name of `ClusterIssuer` resource. If the parameter is not set or empty, `Issuer` resource in current Kubernetes namespace will be used. | -| tls.certificates.tls_crt | string | no | "" | Specifies the certificate in BASE64 format. It is required if tls.enabled is true and tls.generateCerts.enabled is false. This allows user to specify their own certificate. | -| tls.certificates.tls_key | string | no | "" | Specifies the private key in BASE64 format. It is required if tls.enabled is true and tls.generateCerts.enabled is false. This allows user to specify their own key. | -| tls.certificates.ca_crt | string | no | "" | Specifies base 64 encoded CA certificate. It is required if tls.enabled is true and tls.generateCerts.enabled is false. This allows user to specify their own ca certificate. | +| tls.certificates.tls_crt | string | no | "" | Specifies the certificate in base64 format. It is required if tls.enabled is true and tls.generateCerts.enabled is false. This allows user to specify their own certificate. | +| tls.certificates.tls_key | string | no | "" | Specifies the private key in base64 format. It is required if tls.enabled is true and tls.generateCerts.enabled is false. This allows user to specify their own key. | +| tls.certificates.ca_crt | string | no | "" | Specifies base64 encoded CA certificate. It is required if tls.enabled is true and tls.generateCerts.enabled is false. 
This allows user to specify their own ca certificate. | ## pgBackRest diff --git a/operator/charts/patroni-core/templates/cr.yaml b/operator/charts/patroni-core/templates/cr.yaml index 4643ab0c..8a08896a 100644 --- a/operator/charts/patroni-core/templates/cr.yaml +++ b/operator/charts/patroni-core/templates/cr.yaml @@ -243,6 +243,44 @@ spec: {{- end }} {{ end }} pgNodeQty: {{ ( include "postgres.replicasCount" . ) }} + {{- $atp := .Values.tests.atpStorage | default dict }} + env: + {{- if .Values.tests.environmentName }} + - name: ENVIRONMENT_NAME + value: {{ .Values.tests.environmentName | quote }} + {{- end }} + - name: ATP_STORAGE_PROVIDER + value: {{ ($atp.provider | default "aws") | quote }} + - name: ATP_STORAGE_REGION + value: {{ ($atp.region | default "us-east-1") | quote }} + {{- if $atp.serverUrl }} + - name: ATP_STORAGE_SERVER_URL + value: {{ $atp.serverUrl | quote }} + {{- end }} + {{- if $atp.serverUiUrl }} + - name: ATP_STORAGE_SERVER_UI_URL + value: {{ $atp.serverUiUrl | quote }} + {{- end }} + {{- if $atp.bucket }} + - name: ATP_STORAGE_BUCKET + value: {{ $atp.bucket | quote }} + {{- end }} + - name: ATP_REPORT_ENABLED + value: {{ .Values.tests.atpReport.enabled | quote }} + - name: ATP_STORAGE_USERNAME + valueFrom: + secretKeyRef: + name: {{ include "patroni-core.fullname" . }}-tests-atp-storage-secret + key: atp-storage-username + - name: ATP_STORAGE_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "patroni-core.fullname" . }}-tests-atp-storage-secret + key: atp-storage-password + {{- if .Values.tests.atpReportViewUiUrl }} + - name: ATP_REPORT_VIEW_UI_URL + value: {{ .Values.tests.atpReportViewUiUrl | quote }} + {{- end }} {{ end }} {{ if .Values.runTestsOnly }} runTestsTime: {{ now | unixEpoch | quote }} diff --git a/operator/charts/patroni-core/templates/tests-atp-storage-secret.yaml b/operator/charts/patroni-core/templates/tests-atp-storage-secret.yaml new file mode 100644 index 00000000..fa3ec3fa --- /dev/null 
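Review bot: `value: {{ .Values.tests.atpReport.enabled | quote }}` reads `tests.atpReport` without the `| default dict` guard that `$atp` gets a few lines earlier, so a values file that omits `atpReport` fails to render with a nil-pointer error instead of falling back; `value: {{ ((.Values.tests.atpReport | default dict).enabled | default false) | quote }}` keeps the block self-contained. The two `secretKeyRef` entries also make the test pod depend on `-tests-atp-storage-secret`, which `tests-atp-storage-secret.yaml` only creates when `tests.install` is true; if this `env:` list can render under any other condition, add `optional: true` to both refs or reuse the same gate, otherwise the pod stays in CreateContainerConfigError. `ATP_STORAGE_PROVIDER` and `ATP_STORAGE_REGION` are always emitted with the `aws`/`us-east-1` defaults even when no bucket is configured, which may be intended but deserves a comment. The enclosing `{{ if }}` block starts outside the hunk.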
+++ b/operator/charts/patroni-core/templates/tests-atp-storage-secret.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.tests.install }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "patroni-core.fullname" . }}-tests-atp-storage-secret
+ labels:
+ {{- include "kubernetes.labels" . | nindent 4 }}
+type: Opaque
+stringData:
+ atp-storage-username: {{ .Values.tests.atpStorage.username }}
+ atp-storage-password: {{ .Values.tests.atpStorage.password }}
+{{- end }}
diff --git a/operator/charts/patroni-core/values.yaml b/operator/charts/patroni-core/values.yaml
index 95cc749e..7667d661 100644
--- a/operator/charts/patroni-core/values.yaml
+++ b/operator/charts/patroni-core/values.yaml
@@ -274,6 +274,19 @@ tests:
 install: true
 dockerImage: ghcr.io/netcracker/pgskipper-operator-tests:main
 podLabels: {}
+ # S3/ATP storage for test results (defaults; override from GitHub vars/secrets in workflow)
+ atpStorage:
+ provider: "aws"
+ serverUrl: "https://s3.amazonaws.com"
+ serverUiUrl: "https://console.test.com"
+ bucket: ""
+ region: "us-east-1"
+ username: ""
+ password: ""
+ atpReport:
+ enabled: false
+ atpReportViewUiUrl: "https://test.com"
+ environmentName: "pgskipper-operator"
 # One of "full", "basic"or one from testScenarios
 runTestScenarios: "basic"
 testScenarios:
diff --git a/operator/charts/patroni-services/templates/cr.yaml b/operator/charts/patroni-services/templates/cr.yaml
index d397a2b5..a7e0a685 100644
--- a/operator/charts/patroni-services/templates/cr.yaml
+++ b/operator/charts/patroni-services/templates/cr.yaml
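Review bot: `atp-storage-username: {{ .Values.tests.atpStorage.username }}` and the `atp-storage-password` line below it render the credentials as unquoted plain scalars, so a password that looks like a number or boolean, or starts with a YAML indicator, is retyped or breaks the manifest, and the shipped default `username: ""` renders as `atp-storage-username:` with no value, i.e. null rather than an empty string under `stringData`. Use `{{ .Values.tests.atpStorage.username | quote }}` and `{{ .Values.tests.atpStorage.password | quote }}`; the same applies to `operator/charts/patroni-services/templates/tests-atp-storage-secret.yaml` in this commit. Because these come straight from values, they also land in the release's stored manifest and history, so an `existingSecret`-style indirection is worth considering if they are ever populated from CI secrets.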
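Review bot: `serverUiUrl: "https://console.test.com"` and `atpReportViewUiUrl: "https://test.com"` are placeholder hosts on a domain the project does not control, and since `templates/cr.yaml` emits `ATP_STORAGE_SERVER_UI_URL` and `ATP_REPORT_VIEW_UI_URL` whenever the value is non-empty, every default install publishes links to that third-party domain. Defaulting both to `""` keeps the `{{- if }}` guards in the template meaningful; the same defaults appear in `operator/charts/patroni-services/values.yaml` in this commit. The `# S3/ATP storage ...` comment could also state that `username`/`password` set here are copied into a Secret by `tests-atp-storage-secret.yaml`, so readers know where they end up.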
@@ -423,6 +423,49 @@ spec:
 {{- end }}
 {{ end }}
 pgNodeQty: {{ default "1" .Values.patroni.replicas }}
+ {{- if or .Values.tests.environmentName (and .Values.tests.atpStorage .Values.tests.atpStorage.provider) }}
+ env:
+ {{- if .Values.tests.environmentName }}
+ - name: ENVIRONMENT_NAME
+ value: {{ .Values.tests.environmentName | quote }}
+ {{- end }}
+ {{- if .Values.tests.atpStorage.provider }}
+ - name: ATP_STORAGE_PROVIDER
+ value: {{ .Values.tests.atpStorage.provider | quote }}
+ {{- end }}
+ {{- if .Values.tests.atpStorage.serverUrl }}
+ - name: ATP_STORAGE_SERVER_URL
+ value: {{ .Values.tests.atpStorage.serverUrl | quote }}
+ {{- end }}
+ {{- if .Values.tests.atpStorage.serverUiUrl }}
+ - name: ATP_STORAGE_SERVER_UI_URL
+ value: {{ .Values.tests.atpStorage.serverUiUrl | quote }}
+ {{- end }}
+ {{- if .Values.tests.atpStorage.bucket }}
+ - name: ATP_STORAGE_BUCKET
+ value: {{ .Values.tests.atpStorage.bucket | quote }}
+ {{- end }}
+ {{- if .Values.tests.atpStorage.region }}
+ - name: ATP_STORAGE_REGION
+ value: {{ .Values.tests.atpStorage.region | quote }}
+ {{- end }}
+ - name: ATP_REPORT_ENABLED
+ value: {{ .Values.tests.atpReport.enabled | quote }}
+ - name: ATP_STORAGE_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "helm-chart.fullname" . }}-tests-atp-storage-secret
+ key: atp-storage-username
+ - name: ATP_STORAGE_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "helm-chart.fullname" . }}-tests-atp-storage-secret
+ key: atp-storage-password
+ {{- if .Values.tests.atpReportViewUiUrl }}
+ - name: ATP_REPORT_VIEW_UI_URL
+ value: {{ .Values.tests.atpReportViewUiUrl | quote }}
+ {{- end }}
+ {{- end }}
 {{ end }}
 {{ if .Values.runTestsOnly }}
 runTestsTime: {{ now | unixEpoch | quote }}
diff --git a/operator/charts/patroni-services/templates/tests-atp-storage-secret.yaml b/operator/charts/patroni-services/templates/tests-atp-storage-secret.yaml
new file mode 100644
index 00000000..f0182071
--- /dev/null
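Review bot: The outer guard `or .Values.tests.environmentName (and .Values.tests.atpStorage .Values.tests.atpStorage.provider)` lets the block render when only `environmentName` is set, but the inner `{{- if .Values.tests.atpStorage.provider }}` checks and `.Values.tests.atpReport.enabled` are then evaluated unguarded and fail with a nil-pointer error whenever `tests.atpStorage` or `tests.atpReport` is absent from the values file. The sibling `patroni-core/templates/cr.yaml` in this commit binds `$atp := .Values.tests.atpStorage | default dict`; doing the same here, plus a `$rep` for `atpReport`, makes the two templates consistent and nil-safe, as sketched below. The two `secretKeyRef` entries are unconditional inside the block while the Secret is only created when `tests.install` is true, so `optional: true` or the same gate is needed if the block can render without it. The enclosing `{{ if }}` starts outside the hunk.

```yaml
pgNodeQty: {{ default "1" .Values.patroni.replicas }}
{{- $atp := .Values.tests.atpStorage | default dict }}
{{- $rep := .Values.tests.atpReport | default dict }}
{{- if or .Values.tests.environmentName $atp.provider }}
env:
  # … unchanged: ENVIRONMENT_NAME entry …
  {{- if $atp.provider }}
  - name: ATP_STORAGE_PROVIDER
    value: {{ $atp.provider | quote }}
  {{- end }}
  # … unchanged: remaining ATP_STORAGE_* entries, each reading $atp.<field> instead of .Values.tests.atpStorage.<field> …
  - name: ATP_REPORT_ENABLED
    value: {{ $rep.enabled | default false | quote }}
  # … unchanged: secretKeyRef entries and ATP_REPORT_VIEW_UI_URL …
{{- end }}
```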
+++ b/operator/charts/patroni-services/templates/tests-atp-storage-secret.yaml @@ -0,0 +1,12 @@ +{{- if .Values.tests.install }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "helm-chart.fullname" . }}-tests-atp-storage-secret + labels: + {{- include "kubernetes.labels" . | nindent 4 }} +type: Opaque +stringData: + atp-storage-username: {{ .Values.tests.atpStorage.username }} + atp-storage-password: {{ .Values.tests.atpStorage.password }} +{{- end }} diff --git a/operator/charts/patroni-services/values.yaml b/operator/charts/patroni-services/values.yaml index b6eca4e7..e71b129d 100644 --- a/operator/charts/patroni-services/values.yaml +++ b/operator/charts/patroni-services/values.yaml @@ -177,6 +177,7 @@ backupDaemon: backupSchedule: "0 0/7 * * *" # pgHost: pg-patroni.postgres-service + # clusterDomain: cluster.local # K8s cluster DNS domain; used to build FQDN for pgHost (e.g. pg-patroni.NAMESPACE.svc.cluster.local) # The eviction policy for backup daemon: period and action. The default value is 7d/delete. evictionPolicy: "7d/delete" backupTimeout: 300 @@ -432,6 +433,19 @@ tests: install: true dockerImage: ghcr.io/netcracker/pgskipper-operator-tests:main podLabels: {} + # S3/ATP storage for test results upload (e.g. AWS install, run_tests pipeline) + atpStorage: + provider: "aws" + serverUrl: "https://s3.amazonaws.com" + serverUiUrl: "https://console.test.com" + bucket: "" + region: "us-east-1" + username: "" + password: "" + atpReport: + enabled: false + atpReportViewUiUrl: "https://test.com" + environmentName: "pgskipper-operator" # One of "full", "basic"or one from testScenarios runTestScenarios: "basic" testScenarios: @@ -474,3 +488,4 @@ CLOUD_PUBLIC_HOST: "k8s.default" # DBAAS_CLUSTER_DBA_CREDENTIALS_PASSWORD: "user-2" # MONITORING_ENABLED: false # INFRA_POSTGRES_FS_GROUP: 26 + diff --git a/operator/pkg/deployment/tests.go b/operator/pkg/deployment/tests.go index ecd2e663..24102c33 100644 --- a/operator/pkg/deployment/tests.go 
+++ b/operator/pkg/deployment/tests.go @@ -75,7 +75,12 @@ func NewIntegrationTestsPod(cr *v1.PatroniServices, cluster *patroniv1.PatroniCl Image: dockerImage, ImagePullPolicy: cr.Spec.ImagePullPolicy, SecurityContext: util.GetDefaultSecurityContext(), - Args: []string{"robot", "-i", tastsTags, "/test_runs/"}, + // Args are not set: the integration-tests image is built with ENTRYPOINT/CMD that run + // the wrapper flow (see tests/Dockerfile: pgskipper-robot-entrypoint.sh, run-robot). + // Kubernetes Container.Args replaces the image CMD and would bypass that flow. + // Test selection is passed via TESTS_TAGS in env below. + // Previous explicit invocation was: + // Args: []string{"robot", "-i", tastsTags, "/test_runs/"}, Env: []corev1.EnvVar{ { Name: "POSTGRES_USER", @@ -192,7 +197,12 @@ func NewCoreIntegrationTests(cr *patroniv1.PatroniCore, cluster *patroniv1.Patro Image: dockerImage, ImagePullPolicy: cr.Spec.ImagePullPolicy, SecurityContext: util.GetDefaultSecurityContext(), - Args: []string{"robot", "-i", tastsTags, "/test_runs/"}, + // Args are not set: the integration-tests image is built with ENTRYPOINT/CMD that run + // the wrapper flow (see tests/Dockerfile: pgskipper-robot-entrypoint.sh, run-robot). + // Kubernetes Container.Args replaces the image CMD and would bypass that flow. + // Test selection is passed via TESTS_TAGS in env below. + // Previous explicit invocation was: + // Args: []string{"robot", "-i", tastsTags, "/test_runs/"}, Env: []corev1.EnvVar{ { Name: "POSTGRES_USER", diff --git a/services/backup-daemon/Dockerfile b/services/backup-daemon/Dockerfile index b77c1929..19d17f49 100644 --- a/services/backup-daemon/Dockerfile +++ b/services/backup-daemon/Dockerfile @@ -1,3 +1,4 @@ +#checkov:skip=CKV_DOCKER_3:User is not required for backup daemon container FROM --platform=$BUILDPLATFORM golang:1.25-alpine3.23 AS builder ENV GO111MODULE=on diff --git a/tests/Dockerfile b/tests/Dockerfile index 43606367..bfc90e5f 100644 --- a/tests/Dockerfile 
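Review bot: Keeping the old `Args: []string{"robot", "-i", tastsTags, "/test_runs/"}` as commented-out code in both hunks (here and in `NewCoreIntegrationTests`) leaves dead code that git history already preserves; the first four comment lines carry the useful information and the `// Previous explicit invocation was:` pair can go. If `tastsTags` was consumed only by the removed `Args`, it is now an unused local and the package will not compile; the comment says it is still passed via `TESTS_TAGS` in the env list, which is outside this hunk, so please confirm. Both enclosing functions start and end outside the hunk.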
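Review bot: `#checkov:skip=CKV_DOCKER_3:User is not required for backup daemon container` suppresses the missing-`USER` finding with a justification that does not say how the container avoids running as root. If the runtime pod enforces `runAsNonRoot`/`runAsUser`, record that in the skip reason, e.g. `#checkov:skip=CKV_DOCKER_3:Non-root UID is enforced by the pod securityContext`, and point to where; otherwise a `USER` instruction in the final stage is the fix rather than the suppression. The final stage is outside the hunk, so this may already be handled there.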
+++ b/tests/Dockerfile @@ -1,11 +1,16 @@ -FROM ghcr.io/netcracker/qubership-docker-integration-tests:0.3.9 +FROM ghcr.io/netcracker/qubership-docker-integration-tests:main ENV LC_ALL=en_US.UTF-8 \ LANG=en_US.UTF-8 +# Base image may run as non-root; install as root so /root and site-packages are writable +USER root + COPY docker/pip.conf /root/.pip/pip.conf COPY docker/requirements.txt /root/requirements.txt +# Base image defines Alpine release; pinning apk packages here would duplicate index and break on parent bumps. +# hadolint ignore=DL3018 RUN set -x \ && apk add --update --no-cache build-base postgresql-dev \ && pip3 install --no-cache-dir -r /root/requirements.txt \ @@ -15,15 +20,22 @@ RUN chmod -R g=u /etc/passwd && \ mkdir /app && \ mkdir /test_runs +# Project structure (unchanged): app and robot under /app, /test_runs COPY ./app/* /app/ COPY robot /test_runs/ +# Also expose tests under base image layout so new scripts (adapter-S3, etc.) can run +COPY robot ${ROBOT_HOME}/tests + COPY docker/uid_entrypoint /opt/uid_entrypoint +# Wrapper: set TAGS from TESTS_TAGS then run base entrypoint (adapter-S3, run-robot) +COPY docker/pgskipper-robot-entrypoint.sh /opt/pgskipper-robot-entrypoint.sh RUN chgrp -R 0 /app && chmod g+w /app && \ chgrp -R 0 /test_runs && chmod -R g+w /test_runs && \ - chmod +x /opt/uid_entrypoint + chmod +x /opt/uid_entrypoint /opt/pgskipper-robot-entrypoint.sh && \ + chown -R 1000:0 "${ROBOT_HOME}" && chmod -R 775 "${ROBOT_HOME}" -# Volumes are defined to support read-only root file system +# Volumes as in original (read-only root FS support, etc.) VOLUME /etc VOLUME /app VOLUME /test_runs @@ -32,5 +44,6 @@ VOLUME /tmp USER 1001 WORKDIR /app -ENTRYPOINT [ "/opt/uid_entrypoint" ] -CMD ["robot -i ${TESTS_TAGS} /test_runs/"] +ENTRYPOINT ["/opt/uid_entrypoint"] +# Use new scripts flow (base entrypoint + adapter-S3); tags from TESTS_TAGS env +CMD ["/opt/pgskipper-robot-entrypoint.sh", "run-robot"] 
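Review bot: `FROM ghcr.io/netcracker/qubership-docker-integration-tests:main` replaces the pinned `0.3.9` with a mutable branch tag, so the test image is no longer reproducible and silently inherits whatever the base publishes next, including the `ROBOT_HOME`, `/docker-entrypoint.sh` and `run-robot` contract that the rest of this Dockerfile now depends on. Pin to a release tag, ideally with a digest, e.g. `FROM ghcr.io/netcracker/qubership-docker-integration-tests:<release-tag>@sha256:<digest>` (placeholders), and bump it deliberately. That also makes the `# hadolint ignore=DL3018` reasoning hold, since a parent bump becomes a reviewed change rather than something that happens on every rebuild.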
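Review bot: `COPY robot ${ROBOT_HOME}/tests` and `chown -R 1000:0 "${ROBOT_HOME}" && chmod -R 775 "${ROBOT_HOME}"` depend on `ROBOT_HOME` being an `ENV` inherited from the base image; nothing in this file sets it, and if it is unset the copy lands in `/tests` while the `chown` fails on an empty path. Asserting it early, `RUN test -n "${ROBOT_HOME}"` after the `FROM` (or an explicit `ENV ROBOT_HOME=...` if the path is fixed), matches the `${ROBOT_HOME:-/opt/robot}` fallback in `docker/pgskipper-robot-entrypoint.sh` and makes the failure mode obvious. `chmod -R 775` also marks every copied test file executable; `chmod -R g+w,g+X "${ROBOT_HOME}"` would mirror the `g+w` treatment given to `/test_runs` two lines above.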
diff --git a/tests/docker/pgskipper-robot-entrypoint.sh b/tests/docker/pgskipper-robot-entrypoint.sh
new file mode 100755
index 00000000..0970e7e3
--- /dev/null
+++ b/tests/docker/pgskipper-robot-entrypoint.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# Bridge TESTS_TAGS (set by operator) to TAGS (expected by base image entrypoint).
+export TAGS="${TESTS_TAGS:-$TAGS}"
+# Base scripts use ./tests and ./output relative to cwd; image has WORKDIR=/app but tests live in ROBOT_HOME/tests
+cd "${ROBOT_HOME:-/opt/robot}" || exit 1
+exec /docker-entrypoint.sh "$@"
diff --git a/tests/docker/requirements.txt b/tests/docker/requirements.txt
index f1fe70d8..e7fd341e 100644
--- a/tests/docker/requirements.txt
+++ b/tests/docker/requirements.txt
@@ -1,3 +1,5 @@
+# Keep same set as before; align versions with base image to avoid pip conflicts
+allure-robotframework==2.15.0
 aniso8601==10.0.1
 cachetools==4.2.4
 certifi==2024.7.4
@@ -11,19 +13,23 @@ importlib-metadata==8.7.1
 ipaddress==1.0.23
 itsdangerous==2.1.2
 Jinja2==3.1.6
-kubernetes==31.0.0
+# Align with base image to avoid K8s API/SSL errors (was 31.0.0)
+kubernetes==34.1.0
 MarkupSafe==3.0.3
 oauthlib==3.3.1
+# Binary build — no build-base/postgresql-dev needed if aws (psycopg2-binary==2.9.10)
 psycopg2==2.9.10
 pyasn1==0.6.3
 pyasn1-modules==0.4.2
+# Match base image (was 2.4.0)
 PyJWT==2.4.0
 python-dateutil==2.9.0.post0
 python-string-utils==1.0.0
 pytz==2026.1.post1
 requests==2.32.5
 requests-oauthlib==2.0.0
-robotframework==5.0
+# Match base image — avoid downgrade conflict (was 5.0)
+robotframework==7.3.2
 robotframework-databaselibrary==1.2.4
 robotframework-requests==0.9.7
 rsa==4.8
@@ -31,7 +37,8 @@ ruamel.yaml==0.19.1
 ruamel.yaml.clib==0.2.12
 six==1.16.0
 typing_extensions==4.2.0
-urllib3==2.6.3
+# Align with base image (was 2.6.3)
+urllib3~=2.3.0
 websocket-client==1.9.0
 Werkzeug==3.1.5
 zipp==3.23.0
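Review bot: `exec /docker-entrypoint.sh "$@"` hard-codes the base image's entrypoint path with no check that it exists, so a base-image change surfaces as a bare exec failure; `[ -x /docker-entrypoint.sh ] || { echo "base entrypoint /docker-entrypoint.sh not found" >&2; exit 1; }` before the `exec` makes the contract explicit. `export TAGS="${TESTS_TAGS:-$TAGS}"` also exports `TAGS` as an empty string when neither variable is set, which is not the same as leaving it unset if the base `run-robot` distinguishes the two; worth confirming against the base scripts. The `cd` fallback `/opt/robot` is a second place the ROBOT_HOME default lives, next to the unguarded `${ROBOT_HOME}` uses in `tests/Dockerfile`, so the two should be kept in sync or derived from one declaration.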
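Review bot: `urllib3~=2.3.0` is the only compatible-release specifier in an otherwise fully pinned file, so builds stop being reproducible for exactly the package where transport-level security fixes tend to land; it also moves backwards from the previously pinned `2.6.3`, so please check the urllib3 changelog between 2.3 and 2.6 for fixes this drops before accepting "align with base image" as the reason. The comment `# Match base image (was 2.4.0)` sits above `PyJWT==2.4.0`, which this hunk does not change, so it reads as a leftover; drop it or state what was meant. Likewise `# Binary build — no build-base/postgresql-dev needed if aws (psycopg2-binary==2.9.10)` describes a package that is not the one pinned on the next line (`psycopg2==2.9.10`, a source build), while `tests/Dockerfile` still installs `build-base postgresql-dev`; either switch the pin or reword the comment.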