Skip to content

Add postgres init container to resolve permissions for some k3s deployments#1805

Merged
rooftopcellist merged 2 commits intoansible:develfrom
rooftopcellist:k8s-job-permissions
Apr 3, 2024
Merged

Add postgres init container to resolve permissions for some k3s deployments#1805
rooftopcellist merged 2 commits intoansible:develfrom
rooftopcellist:k8s-job-permissions

Conversation

@rooftopcellist
Copy link
Copy Markdown
Member

@rooftopcellist rooftopcellist commented Apr 2, 2024
edited
Loading

Alternate PR for #1799

Resolves:

This approach allows users to simply set:

spec:
  postgres_data_volume_init: true

This removes the unused postgres_init_container_resource_requirements parameter which was never removed when the last postgres init container was removed. I cannot think of a good reason to not just use postgres_resource_requirements.

cc @kurokobo

ISSUE TYPE
  • New or Enhanced Feature

@rooftopcellist rooftopcellist changed the title Add postgres init container Add postgres init container to resolve permissions for some k3s deployments Apr 2, 2024
This was referenced Apr 2, 2024
Closed
Closed
@fosterseth @rooftopcellist
Add postgres init container
634f52f 
Add postgres init container if
postgres_data_volume_init is true

This allows users to run arbitrary commands

This is aimed to solve the issue where users may
need to chmod or chown the postgres
data volume for user 26, which is the user
that is running postgres in the sclorg image.

For example, one can now set the follow on the AWX spec:
spec:
  postgres_init_container_commands: |
    chown 26:0 /var/lib/pgsql/data
    chmod 700 /var/lib/pgsql/data

In addition, remove the unneeded
postgres_init_container_resource_requirements parameter

Signed-off-by: Seth Foster <[email protected]>
Co-authored-by: Christian M. Adams <[email protected]>
kurokobo
kurokobo reviewed Apr 3, 2024
View reviewed changes
craph
craph reviewed Apr 3, 2024
View reviewed changes
craph
craph reviewed Apr 3, 2024
View reviewed changes
@rooftopcellist
Copy link
Copy Markdown
Member Author

rooftopcellist commented Apr 3, 2024

@kurokobo I just realized that in your awx-on-k3s repo, there are a couple places where you reference postgres_init_container_resource_requirements

image

If a user has this specified on their AWX spec on upgrade or fresh install, they will get this error:

Error from server (BadRequest): error when creating "base": AWX in version "v1beta1" cannot be handled as a AWX: strict decoding error: unknown field "spec.postgres_init_container_resource_requirements"

It's probably safer for me to just add back in that parameter and mark it as deprecated, and add a backwards compat shim. I'll add that now.

@rooftopcellist @craph @kurokobo
Correct the postgres path in description and the condition for the ne…
fbf62d3 
…w param

Deprecate postgres_init_container_resource_requirements param in favor
of postgres_resource_requirements param

Co-authored-by: craph <[email protected]>
Co-authored-by: kurokobo <[email protected]>
@rooftopcellist
Copy link
Copy Markdown
Member Author

rooftopcellist commented Apr 3, 2024

I just added the changes mentioned so that the validator does not error if the user has postgres_init_container_resource_requirements defined. It also accepts that parameter and uses it preferentially over postgres_resource_requirements for the init container only if provided. Though I marked it as deprecated so that we can eventually remove it as there is no real need to have two separate variables for this imo.

Testing

I tested this out with the awx-on-k3s repo with the follow AWX spec:

---
apiVersion: awx.ansible.com/v1beta1
kind: AWX
metadata:
  name: awx
spec:
  # all of the defaults from https://github.com/kurokobo/awx-on-k3s/blob/main/base/awx.yaml

  postgres_init_container_resource_requirements: {}
  postgres_data_volume_init: true

I confirmed that the deployment came up successfully, and that the pg init param works:

$ kubectl -n awx get pod awx-postgres-15-0 -o yaml | grep resources: -B1
...
    name: init
    resources: {}

Then also tested with:

---
apiVersion: awx.ansible.com/v1beta1
kind: AWX
metadata:
  name: awx
spec:
  # all of the defaults from https://github.com/kurokobo/awx-on-k3s/blob/main/base/awx.yaml

  # postgres_init_container_resource_requirements: {} #commented out
  postgres_data_volume_init: true
  postgres_init_container_commands: |
    chown 26:0 /var/lib/pgsql/data
    chmod 700 /var/lib/pgsql/data

I confirmed that the deployment came up successfully.

Finally, I did one more with postgres_resource_requirements set to something custom just to make sure there were no regressions introduced there.

spec:
  postgres_resource_requirements:
    requests:
      cpu: 100m
      memory: 256Mi
    limits:
      cpu: 500m
      memory: 512Mi

After the deployment finished, I checked that the requests and limits were set correctly.

$ kubectl -n awx get pod awx-postgres-15-0 -o yaml | grep resources: -B1 -A6
      protocol: TCP
    resources:
      limits:
        cpu: 500m
        memory: 512Mi
      requests:
        cpu: 100m
        memory: 256Mi
--
    name: init
    resources:
      limits:
        cpu: 500m
        memory: 512Mi
      requests:
        cpu: 100m
        memory: 256Mi

@rooftopcellist rooftopcellist merged commit a5211fe into ansible:devel Apr 3, 2024
@rooftopcellist rooftopcellist mentioned this pull request Apr 3, 2024
Merged
@rooftopcellist
Copy link
Copy Markdown
Member Author

rooftopcellist commented Apr 3, 2024

As follow-up I opened a PR to update the main branch of the awx-on-k3s repo cc @kurokobo

@rooftopcellist rooftopcellist mentioned this pull request Apr 3, 2024
Merged
@kurokobo
Copy link
Copy Markdown
Contributor

kurokobo commented Apr 4, 2024

@rooftopcellist

It's probably safer for me to just add back in that parameter and mark it as deprecated, and add a backwards compat shim. I'll add that now.

Thanks for the confirmation and sending PR, my guide is only unofficial one, so I think my guide should respect the Operator's implementation, and I don't think the Operator needs to adapt my guide. But yes, just marking the param as deprecated is safer. Thanks!

This was referenced Apr 4, 2024
Closed
Merged
This was referenced Apr 9, 2024
Closed
Closed
This was referenced Apr 11, 2024
Closed
Open
@hhk7734 hhk7734 mentioned this pull request May 2, 2024
Closed
@kurokobo kurokobo mentioned this pull request May 12, 2024
Open
@fosterseth fosterseth mentioned this pull request May 14, 2024
Open
3 tasks
@xamindar
Copy link
Copy Markdown

xamindar commented Oct 6, 2024

Thank you, adding this finally got that dang pod to work. This needs to be default:
postgres_data_volume_init: true

@kcjones91
Copy link
Copy Markdown

kcjones91 commented Dec 9, 2024
edited
Loading 

apiVersion: awx.ansible.com/v1beta1
kind: AWX
metadata:
  name: awx-demo
spec:
  admin_user: admin
  service_type: nodeport
  postgres_security_context_settings:
  fsGroup: 26
  postgres_data_volume_init: true
  postgres_init_container_commands: |
    chown 26:0 /var/lib/pgsql/data
    chmod 700 /var/lib/pgsql/data

I am running into this on my end. Probably an easy fix?

kubectl logs awx-demo-postgres-15-0 -n awx-dev -c init
chown: changing ownership of '/var/lib/pgsql/data': Permission denied
chmod: changing permissions of '/var/lib/pgsql/data': Permission denied

swipe@swipe-worker-1:/mnt$ ls -la /mnt/data/postgres/
total 0
drwxrwxrwx. 2 swipe swipe  6 Dec  9 15:48 .
drwxr-xr-x. 3 swipe swipe 22 Dec  9 13:17 ..

@kcjones91 kcjones91 mentioned this pull request Dec 9, 2024
Open
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@fosterseth fosterseth fosterseth approved these changes

@dsavineau dsavineau Awaiting requested review from dsavineau

@TheRealHaoLiu TheRealHaoLiu Awaiting requested review from TheRealHaoLiu

+2 more reviewers

@kurokobo kurokobo kurokobo left review comments

@craph craph craph left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@rooftopcellist @kurokobo @xamindar @kcjones91 @fosterseth @craph