From e7d1c9bdb850666afd2b75083ae1a57256db40d4 Mon Sep 17 00:00:00 2001
From: Yaroslav Kasatikov
Date: Sun, 8 Oct 2023 22:47:11 +0300
Subject: [PATCH] Add initdb
---
 cnpg-cluster-helm-chart/Chart.yaml | 1 +
 .../templates/backup/bucket.yaml | 8 +--
 .../templates/cluster.yaml | 14 +++++
 .../templates/initdb/configmap-sql.yaml | 10 ++++
 .../templates/initdb/secret.yaml | 10 ++++
 .../templates/initdb/vault-secret.yaml | 51 +++++++++++++++++++
 cnpg-cluster-helm-chart/values.yaml | 27 +++++++++-
 7 files changed, 116 insertions(+), 5 deletions(-)
 create mode 100644 cnpg-cluster-helm-chart/templates/initdb/configmap-sql.yaml
 create mode 100644 cnpg-cluster-helm-chart/templates/initdb/secret.yaml
 create mode 100644 cnpg-cluster-helm-chart/templates/initdb/vault-secret.yaml
diff --git a/cnpg-cluster-helm-chart/Chart.yaml b/cnpg-cluster-helm-chart/Chart.yaml
index 9838f16..d8e7949 100644
--- a/cnpg-cluster-helm-chart/Chart.yaml
+++ b/cnpg-cluster-helm-chart/Chart.yaml
@@ -23,5 +23,6 @@ dependencies:
 - name: prometheus-postgres-exporter
 repository: https://prometheus-community.github.io/helm-charts
 version: 4.4.4
+ condition: prometheus-postgres-exporter.enabled
diff --git a/cnpg-cluster-helm-chart/templates/backup/bucket.yaml b/cnpg-cluster-helm-chart/templates/backup/bucket.yaml
index 8bb9e70..13bbef2 100644
--- a/cnpg-cluster-helm-chart/templates/backup/bucket.yaml
+++ b/cnpg-cluster-helm-chart/templates/backup/bucket.yaml
@@ -1,3 +1,4 @@
+{{- if ne .Values.backup.type "none" }}
 apiVersion: s3.advatys.com/v1alpha1
 kind: Bucket
 metadata:
@@ -22,9 +23,10 @@ spec:
 subjects:
 - type: KubernetesServiceAccount
- cluster: {{ .Values.kubeClusterName }}
+ authPath: {{ .Values.kubeClusterName }}
 name: {{ include "cnpg-cluster.fullname" . }}-backup
 namespace: {{ .Release.Namespace }}
+ authPath: jwt
 effect: Allow
 name: {{ include "cnpg-cluster.fullname" . }}-backup-creator
 {{- if eq .Values.bootstrap.type "physical" }}
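Review bot: The backup subject in the `-22,9 +23,10` hunk now carries the key `authPath` twice — `authPath: {{ .Values.kubeClusterName }}` replacing `cluster:` and the added `authPath: jwt` — so a last-wins YAML parser silently drops the cluster name and the subject is keyed only by `jwt`. The matching rename in the `-40,7 +42,7` hunk is spelled `authPathr:`, which the `s3.advatys.com/v1alpha1` schema will either reject or prune as an unknown field (not visible here). Either way both the backup-creator and the restore policy lose the per-cluster scoping the removed `cluster:` line expressed, and they now disagree with each other. Keep one `authPath: jwt` per subject and carry the cluster identifier in a single, consistently named field in both subjects; the second policy continues outside the hunk.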
@@ -40,7 +42,7 @@ spec:
 subjects:
 - type: KubernetesServiceAccount
- cluster: {{ .Values.kubeClusterName }}
+ authPathr: {{ .Values.kubeClusterName }}
 name: {{ include "cnpg-cluster.fullname" . }}-restore
 namespace: {{ .Release.Namespace }}
 effect: Allow
@@ -181,4 +183,4 @@ subjects:
 - kind: ServiceAccount
 name: {{ include "cnpg-cluster.fullname" . }}-backup
 namespace: {{ .Release.Namespace }}
-
+{{- end }}
diff --git a/cnpg-cluster-helm-chart/templates/cluster.yaml b/cnpg-cluster-helm-chart/templates/cluster.yaml
index c4f745b..5fdd723 100644
--- a/cnpg-cluster-helm-chart/templates/cluster.yaml
+++ b/cnpg-cluster-helm-chart/templates/cluster.yaml
@@ -26,6 +26,20 @@ spec:
 {{- if not (eq .Values.bootstrap.type "none") }}
 bootstrap:
+ {{- if eq .Values.bootstrap.type "initdb" }}
+ initdb:
+ database: {{ .Values.bootstrap.initdb.database }}
+ owner: {{ .Values.bootstrap.initdb.databaseOwner }}
+ secret:
+ name: {{ .Release.Name }}-app-secret
+ {{- if .Values.bootstrap.initdb.configmapSQL }}
+ postInitApplicationSQLRefs:
+ configMapRefs:
+ - name: {{ .Release.Name }}-sql
+ key: script.sql
+
+ {{- end }}
+ {{- end -}}
 {{- if eq .Values.bootstrap.type "physical" }}
 recovery:
 source: {{ .Values.bootstrap.sourceClusterName }}
diff --git a/cnpg-cluster-helm-chart/templates/initdb/configmap-sql.yaml b/cnpg-cluster-helm-chart/templates/initdb/configmap-sql.yaml
new file mode 100644
index 0000000..1fe7a47
--- /dev/null
+++ b/cnpg-cluster-helm-chart/templates/initdb/configmap-sql.yaml
@@ -0,0 +1,10 @@
+{{- if .Values.bootstrap.initdb.configmapSQL }}
+apiVersion: v1
+data:
+ {{ toYaml .Values.bootstrap.initdb.configmapSQL | nindent 2}}
+kind: ConfigMap
+metadata:
+ name: {{ .Release.Name }}-sql
+
+
+{{- end }}
diff --git a/cnpg-cluster-helm-chart/templates/initdb/secret.yaml b/cnpg-cluster-helm-chart/templates/initdb/secret.yaml
new file mode 100644
index 0000000..b0a9c51
--- /dev/null
+++ b/cnpg-cluster-helm-chart/templates/initdb/secret.yaml
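Review bot: The initdb block in the cluster.yaml hunk points the bootstrap at `secret: name: {{ .Release.Name }}-app-secret`, but when `bootstrap.initdb.secret.type` is `vault` the only Secret this commit creates is `{{ include "cnpg-cluster.fullname" . }}-init-user` (vault-secret.yaml), so a Vault-backed bootstrap references a Secret that never exists. Select the name by type, e.g. `{{- if eq .Values.bootstrap.initdb.secret.type "vault" }} name: {{ include "cnpg-cluster.fullname" . }}-init-user {{- else }} name: {{ .Release.Name }}-app-secret {{- end }}`, or have both secret templates emit one agreed name. `database:` and `owner:` are rendered as bare scalars; `database: {{ .Values.bootstrap.initdb.database | quote }}` (and the same for `owner`) keeps an empty or boolean-looking value from rendering as null/false. The `key: script.sql` is fixed here while configmap-sql.yaml copies whatever keys `configmapSQL` holds, so the values.yaml comment for `configmapSQL` should state that the key must be `script.sql`. The `{{- if not ... "none" }}` block opened at the top of the hunk closes outside it.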
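Review bot: In configmap-sql.yaml the action ` {{ toYaml .Values.bootstrap.initdb.configmapSQL | nindent 2}}` is preceded by indentation, so the rendered ConfigMap contains a line holding a lone space before the data block; `{{- toYaml .Values.bootstrap.initdb.configmapSQL | nindent 2 }}` trims it and restores the missing space before `}}`. The resource is named with `.Release.Name` whereas the rest of the chart derives names from `include "cnpg-cluster.fullname"`, so `nameOverride`/`fullnameOverride` will not apply to it. Because the operator executes these SQL refs once at cluster creation (with what privileges is not visible here — confirm against the CloudNativePG documentation), a comment above `data:` such as `# Executed by the operator during bootstrap; treat bootstrap.initdb.configmapSQL as privileged configuration and review values files that set it` would help reviewers of values files.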
@@ -0,0 +1,10 @@
+{{- if eq .Values.bootstrap.initdb.secret.type "kubernetes" }}
+apiVersion: v1
+stringData:
+ username: {{ .Values.bootstrap.initdb.secret.kuberentes.username }}
+ password: {{ .Values.bootstrap.initdb.secret.kuberentes.password }}
+kind: Secret
+metadata:
+ name: {{ .Release.Name }}-app-secret
+type: kubernetes.io/basic-auth
+{{- end }}
diff --git a/cnpg-cluster-helm-chart/templates/initdb/vault-secret.yaml b/cnpg-cluster-helm-chart/templates/initdb/vault-secret.yaml
new file mode 100644
index 0000000..2df59fb
--- /dev/null
+++ b/cnpg-cluster-helm-chart/templates/initdb/vault-secret.yaml
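Review bot: `username:` and `password:` in secret.yaml are emitted as unquoted plain scalars, so a credential that looks like a number or boolean (`123456`, `yes`) is retyped by the YAML parser and one containing `: ` or ` #` breaks the render; use `username: {{ .Values.bootstrap.initdb.secret.kuberentes.username | quote }}` and `password: {{ .Values.bootstrap.initdb.secret.kuberentes.password | quote }}`. The `kuberentes` key is misspelled consistently with values.yaml, so it works today, but it becomes part of the chart's values interface and is awkward to rename later. This template tests `secret.type` for `"kubernetes"` while vault-secret.yaml tests for `"vault"` and the values.yaml comment advertises `vault-dynamic`; any other value renders no Secret at all and the cluster's bootstrap then references a missing object, so a template-time guard with `fail` on an unrecognised `bootstrap.initdb.secret.type` would surface the misconfiguration before deploy.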
@@ -0,0 +1,51 @@
+{{- if eq .Values.bootstrap.initdb.secret.type "vault" }}
+apiVersion: generators.external-secrets.io/v1alpha1
+kind: VaultDynamicSecret
+metadata:
+ name: "{{ include "cnpg-cluster.fullname" . }}-init-user"
+spec:
+ path: {{ .Values.bootstrap.initdb.secret.vault.path }}
+ method: "GET"
+ provider:
+ server: "{{ .Values.bootstrap.initdb.secret.vault.address }}"
+ auth:
+ jwt:
+ path: "{{ .Values.bootstrap.initdb.secret.vault.authPath }}"
+ role: "{{ .Values.bootstrap.initdb.secret.vault.autRole }}"
+
+ # ... or retrieve a Kubernetes service account token via the `TokenRequest` API
+ kubernetesServiceAccountToken:
+ serviceAccountRef:
+ name: "{{ include "cnpg-cluster.fullname" . }}-init-user"
+ # `audiences` defaults to `["vault"]` it not supplied
+ audiences:
+ - "{{ .Values.bootstrap.initdb.secret.vault.address }}"
+ # `expirationSeconds` defaults to 10 minutes if not supplied
+ expirationSeconds: 600
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: "{{ include "cnpg-cluster.fullname" . }}-init-user"
+spec:
+ refreshInterval: "1h"
+ target:
+ name: "{{ include "cnpg-cluster.fullname" . }}-init-user"
+ template:
+ engineVersion: v2
+ data:
+ username: "{{ `{{ .username }}` }}"
+ password: "{{ `{{ .password }}` }}"
+ dataFrom:
+ - sourceRef:
+ generatorRef:
+ apiVersion: generators.external-secrets.io/v1alpha1
+ kind: VaultDynamicSecret
+ name: "{{ include "cnpg-cluster.fullname" . }}-init-user"
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "cnpg-cluster.fullname" . }}-init-user
+
+{{- end }}
diff --git a/cnpg-cluster-helm-chart/values.yaml b/cnpg-cluster-helm-chart/values.yaml
index 2a60a0d..95e32da 100644
--- a/cnpg-cluster-helm-chart/values.yaml
+++ b/cnpg-cluster-helm-chart/values.yaml
@@ -5,6 +5,7 @@ nameOverride: ""
 fullnameOverride: ""
 prometheus-postgres-exporter:
+ enabled: false
 config:
 datasource:
 host: grafana-psql-pgcluster-r.grafana.svc
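Review bot: `role: "{{ .Values.bootstrap.initdb.secret.vault.autRole }}"` reads a values key that values.yaml spells `authRole`, so the JWT role always renders as an empty string and the Vault login either fails or falls back to whatever default role the auth mount defines (confirm); the line should read `role: "{{ .Values.bootstrap.initdb.secret.vault.authRole }}"`. The ExternalSecret's `target.name` is `…-init-user` while cluster.yaml expects `{{ .Release.Name }}-app-secret`, and the target template sets no `type`, unlike secret.yaml's `kubernetes.io/basic-auth`; the operator's bootstrap secret is expected to carry that type as far as I know, so add `type: kubernetes.io/basic-auth` under `template:` and agree on one Secret name. `path: {{ .Values.bootstrap.initdb.secret.vault.path }}` is the one unquoted value in the file; quote it like its siblings. `audiences` is set to the Vault address rather than the `["vault"]` default the comment above it describes, which only works if the JWT role's bound audiences match, so the comment should say that instead of restating the default.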
@@ -62,14 +63,36 @@ backup:
 address: "https://vault.vault.svc.cluster.local:8200"
 bootstrap:
- # Options:
+ # Options:
 # - none
 # - empty-db
 # - offline-logical
 # - physical
 # - streaming-replication
 # - online-logical
- type: "none"
+ # - initdb
+ type: "initdb"
+
+ initdb:
+ database: app
+ databaseOwner: app
+ secret:
+ type: "kubernetes" # Options - "kubernetes, vault-dynamic"
+ kuberentes:
+ username: "app"
+ password: "app"
+ vault:
+ path: "secret/kv"
+ address: "http://vault:8200"
+ authPath: "jwt-hub"
+ authRole: "default"
+# configmapSQL:
+# script.sql: |
+# -- SQL Plain Text Here
+#
+
+
+
 # Reovery target for PITR. Only works for type: physical
 # recoveryTarget:
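Review bot: Changing the default `type` from `"none"` to `"initdb"` means every release that never set `bootstrap.type` now renders an initdb bootstrap with the shipped `app`/`app` credentials, so a known plaintext password becomes the chart's default; ship `password: ""` and have secret.yaml reject it with `required`, or keep the default type at `"none"`. The comment `# Options - "kubernetes, vault-dynamic"` disagrees with what the templates test (`"kubernetes"` in secret.yaml, `"vault"` in vault-secret.yaml) and should read `# Options: "kubernetes", "vault"`. `kuberentes` is misspelled, and `authRole` here is read as `autRole` by vault-secret.yaml, so the role set in values never reaches the template. The Vault default `address: "http://vault:8200"` is plain HTTP while the backup section above uses an `https://` address; with that default the dynamic credentials travel unencrypted, so either default to `https://` or note in a comment that TLS is expected in production.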