gitops-template/civo-github/registry/environments/production/postgres.yaml at 6cc3002b5b1a617bc7ea3c407dd319724a281ec6 · kryptokrauts/gitops-template · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: prd-postgres
  namespace: argocd
  finalizers:
    - resources-finalizer.argocd.argoproj.io
  annotations:
    argocd.argoproj.io/sync-wave: '45'
spec:
  project: default
  source:
    repoURL: 'https://charts.bitnami.com/bitnami'
    chart: postgresql
    targetRevision: 13.1.4
    helm:
      values: |-
        auth:
          existingSecret: postgres-secrets
        primary:
          initdb:
            scriptsConfigMap: postgres-initdb
          extraEnvVarsSecret: postgres-secrets
  destination:
    name: in-cluster
    namespace: production
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: postgres-secrets
  namespace: production
  annotations:
    argocd.argoproj.io/sync-wave: '0'
spec:
  dataFrom:
    - extract:
        key: /production/postgres
  refreshInterval: 10s
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault-kv-secret
  target:
    name: postgres-secrets
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: postgres-initdb
  namespace: production
data:
  init.sh: |
    #!/bin/bash

    set -e
    set -u

    # use admin password from env to execute psql commands
    export PGPASSWORD="$POSTGRES_PASSWORD"

    USER_POSTGRES=postgres
    USER_PRD_SOONY=prd-soony

    # we created a special readonly user that will be granted rights to view all databases
    ROLE_AND_USER_PRD_READ_ACCESS=prd-read-access

    function create_users() {
      local USERS=(
        "prd-write-access"
        "$USER_PRD_SOONY")
      local USER_PASSWORDS=(
        "$PG_WRITE_ACCESS_PASSWORD"
        "$PG_SOONY_PASSWORD")

      echo "Creating ${#USERS[@]} users..."
      local USER_INDEX=0
      for user in ${USERS[@]}; do
        psql -v ON_ERROR_STOP=1 --username "$USER_POSTGRES" <<-EOSQL
          CREATE USER "$user" WITH PASSWORD '${USER_PASSWORDS[USER_INDEX]}';
    EOSQL
        USER_INDEX=${USER_INDEX}+1
        echo "Created user: $user"
      done
    }

    function create_read_role_and_user() {
      echo "Creating read-only role (with user) to access to all databases within the cluster..."
      psql -v ON_ERROR_STOP=1 --username "$USER_POSTGRES" <<-EOSQL
        CREATE ROLE "$ROLE_AND_USER_PRD_READ_ACCESS" WITH LOGIN NOINHERIT NOCREATEDB NOCREATEROLE NOSUPERUSER PASSWORD '${PG_READ_ACCESS_PASSWORD}';
    EOSQL
    }

    function create_databases_with_and_set_grant_privileges() {
      local DATABASES=(
        "soon-market-backend"
        "soony")

      echo "Creating ${#DATABASES[@]} databases"
      for db in ${DATABASES[@]}; do
        psql -v ON_ERROR_STOP=1 --username "$USER_POSTGRES" <<-EOSQL
          CREATE DATABASE "$db";
    EOSQL
        if [ "$db" = "soony" ]
        then
          psql -v ON_ERROR_STOP=1 --username "$USER_POSTGRES" <<-EOSQL
            GRANT ALL PRIVILEGES ON DATABASE "$db" TO "$USER_PRD_SOONY";
    EOSQL
        fi
        echo "Created database: $db"
        grant_read_access "$db"
        restore "$db"
      done
    }

    # grant read access within given database, schema public
    # create function for checking HTTP method
    function grant_read_access() {
      local DATABASE=$1
      psql -v ON_ERROR_STOP=1 --username "$USER_POSTGRES" -d "$DATABASE" <<-EOSQL
        GRANT CONNECT ON DATABASE "$DATABASE" TO "$ROLE_AND_USER_PRD_READ_ACCESS";
        GRANT USAGE ON SCHEMA public TO "$ROLE_AND_USER_PRD_READ_ACCESS";
        ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO "$ROLE_AND_USER_PRD_READ_ACCESS";
        ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON SEQUENCES TO "$ROLE_AND_USER_PRD_READ_ACCESS";
    EOSQL
      echo "Granted read-only access to database: $DATABASE"
    }

    # restore existing schema
    # --no-acl: prevent restoration of access privileges (grant/revoke commands)
    # -v: verbose mode output
    function restore() {
      local DATABASE=$1
      local DUMPFILE="$BACKUP_DIRECTORY/$2.tar"

      if [ -f "$DUMPFILE"]
      then
        echo "Restoring $DATABASE from dumpfile $DUMPFILE"
        pg_restore -d $DATABASE --no-acl -v $DUMPFILE
        echo "Finished restoring $DATABASE from dumpfile $DUMPFILE"
      fi
    }

    echo "Executing custom initdb ..."
    create_users
    create_read_role_and_user
    create_databases_with_and_set_grant_privileges