✨ Upgrade keycloak postgresql to version 15

Signed-off-by: Jason Montleon <[email protected]>
konveyor · Apr 3, 2024 · 395e44d · 395e44d
1 parent fec89dc
commit 395e44d
Show file tree

Hide file tree

Showing 9 changed files with 97 additions and 11 deletions.
diff --git a/.github/workflows/create-release.yml b/.github/workflows/create-release.yml
@@ -205,7 +205,7 @@ jobs:
         addon_analyzer: quay.io/konveyor/tackle2-addon-analyzer:${{ inputs.version }}
         # The ones we don't own
         oauth_proxy: quay.io/konveyor/origin-oauth-proxy:${{ inputs.version }}
-        tackle_postgres: quay.io/konveyor/postgresql-12-centos7:${{ inputs.version }}
+        tackle_postgres: quay.io/konveyor/postgresql-15-c9s:${{ inputs.version }}
         keycloak_sso: quay.io/konveyor/keycloak:${{ inputs.version }}
         # Bundle specific args
         version: ${{ inputs.version }}

diff --git a/Dockerfile b/Dockerfile
@@ -5,6 +5,12 @@ USER 0
 COPY tools/upgrades/migrate-pathfinder-assessments.py /usr/local/bin/migrate-pathfinder-assessments.py
 COPY tools/upgrades/jwt.sh /usr/local/bin/jwt.sh
 RUN dnf -y install openssl && dnf clean all
+RUN echo -e "[centos8-appstream]" \
+ "\nname = centos8-appstream" \
+ "\nbaseurl = http://mirror.centos.org/centos/8-stream/AppStream/x86_64/os/" \
+ "\nenabled = 1" \
+ "\ngpgcheck = 0" > /etc/yum.repos.d/centos.repo
+RUN dnf -y module enable postgresql:15 && dnf -y install postgresql && dnf clean all
 USER 1001
 
 COPY requirements.yml ${HOME}/requirements.yml

diff --git a/bundle/manifests/konveyor-operator.clusterserviceversion.yaml b/bundle/manifests/konveyor-operator.clusterserviceversion.yaml
@@ -169,7 +169,7 @@ spec:
                 - name: RELATED_IMAGE_TACKLE_HUB
                   value: quay.io/konveyor/tackle2-hub:latest
                 - name: RELATED_IMAGE_TACKLE_POSTGRES
-                  value: quay.io/centos7/postgresql-12-centos7:centos7
+                  value: quay.io/sclorg/postgresql-15-c9s:latest
                 - name: RELATED_IMAGE_KEYCLOAK_SSO
                   value: quay.io/keycloak/keycloak:18.0.2-legacy
                 - name: RELATED_IMAGE_KEYCLOAK_INIT
@@ -354,7 +354,7 @@ spec:
     name: oauth-proxy
   - image: quay.io/konveyor/tackle2-hub:latest
     name: tackle-hub
-  - image: quay.io/centos7/postgresql-12-centos7:centos7
+  - image: quay.io/sclorg/postgresql-15-c9s:latest
     name: tackle-postgres
   - image: quay.io/keycloak/keycloak:18.0.2-legacy
     name: keycloak-sso

diff --git a/helm/values.yaml b/helm/values.yaml
@@ -14,7 +14,7 @@ images:
   operator: quay.io/konveyor/tackle2-operator:latest
   oauth_proxy: quay.io/openshift/origin-oauth-proxy:latest
   tackle_hub: quay.io/konveyor/tackle2-hub:latest
-  tackle_postgres: quay.io/centos7/postgresql-12-centos7:centos7
+  tackle_postgres: quay.io/sclorg/postgresql-15-c9s:latest
   keycloak_sso: quay.io/keycloak/keycloak:18.0.2-legacy
   keycloak_init: quay.io/konveyor/tackle-keycloak-init:latest
   tackle_ui: quay.io/konveyor/tackle2-ui:latest

diff --git a/roles/tackle/defaults/main.yml b/roles/tackle/defaults/main.yml
@@ -81,9 +81,10 @@ keycloak_database_container_requests_memory: "350Mi"
 keycloak_database_data_volume_name: "{{ keycloak_database_service_name }}-database"
 keycloak_database_data_volume_size: "1Gi"
 keycloak_database_data_volume_path: "/var/lib/pgsql"
-keycloak_database_data_volume_claim_name: "{{ keycloak_database_service_name }}-volume-claim"
+keycloak_database_data_volume_claim_name: "{{ keycloak_database_service_name }}-{{ keycloak_database_db_version }}-volume-claim"
 keycloak_database_db_name: "keycloak_db"
 keycloak_database_db_name_b64: "{{ keycloak_database_db_name | b64encode }}"
+keycloak_database_db_version: "15"
 
 keycloak_sso_image_fqin: "{{ lookup('env', 'RELATED_IMAGE_KEYCLOAK_SSO') }}"
 keycloak_init_image_fqin: "{{ lookup('env', 'RELATED_IMAGE_KEYCLOAK_INIT') }}"

diff --git a/roles/tackle/tasks/main.yml b/roles/tackle/tasks/main.yml
@@ -130,11 +130,6 @@
         name: "{{ keycloak_database_service_name }}"
         namespace: "{{ app_namespace }}"
 
-    - name: "Setup Keycloak PostgreSQL Service"
-      k8s:
-        state: present
-        definition: "{{ lookup('template', 'service-keycloak-postgresql.yml.j2') }}"
-
     - name: "Setup Keycloak PostgreSQL Deployment"
       k8s:
         state: present
@@ -153,6 +148,65 @@
           status: "True"
         wait_timeout: 240
 
+    - name: "Check for old postgresql version deployment"
+      k8s_info:
+        api_version: v1
+        kind: Deployment
+        name: "{{ keycloak_database_service_name }}"
+        namespace: "{{ app_namespace }}"
+      register: pgsql_old_deployment
+
+    - when: ( pgsql_old_deployment.resources | length ) > 0
+      block:
+        - name: Set up the temporary migration service
+          k8s:
+            state: present
+            definition: "{{ lookup('template', 'service-keycloak-postgresql-migration.yml.j2') }}"
+
+        - name: Get the keycloak DB secret
+          k8s_info:
+            api_version: v1
+            kind: Secret
+            name: "tackle-keycloak-postgresql"
+            namespace: "konveyor-tackle"
+          register: pgsql_secret
+
+        - name: Set the keycloak DB credentials
+          set_fact:
+            dbm_user: "{{ pgsql_secret.resources[0].data['database-user'] | b64decode }}"
+            dbm_pass: "{{ pgsql_secret.resources[0].data['database-password'] | b64decode }}"
+
+        - name: Perform the DB upgrade
+          shell: |
+                 set -o pipefail
+                 sleep 10 # give the service a few seconds to be available
+                 pg_dump postgresql://{{ dbm_user }}:{{ dbm_pass }}@{{ keycloak_database_service_k8s_resource_name }}/{{ keycloak_database_db_name }} | psql postgresql://{{ dbm_user }}:{{ dbm_pass }}@{{ keycloak_database_service_k8s_resource_name }}-migration/{{ keycloak_database_db_name }}
+          changed_when: false
+
+        - name: Remove the temporary migration service
+          k8s:
+            state: absent
+            definition: "{{ lookup('template', 'service-keycloak-postgresql-migration.yml.j2') }}"
+
+        - name: Remove the old deployment
+          k8s:
+            state: absent
+            api_version: v1
+            kind: Deployment
+            name: "{{ keycloak_database_service_name }}"
+            namespace: "{{ app_namespace }}"
+
+        - name: Remove the service so it can be recreated
+          k8s:
+            state: absent
+            definition: "{{ lookup('template', 'service-keycloak-postgresql.yml.j2') }}"
+
+
+    - name: "Setup Keycloak PostgreSQL Service"
+      k8s:
+        state: present
+        definition: "{{ lookup('template', 'service-keycloak-postgresql.yml.j2') }}"
+
     - name: "Check if Keycloak SSO Secret exists already so we don't update it"
       k8s_info:
         api_version: v1

diff --git a/roles/tackle/templates/deployment-keycloak-postgresql.yml.j2 b/roles/tackle/templates/deployment-keycloak-postgresql.yml.j2
@@ -2,19 +2,21 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: {{ keycloak_database_deployment_name }}
+  name: {{ keycloak_database_deployment_name }}-{{ keycloak_database_db_version }}
   namespace: {{ app_namespace }}
   labels:
     app.kubernetes.io/name: {{ keycloak_database_service_name }}
     app.kubernetes.io/component: {{ keycloak_database_component_name }}
     app.kubernetes.io/part-of: {{ app_name }}
+    version: "{{ keycloak_database_db_version }}"
 spec:
   replicas: {{ keycloak_database_deployment_replicas }}
   selector:
     matchLabels:
       app.kubernetes.io/name: {{ keycloak_database_service_name }}
       app.kubernetes.io/component: {{ keycloak_database_component_name }}
       app.kubernetes.io/part-of: {{ app_name }}
+      version: "{{ keycloak_database_db_version }}"
 {% if keycloak_database_deployment_strategy == 'Recreate' %}
   strategy:
     type: {{ keycloak_database_deployment_strategy }}
@@ -27,6 +29,7 @@ spec:
         app.kubernetes.io/part-of: {{ app_name }}
         app: {{ app_name }}
         role: {{ keycloak_database_service_name }}
+        version: "{{ keycloak_database_db_version }}"
     spec:
       containers:
         - name: {{ keycloak_database_container_name }}

diff --git a/roles/tackle/templates/service-keycloak-postgresql-migration.yml.j2 b/roles/tackle/templates/service-keycloak-postgresql-migration.yml.j2
@@ -0,0 +1,21 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/name: {{ keycloak_database_service_name }}
+    app.kubernetes.io/component: {{ keycloak_database_component_name }}
+    app.kubernetes.io/part-of: {{ app_name }}
+  name: {{ keycloak_database_service_k8s_resource_name }}-migration
+  namespace: {{ app_namespace }}
+spec:
+  ports:
+    - name: postgres
+      port: 5432
+      targetPort: 5432
+      protocol: TCP
+  selector:
+    app.kubernetes.io/name: {{ keycloak_database_service_name }}
+    app.kubernetes.io/component: {{ keycloak_database_component_name }}
+    app.kubernetes.io/part-of: {{ app_name }}
+    version: "{{ keycloak_database_db_version }}"
diff --git a/roles/tackle/templates/service-keycloak-postgresql.yml.j2 b/roles/tackle/templates/service-keycloak-postgresql.yml.j2
@@ -18,3 +18,4 @@ spec:
     app.kubernetes.io/name: {{ keycloak_database_service_name }}
     app.kubernetes.io/component: {{ keycloak_database_component_name }}
     app.kubernetes.io/part-of: {{ app_name }}
+    version: "{{ keycloak_database_db_version }}"