diff --git a/instance-applications/510-550-ibm-mas-suite-app-config/templates/700-702-postsync-db2-manage.yaml b/instance-applications/510-550-ibm-mas-suite-app-config/templates/700-702-postsync-db2-manage.yaml new file mode 100644 index 000000000..4cce1f354 --- /dev/null +++ b/instance-applications/510-550-ibm-mas-suite-app-config/templates/700-702-postsync-db2-manage.yaml @@ -0,0 +1,248 @@ +{{- if eq .Values.mas_app_id "manage" }} +{{- if not (empty .Values.manage_db2u_databases) }} + +{{ $manage_ns := .Values.mas_app_namespace }} +{{ $np_name := "postsync-manage-db2-np" }} +{{ $sa_name := "postsync-manage-db2-sa" }} +{{ $job_label := "postsync-manage-db2-job" }} + +--- +{{- /* + Permit outbound communication by the Job pod (Needed to communicate with the K8S HTTP API) + This single policy is shared by all per-db2 job instances, sit identifies these jobs by $job_label (which is the same for all) +*/}} +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + name: {{ $np_name }} + namespace: {{ $manage_ns }} + annotations: + argocd.argoproj.io/sync-wave: "700" +{{- if .Values.custom_labels }} + labels: +{{ .Values.custom_labels | toYaml | indent 4 }} +{{- end }} +spec: + podSelector: + matchLabels: + app: {{ $job_label }} + egress: + - {} + policyTypes: + - Egress + +--- +{{- /* + Service account that is authorized to exec into db2u pod + This single service account is shared by all per-db2 job instances + Each per-db2 job is assigned its own role (in the db2 namespace) which is bound to this service account +*/}} +kind: ServiceAccount +apiVersion: v1 +metadata: + name: "{{ $sa_name }}" + namespace: "{{ $manage_ns }}" + annotations: + argocd.argoproj.io/sync-wave: "700" +{{- if .Values.custom_labels }} + labels: +{{ .Values.custom_labels | toYaml | indent 4 }} +{{- end }} + + + + + + +{{- /* + A separate Job is created in the manage namespace per DB2 instance reserved for use by Manage. + For each Job a separate Role and RoleBinding is created in the db2 namespace to permit pod exec access to the (single) service account assigned to each Job. + + NOTE: Most likely there will only ever be a single DB2 reserved for use by Manage; i.e. exactly 1 entry in ibm-db2u-databases.yaml with mas_application_id: "manage". + But our config model (in theory) permits more than one, so it seems prudent to ensure this post Manage-sync DB2 maintenance Job is executed against all. + + NOTE: When inside the range loop below, make sure you prefix any references to chart values NOT under .Values.manage_db2u_databases with $. + For example: {{ $.Values.custom_labels }} (instead of {{ .Values.custom_labels }} ) +*/}} +{{- range $i, $db := .Values.manage_db2u_databases }} + +{{ $db2_namespace := $db.db2_namespace }} +{{ $db2_dbname := $db.db2_dbname }} +{{ $db2_instance_name := $db.db2_instance_name }} + +{{ $job_name := printf "postsync-manage-db2-job-%s" $db2_instance_name }} +{{ $role_name := printf "postsync-manage-db2-role-%s" $db2_instance_name }} +{{ $rb_name := printf "postsync-manage-db2-rb-%s" $db2_instance_name }} + +--- +{{- /* + Role permitting exec into db2u pod + NOTE: created in db2u namespace +*/}} +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: "{{ $role_name }}" + namespace: "{{ $db2_namespace }}" + annotations: + argocd.argoproj.io/sync-wave: "700" +{{- if $.Values.custom_labels }} + labels: +{{ $.Values.custom_labels | toYaml | indent 4 }} +{{- end }} +rules: +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - list +- apiGroups: + - "" + resources: + - pods/exec + verbs: + - create + - get + - list + +--- +{{- /* + RoleBinding from the Role in the db2u namespace to the Job ServiceAccount in the app namespace + NOTE: created in db2u namespace +*/}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: "{{ $rb_name }}" + namespace: "{{ $db2_namespace }}" + annotations: + argocd.argoproj.io/sync-wave: "701" +{{- if $.Values.custom_labels }} + labels: +{{ $.Values.custom_labels | toYaml | indent 4 }} +{{- end }} +subjects: + - kind: ServiceAccount + name: "{{ $sa_name }}" + namespace: "{{ $manage_ns }}" +roleRef: + kind: Role + name: "{{ $role_name }}" + apiGroup: rbac.authorization.k8s.io + + +--- +apiVersion: batch/v1 +kind: Job +metadata: + # Suffix the Job name with a hash of all chart values + # This is to ensure that ArgoCD will delete and recreate the job if anything changes in the application config + # The job is idempotent + name: {{ $job_name }}-v1-{{ omit $.Values "junitreporter" | toYaml | adler32sum }} + namespace: "{{ $manage_ns }}" + annotations: + argocd.argoproj.io/sync-wave: "702" +{{- if $.Values.custom_labels }} + labels: +{{ $.Values.custom_labels | toYaml | indent 4 }} +{{- end }} +spec: + template: + metadata: + labels: + app: {{ $job_label }} +{{- if $.Values.custom_labels }} +{{ $.Values.custom_labels | toYaml | indent 8 }} +{{- end }} + spec: + containers: + - name: run + image: quay.io/ibmmas/cli:latest + imagePullPolicy: IfNotPresent + resources: + limits: + cpu: 200m + memory: 512Mi + requests: + cpu: 10m + memory: 64Mi + env: + # Hard-coded for now: + - name: AVP_TYPE + value: "aws" + - name: DB2_NAMESPACE + value: "{{ $db2_namespace }}" + - name: DB2_DBNAME + value: "{{ $db2_dbname }}" + - name: DB2_INSTANCE_NAME + value: "{{ $db2_instance_name }}" + + volumeMounts: [] + command: + - /bin/sh + - -c + - | + + set -e + source /mascli/functions/gitops_utils + + DB2_POD_NAME="c-${DB2_INSTANCE_NAME}-db2u-0" + + echo "" + echo "================================================================================" + echo "Settings" + echo "================================================================================" + echo "DB2_INSTANCE_ID ..................... ${DB2_INSTANCE_NAME}" + echo "DB2_DBNAME .......................... ${DB2_DBNAME}" + echo "AVP_TYPE ............................ ${AVP_TYPE}" + echo "DB2_NAMESPACE ....................... ${DB2_NAMESPACE}" + echo "DB2_POD_NAME ........................ ${DB2_POD_NAME}" + + # Path to the generated script, on both this pod and on the db2u pod + ALTERSEQ_SH_PATH="/tmp/alterseq.sh" + + echo "" + echo "Create ${ALTERSEQ_SH_PATH}" + echo "--------------------------------------------------------------------------------" + + # Generate a script to copy and run on the db2u pod + cat > ${ALTERSEQ_SH_PATH} << EOF + #!/bin/bash + db2 connect to ${DB2_DBNAME} + if [ \$? != 0 ]; then + echo "Failed to connect to database!" + exit 1 + fi + + db2 "select 'alter sequence maximo.' || sequencename || ' cache 500;' from maximo.maxsequence" | grep "alter sequence" > "${ALTERSEQ_SH_PATH}.sql" + echo "alter sequence maximo.maxseq cache 2000;" >> "${ALTERSEQ_SH_PATH}.sql" + + db2 -tvf "${ALTERSEQ_SH_PATH}.sql" | tee "${ALTERSEQ_SH_PATH}.sql.log" || exit \$? + EOF + # IMPORTANT: Do not make any changes to the "EOF" line above (including its indentation) + + cat ${ALTERSEQ_SH_PATH} + + chmod +x ${ALTERSEQ_SH_PATH} + + echo "" + echo "Copy ${ALTERSEQ_SH_PATH} to ${DB2_NAMESPACE}/${DB2_POD_NAME}" + echo "--------------------------------------------------------------------------------" + oc cp ${ALTERSEQ_SH_PATH} ${DB2_NAMESPACE}/${DB2_POD_NAME}:${ALTERSEQ_SH_PATH} -c db2u || exit $? + echo "... done" + + echo "" + echo "Executing ${ALTERSEQ_SH_PATH} file on ${DB2_NAMESPACE}/${DB2_POD_NAME}" + echo "--------------------------------------------------------------------------------" + oc exec -n ${DB2_NAMESPACE} ${DB2_POD_NAME} -- su -lc "${ALTERSEQ_SH_PATH} | tee ${ALTERSEQ_SH_PATH}.log" db2inst1 || exit $? + + restartPolicy: Never + serviceAccountName: "{{ $sa_name }}" + volumes: [] + backoffLimit: 4 + +{{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/root-applications/ibm-mas-instance-root/templates/510-550-ibm-mas-masapp-configs.yaml b/root-applications/ibm-mas-instance-root/templates/510-550-ibm-mas-masapp-configs.yaml index 62bc53fd3..bc91caffb 100644 --- a/root-applications/ibm-mas-instance-root/templates/510-550-ibm-mas-masapp-configs.yaml +++ b/root-applications/ibm-mas-instance-root/templates/510-550-ibm-mas-masapp-configs.yaml @@ -100,6 +100,19 @@ spec: devops_build_number: "{{ $.Values.devops.build_number }}" gitops_version: "{{ $.Values.source.revision }}" + {{- if (eq $value.mas_app_id "manage") }} + {{- if not (empty $.Values.ibm_db2u_databases) }} + manage_db2u_databases: + {{- range $j, $db := $.Values.ibm_db2u_databases }} + {{- if (eq $db.mas_application_id "manage") }} + - db2_namespace: {{ $db.db2_namespace }} + db2_instance_name: {{ $db.db2_instance_name }} + db2_dbname: {{ $db.db2_dbname }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + - name: ARGOCD_APP_NAME value: "ma-cfg-{{ $value.mas_app_id }}" {{- if not (empty $.Values.avp.secret) }}