[DDO-1292] Rawls Liquibase Migration Pre-sync Job

charts/rawls/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: rawls
-version: 0.8.0
+version: 0.8.1
 appVersion: latest
 description: Chart for Rawls service in Terra
 type: application

charts/rawls/templates/migration/job.yaml

@@ -0,0 +1,88 @@
+{{- if .Values.migration.enabled }}
+{{- $imageTag := .Values.migration.imageTag | default .Values.global.applicationVersion -}}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: rawls-liquibase-migration
+  annotations:
+    argocd.argoproj.io/hook: PreSync
+    argocr.argoproj.io/hook-delete-policy: BeforeHookCreation
+  labels: 
+    {{- include "rawls.labels" . | nindent 4 }}
+spec:
+  backoffLimit: 2
+  template:
+    metadata:
+      name: rawls-liquibase-migration
+      labels:
+        {{- include "rawls.labels" . | nindent 8 }}
+    spec:
+      # Allow migration-liquibase to kill migration-sqlproxy's process
+      shareProcessNamespace: true
+      restartPolicy: Never
+      serviceAccountName: rawls-migration-sa
+      hostAliases:
+      - ip: 127.0.0.1
+        hostnames:
+        - sqlproxy
+      volumes:
+      - name: app-ctmpls
+        secret:
+          secretName: {{ .Values.migration.secretPrefix }}-app-ctmpls
+      - name: sqlproxy-ctmpls
+        secret:
+          secretName: {{ .Values.migration.secretPrefix }}-sqlproxy-ctmpls
+      containers:
+      - name: migration-liquibase
+        image: "gcr.io/broad-dsp-gcr-public/rawls:{{ $imageTag }}"
+        command: ['bash', '-c']
+        # Sleep for 15s to allow CloudSQL proxy time to start up. See DDO-1284 / BT-296
+        # The `find /rawls -name 'rawls*.jar'` is from Rawls's own Dockerfile CMD
+        # References templated liquibase.properties, see https://docs.google.com/document/d/19ethQWyH29H-jUWwgFoCxKfjmzcG-NCmSgXNAUJAYaU/edit#
+        args:
+        - |-
+          sleep 15s && \
+          java -cp $(find /rawls -name 'rawls*.jar') liquibase.integration.commandline.Main \
+            --defaultsFile='/etc/liquibase.properties' \
+            --classpath="$(find /rawls -name 'rawls*.jar')" \
+            --username="$DB_USERNAME" \
+            --password="$DB_PASSWORD" \
+            {{ .Values.migration.dryRun | ternary "updateSQL" "update" }}; \
+          EXIT={{ .Values.migration.failBasedOnLiquibase | ternary "$?" "0" }}; \
+          pkill -SIGTERM cloud_sql_proxy; \
+          exit $EXIT
+        env:
+        - name: DB_USERNAME
+          valueFrom:
+            secretKeyRef:
+              name: rawls-sql-secrets
+              key: db-username
+        - name: DB_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: rawls-sql-secrets
+              key: db-password
+        volumeMounts:
+        - mountPath: /etc/liquibase.properties
+          subPath: liquibase.properties
+          name: app-ctmpls
+          readOnly: true
+      - name: migration-sqlproxy
+        # alpine provides `sh`
+        image: gcr.io/cloudsql-docker/gce-proxy:1.23.0-alpine
+        envFrom:
+        - secretRef:
+            name: {{ .Values.migration.secretPrefix }}-sqlproxy-env
+        volumeMounts:
+        - mountPath: /etc/sqlproxy-service-account.json
+          subPath: sqlproxy-service-account.json
+          name: sqlproxy-ctmpls
+          readOnly: true
+        command: ['sh', '-c']
+        args:
+        - |-
+          /cloud_sql_proxy ${CLOUDSQL_LOGGING:-"-verbose"} \
+            -max_connections=${CLOUDSQL_MAXCONNS:-0} \
+            -instances="${CLOUDSQL_CONNECTION_LIST:-${GOOGLE_PROJECT}:${CLOUDSQL_ZONE}:${CLOUDSQL_INSTANCE}=tcp:0.0.0.0:${PORT:-3306}}" \
+            -credential_file=${CLOUDSQL_CREDENTIAL_FILE:-"/etc/sqlproxy-service-account.json"}
+{{- end -}}

charts/rawls/templates/migration/role.yaml

@@ -0,0 +1,18 @@
+{{- if .Values.migration.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: rawls-migration-role
+  labels:
+    {{- include "rawls.labels" . | nindent 4 }}
+  annotations:
+    argocd.argoproj.io/hook: PreSync
+    argocr.argoproj.io/hook-delete-policy: BeforeHookCreation
+    argocd.argoproj.io/sync-wave: "-1"
+rules:
+- apiGroups: ['policy']
+  resources: ['podsecuritypolicies']
+  verbs:     ['use']
+  resourceNames:
+  - terra-default-psp
+{{- end -}}

charts/rawls/templates/migration/roleBinding.yaml

@@ -0,0 +1,19 @@
+{{- if .Values.migration.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: rawls-migration-sa-binding
+  labels:
+    {{- include "rawls.labels" . | nindent 4 }}
+  annotations:
+    argocd.argoproj.io/hook: PreSync
+    argocr.argoproj.io/hook-delete-policy: BeforeHookCreation
+    argocd.argoproj.io/sync-wave: "-1"
+subjects:
+- kind: ServiceAccount
+  name: rawls-migration-sa
+roleRef:
+  kind: Role
+  name: rawls-migration-role
+  apiGroup: rbac.authorization.k8s.io
+{{- end -}}

charts/rawls/templates/migration/secretDefinition.yaml

@@ -0,0 +1,23 @@
+{{- if .Values.migration.enabled }}
+apiVersion: secrets-manager.tuenti.io/v1alpha1
+kind: SecretDefinition
+metadata:
+  name: rawls-migration-secretdef
+  labels: 
+    {{- include "rawls.labels" . | nindent 4 }}
+  annotations:
+    argocd.argoproj.io/hook: PreSync
+    argocr.argoproj.io/hook-delete-policy: BeforeHookCreation
+    argocd.argoproj.io/sync-wave: "-1"
+spec:
+  name: rawls-sql-secrets
+  keysMap:
+    db-username:
+      key: {{ .Values.vault.migration.dbUsernameKey }}
+      path: {{ required "A valid vault.migration.path is required" .Values.vault.migration.path }}
+      encoding: text
+    db-password:
+      key: {{ .Values.vault.migration.dbPasswordKey }}
+      path: {{ required "A valid vault.migration.path is required" .Values.vault.migration.path }}
+      encoding: text
+{{- end -}}

charts/rawls/templates/migration/serviceAccount.yaml

@@ -0,0 +1,12 @@
+{{- if .Values.migration.enabled }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: rawls-migration-sa
+  labels:
+    {{- include "rawls.labels" . | nindent 4 }}
+  annotations:
+    argocd.argoproj.io/hook: PreSync
+    argocr.argoproj.io/hook-delete-policy: BeforeHookCreation
+    argocd.argoproj.io/sync-wave: "-1"
+{{- end -}}

charts/rawls/values.yaml

@@ -41,7 +41,7 @@ deploymentDefaults:
   # Example: `"rawls1-reader"`
   name: null
   # deploymentDefaults.imageTag -- Image tag to be used when deploying Pods
-  # @defautl global.applicationVersion
+  # @default global.applicationVersion
   imageTag: null
   # deploymentDefaults.replicas -- Number of replicas for the deployment
   replicas: 0
@@ -92,3 +92,28 @@ deploymentDefaults:
         periodSeconds: 10
         failureThreshold: 1080 # 3 hours before restarted, to prevent liveness probes from interrupting long-running liquibase migrations
         successThreshold: 1
+
+vault:
+  # Migration credentials only referenced if migration.enabled == true
+  migration:
+    # vault.migration.path -- Vault path to secret containing DB credentials
+    path: null
+    # vault.migration.dbUsernameKey -- Key in Vault secret to DB username
+    dbUsernameKey: "slick_db_user"
+    # vault.migration.DbPasswordKey -- Key in Vault secret to DB password
+    dbPasswordKey: "slick_db_password"
+
+migration:
+  # migration.enabled -- Whether to run a Liquibase migration job pre-sync
+  enabled: false
+  # migration.dryRun -- When true, merely print migration SQL; when false, execute it
+  dryRun: true
+  # migration.failBasedOnLiquibase -- When true, fail the job (and ArgoCD sync!) if the Liquibase command fails
+  failBasedOnLiquibase: true
+  # migration.imageTag -- Override the image tag to run the migration on
+  # @default global.applicationVersion
+  # WARNING: App may behave unexpectedly if its database has been migrated to a different version than the app
+  imageTag: null
+  # migration.secretPrefix -- Prefix for ctmpl and env secrets
+  # NOTE: Generally equals some deploymentDefaults.name, as secrets are per-deployment but migrations are per-namespace
+  secretPrefix: "rawls-backend"