defined persistence storage:

#2 try
cyberark · Jul 8, 2019 · fb27aa7 · fb27aa7
1 parent 8a3c283
commit fb27aa7
Show file tree

Hide file tree

Showing 3 changed files with 44 additions and 36 deletions.
diff --git a/6_configure_master.sh b/6_configure_master.sh
@@ -14,62 +14,62 @@ main() {
 
 configure_master_pod() {
   announce "Configuring master pod."
-
   master_pod_name=$(get_master_pod_name)
-
   if [ $CONJUR_VERSION = '5' ]; then
     # Move database to persistent storage if /opt/conjur/dbdata is mounted
     if $cli exec $master_pod_name -- ls /opt/conjur/dbdata &>/dev/null; then
       if ! $cli exec $master_pod_name -- ls /opt/conjur/dbdata/9.4 &>/dev/null; then
         echo "Nessi defined DB persistent storage"
-        # No existing data found, set up database symlink
-        $cli exec $master_pod_name -- mv /var/lib/postgresql/9.4 /opt/conjur/dbdata/
-        $cli exec $master_pod_name -- ln -sf /opt/conjur/dbdata/9.4 /var/lib/postgresql/9.4
-        $cli exec $master_pod_name -- chown -h postgres:postgres /var/lib/postgresql/9.4
-        echo "Master database moved to persistent storage"
+##         No existing data found, set up database symlink
+#        $cli exec $master_pod_name -- mv /var/lib/postgresql/9.4 /opt/conjur/dbdata/
+#        $cli exec $master_pod_name -- ln -sf /opt/conjur/dbdata/9.4 /var/lib/postgresql/9.4
+#        $cli exec $master_pod_name -- chown -h postgres:postgres /var/lib/postgresql/9.4
+#        $cli exec $master_pod_name -- chown -h postgres:postgres /opt/conjur/dbdata
+#        $cli exec $master_pod_name -- chmod 777 /opt/conjur/dbdata
+#        echo "Master database moved to persistent storage"
       fi
     fi
-
     if $cli exec $master_pod_name -- ls /opt/conjur/data &>/dev/null; then
       if ! $cli exec $master_pod_name -- ls /opt/conjur/data/runsvdir &>/dev/null; then
-        echo "Nessi defined runsvdir persistent storage"
-         $cli exec $master_pod_name -- mkdir /opt/conjur/data/runsvdir
-        $cli exec $master_pod_name -- mv /etc/runit/runsvdir/default/conjur /opt/conjur/data/runsvdir
-        $cli exec $master_pod_name -- ln -sf /opt/conjur/data/runsvdir/conjur /etc/runit/runsvdir/default/conjur
+         echo "Nessi defined runsvdir persistent storage"
+#        $cli exec $master_pod_name -- mkdir -p /opt/conjur/data/runsvdir
+#        $cli exec $master_pod_name -- mv /etc/runit/runsvdir /opt/conjur/data
+#        $cli exec $master_pod_name -- ln -sf /opt/conjur/data/runsvdir /etc/runit/runsvdir
+#        $cli exec $master_pod_name -- rm /etc/service
+#        $cli exec $master_pod_name -- ln -sf /opt/conjur/data/runsvdir/default /etc/service
+#        $cli exec $master_pod_name -- chown -h conjur:root /opt/conjur/data
+#        $cli exec $master_pod_name -- chmod 777 /opt/conjur/data
       fi
       if ! $cli exec $master_pod_name -- ls /opt/conjur/data/etc &>/dev/null; then
         echo "Nessi defined etc persistent storage"
         $cli exec $master_pod_name -- mv /opt/conjur/etc /opt/conjur/data/
         $cli exec $master_pod_name -- ln -sf /opt/conjur/data/etc /opt/conjur/etc
+        #$cli exec $master_pod_name -- chown -h conjur:root /opt/conjur/etc
+        $cli exec $master_pod_name -- chown -h conjur:root /opt/conjur/data/etc
+        $cli exec $master_pod_name -- chmod 777 /opt/conjur/data
       fi
-      if ! $cli exec $master_pod_name -- ls /opt/conjur/data/ssl &>/dev/null; then
+      if ! $cli exec $master_pod_name -- ls /opt/conjur/ssl &>/dev/null; then
         echo "Nessi defined ssl persistent storage"
-        $cli exec $master_pod_name -- mv /etc/ssl /opt/conjur/data/
-        $cli exec $master_pod_name -- ln -sf /opt/conjur/data/ssl /etc/ssl
+#        $cli exec $master_pod_name -- mv /etc/ssl /opt/conjur/
+#        $cli exec $master_pod_name -- ln -sf /opt/conjur/ssl /etc/ssl
+#        $cli exec $master_pod_name -- chmod 777 /opt/conjur/ssl
+        #$cli exec $master_pod_name -- chown -h postgres:postgres /opt/conjur/data
       fi
     fi
   fi
-
   $cli label --overwrite pod $master_pod_name role=master
-
   MASTER_ALTNAMES="localhost,conjur-master.$CONJUR_NAMESPACE_NAME.svc.cluster.local"
-
   if [ $PLATFORM = 'openshift' ]; then
     $cli create route passthrough --service=conjur-master
-
     echo "Created passthrough route for conjur-master service."
-
     conjur_master_route=$($cli get routes | grep conjur-master | awk '{ print $2 }')
     MASTER_ALTNAMES="$MASTER_ALTNAMES,$conjur_master_route"
-
     echo "Added conjur-master service route ($conjur_master_route) to Master cert altnames."
   else
     conjur_master_service_external_ip="$(kubectl get --no-headers service conjur-master | awk '{print $3 }')"
     MASTER_ALTNAMES="$MASTER_ALTNAMES,$conjur_master_service_external_ip"
-
     echo "Added conjur-master service external IP ($conjur_master_service_external_ip) to Master cert altnames."
   fi
-
   # Configure Conjur master server using evoke.
   $cli exec $master_pod_name -- evoke configure master \
      -h conjur-master \
@@ -78,7 +78,6 @@ configure_master_pod() {
      -p $CONJUR_ADMIN_PASSWORD \
      $CONJUR_ACCOUNT
   echo "Master pod configured."
-
   # Write standby seed to persistent storage if /opt/conjur/data is mounted
   if $cli exec $master_pod_name -- ls /opt/conjur/data &>/dev/null; then
     $cli exec $master_pod_name -- bash -c "evoke seed standby > /opt/conjur/data/standby-seed.tar"

diff --git a/openshift/conjur-cluster-stateful.yaml b/openshift/conjur-cluster-stateful.yaml
@@ -41,6 +41,8 @@ spec:
           # Only required for Conjur v5
           - name: CONJUR_DATA_KEY
             value: "{{ CONJUR_DATA_KEY }}"
+        command: ["/bin/sh"]
+        args: ["-c", "bash -c 'if [ ! -d /opt/conjur/dbdata/9.4 ]; then mv /var/lib/postgresql/9.4 /opt/conjur/dbdata; mv /opt/conjur/etc /opt/conjur/data;mv /etc/runit/runsvdir /opt/conjur/data; mv /etc/ssl /opt/conjur/ssl;mv /etc/service /opt/conjur/data/runsvdir/default; fi; rm -rf /etc/service ;rm -rf /etc/runit/runsvdir; ln -sf /opt/conjur/data/runsvdir /etc/runit/runsvdir;ln -sf /opt/conjur/data/runsvdir/default /etc/service; chown -h conjur:root /opt/conjur/data; chmod 777 /opt/conjur/data;ln -sf /opt/conjur/data/etc /opt/conjur/etc;chown -h conjur:root /opt/conjur/etc ;chown -h conjur:root /opt/conjur/data/etc;chmod 777 /opt/conjur/data/etc; ln -sf /opt/conjur/ssl/ssl /etc/ssl; chmod 777 /opt/conjur/ssl; ln -sf /opt/conjur/dbdata/9.4 /var/lib/postgresql/9.4; chown -h postgres:postgres /var/lib/postgresql/9.4; chown -h postgres:postgres /opt/conjur/dbdata; chown -h conjur:root /opt/conjur/data; chmod 777 /opt/conjur/dbdata; chmod 777 /opt/conjur/ssl;' & /bin/keyctl session - /sbin/my_init" ]
         ports:
         - containerPort: 443
           name: https
@@ -55,9 +57,8 @@ spec:
           mountPath: /opt/conjur/dbdata
         - name: conjur-data
           mountPath: /opt/conjur/data
-      securitycontext:
-        fsGroup:
-          type: 104
+        - name: conjur-ssl
+          mountPath: /opt/conjur/ssl
       imagePullSecrets:
         - name: dockerpullsecret
   volumeClaimTemplates:
@@ -75,3 +76,11 @@ spec:
       resources:
         requests:
           storage: 1Gi
+  - metadata:
+      name: conjur-ssl
+    spec:
+      accessModes: [ "ReadWriteOnce" ]
+      resources:
+        requests:
+          storage: 500Mi
+
diff --git a/start b/start
@@ -25,18 +25,18 @@ if [[ "${DEPLOY_MASTER_CLUSTER}" = "true" ]]; then
   ./3_deploy_conjur_master_cluster.sh
 fi
 
-./4_deploy_conjur_followers.sh
+#./4_deploy_conjur_followers.sh
 
 if [[ "${DEPLOY_MASTER_CLUSTER}" = "true" ]]; then
   ./5_create_load_balancer.sh
   ./6_configure_master.sh
-  ./7_configure_standbys.sh
+#  ./7_configure_standbys.sh
 fi
 
-if [[ -f "${FOLLOWER_SEED}" ]] || [[ "${DEPLOY_MASTER_CLUSTER}" = "true" ]]; then
-    ./8_configure_followers.sh
-fi
-
-if [[ "${DEPLOY_MASTER_CLUSTER}" = "true" ]]; then
-  ./9_print_cluster_info.sh
-fi
+#if [[ -f "${FOLLOWER_SEED}" ]] || [[ "${DEPLOY_MASTER_CLUSTER}" = "true" ]]; then
+#    ./8_configure_followers.sh
+#fi
+#
+#if [[ "${DEPLOY_MASTER_CLUSTER}" = "true" ]]; then
+#  ./9_print_cluster_info.sh
+#fi