The 'add-targeted-namespace.sh' script now only

andrewlecuyer · jkatz · commit 73d962907e14 · 2019-12-30T18:21:43.000-06:00
creates (or recreates) the 'pgo-pg' service
account, along with the role and role binding for
that service account, if there aren't any pods
(i.e. PG DB pods) already running in the
namespace utilizing the 'pgo-pg' ServiceAccount.
This is to prevent any undesired behavior with
any PG DB pods that are relying on this SA to
effectively communicate with the Kuburnetes API,
i.e. the Patroni DCS (e.g. if the connection is
broken the primary will not be able to renew the
leader lock).
diff --git a/ansible/roles/pgo-operator/templates/add-targeted-namespace.sh.j2 b/ansible/roles/pgo-operator/templates/add-targeted-namespace.sh.j2
@@ -23,6 +23,9 @@ PGO_IMAGE_PULL_SECRET='{{ pgo_image_pull_secret }}'
 PGO_IMAGE_PULL_SECRET_MANIFEST='{{ pgo_image_pull_secret_manifest }}'
 TARGET_NAMESPACE='{{ item }}'
 
+# the name of the service account utilized by the PG pods
+PG_SA="pgo-pg"
+
 # create the namespace if necessary
 {{ kubectl_or_oc }} get ns {{ item }}  > /dev/null
 if [ $? -eq 0 ]; then
@@ -37,10 +40,26 @@ fi
 {{ kubectl_or_oc }} label namespace/{{ item }} vendor=crunchydata
 {{ kubectl_or_oc }} label namespace/{{ item }} pgo-installation-name={{ pgo_installation_name }}
 
+# determine if an existing pod is using the 'pgo-pg' service account.  if so, do not delete
+# and recreate the SA or its associated role and role binding.  this is to avoid any undesired
+# behavior with existing PG clusters that are actively utilizing the SA.
+{{ kubectl_or_oc }} -n {{ item }} get pods -o yaml | grep "serviceAccount: ${PG_SA}"  > /dev/null
+if [ $? -ne 0 ]; then
+	{{ kubectl_or_oc }} -n {{ item }} delete --ignore-not-found sa pgo-pg
+	{{ kubectl_or_oc }} -n {{ item }} delete --ignore-not-found role pgo-pg-role
+	{{ kubectl_or_oc }} -n {{ item }} delete --ignore-not-found rolebinding pgo-pg-role-binding
+
+	cat {{ role_path }}/files/pgo-configs/pgo-pg-sa.json | sed 's/{{ target_namespace }}/'"{{ item }}"'/' | {{ kubectl_or_oc }} -n {{ item }} create -f -
+	cat {{ role_path }}/files/pgo-configs/pgo-pg-role.json | sed 's/{{ target_namespace }}/'"{{ item }}"'/' | {{ kubectl_or_oc }} -n {{ item }} create -f -
+	cat {{ role_path }}/files/pgo-configs/pgo-pg-role-binding.json | sed 's/{{ target_namespace }}/'"{{ item }}"'/' | {{ kubectl_or_oc }} -n {{ item }} create -f -
+else
+	echo "Running pods found using SA '${PG_SA}' in namespace {{ item }}, will not recreate"
+fi
+
 # create RBAC
-{{ kubectl_or_oc }} -n {{ item }} delete --ignore-not-found sa pgo-backrest pgo-default pgo-pg pgo-target
-{{ kubectl_or_oc }} -n {{ item }} delete --ignore-not-found role pgo-backrest-role pgo-pg-role pgo-target-role
-{{ kubectl_or_oc }} -n {{ item }} delete --ignore-not-found rolebinding pgo-backrest-role-binding pgo-pg-role-binding pgo-target-role-binding
+{{ kubectl_or_oc }} -n {{ item }} delete --ignore-not-found sa pgo-backrest pgo-default pgo-target
+{{ kubectl_or_oc }} -n {{ item }} delete --ignore-not-found role pgo-backrest-role pgo-target-role
+{{ kubectl_or_oc }} -n {{ item }} delete --ignore-not-found rolebinding pgo-backrest-role-binding pgo-target-role-binding
 
 cat {{ role_path }}/files/pgo-configs/pgo-default-sa.json | sed 's/{{ target_namespace }}/'"{{ item }}"'/' | {{ kubectl_or_oc }} -n {{ item }} create -f -
 cat {{ role_path }}/files/pgo-configs/pgo-target-sa.json | sed 's/{{ target_namespace }}/'"{{ item }}"'/' | {{ kubectl_or_oc }} -n {{ item }} create -f -
@@ -49,9 +68,6 @@ cat {{ role_path }}/files/pgo-configs/pgo-target-role-binding.json | sed 's/{{ t
 cat {{ role_path }}/files/pgo-configs/pgo-backrest-sa.json | sed 's/{{ target_namespace }}/'"{{ item }}"'/' | {{ kubectl_or_oc }} -n {{ item }} create -f -
 cat {{ role_path }}/files/pgo-configs/pgo-backrest-role.json | sed 's/{{ target_namespace }}/'"{{ item }}"'/' | {{ kubectl_or_oc }} -n {{ item }} create -f -
 cat {{ role_path }}/files/pgo-configs/pgo-backrest-role-binding.json | sed 's/{{ target_namespace }}/'"{{ item }}"'/' | {{ kubectl_or_oc }} -n {{ item }} create -f -
-cat {{ role_path }}/files/pgo-configs/pgo-pg-sa.json | sed 's/{{ target_namespace }}/'"{{ item }}"'/' | {{ kubectl_or_oc }} -n {{ item }} create -f -
-cat {{ role_path }}/files/pgo-configs/pgo-pg-role.json | sed 's/{{ target_namespace }}/'"{{ item }}"'/' | {{ kubectl_or_oc }} -n {{ item }} create -f -
-cat {{ role_path }}/files/pgo-configs/pgo-pg-role-binding.json | sed 's/{{ target_namespace }}/'"{{ item }}"'/' | {{ kubectl_or_oc }} -n {{ item }} create -f -
 
 if [ -r "$PGO_IMAGE_PULL_SECRET_MANIFEST" ]; then
 	$PGO_CMD -n "$TARGET_NAMESPACE" create -f "$PGO_IMAGE_PULL_SECRET_MANIFEST"
diff --git a/deploy/add-targeted-namespace.sh b/deploy/add-targeted-namespace.sh
@@ -14,6 +14,10 @@
 
 
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+# the name of the service account utilized by the PG pods
+PG_SA="pgo-pg"
+
 # Enforce required environment variables
 test="${PGO_CMD:?Need to set PGO_CMD env variable}"
 test="${PGOROOT:?Need to set PGOROOT env variable}"
@@ -39,10 +43,26 @@ $PGO_CMD label namespace/$1 pgo-created-by=add-script
 $PGO_CMD label namespace/$1 vendor=crunchydata
 $PGO_CMD label namespace/$1 pgo-installation-name=$PGO_INSTALLATION_NAME
 
+# determine if an existing pod is using the 'pgo-pg' service account.  if so, do not delete
+# and recreate the SA or its associated role and role binding.  this is to avoid any undesired
+# behavior with existing PG clusters that are actively utilizing the SA.
+$PGO_CMD -n $1 get pods -o yaml | grep "serviceAccount: ${PG_SA}"  > /dev/null
+if [ $? -ne 0 ]; then
+	$PGO_CMD -n $1 delete --ignore-not-found sa pgo-pg
+	$PGO_CMD -n $1 delete --ignore-not-found role pgo-pg-role
+	$PGO_CMD -n $1 delete --ignore-not-found rolebinding pgo-pg-role-binding
+
+	cat $PGOROOT/conf/postgres-operator/pgo-pg-sa.json | sed 's/{{.TargetNamespace}}/'"$1"'/' | $PGO_CMD -n $1 create -f -
+	cat $PGOROOT/conf/postgres-operator/pgo-pg-role.json | sed 's/{{.TargetNamespace}}/'"$1"'/' | $PGO_CMD -n $1 create -f -
+	cat $PGOROOT/conf/postgres-operator/pgo-pg-role-binding.json | sed 's/{{.TargetNamespace}}/'"$1"'/' | $PGO_CMD -n $1 create -f -
+else
+	echo "Running pods found using SA '${PG_SA}' in namespace $1, will not recreate"
+fi
+
 # create RBAC
-$PGO_CMD -n $1 delete --ignore-not-found sa pgo-backrest pgo-default pgo-pg pgo-target
-$PGO_CMD -n $1 delete --ignore-not-found role pgo-backrest-role pgo-pg-role pgo-target-role
-$PGO_CMD -n $1 delete --ignore-not-found rolebinding pgo-backrest-role-binding pgo-pg-role-binding pgo-target-role-binding
+$PGO_CMD -n $1 delete --ignore-not-found sa pgo-backrest pgo-default pgo-target
+$PGO_CMD -n $1 delete --ignore-not-found role pgo-backrest-role pgo-target-role
+$PGO_CMD -n $1 delete --ignore-not-found rolebinding pgo-backrest-role-binding pgo-target-role-binding
 
 cat $PGOROOT/conf/postgres-operator/pgo-default-sa.json | sed 's/{{.TargetNamespace}}/'"$1"'/' | $PGO_CMD -n $1 create -f -
 cat $PGOROOT/conf/postgres-operator/pgo-target-sa.json | sed 's/{{.TargetNamespace}}/'"$1"'/' | $PGO_CMD -n $1 create -f -
@@ -51,9 +71,6 @@ cat $PGOROOT/conf/postgres-operator/pgo-target-role-binding.json | sed 's/{{.Tar
 cat $PGOROOT/conf/postgres-operator/pgo-backrest-sa.json | sed 's/{{.TargetNamespace}}/'"$1"'/' | $PGO_CMD -n $1 create -f -
 cat $PGOROOT/conf/postgres-operator/pgo-backrest-role.json | sed 's/{{.TargetNamespace}}/'"$1"'/' | $PGO_CMD -n $1 create -f -
 cat $PGOROOT/conf/postgres-operator/pgo-backrest-role-binding.json | sed 's/{{.TargetNamespace}}/'"$1"'/' | $PGO_CMD -n $1 create -f -
-cat $PGOROOT/conf/postgres-operator/pgo-pg-sa.json | sed 's/{{.TargetNamespace}}/'"$1"'/' | $PGO_CMD -n $1 create -f -
-cat $PGOROOT/conf/postgres-operator/pgo-pg-role.json | sed 's/{{.TargetNamespace}}/'"$1"'/' | $PGO_CMD -n $1 create -f -
-cat $PGOROOT/conf/postgres-operator/pgo-pg-role-binding.json | sed 's/{{.TargetNamespace}}/'"$1"'/' | $PGO_CMD -n $1 create -f -
 
 if [ -r "$PGO_IMAGE_PULL_SECRET_MANIFEST" ]; then
 	$PGO_CMD -n $1 create -f "$PGO_IMAGE_PULL_SECRET_MANIFEST"
