Merge branch 'release/v12.15-1'

Author: ppxl

CHANGELOG.md

@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [v12.15-1] - 2023-06-13
+### Fixed
+- [#22] Allow connections from all nodes of a cluster (cidr /16) in kubernetes environments.
+
 ## [v12.14-2] - 2023-04-21
 ### Changed
 - [#20] Upgrade Base Image to 3.17.3-2

Dockerfile

@@ -18,12 +18,12 @@ RUN set -x -o errexit \
 FROM registry.cloudogu.com/official/base:3.17.3-2
 
 LABEL NAME="official/postgresql" \
-        VERSION="12.14-2" \
+        VERSION="12.15-1" \
         maintainer="[email protected]"
 
 ENV LANG=en_US.utf8 \
     PGDATA=/var/lib/postgresql \
-    POSTGRESQL_VERSION=12.14-r0
+    POSTGRESQL_VERSION=12.15-r0
 
 # install postgresql and gosu
 # Note: the current postgresql version from alpine is installed

Jenkinsfile

@@ -1,5 +1,5 @@
 #!groovy
-@Library(['github.com/cloudogu/ces-build-lib@1.64.1', 'github.com/cloudogu/dogu-build-lib@v2.0.0'])
+@Library(['github.com/cloudogu/ces-build-lib@1.65.0', 'github.com/cloudogu/dogu-build-lib@v2.1.0'])
 import com.cloudogu.ces.cesbuildlib.*
 import com.cloudogu.ces.dogubuildlib.*
 
@@ -17,6 +17,11 @@ node('docker') {
             Markdown markdown = new Markdown(this, "3.11.0")
             markdown.check()
         }
+
+        stage('Bats Tests') {
+            Bats bats = new Bats(this, docker)
+            bats.checkAndExecuteTests()
+        }
 }
 
 node('vagrant') {

Makefile

@@ -5,3 +5,4 @@ MAKEFILES_VERSION=7.5.0
 include build/make/variables.mk
 include build/make/self-update.mk
 include build/make/release.mk
+include build/make/bats.mk

batsTests/startup.bats

@@ -0,0 +1,71 @@
+#! /bin/bash
+# Bind an unbound BATS variables that fail all tests when combined with 'set -o nounset'
+export BATS_TEST_START_TIME="0"
+export BATSLIB_FILE_PATH_REM=""
+export BATSLIB_FILE_PATH_ADD=""
+
+load '/workspace/target/bats_libs/bats-support/load.bash'
+load '/workspace/target/bats_libs/bats-assert/load.bash'
+load '/workspace/target/bats_libs/bats-mock/load.bash'
+load '/workspace/target/bats_libs/bats-file/load.bash'
+
+setup() {
+  export STARTUP_DIR=/workspace/resources
+  export WORKDIR=/workspace
+  netstat="$(mock_create)"
+  export netstat
+  export PATH="${BATS_TMPDIR}:${PATH}"
+  ln -s "${netstat}" "${BATS_TMPDIR}/netstat"
+}
+
+teardown() {
+  unset STARTUP_DIR
+  unset WORKDIR
+  rm "${BATS_TMPDIR}/netstat"
+}
+
+@test "create_hba() should use cidr 16 if the dogu is running in a k8s cluster" {
+  mock_set_output "${netstat}" "Kernel-IP-Routentabelle
+Ziel            Router          Genmask         Flags   MSS Fenster irtt Iface
+192.168.179.0   0.0.0.0         255.255.255.0   U         0 0          0 wlp0s20f3"
+
+  source /workspace/resources/startup.sh
+  local POD_NAMESPACE
+  export POD_NAMESPACE="ecosystem"
+
+  run create_hba
+
+  assert_success
+  assert_equal "$(mock_get_call_num "${netstat}")" "1"
+  assert_line '# generated, do not override'
+  assert_line '# "local" is for Unix domain socket connections only'
+  assert_line 'local   all             all                                     trust'
+  assert_line '# IPv4 local connections:'
+  assert_line 'host    all             all             127.0.0.1/32            trust'
+  assert_line '# IPv6 local connections:'
+  assert_line 'host    all             all             ::1/128                 trust'
+  assert_line '# container networks'
+  assert_line "host    all             all             192.168.179.0/16          password"
+}
+
+@test "create_hba() should use regular cidr if the dogu is not running in a k8s cluster" {
+  mock_set_output "${netstat}" "Kernel-IP-Routentabelle
+Ziel            Router          Genmask         Flags   MSS Fenster irtt Iface
+192.168.179.0   0.0.0.0         255.255.255.0   U         0 0          0 wlp0s20f3"
+
+  source /workspace/resources/startup.sh
+
+  run create_hba
+
+  assert_success
+  assert_equal "$(mock_get_call_num "${netstat}")" "1"
+  assert_line '# generated, do not override'
+  assert_line '# "local" is for Unix domain socket connections only'
+  assert_line 'local   all             all                                     trust'
+  assert_line '# IPv4 local connections:'
+  assert_line 'host    all             all             127.0.0.1/32            trust'
+  assert_line '# IPv6 local connections:'
+  assert_line 'host    all             all             ::1/128                 trust'
+  assert_line '# container networks'
+  assert_line "host    all             all             192.168.179.0/24          password"
+}

dogu.json

@@ -1,6 +1,6 @@
 {
   "Name": "official/postgresql",
-  "Version": "12.14-2",
+  "Version": "12.15-1",
   "DisplayName": "PostgreSQL",
   "Description": "PostgreSQL Database.",
   "Url": "https://www.postgresql.org/",

resources/startup.sh

@@ -9,33 +9,33 @@ function mask2cidr() {
   IFS=.
   for DEC in $1; do
     case $DEC in
-    255) (( NBITS+=8 ));;
+    255) ((NBITS += 8)) ;;
     254)
-      (( NBITS+=7 ))
+      ((NBITS += 7))
       break
       ;;
     252)
-      (( NBITS+=6 ))
+      ((NBITS += 6))
       break
       ;;
     248)
-      (( NBITS+=5 ))
+      ((NBITS += 5))
       break
       ;;
     240)
-      (( NBITS+=4 ))
+      ((NBITS += 4))
       break
       ;;
     224)
-      (( NBITS+=3 ))
+      ((NBITS += 3))
       break
       ;;
     192)
-      (( NBITS+=2 ))
+      ((NBITS += 2))
       break
       ;;
     128)
-      (( NBITS+=1 ))
+      ((NBITS += 1))
       break
       ;;
     0) ;;
@@ -59,10 +59,23 @@ function create_hba() {
   echo 'host    all             all             ::1/128                 trust'
   echo '# container networks'
   for NETWITHMASK in $(netstat -nr | tail -n +3 | grep -v '^0' | awk '{print $1"/"$3}'); do
+    local NET
     NET=$(echo "${NETWITHMASK}" | awk -F'/' '{print $1}')
+    local MASK
     MASK=$(echo "${NETWITHMASK}" | awk -F'/' '{print $2}')
+    local CIDR
     CIDR=$(mask2cidr "$MASK")
-    echo "host    all             all             ${NET}/${CIDR}  password"
+    local isNotRunningUnderK8s="${POD_NAMESPACE:-"not running k8s"}"
+    local netmaskCidrValue
+    if [ "${isNotRunningUnderK8s}" == "not running k8s" ]; then
+      netmaskCidrValue="${NET}/${CIDR}"
+    else
+      # Hyper-scalers default to a CIDR of /32 which blocks any network traffic from others pods esp. from other nodes.
+      # /16 allows traffic from a sufficiently large network range from the kubernetes cluster, independently how the
+      # cluster is configured.
+      netmaskCidrValue="${NET}/16"
+    fi
+    echo "host    all             all             ${netmaskCidrValue}          password"
   done
 }
 
@@ -116,69 +129,74 @@ function setDoguLogLevel() {
   currentLogLevel=$(doguctl config --default "WARN" "logging/root")
 
   case "${currentLogLevel}" in
-    "ERROR")
-      export POSTGRESQL_LOGLEVEL="ERROR"
+  "ERROR")
+    export POSTGRESQL_LOGLEVEL="ERROR"
     ;;
-    "INFO")
-      export POSTGRESQL_LOGLEVEL="INFO"
+  "INFO")
+    export POSTGRESQL_LOGLEVEL="INFO"
     ;;
-    "DEBUG")
-      export POSTGRESQL_LOGLEVEL="DEBUG5"
+  "DEBUG")
+    export POSTGRESQL_LOGLEVEL="DEBUG5"
     ;;
-    *)
-      export POSTGRESQL_LOGLEVEL="WARNING"
+  *)
+    export POSTGRESQL_LOGLEVEL="WARNING"
     ;;
   esac
   # Remove old log level setting, if existent
   sed -i '/^log_min_messages/d' /var/lib/postgresql/postgresql.conf
   # Append new log level setting
-  echo "log_min_messages = ${POSTGRESQL_LOGLEVEL}" >> /var/lib/postgresql/postgresql.conf
+  echo "log_min_messages = ${POSTGRESQL_LOGLEVEL}" >>/var/lib/postgresql/postgresql.conf
 }
 
+function runMain() {
+  chown -R postgres "$PGDATA"
+
+  # create /run/postgresql, if not existent
+  mkdir -p /run/postgresql
+  chown postgres:postgres /run/postgresql
+
+  if [ -z "$(ls -A "$PGDATA")" ]; then
+    initializePostgreSQL
+    write_pg_hba_conf
+  elif [ -e "${PGDATA}"/postgresqlFullBackup.dump ]; then
+    # Moving backup and emptying PGDATA directory
+    mv "${PGDATA}"/postgresqlFullBackup.dump /tmp/postgresqlFullBackup.dump
+    # New PostgreSQL version requires completely empty folder
+
+    rm -rf "${PGDATA:?}"/.??*
+    rm -rf "${PGDATA:?}"/*
+
+    initializePostgreSQL
+
+    echo "Restoring database dump..."
+    # Start postgres to restore backup
+    gosu postgres postgres &
+    PID=$!
+    waitForPostgreSQLStartup
+    # Restore backup
+    psql -U postgres -f /tmp/postgresqlFullBackup.dump postgres
+    rm /tmp/postgresqlFullBackup.dump
+    # Kill postgres
+    pkill -P ${PID}
+    kill ${PID}
+    waitForPostgreSQLShutdown
+    echo "Database dump successfully restored"
+
+    write_pg_hba_conf
+  else
+    write_pg_hba_conf
+  fi
+
+  setDoguLogLevel
 
+  # set stage for health check
+  doguctl state ready
 
-chown -R postgres "$PGDATA"
-
-# create /run/postgresql, if not existent
-mkdir -p /run/postgresql
-chown postgres:postgres /run/postgresql
-
-if [ -z "$(ls -A "$PGDATA")" ]; then
-  initializePostgreSQL
-  write_pg_hba_conf
-elif [ -e "${PGDATA}"/postgresqlFullBackup.dump ]; then
-  # Moving backup and emptying PGDATA directory
-  mv "${PGDATA}"/postgresqlFullBackup.dump /tmp/postgresqlFullBackup.dump
-  # New PostgreSQL version requires completely empty folder
-
-  rm -rf "${PGDATA:?}"/.??*
-  rm -rf "${PGDATA:?}"/*
-
-  initializePostgreSQL
-
-  echo "Restoring database dump..."
-  # Start postgres to restore backup
-  gosu postgres postgres &
-  PID=$!
-  waitForPostgreSQLStartup
-  # Restore backup
-  psql -U postgres -f /tmp/postgresqlFullBackup.dump postgres
-  rm /tmp/postgresqlFullBackup.dump
-  # Kill postgres
-  pkill -P ${PID}
-  kill ${PID}
-  waitForPostgreSQLShutdown
-  echo "Database dump successfully restored"
+  # start database
+  exec gosu postgres postgres
+}
 
-  write_pg_hba_conf
-else
-  write_pg_hba_conf
+# make the script only run when executed, not when sourced from bats tests
+if [[ "${BASH_SOURCE[0]}" == "${0}" ]]; then
+  runMain
 fi
-
-setDoguLogLevel
-
-# set stage for health check
-doguctl state ready
-
-# start database
-exec gosu postgres postgres