fix postgres impl

Signed-off-by: Davanum Srinivas <[email protected]>

Author: dims

.github/workflows/lint-test.yml

@@ -67,6 +67,9 @@ jobs:
           - component: helm-charts
             make_command: 'make helm-lint'
             step_name: 'Validate Helm charts'
+          - component: postgres-schema
+            make_command: 'make validate-postgres-schema'
+            step_name: 'Validate PostgreSQL schema consistency'
           - component: scripts
             make_command: 'make -C scripts lint'
             step_name: 'Run shellcheck on scripts'

Makefile

@@ -821,3 +821,16 @@ help: ## Display available make targets
 	@echo "  CTLPTL_CONFIG_FILE=$(CTLPTL_CONFIG_FILE), REGISTRY_PORT=$(REGISTRY_PORT)"
 	@echo ""
 	@echo "Sub-Makefiles: health-monitors/, docker/, distros/kubernetes/, tests/"
+
+#==============================================================================
+# PostgreSQL Schema Management
+#==============================================================================
+
+.PHONY: validate-postgres-schema
+validate-postgres-schema: ## Validate PostgreSQL schema consistency between docs and Helm values
+	@./scripts/validate-postgres-schema.sh
+
+.PHONY: update-helm-postgres-schema
+update-helm-postgres-schema: ## Update Helm values file with schema from docs/postgresql-schema.sql
+	@./scripts/update-helm-postgres-schema.sh
+

distros/kubernetes/nvsentinel/templates/configmap.yaml

@@ -24,7 +24,8 @@ data:
       "enableK8sPlatformConnector": "{{ .Values.platformConnector.k8sConnector.enabled }}",
       "K8sConnectorQps": {{ printf "%.2f" .Values.platformConnector.k8sConnector.qps }},
       "K8sConnectorBurst": {{ .Values.platformConnector.k8sConnector.burst }},
-      "enableMongoDBStorePlatformConnector": "{{ .Values.global.mongodbStore.enabled }}"
+      "enableMongoDBStorePlatformConnector": "{{ .Values.global.mongodbStore.enabled }}",
+      "enablePostgresDBStorePlatformConnector": {{ if and .Values.global.datastore .Values.global.datastore.provider }}{{ eq .Values.global.datastore.provider "postgresql" | quote }}{{ else }}"false"{{ end }},
       {{- if .Values.platformConnector.nodeMetadata }}
       ,"nodeMetadataAugmentationEnabled": "{{ .Values.platformConnector.nodeMetadata.enabled }}"
       ,"nodeMetadataCacheSize": {{ .Values.platformConnector.nodeMetadata.cacheSize }}

distros/kubernetes/nvsentinel/templates/daemonset.yaml

@@ -41,8 +41,42 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       serviceAccountName: {{ include "nvsentinel.serviceAccountName" . }}
+      {{- if and .Values.global.datastore (eq .Values.global.datastore.provider "postgresql") }}
+      initContainers:
+        - name: fix-cert-permissions
+          image: "docker.io/bitnamilegacy/os-shell:12-debian-12-r30"
+          imagePullPolicy: IfNotPresent
+          securityContext:
+            runAsUser: 0
+          command:
+            - sh
+            - -c
+            - |
+              echo "Copying PostgreSQL client certificates with correct permissions..."
+              cp /etc/ssl/client-certs-original/tls.crt /etc/ssl/client-certs-fixed/
+              cp /etc/ssl/client-certs-original/ca.crt /etc/ssl/client-certs-fixed/
+              cp /etc/ssl/client-certs-original/tls.key /etc/ssl/client-certs-fixed/
+              chmod 644 /etc/ssl/client-certs-fixed/tls.crt
+              chmod 644 /etc/ssl/client-certs-fixed/ca.crt
+              chmod 600 /etc/ssl/client-certs-fixed/tls.key
+              echo "Certificate permissions fixed:"
+              ls -la /etc/ssl/client-certs-fixed/
+          volumeMounts:
+            - name: postgresql-client-cert-original
+              mountPath: /etc/ssl/client-certs-original
+              readOnly: true
+            - name: client-certs-fixed
+              mountPath: /etc/ssl/client-certs-fixed
+      {{- end }}
       containers:
         - name: platform-connector
+          image: "{{ .Values.platformConnector.image.repository }}:{{ .Values.platformConnector.image.tag | default .Values.global.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.platformConnector.image.pullPolicy }}
+          securityContext:
+            runAsUser: 0
+            capabilities:
+              drop:
+              - ALL
           ports:
             - name: metrics
               containerPort: {{ .Values.global.metricsPort }}
@@ -62,17 +96,14 @@ spec:
             periodSeconds: 10
             timeoutSeconds: 3
             failureThreshold: 3
-          securityContext:
-            runAsUser: 0
-            capabilities:
-              drop:
-              - ALL
-          image: "{{ .Values.platformConnector.image.repository }}:{{ .Values.platformConnector.image.tag | default .Values.global.image.tag | default .Chart.AppVersion }}"
-          imagePullPolicy: {{ .Values.platformConnector.image.pullPolicy }}
           args:
           - "--config=/etc/config/config.json"
           - "--metrics-port={{ .Values.global.metricsPort }}"
-          - "--mongo-client-cert-mount-path=/etc/ssl/mongo-client"
+          {{- if and .Values.global.datastore (eq .Values.global.datastore.provider "postgresql") }}
+          - "--database-client-cert-mount-path={{ .Values.platformConnector.postgresqlStore.clientCertMountPath }}"
+          {{- else }}
+          - "--mongo-client-cert-mount-path={{ .Values.platformConnector.mongodbStore.clientCertMountPath }}"
+          {{- end }}
           - "--socket={{ .Values.socketPath }}"
           resources:
             {{- toYaml .Values.platformConnector.resources | nindent 12 }}
@@ -81,9 +112,15 @@ spec:
               mountPath: /var/run
             - name: platform-connector-configmap
               mountPath: /etc/config/
+            {{- if and .Values.global.datastore (eq .Values.global.datastore.provider "postgresql") }}
+            - name: client-certs-fixed
+              mountPath: {{ .Values.platformConnector.postgresqlStore.clientCertMountPath }}
+              readOnly: true
+            {{- else }}
             - name: mongo-app-client-cert
-              mountPath: /etc/ssl/mongo-client
+              mountPath: {{ .Values.platformConnector.mongodbStore.clientCertMountPath }}
               readOnly: true
+            {{- end }}
           env:
             - name: NODE_NAME
               valueFrom:
@@ -92,8 +129,13 @@ spec:
                   fieldPath: spec.nodeName
             - name: LOG_LEVEL
               value: "{{ .Values.platformConnector.logLevel }}"
+            {{- if and .Values.global.datastore (eq .Values.global.datastore.provider "postgresql") }}
+            - name: POSTGRESQL_CLIENT_CERT_MOUNT_PATH
+              value: {{ .Values.platformConnector.postgresqlStore.clientCertMountPath }}
+            {{- else }}
             - name: MONGODB_CLIENT_CERT_MOUNT_PATH
               value: {{ .Values.platformConnector.mongodbStore.clientCertMountPath }}
+            {{- end }}
           envFrom:
             - configMapRef:
                 name: {{ if .Values.global.datastore }}{{ .Release.Name }}-datastore-config{{ else }}mongodb-config{{ end }}
@@ -106,10 +148,19 @@ spec:
         - name: platform-connector-configmap
           configMap:
             name: {{ include "nvsentinel.fullname" . }}
+        {{- if and .Values.global.datastore (eq .Values.global.datastore.provider "postgresql") }}
+        - name: postgresql-client-cert-original
+          secret:
+            secretName: postgresql-client-cert
+            optional: false
+        - name: client-certs-fixed
+          emptyDir: {}
+        {{- else }}
         - name: mongo-app-client-cert
           secret:
             secretName: mongo-app-client-cert-secret
             optional: true
+        {{- end }}
       {{- with (.Values.global.tolerations | default .Values.platformConnector.tolerations) }}
       tolerations:
         {{- toYaml . | nindent 8 }}