
v2.6.0

@github-actions github-actions released this 15 Jun 09:23
1086b0b

2.6.0 (2024-06-14)

Features

  • ✨ add dsc.global.platform (Vanilla) (682512f)
  • ✨ Add gitlab-ci-pipelines-exporter (9c47614)
  • ✨ Add keycloak binding, dashboards + refactor (f447b31)
  • ✨ Add Keycloak CNPG PodMonitor (f582691)
  • ✨ Add PodMonitor for remaining CNPG clusters (d8ba40f)
  • ✨ Declare CNPG Dashboard (76350c2)
  • ✨ enable keycloak dsfr theme (445b819)
  • ✨ Reset Keycloak admin when keycloak secret disappeared (42bd6cc)
  • ✨ Set OTP encryption algorithm (da9c416)
  • ✨ use cnpg clusters for all services (400f429)
  • ✨ use console chart instead of embed helm in console repo (64620a2)
  • 🧑‍💻 enable oidc connection for admins (df339a9)
  • ⚡ Improve Grafana stack install and uninstall (406c202)
  • ⚡ We might need allowCrossNamespaceImport (ece35a0)

Bug Fixes

  • 🚑 Add trailing slash to URLs (6f6beaf)
  • 🚑 Fix dso-config secret (c6ce806)
  • 🚑 Fix GitLab CI Pipelines Exporter role (token retrieval) (7949c3e)
  • 🚑 Removing YAML anchors generating Ansible errors (5b6d23c)
  • 🎨 Fix Argo CD Dashboard (fcba600)
  • 🎨 Fix Keycloak and SonarQube dashboards (588f986)
  • 🎨 Fix Nexus dashboard (6126c2b)
  • 🎨 Fix Vault dashboard (ea42530)
  • 🎨 Manage datasource UID (47c8451)
  • 🎨 use native console cnpg cluster (2f74868)
  • 🐛 Adapt join command for Vault node 3 (41aa2c1)
  • 🐛 Add conditions to prevent some tasks from failing (ca79f57)
  • 🐛 Add missing postgres delete command (78bce70)
  • 🐛 add wait endpoints tasks (8f371ab)
  • 🐛 cnpg backups management (5bece28)
  • 🐛 console deployment related tasks and templates (742f2ab)
  • 🐛 Fix Argo CD job name (4a4f6bf)
  • 🐛 Fix CNPG Dashboard namespace selector (3261b76)
  • 🐛 Fix conf kind + decoding values (8504b71)
  • 🐛 Fix GitLab Runner and Gitaly dashboards (960e98f)
  • 🐛 Fix HA enablement + OIDC + get credentials (76a8aa1)
  • 🐛 Fix Harbor dashboard (95e317f)
  • 🐛 Fix missing admin-creds secret update (5724454)
  • 🐛 Fix Nexus admin password setting tasks (b5707f3)
  • 🐛 Fix some tasks (9d5bcf8)
  • 🐛 Fix Vault metric call (76ded42)
  • 🐛 get-credentials playbook (7d91efd)
  • 🐛 gitlab catalog shell script (e598083)
  • 🐛 handle cnpg backups deactivation (5563dd9)
  • 🐛 missing pg secret on first console deployment (dd101d8)
  • 🐛 Refactor check tasks and fix root_token (8bcc42a)
  • 🐛 Remove unneeded time range (a0a2a17)
  • 🐛 Upgrade Argo CD to fix servicemonitor deployment (2d2f417)
  • 🐛 vault oidc group mapping need full group path (292d6eb)
  • 📝 Typo fixes and rewordings (477b6ad)
  • ⚡ Update retries count (85602eb)

Performance Improvements

Reverts

⚠️ This new version includes several migrations described in the following sections ⚠️

Databases

The Harbor and Console databases have been migrated to CNPG clusters. To perform the migration, follow the steps below:

  1. Scale down deployments
  2. Backup database
  3. Deploy CNPG cluster
  4. Restore database
  5. Scale up deployments

To transfer ownership of the Harbor database objects from the old user (registry) to the new one (harbor), connect to the primary instance of the fresh CNPG cluster and run the following commands:

# Tables: list every table in schema public and hand it to the harbor role
for tbl in $(psql -U postgres -qAt -c "select tablename from pg_tables where schemaname = 'public';" registry); do
  psql -U postgres -c "alter table \"$tbl\" owner to harbor" registry
done

# Sequences
for tbl in $(psql -U postgres -qAt -c "select sequence_name from information_schema.sequences where sequence_schema = 'public';" registry); do
  psql -U postgres -c "alter sequence \"$tbl\" owner to harbor" registry
done

# Views
for tbl in $(psql -U postgres -qAt -c "select table_name from information_schema.views where table_schema = 'public';" registry); do
  psql -U postgres -c "alter view \"$tbl\" owner to harbor" registry
done

For more information, see https://stackoverflow.com/questions/1348126/postgresql-modify-owner-on-all-tables-simultaneously-in-postgresql
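The loops above interpolate each object name straight into a quoted SQL string, so a name containing a double quote (or whitespace, because of word splitting) would break or misdirect the statement. The following script is an added example, not part of the project: it generates the same ownership-transfer SQL with properly quoted identifiers, shows the single REASSIGN OWNED BY statement that moves every object of the old role in one step, and emits a query to verify that nothing in the schema is still owned by registry. The object names passed at the bottom are constructed sample input, not the real Harbor schema.

```shell
#!/bin/sh
# Added example, not the project's code: generate the ownership-transfer SQL
# for the Harbor database with properly quoted identifiers, the single
# REASSIGN OWNED BY statement that achieves the same result in one step, and a
# query to verify that nothing is still owned by the old role.
# Object names passed in below are constructed sample input, not the real schema.

OLD_ROLE="registry"   # previous owner (old Harbor database user)
NEW_ROLE="harbor"     # new owner on the CNPG cluster
SCHEMA="public"

# Quote a PostgreSQL identifier: wrap it in double quotes and double any
# embedded double quote, so an unusual object name cannot break the statement.
quote_ident() {
  printf '"%s"' "$(printf '%s' "$1" | sed 's/"/""/g')"
}

# One ALTER statement per object. $1 = TABLE, SEQUENCE or VIEW;
# remaining args = object names, e.g. as listed by the catalog queries above.
owner_sql() {
  kind=$1; shift
  for name in "$@"; do
    printf 'ALTER %s %s.%s OWNER TO %s;\n' "$kind" \
      "$(quote_ident "$SCHEMA")" "$(quote_ident "$name")" "$(quote_ident "$NEW_ROLE")"
  done
}

# One-statement alternative covering tables, sequences, views and more;
# must be run as a superuser or as a member of both roles.
reassign_sql() {
  printf 'REASSIGN OWNED BY %s TO %s;\n' "$(quote_ident "$OLD_ROLE")" "$(quote_ident "$NEW_ROLE")"
}

# Verification: every row returned is an object in the schema still owned by the old role.
leftover_sql() {
  printf "SELECT c.relname, c.relkind FROM pg_class c JOIN pg_roles r ON r.oid = c.relowner JOIN pg_namespace n ON n.oid = c.relnamespace WHERE r.rolname = '%s' AND n.nspname = '%s';\n" "$OLD_ROLE" "$SCHEMA"
}

# Offline demonstration on constructed names; against the real cluster, pipe the
# output into: psql -U postgres registry
owner_sql TABLE project artifact
owner_sql SEQUENCE project_id_seq
reassign_sql
leftover_sql
```

Run the generated statements from the primary instance exactly as the loops above are run; the REASSIGN form is the simplest when the superuser is available, and the verification query should return no rows once the transfer is complete.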

Vault

The Vault server now runs in HA mode, which requires migrating to the raft storage backend. Follow the steps below:

  1. Retrieve the credentials for our standalone Vault instance, e.g.:

    ansible-playbook admin-tools/get-credentials.yaml -t vault
  2. Connect to Vault and create a test secret if necessary, or check the secrets already present.

  3. Launch the Vault HA installation via Vault's Ansible role:

    ansible-playbook install.yaml -t vault

    The installation will create two new pods which will act as standby instances, but it will fail to add them to the raft cluster. This is normal, as the active instance does not yet have raft storage.

  4. Open a shell in the vault container of the active Vault pod (vault-0); for example, for a Vault deployed via the conf-dso dsc:

    kubectl -n dso-vault exec -it -c vault conf-dso-vault-0 -- sh

    The vi command is available in the pod. Use it to create a migration configuration file in the /home/vault directory, which is writable:

    vi /home/vault/migrate.hcl

    With the following contents:

    # source: the existing standalone file backend
    storage_source "file" {
      path = "/vault/data"
    }
    
    # destination: the raft backend, created under /vault/data/raft
    storage_destination "raft" {
      path = "/vault/data"
    }
    
    cluster_addr = "http://127.0.0.1:8201"

    Then run the following migration command:

    vault operator migrate -config /home/vault/migrate.hcl

    This will perform the migration and create a /vault/data/raft directory.

    Its last line should be the following output:

    Success! All of the keys have been migrated.
  5. Delete the vault-0 pod so that it seals itself and wait for it to restart (state 0/1 Running).

  6. Restart the HA installation, which should now run to completion, and unseal the 3 Vault instances:

    ansible-playbook install.yaml -t vault

    The three vault pods are then set to READY (1/1) and we are now in HA mode.

Check that the migration is complete and healthy:

  • Connect to Vault and make sure our secrets are present.
  • Open a shell on each pod and run the vault status command. It should tell us:
    • "Storage Type" is raft.
    • "HA Enabled" is set to true.
    • The "HA Mode" of our node (active or standby).
    • The same value on each pod in the last two lines (Raft Committed Index and Raft Applied Index). The value may vary slightly over time between pods but must not drift too much; a large gap indicates a synchronization problem.
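The checks listed above can be scripted instead of read by eye. The script below is an added example, not part of the project: it parses the text that vault status prints, fails unless the node reports raft storage, HA enabled and a valid HA mode, and compares the Raft Applied Index across pods against a tolerated drift. The two status texts embedded in it are constructed samples (an active raft node after migration, and a node still on the file backend), not captured output; the pod and namespace names in the commented live variant are those used elsewhere on this page.

```shell
#!/bin/sh
# Added example, not part of the project: parse the output of `vault status`
# from each pod and check the conditions listed above (raft storage, HA enabled,
# a valid HA mode, and Raft indexes that do not drift apart between pods).
# The two status texts below are constructed samples, not captured output.

# Extract the value of one key from `vault status` output ($1 = text, $2 = key).
status_field() {
  printf '%s\n' "$1" | awk -v k="$2" '
    substr($0, 1, length(k)) == k && substr($0, length(k) + 1, 1) == " " {
      v = substr($0, length(k) + 1)
      sub(/^ +/, "", v); sub(/ +$/, "", v)
      print v; exit
    }'
}

# Succeed only when a node reports raft storage and HA enabled; print its HA mode.
check_node_status() {
  storage=$(status_field "$1" "Storage Type")
  ha=$(status_field "$1" "HA Enabled")
  mode=$(status_field "$1" "HA Mode")
  if [ "$storage" != "raft" ]; then
    echo "Storage Type is '$storage', expected raft" >&2; return 1
  fi
  if [ "$ha" != "true" ]; then
    echo "HA Enabled is '$ha', expected true" >&2; return 1
  fi
  case "$mode" in
    active|standby) echo "$mode" ;;
    *) echo "unexpected HA Mode '$mode'" >&2; return 1 ;;
  esac
}

# Print max - min over the index values given as arguments.
max_index_drift() {
  min=$1; max=$1
  for v in "$@"; do
    if [ "$v" -lt "$min" ]; then min=$v; fi
    if [ "$v" -gt "$max" ]; then max=$v; fi
  done
  echo $((max - min))
}

# $1 = tolerated drift, remaining args = Raft Applied Index of each pod.
check_index_drift() {
  limit=$1; shift
  drift=$(max_index_drift "$@")
  if [ "$drift" -le "$limit" ]; then
    echo "raft index drift $drift within limit $limit"
  else
    echo "raft index drift $drift exceeds limit $limit: possible synchronization problem" >&2
    return 1
  fi
}

# Live variant (pod and namespace names from this page; not run here):
#   for p in conf-dso-vault-0 conf-dso-vault-1 conf-dso-vault-2; do
#     kubectl -n dso-vault exec "$p" -c vault -- vault status
#   done

SAMPLE_ACTIVE=$(cat <<'EOF'
Key                     Value
---                     -----
Seal Type               shamir
Initialized             true
Sealed                  false
Storage Type            raft
HA Enabled              true
HA Mode                 active
Raft Committed Index    1234
Raft Applied Index      1234
EOF
)

SAMPLE_FILE_BACKEND=$(cat <<'EOF'
Key                     Value
---                     -----
Sealed                  false
Storage Type            file
HA Enabled              false
EOF
)

check_node_status "$SAMPLE_ACTIVE"
check_index_drift 10 1234 1230 1234
```

Feed each pod's real vault status output to check_node_status, collect the Raft Applied Index values with status_field and pass them to check_index_drift; the tolerated drift is a judgment call, since the page only states that the indexes may differ slightly but must not diverge.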

Troubleshooting:

If the Vault cluster finds itself in a state where none of the nodes is a leader, it is possible to re-establish a leader via the following procedure:

  1. Remove pods from the Vault cluster

  2. Run the following command block:

    # Vault namespace
    VAULT_NS="dso-vault"
    
    # Vault internal (cluster) service and port
    VAULT_INTERNAL_SVC="conf-dso-vault-internal:8201"
    
    # Vault cluster pod names
    NODES=(
      conf-dso-vault-0
      conf-dso-vault-1
      conf-dso-vault-2
    )
    
    # Build the peer list: one entry per pod, using the node-id stored on its raft volume
    PEERS="[]"
    for NODE in "${NODES[@]}"; do
      NODE_ID=$(kubectl -n "$VAULT_NS" exec "$NODE" -c vault -- cat /vault/data/node-id)
      PEERS=$(echo "$PEERS" | jq --arg i "$NODE_ID" --arg s "$VAULT_INTERNAL_SVC" '. + [{ "id": $i, "address": $s, "non_voter": false }]')
    done
    
    # Write the same peers.json into every pod's raft directory; it is read at the next start
    for NODE in "${NODES[@]}"; do
      echo "$PEERS" | kubectl -n "$VAULT_NS" exec -i "$NODE" -c vault -- sh -c 'cat > /vault/data/raft/peers.json'
    done
  3. Restart the HA installation, which should now run to completion, and unseal the Vault instances:

    ansible-playbook install.yaml -t vault
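A peers.json that is malformed or lists the same node id twice leaves the cluster just as leaderless as before, so it is worth validating the file before pushing it into the pods. The script below is an added example, not the project's code: it builds the peer list from NODE_ID=ADDRESS pairs with plain shell (no jq dependency), refuses to emit anything when an entry is malformed, a node id repeats or no peers are given, and wraps the kubectl steps of the block above in a function that is not run here. The node ids at the bottom are constructed samples; the service name is the one used in the troubleshooting block.

```shell
#!/bin/sh
# Added example, not the project's code: build the raft recovery file
# peers.json from NODE_ID=ADDRESS pairs without depending on jq, refusing to
# produce a file when an entry is malformed or a node id is duplicated, since
# a bad peer list leaves the cluster still unable to elect a leader.
# The node ids below are constructed samples; the service name is the one
# used in the troubleshooting block above.

VAULT_INTERNAL_SVC="conf-dso-vault-internal:8201"

# $@: entries of the form NODE_ID=ADDRESS. Prints a JSON array on success.
build_peers_json() {
  ids=""
  out="["
  sep=""
  for entry in "$@"; do
    id=${entry%%=*}
    addr=${entry#*=}
    if [ "$id" = "$entry" ] || [ -z "$id" ] || [ -z "$addr" ]; then
      echo "malformed entry '$entry' (expected NODE_ID=ADDRESS)" >&2
      return 1
    fi
    case " $ids " in
      *" $id "*) echo "duplicate node id '$id'" >&2; return 1 ;;
    esac
    ids="$ids $id"
    out="$out$sep{\"id\":\"$id\",\"address\":\"$addr\",\"non_voter\":false}"
    sep=","
  done
  if [ -z "$sep" ]; then
    echo "no peers given" >&2
    return 1
  fi
  printf '%s]\n' "$out"
}

# Live variant (not run here): read each pod's node-id, build the file once and
# push it into every pod. $1 = namespace, remaining args = pod names.
push_peers_json() {
  ns=$1; shift
  entries=""
  for pod in "$@"; do
    node_id=$(kubectl -n "$ns" exec "$pod" -c vault -- cat /vault/data/node-id)
    entries="$entries $node_id=$VAULT_INTERNAL_SVC"
  done
  peers=$(build_peers_json $entries) || return 1
  for pod in "$@"; do
    printf '%s\n' "$peers" | kubectl -n "$ns" exec -i "$pod" -c vault -- sh -c 'cat > /vault/data/raft/peers.json'
  done
}

# Offline demonstration with constructed node ids:
build_peers_json "a1f2c3d4=$VAULT_INTERNAL_SVC" "b5e6f7a8=$VAULT_INTERNAL_SVC" "c9d0e1f2=$VAULT_INTERNAL_SVC"
```

Because the address is taken per entry, the same function also produces the layout used in Vault's own recovery documentation, where each peer is listed with its own cluster address (for a StatefulSet, the pod's DNS name within the internal service on port 8201) rather than one shared service address.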