seira 0.5.1 → 0.5.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 87fa02469006bc2145037e07818f61879777d8345c5a5270f2d8faad32640599
-  data.tar.gz: 57b21d9c6f6507afe943fba5519ca0f118207c0d5844d544a529e6c26d3d4d00
+  metadata.gz: 7064ff568c67e81e0cdb84bc98fe1420b392ab69174ad39a2d96c81ae59615f5
+  data.tar.gz: 41024bad248f6e8631587d0fd7d6bb0c6db49fd9ce8da58bd85330f46d321345
 SHA512:
-  metadata.gz: 04e53ae6f602a47299d4829ec25dde2adf76b201f888130c8f5fc686da4167ee32682090029dbb9b1cdde60438e51dd95d162455a4aec9bf002cad3f079bfc5b
-  data.tar.gz: 7187058bc0a2d9406469bebf44b351346acd0164d7cd59b6895f08e5658a9f957fd168543ae0a98496206d3014f10cc7e20a9b82e55a25145ee72fedc80d80e3
+  metadata.gz: 85ce01cc44b6d88ab6890a93d2228e323cb277f797b1fecdd3ca763d5a00668092949dcdcd1f1fc79bd5f6412e04d40486884b62dd8b0556e015442713b1bb27
+  data.tar.gz: 599e8c0a21b0e6f1df8dac190a1c6d12be34fc9f2eceaf425ac4b8ec7b78c4163d4e5ad6be35daf6ae8c206f66cc2e12017617be69944d8f7c5812122992fcb6

data/lib/seira/db/alter_proxyuser_roles.rb

@@ -0,0 +1,42 @@
+module Seira
+  class Db
+    class AlterProxyuserRoles
+      include Seira::Commands
+
+      attr_reader :name, :root_password
+
+      def initialize(app:, action:, args:, context:)
+        if args.length != 2
+          puts 'Specify db name and root password as the positional arguments'
+          exit(1)
+        end
+
+        @name = args[0]
+        @root_password = args[1]
+      end
+
+      def run
+        # Connect to the instance and remove some of the default group memberships and permissions
+        # from proxyuser, leaving it with only what it needs to be able to do
+        expect_script = <<~BASH
+          set timeout 90
+          spawn gcloud sql connect #{name}
+          expect "Password for user postgres:"
+          send "#{root_password}\\r"
+          expect "postgres=>"
+          send "ALTER ROLE proxyuser NOCREATEDB NOCREATEROLE;\\r"
+          expect "postgres=>"
+        BASH
+        if system("expect <<EOF\n#{expect_script}EOF")
+          puts "Successfully removed unnecessary permissions from proxyuser"
+        else
+          puts "Failed to remove unnecessary permissions from proxyuser."
+          puts "You may need to whitelist the correct IP in the gcloud UI."
+          puts "You can get the correct IP from https://www.whatismyip.com/"
+          puts "Make sure to remove it from the whitelist after successfully running db alter-proxyuser-roles"
+          exit(1)
+        end
+      end
+    end
+  end
+end

data/lib/seira/db/create.rb

@@ -40,6 +40,8 @@ module Seira
         set_secrets
         write_pgbouncer_yaml
 
+        alter_proxy_user_roles if replica_for.nil?
+
         puts "To use this database, deploy the pgbouncer config file that was created and use the ENV that was set."
         puts "To make this database the primary, promote it using the CLI and update the DATABASE_URL."
       end
@@ -79,6 +81,7 @@ module Seira
 
         # Basic configs
         create_command += " --database-version=#{version}"
+        create_command += " --network=default" # allow network to be configurable?
 
         # A read replica cannot have HA, inherits the cpu, mem and storage of its primary
         if replica_for.nil?
@@ -115,7 +118,7 @@ module Seira
         # Set the root user's password to something secure
         @root_password = SecureRandom.urlsafe_base64(32)
 
-        if gcloud("sql users set-password postgres '' --instance=#{name} --password=#{root_password}", context: context, format: :boolean)
+        if gcloud("sql users set-password postgres --instance=#{name} --password=#{root_password}", context: context, format: :boolean)
           puts "Set root password to #{root_password}"
         else
           puts "Failed to set root password"
@@ -127,30 +130,16 @@ module Seira
         # Create proxyuser with secure password
         @proxyuser_password = SecureRandom.urlsafe_base64(32)
 
-        if gcloud("sql users create proxyuser '' --instance=#{name} --password=#{proxyuser_password}", context: context, format: :boolean)
+        if gcloud("sql users create proxyuser --instance=#{name} --password=#{proxyuser_password}", context: context, format: :boolean)
           puts "Created proxyuser with password #{proxyuser_password}"
         else
           puts "Failed to create proxyuser"
           exit(1)
         end
+      end
 
-        # Connect to the instance and remove some of the default group memberships and permissions
-        # from proxyuser, leaving it with only what it needs to be able to do
-        expect_script = <<~BASH
-          set timeout 90
-          spawn gcloud sql connect #{name}
-          expect "Password for user postgres:"
-          send "#{root_password}\\r"
-          expect "postgres=>"
-          send "ALTER ROLE proxyuser NOCREATEDB NOCREATEROLE;\\r"
-          expect "postgres=>"
-        BASH
-        if system("expect <<EOF\n#{expect_script}EOF")
-          puts "Successfully removed unnecessary permissions from proxyuser"
-        else
-          puts "Failed to remove unnecessary permissions from proxyuser"
-          exit(1)
-        end
+      def alter_proxy_user_roles
+        Seira::Db::AlterProxyuserRoles.new(app: app, action: action, args: [name, root_password], context: context).run
       end
 
       def set_secrets
@@ -186,10 +175,6 @@ module Seira
         "#{name}-pgbouncer-secrets"
       end
 
-      def pgbouncer_configs_name
-        "#{name}-pgbouncer-configs"
-      end
-
       def pgbouncer_service_name
         "#{name}-pgbouncer-service"
       end
@@ -202,11 +187,21 @@ module Seira
         "#{app}_#{Helpers.rails_env(context: context)}"
       end
 
+      def ips
+        @_ips ||= begin
+          describe_command = "sql instances describe #{name}"
+          json = JSON.parse(gcloud(describe_command, context: context, format: :json))
+          private_ip = json['ipAddresses'].find { |address| address['type'] == 'PRIVATE' }['ipAddress']
+          public_ip = json['ipAddresses'].find { |address| address['type'] == 'PRIMARY' }['ipAddress']
+          { private: private_ip, public: public_ip }
+        end
+      end
+
       def write_pgbouncer_yaml
         # TODO: Clean this up by moving into a proper templated yaml file
         pgbouncer_yaml = <<-FOO
 ---
-apiVersion: extensions/v1beta1
+apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: #{name}-pgbouncer
@@ -217,6 +212,11 @@ metadata:
     database: #{name}
 spec:
   replicas: 2
+  selector:
+    matchLabels:
+      app: #{app}
+      tier: #{pgbouncer_tier}
+      database: #{name}
   strategy:
     type: RollingUpdate
     rollingUpdate:
@@ -236,8 +236,6 @@ spec:
             - containerPort: 6432
               protocol: TCP
           envFrom:
-            - configMapRef:
-                name: #{pgbouncer_configs_name}
             - secretRef:
                 name: #{pgbouncer_secret_name}
           env:
@@ -246,7 +244,7 @@ spec:
             - name: "PGDATABASE"
               value: "#{@database_name || default_database_name}"
             - name: "DB_HOST"
-              value: "127.0.0.1" # Exposed by cloudsql proxy
+              value: "#{ips[:private]}" # private IP for #{name}
             - name: "DB_PORT"
               value: "5432"
             - name: "LISTEN_PORT"
@@ -287,33 +285,10 @@ spec:
             requests:
               cpu: 100m
               memory: 300Mi
-        - image: gcr.io/cloudsql-docker/gce-proxy:1.11    # Gcloud SQL Proxy
-          name: cloudsql-proxy
-          command:
-            - /cloud_sql_proxy
-            - --dir=/cloudsql
-            - -instances=#{context[:project]}:#{context[:region]}:#{name}=tcp:5432
-            - -credential_file=/secrets/cloudsql/credentials.json
-          ports:
-            - containerPort: 5432
-              protocol: TCP
-          volumeMounts:
-            - name: cloudsql-credentials
-              mountPath: /secrets/cloudsql
-              readOnly: true
-            - name: ssl-certs
-              mountPath: /etc/ssl/certs
-            - name: cloudsql
-              mountPath: /cloudsql
-      volumes:
-        - name: cloudsql-credentials
-          secret:
-            secretName: cloudsql-credentials
-        - name: cloudsql
-          emptyDir:
-        - name: ssl-certs
-          hostPath:
-            path: /etc/ssl/certs
+          lifecycle:
+            preStop:
+              exec:
+                command: ["/bin/sh", "-c", "killall -INT pgbouncer && sleep 20"]
 ---
 apiVersion: v1
 kind: Service
@@ -324,12 +299,11 @@ metadata:
     app: #{app}
     tier: #{pgbouncer_tier}
 spec:
-  type: NodePort
+  type: ClusterIP
   ports:
-  - protocol: TCP
-    port: 6432
-    targetPort: 6432
-    nodePort: 0
+    - protocol: TCP
+      port: 6432
+      targetPort: 6432
   selector:
     app: #{app}
     tier: #{pgbouncer_tier}

data/lib/seira/db.rb

@@ -1,13 +1,14 @@
 require 'securerandom'
 require 'English'
 
+require_relative 'db/alter_proxyuser_roles'
 require_relative 'db/create'
 
 module Seira
   class Db
     include Seira::Commands
 
-    VALID_ACTIONS = %w[help create delete list restart connect ps kill analyze create-readonly-user psql table-sizes index-sizes vacuum unused-indexes unused-indices user-connections info].freeze
+    VALID_ACTIONS = %w[help create delete list restart connect ps kill analyze create-readonly-user psql table-sizes index-sizes vacuum unused-indexes unused-indices user-connections info alter-proxyuser-roles].freeze
     SUMMARY = "Manage your Cloud SQL Postgres databases.".freeze
 
     attr_reader :app, :action, :args, :context
@@ -55,6 +56,8 @@ module Seira
         run_user_connections
       when 'info'
         run_info
+      when 'alter-proxyuser-roles'
+        run_alter_proxyuser_roles
       else
         fail "Unknown command encountered"
       end
@@ -78,22 +81,23 @@ module Seira
       puts SUMMARY
       puts "\n"
       puts <<~HELPTEXT
-        analyze:              Display database performance information
-        connect:              Open a psql command prompt via gcloud connect. You will be shown the password needed before the prompt opens.
-        create:               Create a new postgres instance in cloud sql. Supports creating replicas and other numerous flags.
-        create-readonly-user: Create a database user named by --username=<name> with only SELECT access privileges
-        delete:               Delete a postgres instance from cloud sql. Use with caution, and remove all kubernetes configs first.
-        index-sizes:          List sizes of all indexes in the database
-        info:                 Summarize all database instances for the app
-        kill:                 Kill a query
-        list:                 List all postgres instances.
-        ps:                   List running queries
-        psql:                 Open a psql prompt via kubectl exec into a pgbouncer pod.
-        restart:              Fully restart the database.
-        table-sizes:          List sizes of all tables in the database
-        unused-indexes:       Show indexes with zero or low usage
-        user-connections:     List number of connections per user
-        vacuum:               Run a VACUUM ANALYZE
+        analyze:                Display database performance information
+        connect:                Open a psql command prompt via gcloud connect. You will be shown the password needed before the prompt opens.
+        create:                 Create a new postgres instance in cloud sql. Supports creating replicas and other numerous flags.
+        create-readonly-user:   Create a database user named by --username=<name> with only SELECT access privileges
+        delete:                 Delete a postgres instance from cloud sql. Use with caution, and remove all kubernetes configs first.
+        index-sizes:            List sizes of all indexes in the database
+        info:                   Summarize all database instances for the app
+        kill:                   Kill a query
+        list:                   List all postgres instances.
+        ps:                     List running queries
+        psql:                   Open a psql prompt via kubectl exec into a pgbouncer pod.
+        restart:                Fully restart the database.
+        table-sizes:            List sizes of all tables in the database
+        unused-indexes:         Show indexes with zero or low usage
+        user-connections:       List number of connections per user
+        vacuum:                 Run a VACUUM ANALYZE
+        alter-proxyuser-roles:  Update NOCREATEDB and NOCREATEROLE roles for proxyuser in cloud sql.
       HELPTEXT
     end
 
@@ -101,6 +105,10 @@ module Seira
       Seira::Db::Create.new(app: app, action: action, args: args, context: context).run(existing_instances)
     end
 
+    def run_alter_proxyuser_roles
+      Seira::Db::AlterProxyuserRoles.new(app: app, action: action, args: args, context: context).run
+    end
+
     def run_delete
       name = "#{app}-#{args[0]}"
       if gcloud("sql instances delete #{name}", context: context, format: :boolean)

data/lib/seira/version.rb

@@ -1,3 +1,3 @@
 module Seira
-  VERSION = "0.5.1".freeze
+  VERSION = "0.5.2".freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: seira
 version: !ruby/object:Gem::Version
-  version: 0.5.1
+  version: 0.5.2
 platform: ruby
 authors:
 - Scott Ringwelski
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-12-18 00:00:00.000000000 Z
+date: 2018-12-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: highline
@@ -124,6 +124,7 @@ files:
 - lib/seira/commands/gcloud.rb
 - lib/seira/commands/kubectl.rb
 - lib/seira/db.rb
+- lib/seira/db/alter_proxyuser_roles.rb
 - lib/seira/db/create.rb
 - lib/seira/jobs.rb
 - lib/seira/memcached.rb