diff --git a/Tiltfile b/Tiltfile
index 354ed7f3c..bef579d17 100644
--- a/Tiltfile
+++ b/Tiltfile
@@ -196,7 +196,7 @@ k8s_yaml(helm('./helm/bundles/cortex-crds', name='cortex-crds', set=crd_extra_va
 if 'nova' in ACTIVE_DEPLOYMENTS:
 print("Activating Cortex Nova bundle")
 k8s_yaml(helm('./helm/bundles/cortex-nova', name='cortex-nova', values=tilt_values, set=env_set_overrides))
- k8s_resource('cortex-nova-postgresql-v18', labels=['Cortex-Nova'], port_forwards=[
+ k8s_resource('cortex-nova-postgresql-v18-g0', labels=['Cortex-Nova'], port_forwards=[
 port_forward(8000, 5432),
 ])
 k8s_resource('cortex-nova-scheduling-controller-manager', labels=['Cortex-Nova'], port_forwards=[
@@ -221,7 +221,7 @@ if 'nova' in ACTIVE_DEPLOYMENTS:
 if 'manila' in ACTIVE_DEPLOYMENTS:
 print("Activating Cortex Manila bundle")
 k8s_yaml(helm('./helm/bundles/cortex-manila', name='cortex-manila', values=tilt_values, set=env_set_overrides))
- k8s_resource('cortex-manila-postgresql-v18', labels=['Cortex-Manila'], port_forwards=[
+ k8s_resource('cortex-manila-postgresql-v18-g0', labels=['Cortex-Manila'], port_forwards=[
 port_forward(8002, 5432),
 ])
 k8s_resource('cortex-manila-scheduling-controller-manager', labels=['Cortex-Manila'], port_forwards=[
@@ -238,7 +238,7 @@ if 'manila' in ACTIVE_DEPLOYMENTS:
 if 'cinder' in ACTIVE_DEPLOYMENTS:
 k8s_yaml(helm('./helm/bundles/cortex-cinder', name='cortex-cinder', values=tilt_values, set=env_set_overrides))
- k8s_resource('cortex-cinder-postgresql-v18', labels=['Cortex-Cinder'], port_forwards=[
+ k8s_resource('cortex-cinder-postgresql-v18-g0', labels=['Cortex-Cinder'], port_forwards=[
 port_forward(8004, 5432),
 ])
 k8s_resource('cortex-cinder-scheduling-controller-manager', labels=['Cortex-Cinder'], port_forwards=[
diff --git a/helm/bundles/cortex-cinder/templates/secrets.yaml b/helm/bundles/cortex-cinder/templates/secrets.yaml
index 0d3ba89a6..7d95f3638 100644
--- a/helm/bundles/cortex-cinder/templates/secrets.yaml
+++ b/helm/bundles/cortex-cinder/templates/secrets.yaml
@@ -4,7 +4,7 @@ kind: Secret
 metadata:
 name: cortex-cinder-postgres
 data:
- host: {{ printf "%s-v%s" (index .Values "cortex-postgres" "fullnameOverride") (index .Values "cortex-postgres" "major") | b64enc | quote }}
+ host: {{ printf "%s-v%s-%s" (index .Values "cortex-postgres" "fullnameOverride") (index .Values "cortex-postgres" "major") (index .Values "cortex-postgres" "instanceSuffix") | b64enc | quote }}
 user: {{ .Values.postgres.user | b64enc | quote }}
 password: {{ .Values.postgres.password | b64enc | quote }}
 database: {{ .Values.postgres.database | b64enc | quote }}
diff --git a/helm/bundles/cortex-cinder/values.yaml b/helm/bundles/cortex-cinder/values.yaml
index 300322880..117ad44bf 100644
--- a/helm/bundles/cortex-cinder/values.yaml
+++ b/helm/bundles/cortex-cinder/values.yaml
@@ -38,7 +38,7 @@ sharedSSOCert: &sharedSSOCert
 selfSigned: "false"
 postgres:
- host: cortex-cinder-postgresql-v18
+ host: cortex-cinder-postgresql-v18-g0
 user: postgres
 password: secret
 database: postgres
diff --git a/helm/bundles/cortex-manila/templates/secrets.yaml b/helm/bundles/cortex-manila/templates/secrets.yaml
index 59c21b425..05ec83e33 100644
--- a/helm/bundles/cortex-manila/templates/secrets.yaml
+++ b/helm/bundles/cortex-manila/templates/secrets.yaml
@@ -4,7 +4,7 @@ kind: Secret
 metadata:
 name: cortex-manila-postgres
 data:
- host: {{ printf "%s-v%s" (index .Values "cortex-postgres" "fullnameOverride") (index .Values "cortex-postgres" "major") | b64enc | quote }}
+ host: {{ printf "%s-v%s-%s" (index .Values "cortex-postgres" "fullnameOverride") (index .Values "cortex-postgres" "major") (index .Values "cortex-postgres" "instanceSuffix") | b64enc | quote }}
 user: {{ .Values.postgres.user | b64enc | quote }}
 password: {{ .Values.postgres.password | b64enc | quote }}
 database: {{ .Values.postgres.database | b64enc | quote }}
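Review bot: The new `host:` line in cortex-cinder's `secrets.yaml` rebuilds the Postgres name with a bare `printf`, while the library helper `cortex-postgres.versionedFullname` changed in this same commit also truncates the base to fit 63 characters and trims a trailing `-`. The two can therefore disagree: an empty `instanceSuffix` gives a Secret host ending in `-` where the helper yields the un-suffixed name, and a value nulled out in an override renders as `%!s(<nil>)` instead of failing. Wrapping the lookup, e.g. `(required "cortex-postgres.instanceSuffix must be set" (index .Values "cortex-postgres" "instanceSuffix"))`, turns a bad override into a render-time error rather than a client pointed at a host that does not exist. The same line appears in the cortex-manila and cortex-nova `secrets.yaml` hunks.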
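Review bot: `postgres.host` in cortex-cinder's `values.yaml` now repeats the generation as a literal (`cortex-cinder-postgresql-v18-g0`), while the Secret template in this bundle derives the same name from the `cortex-postgres` values, so the next `instanceSuffix` bump has to be mirrored here by hand or this value goes stale. Since each bump re-runs initdb with whatever password is rendered, the default `password: secret` visible in this hunk's context matters more than before: presumably a deployment that misses the vault override would initialise the fresh database with it. A comment such as `# keep in sync with cortex-postgres.major / instanceSuffix` on the host line, and a password default that must be overridden rather than a usable literal, would make both failure modes visible. The cortex-manila and cortex-nova `values.yaml` hunks have the same shape.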
diff --git a/helm/bundles/cortex-manila/values.yaml b/helm/bundles/cortex-manila/values.yaml
index 66c1c5f2d..dba2bd319 100644
--- a/helm/bundles/cortex-manila/values.yaml
+++ b/helm/bundles/cortex-manila/values.yaml
@@ -38,7 +38,7 @@ sharedSSOCert: &sharedSSOCert
 selfSigned: "false"
 postgres:
- host: cortex-manila-postgresql-v18
+ host: cortex-manila-postgresql-v18-g0
 user: postgres
 password: secret
 database: postgres
diff --git a/helm/bundles/cortex-nova/templates/secrets.yaml b/helm/bundles/cortex-nova/templates/secrets.yaml
index 50ae310ff..86db64b75 100644
--- a/helm/bundles/cortex-nova/templates/secrets.yaml
+++ b/helm/bundles/cortex-nova/templates/secrets.yaml
@@ -4,7 +4,7 @@ kind: Secret
 metadata:
 name: cortex-nova-postgres
 data:
- host: {{ printf "%s-v%s" (index .Values "cortex-postgres" "fullnameOverride") (index .Values "cortex-postgres" "major") | b64enc | quote }}
+ host: {{ printf "%s-v%s-%s" (index .Values "cortex-postgres" "fullnameOverride") (index .Values "cortex-postgres" "major") (index .Values "cortex-postgres" "instanceSuffix") | b64enc | quote }}
 user: {{ .Values.postgres.user | b64enc | quote }}
 password: {{ .Values.postgres.password | b64enc | quote }}
 database: {{ .Values.postgres.database | b64enc | quote }}
diff --git a/helm/bundles/cortex-nova/values.yaml b/helm/bundles/cortex-nova/values.yaml
index 273f09dda..f0e8f2461 100644
--- a/helm/bundles/cortex-nova/values.yaml
+++ b/helm/bundles/cortex-nova/values.yaml
@@ -43,7 +43,7 @@ sharedSSOCert: &sharedSSOCert
 selfSigned: "false"
 postgres:
- host: cortex-nova-postgresql-v18
+ host: cortex-nova-postgresql-v18-g0
 user: postgres
 password: secret
 database: postgres
diff --git a/helm/library/cortex-postgres/templates/_helpers.tpl b/helm/library/cortex-postgres/templates/_helpers.tpl
index 48135f745..30ee66305 100644
--- a/helm/library/cortex-postgres/templates/_helpers.tpl
+++ b/helm/library/cortex-postgres/templates/_helpers.tpl
@@ -65,11 +65,13 @@ Create the name of the service account to use
 {{- end }}
 {{/*
-Versioned fully qualified app name (appends -v to the fullname).
+Versioned fully qualified app name (appends -v- to the fullname).
+The instanceSuffix is a rotation token: bumping it forces a new StatefulSet and PVC
+to be provisioned, which re-runs initdb with the (rotated) POSTGRES_PASSWORD.
 Truncates the base name to leave room for the suffix within the 63-char DNS limit.
 */}}
 {{- define "cortex-postgres.versionedFullname" -}}
-{{- $suffix := printf "-v%s" .Values.major -}}
+{{- $suffix := printf "-v%s-%s" .Values.major .Values.instanceSuffix -}}
 {{- $base := include "cortex-postgres.fullname" . -}}
 {{- printf "%s%s" ($base | trunc (int (sub 63 (len $suffix)))) $suffix | trimSuffix "-" }}
 {{- end }}
diff --git a/helm/library/cortex-postgres/templates/service.yaml b/helm/library/cortex-postgres/templates/service.yaml
index 67937a2ca..cc9679263 100644
--- a/helm/library/cortex-postgres/templates/service.yaml
+++ b/helm/library/cortex-postgres/templates/service.yaml
@@ -17,3 +17,4 @@ spec:
 selector:
 {{- include "cortex-postgres.selectorLabels" . | nindent 4 }}
 app.kubernetes.io/pg-major: {{ .Values.major | quote }}
+ app.kubernetes.io/instance-suffix: {{ .Values.instanceSuffix | quote }}
diff --git a/helm/library/cortex-postgres/templates/statefulset.yaml b/helm/library/cortex-postgres/templates/statefulset.yaml
index 2a770ddf7..aac02b80a 100644
--- a/helm/library/cortex-postgres/templates/statefulset.yaml
+++ b/helm/library/cortex-postgres/templates/statefulset.yaml
@@ -13,6 +13,7 @@ spec:
 matchLabels:
 {{- include "cortex-postgres.selectorLabels" . | nindent 6 }}
 app.kubernetes.io/pg-major: {{ .Values.major | quote }}
+ app.kubernetes.io/instance-suffix: {{ .Values.instanceSuffix | quote }}
 serviceName: {{ include "cortex-postgres.versionedFullname" . }}
 template:
 metadata:
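Review bot: The new comment above `cortex-postgres.versionedFullname` in `_helpers.tpl` says a bump provisions a new StatefulSet and PVC, but not what happens to the previous generation. Because the name changes, the new instance starts from an empty data directory, and the old PVC may be left behind still holding data initialised under the old password; whether it is removed depends on the StatefulSet's PVC retention settings, which are not visible in this diff. I would extend the comment with two lines, e.g. `Data is NOT migrated between generations.` and `The previous generation's PVC must be backed up or deleted explicitly after the bump.`, worded to match the chart's actual retention policy.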
@@ -20,6 +21,7 @@ spec:
 app: {{ include "cortex-postgres.versionedFullname" . }}
 {{- include "cortex-postgres.labels" . | nindent 8 }}
 app.kubernetes.io/pg-major: {{ .Values.major | quote }}
+ app.kubernetes.io/instance-suffix: {{ .Values.instanceSuffix | quote }}
 spec:
 terminationGracePeriodSeconds: 10
 containers:
diff --git a/helm/library/cortex-postgres/values.yaml b/helm/library/cortex-postgres/values.yaml
index 2d4cb4b40..9ed45bcaa 100644
--- a/helm/library/cortex-postgres/values.yaml
+++ b/helm/library/cortex-postgres/values.yaml
@@ -5,6 +5,13 @@ fullnameOverride: cortex-postgresql
 major: "18"
+# Rotation token (generation). Bump to g1, g2, ... to provision a fresh
+# StatefulSet + PVC, which causes initdb to run again and apply the (rotated)
+# POSTGRES_PASSWORD from vault. The "g" prefix keeps the suffix visually
+# distinct from the trailing StatefulSet pod ordinal (e.g. -g0-0 vs -0-0).
+# The Postgres major version is independent and lives in `major` above.
+instanceSuffix: "g0"
+
 image:
 repository: ghcr.io/cobaltcore-dev/cortex-postgres
 pullPolicy: IfNotPresent
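Review bot: Nothing enforces the `g0`, `g1`, ... form that the new comment on `instanceSuffix` in the library `values.yaml` describes, yet the value is spliced into the name produced by `versionedFullname` (used for `serviceName` and the `app` label in the StatefulSet hunks) and into a label value. An override containing characters outside lowercase alphanumerics and `-` would only fail when the manifests are applied, not when the chart is rendered. A guard at the top of the helper, e.g. `{{- if not (regexMatch "^g[0-9]+$" (toString .Values.instanceSuffix)) }}{{ fail "instanceSuffix must look like g0, g1, ..." }}{{ end }}`, would catch a malformed rotation token early.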