Merge branch 'claude/rds-aurora-component-012oeo6D7EyNwxoupNfefuCS' into 'master'

RDS/Aurora logical refresh component

See merge request postgres-ai/database-lab!1070

Author: agneum

engine/.gitlab-ci.yml

@@ -204,6 +204,17 @@ build-image-feature-ci-checker:
     DOCKER_NAME: "${CI_REGISTRY}/${CI_PROJECT_NAMESPACE}/${CI_PROJECT_NAME}/dblab-ci-checker"
     TAGS: "${DOCKER_NAME}:${CI_COMMIT_REF_SLUG}"
 
+build-image-feature-rds-refresh:
+  <<: *build_image_definition
+  <<: *only_feature
+  variables:
+    REGISTRY_USER: "${CI_REGISTRY_USER}"
+    REGISTRY_PASSWORD: "${CI_REGISTRY_PASSWORD}"
+    REGISTRY: "${CI_REGISTRY}"
+    DOCKER_FILE: "Dockerfile.rds-refresh"
+    DOCKER_NAME: "${CI_REGISTRY}/${CI_PROJECT_NAMESPACE}/${CI_PROJECT_NAME}/dblab-rds-refresh"
+    TAGS: "${DOCKER_NAME}:${CI_COMMIT_REF_SLUG}"
+
 build-image-feature-client:
   <<: *build_image_definition
   <<: *only_feature
@@ -239,6 +250,14 @@ build-image-master-ci-checker:
     DOCKER_NAME: "registry.gitlab.com/postgres-ai/database-lab/dblab-ci-checker"
     TAGS: "${DOCKER_NAME}:master,${DOCKER_NAME}:master-${CI_COMMIT_SHORT_SHA}"
 
+build-image-master-rds-refresh:
+  <<: *build_image_definition
+  <<: *only_master
+  variables:
+    DOCKER_FILE: "Dockerfile.rds-refresh"
+    DOCKER_NAME: "registry.gitlab.com/postgres-ai/database-lab/dblab-rds-refresh"
+    TAGS: "${DOCKER_NAME}:master,${DOCKER_NAME}:master-${CI_COMMIT_SHORT_SHA}"
+
 build-image-master-client:
   <<: *build_image_definition
   <<: *only_master
@@ -314,6 +333,33 @@ build-image-latest-ci-checker-dev:
     - export CLEAN_TAG=$(echo ${CI_COMMIT_TAG#"v"})
     - export TAGS="${DOCKER_NAME}:${CLEAN_TAG}"
 
+build-image-latest-rds-refresh:
+  <<: *build_image_definition
+  <<: *only_tag_release
+  variables:
+    REGISTRY_USER: "${DH_CI_REGISTRY_USER}"
+    REGISTRY_PASSWORD: "${DH_CI_REGISTRY_PASSWORD}"
+    REGISTRY: "${DH_CI_REGISTRY}"
+    DOCKER_FILE: "Dockerfile.rds-refresh"
+    DOCKER_NAME: "postgresai/dblab-rds-refresh"
+  before_script:
+    - export CLEAN_TAG=$(echo ${CI_COMMIT_TAG#"v"})
+    - export LATEST_TAG=$(echo ${CLEAN_TAG%.*}-latest)
+    - export TAGS="${DOCKER_NAME}:${LATEST_TAG},${DOCKER_NAME}:${CLEAN_TAG}"
+
+build-image-latest-rds-refresh-dev:
+  <<: *build_image_definition
+  <<: *only_tag_release
+  variables:
+    REGISTRY_USER: "${CI_REGISTRY_USER}"
+    REGISTRY_PASSWORD: "${CI_REGISTRY_PASSWORD}"
+    REGISTRY: "${CI_REGISTRY}"
+    DOCKER_FILE: "Dockerfile.rds-refresh"
+    DOCKER_NAME: "registry.gitlab.com/postgres-ai/database-lab/dblab-rds-refresh"
+  before_script:
+    - export CLEAN_TAG=$(echo ${CI_COMMIT_TAG#"v"})
+    - export TAGS="${DOCKER_NAME}:${CLEAN_TAG}"
+
 build-image-latest-client:
   <<: *build_image_definition
   <<: *only_tag_release
@@ -401,6 +447,33 @@ build-image-rc-ci-checker-dev:
     REGISTRY: "${CI_REGISTRY}"
     DOCKER_FILE: "Dockerfile.ci-checker"
     DOCKER_NAME: "registry.gitlab.com/postgres-ai/database-lab/dblab-ci-checker"
+
+build-image-rc-rds-refresh:
+  <<: *build_image_definition
+  <<: *only_tag_rc
+  before_script:
+    - export CLEAN_TAG=$(echo ${CI_COMMIT_TAG#"v"})
+    - export TAGS="${DOCKER_NAME}:${CLEAN_TAG}"
+  variables:
+    REGISTRY_USER: "${DH_CI_REGISTRY_USER}"
+    REGISTRY_PASSWORD: "${DH_CI_REGISTRY_PASSWORD}"
+    REGISTRY: "${DH_CI_REGISTRY}"
+    DOCKER_FILE: "Dockerfile.rds-refresh"
+    DOCKER_NAME: "postgresai/dblab-rds-refresh"
+
+build-image-rc-rds-refresh-dev:
+  <<: *build_image_definition
+  <<: *only_tag_rc
+  before_script:
+    - export CLEAN_TAG=$(echo ${CI_COMMIT_TAG#"v"})
+    - export TAGS="${DOCKER_NAME}:${CLEAN_TAG}"
+  variables:
+    REGISTRY_USER: "${CI_REGISTRY_USER}"
+    REGISTRY_PASSWORD: "${CI_REGISTRY_PASSWORD}"
+    REGISTRY: "${CI_REGISTRY}"
+    DOCKER_FILE: "Dockerfile.rds-refresh"
+    DOCKER_NAME: "registry.gitlab.com/postgres-ai/database-lab/dblab-rds-refresh"
+
 build-image-rc-client:
   <<: *build_image_definition
   <<: *only_tag_rc

engine/Dockerfile.rds-refresh

@@ -0,0 +1,15 @@
+FROM alpine:3.23
+
+RUN apk add --no-cache ca-certificates tzdata
+
+# create non-root user
+RUN adduser -D -u 1000 appuser
+
+WORKDIR /app
+
+COPY ./bin/rds-refresh /usr/local/bin/rds-refresh
+
+USER appuser
+
+ENTRYPOINT ["/usr/local/bin/rds-refresh"]
+CMD ["--help"]

engine/Makefile

@@ -3,6 +3,7 @@
 SERVER_BINARY = dblab-server
 RUN_CI_BINARY = run-ci
 CLI_BINARY = dblab
+RDS_REFRESH_BINARY = rds-refresh
 GOARCH = amd64
 
 PWD= $(shell pwd)
@@ -41,10 +42,11 @@ run-lint: ## Run linters
 
 lint: install-lint run-lint ## Install and run linters
 
-build: ## Build binary files of all Database Lab components (Engine, CI Checker, CLI)
+build: ## Build binary files of all Database Lab components (Engine, CI Checker, CLI, RDS Refresh)
 	${GOBUILD} -o bin/${SERVER_BINARY} ./cmd/database-lab/main.go
 	${GOBUILD} -o bin/${RUN_CI_BINARY} ./cmd/runci/main.go
 	${GOBUILD} -o bin/${CLI_BINARY} ./cmd/cli/main.go
+	${GOBUILD} -o bin/${RDS_REFRESH_BINARY} ./cmd/rds-refresh/main.go
 
 build-debug: ## Build the Database Lab Server binary for debugging
 	${GOBUILD} -ldflags "-X gitlab.com/postgres-ai/database-lab/v3/version.version=${VERSION} \
@@ -54,6 +56,9 @@ build-debug: ## Build the Database Lab Server binary for debugging
 build-ci-checker: ## Build the Database Lab CI Checker binary
 	${GOBUILD} -o bin/${RUN_CI_BINARY} ./cmd/runci/main.go
 
+build-rds-refresh: ## Build the RDS Refresh binary
+	${GOBUILD} -o bin/${RDS_REFRESH_BINARY} ./cmd/rds-refresh/main.go
+
 build-client: ## Build Database Lab CLI binaries for all supported operating systems and platforms
 	$(foreach GOOS, $(CLIENT_PLATFORMS),\
 		$(foreach GOARCH, $(ARCHITECTURES), \
@@ -95,4 +100,4 @@ run-dle: build-dle
 	-p "2345:2345" \
 	dblab_server:local
 
-.PHONY: help all build test run-lint install-lint lint fmt clean build-image build-dle build-ci-checker build-client build-ci-checker run-dle
+.PHONY: help all build test run-lint install-lint lint fmt clean build-image build-dle build-ci-checker build-client build-rds-refresh run-dle

engine/cmd/rds-refresh/README.md

@@ -0,0 +1,244 @@
+# RDS/Aurora Refresh for DBLab
+
+Perform full refresh from RDS/Aurora snapshots (logical mode).
+
+## Why?
+
+DBLab logical mode runs `pg_dump` against your database. On large databases, this:
+- **Holds xmin horizon for hours** → bloat accumulation
+- **Creates load on production**
+- **Requires direct network access** to production
+
+This tool dumps from a **temporary RDS clone** instead. Production is never touched.
+
+```
+Production ──RDS snapshot──► RDS Snapshot ──restore──► RDS Clone ──pg_dump──► DBLab
+              (automated)                              (temporary)
+```
+
+## Quick Start
+
+```bash
+# 1. Configure
+cat > config.yaml << 'EOF'
+source:
+  type: rds                    # or "aurora-cluster"
+  identifier: my-prod-db
+  dbName: postgres
+  username: postgres
+  password: ${DB_PASSWORD}
+
+clone:
+  instanceClass: db.t3.medium
+  securityGroups: [sg-xxx]     # must allow DBLab inbound
+
+dblab:
+  apiEndpoint: https://dblab:2345
+  token: ${DBLAB_TOKEN}
+
+aws:
+  region: us-east-1
+EOF
+
+# 2. Test
+docker run --rm \
+  -v $PWD/config.yaml:/config.yaml \
+  -e DB_PASSWORD -e DBLAB_TOKEN -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY \
+  postgresai/rds-refresh -config /config.yaml -dry-run
+
+# 3. Run
+docker run --rm \
+  -v $PWD/config.yaml:/config.yaml \
+  -e DB_PASSWORD -e DBLAB_TOKEN -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY \
+  postgresai/rds-refresh -config /config.yaml
+```
+
+## Configuration
+
+| Field | Required | Description |
+|-------|----------|-------------|
+| `source.type` | ✓ | `rds` or `aurora-cluster` |
+| `source.identifier` | ✓ | RDS/Aurora identifier |
+| `source.dbName` | ✓ | Database name |
+| `source.username` | ✓ | Database user |
+| `source.password` | ✓ | Password (use `${ENV_VAR}`) |
+| `clone.instanceClass` | ✓ | RDS clone instance type |
+| `clone.securityGroups` | | SGs allowing DBLab access |
+| `clone.subnetGroup` | | DB subnet group |
+| `clone.maxAge` | | Max age before clone is stale (default: 48h) |
+| `dblab.apiEndpoint` | ✓ | DBLab API URL |
+| `dblab.token` | ✓ | DBLab verification token |
+| `dblab.timeout` | | Max refresh wait (default: 4h) |
+| `aws.region` | ✓ | AWS region |
+
+Full example: [config.example.rds_refresh.yaml](../../configs/config.example.rds_refresh.yaml)
+
+## Scheduling
+
+```bash
+# Cron (weekly, Sunday 2 AM)
+0 2 * * 0 docker run --rm -v /etc/dblab/config.yaml:/config.yaml \
+  --env-file /etc/dblab/env postgresai/rds-refresh -config /config.yaml
+```
+
+<details>
+<summary>Kubernetes CronJob</summary>
+
+```yaml
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: dblab-refresh
+spec:
+  schedule: "0 2 * * 0"
+  concurrencyPolicy: Forbid
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          serviceAccountName: dblab-refresh  # IRSA
+          containers:
+          - name: refresh
+            image: postgresai/rds-refresh
+            args: ["-config", "/config/config.yaml"]
+            envFrom:
+            - secretRef:
+                name: dblab-refresh-secrets
+            volumeMounts:
+            - name: config
+              mountPath: /config
+          volumes:
+          - name: config
+            configMap:
+              name: dblab-refresh-config
+          restartPolicy: Never
+```
+</details>
+
+<details>
+<summary>ECS Scheduled Task</summary>
+
+```bash
+aws events put-rule --name dblab-refresh --schedule-expression "cron(0 2 ? * SUN *)"
+aws events put-targets --rule dblab-refresh --targets '[{
+  "Id": "1",
+  "Arn": "arn:aws:ecs:REGION:ACCOUNT:cluster/CLUSTER",
+  "RoleArn": "arn:aws:iam::ACCOUNT:role/ecsEventsRole",
+  "EcsParameters": {
+    "TaskDefinitionArn": "arn:aws:ecs:REGION:ACCOUNT:task-definition/dblab-refresh",
+    "TaskCount": 1, "LaunchType": "FARGATE"
+  }
+}]'
+```
+</details>
+
+## IAM Policy
+
+```json
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": ["rds:DescribeDBSnapshots", "rds:DescribeDBClusterSnapshots",
+                 "rds:DescribeDBInstances", "rds:DescribeDBClusters"],
+      "Resource": "*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": ["rds:RestoreDBInstanceFromDBSnapshot", "rds:RestoreDBClusterFromSnapshot",
+                 "rds:CreateDBInstance", "rds:DeleteDBInstance", "rds:DeleteDBCluster",
+                 "rds:AddTagsToResource", "rds:ModifyDBInstance", "rds:ModifyDBCluster"],
+      "Resource": ["arn:aws:rds:*:ACCOUNT:db:dblab-refresh-*",
+                   "arn:aws:rds:*:ACCOUNT:cluster:dblab-refresh-*",
+                   "arn:aws:rds:*:ACCOUNT:snapshot:*",
+                   "arn:aws:rds:*:ACCOUNT:cluster-snapshot:*",
+                   "arn:aws:rds:*:ACCOUNT:subgrp:*", "arn:aws:rds:*:ACCOUNT:pg:*"]
+    }
+  ]
+}
+```
+
+## Network
+
+RDS clone must be reachable from DBLab on port 5432. Same VPC or peered.
+
+## DBLab Setup
+
+Must run in **logical mode**. Tool updates config via API (no SSH needed).
+
+```yaml
+retrieval:
+  refresh:
+    timetable: ""  # disable built-in scheduler
+  jobs: [logicalDump, logicalRestore, logicalSnapshot]
+  spec:
+    logicalDump:
+      options:
+        source:
+          connection:
+            host: placeholder  # updated by rds-refresh
+            port: 5432
+```
+
+## How It Works
+
+1. **Startup cleanup**: Check for orphaned clones from previous runs
+2. Check DBLab health
+3. Find latest RDS snapshot
+4. Create RDS clone from RDS snapshot (`dblab-refresh-YYYYMMDD-HHMMSS`)
+5. Wait for RDS clone (~15 min)
+6. Update DBLab config via API
+7. Trigger refresh, wait for completion
+8. Delete RDS clone (always, even on error)
+
+## Orphan Protection
+
+The tool has multiple layers of protection against orphaned clones:
+
+1. **Defer cleanup**: Clone is deleted when process exits normally
+2. **Signal handlers**: Catches SIGINT, SIGTERM, SIGHUP (SSH disconnect)
+3. **State file**: Tracks active clone in `./meta/rds-refresh.state` (same directory as DBLab meta files)
+4. **Tag scan**: Finds clones by `ManagedBy=dblab-rds-refresh` tag
+
+### Manual Cleanup
+
+```bash
+# Dry run - see what would be deleted
+rds-refresh cleanup -config config.yaml -dry-run
+
+# Delete stale clones older than 24 hours
+rds-refresh cleanup -config config.yaml -max-age 24h
+
+# Run in cron as safety net (weekly)
+0 3 * * 0 rds-refresh cleanup -config /etc/dblab/config.yaml -max-age 48h
+```
+
+### Best Practice
+
+Run inside `screen` or `tmux` to prevent SSH disconnections from orphaning clones:
+
+```bash
+screen -S dblab-refresh
+rds-refresh -config config.yaml
+# Ctrl+A, D to detach
+```
+
+## Troubleshooting
+
+| Error | Fix |
+|-------|-----|
+| No snapshots | Enable automated backups on RDS |
+| RDS clone not accessible | Check security group allows 5432 from DBLab |
+| Config update failed | Verify DBLab endpoint and token |
+| Timeout | Increase `dblab.timeout`, check DBLab logs |
+
+## Cost
+
+RDS clone cost only while running (~2-5 hours):
+- db.t3.medium: ~$0.35
+- db.r5.large: ~$1.20
+
+## License
+
+Apache 2.0 — [Postgres.ai](https://postgres.ai)