refactor: resolution of PostgreSQL image to avoid permission issues

JakubDurkac · JakubDurkac · commit 38e77d9c2d30 · 2025-10-09T21:11:08.000+02:00
When using the image resolution within template, it seems that it needs to create some temporary objects
in the openshift namespace. To avoid the need for setting up writing permissions, the image is now resolved
just by reading the image from the API and passing it down to the template.

I have also simplified the template a bit and fixed database migration job behavior - indentation issues, time to live, removal of finished jobs.
diff --git a/ansible/roles/project_setup/tasks/main.yml b/ansible/roles/project_setup/tasks/main.yml
@@ -61,11 +61,20 @@
         tls.crt: "{{ pullsar_sa_cert_crt | b64encode }}"
         tls.key: "{{ pullsar_sa_cert_key | b64encode }}"
 
+- name: "Find the full image name for the specified PostgreSQL version"
+  kubernetes.core.k8s_info:
+    api_version: image.openshift.io/v1
+    kind: ImageStreamTag
+    name: "postgresql:{{ postgres_version }}"
+    namespace: openshift
+  register: postgres_imagestream_tag
+
 - name: "Process the official OpenShift PostgreSQL template"
   community.okd.openshift_process:
     src: "../templates/postgresql-persistent.yml"
     namespace_target: "{{ project_namespace }}"
     parameters:
+      POSTGRESQL_IMAGE: "{{ postgres_imagestream_tag.resources[0].image.dockerImageReference }}"
       POSTGRESQL_USER: "{{ postgres_credentials.DB_USER }}"
       POSTGRESQL_PASSWORD: "{{ postgres_credentials.DB_PASSWORD }}"
       POSTGRESQL_DATABASE: "{{ postgres_credentials.DB_NAME }}"
diff --git a/ansible/templates/postgresql-migration-job.yml b/ansible/templates/postgresql-migration-job.yml
@@ -4,6 +4,9 @@ metadata:
   generateName: "postgresql-migration-job-"
   namespace: "{{ project_namespace }}"
 spec:
+  backoffLimit: 4
+  activeDeadlineSeconds: 900
+  ttlSecondsAfterFinished: 3600
   template:
     spec:
       containers:
@@ -14,36 +17,35 @@ spec:
           - "-c"
           - |
             echo "Waiting for database to be available..."
-            until psql -h {{ postgres_credentials.DB_HOST }} -c '\q'; do
+            until psql -h {{ postgres_credentials.DB_HOST }} -U {{ postgres_credentials.DB_USER }} -c '\q'; do
               >&2 echo "Postgres is unavailable - sleeping"
               sleep 2
             done
 
             echo "Database is available. Running migration script..."
-            psql -h {{ postgres_credentials.DB_HOST }} -f /migrations/V1__initial_setup.sql
+            psql -h {{ postgres_credentials.DB_HOST }} -U {{ postgres_credentials.DB_USER }} -f /migrations/V1__initial_setup.sql
             echo "Migration complete."
-      env:
-        - name: PGPASSWORD
-          valueFrom:
-            secretKeyRef:
-              name: postgres-credentials
-              key: DB_PASSWORD
-        - name: PGUSER
-          valueFrom:
-            secretKeyRef:
-              name: postgres-credentials
-              key: DB_USER
-        - name: PGDATABASE
-          valueFrom:
-            secretKeyRef:
-              name: postgres-credentials
-              key: DB_NAME
-      volumeMounts:
-        - name: migration-script
-          mountPath: /migrations
+        env:
+          - name: PGPASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: postgres-credentials
+                key: DB_PASSWORD
+          - name: PGUSER
+            valueFrom:
+              secretKeyRef:
+                name: postgres-credentials
+                key: DB_USER
+          - name: PGDATABASE
+            valueFrom:
+              secretKeyRef:
+                name: postgres-credentials
+                key: DB_NAME
+        volumeMounts:
+          - name: migration-script
+            mountPath: /migrations
       volumes:
         - name: migration-script
           configMap:
             name: postgresql-migration-script
       restartPolicy: Never
-  backoffLimit: 4
diff --git a/ansible/templates/postgresql-persistent.yml b/ansible/templates/postgresql-persistent.yml
@@ -28,21 +28,11 @@ metadata:
     openshift.io/support-url: https://access.redhat.com
     samples.operator.openshift.io/version: 4.18.21
     tags: database,postgresql
-  creationTimestamp: "2021-07-27T18:39:32Z"
-  labels:
-    samples.operator.openshift.io/managed: "true"
   name: postgresql-persistent
-  namespace: openshift
-  resourceVersion: "2673535493"
-  uid: 8dc9aa48-0b02-43a1-bd14-dd09b71f3ab6
 objects:
 - apiVersion: v1
   kind: Secret
   metadata:
-    annotations:
-      template.openshift.io/expose-database_name: '{.data[''database-name'']}'
-      template.openshift.io/expose-password: '{.data[''database-password'']}'
-      template.openshift.io/expose-username: '{.data[''database-user'']}'
     name: ${DATABASE_SERVICE_NAME}
   stringData:
     database-name: ${POSTGRESQL_DATABASE}
@@ -51,22 +41,14 @@ objects:
 - apiVersion: v1
   kind: Service
   metadata:
-    annotations:
-      template.openshift.io/expose-uri: postgres://{.spec.clusterIP}:{.spec.ports[?(.name=="postgresql")].port}
     name: ${DATABASE_SERVICE_NAME}
   spec:
     ports:
     - name: postgresql
-      nodePort: 0
       port: 5432
-      protocol: TCP
       targetPort: 5432
     selector:
       name: ${DATABASE_SERVICE_NAME}
-    sessionAffinity: None
-    type: ClusterIP
-  status:
-    loadBalancer: {}
 - apiVersion: v1
   kind: PersistentVolumeClaim
   metadata:
@@ -80,8 +62,6 @@ objects:
 - apiVersion: apps.openshift.io/v1
   kind: DeploymentConfig
   metadata:
-    annotations:
-      template.alpha.openshift.io/wait-for-ready: "true"
     name: ${DATABASE_SERVICE_NAME}
   spec:
     replicas: 1
@@ -95,8 +75,7 @@ objects:
           name: ${DATABASE_SERVICE_NAME}
       spec:
         containers:
-        - capabilities: {}
-          env:
+        - env:
           - name: POSTGRESQL_USER
             valueFrom:
               secretKeyRef:
@@ -112,8 +91,7 @@ objects:
               secretKeyRef:
                 key: database-name
                 name: ${DATABASE_SERVICE_NAME}
-          image: ' '
-          imagePullPolicy: IfNotPresent
+          image: '${POSTGRESQL_IMAGE}'
           livenessProbe:
             exec:
               command:
@@ -134,33 +112,20 @@ objects:
           resources:
             limits:
               memory: ${MEMORY_LIMIT}
-          securityContext:
-            capabilities: {}
-            privileged: false
-          terminationMessagePath: /dev/termination-log
           volumeMounts:
           - mountPath: /var/lib/pgsql/data
             name: ${DATABASE_SERVICE_NAME}-data
-        dnsPolicy: ClusterFirst
-        restartPolicy: Always
         volumes:
         - name: ${DATABASE_SERVICE_NAME}-data
           persistentVolumeClaim:
             claimName: ${DATABASE_SERVICE_NAME}
     triggers:
-    - imageChangeParams:
-        automatic: true
-        containerNames:
-        - postgresql
-        from:
-          kind: ImageStreamTag
-          name: postgresql:${POSTGRESQL_VERSION}
-          namespace: ${NAMESPACE}
-        lastTriggeredImage: ""
-      type: ImageChange
     - type: ConfigChange
-  status: {}
 parameters:
+- description: The full pull spec for the PostgreSQL image, resolved from the ImageStream.
+  displayName: PostgreSQL Image Name
+  name: POSTGRESQL_IMAGE
+  required: true
 - description: Maximum amount of memory the container can use.
   displayName: Memory Limit
   name: MEMORY_LIMIT
