Deploy Changes to Database Cluster

Question

Hello,

I have a CI/CD pipeline running in BitBucket. I want to create a Database Cluster on DigitalOcean for my API, so I can migrate to the API to a Kubernetes Cluster. How can I setup my pipeline to be able to deploy changes to my database? The Database Cluster restricts connections to a specific IP address so I cannot just connect from the pipeline. Is there a way to permit a connection with a specific ssh key maybe? I am not how this is normally done.

Thank you!

Answer 1

jaaywags October 16, 2020

I guess I could purchase an additional single droplet dedicated to deploying database changes and approve that one droplet access to the database cluster. I feel like that is a weird route to go though. Is there another method?

Reply Report

vashchukmaksim November 27, 2020

Hi, did you find a clean solution? Facing the same issue and it looks like it should be possible somehow…
Reply Report
- jaaywags November 27, 2020
  
  No, I have not come up with a cleaner solution. My app is still being developed. We are planning for our first deployment sometime early next year and so I have not really addressed this quite yet. Haven’t even made the switch to Kubernetes yet. As of now, the plan is to utilize a single Digital Ocean node to handle things like this. It will be separate from the cluster, wont host anything, just dedicated to handling database migrations. That is until a cleaner solution comes to light. Please keep me updated if you come up with one.
  
  Reply Report
  
  vashchukmaksim November 28, 2020
  
  Looks like DO API now can manage DB list (https://developers.digitalocean.com/documentation/changelog/api-v2/managed-databases-firewall-and-sql-mode-management/). I have an idea to add an IP of a CI agent (found an action for GitHub Actions here https://github.com/marketplace/actions/public-ip) via this API and remove it right after the migration is completed.
  
  Don’t know if it is gonna work and if there any problems from a security perspective but will give it a try.
  
  Reply Report
  
  vashchukmaksim November 28, 2020
  
  Ok, I come up with the following solution that works. Will keep it for now, probably you (or someone else) can see any problems with it. We use Github Actions so the following config is for it but it doesn’t matter much:
  
  ... - name: Deploy to DigitalOcean K8s cluster run: kubectl apply -f ./k8s - name: Get deployment status run: kubectl rollout status deploy/pp-app-auth - name: Get agent IP address id: ip uses: haythem/public-ip@v1.2 - name: Get database firewall rules run: | INITIAL_FIREWALL_LIST=$(curl -X GET -H "Content-Type: application/json" -H "Authorization: Bearer ${{ secrets.DO_CI_PERSONAL_ACCESS_TOKEN }}" "https://api.digitalocean.com/v2/databases/${{ secrets.DO_DATABASE_ID }}/firewall") echo "INITIAL_FIREWALL_LIST=$INITIAL_FIREWALL_LIST" >> $GITHUB_ENV - name: Modify IPs list run: | UPDATED_FIREWALL_LIST=$(jq -r -c '.rules += [{"type": "ip_addr", "value": "${{ steps.ip.outputs.ipv4 }}"}]' <<< '${{ env.INITIAL_FIREWALL_LIST }}') echo "UPDATED_FIREWALL_LIST=$UPDATED_FIREWALL_LIST" >> $GITHUB_ENV - name: Submit updated IPs list to DO run: | echo ${{ env.UPDATED_FIREWALL_LIST }} curl -X PUT -H "Content-Type: application/json" -H "Authorization: Bearer ${{ secrets.DO_ACCESS_TOKEN }}" -d '${{ env.UPDATED_FIREWALL_LIST }}' "https://api.digitalocean.com/v2/databases/${{ secrets.DO_DATABASE_ID }}/firewall" - name: Install Python 3.6 uses: actions/setup-python@v2 with: python-version: '3.6' - name: Install requirements run: | python -m pip install -r requirements.txt - name: Run migration run: | PYTHONPATH=.:$PYTHONPATH alembic upgrade head - name: Revert IPs list if: ${{ always() }} run: | curl -X PUT -H "Content-Type: application/json" -H "Authorization: Bearer ${{ secrets.DO_ACCESS_TOKEN }}" -d '${{ env.INITIAL_FIREWALL_LIST }}' "https://api.digitalocean.com/v2/databases/${{ secrets.DO_DATABASE_ID }}/firewall"
  
  Some feedback would be appreciated to improve the solution. One thing I need to check and improve is to cancel the following step if deployment status is “failed” but that’s another story.
  
  Reply Report
  
  jaaywags November 28, 2020
  
  Wow, this is a very impressive solution! I’m on mobile so I will take another look when I get home, but it looks really clean. I think it’s much better than mine (purchasing an extra droplet and managing/configuring that just for migrations). I wasn’t even aware you could change database configurations via their API. I’ll most likely be taking this solution! Good job and thanks!!
  
  Reply Report
  
  vashchukmaksim November 28, 2020
  
  Found one potential problem (especially for not self-hosted CI solution). If we run two or more deployments with migrations at the same time we may end up with a situation where the initial list of IPs for the last deployment contains CI agent’s IP that was saved there from the first one. In that case, after the last deployment is finished it will save that IP and it will be stored there forever. Looks like a potential security leak since, I suppose, the cloud CI IPs list is used across everybody. I ended up just saving JSON with allowed IPs in a secret and use that secret on reset rather than getting that list from DO every time.
  
  P.S. Even in that case we have a period of time during deployment when db can be potentially accessed from shared IP which in theory (e.g. the more deployments we have the more this period is) can be used. I think it’s fine since besides the IP we have db authentication. Self-hosted CI solution with static IP would be perfect :)
  
  Reply Report
  
  jaaywags November 29, 2020
  
  I can’t reply to your last comment. I think the thread hit max depth so I am replying here.
  
  That is a good point though. You have two potential issues, it either stores the IP forever, or removes it in the middle of the migration. Not sure how postgre handles that kind of security. Might block the migration from finishing and you end up with part of the update.
  
  Are you removing the list of authenticated IPs at the end of every deployment? That may break another deployment if it is past the step that grants access to that list.
  
  I am a bit worried about this solution now. As of now, we only have one deployment pipeline, but plan on migrating to a microservice architecture, which could significantly increase the number of potential concurrent deployments.
  
  I wish we could just have a dedicated IP for CI. That would solve everything. I am confused how this is not a bigger issue. I feel like this is a common problem people would face.
  
  I agree though, granting access to that list of IPs is not a big security list due to db authentication. Maybe we just permanently authenticate their list of IPs. Unless that list of IPs change often, which they might, I don’t see that as a bad solution. I have to this about this more. :/
  
  Reply Report
  
  vashchukmaksim November 29, 2020
  
  Yes, exactly, you are correct. I have already faced that issue while deploying two services with migrations at the same time. Since we are currently in the launch phase as well, that is fine to deploy only one service at a time so I didn’t think about how to solve this issue.
  
  Personally, I don’t like the idea to add all public CI IPs range to the white list. To have another droplet, as you suggested before, looks like a better alternative to me. The only problem I see here is that we separate that logic from CI process (e.g. how to cancel migration if deployment failed?). Looks like we need an extra layer of abstraction in order to sync these processes, which makes the whole solution more complicated. Probably there is an easy way to do it, don’t know.
  
  For now, I would stick to the above solution with just one deployment at a time and probably will fix the issue with some outer script that resets IPs white list when no deployments are running. For the future will aim to have a static IP for CI solution which looks the clearest way to deal with it.
  
  Reply Report

Answer 2

vashchukmaksim November 27, 2020

Hi, did you find a clean solution? Facing the same issue and it looks like it should be possible somehow…
Reply Report
- jaaywags November 27, 2020
  
  No, I have not come up with a cleaner solution. My app is still being developed. We are planning for our first deployment sometime early next year and so I have not really addressed this quite yet. Haven’t even made the switch to Kubernetes yet. As of now, the plan is to utilize a single Digital Ocean node to handle things like this. It will be separate from the cluster, wont host anything, just dedicated to handling database migrations. That is until a cleaner solution comes to light. Please keep me updated if you come up with one.
  
  Reply Report
  
  vashchukmaksim November 28, 2020
  
  Looks like DO API now can manage DB list (https://developers.digitalocean.com/documentation/changelog/api-v2/managed-databases-firewall-and-sql-mode-management/). I have an idea to add an IP of a CI agent (found an action for GitHub Actions here https://github.com/marketplace/actions/public-ip) via this API and remove it right after the migration is completed.
  
  Don’t know if it is gonna work and if there any problems from a security perspective but will give it a try.
  
  Reply Report
  
  vashchukmaksim November 28, 2020
  
  Ok, I come up with the following solution that works. Will keep it for now, probably you (or someone else) can see any problems with it. We use Github Actions so the following config is for it but it doesn’t matter much:
  
  ... - name: Deploy to DigitalOcean K8s cluster run: kubectl apply -f ./k8s - name: Get deployment status run: kubectl rollout status deploy/pp-app-auth - name: Get agent IP address id: ip uses: haythem/public-ip@v1.2 - name: Get database firewall rules run: | INITIAL_FIREWALL_LIST=$(curl -X GET -H "Content-Type: application/json" -H "Authorization: Bearer ${{ secrets.DO_CI_PERSONAL_ACCESS_TOKEN }}" "https://api.digitalocean.com/v2/databases/${{ secrets.DO_DATABASE_ID }}/firewall") echo "INITIAL_FIREWALL_LIST=$INITIAL_FIREWALL_LIST" >> $GITHUB_ENV - name: Modify IPs list run: | UPDATED_FIREWALL_LIST=$(jq -r -c '.rules += [{"type": "ip_addr", "value": "${{ steps.ip.outputs.ipv4 }}"}]' <<< '${{ env.INITIAL_FIREWALL_LIST }}') echo "UPDATED_FIREWALL_LIST=$UPDATED_FIREWALL_LIST" >> $GITHUB_ENV - name: Submit updated IPs list to DO run: | echo ${{ env.UPDATED_FIREWALL_LIST }} curl -X PUT -H "Content-Type: application/json" -H "Authorization: Bearer ${{ secrets.DO_ACCESS_TOKEN }}" -d '${{ env.UPDATED_FIREWALL_LIST }}' "https://api.digitalocean.com/v2/databases/${{ secrets.DO_DATABASE_ID }}/firewall" - name: Install Python 3.6 uses: actions/setup-python@v2 with: python-version: '3.6' - name: Install requirements run: | python -m pip install -r requirements.txt - name: Run migration run: | PYTHONPATH=.:$PYTHONPATH alembic upgrade head - name: Revert IPs list if: ${{ always() }} run: | curl -X PUT -H "Content-Type: application/json" -H "Authorization: Bearer ${{ secrets.DO_ACCESS_TOKEN }}" -d '${{ env.INITIAL_FIREWALL_LIST }}' "https://api.digitalocean.com/v2/databases/${{ secrets.DO_DATABASE_ID }}/firewall"
  
  Some feedback would be appreciated to improve the solution. One thing I need to check and improve is to cancel the following step if deployment status is “failed” but that’s another story.
  
  Reply Report
  
  jaaywags November 28, 2020
  
  Wow, this is a very impressive solution! I’m on mobile so I will take another look when I get home, but it looks really clean. I think it’s much better than mine (purchasing an extra droplet and managing/configuring that just for migrations). I wasn’t even aware you could change database configurations via their API. I’ll most likely be taking this solution! Good job and thanks!!
  
  Reply Report
  
  vashchukmaksim November 28, 2020
  
  Found one potential problem (especially for not self-hosted CI solution). If we run two or more deployments with migrations at the same time we may end up with a situation where the initial list of IPs for the last deployment contains CI agent’s IP that was saved there from the first one. In that case, after the last deployment is finished it will save that IP and it will be stored there forever. Looks like a potential security leak since, I suppose, the cloud CI IPs list is used across everybody. I ended up just saving JSON with allowed IPs in a secret and use that secret on reset rather than getting that list from DO every time.
  
  P.S. Even in that case we have a period of time during deployment when db can be potentially accessed from shared IP which in theory (e.g. the more deployments we have the more this period is) can be used. I think it’s fine since besides the IP we have db authentication. Self-hosted CI solution with static IP would be perfect :)
  
  Reply Report
  
  jaaywags November 29, 2020
  
  I can’t reply to your last comment. I think the thread hit max depth so I am replying here.
  
  That is a good point though. You have two potential issues, it either stores the IP forever, or removes it in the middle of the migration. Not sure how postgre handles that kind of security. Might block the migration from finishing and you end up with part of the update.
  
  Are you removing the list of authenticated IPs at the end of every deployment? That may break another deployment if it is past the step that grants access to that list.
  
  I am a bit worried about this solution now. As of now, we only have one deployment pipeline, but plan on migrating to a microservice architecture, which could significantly increase the number of potential concurrent deployments.
  
  I wish we could just have a dedicated IP for CI. That would solve everything. I am confused how this is not a bigger issue. I feel like this is a common problem people would face.
  
  I agree though, granting access to that list of IPs is not a big security list due to db authentication. Maybe we just permanently authenticate their list of IPs. Unless that list of IPs change often, which they might, I don’t see that as a bad solution. I have to this about this more. :/
  
  Reply Report
  
  vashchukmaksim November 29, 2020
  
  Yes, exactly, you are correct. I have already faced that issue while deploying two services with migrations at the same time. Since we are currently in the launch phase as well, that is fine to deploy only one service at a time so I didn’t think about how to solve this issue.
  
  Personally, I don’t like the idea to add all public CI IPs range to the white list. To have another droplet, as you suggested before, looks like a better alternative to me. The only problem I see here is that we separate that logic from CI process (e.g. how to cancel migration if deployment failed?). Looks like we need an extra layer of abstraction in order to sync these processes, which makes the whole solution more complicated. Probably there is an easy way to do it, don’t know.
  
  For now, I would stick to the above solution with just one deployment at a time and probably will fix the issue with some outer script that resets IPs white list when no deployments are running. For the future will aim to have a static IP for CI solution which looks the clearest way to deal with it.
  
  Reply Report

Related

Question

Deploy Changes to Database Cluster

Related

Leave a comment

Looking for something else?

Sign up for our newsletter

Related

Question

Deploy Changes to Database Cluster

Related

Leave a comment

Related

question

How did my database got hacked ?

question

iTunes is blocking my Digital Ocean droplet

question

How do I add IP addresses to 'pg_hba.conf'?

question

Why is Upload & Download Speed of Droplets so unreliable?

Looking for something else?