OPSEXP-2637: refactor postgres role to generate syncservice database …
…credentials only when needed (#894)
alxgomz authored Jul 3, 2024
1 parent 70fb9fd commit 686bbf9
Showing 11 changed files with 227 additions and 122 deletions.
4 changes: 2 additions & 2 deletions .secrets.baseline
Expand Up @@ -144,7 +144,7 @@
"filename": "playbooks/acs.yml",
"hashed_secret": "3a0b8a438a9efa61267357269709a946d797b9bd",
"is_verified": false,
"line_number": 404,
"line_number": 433,
"is_secret": false
}
],
Expand Down Expand Up @@ -259,5 +259,5 @@
}
]
},
"generated_at": "2024-06-28T13:00:16Z"
"generated_at": "2024-07-03T08:58:42Z"
}
55 changes: 42 additions & 13 deletions playbooks/acs.yml
Expand Up @@ -3,15 +3,15 @@
hosts: all:!external
gather_facts: true
tasks:
- name: Compare host OS with supported matrix
vars:
os_versions: "{{ supported_os[ansible_distribution].versions | default([]) }}"
ansible.builtin.fail:
msg:
- "{{ ansible_distribution }} {{ ansible_distribution_version }} is not a supported OS"
when:
- not (skip_os_test | default(false) | bool)
- ansible_distribution_version | float not in os_versions
- name: Compare host OS with supported matrix
vars:
os_versions: "{{ supported_os[ansible_distribution].versions | default([]) }}"
ansible.builtin.fail:
msg:
- "{{ ansible_distribution }} {{ ansible_distribution_version }} is not a supported OS"
when:
- not (skip_os_test | default(false) | bool)
- ansible_distribution_version | float not in os_versions

- name: Populate facts
ansible.builtin.import_playbook: facts.yml
Expand Down Expand Up @@ -51,16 +51,45 @@
identity_url: "{{ alfresco_url }}/auth"

- name: Database Role
hosts: database
hosts: database[0]
gather_facts: false
roles:
- role: "../roles/postgres"
when: repo_db_url == "" or sync_db_url == ""
vars:
pg_role: "../roles/postgres"
create_repo_db: >-
{{ (repo_db_url == "") | ansible.builtin.bool }}
create_sync_db: >-
{{ (sync_db_url == "" and groups.syncservice | default([]) | length > 0) | ansible.builtin.bool }}
tasks:
- name: Install Postgres
ansible.builtin.include_role:
name: "{{ pg_role }}"
when: create_repo_db or create_sync_db
- name: Setup repository database
ansible.builtin.include_role:
name: "{{ pg_role }}"
tasks_from: setup_db
vars:
postgres_db_name: "{{ repo_db_name }}"
postgres_db_username: "{{ repo_db_username }}"
postgres_db_password: "{{ repo_db_password }}"
postgres_db_clients: "{{ groups.repository }}"
when: create_repo_db
- name: Setup sync database
ansible.builtin.include_role:
role: "{{ pg_role }}"
tasks_from: setup_db
vars:
postgres_db_name: "{{ sync_db_name }}"
postgres_db_username: "{{ sync_db_username }}"
postgres_db_password: "{{ sync_db_password }}"
postgres_db_clients: "{{ groups.syncservice }}"
when: create_sync_db
post_tasks:
- name: Make sure PostgreSQL is running
ansible.builtin.service:
name: "{{ postgresql_service }}"
state: started
when: create_repo_db or create_sync_db
tags:
- database

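Review bot: The "Setup sync database" task hands the role to include_role as `role: "{{ pg_role }}"`, whereas the two sibling includes in this hunk use `name:`; `ansible.builtin.include_role` only accepts `name`, so this task fails with an unsupported-parameter error on the first inventory that has syncservice hosts, which is precisely the path this commit sets up. Change that line to `name: "{{ pg_role }}"`. The molecule scenario in roles/postgres/molecule/default/converge.yml uses `name:` throughout, so it would not catch this. The play starts inside the hunk and ends with the `tags:` context lines, so nothing of it lies outside this view.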
10 changes: 7 additions & 3 deletions playbooks/secrets-init.yml
Expand Up @@ -21,8 +21,8 @@
ansible.builtin.shell:
executable: /bin/bash
cmd: |
set -o pipefail
head -1 {{ secrets_file }} | grep -q \$ANSIBLE_VAULT
set -o pipefail
head -1 {{ secrets_file }} | grep -q \$ANSIBLE_VAULT
register: peek_encrypted_file_vault
failed_when: "peek_encrypted_file_vault.rc not in [0, 1]"
changed_when: false
Expand Down Expand Up @@ -59,7 +59,6 @@
ansible.builtin.set_fact:
password_loop:
- repo_db_password
- sync_db_password

- name: Check if inventory is provided
ansible.builtin.set_fact:
Expand Down Expand Up @@ -95,6 +94,11 @@
password_loop: "{{ password_loop + ['identity_admin_password'] }}"
when: (((groups.identity | default([])) + (groups.external_identity | default([]))) | length > 0) or empty_inventory

- name: Append password_loop when sync_db_password is needed
ansible.builtin.set_fact:
password_loop: "{{ password_loop + ['sync_db_password'] }}"
when: ((groups.syncservice | default([])) | length > 0) or empty_inventory

- name: Populate secrets.yml with missing secrets
ansible.builtin.shell: "{{ base_folder }}/scripts/generate-secret.sh -s {{ item }} -m {{ gs_mode }} >> {{ secrets_file }}"
changed_when: true
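Review bot: The condition `((groups.syncservice | default([])) | length > 0) or empty_inventory` on the new "Append password_loop" task is one of four separate spellings of "a sync database is needed" in this commit (the new assert and the set_fact guard in playbooks/secrets.yml, and `create_sync_db` in playbooks/acs.yml are the others); if they drift apart a password is generated but never asserted, or asserted but never generated. Consider computing one fact once, e.g. `sync_db_needed: "{{ (groups.syncservice | default([])) | length > 0 }}"`, in a place every playbook already loads (playbooks/acs.yml imports facts.yml early), and referencing it from all four sites. `empty_inventory` is presumably set by the earlier "Check if inventory is provided" task, whose body is outside this hunk.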
9 changes: 8 additions & 1 deletion playbooks/secrets.yml
Expand Up @@ -49,7 +49,6 @@
ansible.builtin.assert:
that:
- repo_db_password is defined and repo_db_password | length > 0
- sync_db_password is defined and sync_db_password | length > 0
msg: "Mandatory secrets are missing from vars/secrets.yml file.
If this is a test environment, you can autogenerate them setting
the autogen_unsecure_secrets variable to yes. Otherwise, please take a look
Expand All @@ -63,6 +62,13 @@
quiet: true
when: ((groups.activemq | default([])) + (groups.external_activemq | default([]))) | length > 0

- name: Ensure sync_db_password is set when required
ansible.builtin.assert:
that: sync_db_password is defined and sync_db_password | length > 0
msg: "sync_db_password must have been already set at this point"
quiet: true
when: (groups.syncservice | default([])) | length > 0

- name: Ensure ca_signing_key_passphrase is set when required
ansible.builtin.assert:
that: ca_signing_key_passphrase is defined and ca_signing_key_passphrase | length > 0
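Review bot: The failure message on the new sync_db_password assert, `sync_db_password must have been already set at this point`, tells the operator nothing about how to fix it, while the repo_db_password message in the preceding hunk points at vars/secrets.yml and the autogen_unsecure_secrets switch. Suggest `msg: "sync_db_password is required because the inventory contains syncservice hosts; add it to vars/secrets.yml or set autogen_unsecure_secrets"`. The `when:` guard here matches the one added to the set_fact at the end of the file, which is the pairing that has to be kept in step.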
Expand Down Expand Up @@ -122,6 +128,7 @@
- name: Set sync_db_password secret
ansible.builtin.set_fact:
sync_db_password: "{{ hostvars.localhost.sync_db_password }}"
when: (groups.syncservice | default([])) | length > 0

- name: Set secrets for ActiveMQ auth
hosts: activemq:repository:transformers:syncservice:search_enterprise
28 changes: 28 additions & 0 deletions roles/postgres/meta/argument_specs.yml
@@ -0,0 +1,28 @@
---
argument_specs:
setup_db:
short_description: Configure PostgreSQL database
options:
postgres_db_name:
type: str
required: true
description: |
Name of the database to be created
postgres_db_username:
type: str
required: true
description: |
Username of the database user
postgres_db_password:
type: str
required: true
description: |
Password of the database user
postgres_db_clients:
type: list
elements: str
required: true
description: |
List of clients that are allowed to connect to the database
Each client must be an host inventory for which facts have been
gathered (in particular ansible_default_ipv4.address)
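Review bot: `postgres_db_password` is declared as a plain `type: str` option with nothing marking it as sensitive; role argument specs accept `no_log` per option, and without it the value can be echoed by argument validation output or by anything that dumps the validated vars. Add `no_log: true` under `postgres_db_password`, mirroring the `no_log: true` the postgresql_user task in tasks/setup_db.yml already sets. The `postgres_db_clients` description would also read better if it said what the entries actually are, since setup_db.yml resolves them through hostvars: `Inventory hostnames of the clients allowed to connect; facts (ansible_default_ipv4.address) must already have been gathered for each of them`.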
22 changes: 20 additions & 2 deletions roles/postgres/molecule/default/converge.yml
Expand Up @@ -2,6 +2,24 @@
- name: Converge
hosts: all
tasks:
- name: "Include roles/postgres"
- name: Install PostgreSQL
ansible.builtin.include_role:
name: "postgres"
name: postgres
- name: Configure repo database
ansible.builtin.include_role:
name: postgres
tasks_from: setup_db
vars:
postgres_db_name: alfresco
postgres_db_username: alfresco
postgres_db_password: alfresco
postgres_db_clients: "{{ groups.syncservice }}"
- name: Configure sync database
ansible.builtin.include_role:
name: postgres
tasks_from: setup_db
vars:
postgres_db_name: alfresco-sync
postgres_db_username: alfresco-sync
postgres_db_password: alfresco
postgres_db_clients: "{{ groups.syncservice }}"
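Review bot: The "Configure repo database" include sets `postgres_db_clients: "{{ groups.syncservice }}"`, the same value as the sync task below it, which looks like a copy-paste; the scenario therefore never exercises two databases with different client lists, and if the molecule inventory defines no syncservice group both includes abort on an undefined variable before testing anything. Presumably the repo task should use whatever group stands for repository hosts in molecule/default's inventory (not visible here), or simply `"{{ groups.all }}"` if the scenario has a single host. The plaintext `alfresco` passwords are fine as test fixtures, but a comment saying so would stop secret scanners and readers from flagging them.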
88 changes: 7 additions & 81 deletions roles/postgres/tasks/main.yml
Expand Up @@ -4,6 +4,10 @@
loop: >-
{{ lookup('first_found', os_fallback, errors='ignore', wantlist=True) }}
- name: Set PostgreSQL service name as fact
ansible.builtin.set_fact:
postgresql_service: "{{ postgresql_service }}"

- name: Install PostgreSQL RDBMS
become: true
block:
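Review bot: The new "Set PostgreSQL service name as fact" task assigns `postgresql_service: "{{ postgresql_service }}"`, which reads as a no-op; it only makes sense once the reader knows the right-hand side is the role variable loaded by the include_vars just above and the left-hand side becomes a host fact that outlives the role (playbooks/acs.yml's post_tasks use it after include_role returns). A one-line comment would spare the next maintainer that detour, e.g. `# Promote the OS-specific service name to a host fact so the calling play can use it after the role has returned`. Note that the fact is only set from main.yml; tasks/setup_db.yml re-runs the same include_vars but not this set_fact, so a play that only includes `tasks_from: setup_db` will not have it.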
Expand All @@ -29,13 +33,13 @@
notify:
- Restart-postgresql
block:
- name: Configure postgresql to listen on all IP interfaces
- name: Configure PostgreSQL to listen on all IP interfaces
ansible.builtin.lineinfile:
path: "{{ postgresql_conf_path }}/postgresql.conf"
regexp: ^\s*listen_addresses\s*=
line: "listen_addresses = '{{ postgres_listen_addresses }}'"

- name: Custom postgresql Configuration
- name: Custom PostgreSQL Configuration
ansible.builtin.lineinfile:
path: "{{ postgresql_conf_path }}/postgresql.conf"
regexp: "^{{ item['line'] }}"
Expand All @@ -44,83 +48,5 @@
backup: true
with_items: "{{ postgres_config }}"

- name: Configure postgresql client auth
ansible.builtin.template:
src: "pg_hba.conf.j2"
dest: "{{ postgresql_conf_path }}/pg_hba.conf"
owner: postgres
group: postgres
mode: 'u=rw'

- name: Always flush after Configure PostgreSQL RDBMS block
- name: Flush handlers
ansible.builtin.meta: flush_handlers

- name: Configure PostgreSQL RDBMS
become: true
become_user: postgres
vars:
ansible_ssh_pipelining: true
block:
- name: Create necessary databases
community.postgresql.postgresql_db:
name: "{{ item }}"
loop:
- "{{ repo_db_name }}"
- "{{ sync_db_name }}"

- name: Revoke default access to public schema
community.postgresql.postgresql_privs:
db: "{{ item }}"
privs: ALL
type: schema
objs: public
role: public
state: absent
loop:
- "{{ repo_db_name }}"
- "{{ sync_db_name }}"
tags:
- molecule-idempotence-notest

- name: Create unprivileged users
community.postgresql.postgresql_user:
db: "{{ item.db }}"
name: "{{ item.user }}"
password: "{{ item.pwd }}"
expires: infinity
role_attr_flags: NOSUPERUSER
no_log: true
loop:
- db: "{{ repo_db_name }}"
user: "{{ repo_db_username }}"
pwd: "{{ repo_db_password }}"
- db: "{{ sync_db_name }}"
user: "{{ sync_db_username }}"
pwd: "{{ sync_db_password }}"
tags:
- molecule-idempotence-notest

- name: Grant db privileges to users
community.postgresql.postgresql_privs:
db: "{{ item.db }}"
privs: ALL
type: schema
objs: public
role: "{{ item.user }}"
loop:
- db: "{{ repo_db_name }}"
user: "{{ repo_db_username }}"
- db: "{{ sync_db_name }}"
user: "{{ sync_db_username }}"

- name: >-
Revoke {{ repo_db_username }} user access to
{{ sync_db_name }} database due to previous bug
community.postgresql.postgresql_user:
db: "{{ sync_db_name }}"
name: "{{ repo_db_username }}"
priv: "ALL"
state: absent
fail_on_user: false
tags:
- molecule-idempotence-notest
63 changes: 63 additions & 0 deletions roles/postgres/tasks/setup_db.yml
@@ -0,0 +1,63 @@
---
- name: Include OS specific variables
ansible.builtin.include_vars: "{{ item }}"
loop: >-
{{ lookup('first_found', os_fallback, errors='ignore', wantlist=True) }}
- name: Configure PostgreSQL client auth
become: true
notify:
- Restart-postgresql
ansible.builtin.blockinfile:
path: "{{ postgresql_conf_path }}/pg_hba.conf"
block: |
{% for host in postgres_db_clients | map('extract', hostvars, ['ansible_default_ipv4', 'address']) %}
host {{ postgres_db_name }} {{ postgres_db_username }} {{ host }}/32 md5
{% endfor %}
marker: >-
# {mark} ANSIBLE MANAGED: allow {{ postgres_db_clients | join(", ") }} to connect to {{ postgres_db_name }} as {{ postgres_db_username }}
owner: postgres
group: postgres
mode: "u=rw"

- name: Configure PostgreSQL database
become: true
become_user: postgres
vars:
ansible_ssh_pipelining: true
block:
- name: Create database
community.postgresql.postgresql_db:
name: "{{ postgres_db_name }}"

- name: Revoke default access to public schema
community.postgresql.postgresql_privs:
db: "{{ postgres_db_name }}"
privs: ALL
type: schema
objs: public
role: public
state: absent
tags:
- molecule-idempotence-notest

- name: Create unprivileged user
community.postgresql.postgresql_user:
db: "{{ postgres_db_name }}"
name: "{{ postgres_db_username }}"
password: "{{ postgres_db_password }}"
expires: infinity
role_attr_flags: NOSUPERUSER
no_log: true
tags:
- molecule-idempotence-notest

- name: Grant db privileges to user
community.postgresql.postgresql_privs:
db: "{{ postgres_db_name }}"
privs: ALL
type: schema
objs: public
role: "{{ postgres_db_username }}"
tags:
- molecule-idempotence-notest
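Review bot: Client authentication is now appended to pg_hba.conf with blockinfile in the "Configure PostgreSQL client auth" task, whereas the template task removed from tasks/main.yml rendered the whole file from the now-deleted pg_hba.conf.j2; as a result whatever rules the distribution package ships in pg_hba.conf, plus any rules a previous run of the template left behind, stay in force next to the managed block. The role should either keep owning the base file (e.g. render a minimal pg_hba.conf from main.yml and add the per-database block here) or state in the role docs that the packaged defaults are accepted as the baseline. The auth method in the managed line is hard-coded to `md5`; a role variable such as `postgres_db_auth_method` defaulting to `scram-sha-256` (available since PostgreSQL 10) would make md5 an explicit opt-in. A pg_hba.conf edit only needs a configuration reload, so notifying `Restart-postgresql` (defined outside this view) restarts a live database for a change that does not require it.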
11 changes: 0 additions & 11 deletions roles/postgres/templates/pg_hba.conf.j2

This file was deleted.

