From e333047ab161660e92873ad994b92944531709c1 Mon Sep 17 00:00:00 2001 From: Alexandre Chapellon Date: Thu, 20 Jun 2024 16:54:17 +0200 Subject: [PATCH 01/25] add condition for sync db password --- playbooks/secrets-init.yml | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/playbooks/secrets-init.yml b/playbooks/secrets-init.yml index bcdd9b62e..505b40817 100644 --- a/playbooks/secrets-init.yml +++ b/playbooks/secrets-init.yml @@ -21,8 +21,8 @@ ansible.builtin.shell: executable: /bin/bash cmd: | - set -o pipefail - head -1 {{ secrets_file }} | grep -q \$ANSIBLE_VAULT + set -o pipefail + head -1 {{ secrets_file }} | grep -q \$ANSIBLE_VAULT register: peek_encrypted_file_vault failed_when: "peek_encrypted_file_vault.rc not in [0, 1]" changed_when: false @@ -95,6 +95,11 @@ password_loop: "{{ password_loop + ['identity_admin_password'] }}" when: (((groups.identity | default([])) + (groups.external_identity | default([]))) | length > 0) or empty_inventory + - name: Append password_loop when sync_db_password is needed + ansible.builtin.set_fact: + password_loop: "{{ password_loop + ['sync_db_password'] }}" + when: ((groups.syncservice | default([])) | length > 0) or empty_inventory + - name: Populate secrets.yml with missing secrets ansible.builtin.shell: "{{ base_folder }}/scripts/generate-secret.sh -s {{ item }} -m {{ gs_mode }} >> {{ secrets_file }}" changed_when: true From f7eaf0b5ac76c20fef6c0d88f87e6ac04b5c3ef2 Mon Sep 17 00:00:00 2001 From: Alexandre Chapellon Date: Wed, 26 Jun 2024 09:04:16 +0200 Subject: [PATCH 02/25] postgres - add argument specs fot db setup --- roles/postgres/meta/argument_specs.yml | 27 ++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 roles/postgres/meta/argument_specs.yml diff --git a/roles/postgres/meta/argument_specs.yml b/roles/postgres/meta/argument_specs.yml new file mode 100644 index 000000000..dee2e13ab --- /dev/null +++ b/roles/postgres/meta/argument_specs.yml 
@@ -0,0 +1,27 @@ +--- +setup_db: +short_description: Configure PostgreSQL database +options: + postgres_db_name: + type: str + required: true + description: | + Name of the database to be created + postgres_db_username: + type: str + required: true + description: | + Username of the database user + postgres_db_password: + type: str + required: true + description: | + Password of the database user + postgres_db_clients: + type: list + elements: dict + required: true + description: | + List of clients that are allowed to connect to the database + Each client should have the following keys: + - ansible_default_ipv4.address: IP address of the client From 9339a693db4d60a8ad2f87eea08469a235e14a5e Mon Sep 17 00:00:00 2001 From: Alexandre Chapellon Date: Wed, 26 Jun 2024 09:05:21 +0200 Subject: [PATCH 03/25] postgres - add setup db tasks --- roles/postgres/tasks/setup_db.yml | 64 +++++++++++++++++++++++++++++++ 1 file changed, 64 insertions(+) create mode 100644 roles/postgres/tasks/setup_db.yml diff --git a/roles/postgres/tasks/setup_db.yml b/roles/postgres/tasks/setup_db.yml new file mode 100644 index 000000000..fb5a36dc3 --- /dev/null +++ b/roles/postgres/tasks/setup_db.yml 
@@ -0,0 +1,64 @@ +--- +- name: Include OS specific variables + ansible.builtin.include_vars: "{{ item }}" + loop: >- + {{ lookup('first_found', os_fallback, errors='ignore', wantlist=True) }} + +- name: Configure postgresql client auth + become: true + notify: + - Restart-postgresql + ansible.builtin.blockinfile: + path: "{{ postgresql_conf_path }}/pg_hba.conf" + block: | + {% for host in postgres_db_clients | map('extract', hostvars, ['ansible_default_ipv4', 'address']) %} + host {{ postgres_db_name }} {{ postgres_db_username }} {{ host }}/32 md5 + {% endfor %} + marker: | + # {mark} ANSIBLE MANAGED: + # allow {{ postgres_db_clients | join(", ") }} to connect to {{ postgres_db_name }} as {{ postgres_db_username }} + owner: postgres + group: postgres + mode: "u=rw" + +- name: Configure PostgreSQL database + become: true + become_user: postgres + vars: + ansible_ssh_pipelining: true + block: + - name: Create necessary databases + community.postgresql.postgresql_db: + name: "{{ postgres_db_name }}" + + - name: Revoke default access to public schema + community.postgresql.postgresql_privs: + db: "{{ postgres_db_name }}" + privs: ALL + type: schema + objs: public + role: public + state: absent + tags: + - molecule-idempotence-notest + + - name: Create unprivileged users + community.postgresql.postgresql_user: + db: "{{ postgres_db_name }}" + name: "{{ postgres_db_username }}" + password: "{{ postgres_db_password }}" + expires: infinity + role_attr_flags: NOSUPERUSER + no_log: true + tags: + - molecule-idempotence-notest + + - name: Grant db privileges to users + community.postgresql.postgresql_privs: + db: "{{ postgres_db_name }}" + privs: ALL + type: schema + objs: public + role: "{{ postgres_db_username }}" + tags: + - molecule-idempotence-notest From 0e7ce57579389e0bc64793ade622dae22f981091 Mon Sep 17 00:00:00 2001 
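Review bot: The blockinfile `marker` in `Configure postgresql client auth` interpolates `postgres_db_clients`, so once a host leaves the group the block written earlier (whose marker names the old list) no longer matches and its `host … md5` lines stay in pg_hba.conf; that host keeps its grant until the file is edited by hand. A marker that identifies only the database/user pair keeps one managed block per pair and lets removals take effect, e.g. `marker: "# {mark} ANSIBLE MANAGED: {{ postgres_db_name }}/{{ postgres_db_username }} client access"`, with the client list moved to a comment line inside `block:` if it is still wanted. The same marker shape survives the single-line rewrite in PATCH 13 (`marker: >-`), so the point applies there too. Separately, `md5` is the legacy password method; `scram-sha-256` is preferable when the server's `password_encryption` allows it, which this hunk does not show.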
From: Alexandre Chapellon Date: Wed, 26 Jun 2024 09:06:46 +0200 Subject: [PATCH 04/25] postgres - move db setup tasks to dedicated endpoint --- roles/postgres/tasks/main.yml | 77 +---------------------------------- 1 file changed, 2 insertions(+), 75 deletions(-) diff --git a/roles/postgres/tasks/main.yml b/roles/postgres/tasks/main.yml index 699fb6bce..72e3999ee 100644 --- a/roles/postgres/tasks/main.yml +++ b/roles/postgres/tasks/main.yml 
@@ -44,83 +44,10 @@ backup: true with_items: "{{ postgres_config }}" - - name: Configure postgresql client auth + - name: Configure basic postgresql client auth ansible.builtin.template: src: "pg_hba.conf.j2" dest: "{{ postgresql_conf_path }}/pg_hba.conf" owner: postgres group: postgres - mode: 'u=rw' - -- name: Always flush after Configure PostgreSQL RDBMS block - ansible.builtin.meta: flush_handlers - -- name: Configure PostgreSQL RDBMS - become: true - become_user: postgres - vars: - ansible_ssh_pipelining: true - block: - - name: Create necessary databases - community.postgresql.postgresql_db: - name: "{{ item }}" - loop: - - "{{ repo_db_name }}" - - "{{ sync_db_name }}" - - - name: Revoke default access to public schema - community.postgresql.postgresql_privs: - db: "{{ item }}" - privs: ALL - type: schema - objs: public - role: public - state: absent - loop: - - "{{ repo_db_name }}" - - "{{ sync_db_name }}" - tags: - - molecule-idempotence-notest - - - name: Create unprivileged users - community.postgresql.postgresql_user: - db: "{{ item.db }}" - name: "{{ item.user }}" - password: "{{ item.pwd }}" - expires: infinity - role_attr_flags: NOSUPERUSER - no_log: true - loop: - - db: "{{ repo_db_name }}" - user: "{{ repo_db_username }}" - pwd: "{{ repo_db_password }}" - - db: "{{ sync_db_name }}" - user: "{{ sync_db_username }}" - pwd: "{{ sync_db_password }}" - tags: - - molecule-idempotence-notest - - - name: Grant db privileges to users - community.postgresql.postgresql_privs: - db: "{{ item.db }}" - privs: ALL - type: schema - objs: public - role: "{{ item.user }}" - loop: - - db: "{{ repo_db_name }}" - user: "{{ repo_db_username }}" - - db: "{{ sync_db_name }}" - user: "{{ sync_db_username }}" - - - name: >- - Revoke {{ repo_db_username }} user access to - {{ sync_db_name }} database due to previous bug - community.postgresql.postgresql_user: - db: "{{ sync_db_name }}" - name: "{{ repo_db_username }}" - priv: "ALL" - state: absent - fail_on_user: false - 
tags: - - molecule-idempotence-notest + mode: "u=rw" From b05068596dd21cd05bf2c67c807816adba36ca34 Mon Sep 17 00:00:00 2001 From: Alexandre Chapellon Date: Wed, 26 Jun 2024 09:07:22 +0200 Subject: [PATCH 05/25] postgres - update pg_hba template --- roles/postgres/templates/pg_hba.conf.j2 | 4 ---- 1 file changed, 4 deletions(-) diff --git a/roles/postgres/templates/pg_hba.conf.j2 b/roles/postgres/templates/pg_hba.conf.j2 index 738c08859..1bdf24a41 100644 --- a/roles/postgres/templates/pg_hba.conf.j2 +++ b/roles/postgres/templates/pg_hba.conf.j2 @@ -5,7 +5,3 @@ # See: https://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html local all postgres peer host all all 127.0.0.1/32 md5 -{% for host in repo_hosts | map(attribute='local_addr') %} -host {{ repo_db_name }} {{ repo_db_username }} {{ host }}/32 md5 -{% endfor %} -host {{ sync_db_name }} {{ sync_db_username }} {{ sync_host }}/32 md5 From 7bd0ba6990f7c90ba90739f2f74edb66cac904c5 Mon Sep 17 00:00:00 2001 From: Alexandre Chapellon Date: Wed, 26 Jun 2024 09:10:19 +0200 Subject: [PATCH 06/25] postgres - amend molecule role test --- roles/postgres/molecule/default/converge.yml | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/roles/postgres/molecule/default/converge.yml b/roles/postgres/molecule/default/converge.yml index 87cd8277d..479b45f7c 100644 --- a/roles/postgres/molecule/default/converge.yml +++ b/roles/postgres/molecule/default/converge.yml @@ -2,6 +2,15 @@ - name: Converge hosts: all tasks: - - name: "Include roles/postgres" + - name: Install PostgreSQL ansible.builtin.include_role: - name: "postgres" + name: postgres + - name: Configure database + ansible.builtin.include_role: + name: postgres + tasks_from: setup_db + vars: + postgres_db_name: mydb + postgres_db_username: myuser + postgres_db_password: mypassword # pragma: allowlist secret + postgres_db_clients: "{{ groups.syncservice }}" From 3eddb4684a5c722ebf1659bc6db22cd5e823784f Mon Sep 17 00:00:00 2001 
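Review bot: The `Revoke {{ repo_db_username }} user access to {{ sync_db_name }} database due to previous bug` task is removed with the rest of the block but has no counterpart in the new `setup_db.yml`, so a host upgraded from a release affected by that bug keeps the repository user's privileges on the sync database. If the remediation is still needed it belongs in the sync-database `setup_db` invocation or a one-off migration task; if it is intentionally retired, the commit message should say so. The hunk also drops the `Always flush after Configure PostgreSQL RDBMS block` `flush_handlers`, so the `Restart-postgresql` handler notified by the configuration tasks no longer runs before a caller reaches `setup_db`, and the database tasks may run against a server that has not yet reloaded its configuration.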
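Review bot: `postgres_db_clients: "{{ groups.syncservice }}"` in the postgres role's own molecule scenario raises an undefined-variable error unless that scenario's inventory defines a `syncservice` group, which this hunk does not show; the play targets `hosts: all`, so the database host itself is the only candidate client. Either point the variable at a group the scenario is known to define or guard it, `postgres_db_clients: "{{ groups.syncservice | default([]) }}"`, accepting that an empty list writes a block with no `host` lines.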
From: Alexandre Chapellon Date: Wed, 26 Jun 2024 09:11:02 +0200 Subject: [PATCH 07/25] sync - amend molecule role test --- roles/sync/molecule/default/converge.yml | 37 +++++++++++++++++++----- 1 file changed, 30 insertions(+), 7 deletions(-) diff --git a/roles/sync/molecule/default/converge.yml b/roles/sync/molecule/default/converge.yml index d25d73891..51b001b6f 100644 --- a/roles/sync/molecule/default/converge.yml +++ b/roles/sync/molecule/default/converge.yml @@ -1,13 +1,36 @@ --- - name: Converge hosts: all - roles: - - role: postgres - - role: activemq - - role: repository - repository_properties: "{{ global_properties }}" - - role: nginx - - role: sync + tasks: + - ansible.builtin.include_role: + name: postgres + - ansible.builtin.meta: flush_handlers + - ansible.builtin.include_role: + name: postgres + tasks_from: setup_db + vars: + postgres_db_name: "{{ repo_db_name }}" + postgres_db_username: "{{ repo_db_username }}" + postgres_db_password: "{{ repo_db_password }}" + postgres_db_clients: "{{ groups.repository }}" + - ansible.builtin.include_role: + name: postgres + tasks_from: setup_db + vars: + postgres_db_name: "{{ sync_db_name }}" + postgres_db_username: "{{ sync_db_username }}" + postgres_db_password: "{{ sync_db_password }}" + postgres_db_clients: "{{ groups.syncservice }}" + - ansible.builtin.include_role: + name: activemq + - ansible.builtin.include_role: + name: repository + vars: + repository_properties: "{{ global_properties }}" + - ansible.builtin.include_role: + name: nginx + - ansible.builtin.include_role: + name: sync vars: sync_environment: JAVA_OPTS: From 3e33bccde837ece8554872e3213e713b7716d03c Mon Sep 17 00:00:00 2001 From: Alexandre Chapellon Date: Wed, 26 Jun 2024 09:12:09 +0200 Subject: [PATCH 08/25] use new postgres setup_db endpoint in main playbook --- .secrets.baseline | 145 +--------------------------------------------- playbooks/acs.yml | 51 +++++++++++----- 2 files changed, 40 insertions(+), 156 deletions(-) 
diff --git a/.secrets.baseline b/.secrets.baseline index 012eb86d5..892821cea 100644 --- a/.secrets.baseline +++ b/.secrets.baseline 
@@ -117,147 +117,6 @@ ] } ], - "results": { - "molecule/default/create.yml": [ - { - "type": "Secret Keyword", - "filename": "molecule/default/create.yml", - "hashed_secret": "6b42874e3cd20771d93096ec5ce36307a1f2ba14", - "is_verified": false, - "line_number": 240, - "is_secret": false - } - ], - "molecule/pki/host_vars/localhost.yaml": [ - { - "type": "Secret Keyword", - "filename": "molecule/pki/host_vars/localhost.yaml", - "hashed_secret": "5ffe533b830f08a0326348a9160afafc8ada44db", - "is_verified": false, - "line_number": 2, - "is_secret": false - } - ], - "playbooks/acs.yml": [ - { - "type": "Secret Keyword", - "filename": "playbooks/acs.yml", - "hashed_secret": "3a0b8a438a9efa61267357269709a946d797b9bd", - "is_verified": false, - "line_number": 404, - "is_secret": false - } - ], - "roles/activemq/molecule/default/tests/test_activemq.py": [ - { - "type": "Secret Keyword", - "filename": "roles/activemq/molecule/default/tests/test_activemq.py", - "hashed_secret": "5316033288e30573a91a5401b359fa398f56bf17", - "is_verified": false, - "line_number": 18, - "is_secret": false - } - ], - "roles/identity/molecule/default/converge.yml": [ - { - "type": "Secret Keyword", - "filename": "roles/identity/molecule/default/converge.yml", - "hashed_secret": "76b90e2bab0dda9507c2c61ac09281d6cf1ea41e", - "is_verified": false, - "line_number": 5, - "is_secret": false - } - ], - "roles/repository/tasks/main.yml": [ - { - "type": "Secret Keyword", - "filename": "roles/repository/tasks/main.yml", - "hashed_secret": "0eeb6b7bb932e8594b4ffe039dc15332f670cbd9", - "is_verified": false, - "line_number": 91, - "is_secret": false - } - ], - "roles/search/tasks/main.yml": [ - { - "type": "Secret Keyword", - "filename": "roles/search/tasks/main.yml", - "hashed_secret": "0eeb6b7bb932e8594b4ffe039dc15332f670cbd9", - "is_verified": false, - "line_number": 20, - "is_secret": false - } - ], - "roles/search_enterprise/tasks/main.yml": [ - { - "type": "Secret Keyword", - "filename": 
"roles/search_enterprise/tasks/main.yml", - "hashed_secret": "0eeb6b7bb932e8594b4ffe039dc15332f670cbd9", - "is_verified": false, - "line_number": 9, - "is_secret": false - } - ], - "roles/sfs/tasks/main.yml": [ - { - "type": "Secret Keyword", - "filename": "roles/sfs/tasks/main.yml", - "hashed_secret": "0eeb6b7bb932e8594b4ffe039dc15332f670cbd9", - "is_verified": false, - "line_number": 30, - "is_secret": false - } - ], - "roles/sync/tasks/configure.yml": [ - { - "type": "Secret Keyword", - "filename": "roles/sync/tasks/configure.yml", - "hashed_secret": "f9ca4692ba0f45125d7285c559427aa1306e1f7c", - "is_verified": false, - "line_number": 31, - "is_secret": false - } - ], - "roles/sync/tasks/main.yml": [ - { - "type": "Secret Keyword", - "filename": "roles/sync/tasks/main.yml", - "hashed_secret": "0eeb6b7bb932e8594b4ffe039dc15332f670cbd9", - "is_verified": false, - "line_number": 12, - "is_secret": false - } - ], - "roles/transformers/tasks/main.yml": [ - { - "type": "Secret Keyword", - "filename": "roles/transformers/tasks/main.yml", - "hashed_secret": "0eeb6b7bb932e8594b4ffe039dc15332f670cbd9", - "is_verified": false, - "line_number": 103, - "is_secret": false - } - ], - "roles/trouter/tasks/main.yml": [ - { - "type": "Secret Keyword", - "filename": "roles/trouter/tasks/main.yml", - "hashed_secret": "0eeb6b7bb932e8594b4ffe039dc15332f670cbd9", - "is_verified": false, - "line_number": 85, - "is_secret": false - } - ], - "tests/molecule_it/script.sh": [ - { - "type": "Secret Keyword", - "filename": "tests/molecule_it/script.sh", - "hashed_secret": "6ed69624421f60a794037509fd6990189ea2997a", - "is_verified": false, - "line_number": 11, - "is_secret": false - } - ] - }, - "generated_at": "2024-06-28T13:00:16Z" + "results": {}, + "generated_at": "2024-07-01T17:12:19Z" } diff --git a/playbooks/acs.yml b/playbooks/acs.yml index b81e77877..66e16ee66 100644 --- a/playbooks/acs.yml +++ b/playbooks/acs.yml 
@@ -3,15 +3,15 @@ hosts: all:!external gather_facts: true tasks: - - name: Compare host OS with supported matrix - vars: - os_versions: "{{ supported_os[ansible_distribution].versions | default([]) }}" - ansible.builtin.fail: - msg: - - "{{ ansible_distribution }} {{ ansible_distribution_version }} is not a supported OS" - when: - - not (skip_os_test | default(false) | bool) - - ansible_distribution_version | float not in os_versions + - name: Compare host OS with supported matrix + vars: + os_versions: "{{ supported_os[ansible_distribution].versions | default([]) }}" + ansible.builtin.fail: + msg: + - "{{ ansible_distribution }} {{ ansible_distribution_version }} is not a supported OS" + when: + - not (skip_os_test | default(false) | bool) + - ansible_distribution_version | float not in os_versions - name: Populate facts ansible.builtin.import_playbook: facts.yml 
@@ -51,16 +51,41 @@ identity_url: "{{ alfresco_url }}/auth" - name: Database Role - hosts: database + hosts: database[0] gather_facts: false - roles: - - role: "../roles/postgres" - when: repo_db_url == "" or sync_db_url == "" + vars: + pg_role: "roles/postgres" + tasks: + - name: Install Postgres + include_role: + name: "{{ pg_role }}" + when: repo_db_url != "" or (sync_db_url != "" and groups.syncservice | default([]) | length > 0) + - name: Setup repository database + include_role: + name: "{{ pg_role }}" + tasks_from: setup_db + vars: + postgres_db_name: "{{ repo_db_name }}" + postgres_db_username: "{{ repo_db_username }}" + postgres_db_password: "{{ repo_db_password }}" + postgres_db_clients: "{{ groups.repository }}" + when: repo_db_url != "" + - name: Setup sync database + include_role: + role: "{{ pg_role }}" + tasks_from: setup_db + vars: + postgres_db_name: "{{ sync_db_name }}" + postgres_db_username: "{{ sync_db_username }}" + postgres_db_password: "{{ sync_db_password }}" + postgres_db_clients: "{{ groups.syncservice }}" + when: sync_db_url != "" and groups.syncservice | default([]) | length > 0 post_tasks: - name: Make sure PostgreSQL is running ansible.builtin.service: name: "{{ postgresql_service }}" state: started + when: repo_db_url != "" or (sync_db_url != "" and groups.syncservice | default([]) | length > 0) tags: - database From c6d72dda5234e61cbf8e3d7cf6b119e7f9ee31cc Mon Sep 17 00:00:00 2001 From: Alexandre Chapellon Date: Wed, 26 Jun 2024 14:26:52 +0200 Subject: [PATCH 09/25] repository - amend molecule role test --- roles/repository/molecule/default/converge.yml | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/roles/repository/molecule/default/converge.yml b/roles/repository/molecule/default/converge.yml index db7e703a4..dbb6e555d 100644 --- a/roles/repository/molecule/default/converge.yml +++ b/roles/repository/molecule/default/converge.yml 
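Review bot: The `when: repo_db_url != ""` / `sync_db_url != ""` conditions on the three new tasks and on the `Make sure PostgreSQL is running` post_task install and configure PostgreSQL precisely when an external database URL is configured, which inverts the removed `when: repo_db_url == "" or sync_db_url == ""`; unless the meaning of `repo_db_url` changed elsewhere in the series, the embedded database is skipped in the default case and set up when it is not wanted, e.g. `when: repo_db_url == "" or (sync_db_url == "" and groups.syncservice | default([]) | length > 0)` on the install task. This play also has `gather_facts: false` while `setup_db` reads `hostvars[...].ansible_default_ipv4.address` for every entry of `groups.repository` and `groups.syncservice`, so it depends on facts cached by the earlier `facts.yml` import, which is outside the hunk; a play-level comment such as `# relies on facts gathered for repository/syncservice hosts in facts.yml` would make that dependency visible.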
@@ -1,8 +1,17 @@ --- - name: Converge hosts: all - roles: - - role: postgres + tasks: + - include_role: + name: postgres + - include_role: + name: postgres + tasks_from: setup_db + vars: + postgres_db_name: "{{ repo_db_name }}" + postgres_db_username: "{{ repo_db_username }}" + postgres_db_password: "{{ repo_db_password }}" + postgres_db_clients: "{{ groups.repository }}" - role: activemq activemq_version: "{{ dependencies_version.activemq }}" - role: repository From 441594c9d13221c40c4df7e07204640211a3e8ae Mon Sep 17 00:00:00 2001 From: Alexandre Chapellon Date: Mon, 1 Jul 2024 13:46:42 +0200 Subject: [PATCH 10/25] various fixes --- .secrets.baseline | 145 +++++++++++++++++- playbooks/acs.yml | 10 +- roles/postgres/meta/argument_specs.yml | 53 +++---- .../repository/molecule/default/converge.yml | 30 ++-- roles/sync/molecule/default/converge.yml | 25 +-- 5 files changed, 209 insertions(+), 54 deletions(-) diff --git a/.secrets.baseline b/.secrets.baseline index 892821cea..a63853c97 100644 --- a/.secrets.baseline +++ b/.secrets.baseline 
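Review bot: After this hunk the play's `tasks:` list still contains the `- role: activemq` and `- role: repository` entries (`- role: activemq` is the hunk's last context line), and `role:` is not a task keyword, so the playbook fails to load. The two entries either go back under a `roles:` key or become `ansible.builtin.include_role` tasks like the postgres ones; the latter also keeps the postgres install ahead of the repository role, which a `roles:` section would not.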
@@ -117,6 +117,147 @@ ] } ], - "results": {}, - "generated_at": "2024-07-01T17:12:19Z" + "results": { + "molecule/default/create.yml": [ + { + "type": "Secret Keyword", + "filename": "molecule/default/create.yml", + "hashed_secret": "6b42874e3cd20771d93096ec5ce36307a1f2ba14", + "is_verified": false, + "line_number": 240, + "is_secret": false + } + ], + "molecule/pki/host_vars/localhost.yaml": [ + { + "type": "Secret Keyword", + "filename": "molecule/pki/host_vars/localhost.yaml", + "hashed_secret": "5ffe533b830f08a0326348a9160afafc8ada44db", + "is_verified": false, + "line_number": 2, + "is_secret": false + } + ], + "playbooks/acs.yml": [ + { + "type": "Secret Keyword", + "filename": "playbooks/acs.yml", + "hashed_secret": "3a0b8a438a9efa61267357269709a946d797b9bd", + "is_verified": false, + "line_number": 431, + "is_secret": false + } + ], + "roles/activemq/molecule/default/tests/test_activemq.py": [ + { + "type": "Secret Keyword", + "filename": "roles/activemq/molecule/default/tests/test_activemq.py", + "hashed_secret": "5316033288e30573a91a5401b359fa398f56bf17", + "is_verified": false, + "line_number": 18, + "is_secret": false + } + ], + "roles/identity/molecule/default/converge.yml": [ + { + "type": "Secret Keyword", + "filename": "roles/identity/molecule/default/converge.yml", + "hashed_secret": "76b90e2bab0dda9507c2c61ac09281d6cf1ea41e", + "is_verified": false, + "line_number": 5, + "is_secret": false + } + ], + "roles/repository/tasks/main.yml": [ + { + "type": "Secret Keyword", + "filename": "roles/repository/tasks/main.yml", + "hashed_secret": "0eeb6b7bb932e8594b4ffe039dc15332f670cbd9", + "is_verified": false, + "line_number": 91, + "is_secret": false + } + ], + "roles/search/tasks/main.yml": [ + { + "type": "Secret Keyword", + "filename": "roles/search/tasks/main.yml", + "hashed_secret": "0eeb6b7bb932e8594b4ffe039dc15332f670cbd9", + "is_verified": false, + "line_number": 20, + "is_secret": false + } + ], + "roles/search_enterprise/tasks/main.yml": [ + { + 
"type": "Secret Keyword", + "filename": "roles/search_enterprise/tasks/main.yml", + "hashed_secret": "0eeb6b7bb932e8594b4ffe039dc15332f670cbd9", + "is_verified": false, + "line_number": 9, + "is_secret": false + } + ], + "roles/sfs/tasks/main.yml": [ + { + "type": "Secret Keyword", + "filename": "roles/sfs/tasks/main.yml", + "hashed_secret": "0eeb6b7bb932e8594b4ffe039dc15332f670cbd9", + "is_verified": false, + "line_number": 30, + "is_secret": false + } + ], + "roles/sync/tasks/configure.yml": [ + { + "type": "Secret Keyword", + "filename": "roles/sync/tasks/configure.yml", + "hashed_secret": "f9ca4692ba0f45125d7285c559427aa1306e1f7c", + "is_verified": false, + "line_number": 31, + "is_secret": false + } + ], + "roles/sync/tasks/main.yml": [ + { + "type": "Secret Keyword", + "filename": "roles/sync/tasks/main.yml", + "hashed_secret": "0eeb6b7bb932e8594b4ffe039dc15332f670cbd9", + "is_verified": false, + "line_number": 12, + "is_secret": false + } + ], + "roles/transformers/tasks/main.yml": [ + { + "type": "Secret Keyword", + "filename": "roles/transformers/tasks/main.yml", + "hashed_secret": "0eeb6b7bb932e8594b4ffe039dc15332f670cbd9", + "is_verified": false, + "line_number": 103, + "is_secret": false + } + ], + "roles/trouter/tasks/main.yml": [ + { + "type": "Secret Keyword", + "filename": "roles/trouter/tasks/main.yml", + "hashed_secret": "0eeb6b7bb932e8594b4ffe039dc15332f670cbd9", + "is_verified": false, + "line_number": 85, + "is_secret": false + } + ], + "tests/molecule_it/script.sh": [ + { + "type": "Secret Keyword", + "filename": "tests/molecule_it/script.sh", + "hashed_secret": "6ed69624421f60a794037509fd6990189ea2997a", + "is_verified": false, + "line_number": 11, + "is_secret": false + } + ] + }, + "generated_at": "2024-07-01T17:13:30Z" } diff --git a/playbooks/acs.yml b/playbooks/acs.yml index 66e16ee66..c7d4281f4 100644 --- a/playbooks/acs.yml +++ b/playbooks/acs.yml 
@@ -57,12 +57,14 @@ pg_role: "roles/postgres" tasks: - name: Install Postgres - include_role: + ansible.builtin.include_role: name: "{{ pg_role }}" when: repo_db_url != "" or (sync_db_url != "" and groups.syncservice | default([]) | length > 0) + - name: Flush handlers + ansible.builtin.meta: flush_handlers - name: Setup repository database - include_role: - name: "{{ pg_role }}" + ansible.builtin.include_role: + name: "{{ pg_role }}" tasks_from: setup_db vars: postgres_db_name: "{{ repo_db_name }}" @@ -71,7 +73,7 @@ postgres_db_clients: "{{ groups.repository }}" when: repo_db_url != "" - name: Setup sync database - include_role: + ansible.builtin.include_role: role: "{{ pg_role }}" tasks_from: setup_db vars: diff --git a/roles/postgres/meta/argument_specs.yml b/roles/postgres/meta/argument_specs.yml index dee2e13ab..c679841f6 100644 --- a/roles/postgres/meta/argument_specs.yml +++ b/roles/postgres/meta/argument_specs.yml 
@@ -1,27 +1,28 @@ --- -setup_db: -short_description: Configure PostgreSQL database -options: - postgres_db_name: - type: str - required: true - description: | - Name of the database to be created - postgres_db_username: - type: str - required: true - description: | - Username of the database user - postgres_db_password: - type: str - required: true - description: | - Password of the database user - postgres_db_clients: - type: list - elements: dict - required: true - description: | - List of clients that are allowed to connect to the database - Each client should have the following keys: - - ansible_default_ipv4.address: IP address of the client +argument_specs: + setup_db: + short_description: Configure PostgreSQL database + options: + postgres_db_name: + type: str + required: true + description: | + Name of the database to be created + postgres_db_username: + type: str + required: true + description: | + Username of the database user + postgres_db_password: + type: str + required: true + description: | + Password of the database user + postgres_db_clients: + type: list + elements: str + required: true + description: | + List of clients that are allowed to connect to the database + Each client must be an host inventory for which facts have been + gathered (in particular ansible_default_ipv4.address) diff --git a/roles/repository/molecule/default/converge.yml b/roles/repository/molecule/default/converge.yml index dbb6e555d..8bfbef8af 100644 --- a/roles/repository/molecule/default/converge.yml +++ b/roles/repository/molecule/default/converge.yml 
@@ -1,20 +1,26 @@ --- - name: Converge hosts: all + roles: + - role: activemq + activemq_version: "{{ dependencies_version.activemq }}" tasks: - - include_role: + - name: Install PostgreSQL + ansible.builtin.include_role: name: postgres - - include_role: + - name: Configure repository database + ansible.builtin.include_role: name: postgres tasks_from: setup_db vars: - postgres_db_name: "{{ repo_db_name }}" - postgres_db_username: "{{ repo_db_username }}" - postgres_db_password: "{{ repo_db_password }}" - postgres_db_clients: "{{ groups.repository }}" - - role: activemq - activemq_version: "{{ dependencies_version.activemq }}" - - role: repository - repository_properties: "{{ global_properties }}" - raw_properties: - - ../../configuration_files/alfresco-global.properties + postgres_db_name: "{{ repo_db_name }}" + postgres_db_username: "{{ repo_db_username }}" + postgres_db_password: "{{ repo_db_password }}" + postgres_db_clients: "{{ groups.repository }}" + - name: Install Alfresco repository + ansible.builtin.include_role: + name: repository + vars: + repository_properties: "{{ global_properties }}" + raw_properties: + - ../../configuration_files/alfresco-global.properties diff --git a/roles/sync/molecule/default/converge.yml b/roles/sync/molecule/default/converge.yml index 51b001b6f..baef6ae5d 100644 --- a/roles/sync/molecule/default/converge.yml +++ b/roles/sync/molecule/default/converge.yml @@ -1,11 +1,17 @@ --- - name: Converge hosts: all + roles: + - role: activemq + - role: nginx tasks: - - ansible.builtin.include_role: + - name: Install PostgreSQL + ansible.builtin.include_role: name: postgres - - ansible.builtin.meta: flush_handlers - - ansible.builtin.include_role: + - name: Flush handlers + ansible.builtin.meta: flush_handlers + - name: Setup repository database + ansible.builtin.include_role: name: postgres tasks_from: setup_db vars: 
@@ -13,7 +19,8 @@ postgres_db_username: "{{ repo_db_username }}" postgres_db_password: "{{ repo_db_password }}" postgres_db_clients: "{{ groups.repository }}" - - ansible.builtin.include_role: + - name: Setup sync database + ansible.builtin.include_role: name: postgres tasks_from: setup_db vars: @@ -21,15 +28,13 @@ postgres_db_username: "{{ sync_db_username }}" postgres_db_password: "{{ sync_db_password }}" postgres_db_clients: "{{ groups.syncservice }}" - - ansible.builtin.include_role: - name: activemq - - ansible.builtin.include_role: + - name: Install Alfresco repository + ansible.builtin.include_role: name: repository vars: repository_properties: "{{ global_properties }}" - - ansible.builtin.include_role: - name: nginx - - ansible.builtin.include_role: + - name: Install Alfresco sync service + ansible.builtin.include_role: name: sync vars: sync_environment: From 9aa6c0326ac5116554498ba8611ea7cfb29c2857 Mon Sep 17 00:00:00 2001 From: Alexandre Chapellon Date: Mon, 1 Jul 2024 14:04:49 +0200 Subject: [PATCH 11/25] move handler back to role --- .secrets.baseline | 4 ++-- playbooks/acs.yml | 2 -- roles/postgres/tasks/main.yml | 3 +++ 3 files changed, 5 insertions(+), 4 deletions(-) diff --git a/.secrets.baseline b/.secrets.baseline index a63853c97..d41fdcb62 100644 --- a/.secrets.baseline +++ b/.secrets.baseline @@ -144,7 +144,7 @@ "filename": "playbooks/acs.yml", "hashed_secret": "3a0b8a438a9efa61267357269709a946d797b9bd", "is_verified": false, - "line_number": 431, + "line_number": 429, "is_secret": false } ], @@ -259,5 +259,5 @@ } ] }, - "generated_at": "2024-07-01T17:13:30Z" + "generated_at": "2024-07-01T17:14:52Z" } diff --git a/playbooks/acs.yml b/playbooks/acs.yml index c7d4281f4..fe43ec295 100644 --- a/playbooks/acs.yml +++ b/playbooks/acs.yml 
@@ -60,8 +60,6 @@ ansible.builtin.include_role: name: "{{ pg_role }}" when: repo_db_url != "" or (sync_db_url != "" and groups.syncservice | default([]) | length > 0) - - name: Flush handlers - ansible.builtin.meta: flush_handlers - name: Setup repository database ansible.builtin.include_role: name: "{{ pg_role }}" diff --git a/roles/postgres/tasks/main.yml b/roles/postgres/tasks/main.yml index 72e3999ee..142477c2e 100644 --- a/roles/postgres/tasks/main.yml +++ b/roles/postgres/tasks/main.yml @@ -51,3 +51,6 @@ owner: postgres group: postgres mode: "u=rw" + +- name: Flush handlers + ansible.builtin.meta: flush_handlers From 7d3028b9c90d15b71818936a74c1efa618669bce Mon Sep 17 00:00:00 2001 From: Alexandre Chapellon Date: Mon, 1 Jul 2024 14:21:31 +0200 Subject: [PATCH 12/25] use blockinfile instead of template --- roles/postgres/tasks/main.yml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/roles/postgres/tasks/main.yml b/roles/postgres/tasks/main.yml index 142477c2e..13cc65db6 100644 --- a/roles/postgres/tasks/main.yml +++ b/roles/postgres/tasks/main.yml @@ -45,9 +45,12 @@ with_items: "{{ postgres_config }}" - name: Configure basic postgresql client auth - ansible.builtin.template: - src: "pg_hba.conf.j2" - dest: "{{ postgresql_conf_path }}/pg_hba.conf" + ansible.builtin.blockinfile: + path: "{{ postgresql_conf_path }}/pg_hba.conf" + marker: "# {mark} local connections allowed - Ansible managed block" + block: | + local all postgres peer + host all all 127.0.0.1/32 md5 owner: postgres group: postgres mode: "u=rw" From 7c9e9da6a0da6fb3d7eb5e044bd200cd889ea322 Mon Sep 17 00:00:00 2001 From: Alexandre Chapellon Date: Mon, 1 Jul 2024 15:30:29 +0200 Subject: [PATCH 13/25] postgres - fix tests --- roles/postgres/molecule/default/converge.yml | 17 +++++++++++++---- roles/postgres/tasks/main.yml | 11 ----------- roles/postgres/tasks/setup_db.yml | 5 ++--- 3 files changed, 15 insertions(+), 18 deletions(-) 
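Review bot: Switching `Configure basic postgresql client auth` from a template that owned the whole file to a `blockinfile` leaves whatever the package installed in pg_hba.conf in place, and blockinfile appends at the end of the file unless told otherwise. pg_hba.conf is first-match, so the distribution's own `host all all 127.0.0.1/32 …` rule (method varies by distro and version) now decides local TCP authentication before the managed `md5` line is reached, and the `local all postgres peer` line is only consulted if no earlier `local` rule matches. If the distro defaults are meant to stay out of the picture, `insertbefore: BOF` on this task places the managed block ahead of them; otherwise keeping the template keeps the file content deterministic. The per-database blocks written by `setup_db.yml` (PATCH 03) append the same way and have the same ordering exposure.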
diff --git a/roles/postgres/molecule/default/converge.yml b/roles/postgres/molecule/default/converge.yml index 479b45f7c..d416fa360 100644 --- a/roles/postgres/molecule/default/converge.yml +++ b/roles/postgres/molecule/default/converge.yml @@ -5,12 +5,21 @@ - name: Install PostgreSQL ansible.builtin.include_role: name: postgres - - name: Configure database + - name: Configure repo database ansible.builtin.include_role: name: postgres tasks_from: setup_db vars: - postgres_db_name: mydb - postgres_db_username: myuser - postgres_db_password: mypassword # pragma: allowlist secret + postgres_db_name: alfresco + postgres_db_username: alfresco + postgres_db_password: alfresco + postgres_db_clients: "{{ groups.syncservice }}" + - name: Configure sync database + ansible.builtin.include_role: + name: postgres + tasks_from: setup_db + vars: + postgres_db_name: alfresco-sync + postgres_db_username: alfresco-sync + postgres_db_password: alfresco postgres_db_clients: "{{ groups.syncservice }}" diff --git a/roles/postgres/tasks/main.yml b/roles/postgres/tasks/main.yml index 13cc65db6..d3b7b0f60 100644 --- a/roles/postgres/tasks/main.yml +++ b/roles/postgres/tasks/main.yml @@ -44,16 +44,5 @@ backup: true with_items: "{{ postgres_config }}" - - name: Configure basic postgresql client auth - ansible.builtin.blockinfile: - path: "{{ postgresql_conf_path }}/pg_hba.conf" - marker: "# {mark} local connections allowed - Ansible managed block" - block: | - local all postgres peer - host all all 127.0.0.1/32 md5 - owner: postgres - group: postgres - mode: "u=rw" - - name: Flush handlers ansible.builtin.meta: flush_handlers diff --git a/roles/postgres/tasks/setup_db.yml b/roles/postgres/tasks/setup_db.yml index fb5a36dc3..765360d37 100644 --- a/roles/postgres/tasks/setup_db.yml +++ b/roles/postgres/tasks/setup_db.yml 
@@ -14,9 +14,8 @@
 {% for host in postgres_db_clients | map('extract', hostvars, ['ansible_default_ipv4', 'address']) %}
 host {{ postgres_db_name }} {{ postgres_db_username }} {{ host }}/32 md5
 {% endfor %}
- marker: |
- # {mark} ANSIBLE MANAGED:
- # allow {{ postgres_db_clients | join(", ") }} to connect to {{ postgres_db_name }} as {{ postgres_db_username }}
+ marker: >-
+ # {mark} ANSIBLE MANAGED: allow {{ postgres_db_clients | join(", ") }} to connect to {{ postgres_db_name }} as {{ postgres_db_username }}
 owner: postgres
 group: postgres
 mode: "u=rw"
From e1105356416b380b2c35ef4339e54176475e33d5 Mon Sep 17 00:00:00 2001
From: Alexandre Chapellon
Date: Mon, 1 Jul 2024 15:30:53 +0200
Subject: [PATCH 14/25] fix database role condition
---
 playbooks/acs.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/playbooks/acs.yml b/playbooks/acs.yml
index fe43ec295..e9f65b8af 100644
--- a/playbooks/acs.yml
+++ b/playbooks/acs.yml
@@ -54,12 +54,12 @@
 hosts: database[0]
 gather_facts: false
 vars:
- pg_role: "roles/postgres"
+ pg_role: "../roles/postgres"
 tasks:
 - name: Install Postgres
 ansible.builtin.include_role:
 name: "{{ pg_role }}"
- when: repo_db_url != "" or (sync_db_url != "" and groups.syncservice | default([]) | length > 0)
+ when: repo_db_url == "" or (sync_db_url == "" and groups.syncservice | default([]) | length > 0)
 - name: Setup repository database
 ansible.builtin.include_role:
 name: "{{ pg_role }}"
From c8c61345a55cddf7e4764ef73fb01cc272a03975 Mon Sep 17 00:00:00 2001
From: Alexandre Chapellon
Date: Mon, 1 Jul 2024 16:47:43 +0200
Subject: [PATCH 15/25] fix database plays conditions
---
 playbooks/acs.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/playbooks/acs.yml b/playbooks/acs.yml
index e9f65b8af..2bc4013cc 100644
--- a/playbooks/acs.yml
+++ b/playbooks/acs.yml
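Review bot: The per-client rule this blockinfile writes still uses `md5` as the authentication method (`host {{ postgres_db_name }} {{ postgres_db_username }} {{ host }}/32 md5`); on PostgreSQL 10 and later `scram-sha-256` is the recommended password method and md5 only keeps working while `password_encryption` stays at md5, so the method should be a role variable defaulting to scram-sha-256 (a name such as `postgres_auth_method` is illustrative) rather than a literal. The interim block that PATCH 12 added to main.yml used the same literal before PATCH 13 removed it, so this hunk is the only place left to fix. Two further points are inferred rather than visible: blockinfile appends at the end of pg_hba.conf by default and pg_hba.conf is first-match-wins, so a distribution-shipped `host all all` line earlier in the file would take precedence over these rules; and the `/32` addresses come from each client's `ansible_default_ipv4.address`, which requires facts for the client hosts to already be in `hostvars` (the database play runs with `gather_facts: false`) and may not be the interface the client actually connects from. The task that owns this `block:` starts before the hunk.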
@@ -69,7 +69,7 @@
 postgres_db_username: "{{ repo_db_username }}"
 postgres_db_password: "{{ repo_db_password }}"
 postgres_db_clients: "{{ groups.repository }}"
- when: repo_db_url != ""
+ when: repo_db_url == ""
 - name: Setup sync database
 ansible.builtin.include_role:
 role: "{{ pg_role }}"
@@ -79,13 +79,13 @@
 postgres_db_username: "{{ sync_db_username }}"
 postgres_db_password: "{{ sync_db_password }}"
 postgres_db_clients: "{{ groups.syncservice }}"
- when: sync_db_url != "" and groups.syncservice | default([]) | length > 0
+ when: sync_db_url == "" and groups.syncservice | default([]) | length > 0
 post_tasks:
 - name: Make sure PostgreSQL is running
 ansible.builtin.service:
 name: "{{ postgresql_service }}"
 state: started
- when: repo_db_url != "" or (sync_db_url != "" and groups.syncservice | default([]) | length > 0)
+ when: repo_db_url == "" or (sync_db_url == "" and groups.syncservice | default([]) | length > 0)
 tags:
 - database
From 9748c50fb08be3aa7fbc09ea39126d54595d9983 Mon Sep 17 00:00:00 2001
From: Alexandre Chapellon
Date: Mon, 1 Jul 2024 17:12:08 +0200
Subject: [PATCH 16/25] postgres - try top set fact needed in calling playbook
---
 roles/postgres/tasks/main.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/roles/postgres/tasks/main.yml b/roles/postgres/tasks/main.yml
index d3b7b0f60..752a6d26d 100644
--- a/roles/postgres/tasks/main.yml
+++ b/roles/postgres/tasks/main.yml
@@ -4,6 +4,10 @@
 loop: >-
 {{ lookup('first_found', os_fallback, errors='ignore', wantlist=True) }}
+- name: Set postgreSQL service name as fact
+ ansible.builtin.set_fact:
+ postgresql_service: "{{ postgresql_service }}"
+
 - name: Install PostgreSQL RDBMS
 become: true
 block:
From b3dd35c8c8434ca8534f20f9a381c94bc8c38b35 Mon Sep 17 00:00:00 2001
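Review bot: The new `Set postgreSQL service name as fact` task in main.yml reads as a no-op (`postgresql_service: "{{ postgresql_service }}"`) and needs a comment saying why it exists: it promotes the OS-specific role variable loaded by the preceding `first_found` loop into a host fact so that the calling play's `post_tasks` (the `Make sure PostgreSQL is running` service task in the acs.yml hunks above, which references `postgresql_service` after the role has returned) can resolve it. Suggested comment above the task: `# Promote the OS-specific postgresql_service role var to a host fact so the calling play can use it after this role returns`. Because the fact only exists once the role has run, any play task that references it must keep the same condition that gates the `Install Postgres` include, as the post_task in acs.yml currently does.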
From: Alexandre Chapellon Date: Tue, 2 Jul 2024 16:49:45 +0200 Subject: [PATCH 17/25] remove sync db pass from password generation main loop and checks --- playbooks/secrets-init.yml | 1 - playbooks/secrets.yml | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/playbooks/secrets-init.yml b/playbooks/secrets-init.yml index 505b40817..199b5e418 100644 --- a/playbooks/secrets-init.yml +++ b/playbooks/secrets-init.yml @@ -59,7 +59,6 @@ ansible.builtin.set_fact: password_loop: - repo_db_password - - sync_db_password - name: Check if inventory is provided ansible.builtin.set_fact: diff --git a/playbooks/secrets.yml b/playbooks/secrets.yml index 8b3fb735e..558375b47 100644 --- a/playbooks/secrets.yml +++ b/playbooks/secrets.yml @@ -49,7 +49,6 @@ ansible.builtin.assert: that: - repo_db_password is defined and repo_db_password | length > 0 - - sync_db_password is defined and sync_db_password | length > 0 msg: "Mandatory secrets are missing from vars/secrets.yml file. If this is a test environment, you can autogenerate them setting the autogen_unsecure_secrets variable to yes. Otherwise, please take a look @@ -122,6 +121,7 @@ - name: Set sync_db_password secret ansible.builtin.set_fact: sync_db_password: "{{ hostvars.localhost.sync_db_password }}" + when: (groups.syncservice | default([])) | length > 0 - name: Set secrets for ActiveMQ auth hosts: activemq:repository:transformers:syncservice:search_enterprise From 18b00a24e61a3ec4bb20a6f7381ebfb264ad7e03 Mon Sep 17 00:00:00 2001 From: Alexandre Chapellon Date: Wed, 3 Jul 2024 10:51:06 +0200 Subject: [PATCH 18/25] postgres - remove unused template --- roles/postgres/templates/pg_hba.conf.j2 | 7 ------- 1 file changed, 7 deletions(-) delete mode 100644 roles/postgres/templates/pg_hba.conf.j2 diff --git a/roles/postgres/templates/pg_hba.conf.j2 b/roles/postgres/templates/pg_hba.conf.j2 deleted file mode 100644 index 1bdf24a41..000000000 --- a/roles/postgres/templates/pg_hba.conf.j2 +++ /dev/null 
@@ -1,7 +0,0 @@
-{{ ansible_managed | comment }}
-# PostgreSQL Client Authentication Configuration File
-# ===================================================
-#
-# See: https://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html
-local all postgres peer
-host all all 127.0.0.1/32 md5
From 757a04fc715ffc50f4777d1a8c8492fee71ab278 Mon Sep 17 00:00:00 2001
From: Alexandre Chapellon
Date: Wed, 3 Jul 2024 10:51:31 +0200
Subject: [PATCH 19/25] sync - molecule role test cleanup
---
 roles/sync/molecule/default/converge.yml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/roles/sync/molecule/default/converge.yml b/roles/sync/molecule/default/converge.yml
index baef6ae5d..dbc5a45a8 100644
--- a/roles/sync/molecule/default/converge.yml
+++ b/roles/sync/molecule/default/converge.yml
@@ -8,8 +8,6 @@
 - name: Install PostgreSQL
 ansible.builtin.include_role:
 name: postgres
- - name: Flush handlers
- ansible.builtin.meta: flush_handlers
 - name: Setup repository database
 ansible.builtin.include_role:
 name: postgres
From e16e36078135e8a07846ed916b978b8fd9ddd86b Mon Sep 17 00:00:00 2001
From: Alexandre Chapellon
Date: Wed, 3 Jul 2024 11:02:52 +0200
Subject: [PATCH 20/25] avoid condition duplication
---
 .secrets.baseline | 4 ++--
 playbooks/acs.yml | 12 ++++++++----
 2 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/.secrets.baseline b/.secrets.baseline
index d41fdcb62..2db8cc8f7 100644
--- a/.secrets.baseline
+++ b/.secrets.baseline
@@ -144,7 +144,7 @@
 "filename": "playbooks/acs.yml",
 "hashed_secret": "3a0b8a438a9efa61267357269709a946d797b9bd",
 "is_verified": false,
- "line_number": 429,
+ "line_number": 433,
 "is_secret": false
 }
 ],
@@ -259,5 +259,5 @@
 }
 ]
 },
- "generated_at": "2024-07-01T17:14:52Z"
+ "generated_at": "2024-07-03T08:58:42Z"
 }
diff --git a/playbooks/acs.yml b/playbooks/acs.yml
index 2bc4013cc..62c371acf 100644
--- a/playbooks/acs.yml
+++ b/playbooks/acs.yml
@@ -55,11 +55,15 @@
 gather_facts: false
 vars:
 pg_role: "../roles/postgres"
+ create_repo_db: >-
+ {{ repo_db_url == "" | ansible.builtin.bool }}
+ create_sync_db: >-
+ {{ (sync_db_url == "" and groups.syncservice | default([]) | length > 0) | ansible.builtin.bool }}
 tasks:
 - name: Install Postgres
 ansible.builtin.include_role:
 name: "{{ pg_role }}"
- when: repo_db_url == "" or (sync_db_url == "" and groups.syncservice | default([]) | length > 0)
+ when: create_repo_db or create_sync_db
 - name: Setup repository database
 ansible.builtin.include_role:
 name: "{{ pg_role }}"
@@ -69,7 +73,7 @@
 postgres_db_username: "{{ repo_db_username }}"
 postgres_db_password: "{{ repo_db_password }}"
 postgres_db_clients: "{{ groups.repository }}"
- when: repo_db_url == ""
+ when: create_repo_db
 - name: Setup sync database
 ansible.builtin.include_role:
 role: "{{ pg_role }}"
@@ -79,13 +83,13 @@
 postgres_db_username: "{{ sync_db_username }}"
 postgres_db_password: "{{ sync_db_password }}"
 postgres_db_clients: "{{ groups.syncservice }}"
- when: sync_db_url == "" and groups.syncservice | default([]) | length > 0
+ when: create_sync_db
 post_tasks:
 - name: Make sure PostgreSQL is running
 ansible.builtin.service:
 name: "{{ postgresql_service }}"
 state: started
- when: repo_db_url == "" or (sync_db_url == "" and groups.syncservice | default([]) | length > 0)
+ when: create_repo_db or create_sync_db
 tags:
 - database
From 605240fb418dd7cc88c2e9954b239a399e3a8983 Mon Sep 17 00:00:00 2001
From: Alexandre Chapellon
Date: Wed, 3 Jul 2024 12:06:59 +0200
Subject: [PATCH 21/25] review comments
---
 roles/postgres/tasks/main.yml | 6 +++---
 roles/postgres/tasks/setup_db.yml | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/roles/postgres/tasks/main.yml b/roles/postgres/tasks/main.yml
index 752a6d26d..08a99d195 100644
--- a/roles/postgres/tasks/main.yml
+++ b/roles/postgres/tasks/main.yml
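Review bot: `create_repo_db` and `create_sync_db` make an empty `repo_db_url` or `sync_db_url` the trigger for installing a local PostgreSQL and, through `postgres_db_clients`, for writing pg_hba rules that admit the repository and sync hosts, so an unset or accidentally blanked URL silently provisions a database rather than failing; an explicit opt-in flag checked together with the empty URL (a name such as `repo_db_local` is illustrative) would make that path deliberate. The `repo_db_url == ""` comparison also raises an undefined-variable error if `repo_db_url` has no default — whether one exists is not visible here, and `repo_db_url | default('') == ""` would state the intent either way. The `| ansible.builtin.bool` on the first new value binds to `""` rather than to the comparison; that is corrected later in this series and is not re-raised.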
@@ -4,7 +4,7 @@
 loop: >-
 {{ lookup('first_found', os_fallback, errors='ignore', wantlist=True) }}
-- name: Set postgreSQL service name as fact
+- name: Set PostgreSQL service name as fact
 ansible.builtin.set_fact:
 postgresql_service: "{{ postgresql_service }}"
@@ -33,13 +33,13 @@
 notify:
 - Restart-postgresql
 block:
- - name: Configure postgresql to listen on all IP interfaces
+ - name: Configure PostgreSQL to listen on all IP interfaces
 ansible.builtin.lineinfile:
 path: "{{ postgresql_conf_path }}/postgresql.conf"
 regexp: ^\s*listen_addresses\s*=
 line: "listen_addresses = '{{ postgres_listen_addresses }}'"
- - name: Custom postgresql Configuration
+ - name: Custom PostgreSQL Configuration
 ansible.builtin.lineinfile:
 path: "{{ postgresql_conf_path }}/postgresql.conf"
 regexp: "^{{ item['line'] }}"
diff --git a/roles/postgres/tasks/setup_db.yml b/roles/postgres/tasks/setup_db.yml
index 765360d37..9229e3570 100644
--- a/roles/postgres/tasks/setup_db.yml
+++ b/roles/postgres/tasks/setup_db.yml
@@ -4,7 +4,7 @@
 loop: >-
 {{ lookup('first_found', os_fallback, errors='ignore', wantlist=True) }}
-- name: Configure postgresql client auth
+- name: Configure PostgreSQL client auth
 become: true
 notify:
 - Restart-postgresql
From 8409f9b2049b1436fa6978e91153d87c9efe972c Mon Sep 17 00:00:00 2001
From: Alexandre Chapellon
Date: Wed, 3 Jul 2024 12:14:14 +0200
Subject: [PATCH 22/25] add a check task after removing sync db crenetials rom the mandatory password checks task
---
 playbooks/secrets.yml | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/playbooks/secrets.yml b/playbooks/secrets.yml
index 558375b47..0a8e1203a 100644
--- a/playbooks/secrets.yml
+++ b/playbooks/secrets.yml
@@ -62,6 +62,13 @@
 quiet: true
 when: ((groups.activemq | default([])) + (groups.external_activemq | default([]))) | length > 0
+ - name: Ensure sync_db_password is set when required
+ ansible.builtin.assert:
+ that: sync_db_password is defined and sync_db_password | length > 0
+ msg: "sync_db_password must have been already set at this point"
+ quiet: true
+ when: (groups.syncservice | default([])) | length > 0
+
 - name: Ensure ca_signing_key_passphrase is set when required
 ansible.builtin.assert:
 that: ca_signing_key_passphrase is defined and ca_signing_key_passphrase | length > 0
From 92b22a206f9f271ca8b28abf6b3a679d9614278e Mon Sep 17 00:00:00 2001
From: Alexandre Chapellon
Date: Wed, 3 Jul 2024 12:17:19 +0200
Subject: [PATCH 23/25] review comments
---
 roles/postgres/tasks/setup_db.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/postgres/tasks/setup_db.yml b/roles/postgres/tasks/setup_db.yml
index 9229e3570..66fdf71b1 100644
--- a/roles/postgres/tasks/setup_db.yml
+++ b/roles/postgres/tasks/setup_db.yml
@@ -26,7 +26,7 @@
 vars:
 ansible_ssh_pipelining: true
 block:
- - name: Create necessary databases
+ - name: Create database
 community.postgresql.postgresql_db:
 name: "{{ postgres_db_name }}"
From 380105cf1eefd223fda430ce3d030790306b08bd Mon Sep 17 00:00:00 2001
From: Alexandre Chapellon
Date: Wed, 3 Jul 2024 14:19:42 +0200
Subject: [PATCH 24/25] fix conition syntax
---
 playbooks/acs.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/playbooks/acs.yml b/playbooks/acs.yml
index 62c371acf..46e557f06 100644
--- a/playbooks/acs.yml
+++ b/playbooks/acs.yml
@@ -56,7 +56,7 @@
 vars:
 pg_role: "../roles/postgres"
 create_repo_db: >-
- {{ repo_db_url == "" | ansible.builtin.bool }}
+ {{ (repo_db_url == "") | ansible.builtin.bool }}
 create_sync_db: >-
 {{ (sync_db_url == "" and groups.syncservice | default([]) | length > 0) | ansible.builtin.bool }}
 tasks:
From 4214ac900d30d3462e480d8478f6e49570f88b91 Mon Sep 17 00:00:00 2001
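Review bot: The assertion message `sync_db_password must have been already set at this point` tells an operator that the run stopped but not what to change; the earlier mandatory-secrets assert in this same file points at vars/secrets.yml and the `autogen_unsecure_secrets` switch, and this one should match it, e.g. `msg: "sync_db_password is missing from vars/secrets.yml but a syncservice host is in the inventory; set it there or enable autogen_unsecure_secrets for test environments"`. The `(groups.syncservice | default([])) | length > 0` guard now appears in secrets-init.yml, in this file and in acs.yml (as `create_sync_db`); a single variable set once in group vars or a shared vars file would keep the three checks from drifting apart.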
From: Alexandre Chapellon
Date: Wed, 3 Jul 2024 15:51:31 +0200
Subject: [PATCH 25/25] review comments
---
 roles/postgres/tasks/setup_db.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/roles/postgres/tasks/setup_db.yml b/roles/postgres/tasks/setup_db.yml
index 66fdf71b1..169e69d6b 100644
--- a/roles/postgres/tasks/setup_db.yml
+++ b/roles/postgres/tasks/setup_db.yml
@@ -41,7 +41,7 @@
 tags:
 - molecule-idempotence-notest
- - name: Create unprivileged users
+ - name: Create unprivileged user
 community.postgresql.postgresql_user:
 db: "{{ postgres_db_name }}"
 name: "{{ postgres_db_username }}"
@@ -52,7 +52,7 @@
 tags:
 - molecule-idempotence-notest
- - name: Grant db privileges to users
+ - name: Grant db privileges to user
 community.postgresql.postgresql_privs:
 db: "{{ postgres_db_name }}"
 privs: ALL