From 18679082b9cda9526f69949503b234d8f638f68e Mon Sep 17 00:00:00 2001
From: "Ketelsen, Sven"
Date: Tue, 25 Jul 2023 12:34:08 +0000
Subject: [PATCH] MPMXKD-17 fixed CREATE table grants

---
 group_vars/all/pgadmin4.yml | 3 ---
 group_vars/all/services.yml | 2 ++
 roles/pgadmin4/tasks/main.yml | 2 +-
 roles/pgadmin4/vars/main.yml | 2 +-
 roles/pgadmin4_realm/defaults/main.yml | 8 ++++----
 roles/postgres/tasks/_update_database_state.yml | 4 ++--
 6 files changed, 10 insertions(+), 11 deletions(-)

diff --git a/group_vars/all/pgadmin4.yml b/group_vars/all/pgadmin4.yml
index 8cd165f..16c22de 100644
--- a/group_vars/all/pgadmin4.yml
+++ b/group_vars/all/pgadmin4.yml
@@ -1,7 +1,4 @@
 ---
-pgadmin4_base_hostname: "{{ stage }}-pgadmin4-01.{{ domain }}"
-pgadmin4_base_url: "https://{{ pgadmin4_base_hostname }}"
-
 pgadmin4_oidc_realm: "stage-pgadmin4"
 pgadmin4_oidc_client_id: "stage-pgadmin4"
 pgadmin4_oidc_dev_username: "pgadmin-dev"
diff --git a/group_vars/all/services.yml b/group_vars/all/services.yml
index 7fdbf3d..0ab9b61 100644
--- a/group_vars/all/services.yml
+++ b/group_vars/all/services.yml
@@ -15,6 +15,8 @@ shared_service_hostname_kibana: "{{ stage }}-elastic-stack-kibana-01-kibana.{{ d
 shared_service_host_management: "{{ stage }}-management-01"
 shared_service_url_management: "https://{{ shared_service_hostname_management }}"
 shared_service_hostname_management: "{{ shared_service_host_management }}-connect.{{ domain_env }}"
+shared_service_url_pgadmin4: "https://{{ shared_service_hostname_pgadmin4 }}"
+shared_service_hostname_pgadmin4: "{{ stage }}-pgadmin4-01-pgadmin4.{{ domain_env }}"
 shared_service_hostname_logstash: "{{ stage }}-elastic-stack-logstash-01"
diff --git a/roles/pgadmin4/tasks/main.yml b/roles/pgadmin4/tasks/main.yml
index 1220029..ddc1a11 100644
--- a/roles/pgadmin4/tasks/main.yml
+++ b/roles/pgadmin4/tasks/main.yml
@@ -70,7 +70,7 @@
 # Initialize Login process against Keycloak server
 - name: "Initialize SSO Login on Pgadmin4"
 uri:
- url: "{{ pgadmin4_base_url }}/authenticate/login"
+ url: "{{ shared_service_url_pgadmin4 }}/authenticate/login"
 method: GET
 body_format: form-urlencoded
 body:
diff --git a/roles/pgadmin4/vars/main.yml b/roles/pgadmin4/vars/main.yml
index ad314f8..0ab833c 100644
--- a/roles/pgadmin4/vars/main.yml
+++ b/roles/pgadmin4/vars/main.yml
@@ -40,7 +40,7 @@ pgadmin4_docker: [ '"traefik.enable=true"', '"traefik.http.routers.{{ pgadmin_id }}.service={{ pgadmin_id }}"', - '"traefik.http.routers.{{ pgadmin_id }}.rule=Host(`{{ pgadmin4_base_hostname }}`)"', + '"traefik.http.routers.{{ pgadmin_id }}.rule=Host(`{{ pgadmin_id }}.{{ domain_env }}`)"', '"traefik.http.routers.{{ pgadmin_id }}.entrypoints=websecure"', '"traefik.http.routers.{{ pgadmin_id }}.tls=true"', '"traefik.http.routers.{{ pgadmin_id }}.tls.certresolver=letsencrypt"',
diff --git a/roles/pgadmin4_realm/defaults/main.yml b/roles/pgadmin4_realm/defaults/main.yml
index 73fc112..7d33102 100644
--- a/roles/pgadmin4_realm/defaults/main.yml
+++ b/roles/pgadmin4_realm/defaults/main.yml
@@ -5,13 +5,13 @@ current_realm_clients:
 - name: "{{ pgadmin4_oidc_client_id }}"
 base_url: ""
 clientId: "{{ pgadmin4_oidc_client_id }}"
- admin_url: "{{ pgadmin4_base_url }}"
- root_url: "{{ pgadmin4_base_url }}"
+ admin_url: "{{ shared_service_url_pgadmin4 }}"
+ root_url: "{{ shared_service_url_pgadmin4 }}"
 redirect_uris:
- - "{{ pgadmin4_base_url }}/*"
+ - "{{ shared_service_url_pgadmin4 }}/*"
 secret: "{{ pgadmin4_oidc_client_secret }}"
 web_origins:
- - "{{ pgadmin4_base_url }}/"
+ - "{{ shared_service_url_pgadmin4 }}/"
 current_realm_users:
 - username: "{{ pgadmin4_oidc_dev_username }}"
diff --git a/roles/postgres/tasks/_update_database_state.yml b/roles/postgres/tasks/_update_database_state.yml
index 7219112..e34834a 100644
--- a/roles/postgres/tasks/_update_database_state.yml
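Review bot: The Traefik Host rule in roles/pgadmin4/vars/main.yml is now derived from `{{ pgadmin_id }}.{{ domain_env }}`, while every other consumer in this patch — the SSO login URL in roles/pgadmin4/tasks/main.yml and the Keycloak client's root/admin/redirect URIs — is derived from `shared_service_url_pgadmin4`, i.e. `{{ stage }}-pgadmin4-01-pgadmin4.{{ domain_env }}`, and nothing keeps the two expressions in sync. `pgadmin_id` is not visible here; unless it is exactly `{{ stage }}-pgadmin4-01-pgadmin4`, the host Traefik routes and requests a Let's Encrypt certificate for (`tls.certresolver=letsencrypt` in this hunk) is not the host Keycloak will redirect the browser back to, and the login round-trip fails. Build the rule from the shared variable instead: `` '"traefik.http.routers.{{ pgadmin_id }}.rule=Host(`{{ shared_service_hostname_pgadmin4 }}`)"', ``. The `pgadmin4_docker` list this hunk edits opens and closes outside the hunk.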
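Review bot: The `redirect_uris` entry in roles/pgadmin4_realm/defaults/main.yml is still a host-wide wildcard, `{{ shared_service_url_pgadmin4 }}/*`, so Keycloak will deliver the authorization code to any path on the pgAdmin host rather than only to pgAdmin's OAuth2 callback; Keycloak's hardening guidance is to register the exact callback URI, which for pgAdmin is `/oauth2/authorize` in current releases (confirm against the deployed version before narrowing). The one-line change `- "{{ shared_service_url_pgadmin4 }}/oauth2/authorize"` keeps the login flow working while removing the wildcard. The `web_origins` entry also ends in `/`; a web origin is `scheme://host[:port]` with no path, so verify that Keycloak accepts the trailing slash rather than silently rejecting the origin. The `current_realm_clients` list this hunk edits starts outside the hunk.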
+++ b/roles/postgres/tasks/_update_database_state.yml
@@ -152,9 +152,9 @@
 become: true
 become_user: "{{ postgres_admin_user }}"
-- name: Revoke CREATE privilege on public schema from postgres_readonly group
+- name: "Revoke CREATE privilege on public schema for group postgres_readonly"
 community.postgresql.postgresql_privs:
- role: "public"
+ role: "postgres_readonly"
 type: schema
 priv: CREATE
 objs: public
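Review bot: Pointing `role` at `postgres_readonly` (the `role:` line of this hunk) revokes only a grant that group holds directly; on PostgreSQL 14 and earlier the `public` schema carries a default `GRANT CREATE ON SCHEMA public TO PUBLIC`, and every role — `postgres_readonly` members included — keeps CREATE through that pseudo-role, so read-only users can still create tables in `public` unless that default grant is removed as well. The old target `public` is what addressed the pseudo-role (the module documents it as `PUBLIC`), so keep that revoke as a second task next to this one — `role: PUBLIC` with the same `type: schema`, `priv: CREATE`, `objs: public` and `state` — or assert a PostgreSQL 15+ server, where the default grant no longer exists; the server version is not visible in this patch. The remainder of the task, including whatever `state` it sets, lies outside the hunk.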