From 5cdaa7d3235c2603b279bd71cb5259f7b1b785b1 Mon Sep 17 00:00:00 2001
From: Michael Haehnel
Date: Wed, 19 Jul 2023 19:37:50 +0200
Subject: [PATCH] DEV-1007 Fix #3 pgadmin4
---
 roles/pgadmin4/vars/main.yml | 46 +++++++++----------
 .../postgres/tasks/_update_database_state.yml | 43 ++++++++---------
 roles/postgres/tasks/master-requirements.yml | 10 ----
 templates/pgadmin4/config/pgpass_admin.j2 | 5 +-
 templates/pgadmin4/config/pgpass_dev.j2 | 5 +-
 .../pgadmin4/config/servers_admin.json.j2 | 16 ++++---
 templates/pgadmin4/config/servers_dev.json.j2 | 16 ++++---
 7 files changed, 73 insertions(+), 68 deletions(-)
diff --git a/roles/pgadmin4/vars/main.yml b/roles/pgadmin4/vars/main.yml
index 33d78c3..ad314f8 100644
--- a/roles/pgadmin4/vars/main.yml
+++ b/roles/pgadmin4/vars/main.yml
@@ -15,7 +15,7 @@ pgadmin4_docker:
 name: "init-pgadmin",
 image_name: "{{ pgadmin4_image_name }}",
 image_version: "{{ pgadmin4_version }}",
- restart: '"on-failure:10"',
+ restart: '"on-failure:20"',
 entrypoint: [
 "- sh",
@@ -30,7 +30,7 @@ pgadmin4_docker:
 " /venv/bin/python3 /pgadmin4/setup.py --load-servers /config/servers_admin.json --user nso.devops@netgo.de --replace",
 " /venv/bin/python3 /pgadmin4/setup.py --load-servers /config/servers_dev.json --user developer@netgo.de --replace",
 ],
- volumes: [./config:/config, pgadmin_data:/var/lib/pgadmin],
+ volumes: ["./config:/config", "pgadmin_data:/var/lib/pgadmin"],
 },
 {
 name: "{{ pgadmin_id }}",
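Review bot: `./config:/config` on the newly quoted `volumes` line is a read-write bind mount, but the init container only reads from it (its entrypoint runs `setup.py --load-servers /config/servers_admin.json` and `/config/servers_dev.json`), so `"./config:/config:ro"` would be the tighter form and would keep a misbehaving or compromised init run from rewriting the server definitions on the host. That matters more if the `pgpass_*` templates in this same patch, which carry `postgres_admin_password` and `pgadmin4_oidc_dev_password` in clear text, are rendered into that directory — the diff does not show where they land. Quoting both volume strings is the right fix for the earlier plain scalars. The enclosing `pgadmin4_docker` list continues outside both hunks shown here.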
@@ -47,27 +47,27 @@ pgadmin4_docker:
 '"traefik.http.services.{{ pgadmin_id }}.loadbalancer.server.port={{ http_port }}"',
 ],
 environment: [
- 'PGADMIN_DEFAULT_EMAIL: "{{ pgadmin4_admin_username }}"',
- 'PGADMIN_DEFAULT_PASSWORD: "{{ pgadmin4_admin_password }}"',
- 'PGADMIN_CONFIG_CONSOLE_LOG_LEVEL: "20"',
- 'PGADMIN_CONFIG_AUTHENTICATION_SOURCES: "[''oauth2'',''internal'']"',
- 'PGADMIN_CONFIG_OAUTH2_AUTO_CREATE_USER: "True"',
- 'PGADMIN_CONFIG_OAUTH2_CONFIG: "[{
- ''OAUTH2_NAME'': ''keycloak'',
- ''OAUTH2_DISPLAY_NAME'': ''Keycloak'',
- ''OAUTH2_CLIENT_ID'': ''{{ pgadmin4_oidc_client_id }}'',
- ''OAUTH2_CLIENT_SECRET'': ''{{ pgadmin4_oidc_client_secret }}'',
- ''OAUTH2_TOKEN_URL'': ''{{ shared_service_url_keycloak }}/auth/realms/{{ pgadmin4_oidc_realm }}/protocol/openid-connect/token'',
- ''OAUTH2_AUTHORIZATION_URL'': ''{{ shared_service_url_keycloak }}/auth/realms/{{ pgadmin4_oidc_realm }}/protocol/openid-connect/auth'',
- ''OAUTH2_API_BASE_URL'': ''{{ shared_service_url_keycloak }}/auth/realms/{{ pgadmin4_oidc_realm }}/protocol/openid-connect/'',
- ''OAUTH2_USERINFO_ENDPOINT'': ''userinfo'',
- ''OAUTH2_BUTTON_COLOR'': ''#3253a8'',
- ''OAUTH2_SCOPE'': ''openid email profile'',
- ''OAUTH2_USERNAME_CLAIM'': ''sub'',
- ''OAUTH2_SERVER_METADATA_URL'': ''{{ shared_service_url_keycloak }}/auth/realms/{{ pgadmin4_oidc_realm }}/.well-known/openid-configuration''
- }]"',
- ],
- volumes: [pgadmin_data:/var/lib/pgadmin],
+ 'PGADMIN_DEFAULT_EMAIL: "{{ pgadmin4_admin_username }}"',
+ 'PGADMIN_DEFAULT_PASSWORD: "{{ pgadmin4_admin_password }}"',
+ 'PGADMIN_CONFIG_CONSOLE_LOG_LEVEL: "20"',
+ 'PGADMIN_CONFIG_AUTHENTICATION_SOURCES: "[''oauth2'',''internal'']"',
+ 'PGADMIN_CONFIG_OAUTH2_AUTO_CREATE_USER: "True"',
+ 'PGADMIN_CONFIG_OAUTH2_CONFIG: "[{
+ ''OAUTH2_NAME'': ''keycloak'',
+ ''OAUTH2_DISPLAY_NAME'': ''Keycloak'',
+ ''OAUTH2_CLIENT_ID'': ''{{ pgadmin4_oidc_client_id }}'',
+ ''OAUTH2_CLIENT_SECRET'': ''{{ pgadmin4_oidc_client_secret }}'',
+ ''OAUTH2_TOKEN_URL'': ''{{ shared_service_url_keycloak }}/auth/realms/{{ pgadmin4_oidc_realm }}/protocol/openid-connect/token'',
+ ''OAUTH2_AUTHORIZATION_URL'': ''{{ shared_service_url_keycloak }}/auth/realms/{{ pgadmin4_oidc_realm }}/protocol/openid-connect/auth'',
+ ''OAUTH2_API_BASE_URL'': ''{{ shared_service_url_keycloak }}/auth/realms/{{ pgadmin4_oidc_realm }}/protocol/openid-connect/'',
+ ''OAUTH2_USERINFO_ENDPOINT'': ''userinfo'',
+ ''OAUTH2_BUTTON_COLOR'': ''#3253a8'',
+ ''OAUTH2_SCOPE'': ''openid email profile'',
+ ''OAUTH2_USERNAME_CLAIM'': ''sub'',
+ ''OAUTH2_SERVER_METADATA_URL'': ''{{ shared_service_url_keycloak }}/auth/realms/{{ pgadmin4_oidc_realm }}/.well-known/openid-configuration''
+ }]"',
+ ],
+ volumes: ["pgadmin_data:/var/lib/pgadmin"],
 networks: [front-tier, back-tier],
 extra_hosts: "{{ pgadmin_extra_hosts | default([]) }}",
 },
diff --git a/roles/postgres/tasks/_update_database_state.yml b/roles/postgres/tasks/_update_database_state.yml
index 24b68c5..269e2db 100644
--- a/roles/postgres/tasks/_update_database_state.yml
+++ b/roles/postgres/tasks/_update_database_state.yml
@@ -54,22 +54,6 @@
 - item.stdout == '0'
 - server_type == 'master'

-- name: "Grant CREATE privilege on public schema for if necessary"
- community.postgresql.postgresql_privs:
- role: "{{ item.item.name }}"
- type: schema
- priv: ALL
- objs: public
- login_user: "{{ postgres_admin_user }}"
- database: "{{ item.item.name }}"
- state: present
- loop: "{{ role_check.results }}"
- become: true
- become_user: "{{ postgres_admin_user }}"
- when:
- - database_state == 'present'
- - server_type == 'master'
-
 - name: "Checking database exist"
 shell: '/usr/bin/psql -Atc "SELECT count(*) FROM pg_database WHERE datname = ''{{ item.name }}''"'
 with_items: "{{ postgres_acls }}"
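Review bot: `PGADMIN_DEFAULT_PASSWORD` and `OAUTH2_CLIENT_SECRET` are still handed to the container as plain environment variables after the re-indent, so they are readable from `docker inspect` and from the environment of any process in the container. The pgAdmin image accepts `PGADMIN_DEFAULT_PASSWORD_FILE` pointing at a mounted secret file, which keeps at least the admin password out of the environment, and the OAuth2 block can live in a mounted `config_local.py` for the same reason — confirm both against the pinned `pgadmin4_version`. `PGADMIN_CONFIG_OAUTH2_AUTO_CREATE_USER: "True"` creates a pgAdmin login for every identity the Keycloak realm will issue a token for, so the realm or client should be the place that restricts who can sign in; that is not visible here. Apart from the `volumes` quoting this hunk changes only indentation, so a whitespace-only commit would have kept the functional change readable.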
@@ -94,6 +78,22 @@
 - item.stdout == '0'
 - server_type == 'master'

+- name: "Grant CREATE privilege on public schema for if necessary"
+ community.postgresql.postgresql_privs:
+ role: "{{ item.item.name }}"
+ type: schema
+ priv: ALL
+ objs: public
+ login_user: "{{ postgres_admin_user }}"
+ database: "{{ item.item.name }}"
+ state: present
+ loop: "{{ role_check.results }}"
+ become: true
+ become_user: "{{ postgres_admin_user }}"
+ when:
+ - database_state == 'present'
+ - server_type == 'master'
+
 - name: "Deleting Databases if necessary"
 shell: '/usr/bin/psql -c "DROP DATABASE {{ item.item.name }} WITH (FORCE);"'
 with_items: "{{ database_check.results }}"
@@ -135,7 +135,7 @@
 - name: "Create PostgreSQL readonly group"
 community.postgresql.postgresql_user:
 name: "postgres_readonly"
- role_attr_flags: NOLOGIN,NOSUPERUSER,NOINHERIT,NOCREATEDB,NOCREATEROLE,NOREPLICATION
+ role_attr_flags: NOLOGIN,NOSUPERUSER,NOCREATEDB,NOCREATEROLE,NOREPLICATION
 login_user: "{{ postgres_admin_user }}"
 state: present
 become: true
@@ -167,7 +167,7 @@
 when:
 - server_type == 'master'

-- name: "Grant USAGE privilege to postgres readonly group"
+- name: "Grant USAGE privilege to postgres readonly group on all public schemas"
 community.postgresql.postgresql_privs:
 role: "postgres_readonly"
 type: schema
@@ -175,6 +175,7 @@
 objs: public
 login_user: "{{ postgres_admin_user }}"
 database: "{{ item.datname }}"
+ state: present
 loop: "{{ database_list.query_result }}"
 become: true
 become_user: "{{ postgres_admin_user }}"
@@ -185,7 +186,7 @@
 community.postgresql.postgresql_privs:
 role: "postgres_readonly"
 type: table
- priv: SELECT
+ privs: SELECT
 schema: public
 objs: ALL_IN_SCHEMA
 login_user: "{{ postgres_admin_user }}"
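Review bot: The moved grant task still spells the option `priv: ALL`, while the same commit changes `priv: SELECT` to `privs: SELECT` in the readonly-table hunk further down; `privs: ALL` here keeps one spelling in the file (`priv` is only the alias). The task name `"Grant CREATE privilege on public schema for if necessary"` also understates what runs, since `ALL` on the `public` schema grants USAGE and CREATE; `"Grant ALL on public schema to role if necessary"` would match. The loop over `role_check.results` with `item.item.name` relies on a register set outside this hunk, and now that the task sits after the database checks it is worth confirming that nothing re-registers `role_check` in between.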
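Review bot: `objs: ALL_IN_SCHEMA` with `type: table` grants `postgres_readonly` SELECT only on the tables that exist when the play runs, so a table created by the application afterwards is invisible to the group until the next run, and a reader of this task will assume it is permanent. A sibling task with `type: default_privs` makes the grant apply to future tables as well; it needs `target_roles` set to whichever role actually creates the tables, which this diff does not show, so that value is left as a placeholder below. The loop and `item.datname` mirror the schema-USAGE task in the `@@ -175` hunk.
```yaml
- name: "Grant SELECT on future public tables to postgres readonly group"
  community.postgresql.postgresql_privs:
    role: "postgres_readonly"
    type: default_privs
    privs: SELECT
    schema: public
    objs: TABLES
    target_roles: "<OWNER_ROLE_THAT_CREATES_TABLES>"  # placeholder: set to the schema owner
    login_user: "{{ postgres_admin_user }}"
    database: "{{ item.datname }}"
    state: present
  loop: "{{ database_list.query_result }}"
  become: true
  become_user: "{{ postgres_admin_user }}"
  # … unchanged: same `when` conditions as the existing readonly grants …
```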
@@ -201,7 +202,7 @@
 community.postgresql.postgresql_user:
 name: "{{ pgadmin4_oidc_dev_username }}"
 password: "{{ pgadmin4_oidc_dev_password }}"
- role_attr_flags: LOGIN,NOSUPERUSER,NOINHERIT,NOCREATEDB,NOCREATEROLE,NOREPLICATION
+ role_attr_flags: LOGIN,NOSUPERUSER,NOCREATEDB,NOCREATEROLE,NOREPLICATION
 login_user: "{{ postgres_admin_user }}"
 state: present
 become: true
@@ -212,7 +213,7 @@
 - name: "Add {{ pgadmin4_oidc_dev_username }} to group 'postgres_readonly'"
 community.postgresql.postgresql_user:
 name: "{{ pgadmin4_oidc_dev_username }}"
- role_attr_flags: "NOSUPERUSER,NOINHERIT,NOCREATEDB,NOCREATEROLE,NOREPLICATION"
+ role_attr_flags: "NOSUPERUSER,NOCREATEDB,NOCREATEROLE,NOREPLICATION"
 groups: "postgres_readonly"
 login_user: "{{ postgres_admin_user }}"
 state: present
diff --git a/roles/postgres/tasks/master-requirements.yml b/roles/postgres/tasks/master-requirements.yml
index 35b0620..f72f8ad 100644
--- a/roles/postgres/tasks/master-requirements.yml
+++ b/roles/postgres/tasks/master-requirements.yml
@@ -1,13 +1,4 @@
 ---
-- name: "Check if role {{ postgres_replicator_user }} exists"
- community.postgresql.postgresql_query:
- query: "SELECT count(rolname) FROM pg_roles WHERE rolname = '{{ postgres_replicator_user }}'"
- login_user: "{{ postgres_admin_user }}"
- db: "{{ postgres_admin_user }}"
- become: true
- become_user: "{{ postgres_admin_user }}"
- register: role_check
-
 - name: "Create role {{ postgres_replicator_user }} if necessary"
 community.postgresql.postgresql_user:
 name: "{{ postgres_replicator_user }}"
@@ -16,7 +7,6 @@
 state: present
 become: true
 become_user: "{{ postgres_admin_user }}"
- when: role_check.rowcount == "0"

 - name: "Change passwords with scram-sha-256 for postgres superuser and replicator user"
 community.postgresql.postgresql_user:
diff --git a/templates/pgadmin4/config/pgpass_admin.j2 b/templates/pgadmin4/config/pgpass_admin.j2
index 8f4ee5c..dc9d0d4 100644
--- a/templates/pgadmin4/config/pgpass_admin.j2
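Review bot: This task and the one just above it (`@@ -201`) both manage `{{ pgadmin4_oidc_dev_username }}` through `community.postgresql.postgresql_user` and repeat the same `role_attr_flags` list with only `LOGIN` differing, which is why this commit had to edit both to drop `NOINHERIT`; moving `groups: "postgres_readonly"` into the first task and deleting this one removes the duplication and the chance of the two lists drifting apart again. In recent releases of the community.postgresql collection the `groups` option of `postgresql_user` is deprecated in favour of `community.postgresql.postgresql_membership`, so that module is the cleaner home for the membership if the installed version has it. Removing `NOINHERIT` from the login role is what lets membership in `postgres_readonly` confer its privileges, so the change itself looks right.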
+++ b/templates/pgadmin4/config/pgpass_admin.j2
@@ -1 +1,4 @@
-{{ shared_service_postgres_primary }}:5432:*:{{ postgres_admin_user }}:{{ postgres_admin_password }}
+{% set pg_servers = stage_server_infos | selectattr('service', 'equalto', 'postgres') | selectattr('role', 'equalto', 'master') | list %}
+{% for server in pg_servers %}
+{{ server.name }}:5432:*:{{ postgres_admin_user }}:{{ postgres_admin_password }}
+{% endfor %}
\ No newline at end of file
diff --git a/templates/pgadmin4/config/pgpass_dev.j2 b/templates/pgadmin4/config/pgpass_dev.j2
index 981b0a0..4aa870b 100644
--- a/templates/pgadmin4/config/pgpass_dev.j2
+++ b/templates/pgadmin4/config/pgpass_dev.j2
@@ -1 +1,4 @@
-{{ shared_service_postgres_primary }}:5432:*:{{ pgadmin4_oidc_dev_username }}:{{ pgadmin4_oidc_dev_password }}
+{% set pg_servers = stage_server_infos | selectattr('service', 'equalto', 'postgres') | selectattr('role', 'equalto', 'master') | list %}
+{% for server in pg_servers %}
+{{ server.name }}:5432:*:{{ pgadmin4_oidc_dev_username }}:{{ pgadmin4_oidc_dev_password }}
+{% endfor %}
\ No newline at end of file
diff --git a/templates/pgadmin4/config/servers_admin.json.j2 b/templates/pgadmin4/config/servers_admin.json.j2
index be81bae..c958fc2 100644
--- a/templates/pgadmin4/config/servers_admin.json.j2
+++ b/templates/pgadmin4/config/servers_admin.json.j2
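Review bot: The rendered file now holds `postgres_admin_password` in clear text once per master found in `stage_server_infos`, so the task that templates it (outside this diff) has to set `mode: "0600"` and an owner matching the pgAdmin process; libpq ignores a password file whose permissions allow group or world access, and a looser mode also hands the admin password of every master to anyone who can read the config directory. The host field uses `server.name`, which matches the `"Host"` that `servers_admin.json.j2` writes in this same patch; libpq looks up the pgpass entry by host name even when `HostAddr` is set, so the two templates must keep using the same value. `pgpass_dev.j2` has the identical structure with `pgadmin4_oidc_dev_password` and needs the same file mode.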
@@ -1,15 +1,19 @@
 {
 "Servers": {
- "1": {
- "Name": "{{ shared_service_postgres_primary }}",
+ {% set pg_servers = stage_server_infos | selectattr('service', 'equalto', 'postgres') | selectattr('role', 'equalto', 'master') | list %}
+ {% for server in pg_servers %}
+ "{{ loop.index }}": {
+ "Name": "{{ server.name }}",
 "Group": "Servers_Admin",
- "Host": "{{ shared_service_postgres_primary }}",
- "HostAddr": "{{ shared_service_pg_master_ip }}",
+ "Host": "{{ server.name }}",
+ "HostAddr": "{{ server.private_ip }}",
 "Port": 5432,
- "MaintenanceDB": "{{ stage_database_management_connect_name }}",
+ "MaintenanceDB": "{{ postgres_admin_user }}",
 "Username": "{{ postgres_admin_user }}",
 "PassFile": "/pgpass",
 "SSLMode": "prefer"
- }
+ }{% if not loop.last and pg_servers|length > 1 %},
+ {% endif %}
+ {% endfor %}
 }
 }
diff --git a/templates/pgadmin4/config/servers_dev.json.j2 b/templates/pgadmin4/config/servers_dev.json.j2
index c9bd69f..a3282a9 100644
--- a/templates/pgadmin4/config/servers_dev.json.j2
+++ b/templates/pgadmin4/config/servers_dev.json.j2
@@ -1,15 +1,19 @@
 {
 "Servers": {
- "1": {
- "Name": "{{ shared_service_postgres_primary }}",
+ {% set pg_servers = stage_server_infos | selectattr('service', 'equalto', 'postgres') | selectattr('role', 'equalto', 'master') | list %}
+ {% for server in pg_servers %}
+ "{{ loop.index }}": {
+ "Name": "{{ server.name }}",
 "Group": "Servers_Readonly",
- "Host": "{{ shared_service_postgres_primary }}",
- "HostAddr": "{{ shared_service_pg_master_ip }}",
+ "Host": "{{ server.name }}",
+ "HostAddr": "{{ server.private_ip }}",
 "Port": 5432,
- "MaintenanceDB": "{{ stage_database_management_connect_name }}",
+ "MaintenanceDB": "{{ postgres_admin_user }}",
 "Username": "{{ pgadmin4_oidc_dev_username }}",
 "PassFile": "/pgpass",
 "SSLMode": "prefer"
- }
+ }{% if not loop.last and pg_servers|length > 1 %},
+ {% endif %}
+ {% endfor %}
 }
 }
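Review bot: In the new separator line `}{% if not loop.last and pg_servers|length > 1 %},` the length test is redundant, because `not loop.last` can only hold when the list has at least two entries; `}{% if not loop.last %},` says the same thing. `"SSLMode": "prefer"` is now emitted for every generated server, and with `HostAddr` set to `server.private_ip` and the password read from `/pgpass`, `prefer` still permits a silent fall-back to an unencrypted connection; `require` (or `verify-full` where the masters have certificates) avoids that, though whether the masters offer TLS is not visible here. `"MaintenanceDB": "{{ postgres_admin_user }}"` assumes a database named after the admin user exists on each master, which nothing in this diff establishes. `servers_dev.json.j2` has the same three points, with the dev user additionally needing CONNECT on that maintenance database.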