DEV-1007 Fix #3 pgadmin4

2 years ago · 5cdaa7d323
parent 0842a54a03
commit 5cdaa7d323
7 changed files with 73 additions and 68 deletions
--- a/roles/pgadmin4/vars/main.yml
+++ b/roles/pgadmin4/vars/main.yml
@ -15,7 +15,7 @@ pgadmin4_docker:
          name: "init-pgadmin",
          image_name: "{{ pgadmin4_image_name }}",
          image_version: "{{ pgadmin4_version }}",
-          restart: '"on-failure:10"',
+          restart: '"on-failure:20"',
          entrypoint:
            [
              "- sh",
@ -30,7 +30,7 @@ pgadmin4_docker:
              "  /venv/bin/python3 /pgadmin4/setup.py --load-servers /config/servers_admin.json  --user nso.devops@netgo.de --replace",
              "  /venv/bin/python3 /pgadmin4/setup.py --load-servers /config/servers_dev.json  --user developer@netgo.de --replace",
            ],
-          volumes: [./config:/config, pgadmin_data:/var/lib/pgadmin],
+          volumes: ["./config:/config", "pgadmin_data:/var/lib/pgadmin"],
        },
        {
          name: "{{ pgadmin_id }}",
@ -47,27 +47,27 @@ pgadmin4_docker:
              '"traefik.http.services.{{ pgadmin_id }}.loadbalancer.server.port={{ http_port }}"',
            ],
          environment: [
-              'PGADMIN_DEFAULT_EMAIL: "{{ pgadmin4_admin_username }}"',
+            'PGADMIN_DEFAULT_EMAIL: "{{ pgadmin4_admin_username }}"',
-              'PGADMIN_DEFAULT_PASSWORD: "{{ pgadmin4_admin_password }}"',
+            'PGADMIN_DEFAULT_PASSWORD: "{{ pgadmin4_admin_password }}"',
-              'PGADMIN_CONFIG_CONSOLE_LOG_LEVEL: "20"',
+            'PGADMIN_CONFIG_CONSOLE_LOG_LEVEL: "20"',
-              'PGADMIN_CONFIG_AUTHENTICATION_SOURCES: "[''oauth2'',''internal'']"',
+            'PGADMIN_CONFIG_AUTHENTICATION_SOURCES: "[''oauth2'',''internal'']"',
-              'PGADMIN_CONFIG_OAUTH2_AUTO_CREATE_USER: "True"',
+            'PGADMIN_CONFIG_OAUTH2_AUTO_CREATE_USER: "True"',
-              'PGADMIN_CONFIG_OAUTH2_CONFIG: "[{
+            'PGADMIN_CONFIG_OAUTH2_CONFIG: "[{
-              ''OAUTH2_NAME'': ''keycloak'',
+            ''OAUTH2_NAME'': ''keycloak'',
-              ''OAUTH2_DISPLAY_NAME'': ''Keycloak'',
+            ''OAUTH2_DISPLAY_NAME'': ''Keycloak'',
-              ''OAUTH2_CLIENT_ID'': ''{{ pgadmin4_oidc_client_id }}'',
+            ''OAUTH2_CLIENT_ID'': ''{{ pgadmin4_oidc_client_id }}'',
-              ''OAUTH2_CLIENT_SECRET'': ''{{ pgadmin4_oidc_client_secret }}'',
+            ''OAUTH2_CLIENT_SECRET'': ''{{ pgadmin4_oidc_client_secret }}'',
-              ''OAUTH2_TOKEN_URL'': ''{{ shared_service_url_keycloak }}/auth/realms/{{ pgadmin4_oidc_realm }}/protocol/openid-connect/token'',
+            ''OAUTH2_TOKEN_URL'': ''{{ shared_service_url_keycloak }}/auth/realms/{{ pgadmin4_oidc_realm }}/protocol/openid-connect/token'',
-              ''OAUTH2_AUTHORIZATION_URL'': ''{{ shared_service_url_keycloak }}/auth/realms/{{ pgadmin4_oidc_realm }}/protocol/openid-connect/auth'',
+            ''OAUTH2_AUTHORIZATION_URL'': ''{{ shared_service_url_keycloak }}/auth/realms/{{ pgadmin4_oidc_realm }}/protocol/openid-connect/auth'',
-              ''OAUTH2_API_BASE_URL'': ''{{ shared_service_url_keycloak }}/auth/realms/{{ pgadmin4_oidc_realm }}/protocol/openid-connect/'',
+            ''OAUTH2_API_BASE_URL'': ''{{ shared_service_url_keycloak }}/auth/realms/{{ pgadmin4_oidc_realm }}/protocol/openid-connect/'',
-              ''OAUTH2_USERINFO_ENDPOINT'': ''userinfo'',
+            ''OAUTH2_USERINFO_ENDPOINT'': ''userinfo'',
-              ''OAUTH2_BUTTON_COLOR'': ''#3253a8'',
+            ''OAUTH2_BUTTON_COLOR'': ''#3253a8'',
-              ''OAUTH2_SCOPE'': ''openid email profile'',
+            ''OAUTH2_SCOPE'': ''openid email profile'',
-              ''OAUTH2_USERNAME_CLAIM'': ''sub'',
+            ''OAUTH2_USERNAME_CLAIM'': ''sub'',
-              ''OAUTH2_SERVER_METADATA_URL'': ''{{ shared_service_url_keycloak }}/auth/realms/{{ pgadmin4_oidc_realm }}/.well-known/openid-configuration''
+            ''OAUTH2_SERVER_METADATA_URL'': ''{{ shared_service_url_keycloak }}/auth/realms/{{ pgadmin4_oidc_realm }}/.well-known/openid-configuration''
-              }]"',
+            }]"',
-            ],
+          ],
-          volumes: [pgadmin_data:/var/lib/pgadmin],
+          volumes: ["pgadmin_data:/var/lib/pgadmin"],
          networks: [front-tier, back-tier],
          extra_hosts: "{{ pgadmin_extra_hosts | default([]) }}",
        },
--- a/roles/postgres/tasks/_update_database_state.yml
+++ b/roles/postgres/tasks/_update_database_state.yml
@ -54,22 +54,6 @@
    - item.stdout == '0'
    - server_type == 'master'
 - name: "Grant CREATE privilege on public schema for if necessary"
  community.postgresql.postgresql_privs:
    role: "{{ item.item.name }}"
    type: schema
    priv: ALL
    objs: public
    login_user: "{{ postgres_admin_user }}"
    database: "{{ item.item.name }}"
    state: present
  loop: "{{ role_check.results }}"
  become: true
  become_user: "{{ postgres_admin_user }}"
  when:
    - database_state == 'present'
    - server_type == 'master'
 - name: "Checking database exist"
  shell: '/usr/bin/psql -Atc "SELECT count(*) FROM pg_database WHERE datname = ''{{ item.name }}''"'
  with_items: "{{ postgres_acls }}"
@ -94,6 +78,22 @@
    - item.stdout == '0'
    - server_type == 'master'
 - name: "Grant CREATE privilege on public schema for if necessary"
  community.postgresql.postgresql_privs:
    role: "{{ item.item.name }}"
    type: schema
    priv: ALL
    objs: public
    login_user: "{{ postgres_admin_user }}"
    database: "{{ item.item.name }}"
    state: present
  loop: "{{ role_check.results }}"
  become: true
  become_user: "{{ postgres_admin_user }}"
  when:
    - database_state == 'present'
    - server_type == 'master'
 - name: "Deleting Databases if necessary"
  shell: '/usr/bin/psql -c "DROP DATABASE {{ item.item.name }} WITH (FORCE);"'
  with_items: "{{ database_check.results }}"
@ -135,7 +135,7 @@
 - name: "Create PostgreSQL readonly group"
  community.postgresql.postgresql_user:
    name: "postgres_readonly"
-    role_attr_flags: NOLOGIN,NOSUPERUSER,NOINHERIT,NOCREATEDB,NOCREATEROLE,NOREPLICATION
+    role_attr_flags: NOLOGIN,NOSUPERUSER,NOCREATEDB,NOCREATEROLE,NOREPLICATION
    login_user: "{{ postgres_admin_user }}"
    state: present
  become: true
@ -167,7 +167,7 @@
  when:
    - server_type == 'master'
- name: "Grant USAGE privilege to postgres readonly group"
+- name: "Grant USAGE privilege to postgres readonly group on all public schemas"
  community.postgresql.postgresql_privs:
    role: "postgres_readonly"
    type: schema
@ -175,6 +175,7 @@
    objs: public
    login_user: "{{ postgres_admin_user }}"
    database: "{{ item.datname }}"
    state: present
  loop: "{{ database_list.query_result }}"
  become: true
  become_user: "{{ postgres_admin_user }}"
@ -185,7 +186,7 @@
  community.postgresql.postgresql_privs:
    role: "postgres_readonly"
    type: table
-    priv: SELECT
+    privs: SELECT
    schema: public
    objs: ALL_IN_SCHEMA
    login_user: "{{ postgres_admin_user }}"
@ -201,7 +202,7 @@
  community.postgresql.postgresql_user:
    name: "{{ pgadmin4_oidc_dev_username }}"
    password: "{{ pgadmin4_oidc_dev_password }}"
-    role_attr_flags: LOGIN,NOSUPERUSER,NOINHERIT,NOCREATEDB,NOCREATEROLE,NOREPLICATION
+    role_attr_flags: LOGIN,NOSUPERUSER,NOCREATEDB,NOCREATEROLE,NOREPLICATION
    login_user: "{{ postgres_admin_user }}"
    state: present
  become: true
@ -212,7 +213,7 @@
 - name: "Add {{ pgadmin4_oidc_dev_username }} to group 'postgres_readonly'"
  community.postgresql.postgresql_user:
    name: "{{ pgadmin4_oidc_dev_username }}"
-    role_attr_flags: "NOSUPERUSER,NOINHERIT,NOCREATEDB,NOCREATEROLE,NOREPLICATION"
+    role_attr_flags: "NOSUPERUSER,NOCREATEDB,NOCREATEROLE,NOREPLICATION"
    groups: "postgres_readonly"
    login_user: "{{ postgres_admin_user }}"
    state: present
--- a/roles/postgres/tasks/master-requirements.yml
+++ b/roles/postgres/tasks/master-requirements.yml
@ -1,13 +1,4 @@
 ---
 - name: "Check if role {{ postgres_replicator_user }} exists"
  community.postgresql.postgresql_query:
    query: "SELECT count(rolname) FROM pg_roles WHERE rolname = '{{ postgres_replicator_user }}'"
    login_user: "{{ postgres_admin_user }}"
    db: "{{ postgres_admin_user }}"
  become: true
  become_user: "{{ postgres_admin_user }}"
  register: role_check
 - name: "Create role {{ postgres_replicator_user }} if necessary"
  community.postgresql.postgresql_user:
    name: "{{ postgres_replicator_user }}"
@ -16,7 +7,6 @@
    state: present
  become: true
  become_user: "{{ postgres_admin_user }}"
  when: role_check.rowcount == "0"
 - name: "Change passwords with scram-sha-256 for postgres superuser and replicator user"
  community.postgresql.postgresql_user:
--- a/templates/pgadmin4/config/pgpass_admin.j2
+++ b/templates/pgadmin4/config/pgpass_admin.j2
@ -1 +1,4 @@
-{{ shared_service_postgres_primary }}:5432:*:{{ postgres_admin_user }}:{{ postgres_admin_password }}
+{% set pg_servers = stage_server_infos | selectattr('service', 'equalto', 'postgres') | selectattr('role', 'equalto', 'master') | list %}
 {% for server in pg_servers %}
 {{ server.name }}:5432:*:{{ postgres_admin_user }}:{{ postgres_admin_password }}
 {% endfor %}
--- a/templates/pgadmin4/config/pgpass_dev.j2
+++ b/templates/pgadmin4/config/pgpass_dev.j2
@ -1 +1,4 @@
-{{ shared_service_postgres_primary }}:5432:*:{{ pgadmin4_oidc_dev_username }}:{{ pgadmin4_oidc_dev_password }}
+{% set pg_servers = stage_server_infos | selectattr('service', 'equalto', 'postgres') | selectattr('role', 'equalto', 'master') | list %}
 {% for server in pg_servers %}
 {{ server.name }}:5432:*:{{ pgadmin4_oidc_dev_username }}:{{ pgadmin4_oidc_dev_password }}
 {% endfor %}
--- a/templates/pgadmin4/config/servers_admin.json.j2
+++ b/templates/pgadmin4/config/servers_admin.json.j2
@ -1,15 +1,19 @@
 {
    "Servers": {
-        "1": {
+        {% set pg_servers = stage_server_infos | selectattr('service', 'equalto', 'postgres') | selectattr('role', 'equalto', 'master') | list %}
-            "Name": "{{ shared_service_postgres_primary }}",
+        {% for server in pg_servers %}
        "{{ loop.index }}": {
            "Name": "{{ server.name }}",
            "Group": "Servers_Admin",
-            "Host": "{{ shared_service_postgres_primary }}",
+            "Host": "{{ server.name }}",
-            "HostAddr": "{{ shared_service_pg_master_ip }}",
+            "HostAddr": "{{ server.private_ip }}",
            "Port": 5432,
-            "MaintenanceDB": "{{ stage_database_management_connect_name }}",
+            "MaintenanceDB": "{{ postgres_admin_user }}",
            "Username": "{{ postgres_admin_user }}",
            "PassFile": "/pgpass",
            "SSLMode": "prefer"
-        }
+        }{% if not loop.last and pg_servers|length > 1 %},
        {% endif %}
        {% endfor %}
    }
 }
--- a/templates/pgadmin4/config/servers_dev.json.j2
+++ b/templates/pgadmin4/config/servers_dev.json.j2
@ -1,15 +1,19 @@
 {
    "Servers": {
-        "1": {
+        {% set pg_servers = stage_server_infos | selectattr('service', 'equalto', 'postgres') | selectattr('role', 'equalto', 'master') | list %}
-            "Name": "{{ shared_service_postgres_primary }}",
+        {% for server in pg_servers %}
        "{{ loop.index }}": {
            "Name": "{{ server.name }}",
            "Group": "Servers_Readonly",
-            "Host": "{{ shared_service_postgres_primary }}",
+            "Host": "{{ server.name }}",
-            "HostAddr": "{{ shared_service_pg_master_ip }}",
+            "HostAddr": "{{ server.private_ip }}",
            "Port": 5432,
-            "MaintenanceDB": "{{ stage_database_management_connect_name }}",
+            "MaintenanceDB": "{{ postgres_admin_user }}",
            "Username": "{{ pgadmin4_oidc_dev_username }}",
            "PassFile": "/pgpass",
            "SSLMode": "prefer"
-        }
+        }{% if not loop.last and pg_servers|length > 1 %},
        {% endif %}
        {% endfor %}
    }
 }