Posted to commits@trafficcontrol.apache.org by jh...@apache.org on 2021/06/09 14:55:10 UTC
[trafficcontrol] branch master updated: Update Ansible automation
to initialize Traffic Vault Postgres backend (#5909)
This is an automated email from the ASF dual-hosted git repository.
jhg03a pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficcontrol.git
The following commit(s) were added to refs/heads/master by this push:
new 10e7b79 Update Ansible automation to initialize Traffic Vault Postgres backend (#5909)
10e7b79 is described below
commit 10e7b79eae25fc6a010453702c04281d58498be5
Author: Rawlin Peters <ra...@apache.org>
AuthorDate: Wed Jun 9 08:55:02 2021 -0600
Update Ansible automation to initialize Traffic Vault Postgres backend (#5909)
* Update Ansible automation to initialize Traffic Vault Postgres backend
* Address review feedback
* Remove SUPERUSER and CREATEDB flags from traffic_vault DB user
* Remove quotes from port field
* Add task to render Traffic Vault Postgres backend AES key file
* Load Traffic Vault DB schema
---
.../ansible/roles/traffic_ops/defaults/main.yml | 23 +++++++++++++-
.../roles/traffic_ops/tasks/traffic_ops.yml | 37 +++++++++++++++++++++-
.../templates/aes.key.j2} | 5 +--
.../roles/traffic_ops/templates/cdn.conf.j2 | 9 ++++++
.../roles/traffic_ops/templates/dbconf.yml.j2 | 1 -
.../traffic_ops/templates/postinstall.input.j2 | 28 +++++++++++-----
.../{dbconf.yml.j2 => trafficvault_dbconf.yml.j2} | 11 +++----
.../ansible/roles/traffic_opsdb/defaults/main.yml | 7 ++++
.../tasks/initialize_traffic_opsdb.yml | 18 +++++++++++
.../roles/traffic_opsdb/templates/.pgpass.j2 | 1 +
.../roles/traffic_opsdb/templates/pg_hba.conf.j2 | 14 ++++++++
11 files changed, 133 insertions(+), 21 deletions(-)
diff --git a/infrastructure/ansible/roles/traffic_ops/defaults/main.yml b/infrastructure/ansible/roles/traffic_ops/defaults/main.yml
index 7c5d652..db366c2 100644
--- a/infrastructure/ansible/roles/traffic_ops/defaults/main.yml
+++ b/infrastructure/ansible/roles/traffic_ops/defaults/main.yml
@@ -112,7 +112,7 @@ to_go_supported_ds_metrics:
to_plugin_config: {}
-to_traffic_vault_backend: "riak"
+to_traffic_vault_backend: "postgres"
to_smtp_enabled: false
to_smtp_username: ""
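Review bot: Flipping the default of `to_traffic_vault_backend` from `"riak"` to `"postgres"` changes behaviour for every inventory that relied on the old default without setting the variable, and with the new `to_tvdb_*` defaults left empty such a deployment would come up pointing at a vault database with null credentials rather than at its riak cluster. If the intent is new installs only, a comment above the key such as `# Changed from "riak" in #5909; existing riak deployments must now set this explicitly` (or a note in the role README) makes the migration step visible to operators.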
@@ -138,6 +138,27 @@ todb_dbconf:
sslmode: disable
open_manual: ""
+# --- Traffic Vault Postgres backend traffic_vault_config (in cdn.conf) & dbconf.yml
+to_tvdb_db_name: traffic_vault
+to_tvdb_type: Pg
+to_tvdb_port: 5432
+to_tvdb_host: localhost
+to_tvdb_username:
+to_tvdb_password:
+to_tvdb_ssl_enable: false
+to_tvdb_aes_key_loc: "{{ to_conf_installdir }}/aes.key"
+to_tvdb_aes_key:
+to_tvdb_dbconf:
+ production:
+ driver: postgres
+ host: localhost
+ port: 5432
+ user: "{{ to_tvdb_username }}"
+ password: "{{ to_tvdb_password }}"
+ dbname: "{{ to_tvdb_db_name }}"
+ sslmode: disable
+ open_manual: ""
+
# --- postinstall - input.json
to_pi_script_with_args: "{{ to_pi_script }} -a -cfile {{ to_pi_input_json }}"
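Review bot: `to_tvdb_dbconf.production` hardcodes `host: localhost` and `port: 5432` while cdn.conf is rendered from `to_tvdb_host` and `to_tvdb_port`, so an inventory that overrides only the latter gets a `db/admin --trafficvault` config that talks to a different server than Traffic Ops itself; use `host: "{{ to_tvdb_host }}"` and `port: "{{ to_tvdb_port }}"` so the two cannot drift. `sslmode: disable` as the default for the database that holds the vault's contents means the Traffic Ops connection carries the stored secrets in cleartext unless the operator remembers to override it; `require` (or `verify-full` with the `postgresql_certs_ca` the traffic_opsdb role already references) is the safer default, and `to_tvdb_ssl_enable: false` is declared here but not referenced by any template in this commit, so either wire it into `sslmode` or drop it. `to_tvdb_username:`, `to_tvdb_password:` and `to_tvdb_aes_key:` are bare keys, which YAML reads as null rather than an empty string; a comment such as `# required; supply from a vault-encrypted inventory` above them would document the contract.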
diff --git a/infrastructure/ansible/roles/traffic_ops/tasks/traffic_ops.yml b/infrastructure/ansible/roles/traffic_ops/tasks/traffic_ops.yml
index 0351ef7..bd6d64d 100644
--- a/infrastructure/ansible/roles/traffic_ops/tasks/traffic_ops.yml
+++ b/infrastructure/ansible/roles/traffic_ops/tasks/traffic_ops.yml
@@ -102,6 +102,24 @@
dest: "{{ to_db_installdir }}/dbconf.yml"
notify: Restart Traffic Ops
+- name: Render Traffic Vault database configuration file
+ template:
+ src: "trafficvault_dbconf.yml.j2"
+ owner: "{{ to_user }}"
+ group: "{{ to_group }}"
+ mode: 0600
+ dest: "{{ to_db_installdir }}/trafficvault/dbconf.yml"
+ notify: Restart Traffic Ops
+
+- name: Render Traffic Vault database AES key file
+ template:
+ src: "aes.key.j2"
+ owner: "{{ to_user }}"
+ group: "{{ to_group }}"
+ mode: 0600
+ dest: "{{ to_tvdb_aes_key_loc }}"
+ notify: Restart Traffic Ops
+
- name: Render Traffic Ops configuration files
template:
src: "{{item}}.j2"
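Review bot: The two new template tasks write secret material (the DB password into dbconf.yml, the AES key into `to_tvdb_aes_key_loc`) but neither sets `no_log: true`, so a run with `--diff` or a failed render prints the file contents into the job log; add `no_log: true` to both, as the `postgresql_user` task in initialize_traffic_opsdb.yml already does. Both tasks, the `Load Traffic Vault DB schema` / `Upgrade Traffic Vault DB` commands in the next hunk, and the new create tasks in initialize_traffic_opsdb.yml also run regardless of `to_traffic_vault_backend`, so a riak deployment would still render the postgres files and try to migrate a vault database; gate them with `when: to_traffic_vault_backend == "postgres"`. The template module does not create parent directories, so `{{ to_db_installdir }}/trafficvault/` presumably has to exist already (from the package or a task not visible here) — worth confirming. `mode: 0600` parses as the octal integer 384 under YAML 1.1, which Ansible applies as the intended bits, but `mode: "0600"` is the form the Ansible docs recommend and avoids a silent wrong mode if the value is ever edited to `600`.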
@@ -124,7 +142,24 @@
chdir: "{{ to_app_installdir }}"
environment:
PATH: "{{ lookup('env', 'PATH') }}:{{ to_base_installdir }}/go/bin"
- PERL5LIB: ./lib:./local/lib/perl5
+ GOPATH: /opt/traffic_ops/go
+ run_once: true
+
+- name: Load Traffic Vault DB schema
+ command: ./db/admin --trafficvault -env=production load_schema
+ args:
+ chdir: "{{ to_app_installdir }}"
+ environment:
+ PATH: "{{ lookup('env', 'PATH') }}:{{ to_base_installdir }}/go/bin"
+ GOPATH: /opt/traffic_ops/go
+ run_once: true
+
+- name: Upgrade Traffic Vault DB
+ command: ./db/admin --trafficvault -env=production upgrade
+ args:
+ chdir: "{{ to_app_installdir }}"
+ environment:
+ PATH: "{{ lookup('env', 'PATH') }}:{{ to_base_installdir }}/go/bin"
GOPATH: /opt/traffic_ops/go
run_once: true
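Review bot: `Load Traffic Vault DB schema` and `Upgrade Traffic Vault DB` are `command` tasks with no `changed_when`/`creates` guard, so every play reports them as changed and `load_schema` re-runs against an already-populated vault database on each run; whether that is a no-op or destructive depends on `db/admin`, which is outside this diff, so at minimum mark them `changed_when: false` or, better, run `load_schema` only when a registered check shows the schema is absent. `run_once: true` is copied from the Traffic Ops task but only guards against parallel hosts, not repeated runs. The task whose environment changes at the top of the hunk (`PERL5LIB` → `GOPATH`) begins outside the hunk.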
diff --git a/infrastructure/ansible/roles/traffic_opsdb/templates/.pgpass.j2 b/infrastructure/ansible/roles/traffic_ops/templates/aes.key.j2
similarity index 69%
copy from infrastructure/ansible/roles/traffic_opsdb/templates/.pgpass.j2
copy to infrastructure/ansible/roles/traffic_ops/templates/aes.key.j2
index afafab6..64b6bf5 100644
--- a/infrastructure/ansible/roles/traffic_opsdb/templates/.pgpass.j2
+++ b/infrastructure/ansible/roles/traffic_ops/templates/aes.key.j2
@@ -11,7 +11,4 @@
# See the License for the specific language governing permissions and
# limitations under the License.
#}
-{% for hostname in groups['traffic_opsdb'] %}
-{{ hostname }}:{{ postgresql_port }}:{{ postgresql_admin_user }}:{{ postgresql_admin_user_password }}
-{{ hostname }}:{{ postgresql_port }}:{{ todb_username }}:{{ todb_password }}
-{% endfor %}
+{{ to_tvdb_aes_key }}
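Review bot: The template body is the bare `{{ to_tvdb_aes_key }}`, and the role default for that variable is a null key, so an inventory that forgets to set it most likely renders a key file containing the literal text `None` (Jinja's rendering of a null value) and the Traffic Ops restart fails later with an unrelated-looking error. Because the `mandatory` filter only catches undefined (not null) variables, the clearer guard is an `assert` task before the render, e.g. `that: - to_tvdb_aes_key | default('', true) | length > 0` with a `fail_msg` naming the variable. The expected length and encoding of the key are not visible here, so the assert should only check presence unless the Go side's requirements are confirmed.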
diff --git a/infrastructure/ansible/roles/traffic_ops/templates/cdn.conf.j2 b/infrastructure/ansible/roles/traffic_ops/templates/cdn.conf.j2
index 9e06085..411800c 100644
--- a/infrastructure/ansible/roles/traffic_ops/templates/cdn.conf.j2
+++ b/infrastructure/ansible/roles/traffic_ops/templates/cdn.conf.j2
@@ -80,9 +80,18 @@
"plugin_config" : {{ to_plugin_config | to_nice_json(indent=2) }},
"traffic_vault_backend": "{{ to_traffic_vault_backend }}",
"traffic_vault_config": {
+{% if to_traffic_vault_backend == "postgres" %}
+ "dbname": "{{ to_tvdb_db_name }}",
+ "hostname": "{{ to_tvdb_host }}",
+ "port": {{ to_tvdb_port }},
+ "user": "{{ to_tvdb_username }}",
+ "password": "{{ to_tvdb_password }}",
+ "aes_key_location": "{{ to_tvdb_aes_key_loc }}"
+{% else %}
"user": "{{ to_riak_username }}",
"password": "{{ to_riak_username_password }}",
"MaxTLSVersion": "{{ to_riak_tls_max_version }}"
+{% endif %}
}
}
}
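Review bot: `"port": {{ to_tvdb_port }}` is emitted unquoted (per the commit message), so if the inventory supplies the port as a string, or leaves it null, cdn.conf is no longer valid JSON; `{{ to_tvdb_port | int }}` keeps the output numeric for either input. The postgres branch also writes the vault DB password in cleartext into cdn.conf, as the riak branch already does, so the file mode set by `Render Traffic Ops configuration files` (outside this hunk) is the only control — worth confirming it is 0600. `to_tvdb_ssl_enable` from the role defaults is not consulted in this branch, so the rendered `traffic_vault_config` has no TLS setting at all unless the Go side derives one elsewhere.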
diff --git a/infrastructure/ansible/roles/traffic_ops/templates/dbconf.yml.j2 b/infrastructure/ansible/roles/traffic_ops/templates/dbconf.yml.j2
index 6d76c2e..67fe87b 100644
--- a/infrastructure/ansible/roles/traffic_ops/templates/dbconf.yml.j2
+++ b/infrastructure/ansible/roles/traffic_ops/templates/dbconf.yml.j2
@@ -1,4 +1,3 @@
-#!/usr/bin/env perl
{#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
diff --git a/infrastructure/ansible/roles/traffic_ops/templates/postinstall.input.j2 b/infrastructure/ansible/roles/traffic_ops/templates/postinstall.input.j2
index 10d1c1e..5889052 100644
--- a/infrastructure/ansible/roles/traffic_ops/templates/postinstall.input.j2
+++ b/infrastructure/ansible/roles/traffic_ops/templates/postinstall.input.j2
@@ -92,19 +92,31 @@
"hidden": "1"
}
],
- "/opt/traffic_ops/app/db/dbconf.yml": [
+ "/opt/traffic_ops/app/conf/production/tv.conf": [
{
- "Database server root (admin) username": "{{ postgresql_admin_user }}",
- "config_var": "pgUser"
+ "Traffic Vault Database type": "{{ to_tvdb_type }}",
+ "config_var": "type"
},
{
- "Database server admin password": "{{ postgresql_admin_user_password }}",
- "config_var": "pgPassword",
- "hidden": "1"
+ "Traffic Vault Database name": "{{ to_tvdb_db_name }}",
+ "config_var": "dbname"
+ },
+ {
+ "Traffic Vault Database server hostname IP or FQDN": "{{ to_tvdb_host }}",
+ "config_var": "hostname"
+ },
+ {
+ "Traffic Vault Database port number": "{{ to_tvdb_port }}",
+ "config_var": "port"
},
{
- "Download Maxmind Database?": "{{ to_pi_maxmind_download }}",
- "config_var": "maxmind"
+ "Traffic Vault database user": "{{ to_tvdb_username }}",
+ "config_var": "user"
+ },
+ {
+ "Traffic Vault database password": "{{ to_tvdb_password }}",
+ "config_var": "password",
+ "hidden": "1"
}
],
"/opt/traffic_ops/install/data/json/openssl_configuration.json": [
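Review bot: The replaced block drops the `Download Maxmind Database?` / `maxmind` entry along with the pgUser/pgPassword prompts, and the commit description mentions neither, so `to_pi_maxmind_download` appears to become dead and postinstall may now decide the Maxmind download without the inventory's answer; if the entry moved elsewhere in the file a one-line note in the description would help, otherwise it looks like an accidental deletion. The new `tv.conf` block passes `port` as the quoted string `"{{ to_tvdb_port }}"` while cdn.conf now writes it as a bare number — presumably postinstall coerces it, but the two forms should be aligned deliberately rather than incidentally.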
diff --git a/infrastructure/ansible/roles/traffic_ops/templates/dbconf.yml.j2 b/infrastructure/ansible/roles/traffic_ops/templates/trafficvault_dbconf.yml.j2
similarity index 57%
copy from infrastructure/ansible/roles/traffic_ops/templates/dbconf.yml.j2
copy to infrastructure/ansible/roles/traffic_ops/templates/trafficvault_dbconf.yml.j2
index 6d76c2e..3746740 100644
--- a/infrastructure/ansible/roles/traffic_ops/templates/dbconf.yml.j2
+++ b/infrastructure/ansible/roles/traffic_ops/templates/trafficvault_dbconf.yml.j2
@@ -1,4 +1,3 @@
-#!/usr/bin/env perl
{#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -15,13 +14,13 @@
version: "1.0"
name: dbconf.yml
-{% for db_env in todb_dbconf %}
+{% for db_env in to_tvdb_dbconf %}
{{ db_env }}:
- driver: {{ todb_dbconf[db_env]['driver'] }}
-{% if todb_dbconf[db_env]['open_manual'] | length %}
- open: {{ todb_dbconf[db_env]['open_manual'] }}
+ driver: {{ to_tvdb_dbconf[db_env]['driver'] }}
+{% if to_tvdb_dbconf[db_env]['open_manual'] | length %}
+ open: {{ to_tvdb_dbconf[db_env]['open_manual'] }}
{% else %}
- open: host={{ todb_dbconf[db_env]['host'] }} port={{ todb_dbconf[db_env]['port'] }} user={{ todb_dbconf[db_env]['user'] }} password={{ todb_dbconf[db_env]['password'] }} dbname={{ todb_dbconf[db_env]['dbname'] }} sslmode={{ todb_dbconf[db_env]['sslmode'] }}
+ open: host={{ to_tvdb_dbconf[db_env]['host'] }} port={{ to_tvdb_dbconf[db_env]['port'] }} user={{ to_tvdb_dbconf[db_env]['user'] }} password={{ to_tvdb_dbconf[db_env]['password'] }} dbname={{ to_tvdb_dbconf[db_env]['dbname'] }} sslmode={{ to_tvdb_dbconf[db_env]['sslmode'] }}
{% endif %}
{% endfor %}
diff --git a/infrastructure/ansible/roles/traffic_opsdb/defaults/main.yml b/infrastructure/ansible/roles/traffic_opsdb/defaults/main.yml
index b15b14a..57c4955 100644
--- a/infrastructure/ansible/roles/traffic_opsdb/defaults/main.yml
+++ b/infrastructure/ansible/roles/traffic_opsdb/defaults/main.yml
@@ -45,3 +45,10 @@ todb_password:
# TODB database name
todb_db_name: traffic_ops
+
+# Traffic Vault Postgres database credentials
+tvdb_username:
+tvdb_password:
+
+# Traffic Vault Postgres database name
+tvdb_db_name: traffic_vault
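Review bot: `tvdb_db_name`, `tvdb_username` and `tvdb_password` are a second copy of `to_tvdb_db_name`, `to_tvdb_username` and `to_tvdb_password` from the traffic_ops role with nothing tying the two together; an inventory that sets one set but not the other ends with a database, pg_hba rules and .pgpass entries for one name and a Traffic Ops config pointing at another, and the failure surfaces only at connect time. Document the coupling above the keys, e.g. `# Must match to_tvdb_username / to_tvdb_password / to_tvdb_db_name in the traffic_ops role`, or define the values once in group_vars and reference them from both roles. `tvdb_username:` and `tvdb_password:` are bare keys (null), so `postgresql_user` would receive `name: None` when they are unset; an explicit `assert` before the create tasks gives a clearer failure than the module error.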
diff --git a/infrastructure/ansible/roles/traffic_opsdb/tasks/initialize_traffic_opsdb.yml b/infrastructure/ansible/roles/traffic_opsdb/tasks/initialize_traffic_opsdb.yml
index 6b59769..a9003fe 100644
--- a/infrastructure/ansible/roles/traffic_opsdb/tasks/initialize_traffic_opsdb.yml
+++ b/infrastructure/ansible/roles/traffic_opsdb/tasks/initialize_traffic_opsdb.yml
@@ -34,9 +34,27 @@
ssl_rootcert: "{{ postgresql_certs_ca }}"
no_log: true
+- name: Create Traffic Vault Database User
+ postgresql_user:
+ encrypted: yes
+ name: "{{ tvdb_username }}"
+ password: "{{ tvdb_password }}"
+ port: "{{ postgresql_port }}"
+ login_host: 127.0.0.1
+ role_attr_flags: LOGIN
+ ssl_rootcert: "{{ postgresql_certs_ca }}"
+ no_log: true
+
- name: Create Traffic Ops Database
postgresql_db:
login_host: 127.0.0.1
name: "{{ todb_db_name }}"
owner: "{{ todb_username }}"
port: "{{ postgresql_port }}"
+
+- name: Create Traffic Vault Database
+ postgresql_db:
+ login_host: 127.0.0.1
+ name: "{{ tvdb_db_name }}"
+ owner: "{{ tvdb_username }}"
+ port: "{{ postgresql_port }}"
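Review bot: `Create Traffic Vault Database` connects with the admin login but, unlike the `Create Traffic Vault Database User` task just above it, passes no `ssl_rootcert`, so that connection to 127.0.0.1 presumably falls back to the module's default sslmode, which does not verify the server certificate; it mirrors the existing `Create Traffic Ops Database` task, but since both new tasks are introduced together it is a chance to make the new one consistent with the user task. `encrypted: yes` is a YAML 1.1 boolean; `encrypted: true` is the portable spelling and what yamllint's truthy rule expects. `role_attr_flags: LOGIN` with SUPERUSER/CREATEDB removed is the right least-privilege shape for the vault user.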
diff --git a/infrastructure/ansible/roles/traffic_opsdb/templates/.pgpass.j2 b/infrastructure/ansible/roles/traffic_opsdb/templates/.pgpass.j2
index afafab6..f5f1b4e 100644
--- a/infrastructure/ansible/roles/traffic_opsdb/templates/.pgpass.j2
+++ b/infrastructure/ansible/roles/traffic_opsdb/templates/.pgpass.j2
@@ -14,4 +14,5 @@
{% for hostname in groups['traffic_opsdb'] %}
{{ hostname }}:{{ postgresql_port }}:{{ postgresql_admin_user }}:{{ postgresql_admin_user_password }}
{{ hostname }}:{{ postgresql_port }}:{{ todb_username }}:{{ todb_password }}
+{{ hostname }}:{{ postgresql_port }}:{{ tvdb_username }}:{{ tvdb_password }}
{% endfor %}
diff --git a/infrastructure/ansible/roles/traffic_opsdb/templates/pg_hba.conf.j2 b/infrastructure/ansible/roles/traffic_opsdb/templates/pg_hba.conf.j2
index 3dac6d2..5345f85 100644
--- a/infrastructure/ansible/roles/traffic_opsdb/templates/pg_hba.conf.j2
+++ b/infrastructure/ansible/roles/traffic_opsdb/templates/pg_hba.conf.j2
@@ -108,16 +108,19 @@
# ------------------------------------------------------
# -- Primary
hostssl {{ todb_db_name }} {{ postgresql_user }} {{ (groups['traffic_opsdb-primary'] | map('extract', hostvars, ['ansible_host']) | first) }}/32 md5
+ hostssl {{ tvdb_db_name }} {{ postgresql_user }} {{ (groups['traffic_opsdb-primary'] | map('extract', hostvars, ['ansible_host']) | first) }}/32 md5
{% if groups['traffic_opsdb-standby'] is defined %}
# -- Secondary
hostssl {{ todb_db_name }} {{ postgresql_user }} {{ (groups['traffic_opsdb-standby'] | map('extract', hostvars, ['ansible_host']) | first) }}/32 md5
+ hostssl {{ tvdb_db_name }} {{ postgresql_user }} {{ (groups['traffic_opsdb-standby'] | map('extract', hostvars, ['ansible_host']) | first) }}/32 md5
{% endif %}
{% if groups['traffic_opsdb-replicas'] is defined %}
# -- Replicas
{% for host_obj in (groups['traffic_opsdb-replicas']) %}
hostssl {{ todb_db_name }} {{ postgresql_user }} {{ (groups['traffic_opsdb-replicas'] | map('extract', hostvars, ['ansible_host']) | list)[loop.index0] }}/32 md5
+ hostssl {{ tvdb_db_name }} {{ postgresql_user }} {{ (groups['traffic_opsdb-replicas'] | map('extract', hostvars, ['ansible_host']) | list)[loop.index0] }}/32 md5
{% endfor %}
{% endif %}
@@ -132,6 +135,17 @@
host {{ postgresql_user }} {{ todb_username }} {{ (groups['traffic_ops'] | map('extract', hostvars, ['ansible_host']) | list)[loop.index0] }}/32 md5
{% endfor %}
+#-------------------------------------
+# TRAFFIC VAULT
+# ------------------------------------------------------
+{% for host_obj in (groups['traffic_ops']) %}
+ hostssl {{ tvdb_db_name }} {{ tvdb_username }} {{ (groups['traffic_ops'] | map('extract', hostvars, ['ansible_host']) | list)[loop.index0] }}/32 md5
+ host {{ tvdb_db_name }} {{ tvdb_username }} {{ (groups['traffic_ops'] | map('extract', hostvars, ['ansible_host']) | list)[loop.index0] }}/32 md5
+
+ hostssl {{ postgresql_user }} {{ tvdb_username }} {{ (groups['traffic_ops'] | map('extract', hostvars, ['ansible_host']) | list)[loop.index0] }}/32 md5
+ host {{ postgresql_user }} {{ tvdb_username }} {{ (groups['traffic_ops'] | map('extract', hostvars, ['ansible_host']) | list)[loop.index0] }}/32 md5
+{% endfor %}
+
# ------------------------------------------------------
# REPLICATION
# ------------------------------------------------------
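Review bot: The new TRAFFIC VAULT block admits `tvdb_username` over plain `host` (non-TLS) as well as `hostssl` from every Traffic Ops host, and the traffic_ops role's default client config uses `sslmode: disable`, so by default the query traffic carrying the vault's stored secrets crosses the network in cleartext; the pattern copies the existing TRAFFIC OPS rules, but for the vault database consider keeping only the `hostssl` lines (or adding a `hostnossl … reject` rule ahead of them) and defaulting the client to `sslmode: require`. The two rules granting `tvdb_username` access to the `{{ postgresql_user }}` database also mirror the todb user; if the vault user never needs that database, dropping them narrows the grant. The `#----` header opening the block is shorter than and formatted differently from the other section headers in the file (`# ---…---`), a cosmetic inconsistency.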