Posted to commits@trafficcontrol.apache.org by jh...@apache.org on 2021/06/09 14:55:10 UTC

[trafficcontrol] branch master updated: Update Ansible automation to initialize Traffic Vault Postgres backend (#5909)

This is an automated email from the ASF dual-hosted git repository.

jhg03a pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficcontrol.git


The following commit(s) were added to refs/heads/master by this push:
     new 10e7b79  Update Ansible automation to initialize Traffic Vault Postgres backend (#5909)
10e7b79 is described below

commit 10e7b79eae25fc6a010453702c04281d58498be5
Author: Rawlin Peters <ra...@apache.org>
AuthorDate: Wed Jun 9 08:55:02 2021 -0600

    Update Ansible automation to initialize Traffic Vault Postgres backend (#5909)
    
    * Update Ansible automation to initialize Traffic Vault Postgres backend
    
    * Address review feedback
    
    * Remove SUPERUSER and CREATEDB flags from traffic_vault DB user
    
    * Remove quotes from port field
    
    * Add task to render Traffic Vault Postgres backend AES key file
    
    * Load Traffic Vault DB schema
---
 .../ansible/roles/traffic_ops/defaults/main.yml    | 23 +++++++++++++-
 .../roles/traffic_ops/tasks/traffic_ops.yml        | 37 +++++++++++++++++++++-
 .../templates/aes.key.j2}                          |  5 +--
 .../roles/traffic_ops/templates/cdn.conf.j2        |  9 ++++++
 .../roles/traffic_ops/templates/dbconf.yml.j2      |  1 -
 .../traffic_ops/templates/postinstall.input.j2     | 28 +++++++++++-----
 .../{dbconf.yml.j2 => trafficvault_dbconf.yml.j2}  | 11 +++----
 .../ansible/roles/traffic_opsdb/defaults/main.yml  |  7 ++++
 .../tasks/initialize_traffic_opsdb.yml             | 18 +++++++++++
 .../roles/traffic_opsdb/templates/.pgpass.j2       |  1 +
 .../roles/traffic_opsdb/templates/pg_hba.conf.j2   | 14 ++++++++
 11 files changed, 133 insertions(+), 21 deletions(-)

diff --git a/infrastructure/ansible/roles/traffic_ops/defaults/main.yml b/infrastructure/ansible/roles/traffic_ops/defaults/main.yml
index 7c5d652..db366c2 100644
--- a/infrastructure/ansible/roles/traffic_ops/defaults/main.yml
+++ b/infrastructure/ansible/roles/traffic_ops/defaults/main.yml
@@ -112,7 +112,7 @@ to_go_supported_ds_metrics:
 
 to_plugin_config: {}
 
-to_traffic_vault_backend: "riak"
+to_traffic_vault_backend: "postgres"
 
 to_smtp_enabled: false
 to_smtp_username: ""
@@ -138,6 +138,27 @@ todb_dbconf:
     sslmode: disable
     open_manual: ""
 
+# --- Traffic Vault Postgres backend traffic_vault_config (in cdn.conf) & dbconf.yml
+to_tvdb_db_name: traffic_vault
+to_tvdb_type: Pg
+to_tvdb_port: 5432
+to_tvdb_host: localhost
+to_tvdb_username:
+to_tvdb_password:
+to_tvdb_ssl_enable: false
+to_tvdb_aes_key_loc: "{{ to_conf_installdir }}/aes.key"
+to_tvdb_aes_key:
+to_tvdb_dbconf:
+  production:
+    driver: postgres
+    host: localhost
+    port: 5432
+    user: "{{ to_tvdb_username }}"
+    password: "{{ to_tvdb_password }}"
+    dbname: "{{ to_tvdb_db_name }}"
+    sslmode: disable
+    open_manual: ""
+
 
 # --- postinstall - input.json
 to_pi_script_with_args: "{{ to_pi_script }} -a -cfile {{ to_pi_input_json }}"
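Review bot: The new `to_tvdb_dbconf.production` mapping hard-codes `host: localhost` and `port: 5432` instead of referencing the `to_tvdb_host` and `to_tvdb_port` variables declared a few lines above it, so an operator who overrides the host for cdn.conf will still have the rendered `trafficvault/dbconf.yml` (and therefore `db/admin --trafficvault`) pointed at localhost. Use `host: "{{ to_tvdb_host }}"` and `port: "{{ to_tvdb_port }}"` so the two consumers cannot drift. `to_tvdb_username`, `to_tvdb_password` and `to_tvdb_aes_key` are bare keys, which YAML reads as null; since these are credentials with no safe default, a comment such as `# required: set in inventory/vault; the null default renders an empty secret` would make that explicit to whoever copies these defaults. `to_tvdb_ssl_enable: false` is declared here but no template in this commit references it while `sslmode: disable` is hard-coded in the same mapping, so either derive `sslmode` from it or drop it rather than leave a setting that appears to control TLS and does not.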
diff --git a/infrastructure/ansible/roles/traffic_ops/tasks/traffic_ops.yml b/infrastructure/ansible/roles/traffic_ops/tasks/traffic_ops.yml
index 0351ef7..bd6d64d 100644
--- a/infrastructure/ansible/roles/traffic_ops/tasks/traffic_ops.yml
+++ b/infrastructure/ansible/roles/traffic_ops/tasks/traffic_ops.yml
@@ -102,6 +102,24 @@
     dest: "{{ to_db_installdir }}/dbconf.yml"
   notify: Restart Traffic Ops
 
+- name: Render Traffic Vault database configuration file
+  template:
+    src: "trafficvault_dbconf.yml.j2"
+    owner: "{{ to_user }}"
+    group: "{{ to_group }}"
+    mode: 0600
+    dest: "{{ to_db_installdir }}/trafficvault/dbconf.yml"
+  notify: Restart Traffic Ops
+
+- name: Render Traffic Vault database AES key file
+  template:
+    src: "aes.key.j2"
+    owner: "{{ to_user }}"
+    group: "{{ to_group }}"
+    mode: 0600
+    dest: "{{ to_tvdb_aes_key_loc }}"
+  notify: Restart Traffic Ops
+
 - name: Render Traffic Ops configuration files
   template:
     src: "{{item}}.j2"
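Review bot: The two new template tasks here, and the `Load Traffic Vault DB schema` and `Upgrade Traffic Vault DB` tasks in the next hunk, run unconditionally even though `cdn.conf.j2` still has a Riak branch keyed on `to_traffic_vault_backend`; on a Riak deployment they would render Postgres configuration and attempt a schema load against a database that was never created. Guard each of them with `when: to_traffic_vault_backend == "postgres"`. The AES key and dbconf templates write secrets, and `template` prints the rendered content when the play is run with `--diff`, so adding `diff: false` (or `no_log: true`) to these two tasks keeps `to_tvdb_aes_key` and `to_tvdb_password` out of the run output. The destination `{{ to_db_installdir }}/trafficvault/dbconf.yml` also assumes that directory already exists, which `template` does not create; unless an earlier task outside this hunk does so, a `file` task with `state: directory` and the same owner/group and a restrictive mode is needed before it.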
@@ -124,7 +142,24 @@
     chdir: "{{ to_app_installdir }}"
   environment:
     PATH: "{{ lookup('env', 'PATH') }}:{{ to_base_installdir }}/go/bin"
-    PERL5LIB: ./lib:./local/lib/perl5
+    GOPATH: /opt/traffic_ops/go
+  run_once: true
+
+- name: Load Traffic Vault DB schema
+  command: ./db/admin --trafficvault -env=production load_schema
+  args:
+    chdir: "{{ to_app_installdir }}"
+  environment:
+    PATH: "{{ lookup('env', 'PATH') }}:{{ to_base_installdir }}/go/bin"
+    GOPATH: /opt/traffic_ops/go
+  run_once: true
+
+- name: Upgrade Traffic Vault DB
+  command: ./db/admin --trafficvault -env=production upgrade
+  args:
+    chdir: "{{ to_app_installdir }}"
+  environment:
+    PATH: "{{ lookup('env', 'PATH') }}:{{ to_base_installdir }}/go/bin"
     GOPATH: /opt/traffic_ops/go
   run_once: true
 
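Review bot: `Load Traffic Vault DB schema` re-runs `./db/admin --trafficvault -env=production load_schema` on every play, and neither it nor `Upgrade Traffic Vault DB` carries a `changed_when` or a `creates`/`register`-based guard, so both always report changed and the schema load is repeated against an already-populated database; whether that is harmless depends on what `db/admin load_schema` does with existing tables, which this hunk does not show, and this database is where Traffic Vault stores its secrets. Either run the load only when a preceding check finds the schema absent, or rely on `upgrade` alone after the first run, and set `changed_when` from the command output so the play stays idempotent. The task whose `environment` block loses `PERL5LIB` and gains `GOPATH` at the top of the hunk starts above it, so that substitution should be checked against its `command` line, which is not visible here.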
diff --git a/infrastructure/ansible/roles/traffic_opsdb/templates/.pgpass.j2 b/infrastructure/ansible/roles/traffic_ops/templates/aes.key.j2
similarity index 69%
copy from infrastructure/ansible/roles/traffic_opsdb/templates/.pgpass.j2
copy to infrastructure/ansible/roles/traffic_ops/templates/aes.key.j2
index afafab6..64b6bf5 100644
--- a/infrastructure/ansible/roles/traffic_opsdb/templates/.pgpass.j2
+++ b/infrastructure/ansible/roles/traffic_ops/templates/aes.key.j2
@@ -11,7 +11,4 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #}
-{% for hostname in groups['traffic_opsdb'] %}
-{{ hostname }}:{{ postgresql_port }}:{{ postgresql_admin_user }}:{{ postgresql_admin_user_password }}
-{{ hostname }}:{{ postgresql_port }}:{{ todb_username }}:{{ todb_password }}
-{% endfor %}
+{{ to_tvdb_aes_key }}
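Review bot: The rendered file is just `{{ to_tvdb_aes_key }}` followed by a newline, and `to_tvdb_aes_key` defaults to null in the traffic_ops role defaults, so an inventory that forgets to set it silently produces an empty (or `None`) key file at `to_tvdb_aes_key_loc` and the problem only surfaces when Traffic Ops first tries to use the key. A fail-fast `assert` in the role before the render task (`that: to_tvdb_aes_key is defined and to_tvdb_aes_key | length > 0`, with a `fail_msg` naming the variable) turns that into a readable error at deploy time. It is also worth confirming whether the Postgres backend tolerates the trailing newline the template emits; if it reads the file verbatim, `{{ to_tvdb_aes_key -}}` strips it.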
diff --git a/infrastructure/ansible/roles/traffic_ops/templates/cdn.conf.j2 b/infrastructure/ansible/roles/traffic_ops/templates/cdn.conf.j2
index 9e06085..411800c 100644
--- a/infrastructure/ansible/roles/traffic_ops/templates/cdn.conf.j2
+++ b/infrastructure/ansible/roles/traffic_ops/templates/cdn.conf.j2
@@ -80,9 +80,18 @@
       "plugin_config" : {{ to_plugin_config | to_nice_json(indent=2) }},
       "traffic_vault_backend": "{{ to_traffic_vault_backend }}",
       "traffic_vault_config": {
+{% if to_traffic_vault_backend == "postgres" %}
+         "dbname": "{{ to_tvdb_db_name }}",
+         "hostname": "{{ to_tvdb_host }}",
+         "port": {{ to_tvdb_port }},
+         "user": "{{ to_tvdb_username }}",
+         "password": "{{ to_tvdb_password }}",
+         "aes_key_location": "{{ to_tvdb_aes_key_loc }}"
+{% else %}
          "user": "{{ to_riak_username }}",
          "password": "{{ to_riak_username_password }}",
          "MaxTLSVersion": "{{ to_riak_tls_max_version }}"
+{% endif %}
       }
    }
 }
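Review bot: The Postgres branch of `traffic_vault_config` does not emit any TLS setting, yet the same commit declares `to_tvdb_ssl_enable` in the role defaults, so the variable currently has no effect and the backend connection uses whatever Traffic Ops does when the option is absent. If the backend reads a TLS option from this block, wire `to_tvdb_ssl_enable` to it under whichever key the backend expects (not visible in this hunk); otherwise remove the variable so it does not suggest TLS is configurable from inventory. `password` is also rendered into cdn.conf in the clear, so the mode set by the `Render Traffic Ops configuration files` task (outside this hunk) should be as restrictive as the 0600 applied to the new dbconf and aes.key files.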
diff --git a/infrastructure/ansible/roles/traffic_ops/templates/dbconf.yml.j2 b/infrastructure/ansible/roles/traffic_ops/templates/dbconf.yml.j2
index 6d76c2e..67fe87b 100644
--- a/infrastructure/ansible/roles/traffic_ops/templates/dbconf.yml.j2
+++ b/infrastructure/ansible/roles/traffic_ops/templates/dbconf.yml.j2
@@ -1,4 +1,3 @@
-#!/usr/bin/env perl
 {#
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/infrastructure/ansible/roles/traffic_ops/templates/postinstall.input.j2 b/infrastructure/ansible/roles/traffic_ops/templates/postinstall.input.j2
index 10d1c1e..5889052 100644
--- a/infrastructure/ansible/roles/traffic_ops/templates/postinstall.input.j2
+++ b/infrastructure/ansible/roles/traffic_ops/templates/postinstall.input.j2
@@ -92,19 +92,31 @@
       "hidden": "1"
     }
   ],
-  "/opt/traffic_ops/app/db/dbconf.yml": [
+  "/opt/traffic_ops/app/conf/production/tv.conf": [
     {
-      "Database server root (admin) username": "{{ postgresql_admin_user }}",
-      "config_var": "pgUser"
+      "Traffic Vault Database type": "{{ to_tvdb_type }}",
+      "config_var": "type"
     },
     {
-      "Database server admin password": "{{ postgresql_admin_user_password }}",
-      "config_var": "pgPassword",
-      "hidden": "1"
+      "Traffic Vault Database name": "{{ to_tvdb_db_name }}",
+      "config_var": "dbname"
+    },
+    {
+      "Traffic Vault Database server hostname IP or FQDN": "{{ to_tvdb_host }}",
+      "config_var": "hostname"
+    },
+    {
+      "Traffic Vault Database port number": "{{ to_tvdb_port }}",
+      "config_var": "port"
     },
     {
-      "Download Maxmind Database?": "{{ to_pi_maxmind_download }}",
-      "config_var": "maxmind"
+      "Traffic Vault database user": "{{ to_tvdb_username }}",
+      "config_var": "user"
+    },
+    {
+      "Traffic Vault database password": "{{ to_tvdb_password }}",
+      "config_var": "password",
+      "hidden": "1"
     }
   ],
   "/opt/traffic_ops/install/data/json/openssl_configuration.json": [
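Review bot: Replacing the `/opt/traffic_ops/app/db/dbconf.yml` section with the `tv.conf` one also drops the `Download Maxmind Database?` / `maxmind` answer, but `to_pi_maxmind_download` remains a role variable and the commit message does not mention removing the Maxmind step; if postinstall in `-a` mode still asks that question, the run will either block on an interactive prompt or fail on the missing answer. Confirm the `maxmind` entry was meant to go, and if not, restore it under whichever section postinstall now expects. Separately, `"port"` is rendered as a quoted string here while `cdn.conf.j2` emits it bare; that is fine if the tv.conf consumer coerces it, but a comment stating which form postinstall expects (`{# postinstall expects string values; cdn.conf.j2 emits the bare number #}`) would keep the two from drifting.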
diff --git a/infrastructure/ansible/roles/traffic_ops/templates/dbconf.yml.j2 b/infrastructure/ansible/roles/traffic_ops/templates/trafficvault_dbconf.yml.j2
similarity index 57%
copy from infrastructure/ansible/roles/traffic_ops/templates/dbconf.yml.j2
copy to infrastructure/ansible/roles/traffic_ops/templates/trafficvault_dbconf.yml.j2
index 6d76c2e..3746740 100644
--- a/infrastructure/ansible/roles/traffic_ops/templates/dbconf.yml.j2
+++ b/infrastructure/ansible/roles/traffic_ops/templates/trafficvault_dbconf.yml.j2
@@ -1,4 +1,3 @@
-#!/usr/bin/env perl
 {#
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -15,13 +14,13 @@
 version: "1.0"
 name: dbconf.yml
 
-{% for db_env in todb_dbconf %}
+{% for db_env in to_tvdb_dbconf %}
 {{ db_env }}:
-    driver: {{ todb_dbconf[db_env]['driver'] }}
-{% if todb_dbconf[db_env]['open_manual'] | length %}
-    open: {{ todb_dbconf[db_env]['open_manual'] }}
+    driver: {{ to_tvdb_dbconf[db_env]['driver'] }}
+{% if to_tvdb_dbconf[db_env]['open_manual'] | length %}
+    open: {{ to_tvdb_dbconf[db_env]['open_manual'] }}
 {% else %}
-    open: host={{ todb_dbconf[db_env]['host'] }} port={{ todb_dbconf[db_env]['port'] }} user={{ todb_dbconf[db_env]['user'] }} password={{ todb_dbconf[db_env]['password'] }} dbname={{ todb_dbconf[db_env]['dbname'] }} sslmode={{ todb_dbconf[db_env]['sslmode'] }}
+    open: host={{ to_tvdb_dbconf[db_env]['host'] }} port={{ to_tvdb_dbconf[db_env]['port'] }} user={{ to_tvdb_dbconf[db_env]['user'] }} password={{ to_tvdb_dbconf[db_env]['password'] }} dbname={{ to_tvdb_dbconf[db_env]['dbname'] }} sslmode={{ to_tvdb_dbconf[db_env]['sslmode'] }}
 {% endif %}
 
 {% endfor %}
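Review bot: The `open:` line interpolates `password` (and the other fields) unquoted into a libpq-style `key=value` DSN, so a Traffic Vault password containing a space, a single quote or a backslash is split or mis-parsed; this is inherited from `dbconf.yml.j2`, but is more likely to matter here because the vault credentials are new and may be generated randomly. Either document the restriction next to `to_tvdb_password` (`# must not contain whitespace, quotes or backslashes`) or wrap the value in single quotes with embedded `'` and `\` backslash-escaped, which is the DSN's own quoting rule. The `name: dbconf.yml` line kept from the copied template still says `dbconf.yml` although this file is rendered as `trafficvault/dbconf.yml`; harmless if nothing reads that field, but worth a comment if it is intentional.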
diff --git a/infrastructure/ansible/roles/traffic_opsdb/defaults/main.yml b/infrastructure/ansible/roles/traffic_opsdb/defaults/main.yml
index b15b14a..57c4955 100644
--- a/infrastructure/ansible/roles/traffic_opsdb/defaults/main.yml
+++ b/infrastructure/ansible/roles/traffic_opsdb/defaults/main.yml
@@ -45,3 +45,10 @@ todb_password:
 
 # TODB database name
 todb_db_name: traffic_ops
+
+# Traffic Vault Postgres database credentials
+tvdb_username:
+tvdb_password:
+
+# Traffic Vault Postgres database name
+tvdb_db_name: traffic_vault
diff --git a/infrastructure/ansible/roles/traffic_opsdb/tasks/initialize_traffic_opsdb.yml b/infrastructure/ansible/roles/traffic_opsdb/tasks/initialize_traffic_opsdb.yml
index 6b59769..a9003fe 100644
--- a/infrastructure/ansible/roles/traffic_opsdb/tasks/initialize_traffic_opsdb.yml
+++ b/infrastructure/ansible/roles/traffic_opsdb/tasks/initialize_traffic_opsdb.yml
@@ -34,9 +34,27 @@
     ssl_rootcert: "{{ postgresql_certs_ca }}"
   no_log: true
 
+- name: Create Traffic Vault Database User
+  postgresql_user:
+    encrypted: yes
+    name: "{{ tvdb_username }}"
+    password: "{{ tvdb_password }}"
+    port: "{{ postgresql_port }}"
+    login_host: 127.0.0.1
+    role_attr_flags: LOGIN
+    ssl_rootcert: "{{ postgresql_certs_ca }}"
+  no_log: true
+
 - name: Create Traffic Ops Database
   postgresql_db:
     login_host: 127.0.0.1
     name: "{{ todb_db_name }}"
     owner: "{{ todb_username }}"
     port: "{{ postgresql_port }}"
+
+- name: Create Traffic Vault Database
+  postgresql_db:
+    login_host: 127.0.0.1
+    name: "{{ tvdb_db_name }}"
+    owner: "{{ tvdb_username }}"
+    port: "{{ postgresql_port }}"
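Review bot: `Create Traffic Vault Database User` passes `tvdb_password`, whose default is null, so a missing inventory value results in `postgresql_user` creating a LOGIN role with no password, and `no_log: true` hides that outcome; under the md5 rules in pg_hba.conf the role can then never authenticate, which fails closed but gives no useful error. Add an `assert` before this task (`that: tvdb_username | length > 0 and tvdb_password | length > 0`) so the play stops early with a readable message. `encrypted: yes` should be `encrypted: true` to follow the `true`/`false` convention and avoid the YAML 1.1 truthy ambiguity. `Create Traffic Vault Database` mirrors the existing Traffic Ops task, including the absence of `ssl_rootcert`; if the user task needs that setting to reach the server, the database task presumably does too.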
diff --git a/infrastructure/ansible/roles/traffic_opsdb/templates/.pgpass.j2 b/infrastructure/ansible/roles/traffic_opsdb/templates/.pgpass.j2
index afafab6..f5f1b4e 100644
--- a/infrastructure/ansible/roles/traffic_opsdb/templates/.pgpass.j2
+++ b/infrastructure/ansible/roles/traffic_opsdb/templates/.pgpass.j2
@@ -14,4 +14,5 @@
 {% for hostname in groups['traffic_opsdb'] %}
 {{ hostname }}:{{ postgresql_port }}:{{ postgresql_admin_user }}:{{ postgresql_admin_user_password }}
 {{ hostname }}:{{ postgresql_port }}:{{ todb_username }}:{{ todb_password }}
+{{ hostname }}:{{ postgresql_port }}:{{ tvdb_username }}:{{ tvdb_password }}
 {% endfor %}
diff --git a/infrastructure/ansible/roles/traffic_opsdb/templates/pg_hba.conf.j2 b/infrastructure/ansible/roles/traffic_opsdb/templates/pg_hba.conf.j2
index 3dac6d2..5345f85 100644
--- a/infrastructure/ansible/roles/traffic_opsdb/templates/pg_hba.conf.j2
+++ b/infrastructure/ansible/roles/traffic_opsdb/templates/pg_hba.conf.j2
@@ -108,16 +108,19 @@
 # ------------------------------------------------------
    # --  Primary
    hostssl  {{ todb_db_name }} {{ postgresql_user }} {{ (groups['traffic_opsdb-primary'] | map('extract', hostvars, ['ansible_host']) | first) }}/32  md5
+   hostssl  {{ tvdb_db_name }} {{ postgresql_user }} {{ (groups['traffic_opsdb-primary'] | map('extract', hostvars, ['ansible_host']) | first) }}/32  md5
 
 {% if groups['traffic_opsdb-standby'] is defined %}
    # --  Secondary
    hostssl  {{ todb_db_name }} {{ postgresql_user }} {{ (groups['traffic_opsdb-standby'] | map('extract', hostvars, ['ansible_host']) | first) }}/32  md5
+   hostssl  {{ tvdb_db_name }} {{ postgresql_user }} {{ (groups['traffic_opsdb-standby'] | map('extract', hostvars, ['ansible_host']) | first) }}/32  md5
 
 {% endif %}
 {% if groups['traffic_opsdb-replicas'] is defined %}
    # --  Replicas
    {% for host_obj in (groups['traffic_opsdb-replicas']) %}
    hostssl  {{ todb_db_name }} {{ postgresql_user }} {{ (groups['traffic_opsdb-replicas'] | map('extract', hostvars, ['ansible_host']) | list)[loop.index0] }}/32  md5
+   hostssl  {{ tvdb_db_name }} {{ postgresql_user }} {{ (groups['traffic_opsdb-replicas'] | map('extract', hostvars, ['ansible_host']) | list)[loop.index0] }}/32  md5
    {% endfor %}
 
 {% endif %}
@@ -132,6 +135,17 @@
    host  {{ postgresql_user }} {{ todb_username }} {{ (groups['traffic_ops'] | map('extract', hostvars, ['ansible_host']) | list)[loop.index0] }}/32  md5
 {% endfor %}
 
+#-------------------------------------
+#  TRAFFIC VAULT
+# ------------------------------------------------------
+{% for host_obj in (groups['traffic_ops']) %}
+   hostssl  {{ tvdb_db_name }} {{ tvdb_username }} {{ (groups['traffic_ops'] | map('extract', hostvars, ['ansible_host']) | list)[loop.index0] }}/32  md5
+   host  {{ tvdb_db_name }} {{ tvdb_username }} {{ (groups['traffic_ops'] | map('extract', hostvars, ['ansible_host']) | list)[loop.index0] }}/32  md5
+
+   hostssl  {{ postgresql_user }} {{ tvdb_username }} {{ (groups['traffic_ops'] | map('extract', hostvars, ['ansible_host']) | list)[loop.index0] }}/32  md5
+   host  {{ postgresql_user }} {{ tvdb_username }} {{ (groups['traffic_ops'] | map('extract', hostvars, ['ansible_host']) | list)[loop.index0] }}/32  md5
+{% endfor %}
+
 # ------------------------------------------------------
 #  REPLICATION
 # ------------------------------------------------------
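Review bot: The TRAFFIC VAULT section adds a plain `host` rule beside each `hostssl` rule, so Traffic Ops hosts may reach the `tvdb_db_name` database without TLS, and the traffic_ops role defaults in this same commit render `sslmode: disable` for that connection; because this database holds the secrets Traffic Vault exists to protect, the combination sends that material in the clear whenever the database is not co-located with Traffic Ops. Unless there is a deliberate non-TLS use case, drop the two `host` lines and keep only `hostssl`, and make the default `sslmode` a verifying mode so a misconfiguration fails closed instead of downgrading. The same `host`+`hostssl` pair already exists for `todb_username` above, so if it is kept for consistency, a comment stating why non-TLS access is permitted would help the next reader. The short `#-------------------------------------` rule also does not match the `# ---` header style used by the other sections.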