Update RDBMS PostgreSQL server role (#194)

* Rename default.yml to main.yml and add missing TLS parameters
* Update tempdir for postgres user access
* Add failed_when conditional for missing postgresql module stream for RHEL 8 or greater
* Update PostgreSQL repository and key tasks
* Update PostgreSQL global config options to use ternary filters
* Add argument spec for cloudera.exe.rdbms_server
* Add license headers
* Add deprecation warning for cloudera.exe.rdbms.server and redirect to cloudera.exe.rdbms_server
* Copy cloudera.exe.rdbms.server to cloudera.exe.rdbms_server

Signed-off-by: Webster Mudge <[email protected]>

Author: wmudge

meta/runtime.yml

@@ -15,3 +15,11 @@
 # limitations under the License.
 
 requires_ansible: ">=2.10"
+
+plugin_routing:
+  role:
+    rdbms.server:
+      deprecation:
+        removal_version: 3.0.0
+        warning_text: Use cloudera.exe.rdbms_server instead of this nested role.
+      redirect: cloudera.exe.rdbms_server

roles/rdbms/server/defaults/defaults.yml renamed to roles/rdbms/server/defaults/main.yml

@@ -18,15 +18,12 @@ database_tls: false
 database_type: postgresql
 database_version: 14
 
-skip_rdbms_repo_setup: False
+skip_rdbms_repo_setup: false
 
 # MYSQL
 mysql_require_secure_transport: "OFF"  # If TLS-enabled, honor or not
 
-# From cloudera.cluster.infrastructure.ca_common
-base_dir_security: /opt/cloudera/security
-base_dir_security_pki: "{{ base_dir_security }}/pki"
-
+base_dir_security_pki: "/opt/cloudera/security/pki"
 tls_chain_path: "{{ base_dir_security_pki }}/chain.pem"
 tls_cert_path_generic: "{{ base_dir_security_pki }}/host.pem"
-tls_key_path_plaintext_generic: "{{ tls_key_path_generic }}.unenc"
+tls_key_path_plaintext_generic: "{{ base_dir_security_pki }}/host.key.unenc"

roles/rdbms/server/files/utf8-template.sql

@@ -1,4 +1,4 @@
--- Copyright 2021 Cloudera, Inc.
+-- Copyright 2024 Cloudera, Inc.
 --
 -- Licensed under the Apache License, Version 2.0 (the "License");
 -- you may not use this file except in compliance with the License.

roles/rdbms/server/meta/argument_specs.yml

@@ -0,0 +1,74 @@
+# Copyright 2024 Cloudera, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+
+argument_specs:
+  main:
+    short_description: Install standalone RDBMS instance
+    description:
+      - Install and configure a standalone RDBMS instance for use with Cloudera Manager.
+      - Database options include PostgreSQL, MySQL, and MariaDB.
+      - Supports TLS connections.
+    options:
+      database_tls:
+        description: Flag to enable TLS configuration.
+        type: bool
+        default: false
+      database_type:
+        description: Database product to install.
+        type: str
+        required: false
+        default: postgresql
+        choices:
+          - postgresql
+          - mysql
+          - mariadb
+      database_version:
+        description: Database product version to install.
+        type: str
+        required: false
+        default: 14
+      skip_rdbms_repo_setup:
+        description: Flag to enable RDBMS repository set up on target host.
+        type: bool
+        required: false
+        default: false
+      mysql_require_secure_transport:
+        description: Value for the C(require_secure_transport) parameter in the C([mysqld]) configuration. (MySQL only)
+        type: str
+        required: false
+        default: "OFF"
+      base_dir_security_pki:
+        description:
+          - Directory on target host housing typical PKI files.
+          - Used to establish a base directory for the other TLS options.
+        type: path
+        required: false
+        default: "/opt/cloudera/security/pki"
+      tls_chain_path:
+        description: File on the target host consisting of an ordered list of certificates, including TLS certificates and Certificate Authority (CA) certificates.
+        type: path
+        required: false
+        default: "O(base_dir_security_pki)/chain.pem"
+      tls_cert_path_generic:
+        description: File on the target host consisting of the TLS certificate for the server.
+        type: path
+        required: false
+        default: "O(base_dir_security_pki)/host.pem"
+      tls_key_path_plaintext_generic:
+        description: File on the target host consisting of the unencrypted TLS private key for the server.
+        type: path
+        required: false
+        default: "O(base_dir_security_pki)/host.key.unenc"

roles/rdbms/server/meta/main.yml

@@ -13,6 +13,7 @@
 # limitations under the License.
 
 ---
+
 galaxy_info:
   description: >
     Set up single database to support Cloudera Data Platform (CDP) Private Cloud

roles/rdbms/server/tasks/main.yml

@@ -13,6 +13,13 @@
 # limitations under the License.
 
 ---
+
+- name: DEPRECATION WARNING
+  ansible.builtin.debug:
+    msg:
+      - This role has been moved to M(cloudera.exe.rdbms_server).
+      - Please update your playbooks and roles accordingly.
+
 - name: Include database type variables
   ansible.builtin.include_vars:
     file: "{{ database_type }}/common.yml"

roles/rdbms/server/tasks/postgresql/Debian.yml

@@ -12,15 +12,20 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+- name: Install keyrings directory
+  ansible.builtin.file:
+    path: /etc/apt/keyrings
+    state: directory
+
 - name: Install PostgreSQL repository key
-  ansible.builtin.apt_key:
+  ansible.builtin.get_url:
     url: https://www.postgresql.org/media/keys/ACCC4CF8.asc
-    state: present
+    dest: /etc/apt/keyrings/postgresql.asc
   when: not skip_rdbms_repo_setup
 
 - name: Install PostgreSQL repository
   ansible.builtin.apt_repository:
-    repo: "deb https://apt.postgresql.org/pub/repos/apt {{ ansible_distribution_release }}-pgdg main"
+    repo: "deb [arch=amd64 signed-by=/etc/apt/keyrings/postgresql.asc] https://apt.postgresql.org/pub/repos/apt {{ ansible_distribution_release }}-pgdg main"
     state: present
   when: not skip_rdbms_repo_setup
 

roles/rdbms/server/tasks/postgresql/RedHat.yml

@@ -28,11 +28,13 @@
     gpgkey: https://download.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL
   when: not skip_rdbms_repo_setup
 
-- name: Disable default Postgres module in RHEL 8
+- name: Disable default Postgres module in RHEL 8 or greater
   ansible.builtin.command: dnf module disable -y postgresql
   register: __postgres_module_result
   changed_when:
     - '"Disabling modules" in __postgres_module_result.stdout'
+  failed_when:
+    - __postgres_module_result.rc != 0 and __postgres_module_result.rc != 1
   when:
     - ansible_os_family == 'RedHat'
     - ansible_distribution_major_version | int >= 8

roles/rdbms/server/tasks/postgresql/template_fix.yml

@@ -15,13 +15,19 @@
 - name: Create a temporary SQL directory
   ansible.builtin.tempfile:
     state: directory
-    suffix: sql
+    suffix: "-sql"
   register: __sql
 
+- name: Enable access for the postgres user
+  ansible.builtin.file:
+    path: "{{ __sql.path }}"
+    owner: postgres
+    group: postgres
+
 - name: Copy SQL to change template to UTF-8
   ansible.builtin.copy:
     src: files/utf8-template.sql
-    dest: "{{ __sql.path }}"
+    dest: "{{ __sql.path }}/utf8-template.sql"
     owner: postgres
     group: postgres
     mode: 0660
@@ -36,4 +42,3 @@
     path: "{{ __sql.path }}"
     state: absent
   become: yes
-  become_user: postgres

roles/rdbms/server/vars/mariadb/Debian.yml

@@ -1,4 +1,19 @@
+# Copyright 2024 Cloudera, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 ---
+
 mysql_packages:
   - mariadb-client
   - mariadb-server