Merge pull request #13 from TantorLabs/feature/new-certificate

Feature/new certificate

Author: HimuraKrd

README.md

@@ -3,8 +3,8 @@
 ## Project Structure
 
 ```
-|-- pg-cluster.yaml			# Main playbook
-|-- pki-dir				# Certificates generated using ssl-gen.sh
+|-- pg-cluster.yaml			            # Main playbook
+|-- pki-dir				                # Folder that store generated certs
 |   |-- .gitkeep
 |-- README.md
 |-- inventory
@@ -17,17 +17,25 @@
 |   |   |-- prepare_nodes.yml
 |   |-- my_inventory
 |-- roles
-|   |-- etcd					# Role that installs etcd-tantor-all package
+|   |-- certificates					# Role that generate TLS certs for etcd and patroni
+|   |   |-- tasks
+|   |   |   `-- main.yml
+|   |   |-- vars
+|   |   |   `-- main.yml
+|   |-- etcd					        # Role that installs etcd-tantor-all package
 |   |   |-- handlers
 |   |   |   `-- main.yml
 |   |   |-- tasks
 |   |   |   |-- main.yml
 |   |   |   |-- pki.yml
+|   |   |   |-- cluster_add.yml
+|   |   |   |-- cluster_del.yml
+|   |   |   |-- cluster_state.yml
 |   |   |   `-- systemd.yml
 |   |   |-- templates
 |   |   |   |-- etcd.conf.j2
 |   |   |   `-- etcd-tantor.service.j2
-|   |-- haproxy					# Role that installs haproxy-tantor-all package
+|   |-- haproxy					        # Role that installs haproxy-tantor-all package
 |   |   |-- handlers
 |   |   |   `-- main.yml
 |   |   |-- tasks
@@ -38,21 +46,25 @@
 |   |   |-- check_scripts
 |   |   |   `-- chk_patroni_leader.sh
 |   |   |-- handlers
-|   |   |   `-- main.yml 					# 
+|   |   |   `-- main.yml 
+|   |   |-- meta
+|   |   |   `-- argument_specs.yml
 |   |   |-- tasks
 |   |   |   `-- main.yml
 |   |   `-- templates
 |   |       `-- keepalived.conf.j2
-|   |-- patroni					# Role that installs patroni-tantor-all package
+|   |-- patroni					        # Role that installs patroni-tantor-all package
 |   |   |-- handlers
 |   |   |   `-- main.yml
 |   |   |-- tasks
 |   |   |   `-- main.yml
 |   |   `-- templates
-|   |       |-- patroni.service.j2
+|   |       |-- patroni_custom_bootstrap_script.sh.j2
+|   |       |-- patroni-tantor.service.j2
 |   |       |-- patroni-watchdog.service.j2
-|   |       `-- patroni.yml.j2
-|   |-- pgbouncer				# Role that installs pgbouncer-tantor-all package
+|   |       |-- patroni.yml.j2
+|   |       `-- walg.json.j2
+|   |-- pgbouncer				        # Role that installs pgbouncer-tantor-all package
 |   |   |-- handlers
 |   |   |   `-- main.yml 
 |   |   |-- sql
@@ -62,22 +74,25 @@
 |   |   `-- templates
 |   |       |-- pgbouncer.ini.j2
 |   |       `-- pgbouncer.service.j2
-|   |-- postgres_classic			# Role that installs postgresql package
+|   |-- postgres_classic			    # Role that installs postgresql package
 |   |   `-- tasks
 |   |       `-- main.yml
-|   |-- postgres_tantordb			# Role that installs tantor-server package
+|   |-- postgres_tantordb			    # Role that installs tantor-server package
 |   |   `-- tasks
 |   |       `-- main.yml
-|   `-- prepare_nodes			# Role for installing basic utils
+|   `-- prepare_nodes			        # Role for installing basic utils
 |       `-- handlers
 |           `-- main.yml
 |       `-- tasks
-|           `-- main.yml
+|           |-- main.yml
+|           |-- debian.yml
+|           `-- rhel.yml
 |-- tools
-|   |-- etcd
-|   |-- etcd.conf
-|   |-- pg_configurator.py
-|   `-- ssl-gen.sh
+|   `-- pg_cluster_backend			    # In progress
+|       |-- conf 
+|       |-- log 
+|       |-- psc 
+|       `-- pg_cluster_backend.py 
 ```
 
 ![Architecture](pg_cluster_architechture.png)
@@ -90,7 +105,7 @@ The following text will present examples of commands to be entered in the termin
 ## Requirements
 
 Playbook requires the following component's version to be installed:
-* Ansible >= 2.9.10
+* Ansible >= 2.9.10 (with collections community.general, community.postgresql, community.crypto)
 * Python3 (with pip module) >= 3.10.0
 * psycopg2 >= 2.5.1 (it's recommended to install via pip)
 * packaging >= 24 (it's recommended to install via pip)
@@ -226,7 +241,7 @@ By default, the playbook does not attempt to connect to Tantor repositories and
 * wal-g-tantor-all
 * tantor DBMS
 
-Pay attention to last point from the list above. Tantor package should match environment that is used during playbook launch. For example if you want to install ``tantor-be-server-15`` DBMS using command ``ansible-playbook -i inventory/my_inventory -u admin_user -e "postgresql_vendor=tantordb edition=be major_version=15" pg-cluster.yaml -K`` make sure that package ``tantor-be-server-15`` is available in your local repository.  
+Pay attention to last point from the list above. Tantor package should match environment that is used during playbook launch. For example if you want to install ``tantor-be-server-16`` DBMS using command ``ansible-playbook -i inventory/my_inventory -u admin_user -e "postgresql_vendor=tantordb edition=be major_version=16" pg-cluster.yaml -K`` make sure that package ``tantor-be-server-16`` is available in your local repository.  
 
 If the playbook is run in an environment with internet access, you can leverage the most up-to-date components included in the solution. To do this, add the flag ``add_nexus_repo=true`` and provide the connection details for the repositories in the file ``inventory/group_vars/prepare_nodes.yml``.
 
@@ -237,7 +252,7 @@ There are several options to run Ansible: with the option to install TantorDB or
 Use the following command to install TantorDB:
 
 ```bash
-ansible-playbook -i inventory/my_inventory -u admin_user -e "postgresql_vendor=tantordb edition=be major_version=15" pg-cluster.yaml -K
+ansible-playbook -i inventory/my_inventory -u admin_user -e "postgresql_vendor=tantordb edition=be major_version=16" pg-cluster.yaml -K
 ```
 
 Use the following command to install the PostgreSQL DBMS:
@@ -252,10 +267,14 @@ In the commands above, replace the value of the ``major_version`` parameter with
 
 It's possible to launch the playbook with external internet access.
 ```bash
-ansible-playbook -i inventory/my_inventory -u admin_user -e "postgresql_vendor=tantordb edition=be major_version=15 add_nexus_repo=true" pg-cluster.yaml -K
+ansible-playbook -i inventory/my_inventory -u admin_user -e "postgresql_vendor=tantordb edition=be major_version=16 add_nexus_repo=true" pg-cluster.yaml -K
 ```
 In that case, make sure that connection details are provided in the file ``inventory/group_vars/prepare_nodes.yml``.
 
+## Component maintenance
+
+The playbook supports both full and partial updates for most components. Each role includes a variable that defines the desired version of a component (e.g., the variable ``pg_configurator_package_version`` corresponds to the ``pg-configurator-tantor-all`` component). These variables are defined in the ``inventory/group_vars`` YAML files. On the first run, the latest versions of the components will be installed. If you need to install a specific version, simply set the appropriate variable and run the playbook again.
+
 ## HOW TO
 
 Below you can find some common commands for working with the software products included in the ``pg_cluster`` solution. Note that the commands and their result may differ depending on the software versions used.
@@ -266,10 +285,10 @@ Below you can find some common commands for working with the software products i
 # on NODE_1
 e_host=(
   /opt/tantor/usr/bin/etcdctl
-  --endpoints=https://<HOST_1_IP>:2379,https://<HOST_2_IP>:2379,https://<HOST_N_IP>:2379
-  --cacert=/opt/tantor/etc/patroni/ca.pem
-  --cert=/opt/tantor/etc/patroni/<NODE1_HOSTNAME>.pem  
-  --key=/opt/tantor/etc/patroni/<NODE1_HOSTNAME>-key.pem
+  --endpoints=https://$(hostname -I | awk '{print $1}'):2379
+  --cacert=/opt/tantor/var/lib/etcd/pg-cluster.pki/ca.pem
+  --cert=/opt/tantor/var/lib/etcd/pg-cluster.pki/$(hostname).pem  
+  --key=/opt/tantor/var/lib/etcd/pg-cluster.pki/$(hostname)-key.pem
 )
 
 # list etcd members

ansible.cfg

@@ -4,4 +4,5 @@ command_timeout = 60
 [defaults]
 timeout = 60
 log_path = ansible.log
-host_key_checking = False # отключение проверки fingerprint
+host_key_checking = False # отключение проверки fingerprint
+fail_on_error = true

inventory/group_vars/etcd.yml

@@ -8,7 +8,9 @@ etcd_data_dir: /opt/tantor/var/lib/etcd
 etcd_master_group_name: inv_etcd
 
 etcd_secure: True
-etcd_pki_dir: "{{ [ playbook_dir, 'pki-dir', hostvars[groups['inv_etcd'][0]]['ansible_hostname'] ] | path_join }}"
+etcd_bin_path: "/opt/tantor/usr/bin/etcdctl"
+etcd_conf_dir: "/opt/tantor/var/lib/etcd/pg-cluster.pki"
+etcd_pki_dir: "{{playbook_dir}}/pki-dir/{{ ansible_inventory_sources[0] | basename | regex_replace('\\.(ini|yml|yaml)$', '') }}"
 etcd_pki_key_suffix: -key.pem
 etcd_pki_cert_suffix: .pem
 

inventory/group_vars/keepalived.yml

@@ -2,5 +2,5 @@
 keepalived_package_version: ""
 
 # Cluster variables
-cluster_vip_1: "xxx.xxx.xxx.xxx"
+cluster_vip_1: ""
 vip_interface: "{{ ansible_default_ipv4.interface }}"  # interface name (ex. "ens32")

inventory/group_vars/patroni.yml

@@ -4,7 +4,7 @@ pg_configurator_package_version: ""
 patroni_pg_exists: false #**
 patroni_pg_port: 5432
 
-patroni_config_dir: /opt/tantor/etc/patroni
+patroni_config_dir: "/opt/tantor/etc/patroni"
 patroni_system_user: postgres
 patroni_system_group: postgres
 
@@ -63,9 +63,9 @@ patroni_etcd3_srv: ""
 patroni_etcd3_protocol: https
 patroni_etcd3_username: ""
 patroni_etcd3_password: ""
-patroni_etcd3_cacert: "/opt/tantor/etc/patroni/ca.pem"
-patroni_etcd3_cert: "/opt/tantor/etc/patroni/{{ inventory_hostname }}.pem"
-patroni_etcd3_key: "/opt/tantor/etc/patroni/{{ inventory_hostname }}-key.pem"
+patroni_etcd3_cacert: "{{ patroni_config_dir }}/ca.pem"
+patroni_etcd3_cert: "{{ patroni_config_dir }}/{{ inventory_hostname }}.pem"
+patroni_etcd3_key: "{{ patroni_config_dir }}/{{ inventory_hostname }}-key.pem"
 
 # https://patroni.readthedocs.io/en/latest/SETTINGS.html#bootstrap-configuration
 # dcs (Dynamic Configuration settings): This section will be written into /<namespace>/<scope>/config of the

inventory/group_vars/postgres_classic.yml

@@ -3,4 +3,4 @@
 config_system_locale: 'ru_RU.UTF-8'
 config_system_language: 'en_US.UTF-8'
 postgresql_debian_gpg_key: "https://www.postgresql.org/media/keys/ACCC4CF8.asc"
-major_version: 15
+major_version: 16

inventory/group_vars/tantordb.yml

@@ -1,4 +1,4 @@
 ---
 
-major_version: 15
+major_version: 16
 edition: "be"

pg-cluster.yaml

@@ -10,14 +10,16 @@
     - 'inventory/group_vars/prepare_nodes.yml'
   roles:
     - prepare_nodes
+  any_errors_fatal: true
 
-- name: Generage SSL certs for etcd
+- name: Generage certs
   hosts: localhost
   connection: local
   become: true
-  tags: etcd
+  tags: certificates
   roles:
-    - role: etcd-ssl
+    - role: certificates
+  any_errors_fatal: true
 
 - name: Install etcd
   hosts: inv_etcd
@@ -27,6 +29,7 @@
     - 'inventory/group_vars/etcd.yml'
   roles:
     - role: etcd
+  any_errors_fatal: true
 
 - name: Install PostgreSQL Tantordb
   hosts: inv_pg
@@ -37,6 +40,7 @@
     - 'inventory/group_vars/tantordb.yml'
   roles:
     - postgres_tantordb
+  any_errors_fatal: true
 
 - name: Install PostgreSQL Classic
   hosts: inv_pg
@@ -47,6 +51,7 @@
     - 'inventory/group_vars/postgres_classic.yml'
   roles:
     - postgres_classic
+  any_errors_fatal: true
 
 - name: Install Patroni
   hosts: inv_pg
@@ -59,6 +64,7 @@
     - 'inventory/group_vars/postgres_classic.yml'
   roles:
     - patroni
+  any_errors_fatal: true
 
 - name: Install PGBouncer
   hosts: inv_pg
@@ -70,6 +76,7 @@
     - 'inventory/group_vars/patroni.yml'
   roles:
     - pgbouncer
+  any_errors_fatal: true
 
 - name: Install Haproxy
   hosts: inv_pg
@@ -82,13 +89,16 @@
     - 'inventory/group_vars/pgbouncer.yml'
   roles:
     - haproxy
+  any_errors_fatal: true
 
 - name: Install Keepalived
   hosts: inv_keepalived
   become: true
   tags: keepalived
   vars_files:
     - 'inventory/group_vars/etcd.yml'
+    - 'inventory/group_vars/patroni.yml'
     - 'inventory/group_vars/keepalived.yml'
   roles:
     - keepalived
+  any_errors_fatal: true