diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index 1f287dd..efff3ed 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml @@ -21,9 +21,9 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@v6 with: python-version: '3.12' - name: Install dependencies diff --git a/roles/postgresql/defaults/main.yaml b/roles/postgresql/defaults/main.yaml index 69a15b9..90c62dc 100644 --- a/roles/postgresql/defaults/main.yaml +++ b/roles/postgresql/defaults/main.yaml @@ -17,7 +17,7 @@ pg_vol_size_g: 50 # The StorageClass of the postgres persistent volume. # A blank class implied the cluster default. # Unused if 'pg_vol_size_g' is '0' -pg_vol_storageclass: " " +pg_vol_storageclass: ' ' # The volume size (Gi) of a separate 'pgcopy' volume. # The volume is mounted into the database container @@ -29,11 +29,11 @@ pg_vol_storageclass: " " pg_copy_vol_size_g: 0 # The StorageClass of the persistent volume. # A blank class implied the cluster default. -pg_copy_vol_storageclass: " " +pg_copy_vol_storageclass: ' ' # Root-user variables pg_user: postgres -pg_user_password: "{{ lookup('password', '/dev/null length=8 chars=ascii_letters,digits') }}" +pg_user_password: "{{ lookup('password', '/dev/null length=14 chars=ascii_letters,digits') }}" pg_database: postgres # An auxiliary user. diff --git a/roles/postgresql/tasks/deploy.yaml b/roles/postgresql/tasks/deploy.yaml index 5e64101..b2b55e9 100644 --- a/roles/postgresql/tasks/deploy.yaml +++ b/roles/postgresql/tasks/deploy.yaml @@ -5,9 +5,9 @@ - name: Assert control variables (aux user) assert: that: - - pg_aux_user_password|string|length > 0 - - pg_aux_database|string|length > 0 - when: pg_aux_user|string|length > 0 + - pg_aux_user_password | string | length > 0 + - pg_aux_database | string | length > 0 + when: pg_aux_user | string | length > 0 # Create namespace 
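Review bot: The new 14-character default for `pg_user_password` is still produced by a `password` lookup against `/dev/null`, which yields a fresh random string every time the variable is templated, so two references to it in one play do not see the same value; the role appears to rely on deploy.yaml snapshotting it into `pg_user_password_fact` before the Secret is written, and that dependency deserves to be stated next to the default, e.g. `# Regenerated on every evaluation; deploy.yaml captures it once into pg_user_password_fact before the Secret is written`. 14 characters from `ascii_letters,digits` is roughly 83 bits of entropy, an adequate floor for a generated admin password, and the restricted charset presumably keeps the value safe to embed in the init scripts and connection strings, which is worth saying in the same comment so nobody "hardens" it by adding punctuation. The length bump is only a default; pre-existing Secrets keep their 8-character passwords, since the role reads them back rather than rotating them.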
@@ -23,16 +23,14 @@ vars: pull_namespace: "{{ pg_namespace }}" pull_secret: "{{ pg_dockerhub_pullsecret }}" - when: pg_dockerhub_pullsecret|string|length > 0 + when: pg_dockerhub_pullsecret | string | length > 0 - name: Creating namespace material k8s: - definition: "{{ lookup('template', '{{ item }}.yaml.j2') }}" + definition: "{{ lookup('template', item) }}" wait: yes loop: - - serviceaccount - - role-im-psp-unrestricted - - rolebinding-pg-sa + - serviceaccount.yaml.j2 # Secrets (database) ---------------------------------------------------------- 
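Review bot: Dropping `role-im-psp-unrestricted` and `rolebinding-pg-sa` from the `Creating namespace material` loop stops rendering them, but the `k8s` module only applies what it is given, so on a cluster deployed with the previous version the `im-psp-unrestricted` Role and the `pg-sa` RoleBinding (which granted the `postgres` ServiceAccount `use` on the `im-core-unrestricted` PodSecurityPolicy, per the deleted templates) stay behind in `pg_namespace`. That is dead RBAC once PodSecurityPolicy is gone from the cluster, but it is a standing grant nobody will notice, and it should be removed explicitly with a `state: absent` task for at least one release, as below. If the target clusters have moved from PSP to Pod Security Admission, the namespace will also need whatever `pod-security.kubernetes.io/enforce` label the cluster expects, and nothing in this diff sets one; worth confirming against the cluster policy. The switch to `lookup('template', item)` with full filenames is fine and removes the nested-template quirk.

```yaml
  loop:
    - serviceaccount.yaml.j2

- name: Remove PSP Role/RoleBinding left over from earlier deployments
  k8s:
    state: absent
    api_version: rbac.authorization.k8s.io/v1
    kind: "{{ item.kind }}"
    name: "{{ item.name }}"
    namespace: "{{ pg_namespace }}"
  loop:
    - { kind: Role, name: im-psp-unrestricted }
    - { kind: RoleBinding, name: pg-sa }
```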
@@ -52,23 +50,23 @@ pg_aux_user_fact: "{{ pg_aux_user }}" pg_aux_user_password_fact: "{{ pg_aux_user_password }}" pg_aux_database_fact: "{{ pg_aux_database }}" - when: pg_s_result.resources|length == 0 + when: pg_s_result.resources | length == 0 - name: Set database secret facts (pre-deployed secrets) set_fact: - pg_user_fact: "{{ pg_s_result.resources[0].data.database_admin_user|b64decode }}" - pg_user_password_fact: "{{ pg_s_result.resources[0].data.database_admin_user_password|b64decode }}" - pg_database_fact: "{{ pg_s_result.resources[0].data.database_name|b64decode }}" - pg_aux_user_fact: "{{ pg_s_result.resources[0].data.database_aux_user|b64decode }}" - pg_aux_user_password_fact: "{{ pg_s_result.resources[0].data.database_aux_user_password|b64decode }}" - pg_aux_database_fact: "{{ pg_s_result.resources[0].data.database_aux_database|b64decode }}" - when: pg_s_result.resources|length == 1 + pg_user_fact: "{{ pg_s_result.resources[0].data.database_admin_user | b64decode }}" + pg_user_password_fact: "{{ pg_s_result.resources[0].data.database_admin_user_password | b64decode }}" + pg_database_fact: "{{ pg_s_result.resources[0].data.database_name | b64decode }}" + pg_aux_user_fact: "{{ pg_s_result.resources[0].data.database_aux_user | b64decode }}" + pg_aux_user_password_fact: "{{ pg_s_result.resources[0].data.database_aux_user_password | b64decode }}" + pg_aux_database_fact: "{{ pg_s_result.resources[0].data.database_aux_database | b64decode }}" + when: pg_s_result.resources | length == 1 - name: Write Database secrets k8s: definition: "{{ lookup('template', 'secret.yaml.j2') }}" wait: yes - when: pg_s_result.resources|length == 0 + when: pg_s_result.resources | length == 0 - name: Display Database admin password debug: 
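Review bot: The `set_fact` tasks in this hunk place the decoded `pg_user_password_fact` and `pg_aux_user_password_fact` values into Ansible facts, and a `set_fact` task echoes its `ansible_facts` in verbose (`-v`) output, so the admin and aux passwords land in the job log whenever someone debugs a run; neither task carries `no_log: true`. Add `no_log: true` to both `Set database secret facts` tasks, and to `Write Database secrets` as well, since its rendered `definition` (and the module's returned result) embed the same values. The first `set_fact` task begins before this hunk, so only its tail is visible here, and the `Display Database admin password` debug task that follows is cut off, so I cannot tell whether it is gated on an explicit flag; if it prints unconditionally, that is the larger leak to address in the same change.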
@@ -85,7 +83,7 @@ - name: Assert {{ pg_vol_storageclass }} StorageClass assert: - that: sc_result.resources|length == 1 + that: sc_result.resources | length == 1 fail_msg: The {{ pg_vol_storageclass }} StorageClass must be available on the cluster when: pg_vol_storageclass != " " @@ -94,7 +92,7 @@ definition: "{{ lookup('template', 'pvc-pg.yaml.j2') }}" wait: yes wait_timeout: "{{ wait_timeout }}" - when: pg_vol_size_g|int > 0 + when: pg_vol_size_g | int > 0 # Best practice ... wait for the PVC to bind. # e.g. wait until resources[0].status.phase == Bound (initially Pending) @@ -106,15 +104,15 @@ namespace: "{{ pg_namespace }}" register: pg_pvc_result until: >- - pg_pvc_result.resources|length > 0 + pg_pvc_result.resources | length > 0 and pg_pvc_result.resources[0].status is defined and pg_pvc_result.resources[0].status.phase is defined and pg_pvc_result.resources[0].status.phase == 'Bound' delay: 5 - retries: "{{ (bind_timeout|int / 5)|int }}" + retries: "{{ (bind_timeout | int / 5) | int }}" when: - - pg_vol_size_g|int > 0 - - wait_for_bind|bool + - pg_vol_size_g | int > 0 + - wait_for_bind | bool # Database volume (pg-copy) --------------------------------------------------- @@ -130,7 +128,7 @@ - name: Assert {{ pg_copy_vol_storageclass }} StorageClass assert: - that: sc_result.resources|length == 1 + that: sc_result.resources | length == 1 fail_msg: The {{ pg_copy_vol_storageclass }} StorageClass must be available on the cluster when: pg_copy_vol_storageclass != " " 
@@ -150,28 +148,28 @@ namespace: "{{ pg_namespace }}" register: pg_copy_pvc_result until: >- - pg_copy_pvc_result.resources|length > 0 + pg_copy_pvc_result.resources | length > 0 and pg_copy_pvc_result.resources[0].status is defined and pg_copy_pvc_result.resources[0].status.phase is defined and pg_copy_pvc_result.resources[0].status.phase == 'Bound' delay: 5 - retries: "{{ (bind_timeout|int / 5)|int }}" - when: wait_for_bind|bool + retries: "{{ (bind_timeout | int / 5) | int }}" + when: wait_for_bind | bool - when: pg_copy_vol_size_g|int > 0 + when: pg_copy_vol_size_g | int > 0 # Database (postgres) --------------------------------------------------------- - name: Postgres k8s: - definition: "{{ lookup('template', '{{ item }}.yaml.j2') }}" + definition: "{{ lookup('template', item) }}" wait: yes wait_timeout: "{{ wait_timeout }}" loop: - - configmap-postgres-conf - - configmap-postgres-init - - service - - statefulset + - configmap-postgres-conf.yaml.j2 + - configmap-postgres-init.yaml.j2 + - service.yaml.j2 + - statefulset.yaml.j2 - name: Wait for Postgres k8s_info: @@ -181,10 +179,10 @@ - app=postgres register: result until: >- - result.resources|length > 0 + result.resources | length > 0 and result.resources[0].status.containerStatuses is defined - and result.resources[0].status.containerStatuses|length == 1 + and result.resources[0].status.containerStatuses | length == 1 and result.resources[0].status.containerStatuses[0].ready is defined and result.resources[0].status.containerStatuses[0].ready delay: 20 - retries: "{{ (wait_timeout|int / 20)|int }}" + retries: "{{ (wait_timeout | int / 20) | int }}" diff --git a/roles/postgresql/tasks/main.yaml b/roles/postgresql/tasks/main.yaml index 66b7166..0979707 100644 --- a/roles/postgresql/tasks/main.yaml +++ b/roles/postgresql/tasks/main.yaml 
@@ -11,17 +11,17 @@ - name: Assert authentication assert: that: - - k8s_auth_host|length > 0 - - k8s_auth_api_key|length > 0 + - k8s_auth_host | length > 0 + - k8s_auth_api_key | length > 0 # Go... - block: - include_tasks: deploy.yaml - when: pg_state|string == 'present' + when: pg_state | string == 'present' - include_tasks: undeploy.yaml - when: pg_state|string == 'absent' + when: pg_state | string == 'absent' module_defaults: group/k8s: diff --git a/roles/postgresql/templates/configmap-postgres-conf.yaml.j2 b/roles/postgresql/templates/configmap-postgres-conf.yaml.j2 index 2a17d95..61ca9de 100644 --- a/roles/postgresql/templates/configmap-postgres-conf.yaml.j2 +++ b/roles/postgresql/templates/configmap-postgres-conf.yaml.j2 @@ -5,4 +5,4 @@ metadata: name: postgres-conf namespace: {{ pg_namespace }} data: - postgresql.conf: "{{ pg_configuration|replace('\n', '\\n') }}" + postgresql.conf: "{{ pg_configuration | replace('\n', '\\n') }}" diff --git a/roles/postgresql/templates/role-im-psp-unrestricted.yaml.j2 b/roles/postgresql/templates/role-im-psp-unrestricted.yaml.j2 deleted file mode 100644 index 92ed08e..0000000 --- a/roles/postgresql/templates/role-im-psp-unrestricted.yaml.j2 +++ /dev/null @@ -1,11 +0,0 @@ ---- -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: im-psp-unrestricted - namespace: {{ pg_namespace }} -rules: -- apiGroups: ['policy'] - resources: ['podsecuritypolicies'] - verbs: ['use'] - resourceNames: ['im-core-unrestricted'] diff --git a/roles/postgresql/templates/rolebinding-pg-sa.yaml.j2 b/roles/postgresql/templates/rolebinding-pg-sa.yaml.j2 deleted file mode 100644 index b6c3e80..0000000 --- a/roles/postgresql/templates/rolebinding-pg-sa.yaml.j2 +++ /dev/null 
@@ -1,14 +0,0 @@ ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: pg-sa - namespace: {{ pg_namespace }} -roleRef: - kind: Role - name: im-psp-unrestricted - apiGroup: rbac.authorization.k8s.io -subjects: -- kind: ServiceAccount - name: postgres - namespace: {{ pg_namespace }} diff --git a/roles/postgresql/templates/statefulset.yaml.j2 b/roles/postgresql/templates/statefulset.yaml.j2 index 79548a6..2929d43 100644 --- a/roles/postgresql/templates/statefulset.yaml.j2 +++ b/roles/postgresql/templates/statefulset.yaml.j2 @@ -25,13 +25,11 @@ spec: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - - key: informaticsmatters.com/purpose - operator: In - values: - - core + - key: informaticsmatters.com/purpose-core + operator: Exists {% endif %} -{% if all_image_preset_pullsecret_name|string|length > 0 %} +{% if all_image_preset_pullsecret_name | string | length > 0 %} imagePullSecrets: - name: {{ all_image_preset_pullsecret_name }} {% endif %}
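Review bot: The node-affinity term now requires a node label key `informaticsmatters.com/purpose-core` to exist, where it previously matched `informaticsmatters.com/purpose` with value `core`; nodes labelled under the old scheme no longer satisfy `requiredDuringSchedulingIgnoredDuringExecution`, so on an existing cluster the postgres pod will sit Pending until nodes are relabelled, and nothing in this diff documents or automates that migration. A template comment above the term, `{# Needs nodes labelled informaticsmatters.com/purpose-core; the old purpose=core label no longer matches #}`, plus a line in the role's changelog, would save an operator a confusing rollout. The `{% if %}` that encloses the affinity block starts outside the hunk, so I cannot see which variable gates it or whether a relabel could be scripted from the same setting.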