add support for data server operator (#125)

README.md

@@ -131,13 +131,8 @@ This following information is parsed from the integration:
   - JUMP_SVR_HOST
   - JUMP_SVR_USER
   - JUMP_SVR_RWX_FILESTORE_PATH
-- Postgres (When V4_CFG_POSTGRES_TYPE is set to external)
-  - V4_CFG_POSTGRES_ADMIN_LOGIN
-  - V4_CFG_POSTGRES_PASSWORD
-  - V4_CFG_POSTGRES_FQDN
-  - V4_CFG_POSTGRES_CONNECTION_NAME
-  - V4_CFG_POSTGRES_SERVICE_ACCOUNT
-  - V4_CFG_POSTGRES_SSL_ENFORCEMENT
+- Postgres
+  - V4_CFG_POSTGRES_SERVERS (if postgres deployed)
 - Cluster
   - KUBECONFIG
   - V4_CFG_CLUSTER_NODE_POOL_MODE

ansible.cfg

@@ -18,4 +18,4 @@ display_skipped_hosts = False
 hash_behaviour=merge
 library = /usr/share/ansible:./plugins/modules
 lookup_plugins = ./plugins/lookup
-action_plugins = ./plugins/action
+action_plugins = ./plugins/action

docs/CONFIG-VARS.md

@@ -22,7 +22,6 @@ Supported configuration variables are listed in the table below.  All variables
   - [TLS](#tls)
     - [Cert-manager](#cert-manager)
   - [Postgres](#postgres)
-    - [External Postgres](#external-postgres)
   - [CAS](#cas)
   - [CONNECT](#connect)
   - [Miscellaneous](#miscellaneous)
@@ -191,22 +190,49 @@ When setting V4_CFG_TLS_MODE to a value other than "disabled" and no V4_CFG_TLS_
 
 ## Postgres
 
-| Name | Description | Type | Default | Required | Notes | Tasks |
-| :--- | ---: | ---: | ---: | ---: | ---: | ---: |
-| V4_CFG_POSTGRES_TYPE | Postgres installation type | string | | true | [internal,external] | viya |
+Postgres servers can be defined with the postgres_servers variable which is a map of objects. The variable has the following format:
+
+```bash
+V4_CFG_POSTGRES_SERVERS:
+  default: {}
+  ...
+```
 
-### External Postgres
+**NOTE**: the `default` elements is always required . This will be the default server. Below is the list of parameters each element can contain.
 
 | Name | Description | Type | Default | Required | Notes | Tasks |
 | :--- | ---: | ---: | ---: | ---: | ---: | ---: |
-| V4_CFG_POSTGRES_ADMIN_LOGIN | Existing postgres username | string | | true | | viya |
-| V4_CFG_POSTGRES_PASSWORD | Existing postgres password | string | | true | | viya |
-| V4_CFG_POSTGRES_FQDN | Existing postgres ip/fqdn | string | | true | | viya |
-| V4_CFG_POSTGRES_PORT | Existing postgres port | string | 5432 | false | | viya |
-| V4_CFG_POSTGRES_DATABASE | Existing postgres database name | string | "SharedServices" | false | | viya |
-| V4_CFG_POSTGRES_SSL_ENFORCEMENT | Require ssl connection to existing postgres | bool | false | false | Ignored on GCP when using cloud sql | viya |
-| V4_CFG_POSTGRES_CONNECTION_NAME | Existing postgres database connection name | string | | false | See [ansible cloud authentication](user/AnsibleCloudAuthentication.md) | viya |
-| V4_CFG_POSTGRES_SERVICE_ACCOUNT | Existing service account for postgres connectivity | string | | false | See [ansible cloud authentication](user/AnsibleCloudAuthentication.md) | viya |
+| internal | Whether the database is internal or external | bool | | true | All servers must but internal or all must be external | viya |
+| database | Database name | string | Database server role | false | Default database name for default server is SharedServices | viya |
+| admin | External postgres username | string | | false | Required for external postgres servers | viya |
+| password | External postgres password | string | | false | Required for external postgres servers | viya |
+| fqdn | External postgres ip/fqdn | string | | false | Required for external postgres servers | viya |
+| server_port | External postgres port | string | 5432 | false | | viya |
+| ssl_enforcement_enabled | Require ssl connection to external postgres | bool | | false | Required for external postgres servers. Ignored on GCP when using cloud sql | viya |
+| connection_name | External postgres database connection name | string | | false | Required for using cloud-sql-proxy on gcp. See [ansible cloud authentication](user/AnsibleCloudAuthentication.md) | viya |
+| service_account | External service account for postgres connectivity | string | | false | Required for using cloud-sql-proxy on gcp. See [ansible cloud authentication](user/AnsibleCloudAuthentication.md) | viya |
+
+Example:
+
+```bash
+V4_CFG_POSTGRES_SERVERS:
+  default:
+    internal: false
+    admin: pgadmin
+    password: "password"
+    fqdn: mydbserver.local
+    server_port: 5432
+    ssl_enforcement_enabled: true
+    database: SharedServices
+  other_db:
+    internal: false
+    admin: pgadmin
+    password: "password"
+    fqdn: 10.10.10.10
+    server_port: 5432
+    ssl_enforcement_enabled: true
+    database: OtherDB
+```
 
 ## CAS
 

examples/ansible-vars-iac.yaml

@@ -23,7 +23,6 @@ V4_CFG_INGRESS_FQDN: <desired_fqdn>
 V4_CFG_TLS_MODE: "full-stack" # [full-stack|front-door|disabled]
 
 ## Postgres
-V4_CFG_POSTGRES_TYPE: external #[internal|external]
 
 ## LDAP
 V4_CFG_EMBEDDED_LDAP_ENABLE: true

examples/ansible-vars.yaml

@@ -33,11 +33,14 @@ V4_CFG_INGRESS_FQDN: <desired_fqdn>
 V4_CFG_TLS_MODE: "full-stack" # [full-stack|front-door|disabled]
 
 ## Postgres
-V4_CFG_POSTGRES_TYPE: external
-V4_CFG_POSTGRES_ADMIN_LOGIN: <existing_pg_user> 
-V4_CFG_POSTGRES_PASSWORD: <existing_pg_password> 
-V4_CFG_POSTGRES_FQDN: <existing_pg_fqdn> 
-V4_CFG_POSTGRES_PORT: 5432
+V4_CFG_POSTGRES_SERVERS:
+  default:
+    internal: false
+    admin: <existing_pg_user>
+    password: <existing_pg_password>
+    fqdn: <existing_pg_fqdn>
+    ssl_enforcement_enabled: true
+    database: <desired_database>
 
 ## LDAP
 V4_CFG_EMBEDDED_LDAP_ENABLE: true
@@ -50,4 +53,4 @@ V4_CFG_CONNECT_ENABLE_LOADBALANCER: false
 
 ## Monitoring and Logging
 ## uncomment and update the below values when deploying the viya4-monitoring-kubernetes stack
-#V4M_BASE_DOMAIN: <base_domain>
+#V4M_BASE_DOMAIN: <base_domain>

playbooks/playbook.yaml

@@ -7,15 +7,15 @@
       tags:
         - install
         - uninstall
-        - upgrade
+        - update
     - name: common role
       include_role: 
         name: common
         public: yes
       tags:
         - install
         - uninstall
-        - upgrade
+        - update
     - name: jump-server role
       include_role:
         name: jump-server
@@ -46,6 +46,7 @@
     - name: monitoring role - namespace
       include_role:
         name: monitoring
+        tasks_from: viya-monitoring
       tags:
         - viya-monitoring
     - name: Delete tmpdir
@@ -55,4 +56,4 @@
       tags:
         - install
         - uninstall
-        - upgrade
+        - update

requirements.yaml

@@ -2,3 +2,5 @@
 collections:
   - name: community.kubernetes
     version: 1.2.1
+  - name: ansible.utils
+    version: 2.3.0

roles/baseline/defaults/main.yml

@@ -2,6 +2,8 @@ V4_CFG_TLS_MODE: "full-stack" # other valid values are front-door and disabled
 V4_CFG_RWX_FILESTORE_ENDPOINT: /export
 V4_CFG_INGRESS_TYPE: ingress
 
+PRIVATE_CLUSTER_ENABLE: false
+
 ## Cert-manager
 CERT_MANAGER_NAME: cert-manager
 CERT_MANAGER_NAMESPACE: cert-manager
@@ -34,6 +36,8 @@ INGRESS_NGINX_CONFIG:
       externalTrafficPolicy: Local
       sessionAffinity: None
       loadBalancerSourceRanges: "{{ LOADBALANCER_SOURCE_RANGES |default(['0.0.0.0/0'], -1) }}"
+      annotation:
+
     config:
       use-forwarded-headers: "true"
     tcp: {}
@@ -91,3 +95,21 @@ CLUSTER_AUTOSCALER_CONFIG:
       name: cluster-autoscaler
       annotations:
         "eks.amazonaws.com/role-arn": "{{ CLUSTER_AUTOSCALER_ACCOUNT }}"
+
+private_cluster:
+  aws:
+    controller:
+      service:
+        annotations:
+          service.beta.kubernetes.io/aws-load-balancer-internal: "true"
+          service.beta.kubernetes.io/aws-load-balancer-type: nlb
+  azure:
+    controller:
+      service:
+        annotations:
+          service.beta.kubernetes.io/azure-load-balancer-internal: "true"
+  gcp:
+    controller:
+      service: 
+        annotations:
+          networking.gke.io/load-balancer-type: "Internal"

roles/baseline/tasks/cert-manager.yaml

@@ -12,7 +12,7 @@
     wait: true
   tags:
     - install
-    - upgrade
+    - update
 
 - name: Remove cert-manager
   community.kubernetes.helm:

roles/baseline/tasks/cluster-autoscaler.yaml

@@ -11,7 +11,7 @@
     wait: true
   tags:
     - install
-    - upgrade
+    - update
 
 - name: Remove cluster-autoscaler
   community.kubernetes.helm:

roles/baseline/tasks/contour.yaml

@@ -12,7 +12,7 @@
     wait: true
   tags:
     - install
-    - upgrade
+    - update
 
 - name: Remove contour
   community.kubernetes.helm:

roles/baseline/tasks/ingress-nginx.yaml

@@ -1,4 +1,13 @@
 ---
+- set_fact:
+    INGRESS_NGINX_CONFIG: "{{ INGRESS_NGINX_CONFIG |combine(private_cluster[PROVIDER], recursive=True)}}"
+  when:
+    - PRIVATE_CLUSTER_ENABLE
+    - PROVIDER in private_cluster
+  tags:
+    - install
+    - update
+
 - name: Deploy ingress-nginx
   community.kubernetes.helm:
     name: "{{ INGRESS_NGINX_NAME }}"
@@ -12,7 +21,7 @@
     wait: true
   tags:
     - install
-    - upgrade
+    - update
 
 - name: Remove ingress-nginx
   community.kubernetes.helm:

roles/baseline/tasks/metrics-server.yaml

@@ -9,7 +9,7 @@
   register: metrics_service
   tags:
     - install
-    - upgrade
+    - update
     - uninstall
 
 - name: Deploy metrics-server
@@ -24,7 +24,7 @@
     wait: true
   tags:
     - install
-    - upgrade
+    - update
   when:
     - (metrics_service.resources | length) == 0
 

roles/baseline/tasks/nfs-subdir-external-provisioner.yaml

@@ -8,7 +8,7 @@
   tags:
     - install
     - uninstall
-    - upgrade
+    - update
 
 - name: Remove deprecated efs-provisioner
   community.kubernetes.helm:
@@ -19,7 +19,7 @@
   tags:
     - install
     - uninstall
-    - upgrade
+    - update
 
 - name: Remove deprecated efs-provisioner namespace
   community.kubernetes.k8s:
@@ -31,7 +31,7 @@
   tags:
     - install
     - uninstall
-    - upgrade
+    - update
 
 - name: Deploy nfs-subdir-external-provisioner
   community.kubernetes.helm:
@@ -46,7 +46,7 @@
     wait: true
   tags:
     - install
-    - upgrade
+    - update
 
 - name: Remove nfs-subdir-external-provisioner
   community.kubernetes.helm:

roles/common/defaults/main.yml

@@ -0,0 +1,2 @@
+V4_CFG_POSTGRES_SERVERS: 
+  default: {}