Add PostgreSQL server installation role

roles/postgresql_server/README.md

@@ -0,0 +1,131 @@
+# postgresql_server
+
+Install PostgreSQL server for Cloudera Manager
+
+This role installs and configures a PostgreSQL server, primarily for use as a backend database for Cloudera Manager. It sets up the necessary packages, manages the PostgreSQL repository, configures essential database settings (e.g., `postgresql.conf`), and defines host-based authentication rules (`pg_hba.conf`). The role can also optionally create a database superuser and enable TLS for secure connections. It will also ensure the `psycopg2` (or `psycopg3`) Python client library is available.
+
+The role will:
+- Optionally enable or disable the PostgreSQL package repository setup.
+- Install PostgreSQL server packages, including client libraries and utilities.
+- Ensure the `psycopg2` (or `psycopg3`) Python package is installed, which is often required for Ansible's PostgreSQL modules.
+- Create a dedicated database superuser account if `create_database_admin_user` is `true`.
+- Configure global PostgreSQL server settings by managing the `postgresql.conf` file.
+- Configure host-based authentication (HBA) rules by managing the `pg_hba.conf` file, controlling client access.
+- Optionally, enable and configure TLS for secure client-server connections, utilizing specified certificate, key, and CA files.
+- Start and enable the PostgreSQL service.
+
+# Requirements
+
+- Target host must have internet access to download PostgreSQL packages and repository data.
+- Root or `sudo` privileges are required to manage packages, services, and system configuration files.
+- If `postgresql_tls_enabled` is `true`, ensure that the certificate, key, and CA files specified (`postgresql_tls_cert_path`, `postgresql_tls_key_path`, `postgresql_tls_ca_path`) are present on the target host prior to execution.
+
+# Dependencies
+
+- `community.general`
+- `community.postgresql`
+
+In addition, the following role(s) are required:
+
+- `geerlingguy.postgres`
+
+
+# Parameters
+
+| Variable | Type | Required | Default | Description |
+| --- | --- | --- | --- | --- |
+| `create_database_admin_user` | `bool` | `False` | `false` | Flag to specify if a database superuser should be created by this role. If `true`, `database_admin_user` and `database_admin_password` must be provided. |
+| `database_admin_user` | `str` | `True` if `create_database_admin_user` is `true` | | Username for the database superuser account to be created. |
+| `database_admin_password` | `str` | `True` if `create_database_admin_user` is `true` | | Password for the database superuser account to be created. |
+| `postgresql_version` | `int` | `False` | `14` | PostgreSQL version to install (e.g., 12, 14, 16). |
+| `postgresql_packages` | `list` of `str` | `False` | `[defaults based on OS]` | List of packages to install for the PostgreSQL server. If not defined, the role will use default package names specific to the OS distribution and PostgreSQL version. |
+| `postgresql_repo_enabled` | `bool` | `False` | `true` | Flag enabling the setup and teardown of the PostgreSQL package repository. If `false`, the role will assume existing repositories are configured and will not modify them. |
+| `postgresql_tls_enabled` | `bool` | `False` | `false` | Flag enabling TLS connections for the PostgreSQL server. |
+| `postgresql_tls_cert_path` | `path` | `False` | `$PGDATA/server.crt` | Path to the TLS certificate file on the PostgreSQL server. If not specified, PostgreSQL typically uses a default path (e.g., `$PGDATA/server.crt`). |
+| `postgresql_tls_key_path` | `path` | `False` | `$PGDATA/server.key` | Path to the TLS private key file on the PostgreSQL server. If not specified, PostgreSQL typically uses a default path (e.g., `$PGDATA/server.key`). |
+| `postgresql_tls_ca_path` | `path` | `False` | `None` | Path to the TLS Certificate Authority (CA) file on the PostgreSQL server. If not specified, PostgreSQL will typically not use a CA file, impacting client certificate validation. |
+| `postgresql_config_options` | `list` of `dict` | `False` | `[]` | List of global configuration entries for the `postgresql.conf` file. Each dictionary requires an `option` (parameter name) and a `value`. |
+|     `option` | `str` | `True` | | Name of the PostgreSQL configuration parameter (e.g., `listen_addresses`). |
+|     `value` | `str` | `True` | | Value of the PostgreSQL configuration parameter (e.g., `'*'`). |
+| `postgresql_access_entries` | `list` of `dict` | `False` | `[]` | List of host-based authentication (HBA) entries for the `pg_hba.conf` file. Each dictionary requires `type`, `database`, `user`, and `auth_method`. `address` is optional. |
+|     `type` | `str` | `True` | | Authentication scope type (e.g., `host`, `local`). |
+|     `database` | `str` | `True` | | Database target for the HBA rule (e.g., `all`, `scm`). |
+|     `user` | `str` | `True` | | User or user type for the HBA rule (e.g., `all`, `scm_user`). |
+|     `address` | `str` | `False` | | Networking scope (e.g., `10.0.0.0/24`, `::1/128`). Required for `host` type. |
+|     `auth_method` | `str` | `True` | | Authentication method (e.g., `md5`, `scram-sha-256`, `trust`). |
+
+# Example Playbook
+
+```yaml
+- hosts: db_servers
+  tasks:
+    - name: Install PostgreSQL server with default settings
+      ansible.builtin.import_role:
+        name: cloudera.exe.postgresql_server
+      # Uses PostgreSQL 14, default packages, no admin user, no TLS, default configs.
+
+    - name: Install PostgreSQL 16 with custom admin user and basic HBA
+      ansible.builtin.import_role:
+        name: cloudera.exe.postgresql_server
+      vars:
+        postgresql_version: 16
+        create_database_admin_user: true
+        database_admin_user: "cm_admin"
+        database_admin_password: "MySuperSecurePassword"
+        postgresql_access_entries:
+          - type: host
+            database: all
+            user: all
+            address: 0.0.0.0/0
+            auth_method: md5
+          - type: host
+            database: all
+            user: all
+            address: ::/0
+            auth_method: md5
+
+    - name: Install PostgreSQL with TLS enabled and custom configs
+      ansible.builtin.import_role:
+        name: cloudera.exe.postgresql_server
+      vars:
+        postgresql_version: 14
+        postgresql_tls_enabled: true
+        postgresql_tls_cert_path: "/etc/pki/tls/certs/server.crt"
+        postgresql_tls_key_path: "/etc/pki/tls/private/server.key"
+        postgresql_tls_ca_path: "/etc/pki/tls/certs/ca.crt"
+        postgresql_config_options:
+          - option: ssl
+            value: on
+          - option: ssl_cert_file
+            value: "/etc/pki/tls/certs/server.crt"
+          - option: ssl_key_file
+            value: "/etc/pki/tls/private/server.key"
+          - option: ssl_ca_file
+            value: "/etc/pki/tls/certs/ca.crt"
+          - option: listen_addresses
+            value: "'*'"
+        postgresql_access_entries:
+          - type: hostssl # Enforce SSL for this rule
+            database: all
+            user: all
+            address: 0.0.0.0/0
+            auth_method: scram-sha-256
+```
+
+# License
+
+```
+Copyright 2024 Cloudera, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    https://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+```

roles/postgresql_server/defaults/main.yml

@@ -0,0 +1,31 @@
+---
+# Copyright 2024 Cloudera, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+postgresql_version: 14
+
+postgresql_repo_enabled: true
+# postgresql_packages: []
+
+postgresql_tls_enabled: false
+# postgresql_tls_cert_path:
+# postgresql_tls_key_path:
+# postgresql_tls_ca_path:
+
+# postgresql_config_options: []
+# postgresql_access_entries: []
+
+create_database_admin_user: false
+# database_admin_user:
+# database_admin_password:

roles/postgresql_server/files/utf8-template.sql

@@ -0,0 +1,24 @@
+-- Copyright 2024 Cloudera, Inc.
+--
+-- Licensed under the Apache License, Version 2.0 (the "License");
+-- you may not use this file except in compliance with the License.
+-- You may obtain a copy of the License at
+--
+--      http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+
+-- If unable to set encoding via /etc/locale.conf and LC_ALL="en_US.UTF-8"
+
+update pg_database set datallowconn = TRUE where datname = 'template0';
+\c template0
+update pg_database set datistemplate = FALSE where datname = 'template1';
+drop database template1;
+create database template1 with template = template0 encoding = 'UTF8';
+update pg_database set datistemplate = TRUE where datname = 'template1';
+\c template1
+update pg_database set datallowconn = FALSE where datname = 'template0';

roles/postgresql_server/handlers/main.yml

@@ -0,0 +1,24 @@
+---
+# Copyright 2024 Cloudera, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Clean YUM metadata
+  ansible.builtin.command: yum clean metadata
+  changed_when: false
+  tags: molecule-idempotence-notest
+
+- name: Clean DNF metadata
+  ansible.builtin.command: dnf clean metadata
+  changed_when: false
+  tags: molecule-idempotence-notest

roles/postgresql_server/meta/argument_specs.yml

@@ -0,0 +1,116 @@
+---
+# Copyright 2024 Cloudera, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+argument_specs:
+  main:
+    short_description: Install PostgreSQL server for Cloudera Manager
+    description:
+      - Install and configure PostgreSQL server, including required users, for Cloudera Manager.
+      - Will install C(psycopg2) (or C(psycopg3)).
+      - Optionally, will enable TLS.
+      - Optionally, will create a database superuser.
+    author: Cloudera Labs
+    version_added: "5.0.0"
+    options:
+      create_database_admin_user:
+        description:
+          - Flag to specify if a database superuser should be created
+        type: bool
+        default: false
+      database_admin_user:
+        description:
+          - Username for database superuser account
+        type: str
+        required: false
+      database_admin_password:
+        description:
+          - Password for database superuser account
+        type: str
+        required: false
+      postgresql_version:
+        description:
+          - PostgreSQL version to install.
+        default: 14
+      postgresql_packages:
+        description:
+          - List of packages for the PostgreSQL installation.
+          - If not defined, defaults are specified by OS distribution.
+        type: list
+        elements: str
+      postgresql_repo_enabled:
+        description:
+          - Flag enabling the setup and teardown of the PostgreSQL repository.
+          - If I(postgresql_repo_enable=no), then any existing repositories will be employed.
+        type: bool
+        default: true
+      postgresql_tls_enabled:
+        description:
+          - Flag enabling TLS connections.
+        type: bool
+        default: false
+      postgresql_tls_cert_path:
+        description:
+          - Path to the TLS certificate file.
+          - If not specified, the PostgreSQL server will employ its default, typically C($PGDATA/server.crt).
+        type: path
+      postgresql_tls_key_path:
+        description:
+          - Path to the TLS private key file.
+          - If not specified, the PostgreSQL server will employ its default, typically C($PGDATA/server.key).
+        type: path
+      postgresql_tls_ca_path:
+        description:
+          - Path to the TLS certificate authority (CA) file.
+          - If not specified, the PostgreSQL server will employ its default, typically C(None), i.e. empty.
+        type: path
+      postgresql_config_options:
+        description:
+          - List of global configuration entries for PostgreSQL server, i.e. C(postgres.conf) file.
+        type: list
+        elements: dict
+        options:
+          option:
+            description:
+              - Name of the parameter.
+            required: true
+          value:
+            description:
+              - Value of the parameter.
+            required: true
+      postgresql_access_entries:
+        description:
+          - List of host-based authentication (HBA) entries for PostgreSQL server, i.e. C(pg_hba.conf) file.
+        type: list
+        elements: dict
+        options:
+          type:
+            description:
+              - Authentication scope (type).
+            required: true
+          database:
+            description:
+              - Database target.
+            required: true
+          user:
+            description:
+              - User or user type.
+            required: true
+          address:
+            description:
+              - Networking scope.
+          auth_method:
+            description:
+              - Authentication method.
+            required: true

roles/postgresql_server/molecule/default/converge.yml

@@ -0,0 +1,27 @@
+---
+# Copyright 2024 Cloudera, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Converge
+  hosts: all
+  gather_facts: true
+  become: true
+  tasks:
+    - name: Install PostgreSQL
+      ansible.builtin.import_role:
+        name: cloudera.exe.postgresql_server
+      vars:
+        create_database_admin_user: true
+        database_admin_user: molecule
+        database_admin_password: molecule