Manage patroni cluster after deploy

.ansible-lint

@@ -19,5 +19,6 @@ skip_list:
   - command-instead-of-shell  # Using command rather than shell where necessary
   - command-instead-of-module  # Using command rather than module where necessary
   - fqcn[action]
+  - no-relative-paths
 
 # https://ansible-lint.readthedocs.io/rules/

config_pgcluster.yml

@@ -0,0 +1,158 @@
+---
+
+- name: Configuration PostgreSQL HA Cluster (based on "Patroni" and "{{ dcs_type }}")
+  hosts: localhost
+  gather_facts: false
+  vars_files:
+    - vars/main.yml
+  vars:
+    minimal_ansible_version: 2.7.0
+  tasks:
+    - name: Checking ansible version
+      fail:
+        msg: "Ansible version must be {{ minimal_ansible_version }} or higher"
+      when: ansible_version.full is version(minimal_ansible_version, '<')
+
+- name: Gathering facts from all servers
+  hosts: all
+  gather_facts: true
+  tags: always
+
+- hosts: postgres_cluster
+  become: true
+  become_method: sudo
+  gather_facts: true
+  any_errors_fatal: true
+  vars_files:
+    - vars/main.yml
+    - vars/system.yml
+
+  pre_tasks:
+    - name: Include OS-specific variables
+      include_vars: "vars/{{ ansible_os_family }}.yml"
+      when: not ansible_os_family == 'Rocky' and not ansible_os_family == 'AlmaLinux'
+      tags: always
+
+    # For compatibility with Ansible old versions
+    # (support for RockyLinux and AlmaLinux has been added to Ansible 2.11)
+    - name: Include OS-specific variables
+      include_vars: "vars/RedHat.yml"
+      when: ansible_os_family == 'Rocky' or ansible_os_family == 'AlmaLinux'
+      tags: always
+
+    - name: Checking Linux distribution
+      fail:
+        msg: "{{ ansible_distribution }} is not supported"
+      when: ansible_distribution not in os_valid_distributions
+
+    - name: Checking version of OS Linux
+      fail:
+        msg: "{{ ansible_distribution_version }} of {{ ansible_distribution }} is not supported"
+      when: ansible_distribution_version is version_compare(os_minimum_versions[ansible_distribution], '<')
+
+    - name: Update apt cache
+      apt:
+        update_cache: true
+        cache_valid_time: 3600
+      environment: "{{ proxy_env | default({}) }}"
+      when: ansible_os_family == "Debian" and installation_method == "repo"
+      tags: add_repo, install_packages, install_postgres
+
+    - name: Make sure the gnupg and apt-transport-https packages are present
+      apt:
+        pkg:
+          - gnupg
+          - apt-transport-https
+        state: present
+      environment: "{{ proxy_env | default({}) }}"
+      when: ansible_os_family == "Debian" and installation_method == "repo"
+      tags: add_repo, install_packages, install_postgres
+
+    - name: Build a firewall_ports_dynamic_var
+      set_fact:
+        firewall_ports_dynamic_var: "{{ firewall_ports_dynamic_var | default([]) + (firewall_allowed_tcp_ports_for[item]) }}"
+      loop: "{{ hostvars[inventory_hostname].group_names }}"
+      when: firewall_enabled_at_boot|bool
+      tags: config_firewall, firewall
+
+    - name: Build a firewall_rules_dynamic_var
+      set_fact:
+        firewall_rules_dynamic_var: "{{ firewall_rules_dynamic_var | default([]) + (firewall_additional_rules_for[item]) }}"
+      loop: "{{ hostvars[inventory_hostname].group_names }}"
+      when: firewall_enabled_at_boot|bool
+      tags: firewall
+
+  roles:
+    - role: ansible-role-firewall
+      environment: "{{ proxy_env | default({}) }}"
+      vars:
+        firewall_allowed_tcp_ports: "{{ firewall_ports_dynamic_var | unique }}"
+        firewall_additional_rules: "{{ firewall_rules_dynamic_var | unique }}"
+      when: firewall_enabled_at_boot|bool
+      tags: firewall
+
+    - role: hostname
+    - role: resolv_conf
+    - role: etc_hosts
+    - role: sudo
+    - role: swap
+    - role: sysctl
+    - role: pam_limits
+    - role: locales
+    - role: timezone
+    - role: ntp
+    - role: ssh-keys
+
+- import_playbook: balancers.yml
+  when: with_haproxy_load_balancing|bool
+  tags: config_balancers,load_balancing, haproxy
+
+- hosts: postgres_cluster
+  become: true
+  become_method: sudo
+  gather_facts: true
+  any_errors_fatal: true
+  handlers:
+    - include: roles/patroni/handlers/main.yml
+    - include: roles/pgbouncer/handlers/main.yml
+  vars_files:
+    - vars/main.yml
+    - vars/system.yml
+
+  pre_tasks:
+    - name: Include OS-specific variables
+      include_vars: "vars/{{ ansible_os_family }}.yml"
+      when: not ansible_os_family == 'Rocky' and not ansible_os_family == 'AlmaLinux'
+      tags: always
+
+    # For compatibility with Ansible old versions
+    # (support for RockyLinux and AlmaLinux has been added to Ansible 2.11)
+    - name: Include OS-specific variables
+      include_vars: "vars/RedHat.yml"
+      when: ansible_os_family == 'Rocky' or ansible_os_family == 'AlmaLinux'
+      tags: always
+
+  roles:
+    - role: patroni/config
+
+    - role: vip-manager
+      when: not with_haproxy_load_balancing|bool and
+            (cluster_vip is defined and cluster_vip | length > 0)
+
+    # optional
+    - role: postgresql-users
+      when: is_master == "true" and postgresql_users | length > 0
+
+    - role: postgresql-databases
+      when: is_master == "true" and postgresql_databases | length > 0
+
+    - role: postgresql-schemas
+      when: is_master == "true" and postgresql_schemas | length > 0
+
+    - role: postgresql-extensions
+      when: is_master == "true" and postgresql_extensions | length > 0
+
+    - role: pgbouncer/config
+      when: pgbouncer_install|bool and pgbouncer_generate_userlist|bool
+
+...

deploy_pgcluster.yml

@@ -144,6 +144,8 @@
   become_method: sudo
   gather_facts: true
   any_errors_fatal: true
+  handlers:
+    - include: roles/pgbouncer/handlers/main.yml
   vars_files:
     - vars/main.yml
     - vars/system.yml
@@ -169,7 +171,6 @@
       when: pg_probackup_install|bool
 
     - role: pgbouncer
-      when: pgbouncer_install|bool
 
     - role: patroni
 
@@ -190,7 +191,7 @@
     - role: postgresql-extensions
       when: is_master == "true" and postgresql_extensions | length > 0
 
-    - role: pgbouncer/userlist
+    - role: pgbouncer/config
       when: pgbouncer_install|bool and pgbouncer_generate_userlist|bool
 
     - role: netdata

roles/patroni/config/tasks/main.yml

@@ -0,0 +1,82 @@
+---
+
+# Patroni configure
+- name: Make sure that conf directory exists
+  file:
+    path: /etc/patroni
+    state: directory
+    owner: postgres
+    group: postgres
+    mode: 0750
+  tags: patroni
+
+- name: Make sure that patroni log directory exists
+  file:
+    path: "{{ patroni_log_dir }}"
+    owner: postgres
+    group: postgres
+    state: directory
+    mode: 0750
+  when: patroni_log_destination == 'logfile'
+  tags: patroni
+
+- name: Make sure the postgresql log directory "{{ postgresql_log_dir }}" exists
+  file:
+    path: "{{ postgresql_log_dir }}"
+    owner: postgres
+    group: postgres
+    state: directory
+    mode: 0700
+  tags: patroni
+
+- name: Update conf file "/etc/patroni/patroni.yml"
+  template:
+    src: ../templates/patroni.yml.j2
+    dest: /etc/patroni/patroni.yml
+    owner: postgres
+    group: postgres
+    mode: 0640
+  notify: "reload patroni"
+  tags: patroni
+
+- name: Update pg_hba.conf
+  template:
+    src: ../templates/pg_hba.conf.j2
+    dest: "{{ postgresql_conf_dir }}/pg_hba.conf"
+    owner: postgres
+    group: postgres
+    mode: 0640
+  notify: "reload postgres"
+  tags: patroni, pg_hba
+
+- block:
+    - name: Update postgresql parameters in DCS
+      uri:
+        url: http://{{ hostvars[inventory_hostname]['inventory_hostname'] }}:8008/config
+        method: PATCH
+        body: '{"postgresql":{"parameters":{"{{ item.option }}":"{{ item.value }}"}}}'
+        body_format: json
+      loop: "{{ postgresql_parameters }}"
+      when: item.value != "null"
+
+    - name: Delete postgresql parameters from DCS
+      uri:
+        url: http://{{ hostvars[inventory_hostname]['inventory_hostname'] }}:8008/config
+        method: PATCH
+        body: '{"postgresql":{"parameters":{"{{ item.option }}":null}}}'
+        body_format: json
+      loop: "{{ postgresql_parameters }}"
+      when: item.value == "null"
+  when: is_master == "true"
+  tags: patroni
+
+- name: Delete postgresql parameters from "/etc/patroni/patroni.yml"
+  lineinfile:
+    path: /etc/patroni/patroni.yml
+    regexp: '^.*{{ item.option }}: {{ item.value }}$'
+    state: absent
+  loop: "{{ postgresql_parameters }}"
+  tags: patroni
+  when: item.value == "null"
+
+...

roles/patroni/handlers/main.yml

@@ -0,0 +1,20 @@
+---
+
+- name: Reload patroni service
+  systemd:
+    daemon_reload: true
+    name: patroni
+    enabled: true
+    state: reloaded
+  listen: "reload patroni"
+
+- name: Reload postgres
+  become: true
+  become_user: postgres
+  command: "{{ postgresql_bin_dir }}/psql -p {{ postgresql_port }} -c 'SELECT pg_reload_conf()'"
+  register: psql_reload_result
+  changed_when: psql_reload_result.rc == 0
+  failed_when: false  # exec pg_reload_conf on all running postgres (to re-run with --tag pg_hba).
+  listen: "reload postgres"
+
+...

roles/patroni/tasks/main.yml

@@ -579,7 +579,7 @@
   tags: patroni, patroni_start_master
 
 - block:  # PITR (custom bootstrap)
-# Prepare (install pexpect, ruamel.yaml)
+  # Prepare (install pexpect, ruamel.yaml)
     - name: Prepare | Make sure the ansible required python library is exist
       pip:
         name: "{{ item }}"
@@ -594,7 +594,7 @@
         PATH: "{{ ansible_env.PATH }}:/usr/local/bin:/usr/bin"
       vars:
         ansible_python_interpreter: /usr/bin/python3
-# Run PITR
+  # Run PITR
     - name: Stop patroni service on the Replica servers (if running)
       systemd:
         name: patroni

roles/pgbouncer/userlist/tasks/main.yml → roles/pgbouncer/config/tasks/main.yml

@@ -1,4 +1,23 @@
 ---
+- name: Ensure config directory "{{ pgbouncer_conf_dir }}" exist
+  file:
+    path: "{{ pgbouncer_conf_dir }}"
+    state: directory
+    owner: postgres
+    group: postgres
+    mode: 0750
+  tags: pgbouncer
+
+- name: Update pgbouncer.ini
+  template:
+    src: ../templates/pgbouncer.ini.j2
+    dest: "{{ pgbouncer_conf_dir }}/pgbouncer.ini"
+    owner: postgres
+    group: postgres
+    mode: 0640
+  notify: "restart pgbouncer"
+  when: existing_pgcluster is not defined or not existing_pgcluster|bool
+  tags: pgbouncer
 
 - name: Get users and password md5 from pg_shadow
   run_once: true

roles/pgbouncer/handlers/main.yml

@@ -18,4 +18,11 @@
   ignore_errors: false
   listen: "restart pgbouncer"
 
+- name: Reload pgbouncer service
+  systemd:
+    name: pgbouncer
+    state: reloaded
+  listen: "reload pgbouncer"
+  ignore_errors: true  # Added to prevent test failures in CI.
+
 ...

roles/swap/tasks/main.yml

@@ -61,7 +61,7 @@
         opts: sw
         state: present
   when: (swap_exists.stdout is defined and swap_exists.stdout | length < 1) or
-        (swap_exists.stdout_lines is defined and (swap_exists.stdout_lines|map('trim')|map('int')|sum / 1024 / 1024)|round|int != swap_file_size_mb|int)
+        (swap_exists.stdout_lines is defined and (swap_exists.stdout_lines | map('trim') | map('int') | sum / 1024 / 1024) | round | int != swap_file_size_mb|int)
   tags: swap, swap_create
 
 ...

vars/main.yml

@@ -1,4 +1,5 @@
 ---
+
 # ---------------------------------------------------------------------
 # Proxy variables (optional) for download packages using a proxy server
 proxy_env: {}  # yamllint disable rule:braces