Support for external DBMS : AWS RDS Postgresql

README.md

@@ -102,6 +102,10 @@ configured in the main.yml
 Create a PostgreSQL database and configure your database credentials in the  environment variables, see 'Verifying the deployment section', 
 other database configurations are in the roles/tpa_single_node/vars/main.yml
 
+Postgres ssl mode is enabled by default. To disable it please change the following in vars/main.yml file:
+`tpa_single_node_pg_ssl_mode: disable`.
+
+
 ### S3 or S3 compatible service like Minio
   Have the following unversioned S3 bucket names created:
   ```
@@ -159,9 +163,11 @@ ansible-galaxy collection install redhat.trusted_profile_analyzer:==0.2.0
       export TPA_SINGLE_NODE_REGISTRATION_PASSWORD=<Your Red Hat subscription password>
       export TPA_SINGLE_NODE_REGISTRY_USERNAME=<Your Red Hat image registry username>
       export TPA_SINGLE_NODE_REGISTRY_PASSWORD=<Your Red Hat image registry password>
-      export TPA_PG_HOST=<POSTGRES_HOST_IP>
-      export TPA_PG_USER=<DB_USER>
-      export TPA_PG_PASSWORD==<DB_PASSWORD>
+      export TPA_PG_HOST=<POSTGRES HOST IP>
+      export TPA_PG_ADMIN=<DB ADMIN>
+      export TPA_PG_ADMIN_PASSWORD==<DB ADMIN PASSWORD>
+      export TPA_PG_USER=<DB USER>
+      export TPA_PG_USER_PASSWORD==<DB PASSWORD>
       export TPA_STORAGE_ACCESS_KEY=<Storage Access Key>
       export TPA_STORAGE_SECRET_KEY=<Storage Secret Key>
       export TPA_OIDC_ISSUER_URL=<AWS Cognito or Keycloak Issuer URL. Incase of Keycloak endpoint auth/realms/chicken is needed>

roles/tpa_single_node/meta/argument_specs.yml

@@ -75,18 +75,32 @@ argument_specs:
         type: "str"
         version_added: "0.2.0"
         default: "guac"
+      tpa_single_node_pg_admin:
+        description: "DB admin user."
+        type: "str"
+        required: true
+        version_added: "1.2.0"
+        default: "postgres"
+      tpa_single_node_pg_admin_passwd:
+        description: "DB admin password."
+        type: "str"
+        required: true
+        version_added: "1.2.0"
+        default: "posgres1234"
       tpa_single_node_pg_user:
-        description: "DB username."
+        description: "DB user."
         type: "str"
+        required: true
         version_added: "0.2.0"
         default: "guac"
       tpa_single_node_pg_user_passwd:
-        description: "DB password."
+        description: "DB user password."
         type: "str"
+        required: true
         version_added: "0.2.0"
         default: "guac1234"
       tpa_single_node_pg_ssl_mode:
-        description: "DB SSL mode enabled/disabled."
+        description: "DB SSL mode require/disabled."
         type: "str"
         version_added: "0.2.0"
         default: "disable"

roles/tpa_single_node/tasks/guac/init.yml

@@ -2,21 +2,19 @@
 - name: Copy init-db.sql to Server
   ansible.builtin.copy:
     content: "{{ lookup('ansible.builtin.template', 'configs/init-db.sql') }}"
-    dest: "/tmp/init-db.sql"
+    dest: "{{ tpa_single_node_config_dir }}/init-db.sql"
     remote_src: true
-    mode: "0666"
+    mode: "0600"
 
 - name: Run init-db.sql
-  ansible.builtin.command:
-    cmd: >
-      psql -v ON_ERROR_STOP=1
-      -v db_name={{ tpa_single_node_pg_db }}
-      -v db_user={{ tpa_single_node_pg_user }}
-      -v db_password={{ tpa_single_node_pg_user_passwd }}
-      -f /tmp/init-db.sql
+  ansible.builtin.command: "psql postgresql://{{ tpa_single_node_pg_admin }}:{{ tpa_single_node_pg_admin_passwd }}@\
+      {{ tpa_single_node_pg_host }}:{{ tpa_single_node_pg_port }}/{{ tpa_single_node_pg_db }} \
+      -v ON_ERROR_STOP=1 \
+      -v db_name={{ tpa_single_node_pg_db }} \
+      -v db_user={{ tpa_single_node_pg_user }} \
+      -v db_password={{ tpa_single_node_pg_user_passwd }} \
+      -f {{ tpa_single_node_config_dir }}/init-db.sql"
   changed_when: false
-  become: true
-  become_user: postgres
 
 - name: Testing DB guac to make sure it is available
   ansible.builtin.command: "psql postgresql://{{ tpa_single_node_pg_user }}:{{ tpa_single_node_pg_user_passwd }}@\

roles/tpa_single_node/tasks/infra/main.yml

@@ -4,6 +4,7 @@
   args:
     apply:
       become: true
+  when: tpa_single_node_pg_install_enabled
 
 - name: Configure OIDC
   ansible.builtin.include_tasks: infra/oidc.yml

roles/tpa_single_node/templates/manifests/collectorist/api/Configmap.yaml.j2

@@ -12,7 +12,7 @@ data:
     collectors:
       osv:
         cadence: 1d
-        url: https://collector-osv-pod:{{ tpa_single_node_collector_osv_port }}/api/v1/
+        url: https://{{ tpa_single_node_rhel_host }}:{{ tpa_single_node_collector_osv_port }}/api/v1/
         interests:
           - package
           - vulnerability

roles/tpa_single_node/templates/manifests/guac/graphql/Deployment.yaml.j2

@@ -31,7 +31,7 @@ spec:
           command:
             - /opt/guac/guacmigrate
           args:
-            - --db-address=postgres://{{ tpa_single_node_pg_user }}:{{ tpa_single_node_pg_user_passwd }}@{{ tpa_single_node_pg_host }}:{{ tpa_single_node_pg_port }}/{{ tpa_single_node_pg_db }}?sslmode={{ tpa_single_node_pg_ssl_mode }}
+            - --db-address=postgres://{{ tpa_single_node_pg_admin }}:{{ tpa_single_node_pg_admin_passwd }}@{{ tpa_single_node_pg_host }}:{{ tpa_single_node_pg_port }}/{{ tpa_single_node_pg_db }}?sslmode={{ tpa_single_node_pg_ssl_mode }}
             - --db-driver=postgres
             - --db-debug=true
           volumeMounts: null

roles/tpa_single_node/vars/main.yml

@@ -10,12 +10,15 @@ tpa_single_node_systemd_directory: /etc/systemd/system
 tpa_single_node_default_empty: ""
 
 # DB_SERVICE
+tpa_single_node_pg_install_enabled: false
 tpa_single_node_pg_host: "{{ lookup('env', 'TPA_PG_HOST') | default('192.168.121.60', true) }}"
 tpa_single_node_pg_port: 5432
 tpa_single_node_pg_db: guac
+tpa_single_node_pg_admin: "{{ lookup('env', 'TPA_PG_ADMIN') }}"
+tpa_single_node_pg_admin_passwd: "{{ lookup('env', 'TPA_PG_ADMIN_PASSWORD') }}"
 tpa_single_node_pg_user: "{{ lookup('env', 'TPA_PG_USER') }}"
-tpa_single_node_pg_user_passwd: "{{ lookup('env', 'TPA_PG_PASSWORD') }}"
-tpa_single_node_pg_ssl_mode: disable
+tpa_single_node_pg_user_passwd: "{{ lookup('env', 'TPA_PG_USER_PASSWORD') }}"
+tpa_single_node_pg_ssl_mode: require
 
 # Storage Service
 tpa_single_node_storage_access_key: "{{ lookup('env', 'TPA_STORAGE_ACCESS_KEY') }}" # S3/minio root username

roles/tpa_single_node/vars/main_example_aws.yml

@@ -11,12 +11,14 @@ tpa_single_node_systemd_directory: /etc/systemd/system
 tpa_single_node_default_empty: ""
 
 # DB_SERVICE
-tpa_single_node_pg_host: "{{ lookup('env', 'TPA_PG_HOST', default='192.168.121.60') }}"
+tpa_single_node_pg_host: "{{ lookup('env', 'TPA_PG_HOST') | default('192.168.121.60', true) }}"
 tpa_single_node_pg_port: 5432
 tpa_single_node_pg_db: guac
-tpa_single_node_pg_user: guac
-tpa_single_node_pg_user_passwd: guac1234
-tpa_single_node_pg_ssl_mode: disable
+tpa_single_node_pg_admin: "{{ lookup('env', 'TPA_PG_ADMIN') }}"
+tpa_single_node_pg_admin_passwd: "{{ lookup('env', 'TPA_PG_ADMIN_PASSWORD') }}"
+tpa_single_node_pg_user: "{{ lookup('env', 'TPA_PG_USER') }}"
+tpa_single_node_pg_user_passwd: "{{ lookup('env', 'TPA_PG_USER_PASSWORD') }}"
+tpa_single_node_pg_ssl_mode: require
 
 # Storage Service
 tpa_single_node_storage_type: s3

roles/tpa_single_node/vars/main_example_nonaws.yml

@@ -11,11 +11,13 @@ tpa_single_node_systemd_directory: /etc/systemd/system
 tpa_single_node_default_empty: ""
 
 # DB_SERVICE
-tpa_single_node_pg_host: "{{ lookup('env', 'TPA_PG_HOST', default='192.168.121.60') }}"
+tpa_single_node_pg_host: "{{ lookup('env', 'TPA_PG_HOST') | default('192.168.121.60', true) }}"
 tpa_single_node_pg_port: 5432
 tpa_single_node_pg_db: guac
-tpa_single_node_pg_user: guac
-tpa_single_node_pg_user_passwd: guac1234
+tpa_single_node_pg_admin: "{{ lookup('env', 'TPA_PG_ADMIN') }}"
+tpa_single_node_pg_admin_passwd: "{{ lookup('env', 'TPA_PG_ADMIN_PASSWORD') }}"
+tpa_single_node_pg_user: "{{ lookup('env', 'TPA_PG_USER') }}"
+tpa_single_node_pg_user_passwd: "{{ lookup('env', 'TPA_PG_USER_PASSWORD') }}"
 tpa_single_node_pg_ssl_mode: disable
 
 # Storage Service