Add support for blue/green deployment in mongodb role

roles/mongodb/tasks/configure-mongodb-auth.yml

@@ -2,6 +2,38 @@
 # GNU General Public License v3.0+ (see LICENSE or https://www.gnu.org/licenses/gpl-3.0.txt)
 ---
 
+- name: Discover MongoDB configuration state
+  tags: create_mongo_users
+  itential.deployer.mongodb_state:
+    host: "{{ ansible_host }}"
+    port: "{{ mongodb_port | default(27017) }}"
+    admin_user: "{{ mongodb_user_admin }}"
+    admin_password: "{{ mongodb_user_admin_password }}"
+    hosts: "{{ groups['mongodb'] }}"
+  register: mongodb_state
+  run_once: true
+  delegate_to: "{{ groups['mongodb'][0] }}"
+  vars:
+    ansible_python_interpreter: "{{ mongodb_python_venv }}/bin/python3"
+
+- name: Display MongoDB state
+  tags: create_mongo_users
+  ansible.builtin.debug:
+    msg:
+      - "MongoDB running: {{ mongodb_state.mongodb_running }}"
+      - "Service running: {{ mongodb_state.service_running | default('N/A') }}"
+      - "Port open: {{ mongodb_state.port_open }}"
+      - "Service state: {{ mongodb_state.service_state | default('N/A') }}"
+      - "Authentication enabled: {{ mongodb_state.auth_enabled }}"
+      - "Credentials valid: {{ mongodb_state.auth_valid | default('N/A') }}"
+      - "Replica set enabled: {{ mongodb_state.replication_enabled }}"
+      - "Replica set name: {{ mongodb_state.replica_set_name | default('N/A') }}"
+      - "Primary host: {{ mongodb_state.primary_host }}"
+      - "TLS enabled: {{ mongodb_state.tls_enabled }}"
+      - "TLS mode: {{ mongodb_state.tls_mode }}"
+      - "MongoDB version: {{ mongodb_state.mongodb_version }}"
+  run_once: true
+
 # When authorization is enabled in mongo using a replica set, the members of a
 # replica set will be required to authenticate to each other. This is accomplished
 # with a keyFile or x509 certificate. The following block will create this key file,
@@ -62,6 +94,7 @@
 
 # Execute the template to apply changes to the mongo.conf for auth
 - name: Create MongoDB config file (auth)
+  when: not mongodb_state.auth_enabled
   ansible.builtin.template:
     src: mongod.conf.j2
     dest: "{{ mongodb_conf_file }}"
@@ -72,6 +105,7 @@
     stage: "auth"
 
 - name: Start mongo (auth)
+  when: not mongodb_state.auth_enabled
   ansible.builtin.service:
     name: mongod
     state: restarted

roles/mongodb/tasks/configure-mongodb-replicaset.yml

@@ -1,34 +1,37 @@
 # Copyright (c) 2024, Itential, Inc
 # GNU General Public License v3.0+ (see LICENSE or https://www.gnu.org/licenses/gpl-3.0.txt)
 ---
-
-# Check the state of the MongoDB servers. This might or might not be a replicaset.
-# This might or might not have authorization enabled. This module returns an
-# object that looks like this:
-# {
-#   "auth_enabled": true,
-#   "changed": false,
-#   "failed": false,
-#   "members": [
-#     "example1.host.com:27017",
-#     "example2.host.com:27017",
-#     "example3.host.com:27017"
-#   ],
-#   "primary": "ip-10-0-0-28.ec2.internal:27017",
-#   "replication_enabled": true
-# }
 - name: Discover MongoDB configuration state
-  itential.deployer.mongodb_config_state:
-    login_database: admin
-    login_host: "{{ inventory_hostname }}"
-    login_port: "{{ mongodb_port }}"
+  tags: create_mongo_users
+  itential.deployer.mongodb_state:
+    host: "{{ ansible_host }}"
+    port: "{{ mongodb_port | default(27017) }}"
+    admin_user: "{{ mongodb_user_admin }}"
+    admin_password: "{{ mongodb_user_admin_password }}"
+    hosts: "{{ groups['mongodb'] }}"
   register: mongodb_state
+  run_once: true
+  delegate_to: "{{ groups['mongodb'][0] }}"
   vars:
     ansible_python_interpreter: "{{ mongodb_python_venv }}/bin/python3"
 
-- name: Print MongoDB configuration state
+- name: Display MongoDB state
+  tags: create_mongo_users
   ansible.builtin.debug:
-    msg: "{{ mongodb_state }}"
+    msg:
+      - "MongoDB running: {{ mongodb_state.mongodb_running }}"
+      - "Service running: {{ mongodb_state.service_running | default('N/A') }}"
+      - "Port open: {{ mongodb_state.port_open }}"
+      - "Service state: {{ mongodb_state.service_state | default('N/A') }}"
+      - "Authentication enabled: {{ mongodb_state.auth_enabled }}"
+      - "Credentials valid: {{ mongodb_state.auth_valid | default('N/A') }}"
+      - "Replica set enabled: {{ mongodb_state.replication_enabled }}"
+      - "Replica set name: {{ mongodb_state.replica_set_name | default('N/A') }}"
+      - "Primary host: {{ mongodb_state.primary_host }}"
+      - "TLS enabled: {{ mongodb_state.tls_enabled }}"
+      - "TLS mode: {{ mongodb_state.tls_mode }}"
+      - "MongoDB version: {{ mongodb_state.mongodb_version }}"
+  run_once: true
 
 # Execute the template to apply changes to the mongo.conf for replication
 - name: Create MongoDB config file (replicaset)
@@ -156,7 +159,7 @@
   when:
     - not mongodb_state.replication_enabled
     - inventory_hostname in groups.mongodb
-    - inventory_hostname == mongodb_state.primary
+    - inventory_hostname == mongodb_state.primary_host
     - groups.mongodb | length < 3
     - groups.mongodb_arbiter | default([]) | length > 0
   vars:

roles/mongodb/tasks/configure-mongodb-tls.yml

@@ -1,6 +1,38 @@
 # Copyright (c) 2024, Itential, Inc
 # GNU General Public License v3.0+ (see LICENSE or https://www.gnu.org/licenses/gpl-3.0.txt)
 ---
+- name: Discover MongoDB configuration state
+  tags: create_mongo_users
+  itential.deployer.mongodb_state:
+    host: "{{ ansible_host }}"
+    port: "{{ mongodb_port | default(27017) }}"
+    admin_user: "{{ mongodb_user_admin }}"
+    admin_password: "{{ mongodb_user_admin_password }}"
+    hosts: "{{ groups['mongodb'] }}"
+  register: mongodb_state
+  run_once: true
+  delegate_to: "{{ groups['mongodb'][0] }}"
+  vars:
+    ansible_python_interpreter: "{{ mongodb_python_venv }}/bin/python3"
+
+- name: Display MongoDB state
+  tags: create_mongo_users
+  ansible.builtin.debug:
+    msg:
+      - "MongoDB running: {{ mongodb_state.mongodb_running }}"
+      - "Service running: {{ mongodb_state.service_running | default('N/A') }}"
+      - "Port open: {{ mongodb_state.port_open }}"
+      - "Service state: {{ mongodb_state.service_state | default('N/A') }}"
+      - "Authentication enabled: {{ mongodb_state.auth_enabled }}"
+      - "Credentials valid: {{ mongodb_state.auth_valid | default('N/A') }}"
+      - "Replica set enabled: {{ mongodb_state.replication_enabled }}"
+      - "Replica set name: {{ mongodb_state.replica_set_name | default('N/A') }}"
+      - "Primary host: {{ mongodb_state.primary_host }}"
+      - "TLS enabled: {{ mongodb_state.tls_enabled }}"
+      - "TLS mode: {{ mongodb_state.tls_mode }}"
+      - "MongoDB version: {{ mongodb_state.mongodb_version }}"
+  run_once: true
+
 # Ensure that the directory exists for the certificates and key files
 - name: Ensure that the directory exists for the certificates and key files
   ansible.builtin.file:
@@ -31,6 +63,7 @@
 
 # Execute the template to apply changes to the mongo.conf for TLS support
 - name: Create MongoDB config file (TLS)
+  when: not mongodb_state.tls_enabled
   ansible.builtin.template:
     src: mongod.conf.j2
     dest: "{{ mongodb_conf_file }}"
@@ -41,6 +74,7 @@
     stage: "tls"
 
 - name: Start mongo (TLS)
+  when: not mongodb_state.tls_enabled
   ansible.builtin.service:
     name: mongod
     state: restarted

roles/mongodb/tasks/configure-mongodb.yml

@@ -8,16 +8,28 @@
 - name: Configure MongoDB replica set
   ansible.builtin.include_tasks:
     file: configure-mongodb-replicaset.yml
+    apply:
+      tags:
+        - configure_replicaset
+  tags: configure_replicaset
   when: mongodb_replication_enabled | bool
 
 # Configure auth
 - name: Configure MongoDB Auth
   ansible.builtin.include_tasks:
     file: configure-mongodb-auth.yml
+    apply:
+      tags:
+        - configure_auth
+  tags: configure_auth
   when: mongodb_auth_enabled | bool
 
 # Configure TLS
 - name: Configure MongoDB TLS
   ansible.builtin.include_tasks:
     file: configure-mongodb-tls.yml
+    apply:
+      tags:
+        - configure_tls
+  tags: configure_tls
   when: mongodb_tls_enabled | bool

roles/mongodb/tasks/create-mongodb-users.yml

@@ -0,0 +1,104 @@
+# Copyright (c) 2024, Itential, Inc
+# GNU General Public License v3.0+ (see LICENSE or https://www.gnu.org/licenses/gpl-3.0.txt)
+---
+
+- name: Set the host, either the primary or the first defined mongodb host
+  ansible.builtin.set_fact:
+    mongodb_write_host: "{{ mongodb_state.primary_host if mongodb_state.replication_enabled else groups['mongodb'][0] }}"
+  run_once: true
+
+- name: Display write host
+  ansible.builtin.debug:
+    msg: "Write host was determined to be: {{ mongodb_write_host }}"
+
+- name: Check if MongoDB admin user exists
+  community.mongodb.mongodb_shell:
+    eval: "db.getSiblingDB('admin').getUser('{{ mongodb_user_admin }}') !== null"
+    login_database: "admin"
+    login_host: "{{ mongodb_write_host }}"
+    login_password: "{{ mongodb_user_admin_password if mongodb_state.auth_enabled else omit }}"
+    login_port: "{{ mongodb_port }}"
+    login_user: "{{ mongodb_user_admin if mongodb_state.auth_enabled else omit }}"
+    mongo_cmd: auto
+  register: admin_user_check
+  failed_when: false
+  changed_when: false
+  run_once: true
+  vars:
+    ansible_python_interpreter: "{{ mongodb_python_venv }}/bin/python3"
+
+- name: Set admin user existence fact
+  ansible.builtin.set_fact:
+    admin_user_exists: "{{ (admin_user_check.transformed_output | first | string) == 'true' }}"
+  run_once: true
+
+- name: Check if MongoDB itential user exists
+  community.mongodb.mongodb_shell:
+    eval: "db.getSiblingDB('{{ mongodb_itential_db_name }}').getUser('{{ mongodb_user_itential }}') !== null"
+    login_database: "admin"
+    login_host: "{{ mongodb_write_host }}"
+    login_password: "{{ mongodb_user_admin_password if mongodb_state.auth_enabled else omit }}"
+    login_port: "{{ mongodb_port }}"
+    login_user: "{{ mongodb_user_admin if mongodb_state.auth_enabled else omit }}"
+    mongo_cmd: auto
+  register: itential_user_check
+  failed_when: false
+  changed_when: false
+  run_once: true
+  vars:
+    ansible_python_interpreter: "{{ mongodb_python_venv }}/bin/python3"
+
+- name: Set itential user existence fact
+  ansible.builtin.set_fact:
+    itential_user_exists: "{{ (itential_user_check.transformed_output | first | string) == 'true' }}"
+  run_once: true
+
+- name: Display result of user checks
+  ansible.builtin.debug:
+    msg:
+      - "MongoDB user {{ mongodb_user_admin }} {{ 'exists' if admin_user_exists else 'does not exist' }}"
+      - "MongoDB user {{ mongodb_user_itential }} {{ 'exists' if itential_user_exists else 'does not exist' }}"
+  run_once: true
+
+- name: Create admin user
+  when: not admin_user_exists | bool
+  community.mongodb.mongodb_user:
+    login_user: "{{ mongodb_user_admin if mongodb_state.auth_enabled else omit }}"
+    login_password: "{{ mongodb_user_admin_password if mongodb_state.auth_enabled else omit }}"
+    login_port: "{{ mongodb_port }}"
+    login_host: "{{ mongodb_write_host }}"
+    database: "{{ mongodb_admin_db_name }}"
+    name: "{{ mongodb_user_admin }}"
+    password: "{{ mongodb_user_admin_password }}"
+    state: present
+    replica_set: "{{ mongodb_state.replica_set_name if mongodb_state.replication_enabled else omit }}"
+    roles:
+      - db: "{{ mongodb_admin_db_name }}"
+        role: root
+    update_password: always
+  register: admin_user_creation_result
+  run_once: true
+  vars:
+    ansible_python_interpreter: "{{ mongodb_python_venv }}/bin/python3"
+
+- name: Create itential user
+  when: not itential_user_exists
+  community.mongodb.mongodb_user:
+    login_user: "{{ mongodb_user_admin if mongodb_state.auth_enabled else omit }}"
+    login_password: "{{ mongodb_user_admin_password if mongodb_state.auth_enabled else omit }}"
+    login_database: "{{ 'admin' if mongodb_state.auth_enabled else omit }}"
+    login_port: "{{ mongodb_port }}"
+    login_host: "{{ mongodb_write_host }}"
+    database: "{{ mongodb_itential_db_name }}"
+    user: "{{ mongodb_user_itential }}"
+    password: "{{ mongodb_user_itential_password }}"
+    state: present
+    replica_set: "{{ mongodb_state.replica_set_name if mongodb_state.replication_enabled else omit }}"
+    roles:
+      - db: "{{ mongodb_itential_db_name }}"
+        role: readWrite
+    update_password: always
+  register: itential_user_creation_result
+  run_once: true
+  vars:
+    ansible_python_interpreter: "{{ mongodb_python_venv }}/bin/python3"

roles/mongodb/tasks/disable-thp.yml

@@ -50,7 +50,11 @@
         mode: "0644"
       vars:
         description: Disable Transparent Hugepages (THP)
-        command: /bin/sh -c 'echo never | tee /sys/kernel/mm/transparent_hugepage/enabled > /dev/null && echo never | tee /sys/kernel/mm/transparent_hugepage/defrag > /dev/null'
+        command: >-
+          /bin/sh -c '
+          echo never | tee /sys/kernel/mm/transparent_hugepage/enabled > /dev/null &&
+          echo never | tee /sys/kernel/mm/transparent_hugepage/defrag > /dev/null
+          '
 
     - name: Start THP service
       ansible.builtin.systemd:

roles/mongodb/tasks/enable-thp.yml

@@ -40,7 +40,13 @@
         mode: "0644"
       vars:
         description: Enable Transparent Hugepages (THP)
-        command: /bin/sh -c 'echo always | tee /sys/kernel/mm/transparent_hugepage/enabled > /dev/null && echo defer+madvise | tee /sys/kernel/mm/transparent_hugepage/defrag > /dev/null && echo 0 | tee /sys/kernel/mm/transparent_hugepage/khugepaged/max_ptes_none > /dev/null && echo 1 | tee /proc/sys/vm/overcommit_memory > /dev/null'
+        command: >-
+          /bin/sh -c '
+          echo always | tee /sys/kernel/mm/transparent_hugepage/enabled > /dev/null &&
+          echo defer+madvise | tee /sys/kernel/mm/transparent_hugepage/defrag > /dev/null &&
+          echo 0 | tee /sys/kernel/mm/transparent_hugepage/khugepaged/max_ptes_none > /dev/null &&
+          echo 1 | tee /proc/sys/vm/overcommit_memory > /dev/null
+          '
 
     - name: Start THP service
       ansible.builtin.systemd: