GitOps (CI/CD)
Using Git for cluster configuration management.
Infrastructure as Code (IaC) allows you to manage and provision infrastructure through code rather than manual processes. GitOps extends this by automating infrastructure updates using a Git workflow with continuous integration (CI) and continuous delivery (CI/CD). When changes are merged into your codebase, the CI/CD pipeline automatically applies these changes to your environment. Any configuration drift, such as manual changes or errors, is corrected by GitOps automation, ensuring the environment matches the desired state as defined in Git.
Learn more about:
After deploying your cluster, you can use the config_pgcluster.yml
playbook to integrate Git for managing cluster configurations. The automation code and all dependencies are packaged in the Docker image vitabaks/postgresql_cluster
, making it easy to integrate into your CI/CD pipelines.
- GitLab
- GitHub
Examples of GitLab CI/CD configuration files:
Simple CI Pipeline
stages:
- test-connect
- run-playbook
image: vitabaks/postgresql_cluster:2.0.0
variables:
ANSIBLE_FORCE_COLOR: 'true'
before_script:
- cd /postgresql_cluster/automation
test-connect:
stage: test-connect
script:
- ansible all --inventory $CI_PROJECT_DIR/inventory -m ping
run-playbook:
stage: run-playbook
script:
- |
ansible-playbook config_pgcluster.yml \
--inventory $CI_PROJECT_DIR/inventory \
--extra-vars "@$CI_PROJECT_DIR/vars/main.yml" \
--extra-vars "@$CI_PROJECT_DIR/vars/Debian.yml" \
--extra-vars "@$CI_PROJECT_DIR/vars/system.yml" \
--tags $TAG
This CI example assumes the following repository structure:
/vars
├── main.yml
├── Debian.yml
└── system.yml
/.gitlab-ci.yml
/README.md
/inventory
- inventory: Contains the list of hosts or servers for Ansible to manage.
- vars: Directory with variable files for Ansible.
- main.yml: Base configuration variables.
- Debian.yml: Debian-specific variables.
- system.yml: System-level variables.
The CI pipeline:
test-connect
: Tests connectivity to all hosts using ansible ping.run-playbook
: Runs the config_pgcluster.yml playbook, loading variables from the vars folder.
Extended CI Pipeline
This extended CI pipeline adds more variable files and a "files" directory, where various files are placed for later copying by Ansible to the managed hosts (if defined in the copy_files_to_all_server
variable).
An additional step, "run-check-diff", is introduced to preview the changes that will be applied to the target servers. The "run-playbook" step is triggered manually for better control.
This setup also integrates Ansible Vault for encrypting sensitive data in the secrets.yml file, which is decrypted using the --vault-password-file
option, with the vault password provided by the ANSIBLE_VAULT_PASS_FILE
variable. This variable can be defined at the repository level in the CI/CD settings for secure handling of sensitive information.
Additionally, the pipeline includes two important variables:
PLAYBOOK
: Allows you to specify the playbook to be used when manually triggering the pipeline. For example, you can set this variable to update_pgcluster.yml to run the update playbook or to any other available playbooks depending on your needs.TAG
: Provides the option to specify tags to run only specific parts of the playbook, improving execution speed by limiting the automation to the necessary sections. For example, you can set this variable to patroni, pgbouncer, or all to control which portion of the playbook gets executed. See the tags.md file for a list of available tags.
Click here to expand...
stages:
- test-connect
- run-check-diff
- run-playbook
image: vitabaks/postgresql_cluster:2.0.0
variables:
ANSIBLE_FORCE_COLOR: 'true'
PLAYBOOK:
value: "config_pgcluster.yml"
description: "name of playbook, e.g. config_pgcluster.yml or update_pgcluster.yml"
TAG:
value: "all"
description: "tags for ansible-playbook, e.g. patroni or pgbouncer or all"
before_script:
- cp -r files/* /postgresql_cluster/automation/files
- cd /postgresql_cluster/automation
test-connect:
stage: test-connect
script:
- |
ansible all \
--inventory $CI_PROJECT_DIR/inventory \
--extra-vars "@$CI_PROJECT_DIR/vars/secrets.yml" \
--vault-password-file $ANSIBLE_VAULT_PASS_FILE \
-m ping
run-check-diff:
stage: run-check-diff
script:
- |
ansible-playbook $PLAYBOOK \
--inventory $CI_PROJECT_DIR/inventory \
--extra-vars "@$CI_PROJECT_DIR/vars/main.yml" \
--extra-vars "@$CI_PROJECT_DIR/vars/Debian.yml" \
--extra-vars "@$CI_PROJECT_DIR/vars/system.yml" \
--extra-vars "@$CI_PROJECT_DIR/vars/update.yml" \
--extra-vars "@$CI_PROJECT_DIR/vars/upgrade.yml" \
--extra-vars "@$CI_PROJECT_DIR/vars/secrets.yml" \
--vault-password-file $ANSIBLE_VAULT_PASS_FILE \
--tags $TAG \
--diff --check
allow_failure: true
run-playbook:
stage: run-playbook
script:
- |
ansible-playbook $PLAYBOOK \
--inventory $CI_PROJECT_DIR/inventory \
--extra-vars "@$CI_PROJECT_DIR/vars/main.yml" \
--extra-vars "@$CI_PROJECT_DIR/vars/Debian.yml" \
--extra-vars "@$CI_PROJECT_DIR/vars/system.yml" \
--extra-vars "@$CI_PROJECT_DIR/vars/update.yml" \
--extra-vars "@$CI_PROJECT_DIR/vars/upgrade.yml" \
--extra-vars "@$CI_PROJECT_DIR/vars/secrets.yml" \
--vault-password-file $ANSIBLE_VAULT_PASS_FILE \
--tags $TAG
timeout: 10h
rules:
- when: manual
Examples of GitHub CI/CD configuration files will be provided soon.
Refer to Run Ansible playbook GitHub Action for more details.