- Updated roadmap (03-infra-stack-changes.md) to deprecate database proxies in prod.
- Detailed direct subnet access via WireGuard for production developers.
- Provided multi-host connection parameters for Patroni and MongoDB Replica Sets in setup guide (08-prod-db-cluster-kurulum.md).
- Added environment comparison table to developer access guide.
# 04 - Test DB Docker Installation (Swarm Worker)
The purpose of this phase is to add the iklim-db-01 node to Swarm as a worker and run PostgreSQL and MongoDB as Swarm services.
## Architecture Decision
The roadmap states that DBs will be installed "manually". In the test environment, this "manual" process will be implemented by starting the DBs as Docker containers on the Swarm Worker, instead of installing them directly on the operating system.
The installation has two phases:
- Preparation (Ansible): The `test-db-post-stack.yml` playbook sets up DB directories, the `mongod.conf` configuration, and the WireGuard VPN service.
- Deploy (Gitea CI/CD): The `deploy-test.yml` workflow deploys PostgreSQL and MongoDB services to Swarm through `docker-stack-infra.yml`.
### Why?
- Ease of management: Version transitions and configuration management are much faster with Docker.
- Overlay Network: Application services (`iklim-app-01`) can access DBs through the `iklimco-net` overlay network in an encrypted and isolated way.
- Data persistence: Data is stored in Docker named volumes on `iklim-db-01`. StorageBox is used only for backups.
## Prerequisites

- `03-test-ansible-bootstrap.md` must be completed on both nodes.
- Docker must be installed on `iklim-db-01`; the Bootstrap role does this.
- `vault_postgres_root_user`, `vault_postgres_password`, `vault_mongo_root_user`, and `vault_mongo_root_password` must be defined in the Ansible vault.
## 1. Firewall Update

Rules must be added to `terraform/hetzner/test/firewall.tf` so `iklim-db-01` can join Swarm and accept application traffic.
### Swarm Communication (App Subnet <-> DB Subnet)
For Swarm management, ports 2377/tcp, 7946/tcp/udp, and 4789/udp must be open mutually between both subnets.
### DB Access (App Subnet -> DB Subnet)

- PostgreSQL: `5432/tcp`
- MongoDB: `27017/tcp`
After making the update:

```bash
cd terraform/hetzner/test
terraform apply
```
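The rule set above as a worked Terraform example, written for this page and not taken from the project's `firewall.tf`; it assumes the hcloud provider's `hcloud_firewall` resource, the subnet CIDRs `10.0.1.0/24` (App) and `10.0.2.0/24` (DB), and a `role=db` label on `iklim-db-01`. The `esp` entry goes beyond the page's port list and applies only if `iklimco-net` is created as an encrypted overlay.

```hcl
locals {
  app_subnet = "10.0.1.0/24" # assumed App subnet CIDR
  db_subnet  = "10.0.2.0/24" # assumed DB subnet CIDR

  # Swarm control and data plane; must be open mutually between both subnets.
  # The "esp" entry is needed only if iklimco-net is created with
  # "--opt encrypted" (IPsec ESP, IP protocol 50); it is an assumption here.
  swarm_rules = [
    { proto = "tcp", port = "2377" }, # cluster management
    { proto = "tcp", port = "7946" }, # node discovery
    { proto = "udp", port = "7946" },
    { proto = "udp", port = "4789" }, # VXLAN overlay (iklimco-net)
    { proto = "esp", port = null },   # encrypted overlay traffic
  ]

  # DB ports: reachable from the App subnet only, never from 0.0.0.0/0.
  db_rules = [
    { proto = "tcp", port = "5432" },  # PostgreSQL
    { proto = "tcp", port = "27017" }, # MongoDB
  ]
}

resource "hcloud_firewall" "db_node" {
  name = "iklim-db-01-fw" # assumed name

  dynamic "rule" {
    for_each = local.swarm_rules
    content {
      direction  = "in"
      protocol   = rule.value.proto
      port       = rule.value.port # null for esp, so the attribute is unset
      source_ips = [local.app_subnet, local.db_subnet]
    }
  }

  dynamic "rule" {
    for_each = local.db_rules
    content {
      direction  = "in"
      protocol   = rule.value.proto
      port       = rule.value.port
      source_ips = [local.app_subnet]
    }
  }

  apply_to {
    label_selector = "role=db" # assumed label set on iklim-db-01
  }
}
```

The app-side firewall needs the same `swarm_rules` with the DB subnet as source so the Swarm rules are mutual. Hetzner Cloud Firewalls filter only the public interface, so if the App and DB subnets are Hetzner private-network subnets the same restrictions must also be enforced on the host (for example with nftables).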
## 2. Vault Update

```bash
cd ansible/test
ansible-vault edit group_vars/all/vault.yml
```

Add these variables:

```yaml
vault_postgres_root_user: "postgres"
vault_postgres_password: "STRONG_PASSWORD"
vault_mongo_root_user: "mongoadmin"
vault_mongo_root_password: "STRONG_PASSWORD"
```
## 3. Installation with Ansible

```bash
cd ansible/test
ansible-playbook -i inventory/generated/test.yml test-db-post-stack.yml --ask-vault-pass
```
### What does the playbook do?

On `iklim-db-01`, through the `db_stack` and `wireguard` roles:

- Creates the `/opt/iklimco/db/mongodb/config/` directory
- Places the `mongod.conf` file
- Installs and configures the WireGuard VPN server (`51820/udp`)

Deploying DB services (PostgreSQL, MongoDB) to Swarm is the responsibility of the Gitea CI/CD workflow (`deploy-test.yml`), not Ansible. This workflow deploys all services at once through `docker-stack-infra.yml`.
## 4. Volume and Data Structure

DB data is stored in Docker named volumes on `iklim-db-01`:
| Volume | Content |
|---|---|
| `iklim-db_postgresql_data` | PostgreSQL data files |
| `iklim-db_mongodb_data` | MongoDB data files |

MongoDB logs are written to stdout and can be watched with `docker logs`. Configuration: `/opt/iklimco/db/mongodb/config/mongod.conf`
StorageBox is not used for DB data. It only has a role in the backup strategy.
## 5. Acceptance Criteria

- `iklim-db-01` appears as Ready and Active in the `docker node ls` command.
- `docker stack services iklim-db` shows both services with 1/1 replicas.
- Access from the application node is available through the `iklim-db_postgresql` and `iklim-db_mongodb` DNS names.
- Data is preserved in named volumes after reboot; verify with `docker volume ls`.