ubicloud/rhizome/postgres/bin/configure
Burak Yucesoy 59c21736da Add OS users to be used by the prometheus integration
We added 2 new OS users, prometheus and ubi_monitoring, which are created while
generating the base PostgreSQL OS image. The prometheus user will be used to
run the prometheus server and node_exporter, and the former means that it will
be exposed to the outside. The ubi_monitoring user will be used to connect to the
database and scrape Postgres metrics. We are adding a special row for allowing
the ubi_monitoring OS user to connect to the database as the ubi_monitoring
database user. This user has pg_monitor rights, thus it is able to read/execute
various monitoring views and functions. I didn't want to allow prometheus to
connect to the database because it is exposed to the outside and a potential
vulnerability in the prometheus server could otherwise lead to a database
compromise.
2024-07-03 01:42:51 +02:00

#!/bin/env ruby
# frozen_string_literal: true
require "json"
require_relative "../../common/lib/util"
configure_hash = JSON.parse($stdin.read)
# Update /etc/hosts
hosts = <<-HOSTS
127.0.0.1 localhost
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
#{configure_hash["hosts"]}
HOSTS
safe_write_to_file("/etc/hosts", hosts)
# Update postgresql.conf
configs = configure_hash["configs"].map { |k, v| "#{k} = #{v}" }.join("\n")
safe_write_to_file("/etc/postgresql/16/main/conf.d/001-service.conf", configs)
# Update pg_hba.conf
private_subnets = configure_hash["private_subnets"].flat_map {
  [
    "host all all #{_1["net4"]} scram-sha-256",
    "host all all #{_1["net6"]} scram-sha-256"
  ]
}.join("\n")
pg_hba_entries = <<-PG_HBA
# PostgreSQL Client Authentication Configuration File
# ===================================================
#
# Refer to the "Client Authentication" section in the PostgreSQL
# documentation for a complete description of this file.
# TYPE DATABASE USER ADDRESS METHOD
# Database administrative login by Unix domain socket
local all postgres peer map=system2postgres
# "local" is for Unix domain socket connections only
local all all peer
# IPv4 local connections:
host all all 127.0.0.1/32 scram-sha-256
# IPv6 local connections:
host all all ::1/128 scram-sha-256
# Allow replication connections from localhost, by a user with the
# replication privilege.
local replication all peer
host replication all 127.0.0.1/32 scram-sha-256
host replication all ::1/128 scram-sha-256
# Allow connections from localhost with ubi_monitoring OS user as
# ubi_monitoring database user. This will be used by postgres_exporter
# to scrape metrics and expose them to prometheus.
local all ubi_monitoring peer
# Allow connections from private subnet with SCRAM authentication
#{private_subnets}
# Allow replication connection using special replication user for
# HA standbys
hostssl replication ubi_replication all cert map=standby2replication
# Allow connections from public internet with SCRAM authentication
host all all all scram-sha-256
PG_HBA
safe_write_to_file("/etc/postgresql/16/main/pg_hba.conf", pg_hba_entries)
identity = configure_hash["identity"]
pg_ident_entries = <<-PG_IDENT
# PostgreSQL User Name Maps
# =========================
#
# Refer to the PostgreSQL documentation, chapter "Client
# Authentication" for a complete description.
# MAPNAME SYSTEM-USERNAME PG-USERNAME
system2postgres postgres postgres
system2postgres ubi postgres
standby2replication #{identity} ubi_replication
PG_IDENT
safe_write_to_file("/etc/postgresql/16/main/pg_ident.conf", pg_ident_entries)
# Reload the postmaster to apply changes
r "pg_ctlcluster 16 main reload || pg_ctlcluster 16 main restart"
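The commit message describes the intended access policy (only the ubi_monitoring OS user reaches the database for scraping, prometheus never does, standbys replicate only with a client certificate), but pg_hba.conf applies the first record whose type, database, user and address all match, so the only way to be sure the file says what its comments say is to evaluate connection attempts against it. The following Ruby script is an added example, not part of the ubicloud repository: it parses the rules the heredoc above emits (with an assumed private subnet pair, 10.0.0.0/24 and fd00::/64, substituted for the private_subnets interpolation and a constructed header comment kept in) and reports which line and method would govern a given connection. It only handles the CIDR/"all" address form, exact or comma-separated user and database names, and the replication keyword; +group names, samehost/samenet and the separate-netmask form are not generated by this script and are not implemented.

```ruby
require "ipaddr"

# Constructed sample: the non-interpolated rules from the pg_hba.conf heredoc,
# with an assumed private subnet pair standing in for #{private_subnets}.
SAMPLE_PG_HBA = <<~HBA
  # TYPE DATABASE USER ADDRESS METHOD
  local all postgres peer map=system2postgres
  local all all peer
  host all all 127.0.0.1/32 scram-sha-256
  host all all ::1/128 scram-sha-256
  local replication all peer
  host replication all 127.0.0.1/32 scram-sha-256
  host replication all ::1/128 scram-sha-256
  local all ubi_monitoring peer
  host all all 10.0.0.0/24 scram-sha-256
  host all all fd00::/64 scram-sha-256
  hostssl replication ubi_replication all cert map=standby2replication
  host all all all scram-sha-256
HBA

Rule = Struct.new(:line, :type, :database, :user, :address, :method, :options)
# A connection attempt as the server classifies it; database is :replication
# for a physical replication request, which names no database at all.
Conn = Struct.new(:local, :ssl, :database, :user, :address, keyword_init: true)

# Parse records, skipping comments and blank lines; "local" records carry no
# address field. Only the CIDR or "all" address form is supported here.
def parse_pg_hba(text)
  text.each_line.with_index(1).filter_map do |raw, n|
    fields = raw.sub(/#.*/, "").split
    next if fields.empty?
    type, database, user = fields.shift(3)
    address = type == "local" ? nil : fields.shift
    Rule.new(n, type, database, user, address, fields.shift, fields)
  end
end

def type_matches?(rule, conn)
  case rule.type
  when "local" then conn.local
  when "host" then !conn.local
  when "hostssl" then !conn.local && conn.ssl
  when "hostnossl" then !conn.local && !conn.ssl
  else false
  end
end

# "replication" matches only physical replication requests; because those carry
# no database name, neither "all" nor a database name ever matches them.
def database_matches?(rule, conn)
  names = rule.database.split(",")
  if conn.database == :replication
    names.include?("replication")
  else
    names.any? { |d| d == "all" || d == conn.database }
  end
end

def user_matches?(rule, conn)
  rule.user.split(",").any? { |u| u == "all" || u == conn.user }
end

# IPAddr#include? returns false across address families, so an IPv6 record
# never matches an IPv4 client and vice versa.
def address_matches?(rule, conn)
  return true if rule.address.nil? || rule.address == "all"
  IPAddr.new(rule.address).include?(IPAddr.new(conn.address))
rescue IPAddr::Error
  false
end

# First-match semantics: the first record matching on every field decides.
def first_match(rules, conn)
  rules.find do |r|
    type_matches?(r, conn) && database_matches?(r, conn) &&
      user_matches?(r, conn) && address_matches?(r, conn)
  end
end

# Returns [line, method] of the governing record, or nil when no record
# matches and PostgreSQL rejects the connection outright.
def decide(text, **conn)
  r = first_match(parse_pg_hba(text), Conn.new(**conn))
  r && [r.line, r.method]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed attempts: the local ubi_monitoring connection is decided by
  # line 3 ("local all all peer"), so the dedicated ubi_monitoring record on
  # line 9 is never consulted; a non-TLS replication attempt matches nothing.
  [
    {local: true, ssl: false, database: "postgres", user: "ubi_monitoring", address: nil},
    {local: false, ssl: false, database: "postgres", user: "app", address: "10.0.0.5"},
    {local: false, ssl: false, database: "postgres", user: "app", address: "203.0.113.7"},
    {local: false, ssl: true, database: :replication, user: "ubi_replication", address: "203.0.113.7"},
    {local: false, ssl: false, database: :replication, user: "ubi_replication", address: "203.0.113.7"}
  ].each { |c| puts "#{c.inspect} => #{decide(SAMPLE_PG_HBA, **c).inspect}" }
end
```

Run against the sample, the local ubi_monitoring attempt is already accepted by the catch-all `local all all peer` record, which peer-authenticates any OS user as the database user of the same name; the explicit ubi_monitoring record documents intent but does not change the outcome. The same walk shows that a replication attempt without TLS falls through every record, including the public `host all all all` one, because `all` in the database column does not cover replication requests.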