2019-01-09 17:26:50 +00:00
# kosmos-postgresql

## Usage

### On the primary:

Add the `postgresql_primary` role to the node's run list and run Chef on the node.

### On the replica:

Add the `postgresql_replica` role to the node's run list. Run Chef on the node
a first time.

After the initial Chef run on the replica, run Chef on the primary to add the
firewall rules and PostgreSQL access rules, then run Chef again on the replica
to set up replication.

## Caveat

[`firewall_rules`](https://github.com/chef-cookbooks/firewall/issues/134) and
[`postgresql_access`](https://github.com/sous-chefs/postgresql/issues/648) are
declared in recipes, not in custom resources, because of the way custom
resources currently work in Chef (see the linked issues). See the `default.rb`
and `replica.rb` recipes.

The primary grants the `replication` user access to the `replication`
pseudo-database (the `pg_hba.conf` keyword that matches physical replication
connections, which carry no database name) when it connects from a replica,
and replicas grant the same access to the primary. For more information about
PostgreSQL client authentication, see the
[official docs](https://www.postgresql.org/docs/12/auth-pg-hba-conf.html).

The primary opens up the PostgreSQL port (5432 TCP) to replicas, and replicas
to the primary.
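The `pg_hba.conf` rule the primary needs for a replica, next to the weaker variants to watch for, as an added example in Ruby (the cookbook's own language). This is not code from the cookbook: the sample entries and the replica address `10.0.0.2/32` are constructed for illustration, and the checker only understands the common `TYPE DATABASE USER ADDRESS METHOD` record form (no separate netmask column; hostnames and keywords such as `all` are reported for manual review).

```ruby
require 'ipaddr'

# Constructed sample pg_hba.conf (not the cookbook's): the second entry is what
# a hurried setup often ends up with, the third is what the primary should
# carry for a single replica at 10.0.0.2.
SAMPLE_PG_HBA = <<~HBA
  # TYPE  DATABASE     USER         ADDRESS          METHOD
  local   all          all                           peer
  host    replication  replication  0.0.0.0/0        trust          # weak
  hostssl replication  replication  10.0.0.2/32      scram-sha-256  # intended
HBA

# Methods that either authenticate nothing (trust) or send a reusable secret in
# clear text (password).
WEAK_METHODS = %w[trust password].freeze

HbaEntry = Struct.new(:type, :database, :user, :address, :method, :raw)

# Parse pg_hba.conf records. "local" records have no ADDRESS column; comment
# and blank lines are skipped.
def parse_pg_hba(text)
  text.each_line.map do |line|
    fields = line.sub(/#.*/, '').split
    next if fields.empty?
    if fields[0] == 'local'
      HbaEntry.new(fields[0], fields[1], fields[2], nil, fields[3], line.strip)
    else
      HbaEntry.new(fields[0], fields[1], fields[2], fields[3], fields[4], line.strip)
    end
  end.compact
end

# Audit every entry that matches physical replication connections against the
# one replica address that should be allowed. Returns a list of findings; an
# empty list means each replication entry is TLS-only, scoped to the replica
# and uses a real authentication method.
def audit_replication_entries(entries, replica_cidr)
  replica = IPAddr.new(replica_cidr)
  entries.select { |e| e.database == 'replication' }.flat_map do |e|
    findings = []
    if WEAK_METHODS.include?(e.method)
      findings << "#{e.raw}: method #{e.method} does not authenticate the replica"
    end
    if %w[host hostnossl].include?(e.type)
      findings << "#{e.raw}: type #{e.type} accepts non-TLS connections; use hostssl"
    end
    if e.address
      begin
        range = IPAddr.new(e.address)
        if !range.include?(replica)
          findings << "#{e.raw}: #{e.address} does not cover the replica #{replica_cidr}"
        elsif range.prefix < replica.prefix
          findings << "#{e.raw}: #{e.address} is wider than the replica #{replica_cidr}"
        end
      rescue IPAddr::Error
        findings << "#{e.raw}: address #{e.address} is a keyword or hostname; review by hand"
      end
    end
    findings
  end
end

if __FILE__ == $PROGRAM_NAME
  audit_replication_entries(parse_pg_hba(SAMPLE_PG_HBA), '10.0.0.2/32').each { |f| puts f }
end
```

Run against the sample, the `host ... 0.0.0.0/0 trust` line produces three findings (no authentication, plaintext allowed, any source address) and the `hostssl ... 10.0.0.2/32 scram-sha-256` line produces none; point it at `/etc/postgresql/12/main/pg_hba.conf` on the primary after the second Chef run to confirm what the cookbook wrote.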
|
2020-05-13 17:10:14 +00:00
|
|
|
|
|
|
|
## TLS self-signed certificate

A wildcard certificate (`*.kosmos.org`) was generated with the following
commands:

```
# Self-signed root CA, valid for 10 years. The CA extensions (basicConstraints
# CA:TRUE etc.) come from the v3_ca section of the system openssl.cnf. -nodes
# leaves the private key unencrypted, hence the chmod right after.
openssl req -new -nodes -text -out root.csr -keyout root.key \
  -subj "/CN=root.kosmos.org"
chmod og-rwx root.key
openssl x509 -req -in root.csr -text -days 3650 \
  -extfile /etc/ssl/openssl.cnf -extensions v3_ca \
  -signkey root.key -out root.crt

# Wildcard server certificate, valid for 5 years, signed by the root above.
# Its subject carries only a CN and no subjectAltName: clients that no longer
# fall back to the CN (browsers, for instance) will reject it, while libpq
# still matches the CN when the certificate has no SAN.
openssl req -new -nodes -text -out server.csr \
  -keyout server.key -subj "/CN=*.kosmos.org"
chmod og-rwx server.key
openssl x509 -req -in server.csr -text -days 1825 \
  -CA root.crt -CAkey root.key -CAcreateserial \
  -out server.crt
```
The server certificate is valid until May 12 2025 (1825 days from issuance);
check with `openssl x509 -noout -enddate -in server.crt`.

The contents of `server.crt`, `server.key` and `root.crt` are stored in the
`postgresql` encrypted data bag. The root key is stored in LastPass
("Self-signed TLS root certificate"). `server.crt` and `server.key` are used by
the PostgreSQL server; `root.crt` is the CA certificate a client passes as
`sslrootcert` to verify it.
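A check of what the certificates above actually let a client verify, as an added Ruby example (not part of the cookbook). It builds a root and a wildcard server certificate of the same shape in memory (CN-only subjects, no subjectAltName, CA extensions on the root only, throwaway keys), verifies the chain the way a libpq client with `sslmode=verify-full` and `sslrootcert=root.crt` does, and shows which host names the wildcard covers. The host names tested (`db1.kosmos.org` and the others) are assumptions.

```ruby
require 'openssl'

# Build a self-signed root CA and a root-signed wildcard server certificate of
# the same shape as the openssl commands above produce: CN-only subjects, no
# subjectAltName, CA extensions on the root only. Keys are throwaway.
def issue_certs(wildcard: '*.kosmos.org', root_days: 3650, server_days: 1825, now: Time.now)
  now = Time.at(now.to_i) # X.509 validity times have second granularity
  root_key = OpenSSL::PKey::RSA.new(2048)
  root = OpenSSL::X509::Certificate.new
  root.version = 2
  root.serial = 1
  root.subject = OpenSSL::X509::Name.parse('/CN=root.kosmos.org')
  root.issuer = root.subject
  root.public_key = root_key.public_key
  root.not_before = now
  root.not_after = now + root_days * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = root
  ef.issuer_certificate = root
  root.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  root.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  root.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash'))
  root.sign(root_key, OpenSSL::Digest.new('SHA256'))

  server_key = OpenSSL::PKey::RSA.new(2048)
  server = OpenSSL::X509::Certificate.new
  server.version = 2
  server.serial = 2
  server.subject = OpenSSL::X509::Name.parse("/CN=#{wildcard}")
  server.issuer = root.subject
  server.public_key = server_key.public_key
  server.not_before = now
  server.not_after = now + server_days * 86_400
  server.sign(root_key, OpenSSL::Digest.new('SHA256'))

  { root: root, server: server, root_key: root_key, server_key: server_key }
end

# Chain check with root.crt as the only trust anchor, which is what
# sslrootcert=root.crt gives a libpq client.
def chain_ok?(root, server, now: Time.now)
  store = OpenSSL::X509::Store.new
  store.add_cert(root)
  store.time = now
  store.verify(server)
end

# Host-name check, RFC 6125 style: SAN dNSName entries first, the CN only when
# the certificate has none (the same fallback libpq applies). "*.kosmos.org"
# covers exactly one label: db1.kosmos.org matches, kosmos.org and
# a.b.kosmos.org do not.
def name_matches?(server, hostname)
  OpenSSL::SSL.verify_certificate_identity(server, hostname)
end

def days_until_expiry(cert, now: Time.now)
  (cert.not_after.to_i - now.to_i) / 86_400
end

if __FILE__ == $PROGRAM_NAME
  certs = issue_certs
  puts "chain ok:        #{chain_ok?(certs[:root], certs[:server])}"
  %w[db1.kosmos.org kosmos.org a.b.kosmos.org].each do |h|
    puts "#{h.ljust(16)} #{name_matches?(certs[:server], h)}"
  end
  puts "server expires in #{days_until_expiry(certs[:server])} days"
end
```

Issuing with `now: Time.utc(2020, 5, 13)` reproduces the May 12 2025 expiry stated above, and a server certificate signed by a different root fails `chain_ok?`, which is the failure a client sees when the data bag's `root.crt` and `server.crt` get out of step.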