From 254f9020ae12b4c9ebd4ec3118174c17fd7b6f04 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?=
Date: Tue, 12 May 2020 12:10:10 +0200
Subject: [PATCH] Enable firewall rules to allow primary/replica to connect
---
 .../kosmos-postgresql/recipes/default.rb | 14 ++++++-
 .../kosmos-postgresql/recipes/firewall.rb | 40 -------------------
 .../kosmos-postgresql/recipes/replica.rb | 14 ++++++-
 3 files changed, 26 insertions(+), 42 deletions(-)
 delete mode 100644 site-cookbooks/kosmos-postgresql/recipes/firewall.rb
diff --git a/site-cookbooks/kosmos-postgresql/recipes/default.rb b/site-cookbooks/kosmos-postgresql/recipes/default.rb
index 2b8e09b..eb63826 100644
--- a/site-cookbooks/kosmos-postgresql/recipes/default.rb
+++ b/site-cookbooks/kosmos-postgresql/recipes/default.rb
@@ -61,6 +61,18 @@ postgresql_replicas.each do |replica|
 # resource was already up to date
 notifies :reload, "service[#{postgresql_service}]", :immediately
 end
+
+ unless node.chef_environment == "development"
+ include_recipe "firewall"
+
+ firewall_rule "postgresql" do
+ port 5432
+ protocol :tcp
+ command :allow
+ destination replica[:ipaddress]
+ end
+ end
 end
-include_recipe "kosmos-postgresql::firewall"
+# TODO: We need to set up firewall rules and access rules for clients too
+# (Mastodon, ejabberd, etc)
diff --git a/site-cookbooks/kosmos-postgresql/recipes/firewall.rb b/site-cookbooks/kosmos-postgresql/recipes/firewall.rb
deleted file mode 100644
index e2471cc..0000000
--- a/site-cookbooks/kosmos-postgresql/recipes/firewall.rb
+++ /dev/null
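Review bot: The `destination replica[:ipaddress]` property in the new `firewall_rule` selects the destination address of the packet, not the peer allowed to connect; in the firewall cookbook the connecting host is restricted with `source`, so on the primary this rule is unlikely to match inbound replica traffic addressed to the primary itself, and the line should read `source replica[:ipaddress]`. The replica.rb hunk has the same problem with `destination primary[:ipaddress]`. Moving `include_recipe "firewall"` inside `postgresql_replicas.each` also means this cookbook no longer loads the firewall cookbook (and whatever default policy it applies) on a primary with no replicas, which the deleted firewall recipe did unconditionally outside development; if nothing else includes it, hoist the `include_recipe` above the loop. With more than one replica every rule is named `"postgresql"`; naming it `"postgresql-#{replica[:ipaddress]}"` keeps converge output and notifications unambiguous.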
@@ -1,40 +0,0 @@
-#
-# Cookbook:: kosmos-postgresql
-# Recipe:: firewall
-#
-# The MIT License (MIT)
-#
-# Copyright:: 2019, Kosmos Developers
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in
-# all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-# THE SOFTWARE.
-
-# FIXME: The firewall recipe do not work in the custom resource, so the code
-# lives here for now. The issue is described here, but I think messing with the
-# run context is confusing:
-#
-# https://github.com/chef-cookbooks/firewall/issues/134
-unless node.chef_environment == "development"
- include_recipe "firewall"
-
- firewall_rule "postgresql" do
- port 5432
- protocol :tcp
- command :allow
- end
-end
diff --git a/site-cookbooks/kosmos-postgresql/recipes/replica.rb b/site-cookbooks/kosmos-postgresql/recipes/replica.rb
index 9cc1740..82eb4bf 100644
--- a/site-cookbooks/kosmos-postgresql/recipes/replica.rb
+++ b/site-cookbooks/kosmos-postgresql/recipes/replica.rb
@@ -71,6 +71,18 @@ systemctl start #{postgresql_service}
 # On the next Chef run the replica will be set up
 node.normal['kosmos-postgresql']['ready_to_set_up_replica'] = true
+
+ unless node.chef_environment == "development"
+ include_recipe "firewall"
+
+ firewall_rule "postgresql" do
+ port 5432
+ protocol :tcp
+ command :allow
+ destination primary[:ipaddress]
+ end
+ end
 end
-include_recipe "kosmos-postgresql::firewall"
+# TODO: We need to set up firewall rules and access rules for clients too
+# (Mastodon, ejabberd, etc)
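Review bot: The rule added here opens port 5432 on the replica towards the primary, but with streaming replication the replica initiates the connection to the primary, so unless the primary (or a failover procedure) actually connects back, this rule exposes a port nothing needs to reach; either state the reason in a comment such as `# Allow the primary to reach this replica for <reason>` above the `unless`, or drop the block. Whether `destination primary[:ipaddress]` selects the intended peer at all is raised on the default.rb hunk and applies here too. The block that the context line `end` closes starts outside the hunk, so it is not visible from here under which condition this rule is converged; a one-line comment saying when it runs would help the next reader.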