From eb98aa1bacdd9c9e46526139be482c386a838268 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Tue, 12 May 2020 16:04:58 +0200 Subject: [PATCH] Clarify the firewall and client authentication rules --- site-cookbooks/kosmos-postgresql/README.md | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/site-cookbooks/kosmos-postgresql/README.md b/site-cookbooks/kosmos-postgresql/README.md index 76a2418..9d8bda5 100644 --- a/site-cookbooks/kosmos-postgresql/README.md +++ b/site-cookbooks/kosmos-postgresql/README.md @@ -36,6 +36,14 @@ to set up replication. #### Caveat [`firewall_rules`](https://github.com/chef-cookbooks/firewall/issues/134) and -[`postgresql_access`](https://github.com/sous-chefs/postgresql/issues/648) need -to be declared in recipes, not resources because of the way custom resources -work currently in Chef +[`postgresql_access`](https://github.com/sous-chefs/postgresql/issues/648) are +declared in recipes, not resources because of the way custom resources +work currently in Chef. See the `default.rb` and `replica.rb` recipes. + +The primary gives access to the `replication` db to the `replication` user +connecting from a replica, and replicas to the primary. For more information +about PostgreSQL client authentication, see the +[official docs](https://www.postgresql.org/docs/12/auth-pg-hba-conf.html) + +The primary opens up the PostgreSQL port (5432 TCP) to replicas, and replicas +to the primary.
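Review bot: In the added paragraph beginning "The primary gives access to the `replication` db", `replication` is described as a database, but in `pg_hba.conf` the word `replication` in the database column is a keyword that matches replication connections, not a database of that name. If that is what the `postgresql_access` entries declare, the README should say "replication connections" so nobody goes looking for a `replication` database. The trailing clause "and replicas to the primary", which appears in both the authentication and the firewall paragraphs, does not make clear which side is granting access to which, or why a replica has to accept connections from the primary. Writing out each direction as its own sentence, and stating the authentication method and the source address restriction that `default.rb` and `replica.rb` apply, would let a reader audit the rules from the README alone. Minor: the sentence ending with the official docs link is missing its final period, and "declared in recipes, not resources because" needs a comma after "resources".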