kosmos/chef
kosmos
/
chef
8
3
Fork 0
Code Issues 37 Pull Requests 1 Projects 1 Activity

Add PostgreSQL primary support to the kosmos-ejabberd cookbook #181

Merged
greg merged 6 commits from feature/180-ejabberd_pg_primary into master 2020-06-19 14:46:52 +00:00
Conversation 8 Commits 6 Files Changed 8 +103 -46
greg commented 2020-06-10 16:45:44 +00:00
Owner
Copy Link
  • Move the PostgreSQL user and database creation to a pg_db recipe
  • Generate access rights for the ejabberd servers in the pg_db recipe
  • Connect to the PostgreSQL primary instead of localhost

Refs #180

* Move the PostgreSQL user and database creation to a `pg_db` recipe * Generate access rights for the ejabberd servers in the `pg_db` recipe * Connect to the PostgreSQL primary instead of localhost Refs #180
greg self-assigned this 2020-06-10 16:45:44 +00:00
raucao commented 2020-06-11 09:52:55 +00:00
Owner
Copy Link

I find it rather complicated that we should specifically allow PostgreSQL access per app and database, instead of allowing our own servers to connect to the primary by default. Why wouldn't a replica be allowed to connect to the primary just because it's a replica? It does that for replication anyway, and thus should needs access to all databases in the first place.

The fact that configuring simple database access requires an entire recipe should ring some alarm bells in my opinion.

I find it rather complicated that we should specifically allow PostgreSQL access per app and database, instead of allowing our own servers to connect to the primary by default. Why wouldn't a replica be allowed to connect to the primary just because it's a replica? It does that for replication anyway, and thus should needs access to all databases in the first place. The fact that configuring simple database access requires an entire recipe should ring some alarm bells in my opinion.
greg commented 2020-06-11 14:27:11 +00:00
Author
Owner
Copy Link

Replication is a special right, this is defined here for replicas: 81403b7cb9/site-cookbooks/kosmos-postgresql/recipes/default.rb (L48-L55).

A server connecting to the PostgreSQL primary as a client is not necessarily a replica, but as you said it could be done for all databases at once. I had the idea of definining each database as we need a recipe anyway to create the postgreSQL user and database for each service. Allowing access to all databases for a server could be done as part of the primary recipe, however it means the list of all services that use PostgreSQL would live there instead of the recipe for the service. I'm not opposed to doing that, I just thought doing it per database was clearer.

Replication is a special right, this is defined here for replicas: https://gitea.kosmos.org/kosmos/chef/src/commit/81403b7cb9858c48cc9262d4b79f1a63f5766016/site-cookbooks/kosmos-postgresql/recipes/default.rb#L48-L55. A server connecting to the PostgreSQL primary as a client is not necessarily a replica, but as you said it could be done for all databases at once. I had the idea of definining each database as we need a recipe anyway to create the postgreSQL user and database for each service. Allowing access to all databases for a server could be done as part of the primary recipe, however it means the list of all services that use PostgreSQL would live there instead of the recipe for the service. I'm not opposed to doing that, I just thought doing it per database was clearer.
raucao commented 2020-06-11 15:01:54 +00:00
Owner
Copy Link

I didn't mean replication per se, but all Hetzner machines would definitely be replicas for now anyway.

I mean that any of our Hetzner machines should be able to connect to the Posgtgres server in the first place. The actual authentication is then the username/password for the database, and doesn't require whitelisting the host per database.

I didn't mean replication per se, but all Hetzner machines would definitely be replicas for now anyway. I mean that any of our Hetzner machines should be able to connect to the Posgtgres server in the first place. The actual authentication is then the username/password for the database, and doesn't require whitelisting the host per database.
greg commented 2020-06-11 15:30:04 +00:00
Author
Owner
Copy Link

I'm going to look into it, there has to be a way that looks good in Chef code. Not having to run Chef again on the primary every time we add a new service will be useful

I'm going to look into it, there has to be a way that looks good in Chef code. Not having to run Chef again on the primary every time we add a new service will be useful
raucao commented 2020-06-11 15:42:13 +00:00
Owner
Copy Link

It's not about looking good, it's about adding unnecessary complexities and code.

It's not about looking good, it's about adding unnecessary complexities and code.
greg commented 2020-06-11 16:22:21 +00:00
Author
Owner
Copy Link

Pushed 6f696d7, what do you think?

Pushed 6f696d7, what do you think?
raucao commented 2020-06-11 17:02:11 +00:00
Owner
Copy Link

At least it's half the LOC. Looks much better to me.

However, I don't quite understand why it still has to be searching for every single app. Isn't there an easier way to know that a machine has roles/attributes that require postgres access? If it's not bound to the application, then it can never be out of sync.

At least it's half the LOC. Looks much better to me. However, I don't quite understand why it still has to be searching for every single app. Isn't there an easier way to know that a machine has roles/attributes that require postgres access? If it's not bound to the application, then it can never be out of sync.
greg commented 2020-06-12 14:58:11 +00:00
Author
Owner
Copy Link

However, I don't quite understand why it still has to be searching for every single app. Isn't there an easier way to know that a machine has roles/attributes that require postgres access? If it's not bound to the application, then it can never be out of sync.

I have found a better way. See ee9c241a4d, I have added a postgresql_client role

> However, I don't quite understand why it still has to be searching for every single app. Isn't there an easier way to know that a machine has roles/attributes that require postgres access? If it's not bound to the application, then it can never be out of sync. I have found a better way. See ee9c241a4d, I have added a `postgresql_client` role
👍 1
raucao approved these changes 2020-06-12 15:27:12 +00:00
raucao left a comment
Owner
Copy Link

LGTM now. 👍

LGTM now. :+1:
greg closed this pull request 2020-06-19 14:46:52 +00:00
greg deleted branch feature/180-ejabberd_pg_primary 2020-06-19 14:46:59 +00:00
Sign in to join this conversation.
Reviewers
No reviewers
Labels
Clear labels   
service
accounts
Kosmos Accounts

  
service
discourse
Kosmos Community Forums

  
service
drone-ci
Kosmos Drone CI

  
service
email
mail.kosmos.org

  
service
garage
S3-compatible object storage

  
service
gitea
Kosmos Gitea

  
service
ipfs
Kosmos IPFS

  
service
mastodon
kosmos.social

  
service
postgres
Database cluster

  
service
remotestorage
Portable data storage for the Web

  
service
wiki
Kosmos Wiki

  
service
xmpp
Kosmos Chat

  
bug

Something is not working

  
design

Graphic/visual design

  
dev environment

Config, builds, CI, deployment, etc.

  
docs

Documentation

  
duplicate

This issue or pull request already exists

  
enhancement

Improving existing functionality

  
feature

New functionality

  
good first issue

Dive in, and start contributing

  
idea

Something to consider

  
invalid

Not a bug

  
kredits-1

Small contribution

  
kredits-2

Medium contribution

  
kredits-3

Large contribution

  
on hold

Currently not actionable

  
ops

Manual IT ops activities

  
question

Looking for an answer

  
release
major

  
release
minor

  
release
patch

  
security

All your base are belong to us

  
ui/ux

User interface, process design, etc.

  
wontfix

This won't be fixed

No Label
service
accounts
service
discourse
service
drone-ci
service
email
service
garage
service
gitea
service
ipfs
service
mastodon
service
postgres
service
remotestorage
service
wiki
service
xmpp
bug
design
dev environment
docs
duplicate
enhancement
feature
good first issue
idea
invalid
kredits-1
kredits-2
kredits-3
on hold
ops
question
release
major
release
minor
release
patch
security
ui/ux
wontfix
Milestone
Clear milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
No Assignees
greg
2 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: kosmos/chef#181
No description provided.
Delete Branch "feature/180-ejabberd_pg_primary"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?