Basti
91ffe75bc1
|
||
|---|---|---|
| .. | ||
| attributes | ||
| libraries | ||
| recipes | ||
| resources | ||
| .gitignore | ||
| Berksfile | ||
| CHANGELOG.md | ||
| LICENSE | ||
| README.md | ||
| chefignore | ||
| metadata.rb | ||
README.md
kosmos_postgresql
Usage
On the primary:
Set the postgresql_primary role on the node
On the replica:
Add the postgresql_replica role to the node's run list. Run Chef on the node
a first time.
After the initial Chef run on the replica, run Chef on the primary to add the
firewall rules and PostgreSQL access rules, then run Chef again on the replica
to set up replication.
Caveat
firewall_rules and
postgresql_access are
declared in recipes, not resources because of the way custom resources
work currently in Chef. See the default.rb and replica.rb recipes.
The primary gives access to the replication db to the replication user
connecting from a replica, and replicas to the primary. For more information
about PostgreSQL client authentication, see the
official docs
The primary opens up the PostgreSQL port (5432 TCP) to replicas, and replicas to the primary.
TLS self-signed certificate
A wildcard (*.kosmos.org certificate) was generated with the following
commands:
openssl req -new -nodes -text -out root.csr -keyout root.key \
-subj "/CN=root.kosmos.org"
chmod og-rwx root.key
openssl x509 -req -in root.csr -text -days 3650 \
-extfile /etc/ssl/openssl.cnf -extensions v3_ca \
-signkey root.key -out root.crt
openssl req -new -nodes -text -out server.csr \
-keyout server.key -subj "/CN=*.kosmos.org"
chmod og-rwx server.key
openssl x509 -req -in server.csr -text -days 1825 \
-CA root.crt -CAkey root.key -CAcreateserial \
-out server.crt
It is valid until May 12 2025.
The content of server.crt, server.key and root.crt an stored in the
postgresql encrypted data bag. The root key is stored in LastPass
("Self-signed TLS root certificate"). server.crt & server.key are used by
the PostgreSQL server.