Latest commit: Basti 91ffe75bc1

Repository contents: `attributes/`, `libraries/`, `recipes/`, `resources/`, `.gitignore`, `Berksfile`, `CHANGELOG.md`, `LICENSE`, `README.md`, `chefignore`, `metadata.rb`
# kosmos_postgresql

## Usage

### On the primary:

Set the `postgresql_primary` role on the node.

### On the replica:

Add the `postgresql_replica` role to the node's run list and run Chef on the node once.

After that initial Chef run on the replica, run Chef on the primary to add the firewall rules and PostgreSQL access rules for the replica, then run Chef again on the replica to set up replication. The order matters: the replica cannot stream from the primary until the primary has opened the port and granted access.
## Caveat

`firewall_rules` and `postgresql_access` are declared in recipes, not in resources, because of the way custom resources currently work in Chef. See the `default.rb` and `replica.rb` recipes.

The primary grants the `replication` user access to the `replication` database when connecting from a replica, and each replica grants the same to the primary. (In `pg_hba.conf`, `replication` in the database column is the keyword that matches physical replication connections; it is not an ordinary database.) For more information about PostgreSQL client authentication, see the official PostgreSQL documentation on `pg_hba.conf`.

The primary opens the PostgreSQL port (5432/TCP) to the replicas, and the replicas open it to the primary.
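To make the access and firewall rules above concrete, here is an added Ruby example that is not part of the kosmos_postgresql cookbook: it renders the `pg_hba.conf` entries the primary and the replicas need, renders matching iptables rules for 5432/TCP, and lints a rule for the settings an operator must not accept (`trust`, `password`, a `0.0.0.0/0` source, plain `host` instead of `hostssl`, or `all` databases). The peer addresses are constructed sample values from the RFC 5737 test range; the real cookbook computes them in its recipes, and the exact rules it emits are not shown on this page.

```ruby
# Added example, not the cookbook's code. Renders and lints the pg_hba.conf
# and firewall rules described in the README. Addresses are constructed.
PRIMARY_ADDR  = "203.0.113.10/32".freeze                        # constructed
REPLICA_ADDRS = ["203.0.113.20/32", "203.0.113.21/32"].freeze   # constructed
PG_PORT = 5432

HbaRule = Struct.new(:type, :database, :user, :address, :method) do
  # One pg_hba.conf line: TYPE DATABASE USER ADDRESS METHOD
  def to_line
    format("%-8s %-12s %-12s %-18s %s", type, database, user, address, method)
  end
end

# Primary side: each replica may open a physical replication connection as
# the "replication" role, over TLS only, authenticated with SCRAM.
# "replication" in the database column is the pg_hba keyword for physical
# replication connections, not a real database.
def primary_hba_rules(replica_addrs = REPLICA_ADDRS)
  replica_addrs.map do |addr|
    HbaRule.new("hostssl", "replication", "replication", addr, "scram-sha-256")
  end
end

# Replica side: the mirror-image rule for the primary ("and replicas to the
# primary" in the README), so the roles can be swapped later.
def replica_hba_rules(primary_addr = PRIMARY_ADDR)
  [HbaRule.new("hostssl", "replication", "replication", primary_addr, "scram-sha-256")]
end

# Firewall side, in iptables form: open 5432/TCP only to the named peers.
def firewall_rules(peer_addrs)
  peer_addrs.map { |addr| "iptables -A INPUT -p tcp -s #{addr} --dport #{PG_PORT} -j ACCEPT" }
end

WEAK_METHODS = %w[trust password].freeze   # trust: no credential; password: cleartext
ANY_ADDR     = %w[0.0.0.0/0 ::/0 all].freeze

# Returns a list of findings; an acceptable rule yields an empty list.
def lint_hba_rule(rule)
  findings = []
  findings << "method #{rule.method} is weak" if WEAK_METHODS.include?(rule.method)
  findings << "address #{rule.address} allows replication from anywhere" if ANY_ADDR.include?(rule.address)
  findings << "type host permits non-TLS connections; use hostssl" if rule.type == "host"
  findings << "database all is broader than replication" if rule.database == "all"
  findings
end

def lint_hba_rules(rules)
  rules.flat_map { |r| lint_hba_rule(r).map { |f| "#{r.to_line}: #{f}" } }
end

if __FILE__ == $PROGRAM_NAME
  puts "# primary pg_hba.conf"
  primary_hba_rules.each { |r| puts r.to_line }
  puts "# primary firewall"
  puts firewall_rules(REPLICA_ADDRS)
  puts "# findings for a deliberately weak rule"
  puts lint_hba_rules([HbaRule.new("host", "all", "replication", "0.0.0.0/0", "trust")])
end
```

The linter is the part worth keeping around: a replication rule that passes it is pinned to one peer address, one role, the `replication` keyword, TLS and SCRAM, which is exactly the shape the README describes.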
## TLS self-signed certificate

A wildcard (`*.kosmos.org`) certificate was generated with the following commands:

```sh
# Self-signed root: unencrypted key (-nodes), 10-year CA certificate with the
# v3_ca extensions from the system openssl.cnf.
openssl req -new -nodes -text -out root.csr -keyout root.key \
  -subj "/CN=root.kosmos.org"
chmod og-rwx root.key
openssl x509 -req -in root.csr -text -days 3650 \
  -extfile /etc/ssl/openssl.cnf -extensions v3_ca \
  -signkey root.key -out root.crt

# Wildcard server certificate, 5 years, signed by the root.
openssl req -new -nodes -text -out server.csr \
  -keyout server.key -subj "/CN=*.kosmos.org"
chmod og-rwx server.key
openssl x509 -req -in server.csr -text -days 1825 \
  -CA root.crt -CAkey root.key -CAcreateserial \
  -out server.crt
```

It is valid until May 12 2025.

Note that the server step passes no `-extfile`, so `server.crt` carries no subjectAltName and is identified by its CN alone. libpq with `sslmode=verify-full` falls back to the CN when a certificate has no SAN, so `db1.kosmos.org` style hostnames verify, but clients that check only the SAN will reject it; add a `subjectAltName` when the certificate is renewed.

The contents of `server.crt`, `server.key` and `root.crt` are stored in the `postgresql` encrypted data bag. The root key (`root.key`) is stored in LastPass ("Self-signed TLS root certificate"). `server.crt` and `server.key` are used by the PostgreSQL server.
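The checks an operator wants before the next renewal (does `server.crt` chain to `root.crt`, how long is it valid, and which hostnames a `verify-full` client will actually accept for a CN-only wildcard) can be scripted with Ruby's OpenSSL bindings. The following is an added example and not the cookbook's code: it rebuilds the README's two-step chain in memory with the same names and lifetimes (fresh throwaway keys, never the real `root.key`), then runs those checks. The `sans:` parameter is an addition so the CN-only certificate from the README can be compared with one that carries a subjectAltName.

```ruby
require "openssl"

# Added example (not the cookbook's code): rebuilds the README's self-signed
# root + wildcard server certificate chain and checks it. Keys are throwaway.
ROOT_CN     = "root.kosmos.org"
SERVER_CN   = "*.kosmos.org"
ROOT_DAYS   = 3650
SERVER_DAYS = 1825

def build_cert(cn:, key:, days:, ca:, issuer: nil, issuer_key: nil, sans: [])
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                                  # X.509 v3 (zero-based)
  cert.serial = OpenSSL::BN.rand(64)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = cert.not_before + days * 86_400

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  if ca
    # Equivalent of "-extensions v3_ca" in the README's root step.
    cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
    cert.add_extension(ef.create_extension("keyUsage", "keyCertSign,cRLSign", true))
  else
    cert.add_extension(ef.create_extension("basicConstraints", "CA:FALSE", true))
    cert.add_extension(ef.create_extension("keyUsage", "digitalSignature,keyEncipherment", true))
    cert.add_extension(ef.create_extension("extendedKeyUsage", "serverAuth", false))
    # The README's server step has no -extfile, so the real server.crt has no
    # subjectAltName; sans: [] (the default) reproduces that.
    unless sans.empty?
      cert.add_extension(ef.create_extension("subjectAltName", sans.map { |s| "DNS:#{s}" }.join(","), false))
    end
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

def build_chain(sans: [])
  root_key = OpenSSL::PKey::RSA.new(2048)
  root = build_cert(cn: ROOT_CN, key: root_key, days: ROOT_DAYS, ca: true)
  server_key = OpenSSL::PKey::RSA.new(2048)
  server = build_cert(cn: SERVER_CN, key: server_key, days: SERVER_DAYS, ca: false,
                      issuer: root, issuer_key: root_key, sans: sans)
  { root: root, server: server, server_key: server_key }
end

# Check 1: the same thing as "openssl verify -CAfile root.crt server.crt".
def chain_valid?(root, server)
  store = OpenSSL::X509::Store.new
  store.add_cert(root)
  store.verify(server)
end

# Check 2: lifetime in days, to confirm the "valid until" line in the README.
def lifetime_days(cert)
  ((cert.not_after - cert.not_before) / 86_400).round
end

# Check 3: hostnames a verify-full client accepts. Ruby's
# verify_certificate_identity, like libpq, consults the CN only when the
# certificate carries no DNS subjectAltName.
def accepted_hostnames(cert, candidates)
  candidates.select { |h| OpenSSL::SSL.verify_certificate_identity(cert, h) }
end

# Check 4: server.key really belongs to server.crt before both go in the data bag.
def server_key_matches?(cert, key)
  cert.check_private_key(key)
end

if __FILE__ == $PROGRAM_NAME
  chain = build_chain
  puts "chain valid:   #{chain_valid?(chain[:root], chain[:server])}"
  puts "lifetime days: #{lifetime_days(chain[:server])}"
  hosts = %w[db1.kosmos.org kosmos.org a.b.kosmos.org]
  puts "accepted:      #{accepted_hostnames(chain[:server], hosts).inspect}"
end
```

Two things the run makes visible: the wildcard matches exactly one label (`db1.kosmos.org` yes, `kosmos.org` and `a.b.kosmos.org` no), and once a certificate carries a DNS subjectAltName the CN is ignored, so a renewed certificate must list every hostname in its SAN.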