kosmos/chef
kosmos/chef
8
3
Fork 0
Code Issues 30 Pull Requests 3 Projects 2 Activity
chef/site-cookbooks/kosmos-postgresql
History

README.md

kosmos-postgresql

Custom resources

postgresql_custom_server

Usage:

(node['fqdn'], for example andromeda.kosmos.org) is generated using Let's Encrypt and copied to the PostgreSQL data directory and added to the postgresql.conf file

On the primary:

postgresql_custom_server "12" do
  role "primary"
end

On a replica:

postgresql_custom_server "12" do
  role "replica"
end

After the initial Chef run on the replica, run Chef on the primary to add the firewall rules and PostgreSQL access rules, then run Chef again on the replica to set up replication.

Caveat

firewall_rules and postgresql_access are declared in recipes, not resources because of the way custom resources work currently in Chef. See the default.rb and replica.rb recipes.

The primary gives access to the replication db to the replication user connecting from a replica, and replicas to the primary. For more information about PostgreSQL client authentication, see the official docs

The primary opens up the PostgreSQL port (5432 TCP) to replicas, and replicas to the primary.

TLS self-signed certificate

A wildcard (*.kosmos.org certificate) was generated with the following commands:

openssl req -new -nodes -text -out root.csr -keyout root.key \
  -subj "/CN=root.kosmos.org"
chmod og-rwx root.key
openssl x509 -req -in root.csr -text -days 3650 \
  -extfile /etc/ssl/openssl.cnf -extensions v3_ca \
  -signkey root.key -out root.crt
openssl req -new -nodes -text -out server.csr \
  -keyout server.key -subj "/CN=*.kosmos.org"
chmod og-rwx server.key
openssl x509 -req -in server.csr -text -days 1825 \
  -CA root.crt -CAkey root.key -CAcreateserial \
  -out server.crt

It is valid until May 12 2025.

The content of server.crt, server.key and root.crt an stored in the postgresql encrypted data bag. The root key is stored in LastPass ("Self-signed TLS root certificate"). server.crt & server.key are used by the PostgreSQL server.

The root certificate needs to be deployed to clients so they verify the cert can be trusted.

For example:

postgresql_data_bag_item = data_bag_item('credentials', 'postgresql')
root_cert_path = "/etc/ssl/certs/root.kosmos.org.crt"
file root_cert_path do
  content postgresql_data_bag_item['ssl_root_cert']
  mode "0644"
end

/etc/ssl/certs/root.kosmos.org.crt can be used as the CA root cert path in the client's configuration