diff --git a/consul/config/service-intentions/postgres.hcl b/consul/config/service-intentions/postgres.hcl
index e4f7ae0..4939e8b 100644
--- a/consul/config/service-intentions/postgres.hcl
+++ b/consul/config/service-intentions/postgres.hcl
@@ -1,8 +1,8 @@
 Kind = "service-intentions"
-Name = "[[ .pg.instance ]][[ .consul.suffix ]]"
+Name = "[[ .instance ]][[ .consul.suffix ]]"
 Sources = [
 {
- Name = "[[ .pg.instance ]]-manage[[ .consul.suffix ]]"
+ Name = "[[ .instance ]]-manage[[ .consul.suffix ]]"
 Action = "allow"
 },
 {
diff --git a/consul/config/service-resolver/postgres-master.hcl b/consul/config/service-resolver/postgres-master.hcl
index 83452f0..1088543 100644
--- a/consul/config/service-resolver/postgres-master.hcl
+++ b/consul/config/service-resolver/postgres-master.hcl
@@ -1,6 +1,6 @@
 Kind = "service-resolver"
-Name = "[[ .pg.instance ]]-master[[ .consul.suffix ]]"
+Name = "[[ .instance ]]-master[[ .consul.suffix ]]"
 Redirect {
- Service = "[[ .pg.instance ]][[ .consul.suffix ]]"
+ Service = "[[ .instance ]][[ .consul.suffix ]]"
 ServiceSubset = "master"
 }
diff --git a/consul/config/service-resolver/postgres-replica.hcl b/consul/config/service-resolver/postgres-replica.hcl
index 2d44fce..2ee17f3 100644
--- a/consul/config/service-resolver/postgres-replica.hcl
+++ b/consul/config/service-resolver/postgres-replica.hcl
@@ -1,6 +1,6 @@
 Kind = "service-resolver"
-Name = "[[ .pg.instance ]]-replica[[ .consul.suffix ]]"
+Name = "[[ .instance ]]-replica[[ .consul.suffix ]]"
 Redirect {
- Service = "[[ .pg.instance ]][[ .consul.suffix ]]"
+ Service = "[[ .instance ]][[ .consul.suffix ]]"
 ServiceSubset = "replica"
 }
diff --git a/consul/config/service-resolver/postgres.hcl b/consul/config/service-resolver/postgres.hcl
index c48b07c..bfeaabe 100644
--- a/consul/config/service-resolver/postgres.hcl
+++ b/consul/config/service-resolver/postgres.hcl
@@ -1,5 +1,5 @@
 Kind = "service-resolver"
-Name = "[[ .pg.instance ]][[ .consul.suffix ]]"
+Name = "[[ .instance ]][[ .consul.suffix ]]"
 DefaultSubset = "master"
 Subsets = {
 "master" = {
diff --git a/consul/policies/postgres.hcl b/consul/policies/postgres.hcl
index 72888c6..ebe3887 100644
--- a/consul/policies/postgres.hcl
+++ b/consul/policies/postgres.hcl
@@ -1,13 +1,13 @@
 node_prefix "" {
 policy = "read"
 }
-service "[[ .pg.instance ]]" {
+service "[[ .instance ]]" {
 policy = "write"
 }
-service "[[ .pg.instance ]]-sidecar-proxy" {
+service "[[ .instance ]]-sidecar-proxy" {
 policy = "write"
 }
-key_prefix "[[ .consul.prefix ]]service/[[ .pg.instance ]]" {
+key_prefix "[[ .consul.prefix ]]service/[[ .instance ]]" {
 policy = "write"
 }
 session_prefix "" {
diff --git a/init/consul b/init/consul
index 04d39fb..0f9ff33 100755
--- a/init/consul
+++ b/init/consul
@@ -1,4 +1,4 @@
 #!/bin/sh
 # vim: syntax=sh
-vault write [[ .vault.prefix ]]consul/roles/[[ .pg.instance ]] ttl=720h max_ttl=720h consul_policies="[[ .pg.instance ]]"
+vault write [[ .vault.prefix ]]consul/roles/[[ .instance ]] ttl=720h max_ttl=720h consul_policies="[[ .instance ]]"
diff --git a/init/passwords b/init/passwords
index f0474cf..c639f5a 100755
--- a/init/passwords
+++ b/init/passwords
@@ -1,11 +1,11 @@
 #!/bin/sh
 for USER in pg monitor replicator rewind api vault_initial; do
- vault kv get -field ${USER}_pwd [[ .vault.prefix ]]kv/service/[[ .pg.instance ]] > /dev/null 2>&1
+ vault kv get -field ${USER}_pwd [[ .vault.prefix ]]kv/service/[[ .instance ]] > /dev/null 2>&1
 RES=$?
 if [ "${RES}" = "1" ]; then
- vault kv patch [[ .vault.prefix ]]kv/service/[[ .pg.instance ]] ${USER}_pwd=$(pwgen -s -y -r\\\`\'\"\#\^\| -n 50 1)
+ vault kv patch [[ .vault.prefix ]]kv/service/[[ .instance ]] ${USER}_pwd=$(pwgen -s -y -r\\\`\'\"\#\^\| -n 50 1)
 elif [ "${RES}" = "2" ]; then
- vault kv put [[ .vault.prefix ]]kv/service/[[ .pg.instance ]] ${USER}_pwd=$(pwgen -s -y -r\\\`\'\"\#\^\| -n 50 1)
+ vault kv put [[ .vault.prefix ]]kv/service/[[ .instance ]] ${USER}_pwd=$(pwgen -s -y -r\\\`\'\"\#\^\| -n 50 1)
 fi
 done
diff --git a/init/pki b/init/pki
index 6b7f095..0af2d58 100755
--- a/init/pki
+++ b/init/pki
@@ -4,14 +4,14 @@
 [[ template "common/vault.mkpki.sh.tpl" dict "ctx" . "pki" (dict
- "name" .pg.instance
+ "name" .instance
 "ou" "PostgreSQL"
 "issuer" "pki/root"
 ) ]]
-vault write [[ .vault.prefix ]]pki/[[ .pg.instance ]]/roles/postgres-server \
- allowed_domains="[[ .pg.instance ]].service.[[ .consul.domain ]]" \
+vault write [[ .vault.prefix ]]pki/[[ .instance ]]/roles/postgres-server \
+ allowed_domains="[[ .instance ]].service.[[ .consul.domain ]]" \
 allow_bare_domains=true \
 allow_subdomains=true \
 allow_localhost=false \
diff --git a/init/vault-database b/init/vault-database
index 19ce365..fbe6948 100755
--- a/init/vault-database
+++ b/init/vault-database
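Review bot: The password argument on the `vault kv patch` and `vault kv put` lines in init/passwords is an unquoted command substitution, `${USER}_pwd=$(pwgen -s -y ... -n 50 1)`, so the generated value goes through field splitting and pathname expansion before vault receives it; with `-y` the symbol set still contains `*`, `?` and `[` after the `-r` exclusions, so a password containing one of them can be rewritten against file names in the working directory and the stored secret then differs from what pwgen produced. Quote the whole word on both lines, keeping the existing `-r` list: `${USER}_pwd="$(pwgen -s -y -r… -n 50 1)"`. The value is also passed as an argv element and is visible in the process table while the command runs; if that matters on the hosts where this script runs, I believe vault's `key=-` form reads the value from stdin instead, which avoids it.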
@@ -8,20 +8,20 @@ else
 echo "Database secret already enabled at [[ .vault.prefix ]]database"
 fi
-if [ "$(vault list -format json [[ .vault.prefix ]]database/config | jq '.[] | test("^[[ .pg.instance ]]$")')" != "true" ]; then
- echo "Configuring database plugin [[ .vault.prefix ]]database/config/[[ .pg.instance ]]"
- vault write [[ .vault.prefix ]]database/config/[[ .pg.instance ]] \
+if [ "$(vault list -format json [[ .vault.prefix ]]database/config | jq '.[] | test("^[[ .instance ]]$")')" != "true" ]; then
+ echo "Configuring database plugin [[ .vault.prefix ]]database/config/[[ .instance ]]"
+ vault write [[ .vault.prefix ]]database/config/[[ .instance ]] \
 plugin_name="postgresql-database-plugin" \
 connection_url="postgresql://{{username}}:{{password}}@[[ (urlParse .pg.server.public_url).Host ]]/postgres" \
 allowed_roles="*" \
 username=vault \
- password="$(vault kv get -field vault_initial_pwd [[ .vault.prefix ]]kv/service/[[ .pg.instance ]])" \
+ password="$(vault kv get -field vault_initial_pwd [[ .vault.prefix ]]kv/service/[[ .instance ]])" \
 password_authentication=scram-sha-256 \
 disable_escaping=true
 echo "Rotating root password"
- vault write -force [[ .vault.prefix ]]database/rotate-root/[[ .pg.instance ]]
+ vault write -force [[ .vault.prefix ]]database/rotate-root/[[ .instance ]]
 else
- echo "Database plugin already configured for [[ .vault.prefix ]]database/config/[[ .pg.instance ]]"
+ echo "Database plugin already configured for [[ .vault.prefix ]]database/config/[[ .instance ]]"
 fi
 [[- else ]]
 echo "Required .pg.server.public_url is missing"
@@ -30,5 +30,5 @@ echo "Required .pg.server.public_url is missing"
 echo "Creating dba role in vault"
 [[- template "common/vault.mkpgrole.sh.tpl" dict "ctx" .
- "config" (dict "role" (printf "%s-admin" .pg.instance) "pgrole" "dba" "database" .pg.instance)
+ "config" (dict "role" (printf "%s-admin" .instance) "pgrole" "dba" "database" .instance)
 ]]
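Review bot: The guard `jq '.[] | test("^[[ .instance ]]$")'` in init/vault-database prints one boolean per entry under `database/config`, so the comparison with `"true"` only holds while this instance is the sole configured database; once a second one exists the output spans several lines, the condition is always true, and every run re-issues `vault write database/config/...` with `vault_initial_pwd` followed by `rotate-root` — after the first rotation that initial password no longer matches, so the write fails. Use an aggregate instead: `jq 'any(.[]; test("^[[ .instance ]]$"))'`. Separately, `connection_url` carries no `sslmode`; since the public host is fronted by a TLS TCP router (postgres.nomad.hcl), `sslmode=verify-full` with the CA configured would let Vault authenticate the server it hands the root credentials to, unless the plugin already enforces that by default, which I cannot confirm from here.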
diff --git a/manage.nomad.hcl b/manage.nomad.hcl
index 465ea2f..e6337be 100644
--- a/manage.nomad.hcl
+++ b/manage.nomad.hcl
@@ -1,6 +1,6 @@
 [[ $c := merge .pg.manage . -]]
-job "[[ .pg.instance ]]-manage[[ $c.consul.suffix ]]" {
+job "[[ .instance ]]-manage[[ $c.consul.suffix ]]" {
 [[- if and (has $c "cron") (ne $c.cron "") ]]
 type = "service"
@@ -25,7 +25,7 @@ job "[[ .pg.instance ]]-manage[[ $c.consul.suffix ]]" {
 }
 service {
- name = "[[ .pg.instance ]]-manage[[ $c.consul.suffix ]]"
+ name = "[[ .instance ]]-manage[[ $c.consul.suffix ]]"
 [[ template "common/connect" $c ]]
 }
@@ -41,7 +41,7 @@ job "[[ .pg.instance ]]-manage[[ $c.consul.suffix ]]" {
 }
 vault {
- policies = ["[[ .pg.instance ]][[ $c.consul.suffix ]]"]
+ policies = ["[[ .instance ]][[ $c.consul.suffix ]]"]
 env = false
 disable_file = true
 }
@@ -79,7 +79,7 @@ job "[[ .pg.instance ]]-manage[[ $c.consul.suffix ]]" {
 PGHOST=localhost
 PGPORT=5432
 PGUSER=postgres
-PGPASSWORD={{ with secret "[[ .vault.prefix ]]kv/service/[[ .pg.instance ]]" }}{{ .Data.data.pg_pwd | sprig_squote }}{{ end }}
+PGPASSWORD={{ with secret "[[ .vault.prefix ]]kv/service/[[ .instance ]]" }}{{ .Data.data.pg_pwd | sprig_squote }}{{ end }}
 _EOF
 destination = "secrets/pg-manage.env"
 uid = 100000
diff --git a/postgres.nomad.hcl b/postgres.nomad.hcl
index 6e72dab..5879aa5 100644
--- a/postgres.nomad.hcl
+++ b/postgres.nomad.hcl
@@ -1,6 +1,6 @@
 [[ $c := merge .pg.server . -]]
-job [[ .pg.instance | toJSON ]] {
+job [[ .instance | toJSON ]] {
 [[ template "common/job_start" $c ]]
@@ -42,7 +42,7 @@ job [[ .pg.instance | toJSON ]] {
 [[- if not .pg.server.recovery ]]
 service {
- name = "[[ .pg.instance ]][[ $c.consul.suffix ]]"
+ name = "[[ .instance ]][[ $c.consul.suffix ]]"
 port = 5432
 [[- template "common/prometheus_meta" $c ]]
 [[- template "common/connect" $c ]]
@@ -51,11 +51,11 @@ job [[ .pg.instance | toJSON ]] {
 [[- if .pg.server.traefik.enabled ]]
 # Note : we don't add traefik.enable=true
 # This will be done dynamically only on the current master node using the update_tags.sh script
- "[[ $c.traefik.instance ]].tcp.routers.[[ .pg.instance ]][[ $c.consul.suffix ]].rule=HostSNI(`[[ if has .pg.server "public_url" ]][[ (urlParse .pg.server.public_url).Hostname ]][[ else ]]*[[ end ]]`)",
- "[[ $c.traefik.instance ]].tcp.routers.[[ .pg.instance ]][[ $c.consul.suffix ]].tls=true",
- "[[ $c.traefik.instance ]].tcp.routers.[[ .pg.instance ]][[ $c.consul.suffix ]].entrypoints=[[ join $c.traefik.entrypoints "," ]]",
+ "[[ $c.traefik.instance ]].tcp.routers.[[ .instance ]][[ $c.consul.suffix ]].rule=HostSNI(`[[ if has .pg.server "public_url" ]][[ (urlParse .pg.server.public_url).Hostname ]][[ else ]]*[[ end ]]`)",
+ "[[ $c.traefik.instance ]].tcp.routers.[[ .instance ]][[ $c.consul.suffix ]].tls=true",
+ "[[ $c.traefik.instance ]].tcp.routers.[[ .instance ]][[ $c.consul.suffix ]].entrypoints=[[ join $c.traefik.entrypoints "," ]]",
 [[- if gt (len .pg.server.traefik.middlewares) 0 ]]
- "[[ $c.traefik.instance ]].tcp.routers.[[ .pg.instance ]][[ $c.consul.suffix ]].middlewares=[[ join $c.traefik.middlewares "," ]]",
+ "[[ $c.traefik.instance ]].tcp.routers.[[ .instance ]][[ $c.consul.suffix ]].middlewares=[[ join $c.traefik.middlewares "," ]]",
 [[- end ]]
 [[- end ]]
 ]
@@ -103,7 +103,7 @@ job [[ .pg.instance | toJSON ]] {
 [[- if $c.prometheus.enabled ]]
 # This service is just used to expose patroni metrics
 service {
- name = "[[ .pg.instance ]]-patroni[[ $c.consul.suffix ]]"
+ name = "[[ .instance ]]-patroni[[ $c.consul.suffix ]]"
 port = "patroni"
 meta {
@@ -158,7 +158,7 @@ job [[ .pg.instance | toJSON ]] {
 }
 vault {
- policies = ["[[ .pg.instance ]][[ $c.consul.suffix ]]"]
+ policies = ["[[ .instance ]][[ $c.consul.suffix ]]"]
 env = false
 disable_file = true
 }
@@ -168,9 +168,9 @@ job [[ .pg.instance | toJSON ]] {
 template {
 data = <<_EOT
 # Get a Consul token from vault, so we're able to update the tags in Consul from the containers
-CONSUL_HTTP_TOKEN={{ with secret "[[ .vault.prefix ]]consul/creds/[[ .pg.instance ]]" }}{{ .Data.token }}{{ end }}
+CONSUL_HTTP_TOKEN={{ with secret "[[ .vault.prefix ]]consul/creds/[[ .instance ]]" }}{{ .Data.token }}{{ end }}
 PATRONICTL_CONFIG_FILE=/secrets/patroni.yml
-PGBACKREST_STANZA=[[ .pg.instance ]]
+PGBACKREST_STANZA=[[ .instance ]]
 _EOT
 destination = "secrets/pg.env"
 uid = 100000
@@ -254,8 +254,8 @@ _EOT
 template {
 data = <<_EOT
 {{ with pkiCert
- "[[ .vault.prefix ]]pki/[[ .pg.instance ]]/issue/postgres-server"
- "common_name=[[ .pg.instance ]].service.[[ .consul.domain ]]"
+ "[[ .vault.prefix ]]pki/[[ .instance ]]/issue/postgres-server"
+ "common_name=[[ .instance ]].service.[[ .consul.domain ]]"
 (printf "ip_sans=%s" (env "NOMAD_IP_patroni")) "ttl=72h" }} {{ .Cert }} {{ .Key }}
@@ -272,7 +272,7 @@ _EOT
 # CA certificate chains
 template {
 data = <<_EOT
-{{ with secret "[[ .vault.prefix ]]pki/[[ .pg.instance ]]/cert/ca_chain" }}{{ .Data.ca_chain }}{{ end }}
+{{ with secret "[[ .vault.prefix ]]pki/[[ .instance ]]/cert/ca_chain" }}{{ .Data.ca_chain }}{{ end }}
 _EOT
 destination = "local/postgres.ca.pem"
 change_mode = "signal"
@@ -316,7 +316,7 @@ _EOT
 }
 env {
- PGBACKREST_STANZA = [[ .pg.instance | toJSON ]]
+ PGBACKREST_STANZA = [[ .instance | toJSON ]]
 # Use the socket from the shared dir
 PGHOST = "/alloc/data/postgres"
 }
@@ -378,7 +378,7 @@ _EOT
 }
 vault {
- policies = ["[[ .pg.instance ]][[ $c.consul.suffix ]]"]
+ policies = ["[[ .instance ]][[ $c.consul.suffix ]]"]
 env = false
 disable_file = true
 }
diff --git a/prep.d/10-rand-pwd.sh b/prep.d/10-rand-pwd.sh
index 5068a1a..930113e 100755
--- a/prep.d/10-rand-pwd.sh
+++ b/prep.d/10-rand-pwd.sh
@@ -4,8 +4,8 @@ set -euo pipefail
 # Initialize random passwords if needed
-if ! vault kv list [[ .vault.prefix ]]kv/service 2>/dev/null | grep -q -E '^[[ .pg.instance ]]$'; then
- vault kv put [[ .vault.prefix ]]kv/service/[[ .pg.instance ]] \
+if ! vault kv list [[ .vault.prefix ]]kv/service 2>/dev/null | grep -q -E '^[[ .instance ]]$'; then
+ vault kv put [[ .vault.prefix ]]kv/service/[[ .instance ]] \
 pg_pwd=$(pwgen -s -n 50 1) \
 api_pwd=$(pwgen -s -n 50 1) \
 monitor_pwd=$(pwgen -s -n 50 1) \
@@ -15,8 +15,8 @@ if ! vault kv list [[ .vault.prefix ]]kv/service 2>/dev/null | grep -q -E '^[[ .
 fi
 for PWD in pg_pwd api_pwd monitor_pwd replicator_pwd rewind_pwd vault_initial_pwd; do
- if ! vault kv get -field ${PWD} [[ .vault.prefix ]]kv/service/[[ .pg.instance ]] >/dev/null 2>&1; then
- vault kv patch [[ .vault.prefix ]]kv/service/[[ .pg.instance ]] \
+ if ! vault kv get -field ${PWD} [[ .vault.prefix ]]kv/service/[[ .instance ]] >/dev/null 2>&1; then
+ vault kv patch [[ .vault.prefix ]]kv/service/[[ .instance ]] \
 ${PWD}=$(pwgen -s -n 50 1)
 fi
 done
diff --git a/prep.d/mv_conf.sh b/prep.d/mv_conf.sh
index f62b78f..5bbd949 100755
--- a/prep.d/mv_conf.sh
+++ b/prep.d/mv_conf.sh
@@ -1 +1 @@
-[[ template "common/mv_conf.sh.tpl" dict "ctx" . "services" (dict "postgres" .pg.instance) ]]
+[[ template "common/mv_conf.sh.tpl" dict "ctx" . "services" (dict "postgres" .instance) ]]
diff --git a/templates/create_users.sh.tpl b/templates/create_users.sh.tpl
index 4804231..fe645cf 100644
--- a/templates/create_users.sh.tpl
+++ b/templates/create_users.sh.tpl
@@ -3,7 +3,7 @@ set -euo pipefail
 # Create roles needed for patroni
-{{ with secret "[[ .vault.prefix ]]kv/service/[[ .pg.instance ]]" }}
+{{ with secret "[[ .vault.prefix ]]kv/service/[[ .instance ]]" }}
 psql <<'_EOSQL'
 ALTER ROLE postgres WITH SUPERUSER LOGIN PASSWORD '{{ .Data.data.pg_pwd }}';
 CREATE ROLE replicator WITH LOGIN REPLICATION PASSWORD '{{ .Data.data.replicator_pwd }}';
diff --git a/templates/patroni.yml.tpl b/templates/patroni.yml.tpl
index d82f372..b934d02 100644
--- a/templates/patroni.yml.tpl
+++ b/templates/patroni.yml.tpl
@@ -1,9 +1,9 @@
-name: [[ .pg.instance ]]-{{ env "NOMAD_ALLOC_INDEX" }}
-scope: [[ .pg.instance ]]
+name: [[ .instance ]]-{{ env "NOMAD_ALLOC_INDEX" }}
+scope: [[ .instance ]]
 consul:
 url: http://{{ sockaddr "GetInterfaceIP \"nomad\"" }}:8500
- token: {{ with secret "[[ .consul.prefix ]]consul/creds/[[ .pg.instance ]]" }}{{ .Data.token }}{{ end }}
+ token: {{ with secret "[[ .consul.prefix ]]consul/creds/[[ .instance ]]" }}{{ .Data.token }}{{ end }}
 bootstrap:
 dcs:
@@ -65,9 +65,9 @@ postgresql:
 - hostssl all all 0.0.0.0/0 cert clientcert=verify-full
 pg_ident:
- - patroni-map [[ .pg.instance ]].service.[[ .consul.domain ]] postgres
- - patroni-map [[ .pg.instance ]].service.[[ .consul.domain ]] replicator
- - patroni-map [[ .pg.instance ]].service.[[ .consul.domain ]] rewind
+ - patroni-map [[ .instance ]].service.[[ .consul.domain ]] postgres
+ - patroni-map [[ .instance ]].service.[[ .consul.domain ]] replicator
+ - patroni-map [[ .instance ]].service.[[ .consul.domain ]] rewind
 parameters:
 ssl: on
@@ -109,7 +109,7 @@ postgresql:
 authentication:
 superuser:
 username: postgres
- password: '{{ with secret "[[ .vault.prefix ]]kv/service/[[ .pg.instance ]]" }}{{ .Data.data.pg_pwd }}{{ end }}'
+ password: '{{ with secret "[[ .vault.prefix ]]kv/service/[[ .instance ]]" }}{{ .Data.data.pg_pwd }}{{ end }}'
 sslmode: verify-ca
 sslrootcert: /local/postgres.ca.pem
@@ -136,7 +136,7 @@ restapi:
 verify_client: optional
 authentication:
 username: patroni
- password: '{{ with secret "[[ .vault.prefix ]]kv/service/[[ .pg.instance ]]" }}{{ .Data.data.api_pwd }}{{ end }}'
+ password: '{{ with secret "[[ .vault.prefix ]]kv/service/[[ .instance ]]" }}{{ .Data.data.api_pwd }}{{ end }}'
 ctl:
 insecure: False
diff --git a/templates/update_tags.sh.tpl b/templates/update_tags.sh.tpl
index 3e2b630..9ff1162 100644
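Review bot: The `token:` line in templates/patroni.yml.tpl reads the Consul credential from `[[ .consul.prefix ]]consul/creds/[[ .instance ]]`, whereas the same secret is fetched as `[[ .vault.prefix ]]consul/creds/[[ .instance ]]` for CONSUL_HTTP_TOKEN in postgres.nomad.hcl, and that is the path vault/policies/postgres.hcl grants read on. Unless `.consul.prefix` and `.vault.prefix` happen to expand to the same string, this template renders against a Vault path the job's policy does not cover and the allocation fails at template rendering. Change it to `token: {{ with secret "[[ .vault.prefix ]]consul/creds/[[ .instance ]]" }}{{ .Data.token }}{{ end }}` so the three readers of this credential agree on its location.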
--- a/templates/update_tags.sh.tpl
+++ b/templates/update_tags.sh.tpl
@@ -18,11 +18,11 @@ fi
 CURL_OPTS="--connect-timeout 5 --max-time 10 --retry 5 --retry-delay 1 --retry-max-time 40 --retry-connrefused"
 # Update tags on the main service
-curl ${CURL_OPTS} -H "X-Consul-Token: ${CONSUL_HTTP_TOKEN}" http://{{ sockaddr "GetInterfaceIP \"nomad\"" }}:8500/v1/catalog/service/[[ .pg.instance ]] |\
- jq --from-file /local/serviceformat.jq --arg role ${NEW_ROLE} --arg mytag [[ .pg.instance ]]-{{ env "NOMAD_ALLOC_INDEX" }} |\
+curl ${CURL_OPTS} -H "X-Consul-Token: ${CONSUL_HTTP_TOKEN}" http://{{ sockaddr "GetInterfaceIP \"nomad\"" }}:8500/v1/catalog/service/[[ .instance ]] |\
+ jq --from-file /local/serviceformat.jq --arg role ${NEW_ROLE} --arg mytag [[ .instance ]]-{{ env "NOMAD_ALLOC_INDEX" }} |\
 curl ${CORL_OPTS} -H "X-Consul-Token: ${CONSUL_HTTP_TOKEN}" -X PUT -d @- http://{{ sockaddr "GetInterfaceIP \"nomad\"" }}:8500/v1/agent/service/register
 # Update tags on the sidecar service (connect-proxy)
-curl ${CURL_OPTS} -H "X-Consul-Token: ${CONSUL_HTTP_TOKEN}" http://{{ sockaddr "GetInterfaceIP \"nomad\"" }}:8500/v1/catalog/service/[[ .pg.instance ]]-sidecar-proxy |\
- jq --from-file /local/serviceformat.jq --arg role ${NEW_ROLE} --arg mytag [[ .pg.instance ]]-{{ env "NOMAD_ALLOC_INDEX" }} |\
+curl ${CURL_OPTS} -H "X-Consul-Token: ${CONSUL_HTTP_TOKEN}" http://{{ sockaddr "GetInterfaceIP \"nomad\"" }}:8500/v1/catalog/service/[[ .instance ]]-sidecar-proxy |\
+ jq --from-file /local/serviceformat.jq --arg role ${NEW_ROLE} --arg mytag [[ .instance ]]-{{ env "NOMAD_ALLOC_INDEX" }} |\
 curl ${CURL_OPTS} -H "X-Consul-Token: ${CONSUL_HTTP_TOKEN}" -X PUT -d @- http://{{ sockaddr "GetInterfaceIP \"nomad\"" }}:8500/v1/agent/service/register
diff --git a/upgrade.nomad.hcl b/upgrade.nomad.hcl
index 07d07d7..8666e2d 100644
--- a/upgrade.nomad.hcl
+++ b/upgrade.nomad.hcl
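Review bot: `curl ${CORL_OPTS}` on the first `/v1/agent/service/register` call in templates/update_tags.sh.tpl is a misspelling of `CURL_OPTS` (the sidecar register call below uses the right name), so that PUT runs with no connect timeout, max time or retry and can stall the tag update indefinitely; if the script runs under `set -u`, which is not visible in this hunk, it aborts instead. Change it to `curl ${CURL_OPTS} -H "X-Consul-Token: ${CONSUL_HTTP_TOKEN}" -X PUT -d @- http://{{ sockaddr "GetInterfaceIP \"nomad\"" }}:8500/v1/agent/service/register`. Each pipeline's status is also only that of its last curl, so a failed catalog lookup silently feeds an empty document through jq into the register call; `set -o pipefail` at the top of the script (outside this hunk) would make that visible.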
@@ -1,5 +1,5 @@
 [[ $c := merge .pg.upgrade . -]]
-job "[[ .pg.instance ]]-upgrade" {
+job "[[ .instance ]]-upgrade" {
 [[ template "common/job_start.tpl" $c ]]
@@ -23,7 +23,7 @@ job "[[ .pg.instance ]]-upgrade" {
 }
- task "[[ .pg.instance ]]-upgrade" {
+ task "[[ .instance ]]-upgrade" {
 driver = [[ $c.nomad.driver | toJSON ]]
 config {
diff --git a/variables.yml b/variables.yml
index ada017d..cbf6190 100644
--- a/variables.yml
+++ b/variables.yml
@@ -1,9 +1,10 @@
 ---
+# Name of the job to generate
+# Also used to controler service names
+instance: postgres
+
 pg:
- # Name of the job to generate
- # Also used to controler service names
- instance: postgres
 # Postgres server settings
 server:
@@ -98,7 +99,7 @@ pg:
 # Optional bind DN and password to do the search operation
 # If undefined, the search will be done anonymously
 #bind_dn: CN=Postgres,OU=Apps,DC=example,DC=org
- bind_password: '{{ with secret "[[ .vault.prefix ]]kv/service/[[ .pg.instance ]]" }}{{ .Data.data.ldap_pwd }}{{ end }}'
+ bind_password: '{{ with secret "[[ .vault.prefix ]]kv/service/[[ .instance ]]" }}{{ .Data.data.ldap_pwd }}{{ end }}'
 # Resource allocation for the container
 resources:
@@ -179,7 +180,7 @@ pg:
 # Services to wait before running
 wait_for:
- - service: 'master.[[ .pg.instance ]]'
+ - service: 'master.[[ .instance ]]'
 # Additional env var
 env: {}
@@ -188,7 +189,7 @@ pg:
 consul:
 connect:
 upstreams:
- - destination_name: "[[ .pg.instance ]]"
+ - destination_name: "[[ .instance ]]"
 local_bind_port: 5432
 # List of databases to create (so permissions can be applied)
@@ -344,9 +345,9 @@ pg:
 # The volumes are connected using per_alloc, so the alloc ID will be appended. Eg postgres-data[0], postgres-data[1] etc.
 data:
 type: csi
- source: '[[ .pg.instance ]]-data'
+ source: '[[ .instance ]]-data'
 # Backup volume (can be used for pgbackrest and dumps)
 # Will be opened as multi-node-multi-writer. Can be NFS
 backup:
 type: csi
- source: '[[ .pg.instance ]]-backup'
+ source: '[[ .instance ]]-backup'
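Review bot: The comment moved to the top of variables.yml keeps the misspelling `controler`; since it is now the first thing a user reads before setting `instance`, make it `# Also used to control service names`. It would also help to state there that the value is embedded in Vault and Consul paths, the PKI common name and the CSI volume names (as the other hunks of this commit show), so changing it on an existing deployment is not a cosmetic rename.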
diff --git a/vault/policies/postgres.hcl b/vault/policies/postgres.hcl
index a5ca911..c44e6f1 100644
--- a/vault/policies/postgres.hcl
+++ b/vault/policies/postgres.hcl
@@ -1,14 +1,14 @@
 # Read secrets from vault KV
-path "[[ .vault.prefix ]]kv/data/service/[[ .pg.instance ]]" {
+path "[[ .vault.prefix ]]kv/data/service/[[ .instance ]]" {
 capabilities = ["read"]
 }
 # Get a consul token to access the kv store, where patroni will manage the leader lock
-path "[[ .vault.prefix ]]consul/creds/[[ .pg.instance ]]" {
+path "[[ .vault.prefix ]]consul/creds/[[ .instance ]]" {
 capabilities = ["read"]
 }
 # Get a certificate for patroni REST API and Postgres
-path "[[ .vault.prefix ]]pki/[[ .pg.instance ]]/issue/postgres-server" {
+path "[[ .vault.prefix ]]pki/[[ .instance ]]/issue/postgres-server" {
 capabilities = ["update"]
 }