Rebuild images for March 2024 + small cleanup
parent
4f62d5154a
commit
26f3f1d1f8
|
@ -12,7 +12,7 @@ RUN set -eux &&\
|
|||
chown root:root ldap2pg &&\
|
||||
chmod 755 ldap2pg
|
||||
|
||||
FROM danielberteaud/alpine:24.2-1
|
||||
FROM danielberteaud/alpine:24.3-1
|
||||
MAINTAINER Daniel Berteaud <dbd@ehtrace.com>
|
||||
|
||||
ENV PGHOST=localhost \
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
FROM danielberteaud/postgres:15.24.2-4
|
||||
FROM danielberteaud/postgres:15.24.3-1
|
||||
MAINTAINER Daniel Berteaud <dbd@ehtrace.com>
|
||||
|
||||
ARG PATRONI_VERSION=3.2.2
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
FROM danielberteaud/alpine:24.2-1
|
||||
FROM danielberteaud/alpine:24.3-1
|
||||
MAINTAINER Daniel Berteaud <dbd@ehtrace.com>
|
||||
|
||||
ARG PG_FROM= \
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
FROM danielberteaud/alma:9.24.2-1
|
||||
FROM danielberteaud/alma:9.24.3-1
|
||||
MAINTAINER Daniel Berteaud <dbd@ehtrace.com>
|
||||
|
||||
ENV PG_BASE_DATA=/data/db/
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
#!/bin/sh
|
||||
# vim: syntax=sh
|
||||
|
||||
vault write /consul/roles/postgres ttl=720h max_ttl=720h consul_policies="postgres"
|
||||
vault write consul/roles/postgres ttl=720h max_ttl=720h consul_policies="postgres"
|
||||
|
|
|
@ -17,33 +17,33 @@ fi
|
|||
|
||||
if [ "${INITIAL_SETUP}" = "true" ]; then
|
||||
# Enable the secret engine
|
||||
echo "Mounting new PKI secret engine at /pki/postgres"
|
||||
vault secrets enable -path=/pki/postgres pki
|
||||
echo "Mounting new PKI secret engine at pki/postgres"
|
||||
vault secrets enable -path=pki/postgres pki
|
||||
else
|
||||
echo "Secret engine already mounted at /pki/postgres"
|
||||
echo "Secret engine already mounted at pki/postgres"
|
||||
fi
|
||||
|
||||
# Configure max-lease-ttl
|
||||
echo "Tune PKI secret engine"
|
||||
vault secrets tune -max-lease-ttl=131400h /pki/postgres
|
||||
vault secrets tune -max-lease-ttl=131400h pki/postgres
|
||||
|
||||
# Configure PKI URLs
|
||||
echo "Configure URL endpoints"
|
||||
vault write /pki/postgres/config/urls \
|
||||
issuing_certificates="${VAULT_ADDR}/v1/pki/postgres/ca" \
|
||||
crl_distribution_points="${VAULT_ADDR}/v1/pki/postgres/crl" \
|
||||
ocsp_servers="${VAULT_ADDR}/v1/pki/postgres/ocsp"
|
||||
vault write pki/postgres/config/urls \
|
||||
issuing_certificates="${VAULT_ADDR}/v1pki/postgres/ca" \
|
||||
crl_distribution_points="${VAULT_ADDR}/v1pki/postgres/crl" \
|
||||
ocsp_servers="${VAULT_ADDR}/v1pki/postgres/ocsp"
|
||||
|
||||
vault write /pki/postgres/config/cluster \
|
||||
path="${VAULT_ADDR}/v1/pki/postgres"
|
||||
vault write pki/postgres/config/cluster \
|
||||
path="${VAULT_ADDR}/v1pki/postgres"
|
||||
|
||||
vault write /pki/postgres/config/crl \
|
||||
vault write pki/postgres/config/crl \
|
||||
auto_rebuild=true \
|
||||
enable_delta=true
|
||||
|
||||
# Configure tidy
|
||||
echo "Configure auto tidy for the PKI"
|
||||
vault write /pki/postgres/config/auto-tidy \
|
||||
vault write pki/postgres/config/auto-tidy \
|
||||
enabled=true \
|
||||
tidy_cert_store=true \
|
||||
tidy_expired_issuers=true \
|
||||
|
@ -58,7 +58,7 @@ vault write /pki/postgres/config/auto-tidy \
|
|||
if [ "${INITIAL_SETUP}" = "true" ]; then
|
||||
# Generate an internal CA
|
||||
echo "Generating an internal CA"
|
||||
vault write -format=json /pki/postgres/intermediate/generate/internal \
|
||||
vault write -format=json pki/postgres/intermediate/generate/internal \
|
||||
common_name="postgres Certificate Authority" \
|
||||
ttl="131400h" \
|
||||
organization="ACME Corp" \
|
||||
|
@ -71,8 +71,8 @@ if [ "${INITIAL_SETUP}" = "true" ]; then
|
|||
|
||||
|
||||
# Sign this PKI with a root PKI
|
||||
echo "Signing the new CA with the authority from /pki/root"
|
||||
vault write -format=json /pki/root/root/sign-intermediate \
|
||||
echo "Signing the new CA with the authority from pki/root"
|
||||
vault write -format=json pki/root/root/sign-intermediate \
|
||||
csr=@${TMP}/postgres.csr \
|
||||
format=pem_bundle \
|
||||
ttl="131400h" \
|
||||
|
@ -80,7 +80,7 @@ if [ "${INITIAL_SETUP}" = "true" ]; then
|
|||
|
||||
# Update the intermediate CA with the signed one
|
||||
echo "Update the new CA with the signed version"
|
||||
vault write /pki/postgres/intermediate/set-signed \
|
||||
vault write pki/postgres/intermediate/set-signed \
|
||||
certificate=@${TMP}/postgres.crt
|
||||
|
||||
|
||||
|
@ -91,7 +91,7 @@ echo "Cleaning temp files"
|
|||
rm -rf ${TMP}
|
||||
|
||||
|
||||
vault write /pki/postgres/roles/postgres-server \
|
||||
vault write pki/postgres/roles/postgres-server \
|
||||
allowed_domains="postgres.service.consul" \
|
||||
allow_bare_domains=true \
|
||||
allow_subdomains=true \
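Review bot: The leading-slash removal in the `config/urls` and `config/cluster` hunk dropped the wrong slash: `issuing_certificates`, `crl_distribution_points`, `ocsp_servers` and `path` now read `${VAULT_ADDR}/v1pki/postgres/...` instead of `${VAULT_ADDR}/v1/pki/postgres/...`, so the mount is no longer addressable at those URLs. These values are what Vault embeds in issued certificates as the CA issuer, CRL and OCSP locations, so any client that follows them for chain building or revocation checking will get a 404 from `/v1pki/...`. The `vault write pki/postgres/...` command paths elsewhere in this file are correct; only the four URL arguments need the `/v1/pki/` form restored.
```shell
vault write pki/postgres/config/urls \
  issuing_certificates="${VAULT_ADDR}/v1/pki/postgres/ca" \
  crl_distribution_points="${VAULT_ADDR}/v1/pki/postgres/crl" \
  ocsp_servers="${VAULT_ADDR}/v1/pki/postgres/ocsp"

vault write pki/postgres/config/cluster \
  path="${VAULT_ADDR}/v1/pki/postgres"
# … unchanged: config/crl, config/auto-tidy and the remaining PKI setup …
```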
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
#!/bin/sh
|
||||
echo "Required .pg.server.public_url is missing"
|
||||
|
||||
echo "Creating dba role in vault"vault write /database/roles/postgres-admin \
|
||||
echo "Creating dba role in vault"vault write database/roles/postgres-admin \
|
||||
db_name="postgres" \
|
||||
creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
|
||||
GRANT \"dba\" TO \"{{name}}\"; \
|
||||
|
|
|
@ -63,7 +63,7 @@ job "postgres-manage" {
|
|||
user = 1053
|
||||
|
||||
config {
|
||||
image = "danielberteaud/wait-for:24.2-1"
|
||||
image = "danielberteaud/wait-for:24.3-1"
|
||||
readonly_rootfs = true
|
||||
pids_limit = 20
|
||||
}
|
||||
|
@ -89,7 +89,7 @@ job "postgres-manage" {
|
|||
driver = "docker"
|
||||
|
||||
config {
|
||||
image = "danielberteaud/ldap2pg:6.0-9"
|
||||
image = "danielberteaud/ldap2pg:6.0-10"
|
||||
readonly_rootfs = true
|
||||
pids_limit = 20
|
||||
}
|
||||
|
@ -125,7 +125,7 @@ _EOT
|
|||
PGHOST=localhost
|
||||
PGPORT=5432
|
||||
PGUSER=postgres
|
||||
PGPASSWORD={{ with secret "/kv/service/postgres" }}{{ .Data.data.pg_pwd | sprig_squote }}{{ end }}
|
||||
PGPASSWORD={{ with secret "kv/service/postgres" }}{{ .Data.data.pg_pwd | sprig_squote }}{{ end }}
|
||||
_EOF
|
||||
destination = "secrets/pg-manage.env"
|
||||
uid = 100000
|
||||
|
|
|
@ -142,7 +142,7 @@ job "postgres" {
|
|||
kill_timeout = "10m"
|
||||
|
||||
config {
|
||||
image = "danielberteaud/patroni:15.24.2-3"
|
||||
image = "danielberteaud/patroni:15.24.3-1"
|
||||
# Set shm_size to half of the total size
|
||||
shm_size = 536870912
|
||||
volumes = ["local/mkdir-socket.sh:/entrypoint.d/70-mkdir-socket.sh"]
|
||||
|
@ -175,7 +175,7 @@ _EOT
|
|||
template {
|
||||
data = <<_EOT
|
||||
# Get a Consul token from vault, so we're able to update the tags in Consul from the containers
|
||||
CONSUL_HTTP_TOKEN={{ with secret "/consul/creds/postgres" }}{{ .Data.token }}{{ end }}
|
||||
CONSUL_HTTP_TOKEN={{ with secret "consul/creds/postgres" }}{{ .Data.token }}{{ end }}
|
||||
PATRONICTL_CONFIG_FILE=/secrets/patroni.yml
|
||||
_EOT
|
||||
destination = "secrets/pg.env"
|
||||
|
@ -354,7 +354,7 @@ postgresql:
|
|||
authentication:
|
||||
superuser:
|
||||
username: postgres
|
||||
password: '{{ with secret "/kv/service/postgres" }}{{ .Data.data.pg_pwd }}{{ end }}'
|
||||
password: '{{ with secret "kv/service/postgres" }}{{ .Data.data.pg_pwd }}{{ end }}'
|
||||
sslmode: verify-ca
|
||||
sslrootcert: /local/postgres.ca.pem
|
||||
|
||||
|
@ -381,7 +381,7 @@ restapi:
|
|||
verify_client: optional
|
||||
authentication:
|
||||
username: patroni
|
||||
password: '{{ with secret "/kv/service/postgres" }}{{ .Data.data.api_pwd }}{{ end }}'
|
||||
password: '{{ with secret "kv/service/postgres" }}{{ .Data.data.api_pwd }}{{ end }}'
|
||||
|
||||
ctl:
|
||||
insecure: False
|
||||
|
@ -409,7 +409,7 @@ _EOT
|
|||
set -euo pipefail
|
||||
|
||||
# Create roles needed for patroni
|
||||
{{ with secret "/kv/service/postgres" }}
|
||||
{{ with secret "kv/service/postgres" }}
|
||||
psql <<'_EOSQL'
|
||||
ALTER ROLE postgres WITH SUPERUSER LOGIN PASSWORD '{{ .Data.data.pg_pwd }}';
|
||||
CREATE ROLE replicator WITH LOGIN REPLICATION PASSWORD '{{ .Data.data.replicator_pwd }}';
|
||||
|
@ -446,7 +446,7 @@ _EOT
|
|||
template {
|
||||
data = <<_EOT
|
||||
{{ with pkiCert
|
||||
"/pki/postgres/issue/postgres-server"
|
||||
"pki/postgres/issue/postgres-server"
|
||||
"common_name=postgres.service.consul"
|
||||
(printf "alt_name=%s.postgres.service.consul" (env "NOMAD_ALLOC_INDEX"))
|
||||
(printf "ip_sans=%s" (env "NOMAD_IP_patroni")) "ttl=72h" }}
|
||||
|
@ -465,7 +465,7 @@ _EOT
|
|||
# CA certificate chains
|
||||
template {
|
||||
data = <<_EOT
|
||||
{{ with secret "/pki/postgres/cert/ca_chain" }}{{ .Data.ca_chain }}{{ end }}
|
||||
{{ with secret "pki/postgres/cert/ca_chain" }}{{ .Data.ca_chain }}{{ end }}
|
||||
_EOT
|
||||
destination = "local/postgres.ca.pem"
|
||||
change_mode = "signal"
|
||||
|
|
|
@ -5,7 +5,7 @@ set -euo pipefail
|
|||
# vim: syntax=sh
|
||||
|
||||
export LC_ALL=C
|
||||
VAULT_KV_PATH=/kv/service/postgres
|
||||
VAULT_KV_PATH=kv/service/postgres
|
||||
RAND_CMD="tr -dc A-Za-z0-9\-_\/=~\.+ < /dev/urandom | head -c 50"
|
||||
if ! vault kv list $(dirname ${VAULT_KV_PATH}) 2>/dev/null | grep -q -E "^$(basename ${VAULT_KV_PATH})\$"; then
|
||||
vault kv put ${VAULT_KV_PATH} \
|
||||
|
|
|
@ -1,14 +1,14 @@
|
|||
# Read secrets from vault KV
|
||||
path "/kv/data/service/postgres" {
|
||||
path "kv/data/service/postgres" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
|
||||
# Get a consul token to access the kv store, where patroni will manage the leader lock
|
||||
path "/consul/creds/postgres" {
|
||||
path "consul/creds/postgres" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
|
||||
# Get a certificate for patroni REST API and Postgres
|
||||
path "/pki/postgres/issue/postgres-server" {
|
||||
path "pki/postgres/issue/postgres-server" {
|
||||
capabilities = ["update"]
|
||||
}
|
||||
|
|
|
@ -68,7 +68,7 @@ job "[[ .instance ]]-manage" {
|
|||
[[- end ]]
|
||||
}
|
||||
|
||||
[[ template "common/file_env" $c.env ]]
|
||||
[[ template "common/file_env" $c ]]
|
||||
|
||||
template {
|
||||
data =<<_EOF
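Review bot: The two jobs now pass `$c` to the shared env template but name that template differently: `common/file_env` here in `[[ .instance ]]-manage`, and `common/file_env.tpl` in the `[[ .instance ]]-upgrade` hunk that follows. If only one of those names is defined, the other job fails to render; if both exist they can drift apart. Presumably one spelling is intended — confirm which template file exists and use the same name in both jobs.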
|
||||
|
|
|
@ -37,7 +37,7 @@ job "[[ .instance ]]-upgrade" {
|
|||
PG_DO_UPGRADE = [[ $c.do_upgrade | toJSON ]]
|
||||
}
|
||||
|
||||
[[ template "common/file_env.tpl" $c.env ]]
|
||||
[[ template "common/file_env.tpl" $c ]]
|
||||
|
||||
volume_mount {
|
||||
volume = "data"
|
||||
|
|
|
@ -31,7 +31,7 @@ pg:
|
|||
# Postgres server settings
|
||||
server:
|
||||
# The image to use
|
||||
image: '[[ .docker.repo ]]patroni:15.24.2-3'
|
||||
image: '[[ .docker.repo ]]patroni:15.24.3-1'
|
||||
|
||||
# Number of postgres instance. Patroni will handle leader election and replication
|
||||
count: 1
|
||||
|
@ -194,7 +194,7 @@ pg:
|
|||
# manage can create database, users and sync permissions from LDAP (using ldap2pg)
|
||||
manage:
|
||||
# Image to use
|
||||
image: '[[ .docker.repo ]]ldap2pg:6.0-9'
|
||||
image: '[[ .docker.repo ]]ldap2pg:6.0-10'
|
||||
|
||||
# Resource allocation
|
||||
resources:
|
||||
|
|