Fix cross server mTLS auth for replicator, rewind etc.

postgres.nomad.hcl

@@ -232,8 +232,8 @@ _EOT
         data          = <<_EOT
 {{ with pkiCert
   "[[ $c.vault.pki.path ]]/issue/postgres-server"
-  (printf "common_name=pg-%s.[[ .instance ]][[ .consul.suffix ]].service.[[ .consul.domain ]]" (env "NOMAD_ALLOC_INDEX"))
-  "alt_name=[[ .instance ]][[ .consul.suffix ]].service.[[ .consul.domain ]]"
+  "common_name=[[ .instance ]][[ .consul.suffix ]].service.[[ .consul.domain ]]"
+  (printf "alt_name=%s.[[ .instance ]][[ .consul.suffix ]].service.[[ .consul.domain ]]" (env "NOMAD_ALLOC_INDEX"))
   (printf "ip_sans=%s" (env "NOMAD_IP_patroni")) "ttl=72h" }}
 {{ .Cert }}
 {{ .Key }}
@@ -332,7 +332,7 @@ _EOT
 [[- if and $c.prometheus.enabled (not .pg.server.recovery) ]]
 
 [[ $e := merge .pg.exporter .pg . ]]
-[[ template "common/task.metrics_proxy" merge (dict "prometheus" (dict "additional_proxy_conf" (tmpl.Exec "postgres/nginx_patroni.conf.tpl" $e))) $e ]]
+[[ template "common/task.metrics_proxy" merge (dict "prometheus" (dict "additional_proxy_conf" (tmpl.Exec "postgres/nginx_patroni.conf.tpl" $e))) $c ]]
 
     task "exporter" {
       driver = "[[ $e.nomad.driver ]]"

templates/patroni.yml.tpl

@@ -65,9 +65,9 @@ postgresql:
     - hostssl all         all          0.0.0.0/0    cert clientcert=verify-full
 
   pg_ident:
-    - patroni-map pg-{{ env "NOMAD_ALLOC_INDEX" }}.[[ .instance ]].service.[[ .consul.domain ]] postgres
-    - patroni-map pg-{{ env "NOMAD_ALLOC_INDEX" }}.[[ .instance ]].service.[[ .consul.domain ]] replicator
-    - patroni-map pg-{{ env "NOMAD_ALLOC_INDEX" }}.[[ .instance ]].service.[[ .consul.domain ]] rewind
+    - patroni-map [[ .instance ]].service.[[ .consul.domain ]] postgres
+    - patroni-map [[ .instance ]].service.[[ .consul.domain ]] replicator
+    - patroni-map [[ .instance ]].service.[[ .consul.domain ]] rewind
 
   parameters:
     ssl: on