Support ldap auth + small fixes
This commit is contained in:
parent
3212e80baf
commit
cf1f536658
|
@ -5,7 +5,9 @@ job "[[ .pg.instance ]]-manage[[ .consul.suffix ]]" {
|
|||
type = "batch"
|
||||
[[- if and (has .pg.manage "cron") (ne .pg.manage.cron "") ]]
|
||||
periodic {
|
||||
cron = [[ .pg.manage.cron | toJSON ]]
|
||||
crons = [
|
||||
[[ .pg.manage.cron | toJSON ]]
|
||||
]
|
||||
prohibit_overlap = true
|
||||
}
|
||||
[[- else ]]
|
||||
|
@ -67,6 +69,8 @@ job "[[ .pg.instance ]]-manage[[ .consul.suffix ]]" {
|
|||
LDAP2PG_MODE = [[ .pg.manage.mode | toJSON ]]
|
||||
}
|
||||
|
||||
[[ template "common/file_env.tpl" .pg.manage.env ]]
|
||||
|
||||
template {
|
||||
data =<<_EOF
|
||||
PGHOST=localhost
|
||||
|
@ -74,7 +78,7 @@ PGPORT=5432
|
|||
PGUSER=postgres
|
||||
PGPASSWORD={{ with secret "[[ .vault.prefix ]]kv/service/[[ .pg.instance ]]" }}{{ .Data.data.pg_pwd }}{{ end }}
|
||||
_EOF
|
||||
destination = "secrets/env"
|
||||
destination = "secrets/pg-manage.env"
|
||||
uid = 100000
|
||||
gid = 100000
|
||||
perms = 0400
|
||||
|
|
|
@ -380,6 +380,11 @@ _EOT
|
|||
gid = 100000
|
||||
env = true
|
||||
}
|
||||
|
||||
resources {
|
||||
cpu = 10
|
||||
memory = 24
|
||||
}
|
||||
}
|
||||
[[- end ]]
|
||||
}
|
||||
|
|
|
@ -53,6 +53,11 @@ postgresql:
|
|||
- local all postgres peer
|
||||
- local replication postgres peer
|
||||
- local all postgres scram-sha-256
|
||||
[[- if .pg.server.ldap_auth.enabled ]]
|
||||
- host all +ldap_roles 127.0.0.0/8 ldap ldapserver="[[ join .pg.server.ldap_auth.servers " " ]]" ldapport=[[ .pg.server.ldap_auth.port ]] [[ if .pg.server.ldap_auth.starttls ]]ldaptls=1 [[ end ]]ldapbasedn="[[ .pg.server.ldap_auth.base_dn ]]"
|
||||
[[- if and (has .pg.server.ldap_auth "bind_dn") (has .pg.server.ldap_auth "bind_password") ]] ldapbinddn="[[ .pg.server.ldap_auth.bind_dn ]]" ldapbindpasswd="[[ .pg.server.ldap_auth.bind_password ]]" [[ end -]]
|
||||
ldapsearchfilter="[[ .pg.server.ldap_auth.search_filter ]]"
|
||||
[[- end ]]
|
||||
- host all all 127.0.0.0/8 scram-sha-256
|
||||
- host replication backup 127.0.0.0/8 scram-sha-256
|
||||
- hostssl replication replicator 0.0.0.0/0 cert clientcert=verify-full map=patroni-map
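Review bot: With the shipped defaults (bind_dn left unset) the rendered pg_hba entry glues the base DN and the search filter into one token, because the `[[- if` on the bind line trims the newline after `ldapbasedn="…"` and the `[[ end -]]` trims the whitespace before `ldapsearchfilter=`, producing `ldapbasedn="…"ldapsearchfilter="…"` with no separator, so PostgreSQL will not see a separate ldapsearchfilter option and LDAP logins fail in the default configuration. A simple fix keeps the separator outside the conditional, replacing the two template lines with one: `[[- if and (has .pg.server.ldap_auth "bind_dn") (has .pg.server.ldap_auth "bind_password") ]] ldapbinddn="[[ .pg.server.ldap_auth.bind_dn ]]" ldapbindpasswd="[[ .pg.server.ldap_auth.bind_password ]]"[[ end ]] ldapsearchfilter="[[ .pg.server.ldap_auth.search_filter ]]"`. Two caveats deserve a comment above the `[[- if .pg.server.ldap_auth.enabled ]]` line: `ldaptls=1` only asks libldap for StartTLS, and whether the directory's certificate is actually verified is decided by the host's ldap.conf (TLS_REQCERT/TLS_CACERT), which this template does not control; with starttls disabled the simple bind sends each user's password to the directory in cleartext. The bind password also lands verbatim in pg_hba.conf, where a value containing a double quote cannot be escaped, so the secret must be generated with that restriction in mind.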
|
||||
|
|
|
@ -63,6 +63,34 @@ pg:
|
|||
archive_timeout: 900
|
||||
wal_keep_size: 512
|
||||
|
||||
# You can configure ldap auth for postgres
|
||||
# users needing ldap auth should be members of the ldap_roles role in postgres
|
||||
ldap_auth:
|
||||
|
||||
# Is the auth enabled
|
||||
enabled: false
|
||||
|
||||
# List of servers to try to connect to
|
||||
servers:
|
||||
- localhost
|
||||
|
||||
# Port
|
||||
port: 389
|
||||
|
||||
# Should StartTLS be used to connect
|
||||
starttls: true
|
||||
|
||||
# The base DN where postgres will start looking for users
|
||||
base_dn: OU=People,DC=example,DC=org
|
||||
|
||||
# Search filter to find matching users
|
||||
search_filter: "(&(objectClass=user)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2))(memberOf:1.2.840.113556.1.4.1941:=CN=Role_DBA,OU=Roles,DC=example,DC=org)(sAMAccountName=$username))"
|
||||
|
||||
# Optional bind DN and password to do the search operation
|
||||
# If undefined, the search will be done anonymously
|
||||
#bind_dn: CN=Postgres,OU=Apps,DC=example,DC=org
|
||||
bind_password: '{{ with secret "[[ .vault.prefix ]]kv/service/[[ .pg.instance ]]" }}{{ .Data.data.ldap_pwd }}{{ end }}'
|
||||
|
||||
# Resource allocation for the container
|
||||
resources:
|
||||
cpu: 500
|
||||
|
@ -134,28 +162,41 @@ pg:
|
|||
manage:
|
||||
# Image to use
|
||||
image: danielberteaud/ldap2pg:6.0-1
|
||||
|
||||
# Resource allocation
|
||||
resources:
|
||||
cpu: 20
|
||||
memory: 32
|
||||
|
||||
# Additional env var
|
||||
env: {}
|
||||
|
||||
# Connection to postgres through the service mesg
|
||||
consul:
|
||||
connect:
|
||||
upstreams:
|
||||
- destination_name: "[[ .pg.instance ]]"
|
||||
local_bind_port: 5432
|
||||
|
||||
# List of databases to create (so permissions can be applied)
|
||||
# For each database, a role with the same name (and NOLOGIN) will be created and be owner of the database
|
||||
# databases:
|
||||
# - name: vaultwarden
|
||||
# - name: odoo
|
||||
# owner: erp
|
||||
# encoding: UTF-8
|
||||
# locale: fr_FR.utf8
|
||||
databases: []
|
||||
|
||||
# Schedule to run ldap2pg regularily, to ensure permissions are up to date
|
||||
# This is especially useful when syncing roles from LDAP
|
||||
# An empty string disable running the job as a cron
|
||||
cron: ""
|
||||
|
||||
# mode can be dry (no change will be made) or real
|
||||
#
|
||||
mode: dry
|
||||
|
||||
# Default config for ldap2pg (except for rules which are handled separately)
|
||||
default_config:
|
||||
version: 6
|
||||
|
@ -228,17 +269,20 @@ pg:
|
|||
- name: dba
|
||||
comment: "Databases admins"
|
||||
options: SUPERUSER NOLOGIN
|
||||
parents: managed_roles
|
||||
parents:
|
||||
- managed_roles
|
||||
|
||||
- name: rewind
|
||||
comment: "Databases rewinder"
|
||||
options: LOGIN
|
||||
parents: managed_roles
|
||||
parents:
|
||||
- managed_roles
|
||||
|
||||
- name: vault
|
||||
comment: "Hashicorp Vault"
|
||||
options: CREATEROLE LOGIN
|
||||
parents: managed_roles
|
||||
parents:
|
||||
- managed_roles
|
||||
|
||||
- grant:
|
||||
role: vault
|
||||
|
@ -250,6 +294,10 @@ pg:
|
|||
privileges: rewinder
|
||||
databases: postgres
|
||||
|
||||
- grant:
|
||||
role: dba
|
||||
privileges: owner
|
||||
|
||||
# Additional custom rules to apply (will be appended to default_rules)
|
||||
rules: []
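Review bot: The default `bind_password` is set (pulling `ldap_pwd` from Vault) while `bind_dn` stays commented out, and since the pg_hba template only emits the bind options when both keys are present, the default configuration searches anonymously and silently discards the password, which the comment on the bind options does not convey. Either comment out `bind_password` as well, or reword the comment to `# Optional bind DN and password for the search operation; both must be set, otherwise the search is done anonymously`. Note also that `has` tests key presence only, so an explicit `bind_dn: ""` renders `ldapbinddn=""` rather than falling back to anonymous. The `starttls: true` default with `port: 389` is the right choice; the `# Should StartTLS be used to connect` comment should add that disabling it sends user passwords to the directory in cleartext and that this template offers no ldaps (636) mode, only StartTLS on the plain port.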
|
||||
|
||||
|
|