Merge "Add audit database user for audit purposes"

2020-01-28 23:03:45 +00:00 · 2020-01-28 23:03:45 +00:00 · 376bd5c066
commit 376bd5c066
parent 844d2cd16d 914ea2bd60
3 changed files with 43 additions and 0 deletions
--- a/postgresql/templates/secret-audit.yaml
+++ b/postgresql/templates/secret-audit.yaml
@ -0,0 +1,26 @@
+{{/*
+Copyright 2020 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- if .Values.manifests.secret_audit }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Values.secrets.postgresql.audit }}
+type: Opaque
+data:
+  AUDIT_PASSWORD: {{ .Values.endpoints.postgresql.auth.audit.password | b64enc }}
+{{- end }}
--- a/postgresql/templates/statefulset.yaml
+++ b/postgresql/templates/statefulset.yaml
@ -332,6 +332,18 @@ spec:
              value: $(PATRONI_SUPERUSER_PASSWORD)
            - name: PATRONI_{{ .Values.endpoints.postgresql.auth.admin.username }}_OPTIONS
              value: 'createrole,createdb'
+{{- if .Values.manifests.secret_audit }}
+            - name: AUDIT_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.secrets.postgresql.audit }}
+                  key: AUDIT_PASSWORD
+            # Adding the audit user with no options just adds the user without
+            # any GRANTs. This means the user gets to do only what default
+            # PUBLIC permissions allow, which is only to SELECT from tables.
+            - name: PATRONI_{{ .Values.endpoints.postgresql.auth.audit.username }}_PASSWORD
+              value: $(AUDIT_PASSWORD)
+{{- end }}
            - name: PGSSLROOTCERT
              value: {{ .Values.secrets.pki.client_cert_path }}/ca.crt
            - name: PGSSLCERT
--- a/postgresql/values.yaml
+++ b/postgresql/values.yaml
@ -378,6 +378,7 @@ secrets:
    replica: postgresql-replication-pki
    server: postgresql-server-pki
    exporter: postgresql-exporter
+    audit: postgresql-audit

 endpoints:
  cluster_domain_suffix: cluster.local
@ -403,6 +404,9 @@ endpoints:
      exporter:
        username: psql_exporter
        password: psql_exp_pass
+      audit:
+        username: audit
+        password: password
    hosts:
      default: postgresql
    host_fqdn_override:
@ -445,6 +449,7 @@ manifests:
  secret_replica: true
  secret_server: true
  secret_etc: true
+  secret_audit: true
  service: true
  statefulset: true
  cron_job_postgresql_backup: false