Merge "Add audit database user for audit purposes"
This commit is contained in:
Zuul
Gerrit Code Review
commit
376bd5c066
postgresql
26
postgresql/templates/secret-audit.yaml
Normal file
26
postgresql/templates/secret-audit.yaml
Normal file
@ -0,0 +1,26 @@
|
|||||||
|
{{/*
|
||||||
|
Copyright 2020 The Openstack-Helm Authors.
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
*/}}
|
||||||
|
{{- if .Values.manifests.secret_audit }}
|
||||||
|
{{- $envAll := . }}
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Secret
|
||||||
|
metadata:
|
||||||
|
name: {{ .Values.secrets.postgresql.audit }}
|
||||||
|
type: Opaque
|
||||||
|
data:
|
||||||
|
AUDIT_PASSWORD: {{ .Values.endpoints.postgresql.auth.audit.password | b64enc }}
|
||||||
|
{{- end }}
|
||||||
@ -332,6 +332,18 @@ spec:
|
|||||||
value: $(PATRONI_SUPERUSER_PASSWORD)
|
value: $(PATRONI_SUPERUSER_PASSWORD)
|
||||||
- name: PATRONI_{{ .Values.endpoints.postgresql.auth.admin.username }}_OPTIONS
|
- name: PATRONI_{{ .Values.endpoints.postgresql.auth.admin.username }}_OPTIONS
|
||||||
value: 'createrole,createdb'
|
value: 'createrole,createdb'
|
||||||
|
{{- if .Values.manifests.secret_audit }}
|
||||||
|
- name: AUDIT_PASSWORD
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: {{ .Values.secrets.postgresql.audit }}
|
||||||
|
key: AUDIT_PASSWORD
|
||||||
|
# Adding the audit user with no options just adds the user without
|
||||||
|
# any GRANTs. This means the user gets to do only what default
|
||||||
|
# PUBLIC permissions allow, which is only to SELECT from tables.
|
||||||
|
- name: PATRONI_{{ .Values.endpoints.postgresql.auth.audit.username }}_PASSWORD
|
||||||
|
value: $(AUDIT_PASSWORD)
|
||||||
|
{{- end }}
|
||||||
- name: PGSSLROOTCERT
|
- name: PGSSLROOTCERT
|
||||||
value: {{ .Values.secrets.pki.client_cert_path }}/ca.crt
|
value: {{ .Values.secrets.pki.client_cert_path }}/ca.crt
|
||||||
- name: PGSSLCERT
|
- name: PGSSLCERT
|
||||||
|
|||||||
@ -378,6 +378,7 @@ secrets:
|
|||||||
replica: postgresql-replication-pki
|
replica: postgresql-replication-pki
|
||||||
server: postgresql-server-pki
|
server: postgresql-server-pki
|
||||||
exporter: postgresql-exporter
|
exporter: postgresql-exporter
|
||||||
|
audit: postgresql-audit
|
||||||
|
|
||||||
endpoints:
|
endpoints:
|
||||||
cluster_domain_suffix: cluster.local
|
cluster_domain_suffix: cluster.local
|
||||||
@ -403,6 +404,9 @@ endpoints:
|
|||||||
exporter:
|
exporter:
|
||||||
username: psql_exporter
|
username: psql_exporter
|
||||||
password: psql_exp_pass
|
password: psql_exp_pass
|
||||||
|
audit:
|
||||||
|
username: audit
|
||||||
|
password: password
|
||||||
hosts:
|
hosts:
|
||||||
default: postgresql
|
default: postgresql
|
||||||
host_fqdn_override:
|
host_fqdn_override:
|
||||||
@ -445,6 +449,7 @@ manifests:
|
|||||||
secret_replica: true
|
secret_replica: true
|
||||||
secret_server: true
|
secret_server: true
|
||||||
secret_etc: true
|
secret_etc: true
|
||||||
|
secret_audit: true
|
||||||
service: true
|
service: true
|
||||||
statefulset: true
|
statefulset: true
|
||||||
cron_job_postgresql_backup: false
|
cron_job_postgresql_backup: false
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user