Add audit database user for audit purposes

This commit adds an audit user to the postgresql database which
will have only SELECT privileges on the postgresql database tables.
This is accomplished by setting up audit user creation parameters
in the Patroni bootstrap environment settings, according to (1).

(1) https://patroni.readthedocs.io/en/latest/ENVIRONMENT.html

Change-Id: Idf1cd90b5d093f12fa4a3c5c794d4b5bbc6c8831
This commit is contained in:
Koffi Nogbe 2019-09-04 09:57:57 -04:00 committed by Cliff Parsons
parent de5dd82ff8
commit 914ea2bd60
3 changed files with 43 additions and 0 deletions

View File

@ -0,0 +1,26 @@
{{/*
Copyright 2020 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.secret_audit }}
{{- $envAll := . }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ .Values.secrets.postgresql.audit }}
type: Opaque
data:
AUDIT_PASSWORD: {{ .Values.endpoints.postgresql.auth.audit.password | b64enc }}
{{- end }}

View File

@ -332,6 +332,18 @@ spec:
value: $(PATRONI_SUPERUSER_PASSWORD) value: $(PATRONI_SUPERUSER_PASSWORD)
- name: PATRONI_{{ .Values.endpoints.postgresql.auth.admin.username }}_OPTIONS - name: PATRONI_{{ .Values.endpoints.postgresql.auth.admin.username }}_OPTIONS
value: 'createrole,createdb' value: 'createrole,createdb'
{{- if .Values.manifests.secret_audit }}
- name: AUDIT_PASSWORD
valueFrom:
secretKeyRef:
name: {{ .Values.secrets.postgresql.audit }}
key: AUDIT_PASSWORD
# Adding the audit user with no options just adds the user without
# any GRANTs. This means the user gets to do only what default
# PUBLIC permissions allow, which is only to SELECT from tables.
- name: PATRONI_{{ .Values.endpoints.postgresql.auth.audit.username }}_PASSWORD
value: $(AUDIT_PASSWORD)
{{- end }}
- name: PGSSLROOTCERT - name: PGSSLROOTCERT
value: {{ .Values.secrets.pki.client_cert_path }}/ca.crt value: {{ .Values.secrets.pki.client_cert_path }}/ca.crt
- name: PGSSLCERT - name: PGSSLCERT

View File

@ -378,6 +378,7 @@ secrets:
replica: postgresql-replication-pki replica: postgresql-replication-pki
server: postgresql-server-pki server: postgresql-server-pki
exporter: postgresql-exporter exporter: postgresql-exporter
audit: postgresql-audit
endpoints: endpoints:
cluster_domain_suffix: cluster.local cluster_domain_suffix: cluster.local
@ -403,6 +404,9 @@ endpoints:
exporter: exporter:
username: psql_exporter username: psql_exporter
password: psql_exp_pass password: psql_exp_pass
audit:
username: audit
password: password
hosts: hosts:
default: postgresql default: postgresql
host_fqdn_override: host_fqdn_override:
@ -445,6 +449,7 @@ manifests:
secret_replica: true secret_replica: true
secret_server: true secret_server: true
secret_etc: true secret_etc: true
secret_audit: true
service: true service: true
statefulset: true statefulset: true
cron_job_postgresql_backup: false cron_job_postgresql_backup: false