Skip to content

Add patroni allowlist support

DJ Mountney requested to merge patroni-allowlist into master

What does this MR do?

Adds support for providing the restapi allowlist for patroni. This was a feature added in the 2.1.0 of patroni, for 'unsafe rest api endpoints'. This applies to the same endpoints that the basic auth support does.

Related issues

Closes: #6260 (closed)

Testing

  • Setup multi-node patroni cluster
    • Note, if you want to test the allowlist_include_members flag, its best to specify the patroni['listen_address'] to be a specific IP of each node, otherwise patroni will listen on all interfaces, and only the first will be added to the allowlist, which might be the ipv6 address)
  • Default setup
    • Confirm that rest api writes can be made between patroni nodes
    • curl -s -XPATCH -d '{"ttl":35}' http://database-ip-1:8008/config (hit a different endpoint from the node you are on)
  • allowlist set to local and include members false patroni['allowlist'] = ['127.0.0.0/24']; patroni['allowlist_include_members'] = false
    • Confirm that rest api writes cannot be made between patroni nodes
    • access denied curl -s -XPATCH -d '{"ttl":35}' http://database-ip-1:8008/config
  • allowlist set to local and include members true patroni['allowlist'] = ['127.0.0.0/24']; patroni['allowlist_include_members'] = true
    • Confirm that rest api writes can be made between patroni nodes
    • writes cannot be made from other nodes (like pgbouncer)
    • curl -s -XPATCH -d '{"ttl":35}' http://database-ip-1:8008/config
  • allowlist set to specific IPs that have access patroni['allowlist'] = ['127.0.0.0/24', '172.18.0.30/32']
    • Confirm that rest api write can be made from the node that was added and not other nodes. (For example add the pgbouncer node to the allowlist, and try writes from there with this config)
    • curl -s -XPATCH -d '{"ttl":35}' http://database-ip-1:8008/config

Checklist

See Definition of done.

For anything in this list which will not be completed, please provide a reason in the MR discussion

Required

  • Merge Request Title, and Description are up to date, accurate, and descriptive
  • MR targeting the appropriate branch
  • MR has a green pipeline on GitLab.com
  • Pipeline is green on dev.gitlab.org if the change is touching anything besides documentation or internal cookbooks
  • trigger-package has a green pipeline running against latest commit

Expected (please provide an explanation if not completing)

  • Test plan indicating conditions for success has been posted and passes
  • Documentation created/updated
  • Tests added
  • Integration tests added to GitLab QA
  • Equivalent MR/issue for the GitLab Chart opened
Edited by DJ Mountney

Merge request reports

Loading