Add patroni allowlist support
What does this MR do?
Adds support for providing the REST API allowlist for patroni. This was a feature added in patroni 2.1.0 for the 'unsafe REST API endpoints'. It applies to the same endpoints that the basic auth support does.
Related issues
Closes: #6260
Testing
- Set up a multi-node patroni cluster
  - Note: if you want to test the `allowlist_include_members` flag, it is best to set `patroni['listen_address']` to a specific IP on each node; otherwise patroni listens on all interfaces and only the first address is added to the allowlist, which might be the IPv6 address.
- Default setup
  - Confirm that REST API writes can be made between patroni nodes (hit a different endpoint from the node you are on):
    `curl -s -XPATCH -d '{"ttl":35}' http://database-ip-1:8008/config`
- Allowlist set to local and include members false: `patroni['allowlist'] = ['127.0.0.0/24']; patroni['allowlist_include_members'] = false`
  - Confirm that REST API writes cannot be made between patroni nodes (access denied):
    `curl -s -XPATCH -d '{"ttl":35}' http://database-ip-1:8008/config`
- Allowlist set to local and include members true: `patroni['allowlist'] = ['127.0.0.0/24']; patroni['allowlist_include_members'] = true`
  - Confirm that REST API writes can be made between patroni nodes, but cannot be made from other nodes (like pgbouncer):
    `curl -s -XPATCH -d '{"ttl":35}' http://database-ip-1:8008/config`
- Allowlist set to specific IPs that have access: `patroni['allowlist'] = ['127.0.0.0/24', '172.18.0.30/32']`
  - Confirm that a REST API write can be made from the node that was added and not from other nodes (for example, add the pgbouncer node to the allowlist and try writes from there with this config):
    `curl -s -XPATCH -d '{"ttl":35}' http://database-ip-1:8008/config`
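To make the expected outcome of each step in the test plan explicit, here is an added model of the allowlist decision (example code written for this description, not part of the MR or of Patroni itself). It assumes a constructed topology of two patroni members and one pgbouncer node, that members are added to the allowlist as single-host networks when `allowlist_include_members` is true, and that the last scenario leaves `allowlist_include_members` false.

```python
import ipaddress

# Constructed sample topology for this example (not from the MR):
# two patroni nodes and one pgbouncer node, each listening on a specific IP.
MEMBER_IPS = ["172.18.0.10", "172.18.0.11"]
PGBOUNCER_IP = "172.18.0.30"


def allowed_networks(allowlist, include_members, member_ips):
    """Networks from which writes to the unsafe REST API endpoints are accepted.

    The explicit CIDRs from patroni['allowlist'] are always included; when
    patroni['allowlist_include_members'] is true, the cluster members' REST API
    addresses are added as single-host networks (assumption for this model).
    """
    nets = [ipaddress.ip_network(cidr, strict=False) for cidr in allowlist]
    if include_members:
        nets += [ipaddress.ip_network(ip) for ip in member_ips]
    return nets


def write_allowed(allowlist, include_members, member_ips, client_ip):
    """True if a request such as PATCH /config from client_ip would be accepted.

    With no allowlist configured and members not included, the restriction is
    off and every client is accepted, matching the 'Default setup' step.
    """
    if not allowlist and not include_members:
        return True
    client = ipaddress.ip_address(client_ip)
    return any(client in net
               for net in allowed_networks(allowlist, include_members, member_ips))


def run_test_plan(member_ips=MEMBER_IPS, pgbouncer_ip=PGBOUNCER_IP):
    """Evaluate each configuration from the test plan for three request
    sources: localhost, the other patroni member, and the pgbouncer node."""
    scenarios = {
        "default": ([], False),
        "local_only": (["127.0.0.0/24"], False),
        "local_plus_members": (["127.0.0.0/24"], True),
        "local_plus_pgbouncer": (["127.0.0.0/24", f"{pgbouncer_ip}/32"], False),
    }
    sources = {"localhost": "127.0.0.1",
               "other_member": member_ips[1],
               "pgbouncer": pgbouncer_ip}
    return {name: {src: write_allowed(cidrs, inc, member_ips, ip)
                   for src, ip in sources.items()}
            for name, (cidrs, inc) in scenarios.items()}


if __name__ == "__main__":
    for name, result in run_test_plan().items():
        print(name, result)
```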
Checklist
See Definition of done.
For anything in this list which will not be completed, please provide a reason in the MR discussion
Required
- Merge Request Title, and Description are up to date, accurate, and descriptive
- MR targeting the appropriate branch
- MR has a green pipeline on GitLab.com
- Pipeline is green on dev.gitlab.org if the change is touching anything besides documentation or internal cookbooks
- trigger-package has a green pipeline running against latest commit
Expected (please provide an explanation if not completing)
- Test plan indicating conditions for success has been posted and passes
- Documentation created/updated
- Tests added
- Integration tests added to GitLab QA
- Equivalent MR/issue for the GitLab Chart opened
Edited by DJ Mountney