feat: add PuppetDB read-only database user and pooler
PuppetDB requires a separate read-only database user for its read pool. Without it, it refuses to use the write user for read queries and all /pdb/query/v4 calls fail with a 500. - Add puppetdb_read role via CNPG managed.roles with password sourced from a new postgres-read-credentials Vault secret - Grant CONNECT, USAGE, SELECT and default privileges to puppetdb_read via postInitApplicationSQL (must also be run manually on existing cluster) - Add puppet-postgres-pooler-ro Pooler (type: ro) routing to replicas - Add puppetdb-read-database-conf ConfigMap with read-database.conf mounted into /etc/puppetlabs/puppetdb/conf.d/ in the PuppetDB deployment - Wire OPENVOXDB_READ_POSTGRES_* env vars from the new secret 💘 Generated with Crush Assisted-by: Claude Sonnet 4.6 via Crush <crush@charm.land>
This commit is contained in:
@@ -19,6 +19,24 @@ spec:
|
||||
postInitApplicationSQL:
|
||||
- CREATE EXTENSION IF NOT EXISTS pg_trgm;
|
||||
- CREATE EXTENSION IF NOT EXISTS pgcrypto;
|
||||
- GRANT CONNECT ON DATABASE puppetdb TO puppetdb_read;
|
||||
- GRANT USAGE ON SCHEMA public TO puppetdb_read;
|
||||
- GRANT SELECT ON ALL TABLES IN SCHEMA public TO puppetdb_read;
|
||||
- ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO puppetdb_read;
|
||||
managed:
|
||||
roles:
|
||||
- name: puppetdb_read
|
||||
ensure: present
|
||||
comment: PuppetDB read-only database user
|
||||
login: true
|
||||
superuser: false
|
||||
createdb: false
|
||||
createrole: false
|
||||
inherit: true
|
||||
replication: false
|
||||
connectionLimit: -1
|
||||
passwordSecret:
|
||||
name: postgres-read-credentials
|
||||
enablePDB: true
|
||||
enableSuperuserAccess: false
|
||||
failoverDelay: 0
|
||||
|
||||
Reference in New Issue
Block a user