feat: add PuppetDB read-only database user and pooler
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/kubeconform Pipeline was successful

PuppetDB requires a separate read-only database user for its read pool.
Without it, it refuses to use the write user for read queries and all
/pdb/query/v4 calls fail with a 500.

- Add puppetdb_read role via CNPG managed.roles with password sourced
  from a new postgres-read-credentials Vault secret
- Grant CONNECT, USAGE, SELECT and default privileges to puppetdb_read
  via postInitApplicationSQL (must also be run manually on existing cluster)
- Add puppet-postgres-pooler-ro Pooler (type: ro) routing to replicas
- Add puppetdb-read-database-conf ConfigMap with read-database.conf
  mounted into /etc/puppetlabs/puppetdb/conf.d/ in the PuppetDB deployment
- Wire OPENVOXDB_READ_POSTGRES_* env vars from the new secret

💘 Generated with Crush

Assisted-by: Claude Sonnet 4.6 via Crush <crush@charm.land>
This commit is contained in:
2026-03-21 23:21:55 +11:00
parent b49e8d3647
commit 02051136e9
7 changed files with 106 additions and 0 deletions
+16
View File
@@ -59,6 +59,16 @@ spec:
secretKeyRef:
key: username
name: postgres-credentials
- name: OPENVOXDB_READ_POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
key: password
name: postgres-read-credentials
- name: OPENVOXDB_READ_POSTGRES_USER
valueFrom:
secretKeyRef:
key: username
name: postgres-read-credentials
securityContext:
allowPrivilegeEscalation: false
capabilities:
@@ -78,6 +88,9 @@ spec:
volumeMounts:
- mountPath: /opt/puppetlabs/server/data/puppetdb
name: puppetdb-storage
- mountPath: /etc/puppetlabs/puppetdb/conf.d/read-database.conf
name: puppetdb-read-database-conf
subPath: read-database.conf
initContainers:
- name: create-log-dir
image: docker.io/busybox:1.37
@@ -154,3 +167,6 @@ spec:
- name: puppetdb-storage
persistentVolumeClaim:
claimName: puppetserver-puppetdb-claim
- name: puppetdb-read-database-conf
configMap:
name: puppetdb-read-database-conf