This repository is part of the Triton Data Center and Manta projects. For contribution guidelines, issues, and general documentation, visit the main Triton and Manta project pages.
Waferlock is a node.js process that runs inside a Triton or Manta manatee zone ("manatee" service instances in Triton, "postgres" and "buckets-postgres" service instances in Manta) so that only explicitly allowed IPs can reach the running postgres.
The mechanism for access control is PostgreSQL's pg_hba.conf file (HBA stands for host-based authentication). Waferlock rewrites "/manatee/pg/data/pg_hba.conf" with the set of allowed IPs and sends postgres a HUP (config reload) whenever that set changes. The set of IPs to allow is gathered by polling two sources:
- Waferlock polls SAPI for the current instances of the configured service names (the `sapi_services` config var in the config template).
- Waferlock polls ZK for the domain nodes of the configured domain names (the `domains` config var in the config template).
The written config file is a base config file plus waferlock-added sections of the form:

```
# <tags>
host all all <ip> trust
host replication all <ip> trust
```
where `<tags>` indicates which SAPI and/or ZK record(s) the IP came from and `<ip>` is an IPv4 address (in CIDR format, per the PostgreSQL docs). For example:
```
# sapi:manta:buckets-postgres:eacbcaba-8b5b-4250-967a-8d2cbb7eccba, zk:/us/joyent/nightly/buckets-mdapi/2/eacbcaba-8b5b-4250-967a-8d2cbb7eccba
host all all 172.27.2.24/32 trust
host replication all 172.27.2.24/32 trust
```
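As an added illustration (not waferlock's own code), the node.js snippet below renders the file layout described above from a base config and a map of allowed IPs to their tags, validates each IP before it is written, and reports whether the rendered file differs from the current one, which is the condition under which postgres needs a HUP. The base config and the allowed-IP map are constructed sample input; the tags reuse the example record above.

```javascript
// Added illustration, not waferlock's own code: render the pg_hba.conf layout
// the README describes (base file + one tagged section per allowed IP).
const IPV4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

// Normalise an IP to CIDR form and reject anything that is not a plain IPv4
// address, so a malformed SAPI/ZK record cannot inject arbitrary HBA rules.
function toCidr(ip) {
  const [addr, prefix = '32'] = String(ip).trim().split('/');
  const m = IPV4.exec(addr);
  if (!m || m.slice(1).some((o) => Number(o) > 255)) {
    throw new Error('not an IPv4 address: ' + ip);
  }
  const bits = prefix === '' ? NaN : Number(prefix);
  if (!Number.isInteger(bits) || bits < 0 || bits > 32) {
    throw new Error('bad prefix length: ' + ip);
  }
  return `${addr}/${bits}`;
}

// allowed: { '<ip>': ['sapi:...', 'zk:...'] }. Entries and tags are sorted so
// the output is stable regardless of the order the sources were polled in.
function renderHba(base, allowed) {
  const byCidr = new Map();
  for (const [ip, tags] of Object.entries(allowed)) {
    const cidr = toCidr(ip);
    const set = byCidr.get(cidr) || new Set();
    tags.forEach((t) => set.add(t));
    byCidr.set(cidr, set);
  }
  const sections = [...byCidr.keys()].sort().map((cidr) => {
    const tags = [...byCidr.get(cidr)].sort().join(', ');
    return `# ${tags}\nhost all all ${cidr} trust\nhost replication all ${cidr} trust\n`;
  });
  return (base.endsWith('\n') ? base : base + '\n') + sections.join('');
}

// True when the file must be rewritten and postgres reloaded (HUPed).
function needsReload(current, base, allowed) {
  return renderHba(base, allowed) !== current;
}

// Constructed sample input; the tags reuse the README's example record.
const BASE = 'local all all trust\nhost all all 127.0.0.1/32 trust\n';
const ALLOWED = {
  '172.27.2.24': [
    'zk:/us/joyent/nightly/buckets-mdapi/2/eacbcaba-8b5b-4250-967a-8d2cbb7eccba',
    'sapi:manta:buckets-postgres:eacbcaba-8b5b-4250-967a-8d2cbb7eccba',
  ],
};
console.log(renderHba(BASE, ALLOWED));
```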