Enabled TLS encryption for PostgreSQL and PgBouncer #849

Merged (23 commits) on Dec 19, 2024


@klention (Contributor) commented Dec 15, 2024

Enabled TLS encryption for PostgreSQL and PGBouncer (related issue: #361)

1. Generate a self-signed OpenSSL certificate.
2. Automatically set the number of max_worker_processes and max_parallel_workers based on the system resources.

@klention klention marked this pull request as draft December 15, 2024 20:51
@klention klention marked this pull request as ready for review December 15, 2024 20:56
@vitabaks (Owner)

@klention Thank you for your contribution! Please consider my comments.

klention and others added 2 commits December 16, 2024 14:49
Co-authored-by: Vitaliy Kukharik <37010174+vitabaks@users.noreply.github.com>
@klention (Contributor, Author) commented Dec 17, 2024

@vitabaks, I updated the scripts as suggested.

Not sure though why tests failed for Debian and Ubuntu.

@vitabaks (Owner)

fatal: [10.172.0.22]: FAILED! => {"changed": false, "msg": "The directory /var/lib/postgresql/17 does not exist or the file is not a directory", "name": "/var/lib/postgresql/17"}

I think we need another path to store certificates.

@klention (Contributor, Author)

> fatal: [10.172.0.22]: FAILED! => {"changed": false, "msg": "The directory /var/lib/postgresql/17 does not exist or the file is not a directory", "name": "/var/lib/postgresql/17"}
>
> I think we need another path to store certificates.

This is strange because just one task above at line 422 creates the postgresql_data_dir directory. But, we can definitely put it somewhere else.

@vitabaks (Owner)

> This is strange because just one task above at line 422 creates the postgresql_data_dir directory. But, we can definitely put it somewhere else.

I have already fixed this, see the commits.

@vitabaks vitabaks changed the title Enabled TLS encryption for PostgreSQL and PGBouncer. Enabled TLS encryption for PostgreSQL and PgBouncer Dec 18, 2024
@vitabaks (Owner)

We also need to ensure that the certificate and key are copied to the new cluster node during scaling (add_pgnode.yml). If this is challenging for you, I’m happy to handle it.

@klention (Contributor, Author)

> We also need to ensure that the certificate and key are copied to the new cluster node during scaling (add_pgnode.yml). If this is challenging for you, I’m happy to handle it.

Here is the new commit

@klention klention marked this pull request as draft December 18, 2024 21:13
@klention klention marked this pull request as ready for review December 18, 2024 23:07
@vitabaks (Owner)

> Here is the new commit

Thanks, I made a small change (commit) and tested it, everything works!

@vitabaks vitabaks merged commit ee6454b into vitabaks:master Dec 19, 2024
15 checks passed
@klention klention deleted the tls_encryption branch December 19, 2024 12:42