From 89e2f8d816db8ccf38072975d433db53f5cd8300 Mon Sep 17 00:00:00 2001
From: Pierre Frayer <pierre.frayer@ovhcloud.com>
Date: Wed, 26 Jun 2024 12:46:24 +0200
Subject: [PATCH] feat: add [read-database] config

---
 README.md                          | 2 ++
 puppetdb/Dockerfile                | 2 ++
 puppetdb/conf.d/read-database.conf | 5 +++++
 puppetdb/docker-entrypoint.sh      | 5 +++++
 4 files changed, 14 insertions(+)
 create mode 100644 puppetdb/conf.d/read-database.conf

diff --git a/README.md b/README.md
index 27430070e..3151cc647 100644
--- a/README.md
+++ b/README.md
@@ -72,6 +72,8 @@ docker pull ghcr.io/voxpupuli/puppetdb:7.13.0-v1.2.1
 | **PUPPETDB_POSTGRES_DATABASE**          | The name of the puppetdb database in postgres<br><br>`puppetdb`                                                                         |
 | **PUPPETDB_USER**                       | The puppetdb database user<br><br>`puppetdb`                                                                                            |
 | **PUPPETDB_PASSWORD**                   | The puppetdb database password<br><br>`puppetdb`                                                                                        |
+| **PUPPETDB_READ_USER**                  | The puppetdb database read-only user<br><br>(optional)                                                                                  |
+| **PUPPETDB_READ_PASSWORD**              | The puppetdb database read-only password<br><br>(optional)                                                                              |
 | **PUPPETDB_NODE_TTL**                   | Mark as ‘expired’ nodes that haven’t seen any activity (no new catalogs, facts, or reports) in the specified amount of time<br><br>`7d` |
 | **PUPPETDB_NODE_PURGE_TTL**             | Automatically delete nodes that have been deactivated or expired for the specified amount of time<br><br>`14d`                          |
 | **PUPPETDB_REPORT_TTL**                 | Automatically delete reports that are older than the specified amount of time<br><br>`14d`                                              |
diff --git a/puppetdb/Dockerfile b/puppetdb/Dockerfile
index ae6a9ae2e..54bb8e755 100644
--- a/puppetdb/Dockerfile
+++ b/puppetdb/Dockerfile
@@ -22,6 +22,8 @@ ENV PUPPETDB_POSTGRES_HOSTNAME="postgres" \
     WAITFORCERT="" \
     PUPPETDB_USER=puppetdb \
     PUPPETDB_PASSWORD=puppetdb \
+    PUPPETDB_READ_USER="" \
+    PUPPETDB_READ_PASSWORD="" \
     PUPPETDB_NODE_TTL=7d \
     PUPPETDB_NODE_PURGE_TTL=14d \
     PUPPETDB_REPORT_TTL=14d \
diff --git a/puppetdb/conf.d/read-database.conf b/puppetdb/conf.d/read-database.conf
new file mode 100644
index 000000000..74aa211f7
--- /dev/null
+++ b/puppetdb/conf.d/read-database.conf
@@ -0,0 +1,5 @@
+read-database: {
+  subname: "//"${PUPPETDB_POSTGRES_HOSTNAME}":"${PUPPETDB_POSTGRES_PORT}"/"${PUPPETDB_POSTGRES_DATABASE}
+  username: ${PUPPETDB_READ_USER}
+  password: ${PUPPETDB_READ_PASSWORD}
+}
diff --git a/puppetdb/docker-entrypoint.sh b/puppetdb/docker-entrypoint.sh
index 33d8567a4..c0528e9be 100755
--- a/puppetdb/docker-entrypoint.sh
+++ b/puppetdb/docker-entrypoint.sh
@@ -3,6 +3,11 @@
 
 set -e
 
+# Remove optional config files if values are not set
+if [[ ( -z "$PUPPETDB_READ_USER" || -z "$PUPPETDB_READ_PASSWORD" ) && -e /etc/puppetlabs/puppetdb/conf.d/read-database.conf ]]; then
+    rm /etc/puppetlabs/puppetdb/conf.d/read-database.conf
+fi
+
 for f in /docker-entrypoint.d/*.sh; do
     echo "Running $f"
     "$f"