more postgres changes for cisoas

2025-05-11 00:08:29 +02:00 · 2025-05-11 00:08:29 +02:00 · 9b0c5d6736
commit 9b0c5d6736
parent bb2a0e0f4b
4 changed files with 23 additions and 13 deletions
--- a/cisoas-sto4-test-1.sunet.se/overlay/etc/hiera/data/local.eyaml
+++ b/cisoas-sto4-test-1.sunet.se/overlay/etc/hiera/data/local.eyaml
@ -28,4 +28,6 @@ cisoas_test_sunet_se_ssh_key: >
     c1mQHLNkpWmolLfaIR9Dp2EWdZQZCYnSv7w1pk3ndKpbIOHG48H1o1GGNhXm
     Xz/+A2dreZDWU=]

-postgres_password: ENC[PKCS7,MIIC/wYJKoZIhvcNAQcDoIIC8DCCAuwCAQAxggKHMIICgwIBADBrMFMxCzAJBgNVBAYTAlNFMQ4wDAYDVQQKDAVTVU5FVDEOMAwGA1UECwwFRVlBTUwxJDAiBgNVBAMMG2Npc29hcy1zdG80LXRlc3QtMS5zdW5ldC5zZQIUC4lF7ZXpyA0yDP19iMjUybjghZswDQYJKoZIhvcNAQEBBQAEggIAot6UD5o/Zr30xsWVKox0uHvbD4inYcnnf1qF+wlnFHc3v/4BYO6YgdqUw5983z9CKJ17S2K/PjRNs33d7ee5DVFDEjFU9/XuwOMvi1lQx+P1ej93UnneCkPPYfsyPyoMr4SksxsoaLTZY+1a9pYsCzW8XnI703yq8zYYyu0+YlJeGVXbBx7vgohq5Dhi07fqV5InxOkKVZLddV88HHYIn2r+soiY++D68zpZ9uRU6GgBtBsyeyLRB4LzxvGLpfdETKkzmXDlK19QVRBiRQNYI9QhNxEg8eutCRUnNEP4GnwccGHPpXa4Uig/wNpWN61+o8ziiGUnlY9/+Gwklm2qZFBGHGygBjqQDbJIRLS6KziEClJAOe698L1jul7RBABNKpdH6J5P9u9HR8oKaEZ0F8r22RYSAHcjsQo2wrcUcO1kidmAKZOWIBI1ovxswn6bLO8GxaE9eebTWcvBOD3Hp5ADyKTc9dlOHezCRh3uF8fBBZMqMxRTegA5REs6zQ+ItkzTAyrb/MWdjNHFdQ7GsBJDAkx+jWTeGPBKu3o2JDO1ADmYWuXddJk4FFYpy6LxvHCujIn0uGa02xatYTYQ6NEC+0aOHVuAJWpCQD2bg6up9pmHqPByKZGLggjEvx0nKkz1/HnmcoqmjQPi+gVzwkwqqXfa1acw7Ryty6XK6c8wXAYJKoZIhvcNAQcBMB0GCWCGSAFlAwQBKgQQYEWMixSMy37Qz70VaONU+IAwLgKAAxSF6btjAtSB+82dmxz4E6Du6E5RSER0XKNROLJdrELxj/K715o8ae/kX4+I]
+postgres_user_password: ENC[PKCS7,MIIC/wYJKoZIhvcNAQcDoIIC8DCCAuwCAQAxggKHMIICgwIBADBrMFMxCzAJBgNVBAYTAlNFMQ4wDAYDVQQKDAVTVU5FVDEOMAwGA1UECwwFRVlBTUwxJDAiBgNVBAMMG2Npc29hcy1zdG80LXRlc3QtMS5zdW5ldC5zZQIUC4lF7ZXpyA0yDP19iMjUybjghZswDQYJKoZIhvcNAQEBBQAEggIAot6UD5o/Zr30xsWVKox0uHvbD4inYcnnf1qF+wlnFHc3v/4BYO6YgdqUw5983z9CKJ17S2K/PjRNs33d7ee5DVFDEjFU9/XuwOMvi1lQx+P1ej93UnneCkPPYfsyPyoMr4SksxsoaLTZY+1a9pYsCzW8XnI703yq8zYYyu0+YlJeGVXbBx7vgohq5Dhi07fqV5InxOkKVZLddV88HHYIn2r+soiY++D68zpZ9uRU6GgBtBsyeyLRB4LzxvGLpfdETKkzmXDlK19QVRBiRQNYI9QhNxEg8eutCRUnNEP4GnwccGHPpXa4Uig/wNpWN61+o8ziiGUnlY9/+Gwklm2qZFBGHGygBjqQDbJIRLS6KziEClJAOe698L1jul7RBABNKpdH6J5P9u9HR8oKaEZ0F8r22RYSAHcjsQo2wrcUcO1kidmAKZOWIBI1ovxswn6bLO8GxaE9eebTWcvBOD3Hp5ADyKTc9dlOHezCRh3uF8fBBZMqMxRTegA5REs6zQ+ItkzTAyrb/MWdjNHFdQ7GsBJDAkx+jWTeGPBKu3o2JDO1ADmYWuXddJk4FFYpy6LxvHCujIn0uGa02xatYTYQ6NEC+0aOHVuAJWpCQD2bg6up9pmHqPByKZGLggjEvx0nKkz1/HnmcoqmjQPi+gVzwkwqqXfa1acw7Ryty6XK6c8wXAYJKoZIhvcNAQcBMB0GCWCGSAFlAwQBKgQQYEWMixSMy37Qz70VaONU+IAwLgKAAxSF6btjAtSB+82dmxz4E6Du6E5RSER0XKNROLJdrELxj/K715o8ae/kX4+I]
+
+postgres_user_password: ENC[PKCS7,MIIC/wYJKoZIhvcNAQcDoIIC8DCCAuwCAQAxggKHMIICgwIBADBrMFMxCzAJBgNVBAYTAlNFMQ4wDAYDVQQKDAVTVU5FVDEOMAwGA1UECwwFRVlBTUwxJDAiBgNVBAMMG2Npc29hcy1zdG80LXRlc3QtMS5zdW5ldC5zZQIUC4lF7ZXpyA0yDP19iMjUybjghZswDQYJKoZIhvcNAQEBBQAEggIAQOC2Qw0SISI3XGMSSUp3I4OQ59Fyy8ZhXCcr9AXCr3s2L5Ejctv3jOFGm+KSZmfWw/FZ2agbw+G3ZrKz4Evdj0Iwbz1bESqrdr2DPUS9URqPFzjI/ygVCEJscTZ76eg19Uo7Zq62s70eUKwawZ4XDQETvEnw6Av73GpEcIuWJrIwBMT/i9teS1nLGr6VQSUFvaCh5ypl1EYJ6LCvdDqJf4N6Jk31uh3zdTfqjsIh2g7hWzX6EU13UpFEyRYPThUDJhvNcUnKuu6WMQP45zKMP9BwnRhpFWd8fkKnxM97/r8VSqE1vU4+6ZFSkALvfqlbr4BRIflqs0VukjM45MDHpjEPNyb16CXdcPdUFv21kuTQl9hkZX6JCkfQn7OMJsneSzsflni1/hR1JOL8LQwzGzwQZ/RlqLBWUBV1/hOYFXuGGNPLAVUAqNaoWIHU7UruAmZwsQJTK43lDKXhbcjNdxeJEaczFMLIEKsOG59K0JpY8iIFptlIJ4YnXE2YloPvx6FX9+jqUsR5lAyx3nfra74DHJ4eg0zs0XWaH8htXo5ovoSXNWA0F0hTnfBmc0MvrPcfdjfyj851MKOHLIMrt3FQOUWSGgsx2Og8QpSCM/vltoQejbLI6ipM1laVMRCiGy1RnT0mloPeUxzuiWRAGcW9fRbHSWDWcuwBU0F26rIwXAYJKoZIhvcNAQcBMB0GCWCGSAFlAwQBKgQQGqPr42rm9P5Dj10A7qQFKIAwyeiz2NB4fgEabCOl4nNGp8ovG7ueC0DpmPJOQjgV9pmJ71hQN7tXqLloKQAGU3HA]
--- a/global/overlay/etc/puppet/modules/net/manifests/cisoassistant_test.pp
+++ b/global/overlay/etc/puppet/modules/net/manifests/cisoassistant_test.pp
@ -20,6 +20,12 @@ class net::cisoassistant_test ($ciso_service_name='',
      to    => 'any',
      proto => 'tcp',
    },
+    'allow_access_to_postgres' => {
+      from  => 'any',
+      port  => 5432,
+      to    => 'any',
+      proto => 'tcp',
+    },
  }
  $nftables_rules.each |$name, $params| {
    sunet::nftables::allow { $name:
@ -27,7 +33,8 @@ class net::cisoassistant_test ($ciso_service_name='',
    }
  }

-  $postgres_password = safe_hiera('postgres_password')
+  $postgres_admin_password = safe_hiera('postgres_admin_password')
+  $postgres_user_password = safe_hiera('postgres_user_password')

  if $postgres_docker_tag {

@ -37,18 +44,18 @@ class net::cisoassistant_test ($ciso_service_name='',
      compose_dir  => '/opt',
      compose_filename => 'docker-compose.yml',
      content => template('net/cisoassistant/docker-compose.yml.erb'),
+    }
  }

-  sunet::misc::create_dir { "/opt/cisoas/data/": owner => 'root', group => 'root', mode => '0755', }
  sunet::misc::create_dir { "/opt/cisoas/postgresql/": owner => 'root', group => 'root', mode => '0755', }
  sunet::misc::create_dir { "/opt/cisoas/postgresql/init/": owner => 'root', group => 'root', mode => '0755', }
  sunet::misc::create_dir { "/opt/cisoas/backup/postgres/": owner => 'root', group => 'root', mode => '0777', }

  sunet::misc::create_cfgfile { "/opt/cisoas/postgresql/init/init-db.sh":
-    content => template('net/cisoas/init-db.sh.erb'),
+    content => template('net/cisoassistant/init-db.sh.erb'),
    group   => 'root',
    mode    => '0755',
-  }
+  } ->

  file { '/opt/cisoas/update-cisoas-enterprise.sh':
    mode    => '0744',
@ -68,11 +75,12 @@ class net::cisoassistant_test ($ciso_service_name='',
    owner   => 'root',
    group   => 'root',
    content => template('net/cisoassistant/Caddyfile.erb'),
-  }
+  } ->

  sunet::scriptherder::cronjob { 'Upgrade cisoassistant images':
    cmd         => '/opt/cisoas/update-cisoas-enterprise.sh',
    weekday     => 'Saturday',
    ok_criteria => ['exit_status=0', 'max_age=10d'],
  }
-}
+
+}
--- a/global/overlay/etc/puppet/modules/net/templates/cisoassistant/docker-compose.yml.erb
+++ b/global/overlay/etc/puppet/modules/net/templates/cisoassistant/docker-compose.yml.erb
@ -20,8 +20,8 @@ services:
      - /opt/cisoas/postgresql/init/init-db.sh:/docker-entrypoint-initdb.d/init-db.sh
      - /opt/cisoas/backup/postgres:/var/lib/postgresql/backup
    environment:
-      - POSTGRES_USER=ciso-assistantuser
-      - POSTGRES_PASSWORD=<%= @postgres_password %>
+      - POSTGRES_USER=postgres
+      - POSTGRES_PASSWORD=<%= @postgres_admin_password %>

  backend:
    container_name: backend
--- a/global/overlay/etc/puppet/modules/net/templates/cisoassistant/init-db.sh.erb
+++ b/global/overlay/etc/puppet/modules/net/templates/cisoassistant/init-db.sh.erb
@ -2,8 +2,8 @@
 set -e

 psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" <<-EOSQL
-    CREATE USER ciso-assistantuser;
-    ALTER USER ciso-assistantuser WITH PASSWORD '<%= @postgres_password %>';
-    CREATE DATABASE <%= @db_name %>;
-    GRANT ALL PRIVILEGES ON DATABASE ciso-assistant TO ciso-assistantuser;
+    CREATE USER "ciso-assistantuser";
+    ALTER USER "ciso-assistantuser" WITH PASSWORD '<%= @postgres_user_password %>';
+    CREATE DATABASE "ciso-assistant";
+    GRANT ALL PRIVILEGES ON DATABASE "ciso-assistant" TO "ciso-assistantuser";
 EOSQL