Add basic security for Patroni REST API (#647)

vitabaks · May 3, 2024 · 0384a32 · 0384a32
1 parent 5f8c073
commit 0384a32
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 0 deletions.
diff --git a/roles/patroni/config/tasks/main.yml b/roles/patroni/config/tasks/main.yml
@@ -44,6 +44,8 @@
       ansible.builtin.uri:
         url: http://{{ inventory_hostname }}:{{ patroni_restapi_port }}/config
         method: PATCH
+        user: "{{ patroni_restapi_username | default(omit) }}"
+        password: "{{ patroni_restapi_password | default(omit) }}"
         body: '{"postgresql":{"parameters":{"{{ item.option }}":"{{ item.value }}"}}}'
         body_format: json
       loop: "{{ postgresql_parameters }}"
@@ -53,6 +55,8 @@
       ansible.builtin.uri:
         url: http://{{ inventory_hostname }}:{{ patroni_restapi_port }}/config
         method: PATCH
+        user: "{{ patroni_restapi_username | default(omit) }}"
+        password: "{{ patroni_restapi_password | default(omit) }}"
         body: '{"postgresql":{"parameters":{"{{ item.option }}":null}}}'
         body_format: json
       loop: "{{ postgresql_parameters }}"

diff --git a/roles/patroni/templates/patroni.yml.j2 b/roles/patroni/templates/patroni.yml.j2
@@ -25,9 +25,15 @@ restapi:
   connect_address: {{ inventory_hostname }}:{{ patroni_restapi_port }}
 #  certfile: /etc/ssl/certs/ssl-cert-snakeoil.pem
 #  keyfile: /etc/ssl/private/ssl-cert-snakeoil.key
+{% if patroni_restapi_password | default('') | length > 0 %}
+  authentication:
+      username: {{ patroni_restapi_username | default('patroni') }}
+      password: {{ patroni_restapi_password }}
+{% else %}
 #  authentication:
 #    username: username
 #    password: password
+{% endif %}
 
 {% if not dcs_exists|bool and dcs_type == 'etcd' %}
 etcd3:

diff --git a/roles/update/tasks/switchover.yml b/roles/update/tasks/switchover.yml
@@ -3,6 +3,8 @@
   ansible.builtin.uri:
     url: http://{{ inventory_hostname }}:{{ patroni_restapi_port }}/switchover
     method: POST
+    user: "{{ patroni_restapi_username | default(omit) }}"
+    password: "{{ patroni_restapi_password | default(omit) }}"
     body: '{"leader":"{{ ansible_hostname }}"}'
     body_format: json
   register: patroni_switchover_result

diff --git a/vars/main.yml b/vars/main.yml
@@ -339,6 +339,8 @@ pgbouncer_pools:
 # Extended variables (optional)
 patroni_restapi_listen_addr: "0.0.0.0" # Listen on all interfaces. Or use "{{ inventory_hostname }}" to listen on a specific IP address.
 patroni_restapi_port: 8008
+patroni_restapi_username: "patroni"
+patroni_restapi_password: "restapi-pass"  # please change password
 patroni_ttl: 30
 patroni_loop_wait: 10
 patroni_retry_timeout: 10