Add patroni allowlist to documentation

Use the allowlist wherever we also have PostgreSQL trust addresses, and Patroni together.

Add patroni allowlist to documentation
Use the allowlist wherever we also have PostgreSQL trust addresses, and Patroni together.
ff0a08f3 · DJ Mountney · 1cc201fd · ff0a08f3 · ff0a08f3 · ff0a08f3
Commit ff0a08f3 authored Jul 23, 2021 by DJ Mountney
7 changed files
--- a/doc/administration/geo/setup/database.md
+++ b/doc/administration/geo/setup/database.md
@@ -571,6 +571,13 @@ Leader instance**:
   patroni['password'] = 'PATRONI_API_PASSWORD'
   patroni['replication_password'] = 'PLAIN_TEXT_POSTGRESQL_REPLICATION_PASSWORD'

+   # Add all patroni nodes to the allowlist
+   patroni['allowlist'] = %w[
+     127.0.0.1/32
+     PATRONI_PRIMARY1_IP/32 PATRONI_PRIMARY2_IP/32 PATRONI_PRIMARY3_IP/32
+     PATRONI_SECONDARY1_IP/32 PATRONI_SECONDARY2_IP/32 PATRONI_SECONDARY3_IP/32
+   ]
+
   # We list all secondary instances as they can all become a Standby Leader
   postgresql['md5_auth_cidr_addresses'] = %w[
     PATRONI_PRIMARY1_IP/32 PATRONI_PRIMARY2_IP/32 PATRONI_PRIMARY3_IP/32 PATRONI_PRIMARY_PGBOUNCER/32
@@ -725,6 +732,13 @@ For each Patroni instance on the secondary site:
     # Any other instance that needs access to the database as per documentation
   ]

+
+   # Add patroni nodes to the allowlist
+   patroni['allowlist'] = %w[
+     127.0.0.1/32
+     PATRONI_SECONDARY1_IP/32 PATRONI_SECONDARY2_IP/32 PATRONI_SECONDARY3_IP/32
+   ]
+
   patroni['standby_cluster']['enable'] = true
   patroni['standby_cluster']['host'] = 'INTERNAL_LOAD_BALANCER_PRIMARY_IP'
   patroni['standby_cluster']['port'] = INTERNAL_LOAD_BALANCER_PRIMARY_PORT
@@ -903,6 +917,12 @@ For each Patroni instance on the secondary site for the tracking database:
      # Any other instance that needs access to the database as per documentation
   ]

+   # Add patroni nodes to the allowlist
+   patroni['allowlist'] = %w[
+     127.0.0.1/32
+     PATRONI_TRACKINGDB1_IP/32 PATRONI_TRACKINGDB2_IP/32 PATRONI_TRACKINGDB3_IP/32
+   ]
+
   # Patroni configuration
   patroni['username'] = 'PATRONI_API_USERNAME'
   patroni['password'] = 'PATRONI_API_PASSWORD'

--- a/doc/administration/postgresql/replication_and_failover.md
+++ b/doc/administration/postgresql/replication_and_failover.md
@@ -257,6 +257,9 @@ patroni['postgresql']['max_replication_slots'] = X
 # available database connections.
 patroni['postgresql']['max_wal_senders'] = X+1

+# Replace XXX.XXX.XXX.XXX/YY with Network Addresses for your other patroni nodes
+patroni['allowlist'] = %w(XXX.XXX.XXX.XXX/YY 127.0.0.1/32)
+
 # Replace XXX.XXX.XXX.XXX/YY with Network Address
 postgresql['trust_auth_cidr_addresses'] = %w(XXX.XXX.XXX.XXX/YY 127.0.0.1/32)

@@ -572,6 +575,7 @@ patroni['password'] = 'PATRONI_API_PASSWORD'
 patroni['postgresql']['max_replication_slots'] = 6
 patroni['postgresql']['max_wal_senders'] = 7

+patroni['allowlist'] = = %w(10.6.0.0/16 127.0.0.1/32)
 postgresql['trust_auth_cidr_addresses'] = %w(10.6.0.0/16 127.0.0.1/32)

 # Configure the Consul agent
@@ -664,6 +668,7 @@ patroni['password'] = 'PATRONI_API_PASSWORD'
 # available database connections.
 patroni['postgresql']['max_wal_senders'] = 7

+patroni['allowlist'] = = %w(10.6.0.0/16 127.0.0.1/32)
 postgresql['trust_auth_cidr_addresses'] = %w(10.6.0.0/16 127.0.0.1/32)

 consul['configuration'] = {

--- a/doc/administration/reference_architectures/10k_users.md
+++ b/doc/administration/reference_architectures/10k_users.md
@@ -601,7 +601,10 @@ in the second step, do not supply the `EXTERNAL_URL` value.
   patroni['username'] = '<patroni_api_username>'
   patroni['password'] = '<patroni_api_password>'

-   # Replace XXX.XXX.XXX.XXX/YY with Network Address
+   # Replace 10.6.0.0/24 with Network Addresses for your other patroni nodes
+   patroni['allowlist'] = %w(10.6.0.0/24 127.0.0.1/32)
+
+   # Replace 10.6.0.0/24 with Network Address
   postgresql['trust_auth_cidr_addresses'] = %w(10.6.0.0/24 127.0.0.1/32)

   # Set the network addresses that the exporters will listen on for monitoring

--- a/doc/administration/reference_architectures/25k_users.md
+++ b/doc/administration/reference_architectures/25k_users.md
@@ -603,7 +603,10 @@ in the second step, do not supply the `EXTERNAL_URL` value.
   patroni['username'] = '<patroni_api_username>'
   patroni['password'] = '<patroni_api_password>'

-   # Replace XXX.XXX.XXX.XXX/YY with Network Address
+   # Replace 10.6.0.0/24 with Network Addresses for your other patroni nodes
+   patroni['allowlist'] = %w(10.6.0.0/24 127.0.0.1/32)
+
+   # Replace 10.6.0.0/24 with Network Address
   postgresql['trust_auth_cidr_addresses'] = %w(10.6.0.0/24 127.0.0.1/32)

   # Set the network addresses that the exporters will listen on for monitoring

--- a/doc/administration/reference_architectures/3k_users.md
+++ b/doc/administration/reference_architectures/3k_users.md
@@ -883,7 +883,10 @@ in the second step, do not supply the `EXTERNAL_URL` value.
   patroni['username'] = '<patroni_api_username>'
   patroni['password'] = '<patroni_api_password>'

-   # Replace XXX.XXX.XXX.XXX/YY with Network Address
+   # Replace 10.6.0.0/24 with Network Addresses for your other patroni nodes
+   patroni['allowlist'] = %w(10.6.0.0/24 127.0.0.1/32)
+
+   # Replace 10.6.0.0/24 with Network Address
   postgresql['trust_auth_cidr_addresses'] = %w(10.6.0.0/24 127.0.0.1/32)

   # Set the network addresses that the exporters will listen on for monitoring

--- a/doc/administration/reference_architectures/50k_users.md
+++ b/doc/administration/reference_architectures/50k_users.md
@@ -611,7 +611,10 @@ in the second step, do not supply the `EXTERNAL_URL` value.
   patroni['username'] = '<patroni_api_username>'
   patroni['password'] = '<patroni_api_password>'

-   # Replace XXX.XXX.XXX.XXX/YY with Network Address
+   # Replace 10.6.0.0/24 with Network Addresses for your other patroni nodes
+   patroni['allowlist'] = %w(10.6.0.0/24 127.0.0.1/32)
+
+   # Replace 10.6.0.0/24 with Network Address
   postgresql['trust_auth_cidr_addresses'] = %w(10.6.0.0/24 127.0.0.1/32)

   # Set the network addresses that the exporters will listen on for monitoring

--- a/doc/administration/reference_architectures/5k_users.md
+++ b/doc/administration/reference_architectures/5k_users.md
@@ -874,7 +874,10 @@ in the second step, do not supply the `EXTERNAL_URL` value.
   patroni['username'] = '<patroni_api_username>'
   patroni['password'] = '<patroni_api_password>'

-   # Replace XXX.XXX.XXX.XXX/YY with Network Address
+   # Replace 10.6.0.0/24 with Network Addresses for your other patroni nodes
+   patroni['allowlist'] = %w(10.6.0.0/24 127.0.0.1/32)
+
+   # Replace 10.6.0.0/24 with Network Address
   postgresql['trust_auth_cidr_addresses'] = %w(10.6.0.0/24 127.0.0.1/32)

   # Set the network addresses that the exporters will listen on for monitoring