Patroni¶
PostgreSQL high availability is achieved by using the patroni plugin of
pglift. This needs to be set up through a non-null value for the
patroni key in site settings:
patroni: {}
With the above settings, pglift assumes that an open etcd server is
available at 127.0.0.1:2379. It may be required to configure the etcd
hosts address:
patroni:
etcd:
hosts:
- 192.168.60.21:2379
- 192.168.60.21:2380
Settings and Patroni configuration¶
The Patroni configuration file is generated from configuration managed by pglift (based on settings and arguments) and from a template which may be overridden.
The patroni.yaml template contains this configuration by
default:
---
bootstrap:
dcs:
loop_wait: 10
watchdog:
mode: 'off'
The configuration managed by pglift always takes precedence to ensure proper functionality, while additional user inputs enrich the configuration.
Security¶
Protecting Etcd¶
Through site settings, it is possible to secure communication between Patroni and etcd via TLS.
The settings would look like the following:
patroni:
[…]
etcd:
protocol: https
cacert: /path/to/cacert.crt
cert: /path/to/client.crt
key: /path/to/client.key
Those settings are actually copied to the etcd section in Patroni YAML configuration file that pglift generates at instance creation.
At least the protocol: https should be specified to require TLS encryption
from Patroni to Etcd. Unless the root certificate for the authority is
available in system’s store, the cacert should be specified as well.
Then, client certificates cert and key can be specified to enable TLS
authentication provided that the etcd server runs with client certificate
authentication enabled (--client-cert-auth and --trusted-ca-file
command-line options for etcd); this configuration provides a global
authentication, but no role-based security.
For role-based authorization, the etcd server must have roles and users
defined and authentication enabled. Then, at instance setup, the
--patroni-etcd-{username,password} command-line options of pglift
instance create should be used to configure the connection user to etcd.
Warning
Basic authentication works by writing Etcd username and password to the
Patroni YAML configuration; pglift generates the file with owner-read
permission 600 though.
Note
Basic authentication takes precedence on the client certificates method so both methods should not be used together.
Protecting the REST API¶
To secure the patroni’s REST API, the following parameters can be set:
patroni:
[…]
restapi:
cafile: /path/to/cacert.crt
certfile: /path/to/client.crt
keyfile: /path/to/client.key
verify_client: optional
verify_client must be set to either required or optional if
certificates are set. Please refer to patroni’ s official documentation.
Basic authentication can be configured when creating an instance with
the pglift instance create command. To enable such authentication the
--patroni-restapi-authentication-{username,password} options should be
used.
Those parameters are actually copied to the restapi.authentication section
in Patroni YAML configuration file that pglift generates at instance creation.
Warning
Basic authentication should be used with transport-level encryption for proper security. It is strongly recommended to configure TLS certificates when using those authentication options.
Watchdog support¶
One can activate watchdog devices support via site settings. Please refer to patroni configuration and watchdog documentation.
Here’s an example of settings for watchdog:
patroni:
[…]
watchdog:
mode: required
device: /dev/watchdog
safety_margin: 5
pg_rewind support¶
pg_rewind can be activated by adding the following settings:
patroni:
[…]
postgresql:
use_pg_rewind: true
The corresponding setting will go in the patroni.postgresql section in patroni configuration file.