
gitlab.com/gitlab-org/gitaly.git - Unnamed repository; edit this file 'description' to name the repository.
authorPavlo Strokov <pstrokov@gitlab.com>2020-12-30 13:19:03 +0300
committerPavlo Strokov <pstrokov@gitlab.com>2020-12-30 13:19:03 +0300
commit441ac39f2b30926040c3795443208433f38e7d97 (patch)
treecb5fac9140dc3e6ce034e6dbd4abed14a7188bef /_support/terraform
parent666ac9ff4149cc9d8e25cadee708717958a04ef1 (diff)
Demo: configuration of direct connection to Postgres
With the introduction of the database notifications listener, we need to configure a direct connection between praefect and postgres, as PgBouncer can't serve the LISTEN operation with transaction-scoped configuration. This change adds the praefect instances' IPs to the list of allowed IPs of the Postgres database, so each praefect is allowed to connect directly to it. Closes: https://gitlab.com/gitlab-org/gitaly/-/issues/3354
Diffstat (limited to '_support/terraform')
-rw-r--r--_support/terraform/roles/deploy/templates/hosts.ini.j21
-rw-r--r--_support/terraform/roles/praefect/templates/praefect-gitlab.rb.j22
-rw-r--r--_support/terraform/terraform/main.tf16
3 files changed, 18 insertions, 1 deletions
diff --git a/_support/terraform/roles/deploy/templates/hosts.ini.j2 b/_support/terraform/roles/deploy/templates/hosts.ini.j2
index dbce0ae1c..0bd714119 100644
--- a/_support/terraform/roles/deploy/templates/hosts.ini.j2
+++ b/_support/terraform/roles/deploy/templates/hosts.ini.j2
@@ -10,6 +10,7 @@
[databases]
{{ tfstate.outputs.praefect_pgbouncer_ip.value }}
+{{ tfstate.outputs.praefect_postgres_ip.value }}
[gitlabs]
{{ tfstate.outputs.gitlab_external_ip.value }} internal={{ tfstate.outputs.gitlab_internal_ip.value }}
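Review bot: The new `praefect_postgres_ip` entry under `[databases]` is identified only by its position, and the praefect template in this same commit reads it back as `groups['databases'][1]`. Reordering the group or adding another host to it would silently point the direct connection at the wrong address. A dedicated group, for example `[postgres]` containing `{{ tfstate.outputs.praefect_postgres_ip.value }}`, would make the lookup explicit. It would also keep the managed database address out of a group that plays may target as an SSH host, if any play runs against `databases` (not visible in this hunk).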
diff --git a/_support/terraform/roles/praefect/templates/praefect-gitlab.rb.j2 b/_support/terraform/roles/praefect/templates/praefect-gitlab.rb.j2
index 6a06d1322..ba6df2d92 100644
--- a/_support/terraform/roles/praefect/templates/praefect-gitlab.rb.j2
+++ b/_support/terraform/roles/praefect/templates/praefect-gitlab.rb.j2
@@ -31,6 +31,8 @@ praefect['database_user'] = 'praefect'
praefect['database_password'] = '{{ praefect_sql_password }}'
praefect['database_dbname'] = 'praefect_production'
praefect['database_sslmode'] = 'disable'
+praefect['database_host_no_proxy'] = '{{ groups['databases'][1] }}'
+praefect['database_port_no_proxy'] = 5432
# Name of storage hash must match storage name in git_data_dirs on GitLab
# server ('praefect') and in git_data_dirs on Gitaly nodes ('gitaly-1')
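Review bot: The direct connection added by `database_host_no_proxy` sits directly under `praefect['database_sslmode'] = 'disable'`, and the host it resolves to is the SQL instance's `public_ip_address` (the new `praefect_postgres_ip` output in main.tf). If that sslmode also governs the no-proxy connection, which looks likely since no separate setting is visible, the `praefect` password and all session traffic would cross a public address in cleartext. Consider `praefect['database_sslmode'] = 'require'` or stricter, after confirming the PgBouncer path accepts TLS too. A comment such as `# Direct (non-PgBouncer) connection used for LISTEN; groups['databases'][1] is the Cloud SQL address` above the two new lines would also explain the bare index.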
diff --git a/_support/terraform/terraform/main.tf b/_support/terraform/terraform/main.tf
index 5482359fb..92c38127b 100644
--- a/_support/terraform/terraform/main.tf
+++ b/_support/terraform/terraform/main.tf
@@ -51,9 +51,19 @@ resource "google_sql_database_instance" "praefect_sql" {
ipv4_enabled = true
authorized_networks {
- name = "allow-all-inbound"
+ name = "allow-${google_compute_address.pgbouncer.name}"
value = google_compute_address.pgbouncer.address
}
+
+ dynamic authorized_networks {
+ for_each = google_compute_instance.praefect
+ iterator = praefects
+
+ content {
+ name = "allow-${praefects.value.name}"
+ value = praefects.value.network_interface.0.access_config.0.nat_ip
+ }
+ }
}
}
}
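Review bot: The dynamic `authorized_networks` block allowlists each praefect's `network_interface.0.access_config.0.nat_ip`, which is an ephemeral external address unless the instance pins a reserved one (the `google_compute_instance.praefect` definition is outside this hunk). An ephemeral address can change on restart, which would break the direct connection and leave the previous address allowlisted on an instance with `ipv4_enabled = true` until the next apply. Reserving a `google_compute_address` per praefect, as is already done for pgbouncer, or moving the database to private IP would avoid that. If public access stays, `require_ssl = true` next to `ipv4_enabled` would make the instance reject unencrypted clients. The resource block begins before this hunk, so other settings in it are not visible here.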
@@ -62,6 +72,10 @@ output "praefect_pgbouncer_ip" {
value = module.pgbouncer.private_ip_address
}
+output "praefect_postgres_ip" {
+ value = google_sql_database_instance.praefect_sql.public_ip_address
+}
+
resource "google_sql_user" "users" {
name = "praefect"
instance = google_sql_database_instance.praefect_sql.name