Override foreman-installer to allow remote PostgreSQL access using custom-hiera.yaml

You might want to allow remote PostgreSQL access for various reasons (development, monitoring, backup…), but if you modify pg_hba.conf yourself, foreman-installer will overwrite it on the next upgrade.

The proper way to do this is to override the Puppet config generated by foreman-installer using /etc/foreman-installer/custom-hiera.yaml

Add the following configuration:

# PostgreSQL access for debugging/development
postgresql::server::listen_addresses:
  - '*'
postgresql::server::pg_hba_rules:
  allow_subnet_1:
    description: Allow subnet 1
    type: host
    address: 192.168.122.0/24
    database: foreman
    user: foreman
    auth_method: md5
    order: 201
  allow_subnet_2:
    description: Allow subnet 2
    type: host
    address: 192.168.123.0/24
    database: foreman
    user: foreman
    auth_method: md5
    order: 202

Then, run foreman-installer again.

In postgresql.conf, listen_addresses will be set to * so PostgreSQL is bound on all network interfaces, and in pg_hba.conf you will see the following rules being added:

# Rule Name: allow_subnet_1
# Description: Allow subnet 1
# Order: 201
host	foreman	foreman	192.168.122.0/24	md5	

# Rule Name: allow_subnet_2
# Description: Allow subnet 2
# Order: 202
host	foreman	foreman	192.168.123.0/24	md5

Quick note about rolling back such a change:

Removing the postgresql::server::pg_hba_rules: entries will clear them from pg_hba.conf, but commenting out or removing postgresql::server::listen_addresses will NOT update the change in postgresql.conf; the previous value will stay. If you want to disable wildcard binding and revert PostgreSQL behavior to what it was, replace '*' with 'localhost'.
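
A check to run after foreman-installer applies or rolls back these rules (an added example, not part of the original post or of Foreman): it parses pg_hba.conf text and lists every non-loopback host rule, flagging any whose subnet is not one declared in custom-hiera.yaml. The sample file contents, including the extra 0.0.0.0/0 trust line, are constructed, and the names audit_pg_hba and EXPECTED are hypothetical.

```python
import ipaddress

# Constructed sample: the two rules shown above plus one rule nobody declared.
SAMPLE_PG_HBA = """\
local   all     postgres                        peer
host    all     all     127.0.0.1/32            md5
# Rule Name: allow_subnet_1
host\tforeman\tforeman\t192.168.122.0/24\tmd5\t
# Rule Name: allow_subnet_2
host\tforeman\tforeman\t192.168.123.0/24\tmd5
host    all     all     0.0.0.0/0               trust
"""

EXPECTED = ["192.168.122.0/24", "192.168.123.0/24"]  # subnets from custom-hiera.yaml
NO_SECRET_CHECK = {"trust", "password"}  # no authentication / cleartext password

def audit_pg_hba(text, expected=EXPECTED):
    """Return (line_no, address, method, problems) for each remote host* rule."""
    allowed = [ipaddress.ip_network(n) for n in expected]
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()
        if len(fields) < 5 or not fields[0].startswith("host"):
            continue  # blank line, comment, or local (Unix socket) rule
        addr, method = fields[3], fields[4]
        try:
            if "/" not in addr:
                raise ValueError(addr)
            net = ipaddress.ip_network(addr, strict=False)
        except ValueError:
            # hostname, keyword (all, samenet) or separate IP + mask columns
            findings.append((no, addr, None, ["address not in CIDR form"]))
            continue
        if net.is_loopback:
            continue
        problems = []
        if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
            problems.append("subnet not in expected list")
        if method in NO_SECRET_CHECK:
            problems.append(f"auth method '{method}' does not protect the password")
        findings.append((no, str(net), method, problems))
    return findings

if __name__ == "__main__":
    # On a real host, pass the contents of the pg_hba.conf in the PostgreSQL data directory.
    for no, addr, method, problems in audit_pg_hba(SAMPLE_PG_HBA):
        print(f"line {no}: {addr} {method} -> {'; '.join(problems) or 'ok'}")
```

After a rollback, pass `expected=[]` so that any remaining remote rule is reported.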