Securing the software

Follow these steps to secure all the software applications that are running on your HA cluster setup.

About this task

The following software applications require security setup:
  • etcd
  • Patroni
  • PostgreSQL

Procedure

  • On Node Type 2 where etcd is installed, edit the etcd configuration file:
    • Add the following lines:
      ETCD_CLIENT_CERT_AUTH=true
      ETCD_TRUSTED_CA_FILE=<PATH>/rootCA.crt
      ETCD_CERT_FILE=<PATH>/<SERVER_NAME>.crt
      ETCD_KEY_FILE=<PATH>/<SERVER_NAME>.key
      Where,
      • <PATH>

        Path where you stored SSL certificates on the node.

      • <SERVER_NAME>.crt

        Server certificate file for the node.

      • <SERVER_NAME>.key

        Server key file name for the node.

    • Edit the values of the ETCD_LISTEN_CLIENT_URLS and ETCD_ADVERTISE_CLIENT_URLS parameters to change the URL protocol from http to https.
    The final etcd.conf file might look as follows:
    
    ETCD_LISTEN_PEER_URLS="http://<ETCD_IP_address>:2380"
    ETCD_LISTEN_CLIENT_URLS="https://localhost:2379,https://<ETCD_IP_address>:2379"
    ETCD_INITIAL_ADVERTISE_PEER_URLS="http://<ETCD_IP_address>:2380"
    ETCD_INITIAL_CLUSTER="etcd0=http://<ETCD_IP_address>:2380,"
    ETCD_ADVERTISE_CLIENT_URLS="https://<ETCD_IP_address>:2379"
    ETCD_INITIAL_CLUSTER_TOKEN="cluster1"
    ETCD_INITIAL_CLUSTER_STATE="new"
    #SSL Configuration
    ETCD_CLIENT_CERT_AUTH=true
    ETCD_TRUSTED_CA_FILE=<PATH>/rootCA.crt
    ETCD_CERT_FILE=<PATH>/<SERVER_NAME>.crt
    ETCD_KEY_FILE=<PATH>/<SERVER_NAME>.key
  • Use the following configuration to secure Patroni and etcd communications:
    Edit the patroni_config.yaml file and add protocol, cacert, cert, and key to the etcd section.
    
    host: <ETCD_IP_address>:2379
    protocol: https
    cacert: <PATH>/rootCA.crt
    cert: <PATH>/<ETCD_SERVER_NAME>.crt
    key: <PATH>/<ETCD_SERVER_NAME>.key
    Where,
    • <PATH>

      Path where you stored SSL certificates on the node.

    • <ETCD_SERVER_NAME>.crt

      Server certificate file for the node.

    • <ETCD_SERVER_NAME>.key

      Server key file name for the node.

  • Use the following commands to secure REST API endpoints:

    In the patroni_config.yaml, add certfile and keyfile properties to the restapi section.

    restapi:
      listen: <NODE_IP_address>:8008 
      connect_address: <NODE_IP_address>:8008
      certfile: <PATH>/<SERVER_NAME>.crt
      keyfile: <PATH>/<SERVER_NAME>.key
    
    Where,
    • <PATH>

      Path where you stored SSL certificates on the node.

    • <SERVER_NAME>.crt

      Server certificate file for the node.

    • <SERVER_NAME>.key

      Server key file name for the node.

  • Use the following configurations to secure Patroni REST API and CTL communications:
    Edit the patroni_config.yaml file and add a ctl section after the restapi section.
    ctl:
      insecure: false # when true, allows connections to the REST API without verifying certificates
      certfile: <PATH>/<SERVER_NAME>.crt
      cacert: <PATH>/rootCA.crt
    Where,
    • <PATH>

      Path where you stored SSL certificates on the node.

    • <SERVER_NAME>.crt

      Server certificate file for the node.

  • Use the following commands to secure PostgreSQL:
    • Edit the patroni_config.yaml file and add the following parameters to the postgresql section:
      
      postgresql:
        listen: <NODE_IP_address>:5432
        connect_address: <NODE_IP_address>:5432
        data_dir: <DATA_DIR>
        bin_dir: <BIN_DIR>
        pgpass: /tmp/pgpass0
        authentication:
          replication:
            username: replicator
            password: <replicator_password>
          superuser:
            username: postgres
            password: <superuser_password>
        # parameters belongs directly under postgresql, not under authentication
        parameters:
          unix_socket_directories: '.'
          ssl: on
          ssl_cert_file: <PATH>/<SERVER_NAME>.crt
          ssl_key_file: <PATH>/<SERVER_NAME>.key
          ssl_ca_file: <PATH>/rootCA.crt
    • Edit the patroni_config.yaml file and add client authentication parameters to the pg_hba section under postgresql. Each entry uses the pg_hba.conf column order: connection type, database, user, address, method, options.
      
      pg_hba:
          - local all all md5
          - host all all 0.0.0.0/0 md5
          - host replication replicator 127.0.0.1/32 md5
          - host replication replicator <Node1_IP_address>/32 md5
          - host replication replicator <Node2_IP_address>/32 md5
          - host replication replicator <NodeN_IP_address>/32 md5
          - host all all <Node1_IP_address>/32 md5
          - host all all <Node2_IP_address>/32 md5
          - host all all <NodeN_IP_address>/32 md5
          - hostssl <APP_DB> <APP_USER> 0.0.0.0/0 md5 clientcert=1
    Where,
    • <Node#_IP_address>

      IP addresses or hostnames of the cluster nodes that are running a PostgreSQL instance.

    • <APP_USER>

      Your application user, which can be an additional user that you specified in the user section or the superuser.

    • <APP_DB>

      Your application database, which clients access with a valid SSL certificate along with credentials.

  • Use the following commands to secure HAProxy:

    Configure HAProxy in passthrough mode so that it works as a reverse proxy and forwards incoming communication as it is.

    On Node Type 3 where HAProxy is installed, edit the listen prd_postgres section in the /etc/haproxy/haproxy.cfg file. The health check uses check-ssl against the Patroni REST API on port 8008, and verify none means that HAProxy does not validate the certificate presented there.
    
    listen prd_postgres
        bind *:<postgresql_PORT>
        option httpchk
        mode tcp
        http-check expect status 200
        default-server inter 3s fall 3 raise 2 on-marked-down shutdown-sessions
        server POSTGRESQL_1 <Node1_IP_address>:5432 verify none maxconn 100 check check-ssl port 8008
        server POSTGRESQL_2 <Node2_IP_address>:5432 verify none maxconn 100 check check-ssl port 8008
        server POSTGRESQL_N <NodeN_IP_address>:5432 verify none maxconn 100 check check-ssl port 8008
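
PostgreSQL reads the pg_hba entries from the PostgreSQL step in order and applies the first record that matches a connection, so record order decides whether the hostssl entry with the clientcert option is ever used. The following Python check is an added example, not part of the original procedure; its sample list is constructed from this page's entries, and the addresses (10.0.0.11) and the names app_db and app_user are assumptions.

```python
import ipaddress

# Constructed sample of this page's pg_hba list; the address and app names are assumptions.
PG_HBA = """\
local all all md5
host all all 0.0.0.0/0 md5
host replication replicator 127.0.0.1/32 md5
host replication replicator 10.0.0.11/32 md5
host all all 10.0.0.11/32 md5
hostssl app_db app_user 0.0.0.0/0 md5 clientcert=1
"""

def parse(text):
    """Parse pg_hba records: TYPE DATABASE USER [ADDRESS] METHOD [OPTIONS]."""
    rules = []
    for n, line in enumerate(text.splitlines(), 1):
        f = line.split("#", 1)[0].split()
        if not f:
            continue
        if f[0] == "local":              # local records have no ADDRESS column
            f.insert(3, None)
        rules.append({"line": n, "type": f[0], "db": set(f[1].split(",")),
                      "user": set(f[2].split(",")), "opts": f[5:],
                      "net": ipaddress.ip_network(f[3]) if f[3] else None})
    return rules

def first_match(rules, db, user, addr, ssl):
    """Return the record applied to a non-replication TCP connection, or None."""
    ip = ipaddress.ip_address(addr)
    for r in rules:
        type_ok = r["type"] in ("host", "hostssl" if ssl else "hostnossl")
        if (type_ok and r["db"] & {"all", db} and r["user"] & {"all", user}
                and ip in r["net"]):
            return r
    return None  # no record matches: the connection is rejected

def covers(a, b):
    """True if every connection matching record b already matches earlier record a."""
    type_ok = a["type"] == b["type"] or (a["type"] == "host" and b["type"] != "local")
    db_ok = b["db"] <= a["db"] or ("all" in a["db"] and "replication" not in b["db"])
    user_ok = "all" in a["user"] or b["user"] <= a["user"]
    same_family = a["net"] is not None and b["net"] is not None and a["net"].version == b["net"].version
    net_ok = b["net"].subnet_of(a["net"]) if same_family else a["net"] is b["net"]
    return type_ok and db_ok and user_ok and net_ok

def shadowed(rules):
    """List (unreachable_record, shadowing_record) line pairs; the first match wins."""
    return [(b["line"], a["line"]) for i, b in enumerate(rules) for a in rules[:i] if covers(a, b)]

print("unreachable (record, shadowed by):", shadowed(parse(PG_HBA)))
```

On the sample, records 5 and 6 are reported as unreachable behind record 2, the catch-all host entry. A more specific record takes effect only when it precedes every broader record that matches the same connections.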

What to do next

Validate the patroni_config.yaml from each node after the configuration is complete.