From 7dc13a92efee477766a07b5f0ec7be166e597920 Mon Sep 17 00:00:00 2001
From: Tom Hughes <tom@compton.nu>
Date: Sun, 15 Oct 2023 11:16:21 +0000
Subject: [PATCH 1/1] Add a prometheus user to all postgres clusters

---
 cookbooks/postgresql/recipes/default.rb                | 8 ++++++++
 cookbooks/postgresql/templates/default/pg_hba.conf.erb | 1 +
 test/data_bags/postgresql/passwords.json               | 4 ++++
 3 files changed, 13 insertions(+)
 create mode 100644 test/data_bags/postgresql/passwords.json

diff --git a/cookbooks/postgresql/recipes/default.rb b/cookbooks/postgresql/recipes/default.rb
index 9f713b60e..ed58edb71 100644
--- a/cookbooks/postgresql/recipes/default.rb
+++ b/cookbooks/postgresql/recipes/default.rb
@@ -116,11 +116,19 @@ package "pgtop"
 package "libdbd-pg-perl"
 
 clusters = node[:postgresql][:clusters] || []
+passwords = data_bag_item("postgresql", "passwords")
 
 clusters.each do |name, details|
   prometheus_suffix = name.tr("/", "-")
   prometheus_database = node[:postgresql][:monitor_database]
 
+  postgresql_user "prometheus" do
+    cluster name
+    password passwords["prometheus"]
+    roles "pg_monitor"
+    not_if { ::File.exist?("/var/lib/postgresql/#{name}/standby.signal") }
+  end
+
   prometheus_exporter "postgres" do
     port 10000 + details[:port].to_i
     service "postgres-#{prometheus_suffix}"
diff --git a/cookbooks/postgresql/templates/default/pg_hba.conf.erb b/cookbooks/postgresql/templates/default/pg_hba.conf.erb
index 18b490c03..cb561691f 100644
--- a/cookbooks/postgresql/templates/default/pg_hba.conf.erb
+++ b/cookbooks/postgresql/templates/default/pg_hba.conf.erb
@@ -4,6 +4,7 @@
 <% @early_rules.each do |rule| -%>
 <%= rule[:type] || "host" %>	<%= rule[:database] || "all" %>		<%= rule[:user] || "all" %>		<%= rule[:address] %>		<%= rule[:method] || "md5" %> <%= (rule[:options] || {}).collect { |k,v| "#{k}=#{v}" }.join(" ") %>
 <% end -%>
+local	all		prometheus				md5
 local	all		all					peer
 host	all		all		127.0.0.1/32		md5
 host	all		all		::1/128			md5
diff --git a/test/data_bags/postgresql/passwords.json b/test/data_bags/postgresql/passwords.json
new file mode 100644
index 000000000..120914cfe
--- /dev/null
+++ b/test/data_bags/postgresql/passwords.json
@@ -0,0 +1,4 @@
+{
+  "id": "passwords",
+  "prometheus": "prometheus-password"
+}
-- 
2.39.5