Merge pull request #740 from bcgov/yj

Yj

postgres/external-access/README.md

@@ -0,0 +1,25 @@
+# Allowing DB access for Power BI reports/dashboards
+
+Refer to [How to expose non-HTTP access to a service](https://digital.gov.bc.ca/cloud/services/private/internal-resources/emerald/#how-do-i-expose-nonhttp-access-to-a-service)
+
+## Create a service with LoadBalancer type
+
+Run the command on the namespace of the environment.
+
+```sh
+oc apply -f strdss<env>-lb.yaml
+```
+
+## Get assigned IP address
+
+```sh
+oc -n b0471a-<env> get service strdss<env>-lb -o jsonpath='{.status.loadBalancer.ingress[].ip}{"\n"}'
+```
+
+## Creating Read Only User
+
+After replacing `<username>` and `<dbname>`, run the [create-read-only-user script](readonly-user.sql) to create a read-only user.
+
+## Dropping user
+
+If you want to delete the user, after replacing `<username>` and `<dbname>`, run the [drop-user script](drop-user.sql).

postgres/external-access/drop-user.sql

@@ -0,0 +1,3 @@
+REASSIGN OWNED BY <username> TO postgres;
+DROP OWNED BY <username>;
+DROP USER <username>;

postgres/external-access/readonly-user.sql

@@ -0,0 +1,49 @@
+DO
+$$
+DECLARE
+    v_username TEXT := '<username>'; 
+    v_password TEXT;
+    v_database TEXT := '<dbname>';
+    v_schema   TEXT := 'public';
+BEGIN
+
+	SET client_min_messages = 'notice';
+
+-- Ensure the pgcrypto extension is enabled to use gen_random_bytes()
+    PERFORM * FROM pg_extension WHERE extname = 'pgcrypto';
+    IF NOT FOUND THEN
+        CREATE EXTENSION pgcrypto;
+    END IF;
+
+    -- Generate a random 12-character password
+    v_password := encode(gen_random_bytes(10), 'base64');
+
+    -- Create user with generated password
+    EXECUTE format('CREATE USER %I WITH PASSWORD %L;', v_username, v_password);
+
+    -- Revoke all default privileges on the database
+    EXECUTE format('REVOKE ALL ON DATABASE %I FROM %I;', v_database, v_username);
+
+    -- Grant CONNECT on the database
+    EXECUTE format('GRANT CONNECT ON DATABASE %I TO %I;', v_database, v_username);
+
+    -- Grant USAGE on the schema
+    EXECUTE format('GRANT USAGE ON SCHEMA %I TO %I;', v_schema, v_username);
+
+    -- Grant SELECT on all tables in the schema
+    EXECUTE format('GRANT SELECT ON ALL TABLES IN SCHEMA %I TO %I;', v_schema, v_username);
+
+    -- Grant SELECT on all sequences in the schema
+    EXECUTE format('GRANT SELECT ON ALL SEQUENCES IN SCHEMA %I TO %I;', v_schema, v_username);
+
+    -- Alter default privileges for future tables
+    EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA %I GRANT SELECT ON TABLES TO %I;', v_schema, v_username);
+
+    -- Alter default privileges for future sequences
+    EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA %I GRANT SELECT ON SEQUENCES TO %I;', v_schema, v_username);
+
+    -- Print the generated password
+    RAISE NOTICE 'Generated password for user % is: %', v_username, v_password;
+
+END
+$$;

postgres/external-access/strdssdev-lb.yaml

@@ -0,0 +1,24 @@
+kind: Service
+apiVersion: v1
+metadata:
+  annotations:
+    aviinfrasetting.ako.vmware.com/name: dataclass-medium
+  name: strdssdev-lb
+  labels:
+    DataClass: Medium
+    app.kubernetes.io/component: primary
+    app.kubernetes.io/instance: strdssdev-lb
+    app.kubernetes.io/name: strdssdev-lb
+    app.kubernetes.io/version: 16.3.0
+    helm.sh/chart: postgresql-15.5.20
+spec:
+  type: LoadBalancer
+  ports:
+    - name: tcp-postgresql
+      protocol: TCP
+      port: 5432
+      targetPort: tcp-postgresql
+  selector:
+    app.kubernetes.io/component: primary
+    app.kubernetes.io/instance: strdssdev
+    app.kubernetes.io/name: strdssdev

postgres/external-access/strdssprod-lb.yaml

@@ -0,0 +1,24 @@
+kind: Service
+apiVersion: v1
+metadata:
+  annotations:
+    aviinfrasetting.ako.vmware.com/name: dataclass-medium
+  name: strdssprod-lb
+  labels:
+    DataClass: Medium
+    app.kubernetes.io/component: primary
+    app.kubernetes.io/instance: strdssprod-lb
+    app.kubernetes.io/name: strdssprod-lb
+    app.kubernetes.io/version: 16.3.0
+    helm.sh/chart: postgresql-15.5.20
+spec:
+  type: LoadBalancer
+  ports:
+    - name: tcp-postgresql
+      protocol: TCP
+      port: 5432
+      targetPort: tcp-postgresql
+  selector:
+    app.kubernetes.io/component: primary
+    app.kubernetes.io/instance: strdssprod
+    app.kubernetes.io/name: strdssprod

postgres/external-access/strdsstest-lb.yaml

@@ -0,0 +1,24 @@
+kind: Service
+apiVersion: v1
+metadata:
+  annotations:
+    aviinfrasetting.ako.vmware.com/name: dataclass-medium
+  name: strdsstest-lb
+  labels:
+    DataClass: Medium
+    app.kubernetes.io/component: primary
+    app.kubernetes.io/instance: strdsstest-lb
+    app.kubernetes.io/name: strdsstest-lb
+    app.kubernetes.io/version: 16.3.0
+    helm.sh/chart: postgresql-15.5.20
+spec:
+  type: LoadBalancer
+  ports:
+    - name: tcp-postgresql
+      protocol: TCP
+      port: 5432
+      targetPort: tcp-postgresql
+  selector:
+    app.kubernetes.io/component: primary
+    app.kubernetes.io/instance: strdsstest
+    app.kubernetes.io/name: strdsstest

postgres/external-access/strdssuat-lb.yaml

@@ -0,0 +1,24 @@
+kind: Service
+apiVersion: v1
+metadata:
+  annotations:
+    aviinfrasetting.ako.vmware.com/name: dataclass-medium
+  name: strdssuat-lb
+  labels:
+    DataClass: Medium
+    app.kubernetes.io/component: primary
+    app.kubernetes.io/instance: strdssuat-lb
+    app.kubernetes.io/name: strdssuat-lb
+    app.kubernetes.io/version: 16.3.0
+    helm.sh/chart: postgresql-15.5.20
+spec:
+  type: LoadBalancer
+  ports:
+    - name: tcp-postgresql
+      protocol: TCP
+      port: 5432
+      targetPort: tcp-postgresql
+  selector:
+    app.kubernetes.io/component: primary
+    app.kubernetes.io/instance: strdssuat
+    app.kubernetes.io/name: strdssuat