Enterprise Postgres 18 for Kubernetes Reference

1.2.16 FEP Custom Resources - spec.fep.pgAuditLog

1.2.16.1 Details of pgAuditLog.endpoint.authentication

Protocol                 Required key                  Description
-----------------------  ----------------------------  ------------------------------------------------
'http' or not defined    basic_auth                    The basic authentication for the HTTP web server
's3'                     aws_access_key                AWS access key
                         aws_secret_key                AWS secret key
'blob'                   azure_storage_account_name    Azure storage account name
                         azure_storage_account_key     Azure storage account key

When "pgAuditLog.endpoint.authentication" is not defined or is empty, the Operator creates a default secret that contains the keys for all protocols, with empty values.

The default secret is a template in which the end user fills in the proper values. Its content is as follows:

Default Authentication Secret

kind: Secret
apiVersion: v1
metadata:
  name: [FEPCluster name]-pgauditlog-auth
  namespace: [FEPCluster namespace]
type: Opaque
data:
  basic_auth: ""
  aws_access_key: ""
  aws_access_secret: ""
  azure_storage_account_name: ""
  azure_storage_account_key: ""

When the default secret is created, the Operator also writes the name of the created secret into the FEPCluster CR:

FEPCluster

spec.fep
pgAuditLog:
 enable: 'true'
 endpoint:
   protocol: 's3'
   authentication: '[FEPCluster name]-pgauditlog-auth'
…

The Operator uses the default secret, but the upload feature fails because the secret does not contain correct values. The end user must therefore update the values of the default secret before the upload feature can work properly.

Note

  • The Operator does not own a user-specified secret, because it is created by the end user. Only the default secret created by the Operator is owned by the cluster.

  • When the FEPCluster is deleted, this secret remains.
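The following Python script is an added example, not part of this reference or of the Operator's code. It shows the two things an administrator has to get right with the authentication secret described in 1.2.16.1 (and used again by the Azure Blob and S3 examples in 1.2.16.3 and 1.2.16.4): the values under "data" must be base64-encoded, and every key the chosen protocol requires must be non-empty, which the Operator's default template secret is not. The required-key map follows the key names used in the example secrets on this page (the S3 secret key appears as aws_access_secret there, while the reference table lists aws_secret_key); the cluster name, namespace and credential values are constructed sample data.

```python
import base64
import json

# Required secret keys per endpoint protocol (assumption: taken from the
# reference table, with key names as they appear in this page's example secrets).
REQUIRED_KEYS = {
    "http": ["basic_auth"],
    "s3": ["aws_access_key", "aws_access_secret"],
    "blob": ["azure_storage_account_name", "azure_storage_account_key"],
}


def build_auth_secret(name, namespace, values):
    """Return a Secret manifest as a dict; 'data' values are base64-encoded,
    which is how a Kubernetes Secret stores values under 'data'."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        "data": {k: base64.b64encode(v.encode()).decode() for k, v in values.items()},
    }


def default_template_secret(cluster, namespace):
    """Reproduce the Operator's default template: all keys present, all empty."""
    empty = {key: "" for keys in REQUIRED_KEYS.values() for key in keys}
    return build_auth_secret(f"{cluster}-pgauditlog-auth", namespace, empty)


def missing_auth_keys(secret, protocol):
    """List required keys that are absent, not valid base64, or decode to an
    empty string. A non-empty result is the state in which upload will fail."""
    proto = protocol or "http"  # an undefined protocol means http, per the table
    data = secret.get("data", {})
    missing = []
    for key in REQUIRED_KEYS[proto]:
        raw = data.get(key, "")
        try:
            decoded = base64.b64decode(raw, validate=True)
        except ValueError:  # binascii.Error is a subclass of ValueError
            missing.append(key)
            continue
        if decoded == b"":
            missing.append(key)
    return missing


def manifest_json(secret):
    """kubectl apply -f accepts JSON manifests, so no YAML library is needed."""
    return json.dumps(secret, indent=2)


if __name__ == "__main__":
    # Constructed sample: the default template fails the check for S3 ...
    template = default_template_secret("cluster1", "default")
    print("template missing for s3:", missing_auth_keys(template, "s3"))
    # ... and a filled-in secret (constructed placeholder credentials) passes.
    filled = build_auth_secret(
        "my-aws-s3-secret", "default",
        {"aws_access_key": "AKIA-EXAMPLE", "aws_access_secret": "example-secret"},
    )
    print("filled missing for s3:", missing_auth_keys(filled, "s3"))
    print(manifest_json(filled))
```

Run the check against a secret read back from the cluster (for example, the JSON output of kubectl get secret) before setting pgAuditLog.enable, so that an empty template secret is caught before the scheduled upload fails.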

1.2.16.2 CR example for customized pgaudit ConfigMap

FEPCluster

spec.fep
pgAuditLog:
 enable: 'true'
 config: my-pgaudit-conf
 endpoint: … …
# fepChildCrVal.customPgAudit will be ignored in this case

ConfigMap - Name: my-pgaudit-conf

data:
 pgaudit.conf: |
  [output]
  logger = 'auditlog'
  log_directory = '/database/log/audit'
  [rule]
  audit_role='jason'
  database='demo'
  class='READ, WRITE'
  [option]

1.2.16.3 CR example when uploading logs to Azure Blob

Use Azure Blob as the endpoint for uploading the pgAudit log file.

FEPCluster (using Azure Blob as endpoint)

spec.fep
pgAuditLog:
 enable: 'true'
 endpoint:
  protocol: 'blob'
  authentication: my-azure-blob-secret
  azureContainerName: cluster1
  azureBlobName: pgaudit-log-1
 schedules:
  upload: '30 * * * *'

Secret - Name: my-azure-blob-secret

data:
   azure_storage_account_name: cG9zdGdyZXM=
   azure_storage_account_key: ZnNcG9zdGads3cGzdGdyZXMyZXMlcA==

1.2.16.4 CR example for uploading logs to S3

Use AWS S3 as the endpoint for uploading the pgAudit log file.

FEPCluster (using S3 as endpoint)

spec.fep
pgAuditLog:
 enable: 'true'
 endpoint:
  url: 's3://pgaudit1/cluster1'
  protocol: 's3'
  authentication: my-aws-s3-secret
 schedules:
  upload: '30 * * * *'

Secret - Name: my-aws-s3-secret

data:
   aws_access_key: cG9zdGdyZXM=
   aws_access_secret: ZnNlcaAZnNlcA3A==