Check syntax of patroni and pg_hba config files (#1297)

sshenderson · vitabaks · web-flow · commit f1ea3cf1c3b2 · 2025-10-08T10:01:31.000+07:00
Co-authored-by: Vitaliy Kukharik &lt;vitabaks@gmail.com&gt;
diff --git a/automation/roles/patroni/tasks/main.yml b/automation/roles/patroni/tasks/main.yml
@@ -534,6 +534,19 @@
             group: postgres
             mode: "0640"
 
+        - name: Prepare PostgreSQL | validate generated pg_hba.conf
+          become: true
+          become_user: postgres
+          community.postgresql.postgresql_query:
+            login_host: "127.0.0.1"
+            login_port: "{{ postgresql_port }}"
+            login_user: "{{ patroni_superuser_username }}"
+            login_password: "{{ patroni_superuser_password }}"
+            login_db: "postgres"
+            query: "SELECT * FROM pg_hba_file_rules WHERE error IS NOT NULL"
+          register: pg_hba_validate_result
+          failed_when: pg_hba_validate_result.query_result | length > 0
+
         - name: Prepare PostgreSQL | reload for apply the pg_hba.conf
           become: true
           become_user: postgres
@@ -927,6 +940,20 @@
         (('replica' in groups and groups['replica'] | length > 0 and inventory_hostname in groups['replica'] and postgresql_conf_dir != postgresql_data_dir)
         or postgresql_exists | default(false) | bool)
 
+    - name: Prepare PostgreSQL | validate generated pg_hba.conf
+      become: true
+      become_user: postgres
+      community.postgresql.postgresql_query:
+        login_host: "127.0.0.1"
+        login_port: "{{ postgresql_port }}"
+        login_user: "{{ patroni_superuser_username }}"
+        login_password: "{{ patroni_superuser_password }}"
+        login_db: "postgres"
+        query: "SELECT * FROM pg_hba_file_rules WHERE error IS NOT NULL"
+      register: pg_hba_validate_result
+      failed_when: pg_hba_validate_result.query_result | length > 0
+      when: inventory_hostname == groups['master'][0]
+
     - name: Prepare PostgreSQL | reload for apply the pg_hba.conf
       become: true
       become_user: postgres
diff --git a/automation/roles/patroni/tasks/patroni.yml b/automation/roles/patroni/tasks/patroni.yml
@@ -3,6 +3,7 @@
   ansible.builtin.template:
     src: templates/patroni.yml.j2
     dest: "{{ patroni_config_file | default('/etc/patroni/patroni.yml') }}"
+    validate: patroni --validate-config %s
     owner: postgres
     group: postgres
     mode: "0640"
diff --git a/automation/roles/patroni/templates/patroni.yml.j2 b/automation/roles/patroni/templates/patroni.yml.j2
@@ -69,7 +69,6 @@ etcd3:
 {% if dcs_type == 'consul' %}
 consul:
   host: 127.0.0.1:8500
-  checks: []
   {% if consul_tls_enable | default(false) | bool %}
   scheme: https
   cacert: {{ patroni_consul_cacert | default('/etc/patroni/tls/consul/ca.crt') }}
diff --git a/automation/roles/postgresql_schemas/tasks/main.yml b/automation/roles/postgresql_schemas/tasks/main.yml
@@ -6,8 +6,10 @@
     name: "{{ item.schema }}"
     owner: "{{ item.owner }}"
     login_db: "{{ item.db }}"
-    login_unix_socket: "{{ postgresql_unix_socket_dir }}"
+    login_host: "127.0.0.1"
     login_port: "{{ postgresql_port }}"
+    login_user: "{{ patroni_superuser_username }}"
+    login_password: "{{ patroni_superuser_password }}"
     state: present
   ignore_errors: true
   loop: "{{ postgresql_schemas | flatten(1) }}"
