Allow enabling https for Patroni REST API #1237
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
bkhomuts
force-pushed
the
allow-configuring-https
branch
4 times, most recently
from
ca5fadd to
a440050
Compare
bkhomuts
force-pushed
the
allow-configuring-https
branch
from
a440050 to
b0e7ba7
Compare
vitabaks
added
enhancement
bkhomuts
force-pushed
the
allow-configuring-https
branch
from
b0e7ba7 to
a76cb0e
Compare
Contributor
Author
|
The support for https is very initial, and will require manually enabling https on existing cluster, if switching from http to https, by configuring all parameters manually and reloading patroni. This is because the playbook will try to connect to https, before patroni accepts it. For my low-scale use it works, but changing the settings effectively on higher scale will require creating additional logic to switch from http to https. |
Owner
This change will be part of the upcoming 2.4 release, and we can highlight it in the release notes. For existing clusters, we can recommend explicitly setting |
bkhomuts
commented
Sep 8, 2025
bkhomuts
force-pushed
the
allow-configuring-https
branch
from
24db962 to
56c8d51
Compare
This change introduces new variables: patroni_restapi_protocol patroni_restapi_certfile patroni_restapi_keyfile patroni_restapi_cafile With existing patroni_restapi_connect_addr and patroni_use_unix_socket_repl, it enables secure communication to the Patroni REST API. Resolves: #1234
The role sets default variables. Other playbooks have this role imported indirectly, but update_pgcluster doesn't import other roles, before variables are used. Related to: #1234
bkhomuts
force-pushed
the
allow-configuring-https
branch
from
56c8d51 to
f8fb7b9
Compare
The location is different in Debian-based and RHEL-based. Related to: #1234
bkhomuts
force-pushed
the
allow-configuring-https
branch
from
f5d6289 to
521dac2
Compare
Related to: #1234
Replace duplicate functionality with import_role. Related to: #1251
Replaces direct usage of patroni_restapi_cafile with a default to omit when not set, across all relevant Ansible playbooks, roles, and templates. This improves flexibility and prevents errors when the CA file is not provided for Patroni REST API connections.
bkhomuts
commented
Sep 15, 2025
Owner
|
The test with a self-signed certificate for the Patroni REST API was successful — it works. On the client side, you either need to specify the cacert or disable certificate verification (e.g., the -k option in curl). TODO: @vitabaks
|
Refactored the Patroni client to attempt HTTPS requests (with insecure TLS) before falling back to HTTP for monitoring and cluster info endpoints. Introduced a shared getJSON method to handle both protocols and updated GetMonitoringInfo and GetClusterInfo to use it.
vitabaks
approved these changes
Sep 16, 2025
vitabaks
added
console
There was a problem hiding this comment.
Pull Request Overview
This PR enables HTTPS support for the Patroni REST API by introducing new configuration variables and updating the client code to support both HTTP and HTTPS protocols with automatic fallback.
- Adds HTTPS support with configurable protocol, certificate files, and CA certificate for secure Patroni REST API communication
- Implements automatic HTTPS-to-HTTP fallback in the Go client for backward compatibility
- Updates all Ansible playbooks and tasks to use the new protocol variables consistently across the codebase
Reviewed Changes
Copilot reviewed 17 out of 17 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| console/service/pkg/patroni/client.go | Refactored client to support HTTPS with fallback to HTTP, added TLS configuration |
| automation/roles/patroni/templates/patroni.yml.j2 | Added conditional TLS certificate configuration to Patroni config template |
| automation/roles/common/defaults/main.yml | Defined new protocol and certificate variables with defaults |
| automation/roles/patroni/tasks/*.yml | Updated health check URLs to use configurable protocol and CA certificates |
| automation/roles/update/tasks/*.yml | Updated REST API calls to support HTTPS protocol and CA validation |
| automation/roles/upgrade/tasks/*.yml | Updated Patroni API calls to use new protocol variables |
| automation/playbooks/*.yml | Updated playbook API calls to use HTTPS-capable configuration |
| automation/molecule/tests/patroni/patroni.yml | Updated test to use configurable protocol |
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
disable certificate verification by setting the tls_skip_verify field to true
Owner
Test: Consul service heath-checks & Partoni API with https
Doc: https://developer.hashicorp.com/consul/docs/register/health-check/vm#http-checks commit aba7655 result:
{
"service": {
"name": "test-pgcluster",
"id": "test-pgcluster-master",
"port": 6432,
"checks": [{"http": "https://10.172.0.20:8008/primary", "interval": "2s", "tls_skip_verify": true}, {"args": ["systemctl", "status", "pgbouncer"], "interval": "5s"}],
"tags": ["master", "primary"]
}
{
"service": {
"name": "test-pgcluster",
"id": "test-pgcluster-replica",
"port": 6432,
"checks": [{"http": "https://10.172.0.20:8008/replica?lag=100MB", "interval": "2s", "tls_skip_verify": true}, {"args": ["systemctl", "status", "pgbouncer"], "interval": "5s"}],
"tags": ["replica"]
}
}check: connect: passed |
Owner
Test: Autobase console & Patroni API with httpsTest the updated Patroni cluster monitoring functionality in Autobase Console. Result:if node is unavailable {"level":"debug","app":"pg_console","version":"2.3.2","module":"cluster_watcher","cluster":"vitabaks-pgcluster-01","error":"http fallback failed after https: Get \"https://172.31.42.40:8008/cluster\": context deadline exceeded (Client.Timeout exceeded while awaiting headers)","time":"2025-09-17T17:28:40Z","message":"failed to get patroni info"}
{"level":"debug","app":"pg_console","version":"2.3.2","cid":"03a1ca28-815f-4bf0-b180-8c95a147391b","error":"Get \"https://172.31.44.144:8008/cluster\": context deadline exceeded (Client.Timeout exceeded while awaiting headers)","time":"2025-09-17T17:28:42Z","message":"https request failed, falling back to http"}
{"level":"debug","app":"pg_console","version":"2.3.2","module":"cluster_watcher","cluster":"vitabaks-pgcluster-01","error":"http fallback failed after https: Get \"https://172.31.44.144:8008/cluster\": context deadline exceeded (Client.Timeout exceeded while awaiting headers)","time":"2025-09-17T17:28:44Z","message":"failed to get patroni info"}
if node is available {"level":"debug","app":"pg_console","version":"2.3.2","query_id":"1ec5035f-6643-4fb2-96c6-803e91904870","cid":"65021616-f8b1-4294-851d-b49556232d15","sql":"insert into servers(cluster_id, ip_address, server_name, server_role, server_status, timeline, lag, tags, pending_restart)values($1, $2, $3, $4, $5, $6, $7, $8, $9) on conflict(cluster_id, ip_address) do update set server_name = case when EXCLUDED.server_name = '' then servers.server_name else EXCLUDED.server_name end, server_role = coalesce(EXCLUDED.server_role, servers.server_role), server_status = coalesce(EXCLUDED.server_status, servers.server_status), timeline = coalesce(EXCLUDED.timeline, servers.timeline), lag = EXCLUDED.lag, tags = coalesce(EXCLUDED.tags, servers.tags), pending_restart = coalesce(EXCLUDED.pending_restart, servers.pending_restart) returning *","args":"(,85,\"172.31.36.231\",\"ip-172-31-36-231\",(*string)(\"replica\"),(*string)(\"streaming\"),(*int64)(1),(*int64)(0),(*interface{})(nil)(*bool)(false))","time":"2025-09-17T17:43:49Z","message":"TraceQueryStart"}
{"level":"debug","app":"pg_console","version":"2.3.2","query_id":"1ec5035f-6643-4fb2-96c6-803e91904870","cid":"65021616-f8b1-4294-851d-b49556232d15","time":"2025-09-17T17:43:49Z","message":"TraceQueryEnd duration: 2.857574ms"}
{"level":"debug","app":"pg_console","version":"2.3.2","query_id":"cbc3f30e-4734-440c-8a57-c7a419822e33","cid":"65021616-f8b1-4294-851d-b49556232d15","sql":"insert into servers(cluster_id, ip_address, server_name, server_role, server_status, timeline, lag, tags, pending_restart)values($1, $2, $3, $4, $5, $6, $7, $8, $9) on conflict(cluster_id, ip_address) do update set server_name = case when EXCLUDED.server_name = '' then servers.server_name else EXCLUDED.server_name end, server_role = coalesce(EXCLUDED.server_role, servers.server_role), server_status = coalesce(EXCLUDED.server_status, servers.server_status), timeline = coalesce(EXCLUDED.timeline, servers.timeline), lag = EXCLUDED.lag, tags = coalesce(EXCLUDED.tags, servers.tags), pending_restart = coalesce(EXCLUDED.pending_restart, servers.pending_restart) returning *","args":"(,85,\"172.31.42.40\",\"ip-172-31-42-40\",(*string)(\"leader\"),(*string)(\"running\"),(*int64)(1),(*int64)(nil),(*interface{})(nil)(*bool)(false))","time":"2025-09-17T17:43:49Z","message":"TraceQueryStart"}
{"level":"debug","app":"pg_console","version":"2.3.2","query_id":"cbc3f30e-4734-440c-8a57-c7a419822e33","cid":"65021616-f8b1-4294-851d-b49556232d15","time":"2025-09-17T17:43:49Z","message":"TraceQueryEnd duration: 708.206µs"}
{"level":"debug","app":"pg_console","version":"2.3.2","query_id":"5f665979-d6b6-46a5-8901-8fe3dd5474ae","cid":"65021616-f8b1-4294-851d-b49556232d15","sql":"insert into servers(cluster_id, ip_address, server_name, server_role, server_status, timeline, lag, tags, pending_restart)values($1, $2, $3, $4, $5, $6, $7, $8, $9) on conflict(cluster_id, ip_address) do update set server_name = case when EXCLUDED.server_name = '' then servers.server_name else EXCLUDED.server_name end, server_role = coalesce(EXCLUDED.server_role, servers.server_role), server_status = coalesce(EXCLUDED.server_status, servers.server_status), timeline = coalesce(EXCLUDED.timeline, servers.timeline), lag = EXCLUDED.lag, tags = coalesce(EXCLUDED.tags, servers.tags), pending_restart = coalesce(EXCLUDED.pending_restart, servers.pending_restart) returning *","args":"(,85,\"172.31.44.144\",\"ip-172-31-44-144\",(*string)(\"replica\"),(*string)(\"streaming\"),(*int64)(1),(*int64)(0),(*interface{})(nil)(*bool)(false))","time":"2025-09-17T17:43:49Z","message":"TraceQueryStart"}
{"level":"debug","app":"pg_console","version":"2.3.2","query_id":"5f665979-d6b6-46a5-8901-8fe3dd5474ae","cid":"65021616-f8b1-4294-851d-b49556232d15","time":"2025-09-17T17:43:49Z","message":"TraceQueryEnd duration: 618.966µs"}
passed |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This change introduces new variables:
patroni_restapi_protocol
patroni_restapi_certfile
patroni_restapi_keyfile
patroni_restapi_cafile
With existing patroni_restapi_connect_addr and patroni_use_unix_socket_repl, it enables secure communication to the Patroni REST API.
Resolves: #1234