From 82e55ae87f3d785358d2ac0992e9b302f3b8b3e1 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 29 Apr 2026 09:09:50 -0400 Subject: [PATCH] Open postgres on every hostgroup that opens influxdb The static defaults only listed postgres on each role's self-hostgroup, leaving sensor/searchnode/heavynode/receiver/fleet/idh/desktop/hypervisor hostgroups unable to reach the manager's so-postgres in distributed grids. A dynamic block in firewall/map.jinja added postgres to those hostgroups only when telegraf.output was switched to POSTGRES/BOTH, which left postgres unreachable by default. Mirror influxdb statically across manager/managerhype/managersearch/ standalone for every hostgroup that already lists influxdb, and drop the now-redundant telegraf-gated dynamic block from firewall/map.jinja. --- salt/firewall/defaults.yaml | 32 ++++++++++++++++++++++++++++++++ salt/firewall/map.jinja | 13 ------------- 2 files changed, 32 insertions(+), 13 deletions(-) diff --git a/salt/firewall/defaults.yaml b/salt/firewall/defaults.yaml index 9d0af3d0d..5c1229787 100644 --- a/salt/firewall/defaults.yaml +++ b/salt/firewall/defaults.yaml @@ -398,6 +398,7 @@ firewall: - elasticsearch_rest - docker_registry - influxdb + - postgres - sensoroni - yum - beats_5044 @@ -410,6 +411,7 @@ firewall: portgroups: - docker_registry - influxdb + - postgres - sensoroni - yum - beats_5044 @@ -427,6 +429,7 @@ firewall: - yum - docker_registry - influxdb + - postgres - sensoroni searchnode: portgroups: @@ -437,6 +440,7 @@ firewall: - yum - docker_registry - influxdb + - postgres - elastic_agent_control - elastic_agent_data - elastic_agent_update @@ -450,6 +454,7 @@ firewall: - yum - docker_registry - influxdb + - postgres - elastic_agent_control - elastic_agent_data - elastic_agent_update @@ -459,6 +464,7 @@ firewall: - yum - docker_registry - influxdb + - postgres - elastic_agent_control - elastic_agent_data - elastic_agent_update 
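Review bot: The static `- postgres` entries in these defaults.yaml hunks (and the remaining ones through the `@@ -1139` hunk) replace a map.jinja loop that also ran for the `eval` role and included an `import` hostgroup, while the description names only manager/managerhype/managersearch/standalone and lists hypervisor rather than import; confirm that dropping eval and import is intended, because the old telegraf-gated opening for them now has no replacement. Since 5432 is now open unconditionally to every hostgroup that already has influxdb, postgres authentication rather than the firewall becomes the only control for nodes such as idh and desktop, whether or not they actually run a postgres client. A comment beside the new entries, e.g. `# postgres: mirrors influxdb so telegraf on remote nodes can reach the manager's so-postgres`, would record why the port is no longer gated on telegraf output. Operators who relied on the previous default to keep 5432 closed now need an explicit pillar override, which deserves a line in the description.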
@@ -492,6 +498,7 @@ firewall: portgroups: - docker_registry - influxdb + - postgres - sensoroni - yum - elastic_agent_control @@ -502,6 +509,7 @@ firewall: - yum - docker_registry - influxdb + - postgres - elastic_agent_control - elastic_agent_data - elastic_agent_update @@ -610,6 +618,7 @@ firewall: - elasticsearch_rest - docker_registry - influxdb + - postgres - sensoroni - yum - beats_5044 @@ -622,6 +631,7 @@ firewall: portgroups: - docker_registry - influxdb + - postgres - sensoroni - yum - beats_5044 @@ -639,6 +649,7 @@ firewall: - yum - docker_registry - influxdb + - postgres - sensoroni searchnode: portgroups: @@ -649,6 +660,7 @@ firewall: - yum - docker_registry - influxdb + - postgres - elastic_agent_control - elastic_agent_data - elastic_agent_update @@ -662,6 +674,7 @@ firewall: - yum - docker_registry - influxdb + - postgres - elastic_agent_control - elastic_agent_data - elastic_agent_update @@ -671,6 +684,7 @@ firewall: - yum - docker_registry - influxdb + - postgres - elastic_agent_control - elastic_agent_data - elastic_agent_update @@ -702,6 +716,7 @@ firewall: portgroups: - docker_registry - influxdb + - postgres - sensoroni - yum - elastic_agent_control @@ -712,6 +727,7 @@ firewall: - yum - docker_registry - influxdb + - postgres - elastic_agent_control - elastic_agent_data - elastic_agent_update @@ -820,6 +836,7 @@ firewall: - elasticsearch_rest - docker_registry - influxdb + - postgres - sensoroni - yum - beats_5044 @@ -832,6 +849,7 @@ firewall: portgroups: - docker_registry - influxdb + - postgres - sensoroni - yum - beats_5044 @@ -849,6 +867,7 @@ firewall: - yum - docker_registry - influxdb + - postgres - sensoroni searchnode: portgroups: @@ -858,6 +877,7 @@ firewall: - yum - docker_registry - influxdb + - postgres - elastic_agent_control - elastic_agent_data - elastic_agent_update @@ -870,6 +890,7 @@ firewall: - yum - docker_registry - influxdb + - postgres - elastic_agent_control - elastic_agent_data - elastic_agent_update 
@@ -879,6 +900,7 @@ firewall: - yum - docker_registry - influxdb + - postgres - elastic_agent_control - elastic_agent_data - elastic_agent_update @@ -912,6 +934,7 @@ firewall: portgroups: - docker_registry - influxdb + - postgres - sensoroni - yum - elastic_agent_control @@ -922,6 +945,7 @@ firewall: - yum - docker_registry - influxdb + - postgres - elastic_agent_control - elastic_agent_data - elastic_agent_update @@ -1040,6 +1064,7 @@ firewall: - elasticsearch_rest - docker_registry - influxdb + - postgres - sensoroni - yum - beats_5044 @@ -1052,6 +1077,7 @@ firewall: portgroups: - docker_registry - influxdb + - postgres - sensoroni - yum - beats_5044 @@ -1063,6 +1089,7 @@ firewall: portgroups: - docker_registry - influxdb + - postgres - sensoroni - yum - beats_5044 @@ -1074,6 +1101,7 @@ firewall: portgroups: - docker_registry - influxdb + - postgres - sensoroni - yum - redis @@ -1083,6 +1111,7 @@ firewall: portgroups: - docker_registry - influxdb + - postgres - sensoroni - yum - redis @@ -1093,6 +1122,7 @@ firewall: - yum - docker_registry - influxdb + - postgres - elastic_agent_control - elastic_agent_data - elastic_agent_update @@ -1129,6 +1159,7 @@ firewall: portgroups: - docker_registry - influxdb + - postgres - sensoroni - yum - elastic_agent_control @@ -1139,6 +1170,7 @@ firewall: - yum - docker_registry - influxdb + - postgres - elastic_agent_control - elastic_agent_data - elastic_agent_update diff --git a/salt/firewall/map.jinja b/salt/firewall/map.jinja index 61f8215b8..58d8c189d 100644 --- a/salt/firewall/map.jinja +++ b/salt/firewall/map.jinja @@ -1,6 +1,5 @@ {% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'docker/docker.map.jinja' import DOCKERMERGED %} -{% from 'telegraf/map.jinja' import TELEGRAFMERGED %} {% import_yaml 'firewall/defaults.yaml' as FIREWALL_DEFAULT %} {# add our ip to self #} 
@@ -56,16 +55,4 @@
{% endif %}
-{# Open Postgres (5432) to minion hostgroups when Telegraf is configured to write to Postgres #}
-{% set TG_OUT = TELEGRAFMERGED.output | upper %}
-{% if TG_OUT in ['POSTGRES', 'BOTH'] %}
-{% if role.startswith('manager') or role == 'standalone' or role == 'eval' %}
-{% for r in ['sensor', 'searchnode', 'heavynode', 'receiver', 'fleet', 'idh', 'desktop', 'import'] %}
-{% if FIREWALL_DEFAULT.firewall.role[role].chain["DOCKER-USER"].hostgroups[r] is defined %}
-{% do FIREWALL_DEFAULT.firewall.role[role].chain["DOCKER-USER"].hostgroups[r].portgroups.append('postgres') %}
-{% endif %}
-{% endfor %}
-{% endif %}
-{% endif %}
-
{% set FIREWALL_MERGED = salt['pillar.get']('firewall', FIREWALL_DEFAULT.firewall, merge=True) %}