Fan postgres telegraf cred for manager on every auth run

The empty-pillar case produced a telegraf.conf with `user= password=` which libpq misparses ("password=" gets consumed as the user value), yielding `password authentication failed for user "password="` on every manager without a prior fan-out (fresh install, not the salt-key path the reactor handles). Two fixes: - salt/postgres/auth.sls: always fan for grains.id in addition to any postgres_fanout_minion from the reactor, so the manager's own pillar is populated on every postgres.auth run. The existing `unless` guard keeps re-runs idempotent. - salt/telegraf/etc/telegraf.conf: gate the [[outputs.postgresql]] block on PG_USER and PG_PASS being non-empty. If a minion hasn't received its pillar yet the output block simply isn't rendered — the next highstate picks up the creds once the fan-out completes, and in the meantime telegraf keeps running the other outputs instead of erroring with a malformed connection string.
2026-05-30 15:06:20 +02:00 · 2026-04-21 14:40:19 -04:00
parent 05f6503d61
commit d5dc28e526
2 changed files with 24 additions and 11 deletions
@@ -96,7 +96,7 @@
  # insecure_skip_verify = false
 {%- endif %}

-{%- if TG_OUT in ['POSTGRES', 'BOTH'] %}
+{%- if TG_OUT in ['POSTGRES', 'BOTH'] and PG_USER and PG_PASS %}
 # Configuration for sending metrics to PostgreSQL.
 # options='-c role=so_telegraf' makes every connection SET ROLE to the shared
 # group role so tables created on first write are owned by so_telegraf, and