Added passwordless access to sink-postgres, removed unnecessary port mappings, fixed index definition metric, added a trigger that prevents duplicates in index definitions table, made init.sql for sink-postgres lowercase

Author: dementii-priadko

config/pgwatch-postgres/metrics.yml

@@ -19,10 +19,13 @@ metrics:
     sqls:
       11: |-
         select /* pgwatch_generated */
-          indexname,
+          indexrelname,
+          schemaname,
+          relname,
           pg_get_indexdef(indexrelid) as index_definition
         from pg_stat_all_indexes
-        order by schemaname, tablename, indexname;
+        order by schemaname, relname, indexrelname
+        limit 10000;
     gauges:
       - '*'
 

config/sink-postgres/00-configure-pg-hba.sh

@@ -0,0 +1,34 @@
+#!/bin/bash
+# Configure pg_hba.conf to allow trust authentication from Docker networks
+
+cat > ${PGDATA}/pg_hba.conf <<EOF
+# PostgreSQL Client Authentication Configuration File
+# Custom configuration for sink-postgres container
+# Allows passwordless (trust) authentication from Docker network
+
+# TYPE  DATABASE        USER            ADDRESS                 METHOD
+
+# "local" is for Unix domain socket connections only
+local   all             all                                     trust
+
+# IPv4 local connections:
+host    all             all             127.0.0.1/32            trust
+
+# IPv6 local connections:
+host    all             all             ::1/128                 trust
+
+# Allow replication connections from localhost
+local   replication     all                                     trust
+host    replication     all             127.0.0.1/32            trust
+host    replication     all             ::1/128                 trust
+
+# Allow all connections from Docker networks without password
+# This is safe because sink-postgres is not exposed externally
+host    all             all             172.16.0.0/12           trust
+host    all             all             192.168.0.0/16          trust
+host    all             all             10.0.0.0/8              trust
+EOF
+
+# Reload PostgreSQL configuration
+pg_ctl reload -D ${PGDATA}
+

config/sink-postgres/init.sql

@@ -3,79 +3,138 @@
 -- Based on https://pgwat.ch/latest/howto/metrics_db_bootstrap.html
 
 -- Create the pgwatch role for measurements database
-CREATE ROLE pgwatch WITH LOGIN PASSWORD 'pgwatchadmin';
+create role pgwatch with login password 'pgwatchadmin';
 
 -- Create the measurements database owned by pgwatch
-CREATE DATABASE measurements OWNER pgwatch;
+create database measurements owner pgwatch;
 
 -- Switch to the measurements database context
 \c measurements;
 
 -- Create extensions that might be useful for metrics storage
-CREATE EXTENSION IF NOT EXISTS btree_gist;
-CREATE EXTENSION IF NOT EXISTS pg_stat_statements;
+create extension if not exists btree_gist;
+create extension if not exists pg_stat_statements;
 
 -- Grant necessary permissions to pgwatch user
-GRANT ALL PRIVILEGES ON DATABASE measurements TO pgwatch;
-GRANT ALL PRIVILEGES ON SCHEMA public TO pgwatch;
+grant all privileges on database measurements to pgwatch;
+grant all privileges on schema public to pgwatch;
 
 
 
 -- Create a partitioned table for queryid-to-query mappings with LIST partitioning by dbname
-CREATE TABLE IF NOT EXISTS public.pgss_queryid_queries (
-    time TIMESTAMPTZ NOT NULL,
-    dbname TEXT NOT NULL,
-    data JSONB NOT NULL,
-    tag_data JSONB
-) PARTITION BY LIST (dbname);
+create table if not exists public.pgss_queryid_queries (
+    time timestamptz not null,
+    dbname text not null,
+    data jsonb not null,
+    tag_data jsonb
+) partition by list (dbname);
 
 -- Create indexes for efficient lookups
-CREATE INDEX IF NOT EXISTS pgss_queryid_queries_dbname_time_idx ON public.pgss_queryid_queries (dbname, time);
+create index if not exists pgss_queryid_queries_dbname_time_idx on public.pgss_queryid_queries (dbname, time);
 
 -- Use existing subpartitions schema
 
 
 -- Set ownership and grant permissions to pgwatch
-ALTER TABLE public.pgss_queryid_queries OWNER TO pgwatch;
-GRANT ALL PRIVILEGES ON TABLE public.pgss_queryid_queries TO pgwatch;
+alter table public.pgss_queryid_queries owner to pgwatch;
+grant all privileges on table public.pgss_queryid_queries to pgwatch;
 -- Ensure pgwatch can use sequences (if any are created)
-GRANT USAGE ON SCHEMA public TO pgwatch;
+grant usage on schema public to pgwatch;
 -- Grant permissions on all future tables in public schema
-ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON TABLES TO pgwatch; 
+alter default privileges in schema public grant all on tables to pgwatch; 
 
-CREATE OR REPLACE FUNCTION enforce_queryid_uniqueness()
-RETURNS TRIGGER AS $$
-DECLARE
-    queryid_value TEXT;
-BEGIN
+create or replace function enforce_queryid_uniqueness()
+returns trigger as $$
+declare
+    queryid_value text;
+begin
     -- Extract queryid from the data JSONB
-    queryid_value := NEW.data->>'queryid';
+    queryid_value := new.data->>'queryid';
 
     -- Allow NULL queryids through
-    IF queryid_value IS NULL THEN
-        RETURN NEW;
-    END IF;
+    if queryid_value is null then
+        return new;
+    end if;
 
     -- Silently skip if duplicate exists
-    IF EXISTS (
-        SELECT 1 
-        FROM pgss_queryid_queries
-        WHERE dbname = NEW.dbname
-          AND data->>'queryid' = queryid_value
-        LIMIT 1
-    ) THEN
-        RETURN NULL;  -- Cancels INSERT silently
-    END IF;
+    if exists (
+        select 1 
+        from pgss_queryid_queries
+        where dbname = new.dbname
+          and data->>'queryid' = queryid_value
+        limit 1
+    ) then
+        return null;  -- Cancels INSERT silently
+    end if;
 
-    RETURN NEW;
-END;
-$$ LANGUAGE plpgsql;
+    return new;
+end;
+$$ language plpgsql;
 
 
-CREATE OR REPLACE TRIGGER enforce_queryid_uniqueness_trigger
-    BEFORE INSERT
-    ON pgss_queryid_queries
-    FOR EACH ROW
-    EXECUTE FUNCTION enforce_queryid_uniqueness();
+create or replace trigger enforce_queryid_uniqueness_trigger
+    before insert
+    on pgss_queryid_queries
+    for each row
+    execute function enforce_queryid_uniqueness();
+
+-- Create a partitioned table for index definitions with LIST partitioning by dbname
+create table if not exists public.index_definitions (
+    time timestamptz not null,
+    dbname text not null,
+    data jsonb not null,
+    tag_data jsonb
+) partition by list (dbname);
+
+-- Create indexes for efficient lookups
+create index if not exists index_definitions_dbname_time_idx on public.index_definitions (dbname, time);
+
+-- Set ownership and grant permissions to pgwatch
+alter table public.index_definitions owner to pgwatch;
+grant all privileges on table public.index_definitions to pgwatch;
+
+-- Create function to enforce index definition uniqueness
+create or replace function enforce_index_definition_uniqueness()
+returns trigger as $$
+declare
+    index_name text;
+    schema_name text;
+    table_name text;
+    index_definition text;
+begin
+    -- Extract index information from the data JSONB
+    index_name := new.data->>'indexrelname';
+    schema_name := new.data->>'schemaname';
+    table_name := new.data->>'relname';
+    index_definition := new.data->>'index_definition';
+    
+    -- Allow NULL index names through
+    if index_name is null then
+        return new;
+    end if;
+    
+    -- Silently skip if duplicate exists
+    if exists (
+        select 1 
+        from index_definitions
+        where dbname = new.dbname
+          and data->>'indexrelname' = index_name
+          and data->>'schemaname' = schema_name
+          and data->>'relname' = table_name
+          and data->>'index_definition' = index_definition
+        limit 1
+    ) then
+        return null;  -- Cancels INSERT silently
+    end if;
+    
+    return new;
+end;
+$$ language plpgsql;
+
+create or replace trigger enforce_index_definition_uniqueness_trigger
+    before insert
+    on index_definitions
+    for each row
+    execute function enforce_index_definition_uniqueness();
 
 

docker-compose.yml

@@ -34,24 +34,26 @@ services:
         "-c",
         "pg_stat_statements.track=all",
       ]
-    ports:
-      - "${BIND_HOST:-}55432:5432"
     volumes:
       - target_db_data:/var/lib/postgresql/data
       - ./config/target-db/init.sql:/docker-entrypoint-initdb.d/init.sql
 
   # Postgres Sink - Storage for metrics in PostgreSQL format
+  # Note: pg_hba.conf is configured to allow passwordless connections (trust)
+  # for local connections within the Docker network. This simplifies pgwatch
+  # and postgres-exporter connectivity without compromising security since
+  # the database is not exposed externally.
   sink-postgres:
     image: postgres:15
     container_name: sink-postgres
     environment:
       POSTGRES_DB: postgres
       POSTGRES_USER: postgres
       POSTGRES_PASSWORD: postgres
-    ports:
-      - "${BIND_HOST:-}55433:5432"
+      POSTGRES_HOST_AUTH_METHOD: trust
     volumes:
       - sink_postgres_data:/var/lib/postgresql/data
+      - ./config/sink-postgres/00-configure-pg-hba.sh:/docker-entrypoint-initdb.d/00-configure-pg-hba.sh
       - ./config/sink-postgres/init.sql:/docker-entrypoint-initdb.d/init.sql
 
   # VictoriaMetrics Sink - Storage for metrics in Prometheus format
@@ -79,11 +81,9 @@ services:
       [
         "--sources=/etc/pgwatch/sources.yml",
         "--metrics=/etc/pgwatch/metrics.yml",
-        "--sink=postgresql://pgwatch:pgwatchadmin@sink-postgres:5432/measurements",
+        "--sink=postgresql://pgwatch@sink-postgres:5432/measurements?sslmode=disable",
         "--web-addr=:8080",
       ]
-    ports:
-      - "${BIND_HOST:-}58080:8080"
     depends_on:
       - sources-generator
       - sink-postgres
@@ -103,9 +103,6 @@ services:
         "--sink=prometheus://0.0.0.0:9091/pgwatch",
         "--web-addr=:8089",
       ]
-    ports:
-      - "${BIND_HOST:-}58089:8089"
-      - "${BIND_HOST:-}59091:9091"
     depends_on:
       - sources-generator
       - sink-prometheus
@@ -143,8 +140,6 @@ services:
       - PROMETHEUS_URL=http://sink-prometheus:9090
     depends_on:
       - sink-prometheus
-    ports:
-      - "${BIND_HOST:-}55000:5000"
     restart: unless-stopped
   # PostgreSQL Reports Generator - Runs reports after 1 hour
   postgres-reports:
@@ -194,8 +189,6 @@ services:
     image: gcr.io/cadvisor/cadvisor:v0.51.0
     container_name: cadvisor
     privileged: true
-    ports:
-      - "58081:8080"
     volumes:
       - /:/rootfs:ro
       - /var/run:/var/run:ro
@@ -212,8 +205,6 @@ services:
   node-exporter:
     image: prom/node-exporter:v1.8.2
     container_name: node-exporter
-    ports:
-      - "59100:9100"
     command:
       - '--path.rootfs=/host'
       - '--collector.filesystem.mount-points-exclude=^/(sys|proc|dev|host|etc)($$|/)'
@@ -227,8 +218,6 @@ services:
     container_name: postgres-exporter-sink
     environment:
       DATA_SOURCE_NAME: "postgresql://postgres:postgres@sink-postgres:5432/measurements?sslmode=disable"
-    ports:
-      - "59187:9187"
     depends_on:
       - sink-postgres
     restart: unless-stopped

reporter/postgres_reports.py

@@ -78,18 +78,18 @@ def get_index_definitions_from_sink(self) -> Dict[str, str]:
             with self.pg_conn.cursor(cursor_factory=psycopg2.extras.DictCursor) as cursor:
                 # Query the index_definitions table for the most recent data
                 query = """
-                    SELECT DISTINCT ON (data->>'indexname')
-                        data->>'indexname' as indexname,
+                    SELECT DISTINCT ON (data->>'indexrelname')
+                        data->>'indexrelname' as indexrelname,
                         data->>'index_definition' as index_definition
                     FROM public.index_definitions
-                    WHERE data ? 'indexname' AND data ? 'index_definition'
-                    ORDER BY data->>'indexname', time DESC
+                    WHERE data ? 'indexrelname' AND data ? 'index_definition'
+                    ORDER BY data->>'indexrelname', time DESC
                 """
                 cursor.execute(query)
 
                 for row in cursor.fetchall():
-                    if row['indexname']:
-                        index_definitions[row['indexname']] = row['index_definition']
+                    if row['indexrelname']:
+                        index_definitions[row['indexrelname']] = row['index_definition']
 
         except Exception as e:
             print(f"Error fetching index definitions from Postgres sink: {e}")
@@ -1846,9 +1846,9 @@ def make_request(api_url, endpoint, request_data):
 def main():
     parser = argparse.ArgumentParser(description='Generate PostgreSQL reports using PromQL')
     parser.add_argument('--prometheus-url', default='http://sink-prometheus:9090',
-                        help='Prometheus URL (default: http://sink-prometheus:9090 for Docker, use http://localhost:59090 for external access)')
-    parser.add_argument('--postgres-sink-url', default='postgresql://pgwatch:pgwatchadmin@sink-postgres:5432/measurements',
-                        help='Postgres sink connection string (default: postgresql://pgwatch:pgwatchadmin@sink-postgres:5432/measurements for Docker, use postgresql://pgwatch:pgwatchadmin@localhost:55433/measurements for external access)')
+                        help='Prometheus URL (default: http://sink-prometheus:9090)')
+    parser.add_argument('--postgres-sink-url', default='postgresql://pgwatch@sink-postgres:5432/measurements',
+                        help='Postgres sink connection string (default: postgresql://pgwatch@sink-postgres:5432/measurements)')
     parser.add_argument('--cluster', default='local',
                         help='Cluster name (default: local)')
     parser.add_argument('--node-name', default='node-01',