From 982e3754a5755cc227552b6f1fcc195e8793589c Mon Sep 17 00:00:00 2001
From: "Gnana Lakshmi Kilambhi (gk118g)"
Date: Tue, 1 Sep 2020 13:43:11 +0530
Subject: [PATCH] Add default reject rule at the end in Postgres pg_hba.conf to ensure all connections must be explicitly allowed.

default reject at the end of pg_hba.conf is added to ensure all connections must be explicitly allowed. List of dependant users are added to allow connections are: 1. postgresql-admin 2. postgres 3. psql_exporter

Change-Id: Ic7bd19e5eb4745b91d94d5a88851280054459547
---
 postgresql/values.yaml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/postgresql/values.yaml b/postgresql/values.yaml
index 16791d6c0..0cd221b57 100644
--- a/postgresql/values.yaml
+++ b/postgresql/values.yaml
@@ -256,8 +256,11 @@ conf:
 debug: false
 pg_hba: |
 host all all 127.0.0.1/32 trust
- host all all 0.0.0.0/0 md5
+ host all postgresql-admin 0.0.0.0/0 md5
+ host all postgres 0.0.0.0/0 md5
+ host all psql_exporter 0.0.0.0/0 md5
 local all all trust
+ host all all 0.0.0.0/0 reject
 postgresql:
 archive_mode: 'off'
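Review bot: The three added allow records still use plain `host` with `md5` for `0.0.0.0/0`, so the `postgres` superuser remains reachable from any IPv4 source, with or without TLS. If the server version and clients allow it, something like `hostssl all postgres <POD_OR_SERVICE_CIDR> scram-sha-256` (placeholder CIDR) would narrow both the source range and the password exchange. The closing `host all all 0.0.0.0/0 reject` covers IPv4 only, and pg_hba.conf already denies a connection that matches no record, so the line records intent rather than changing the outcome; `host all all all reject` would state the same intent for IPv6 too. The unchanged `127.0.0.1/32 trust` and `local all all trust` records are matched before the reject and still admit any role without a password from inside the pod. Because the role names are literals in this block, a comment above `pg_hba` such as `# role names below must match the admin/exporter users configured for this chart` would help anyone who overrides those names elsewhere in values.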