EnterpriseDB
diff --git a/‎product_docs/docs/tpa/23/reference/architecture-PGD-Lightweight.mdx
Lines changed: 103 additions & 0 deletions b/‎product_docs/docs/tpa/23/reference/architecture-PGD-Lightweight.mdx
Lines changed: 103 additions & 0 deletions
diff --git a/‎product_docs/docs/tpa/23/reference/barman.mdx
Lines changed: 106 additions & 2 deletions b/‎product_docs/docs/tpa/23/reference/barman.mdx
Lines changed: 106 additions & 2 deletions
diff --git a/‎product_docs/docs/tpa/23/reference/compliance.mdx
Lines changed: 166 additions & 0 deletions b/‎product_docs/docs/tpa/23/reference/compliance.mdx
Lines changed: 166 additions & 0 deletions
@@ -0,0 +1,103 @@
+---
+description: Configuring a PGD Lightweight cluster with TPA.
+title: PGD Lightweight
+originalFilePath: architecture-PGD-Lightweight.md
+
+---
+
+!!! Note
+
+    This architecture is for Postgres Distributed 5 only.
+    If you require PGD 4 or 3.7 please use [BDR-Always-ON](../architecture-BDR-Always-ON/).
+
+    EDB Postgres Distributed 5 in a Lightweight configuration,
+    suitable for use in test and production.
+
+    This architecture requires an EDB subscription.
+    All software will be sourced from [EDB Repos 2.0](edb_repositories/).
+
+## Cluster configuration
+
+### Overview of configuration options
+
+An example invocation of `tpaexec configure` for this architecture
+is shown below.
+
+```bash
+    tpaexec configure ~/clusters/pgd-lw \
+        --architecture Lightweight \
+        --edb-postgres-extended 15 \
+        --platform aws --instance-type t3.micro \
+        --distribution Debian \
+        --location-names main dr \
+```
+
+You can list all available options using the help command.
+
+```bash
+tpaexec configure --architecture Lightweight --help
+```
+
+The table below describes the mandatory options for PGD-Always-ON
+and additional important options.
+More detail on the options is provided in the following section.
+
+#### Mandatory Options
+
+| Options                                               | Description                                                                                  |
+| ----------------------------------------------------- | -------------------------------------------------------------------------------------------- |
+| `--architecture` (`-a`)                               | Must be set to `Lightweight`                                                                 |
+| Postgres flavour and version (e.g. `--postgresql 15`) | A valid [flavour and version specifier](../tpaexec-configure/#postgres-flavour-and-version). |
+
+<br/><br/>
+
+#### Additional Options
+
+| Options                          | Description                                                                                                 | Behaviour if omitted                                        |
+| -------------------------------- | ----------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------- |
+| `--platform`                     | One of `aws`, `docker`, `bare`.                                                                             | Defaults to `aws`.                                          |
+| `--location-names`               | A space-separated list of location names. The number of locations is equal to the number of names supplied. | TPA will configure a single location with three data nodes. |
+| `--add-proxy-nodes-per-location` | The number of proxy nodes in each location.                                                                 | PGD-proxy will be installed on each data node.              |
+| `--bdr-database`                 | The name of the database to be used for replication.                                                        | Defaults to `bdrdb`.                                        |
+| `--enable-pgd-probes`            | Enable http(s) api endpoints for pgd-proxy such as `health/is-ready` to allow probing proxy's health.       | Disabled by default.                                        |
+| `--proxy-listen-port`            | The port on which proxy nodes will route traffic to the write leader.                                       | Defaults to 6432                                            |
+| `--proxy-read-only-port`         | The port on which proxy nodes will route read-only traffic to shadow nodes.                                 | Defaults to 6433                                            |
+
+<br/><br/>
+
+### More detail about Lightweight configuration
+
+A PGD Lightweight cluster comprises 2 locations, with a primary active location containing 2 nodes and a disaster recovery (dr) location with a single node.
+
+Location names for the cluster are specified as
+`--location-names primary dr`. A location represents an independent
+data centre that provides a level of redundancy, in whatever way
+this definition makes sense to your use case. For example, AWS
+regions, your own data centres, or any other designation to identify
+where your servers are hosted.
+
+!!! Note for AWS users
+
+    If you are using TPA to provision an AWS cluster, the locations will
+    be mapped to separate availability zones within the `--region` you
+    specify.
+    You may specify multiple `--regions`, but TPA does not currently set
+    up VPC peering to allow instances in different regions to
+    communicate with each other. For a multi-region cluster, you will
+    need to set up VPC peering yourself.
+
+By default, every data node (in every location) will also run PGD-Proxy
+for connection routing. To create separate PGD-Proxy instances instead,
+use `--add-proxy-nodes-per-location 3` (or however many proxies you want
+to add).
+
+Global routing will make every proxy route to a single write leader, elected amongst all available data nodes across all locations.
+
+You may optionally specify `--bdr-database dbname` to set the name of
+the database with BDR enabled (default: bdrdb).
+
+You may optionally specify `--enable-pgd-probes [{http, https}]` to
+enable http(s) api endpoints that will allow to easily probe proxy's health.
+
+You may also specify any of the options described by
+[`tpaexec help configure-options`](../tpaexec-configure/).
@@ -99,8 +99,112 @@ TPA versions `<23.35` created the `barman` Postgres user as a `superuser`.
 
 Beginning with `23.35` the `barman` user is created with `NOSUPERUSER`,
 so any re-deploys on existing clusters will remove the `superuser` attribute
-from the `barman` Postgres user. Instead, the `barman_role` is granted the 
-required set of privileges and the `barman` user is granted `barman_role` membership. 
+from the `barman` Postgres user. Instead, the `barman_role` is granted the
+required set of privileges and the `barman` user is granted `barman_role` membership.
 
 This avoids granting the `superuser` attribute to the `barman` user, using the set
 of privileges provided in the [Barman Manual](https://docs.pgbarman.org/release/latest/#postgresql-connection).
+
+## Shared Barman server
+
+!!! Note
+
+    To use the shared Barman functionality with clusters created using a
+    TPA version earlier than 23.35, you must:
+    a) upgrade to a version of TPA that supports creating
+    shared Barman instances.
+    b) after upgrading TPA, run deploy on $first-cluster so TPA can make
+    necessary config changes for subsequent clusters to run smoothly
+    against the shared Barman node.
+
+Some deployments may want to share a single Barman server for multiple
+clusters. Shared Barman server deployment within
+tpaexec is supported via the `barman_shared` setting that can be set via
+`vars:` under the Barman server instance for the given cluster config
+that plans to use an existing Barman server. `barman_shared` is a
+boolean variable so possible values are true and false(default). When
+making any changes to the Barman config in a shared scenario, you must
+ensure that configurations across multiple clusters remain in sync so as
+to avoid a scenario where one cluster adds a specific configuration and
+a second cluster overrides it.
+
+A typical workflow for using a shared Barman server across multiple
+clusters is described below.
+
+1.  Create a TPA cluster with an instance that has `barman` role
+    (call it 'first-cluster' for this example).
+
+2.  In the second cluster (second-cluster for example), reference this
+    particular Barman instance from $clusters/first-cluster as a shared
+    Barman server instance and use `bare` as platform so we are not
+    trying to create a new Barman instance when running provision. Also
+    specify the IP address of the Barman instance that this cluster can
+    use to access it.
+
+    ```yml
+    - Name: myBarman
+      node: 5
+      role:
+          - barman
+      platform: bare
+      ip_address: x.x.x.x
+      vars:
+          barman_shared: true
+    ```
+
+3.  Once the second-cluster is provisioned but before running deploy,
+    make sure that it can access the Barman server instance via ssh. You
+    can allow this access by copying second-cluster's public key to
+    Barman server instance via `ssh-copy-id` and then do an ssh to
+    make sure you can login without having to specify the password.
+
+    ```bash
+    # add first-cluster's key to the ssh-agent
+    $ cd $clusters/first-cluster
+    $ ssh-add id_first-clutser
+    $ cd $clusters/second-cluster
+    $ ssh-keyscan -t rsa,ecdsa -4 $barman-server-ip >> tpa_known_hosts
+    $ ssh-copy-id -i id_second-cluster.pub -o 'UserKnownHostsFile=tpa_known_hosts' $user@$barman-server-ip
+    $ ssh -F ssh_config $barman-server
+    ```
+
+4.  Copy the Barman user's keys from first-cluster to second-cluster
+    ```bash
+    $ mkdir $clusters/second-cluster/keys
+    $ cp $clusters/first-cluster/keys/id_barman* clusters/second-cluster/keys
+    ```
+
+5.  Run `tpaexec deploy $clusters/second-cluster`
+
+!!! Note
+
+    You must use caution when setting up clusters that share a Barman 
+    server instance. There are a number of important aspects you must
+    consider before attempting such a setup. For example:
+
+    1.  Making sure that no two instances in any of the clusters sharing a
+        Barman server use the same name.
+    2.  Barman configuration and settings otherwise should remain in sync in
+        all the clusters using a common Barman server to avoid a scenario
+        where one cluster sets up a specific configuration and the others do
+        not either because the configuration is missing or uses a different
+        value.
+    3.  Version of Postgres on instances being backed up across different
+        clusters needs to be the same.
+    4.  Different clusters using a common Barman server cannot specify
+        different versions of Barman packages when attempting to override
+        default.
+
+Some of these may be addressed in a future release as we continue to
+improve the shared Barman server support.
+
+!!!Warning
+
+Be extremely careful when deprovisioning clusters sharing a common
+Barman node. Especially where the first cluster that deployed Barman
+uses non-bare platform. Deprovisioning the first cluster that
+originally provisioned and deployed Barman will effectively leave
+other clusters sharing the Barman node in an inconsistent state
+because the Barman node will already have been deprovisioned by the
+first cluster and it won't exist anymore.
+!!!
@@ -0,0 +1,166 @@
+---
+description: Generating standards-compliant clusters with TPA
+title: Compliance
+originalFilePath: compliance.md
+
+---
+
+TPA can generate configurations designed to make it easy for a
+cluster to comply with the STIG or CIS standards. If you pass
+`--compliance stig` or `--compliance cis` to `tpaexec configure`,
+TPA will:
+
+-   Check that other options are compatible with the appropriate
+    standard.
+-   Add various entries to the generated `config.yml`, including
+    marking that this is a cluster meant to comply with a particular
+    standard and setting Postgres configuration as required by
+    the standard.
+-   Adjust some deployment tasks to enforce compliance.
+-   Run checks at the end of deployment.
+
+The deploy-time checks can
+be skipped by giving the option `--excluded_tasks=compliance` to `tpaexec
+deploy`. This feature is intended for testing only, when using a test
+system on which full compliance is impossible (for example,
+because SSL certificates are not available).
+
+There are some situations in which TPA will intentionally fail to
+comply with the selected standard; these are documented under Exceptions
+below.
+
+## STIG
+
+STIG compliance is indicated by the `--compliance stig` option to
+`tpaexec configure`.
+
+### Option compatibility
+
+STIG compliance requires the `bare` platform and the `epas` flavour.
+It requires the RedHat OS with version 8 or 9.
+
+### Settings in config.yml
+
+The following entry is added to `cluster_vars` to use the SQL/Protect
+feature of EDB Postgres Advanced Server:
+
+```
+    extra_postgres_extensions: [ 'sql_protect' ]
+```
+
+The following entries are added to `cluster_vars` to force clients
+to use SSL authentication:
+
+```
+  hba_force_hostssl: True
+  hba_force_certificate_auth: True
+  hba_cert_authentication_map: sslmap
+```
+
+The following entries are added to `cluster_vars` to set GUCs in
+postgresql.conf:
+
+```
+  tcp_keepalives_idle: 10
+  tcp_keepalives_interval: 10
+  tcp_keepalives_count: 10
+  log_destination: "stderr"
+  postgres_log_file_mode: "0600"
+```
+
+The following entries are added to `postgres_conf_settings` in
+`cluster_vars` to set GUCs in postgresql.conf:
+
+```
+  edb_audit: "xml"
+  edb_audit_statement: "all"
+  edb_audit_connect: "all"
+  edb_audit_disconnect: "all"
+  statement_timeout: 1000
+  client_min_messages: "ERROR"
+```
+
+### Deployment differences
+
+During deployment, TPA will set connection limits for the database users
+it creates, corresponding to the number of connections that are needed
+for normal operation. As each user is set up, it will also check that
+an SSL client certificate has been provided for it.
+
+### Providing client ssl certificates
+
+STIG requires DOD-approved ssl certificates for client connections.
+These certificates can't be generated by TPA and therefore must be
+supplied. When setting up authentication for a user from a
+node in the cluster, TPA will look for a certificate/key pair on the
+node. The certificate and key should be in files called .crt
+and .key in the directory given by the `ssl_client_cert_dir`
+setting. The default for this setting is `/`, so the files would be,
+for example, `/barman.crt` and `/barman.key` when the `barman` user is
+being set up.
+
+### Final checks
+
+At the end of deployment, TPA will check that the server has FIPS
+enabled.
+
+### Exceptions
+
+If you select EFM as the failover manager, TPA will configure password
+authentication for the EFM user. This goes against the STIG requirement
+that all TCP connections use certificate authentication. The reason for
+this exception is that EFM does not support certificate authentication.
+
+## CIS
+
+CIS compliance is indicated by the `--compliance cis` option to `tpaexec
+configure`.
+
+### Settings in config.yml
+
+The following entries are added to `cluster_vars` to set GUCs in
+postgresql.conf:
+
+```
+  log_connections: "on"
+  log_disconnections: "on"
+```
+
+The following entry is added to `cluster_vars` to enable required
+extensions:
+
+```
+  extra_postgres_extensions: ["passwordcheck", "pgaudit"]
+```
+
+The following entry is added to `cluster_vars` to set the umask for
+the postgres OS user:
+
+```
+  extra_bash_rc_lines: "umask 0077"
+```
+
+The following entries are added to `postgres_conf_settings` in
+`cluster_vars` to set GUCs in postgresql.conf:
+
+```
+
+  log_error_verbosity: "verbose"
+  log_line_prefix: "'%m [%p]: [%l-1] db=%d,user=%u,app=%a,client=%h '"
+  log_replication_commands: "on"
+  temp_file_limit: "1GB"
+```
+
+### Final checks
+
+At the end of deployment, TPA will check that the server has FIPS
+enabled.
+
+### Exceptions
+
+TPA does not support pgBackRest as mentioned in the CIS specification.
+Instead TPA installs Barman.
+
+TPA does not install and configure `set_user` as required by the CIS
+specification. This is because preventing logon by the Postgres user
+would leave TPA unable to connect to, and configure, the database.