mirror of
https://github.com/neondatabase/neon.git
synced 2026-01-14 17:02:56 +00:00
da9c101939
The compute_ctl HTTP server has the following purposes: - Allow management via the control plane - Provide an endpoint for scaping metrics - Provide APIs for compute internal clients - Neon Postgres extension for installing remote extensions - local_proxy for installing extensions and adding grants The first two purposes require the HTTP server to be available outside the compute. The Neon threat model is a bad actor within our internal network. We need to reduce the surface area of attack. By exposing unnecessary unauthenticated HTTP endpoints to the internal network, we increase the surface area of attack. For endpoints described in the third bullet point, we can just run an extra HTTP server, which is only bound to the loopback interface since all consumers of those endpoints are within the compute.
This directory contains files that are needed to build the compute images, or included in the compute images.
compute-node.Dockerfile To build the compute image
vm-image-spec.yaml Instructions for vm-builder, to turn the compute-node image into corresponding vm-compute-node image.
etc/ Configuration files included in /etc in the compute image
patches/ Some extensions need to be patched to work with Neon. This directory contains such patches. They are applied to the extension sources in compute-node.Dockerfile
In addition to these, postgres itself, the neon postgres extension, and compute_ctl are built and copied into the compute image by compute-node.Dockerfile.