config: introduce admin-server-host config parameter

CHANGELOG.md

@@ -5,6 +5,10 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 
 ## Unreleased
 
+### Added
+
+ - #3558, Add the `admin-server-host` config to set the host for the admin server - @develop7
+
 ### Changed
 
  - #2052, Dropped support for PostgreSQL 9.6 - @wolfgangwalther

docs/references/configuration.rst

@@ -146,6 +146,21 @@ To reload the configuration from within the database, you can use the ``NOTIFY``
 List of parameters
 ==================
 
+.. _admin-server-host:
+
+admin-server-host
+-----------------
+
+  =============== =======================
+  **Type**        String
+  **Default**     `server-host` value
+  **Reloadable**  N
+  **Environment** PGRST_ADMIN_SERVER_HOST
+  **In-Database** `n/a`
+  =============== =======================
+
+  Specifies the host for the :ref:`admin_server`. Defaults to :ref:`server-host` value.
+
 .. _admin-server-port:
 
 admin-server-port

src/PostgREST/AppState.hs

@@ -192,7 +192,8 @@ initSockets AppConfig{..} = do
     cfg'uspm = configServerUnixSocketMode
     cfg'host = configServerHost
     cfg'port = configServerPort
-    cfg'adminport = configAdminServerPort
+    cfg'adminHost = configAdminServerHost
+    cfg'adminPort = configAdminServerPort
 
   sock <- case cfg'usp of
     -- I'm not using `streaming-commons`' bindPath function here because it's not defined for Windows,
@@ -210,9 +211,9 @@ initSockets AppConfig{..} = do
             pure (num, sock)
       pure sock
 
-  adminSock <- case cfg'adminport of
+  adminSock <- case cfg'adminPort of
     Just adminPort -> do
-      adminSock <- bindPortTCP adminPort (fromString $ T.unpack cfg'host)
+      adminSock <- bindPortTCP adminPort (fromString $ T.unpack cfg'adminHost)
       pure $ Just adminSock
     Nothing -> pure Nothing
 

src/PostgREST/Config.hs

@@ -106,6 +106,7 @@ data AppConfig = AppConfig
   , configServerTimingEnabled      :: Bool
   , configServerUnixSocket         :: Maybe FilePath
   , configServerUnixSocketMode     :: FileMode
+  , configAdminServerHost          :: Text
   , configAdminServerPort          :: Maybe Int
   , configRoleSettings             :: RoleSettings
   , configRoleIsoLvl               :: RoleIsolationLvl
@@ -176,6 +177,7 @@ toText conf =
       ,("server-timing-enabled",         T.toLower . show . configServerTimingEnabled)
       ,("server-unix-socket",        q . maybe mempty T.pack . configServerUnixSocket)
       ,("server-unix-socket-mode",   q . T.pack . showSocketMode)
+      ,("admin-server-host",         q . configAdminServerHost)
       ,("admin-server-port",             maybe "\"\"" show . configAdminServerPort)
       ]
 
@@ -276,12 +278,14 @@ parser optPath env dbSettings roleSettings roleIsolationLvl =
     <*> (fromMaybe False <$> optBool "openapi-security-active")
     <*> parseOpenAPIServerProxyURI "openapi-server-proxy-uri"
     <*> parseCORSAllowedOrigins "server-cors-allowed-origins"
-    <*> (fromMaybe "!4" <$> optString "server-host")
+    <*> (defaultServerHost <$> optString "server-host")
     <*> (fromMaybe 3000 <$> optInt "server-port")
     <*> (fmap (CI.mk . encodeUtf8) <$> optString "server-trace-header")
     <*> (fromMaybe False <$> optBool "server-timing-enabled")
     <*> (fmap T.unpack <$> optString "server-unix-socket")
     <*> parseSocketFileMode "server-unix-socket-mode"
+    <*> (defaultServerHost <$> optWithAlias (optString "admin-server-host")
+                                            (optString "server-host"))
     <*> optInt "admin-server-port"
     <*> pure roleSettings
     <*> pure roleIsolationLvl
@@ -412,6 +416,9 @@ parser optPath env dbSettings roleSettings roleIsolationLvl =
 
     defaultHoistedAllowList = ["statement_timeout","plan_filter.statement_cost_limit","default_transaction_isolation"]
 
+    defaultServerHost :: Maybe Text -> Text
+    defaultServerHost = fromMaybe "!4"
+
 -- | Read the JWT secret from a file if configJwtSecret is actually a
 -- filepath(has @ as its prefix). To check if the JWT secret is provided is
 -- in fact a file path, it must be decoded as 'Text' to be processed.

test/io/configs/expected/aliases.config

@@ -35,4 +35,5 @@ server-trace-header = ""
 server-timing-enabled = false
 server-unix-socket = ""
 server-unix-socket-mode = "660"
+admin-server-host = "!4"
 admin-server-port = ""

test/io/configs/expected/boolean-numeric.config

@@ -35,4 +35,5 @@ server-trace-header = ""
 server-timing-enabled = false
 server-unix-socket = ""
 server-unix-socket-mode = "660"
+admin-server-host = "!4"
 admin-server-port = ""

test/io/configs/expected/boolean-string.config

@@ -35,4 +35,5 @@ server-trace-header = ""
 server-timing-enabled = false
 server-unix-socket = ""
 server-unix-socket-mode = "660"
+admin-server-host = "!4"
 admin-server-port = ""

test/io/configs/expected/defaults.config

@@ -35,4 +35,5 @@ server-trace-header = ""
 server-timing-enabled = false
 server-unix-socket = ""
 server-unix-socket-mode = "660"
+admin-server-host = "!4"
 admin-server-port = ""

test/io/configs/expected/no-defaults-with-db-other-authenticator.config

@@ -35,6 +35,7 @@ server-trace-header = "traceparent"
 server-timing-enabled = true
 server-unix-socket = "/tmp/pgrst_io_test.sock"
 server-unix-socket-mode = "777"
+admin-server-host = "127.0.0.1"
 admin-server-port = 3001
 app.settings.test = "test"
 app.settings.test2 = "test"

test/io/configs/expected/no-defaults-with-db.config

@@ -35,6 +35,7 @@ server-trace-header = "CF-Ray"
 server-timing-enabled = false
 server-unix-socket = "/tmp/pgrst_io_test.sock"
 server-unix-socket-mode = "777"
+admin-server-host = "127.0.0.1"
 admin-server-port = 3001
 app.settings.test = "test"
 app.settings.test2 = "test"

test/io/configs/expected/no-defaults.config

@@ -35,6 +35,7 @@ server-trace-header = "X-Request-Id"
 server-timing-enabled = true
 server-unix-socket = "/tmp/pgrst_io_test.sock"
 server-unix-socket-mode = "777"
+admin-server-host = "127.0.0.1"
 admin-server-port = 3001
 app.settings.test = "test"
 app.settings.test2 = "test"

test/io/configs/expected/types.config

@@ -35,5 +35,6 @@ server-trace-header = ""
 server-timing-enabled = false
 server-unix-socket = ""
 server-unix-socket-mode = "660"
+admin-server-host = "!4"
 admin-server-port = ""
 app.settings.test = "Bool False"

test/io/configs/no-defaults-env.yaml

@@ -38,4 +38,5 @@ PGRST_SERVER_TRACE_HEADER: X-Request-Id
 PGRST_SERVER_TIMING_ENABLED: true
 PGRST_SERVER_UNIX_SOCKET: /tmp/pgrst_io_test.sock
 PGRST_SERVER_UNIX_SOCKET_MODE: 777
+PGRST_ADMIN_SERVER_HOST: 127.0.0.1
 PGRST_ADMIN_SERVER_PORT: 3001

test/io/configs/no-defaults.config

@@ -36,5 +36,6 @@ server-timing-enabled = true
 server-unix-socket = "/tmp/pgrst_io_test.sock"
 server-unix-socket-mode = "777"
 admin-server-port = 3001
+admin-server-host = "127.0.0.1"
 app.settings.test = "test"
 app.settings.test2 = "test"

test/io/db_config.sql

@@ -35,6 +35,7 @@ CREATE DATABASE other;
 ALTER ROLE db_config_authenticator IN DATABASE other SET pgrst.db_max_rows = '1111';
 
 -- non-reloadable configs
+ALTER ROLE db_config_authenticator SET pgrst.admin_server_host = 'ignored';
 ALTER ROLE db_config_authenticator SET pgrst.admin_server_port = 'ignored';
 ALTER ROLE db_config_authenticator SET pgrst.db_channel = 'ignored';
 ALTER ROLE db_config_authenticator SET pgrst.db_channel_enabled = 'ignored';

test/spec/SpecHelper.hs

@@ -150,6 +150,7 @@ baseCfg = let secret = Just $ encodeUtf8 "reallyreallyreallyreallyverysafe" in
   , configServerUnixSocketMode      = 432
   , configDbTxAllowOverride         = True
   , configDbTxRollbackAll           = True
+  , configAdminServerHost           = "localhost"
   , configAdminServerPort           = Nothing
   , configRoleSettings              = mempty
   , configRoleIsoLvl                = mempty