Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

puppetdb and puppet postgres authentication method mismatch #394

Open
ukgaz opened this issue Mar 15, 2024 · 3 comments
Open

puppetdb and puppet postgres authentication method mismatch #394

ukgaz opened this issue Mar 15, 2024 · 3 comments
Labels
needs-feedback

Comments

@ukgaz
Copy link

ukgaz commented Mar 15, 2024

Fresh installation of puppet 7 with puppetdb and postgres backend caused a reoccurring puppet change to appear

/Stage[main]/Puppetdb::Database::Postgresql/Postgresql::Server::Db[puppetdb]/Postgresql::Server::Role[puppetdb]/Postgresql_psql[ALTER ROLE puppetdb ENCRYPTED PASSWORD ****]/command: changed [redacted] to [redacted]

Packages in use

puppetserver-7.15.0-1.el7.noarch
puppetdb-termini-7.16.0-1.el7.noarch
puppet-agent-7.28.0-1.el7.x86_64
puppetdb-7.17.1-1.el7.noarch
postgresql15-server-15.6-1PGDG.rhel7.x86_64
postgresql15-libs-15.6-1PGDG.rhel7.x86_64
postgresql15-contrib-15.6-1PGDG.rhel7.x86_64
postgresql15-15.6-1PGDG.rhel7.x86_64

With basic puppetdb config

    class { 'puppetdb': }
    class { 'puppetdb::master::config': }

and in hiera node definition
puppetdb::postgres_version: '15'

I think the issue is due to the following change made for postgres puppet module puppetlabs/puppetlabs-postgresql#1402

To fix I had to set in hiera

postgresql::server::password_encryption: 'md5'

puppetdb basic configuration in theory should be matching configuration or documentation at https://www.puppet.com/docs/puppetdb/7/configure_postgres should be considered updating.
@deric deric mentioned this issue Apr 18, 2024
Merged
@h0tw1r3
Copy link
Contributor

h0tw1r3 commented May 1, 2024
edited

@ukgaz #400 should fix the issue.
Can you test with the latest release?

@ukgaz
Copy link
Author

ukgaz commented May 1, 2024
edited

Great to see this is being inveistigated. I setup a server from scratch so I don't interfere with our live systems. Cloned our code folder and change the hostname on the puppet master so it targets a different server.

Anyhow I'm still seeing

Notice: /Stage[main]/Puppetdb::Database::Postgresql/Postgresql::Server::Db[puppetdb]/Postgresql::Server::Role[puppetdb]/Postgresql_psql[ALTER ROLE puppetdb ENCRYPTED PASSWORD ****]/command: changed [redacted] to [redacted]

in ENV.pp

class { 'puppetdb': }
class { 'puppetdb::master::config': }

class { 'repo_postgres':
  pg_version => '15',
}

In Hiera

puppetdb::concurrent_writes: 18
puppetdb::manage_package_repo: false
puppetdb::postgres_version: '15'
repo_rhel::exclude_base: 'postgresql-server'
repo_rhel::exclude_updates: 'postgresql-server'

As you can see for this change I've removed only the
postgresql::server::password_encryption: 'md5'
Since I could see within params scram-sha-256 should be considered default. I can keep the guest up just in case you wish for me to do any further testing.

repo_* is our our own repo management module

@h0tw1r3
Copy link
Contributor

h0tw1r3 commented May 2, 2024
edited

Just released 8.0.1, which bumps the postgres dependency #402
Maybe that'll do it :)
If I have time tomorrow I'll spin up a test.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
needs-feedback
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@h0tw1r3 @ukgaz