
(PDB-4764) Agent SSL certificates are used for communication with PostgreSQL #322

Merged
merged 1 commit into from
Mar 23, 2021

Conversation

Filipovici-Andrei
Contributor

Updated the manifests for the SSL configuration of the PostgreSQL database configuration file.

@Filipovici-Andrei Filipovici-Andrei requested a review from a team as a code owner March 3, 2021 15:47
@puppet-community-rangefinder

puppetdb_conn_validator is a type

Breaking changes to this file MAY impact these 1 modules (near match):

puppetdb::database::postgresql is a class

that may have no external impact to Forge modules.

puppetdb is a class

Breaking changes to this file WILL impact these 5 modules (exact match):
Breaking changes to this file MAY impact these 3 modules (near match):

puppetdb::params is a class

that may have no external impact to Forge modules.

This module is declared in 33 of 576 indexed public Puppetfiles.


These results were generated with Rangefinder, a tool that helps predict the downstream impact of breaking changes to elements used in Puppet modules. You can run this on the command line to get a full report.

Exact matches are those that we can positively identify via namespace and the declaring modules' metadata. Non-namespaced items, such as Puppet 3.x functions, will always be reported as near matches only.

manifests/server/database.pp (review thread, outdated, resolved)
manifests/params.pp (review thread, resolved)
Contributor

@austb austb left a comment


To document the settings I had to add for client authentication, I wanted to add these here:

pg_hba.conf

# Rule Name: Allow certificate mapped connections to pe-puppetdb as pe-puppetdb (ipv4)
# Description: none
# Order: 0
hostssl puppetdb     puppetdb     0.0.0.0/0       cert    map=puppetdb-puppetdb-map clientcert=1

# Rule Name: Allow certificate mapped connections to pe-puppetdb as pe-puppetdb (ipv6)
# Description: none
# Order: 1
hostssl puppetdb     puppetdb     ::/0    cert    map=puppetdb-puppetdb-map clientcert=1

This is a file I forgot about, but pg_ident.conf defines the certificate name to database username mappings

# This file is managed by Puppet. DO NOT EDIT.
puppetdb-puppetdb-map duller-artery.delivery.puppetlabs.net puppetdb

A lot of my configuration to get it working was done manually, so in case I missed anything I've extended the lifetime of duller-artery.delivery.puppetlabs.net, should you want to dig around in the settings.

manifests/server/database.pp (review thread, outdated, resolved)
manifests/server/database.pp (review thread, resolved)
manifests/database/postgresql.pp (review thread, outdated, resolved)
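The pg_hba.conf and pg_ident.conf lines quoted in the review comment above, as an added example that is not part of the PR, of PuppetDB, or of PostgreSQL: a small Python simulator of PostgreSQL's first-match evaluation of those two files for a client-certificate login. It supports only the forms used here (CIDR addresses, "all" or comma-separated database/user fields, plain or "/regex" system names in pg_ident with \1 substitution); hostnames, "+role" and "@file" fields are not handled. The two sample configs are constructed from the quoted lines with the comment wording shortened, and the lint_hba checks are reviewer heuristics written for this example. The facts they rely on are PostgreSQL's own: the cert method needs an SSL connection and a client certificate, without map= the certificate CN must equal the requested database user, and clientcert=1 is deprecated since PostgreSQL 12 and no longer accepted from 14 (with method cert it is redundant in any version, since PostgreSQL documents cert as trust with clientcert=verify-full).

```python
import ipaddress
import re

# Constructed samples, copied from the lines quoted in the review comment above.
SAMPLE_PG_HBA = """\
# Allow certificate mapped connections to puppetdb as puppetdb (ipv4)
hostssl puppetdb     puppetdb     0.0.0.0/0       cert    map=puppetdb-puppetdb-map clientcert=1
# Allow certificate mapped connections to puppetdb as puppetdb (ipv6)
hostssl puppetdb     puppetdb     ::/0    cert    map=puppetdb-puppetdb-map clientcert=1
"""
SAMPLE_PG_IDENT = """\
# This file is managed by Puppet. DO NOT EDIT.
puppetdb-puppetdb-map duller-artery.delivery.puppetlabs.net puppetdb
"""

def _fields(text):
    """Yield (line_number, fields) for every non-blank, non-comment line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].split()
        if body:
            yield lineno, body

def parse_hba(text):
    """Parse pg_hba.conf rules into dicts; 'local' rules carry no address column."""
    rules = []
    for lineno, f in _fields(text):
        local = f[0] == "local"
        if len(f) < (4 if local else 5):
            raise ValueError(f"pg_hba.conf line {lineno}: too few fields")
        address, rest = (None, f[3:]) if local else (f[3], f[4:])
        rules.append({"line": lineno, "type": f[0], "database": f[1], "user": f[2],
                      "address": address, "method": rest[0],
                      "options": dict(o.split("=", 1) for o in rest[1:])})
    return rules

def parse_ident(text):
    """Parse pg_ident.conf into (map_name, system_name, pg_user) triples."""
    triples = []
    for lineno, f in _fields(text):
        if len(f) != 3:
            raise ValueError(f"pg_ident.conf line {lineno}: expected 3 fields")
        triples.append(tuple(f))
    return triples

def _matches(field, value):
    return field == "all" or value in field.split(",")  # 'all' or a comma list

def ident_allows(ident, map_name, system_name, pg_user):
    """True if a line of map_name maps the certificate CN to pg_user; a system
    name starting with '/' is a regex whose first group replaces \\1 in pg_user."""
    for name, sys_name, db_user in ident:
        if name != map_name:
            continue
        if sys_name.startswith("/"):
            m = re.search(sys_name[1:], system_name)
            if not m:
                continue
            if "\\1" in db_user and m.groups():
                db_user = db_user.replace("\\1", m.group(1))
        elif sys_name != system_name:
            continue
        if db_user == pg_user:
            return True
    return False

def evaluate(rules, ident, *, database, user, client_ip, ssl, client_cn=None):
    """Decide a TCP connection as PostgreSQL does: the first rule whose type, database,
    user and address all match is final; a failing method never falls through."""
    ip = ipaddress.ip_address(client_ip)
    for r in rules:
        wrong_type = r["type"] == "local" or (r["type"] == "hostssl" and not ssl) \
            or (r["type"] == "hostnossl" and ssl)
        if wrong_type or not (_matches(r["database"], database) and _matches(r["user"], user)):
            continue
        net = ipaddress.ip_network(r["address"], strict=False)  # CIDR form only
        if ip.version != net.version or ip not in net:
            continue
        where = f"pg_hba.conf line {r['line']}"
        if r["method"] != "cert":
            return ("reject" if r["method"] == "reject" else "auth:" + r["method"]), where
        if client_cn is None:
            return "reject", f"{where}: cert method but no client certificate presented"
        map_name = r["options"].get("map")  # without map= the CN must equal the user
        ok = client_cn == user if map_name is None else ident_allows(ident, map_name, client_cn, user)
        return ("allow" if ok else "reject"), f"{where}: CN {client_cn!r} as {user!r} via map {map_name!r}"
    return "reject", "no pg_hba.conf rule matched"

def lint_hba(rules):
    """Reviewer heuristics added here (not PostgreSQL's own checks)."""
    findings = []
    for r in rules:
        where = f"pg_hba.conf line {r['line']}"
        if r["method"] == "cert" and r["type"] != "hostssl":
            findings.append(f"{where}: cert auth needs SSL; use hostssl so plain connections never match")
        if r["options"].get("clientcert") == "1":
            findings.append(f"{where}: clientcert=1 is deprecated in PostgreSQL 12 and rejected by 14+; "
                            "with method cert it is redundant, cert already implies verify-full")
    return findings
```

Running evaluate() against the sample with the CN duller-artery.delivery.puppetlabs.net yields "allow" over either address family, while any other CN, a missing client certificate, a non-SSL connection, or another database name yields "reject". The point to keep in mind when reading the open 0.0.0.0/0 and ::/0 ranges: the map is the only gate, so it must list exactly the PuppetDB host's CN. Every Puppet agent holds a certificate signed by the same Puppet CA, so a missing map (CN must then equal the role name) or a broad regex map would let other agents' certificates log in as puppetdb.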
Contributor

@austb austb left a comment


This looks good. I think it could use a couple of basic tests for the important settings, like the pg_ident/pg_hba rules, the subname config setting, and the pk8, and then it should be ready to go.


3 participants