Add switch to configure database SSL connection #80
Conversation
|
Can one of the admins verify this patch? |
|
I have updated my changes, because the if statement to disable the database connection validation was wrong. |
|
test this please |
|
Merged build triggered. (Status: PENDING, Details: null) |
|
Merged build started. (Status: PENDING, Details: http://box.bob.sh:8080/job/puppetlabs-puppetdb/253/) |
|
Merged build finished. (Status: FAILURE, Details: http://box.bob.sh:8080/job/puppetlabs-puppetdb/253/) |
|
@stdietrich this is throwing errors on the rspec-system tests, and the travis tests seem to have blocked also. How about you rebase, and push your changes again and lets see if this clears things. When you push again to this PR it should start the system tests automatically, so make sure you check out the results to see if they are still failing and/or fix them. |
|
Yes, you are right. Just rebased my changes on latest master and run the system spec tests. They are indeed failing, I will have a look into this and fix the errors. |
|
Found the culprit. |
|
retest this please |
| ) inherits puppetdb::params { | ||
|
|
||
| # We don't need any validation for the embedded database, presumably. | ||
| if ($database == 'postgres' and $database_password != undef) { | ||
| if ($database == 'postgres' and ( | ||
| $database_password != undef and $database_ssl == false) |
There was a problem hiding this comment.
Is this because validate_db_connection doesn't support SSL?
There was a problem hiding this comment.
validate_db_connection does support SSL, because it uses psql. psql expects certificates to be located in a .postgresql folder inside the home folder of the executing user.
Now one would have to store the certificates multiple times on the machine, once for the validate_db_connection and another time inside the JKS.
To circumvent this, I disabled DB validation if SSL is enabled.
There was a problem hiding this comment.
So I like this feature, I really do - but can't help but think this is incomplete because of our inability to use validate_db_connection. I do however realise that getting everything working is going to be a hassle, but it feels like a bad line to draw. Maybe I'm just being pedantic, but I would like to find a better incremental release of this feature somehow. Let me ponder some more, but I don't suppose you have any ideas on doing something that is a stop-gap?
There was a problem hiding this comment.
If you insist on validate_db_connection, then there is only one way to solve this :)
The paths to the certificates are hardcoded in the libpq C library, which is used by psql.
So, you have to store the certificates multiple times or symlinking the contents of the .postgres folder to a different location.
This should probably handled by the puppetlabs-postgresql module.
Let me know, if you come up with any other solution.
|
Merged build triggered. (Status: PENDING, Details: null) |
|
Merged build started. (Status: PENDING, Details: http://box.bob.sh:8080/job/puppetlabs-puppetdb/256/) |
|
Merged build finished. (Status: SUCCESS, Details: http://box.bob.sh:8080/job/puppetlabs-puppetdb/256/) |
|
The unit tests are failing atm @stdietrich |
|
@kbarber |
|
@stdietrich this should be better now, I've just asked Travis to re-run your tests. |
| @@ -32,6 +32,7 @@ | |||
| $database_username = $puppetdb::params::database_username, | |||
| $database_password = $puppetdb::params::database_password, | |||
| $database_name = $puppetdb::params::database_name, | |||
| $database_ssl = $puppetdb::params::database_ssl, | |||
There was a problem hiding this comment.
Sorry, should have picked this up before, this needs to be documented now in README.md
There was a problem hiding this comment.
Also as per convention it needs to be available in the main class puppetdb as well, I think that is what is normally documented. For good or bad.
PostgreSQL supports secure connections through SSL. For PuppetDB to connect with SSL, "?ssl=true" has to be specified on the connection string. This patch adds such a switch, by default PuppetDB will not use SSL to connect to the database.
|
@kbarber |
|
retest this please |
|
Merged build triggered. |
|
Merged build started. |
|
Merged build finished. |
|
Test PASSed. |
|
I've raised this to cover the postgresql change: puppetlabs/puppetlabs-postgresql#287 But I'm going to allow this merge, since it gets us partly there and might provide enough impetus for someone to fix it completely. |
Add switch to configure database SSL connection
Hi,
this patch adds a switch, to optionally use SSL for PostgreSQL database connections. This adds only the switch, setting up the appropriate trust- and keystores has to be done outside of this module (e.g. puppetlabs-java_ks).
By default, all database connections will be without SSL.
I have disabled the database connection validation, if SSL is enabled. The psql command expects the certificates in the .postgresql folder of the executing user. Otherwise you would have to store the certificates multiple times on the machine.
Regards,
Stefan