Jira (PDB-1013) Module: postgresql client certificate & general libpq ssl communication should be easily done in the module
Claudia Petty updated an issue
PuppetDB / PDB-1013 Module: postgresql client certificate & general libpq ssl communication should be easily done in the module
Change By: Claudia Petty
Labels: module new-feature puppetdb

This message was sent by Atlassian Jira (v8.20.21#820021-sha1:38274c8)
--
You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.46221.1406917438000.2455.1687359480613%40Atlassian.JIRA.
Jira (PDB-1013) Module: postgresql client certificate general libpq ssl communication should be easily done in the module
Kenneth Barber updated an issue
PuppetDB / PDB-1013 Module: postgresql client certificate general libpq ssl communication should be easily done in the module
Change By: Kenneth Barber
Summary: Module: postgresql client certificate general libpq ssl communication should be easily done in the module
Jira (PDB-1013) Module: postgresql client certificate general libpq ssl communication should be easily done in the module
Kenneth Barber updated an issue
PuppetDB / PDB-1013 Module: postgresql client certificate general libpq ssl communication should be easily done in the module
Change By: Kenneth Barber

Currently the module doesn't support switching on PostgreSQL SSL support using the more configurable libpq factory for users who want it. This ticket tracks the changes required to make that easy for users and so the $subname can be set automatically as a part of this also.

Right now, we have an option for {{database_ssl}} and {{read_database_ssl}} in the {{puppetdb::server::database_ini}} class but these only turn on {{ssl=true}} in the JDBC subname in the database.ini today: https://github.com/puppetlabs/puppetlabs-puppetdb/blob/master/manifests/server/database_ini.pp

While this is interesting, it implies the CA for postgresql is the same as Puppet. It also doesn't allow for client based certificate authentication. This is because the factory that is used is basic.

What we want to see is the usage of the LibPQ parameters as defined in our documentation, for example see the sample line here: https://docs.puppetlabs.com/puppetdb/2.2/postgres_ssl.html#using-your-own-self-signed-ca

Full documentation for using a new factory is here: http://jdbc.postgresql.org/documentation/93/ssl-factory.html which is very sparse, but the idea would be to use the libpq jdbc factory baked into the JDBC driver now in the later 9.x versions. The options that are available to libpq are as follows:

* sslmode (verify-ca, verify-full)
* sslrootcert (a path to the root CA file)
* sslcert (path to the client cert file)
* sslkey (path to the client key)
* sslpassword (password for the client key)

Our desire would be to have the {{subname}} string be auto-created from these parameters in the module. This could be a top level set of parameters, or perhaps a hash that is passed into a single parameter {{database_ssl_options}}, and broken into arguments? Not sure :-).

Source code is the best authoritative 'documentation' for libpq factory for jdbc today, it can be found here. If you pick through it, you can see the parameters I've provided in the list above: https://github.com/pgjdbc/pgjdbc/blob/master/org/postgresql/ssl/jdbc4/LibPQFactory.java

Combined with this we could also allow proxied configuration via the puppetdb class {{puppetdb::database::postgresql}} for configuration of SSL for the PostgreSQL module: https://github.com/puppetlabs/puppetlabs-puppetdb/blob/master/manifests/database/postgresql.pp. That would allow full end-to-end configuration for SSL potentially, via the {{puppetdb}}
Jira (PDB-1013) Module: postgresql client certificate general libpq ssl communication should be easily done in the module
Kenneth Barber updated an issue
PuppetDB / PDB-1013 Module: postgresql client certificate general libpq ssl communication should be easily done in the module
Change By: Kenneth Barber

Currently the module doesn't support switching on PostgreSQL SSL support using the more configurable libpq factory for users who want it. This ticket tracks the changes required to make that easy for users and so the $subname can be set automatically as a part of this also.

Right now, we have an option for {{database_ssl}} and {{read_database_ssl}} in the {{puppetdb::server::database_ini}} class but these only turn on {{ssl=true}} in the JDBC subname in the database.ini today: https://github.com/puppetlabs/puppetlabs-puppetdb/blob/master/manifests/server/database_ini.pp

While this is interesting, it implies the CA for postgresql is the same as Puppet. It also doesn't allow for client based certificate authentication. This is because the factory that is used is basic.

What we want to see is the usage of the LibPQ parameters as defined in our documentation, for example see the sample line here: https://docs.puppetlabs.com/puppetdb/2.2/postgres_ssl.html#using-your-own-self-signed-ca

Full documentation for using a new factory is here: http://jdbc.postgresql.org/documentation/93/ssl-factory.html which is very sparse, but the idea would be to use the libpq jdbc factory baked into the JDBC driver now in the later 9.x versions. The options that are available to libpq are as follows:

* sslmode (verify-ca, verify-full)
* sslrootcert (a path to the root CA file)
* sslcert (path to the client cert file)
* sslkey (path to the client key)
* sslpassword (password for the client key)

Our desire would be to have the {{subname}} string be auto-created from these parameters in the module, so you ended up with a configuration line like this:

{code}
subname = //HOST:PORT/DATABASE?ssl=true&sslfactory=org.postgresql.ssl.jdbc4.LibPQFactory&sslmode=verify-full&sslrootcert=/etc/puppetdb/ssl/ca.pem
{code}

This could be a top level set of parameters for the class, or perhaps a hash that is passed into a single parameter {{database_ssl_options}}, and broken into arguments? Not sure :-).

Then we would simply proxy these configuration parameters via {{puppetdb::server}} for completeness.
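
The subname construction discussed in the ticket, as an added Ruby example; it is not code from the puppetlabs-puppetdb module or from the ticket's author. The helper name libpq_subname, the hash layout, the verify-full default and the validation rules are assumptions; the parameter names and the factory class are the ones listed in the ticket.

```ruby
# Added illustration, not module code. Parameter names and the factory
# class are the ones given in the ticket; everything else is assumed.
LIBPQ_FACTORY = 'org.postgresql.ssl.jdbc4.LibPQFactory'
SSL_KEYS      = %w[sslmode sslrootcert sslcert sslkey sslpassword].freeze
VERIFY_MODES  = %w[verify-ca verify-full].freeze

# Hypothetical helper: returns the JDBC subname for database.ini.
def libpq_subname(host, port, database, ssl_options = {})
  opts = ssl_options.transform_keys(&:to_s)

  unknown = opts.keys - SSL_KEYS
  raise ArgumentError, "unknown SSL option(s): #{unknown.join(', ')}" unless unknown.empty?

  # Accept only the verifying modes named in the ticket, so a weaker or
  # mistyped mode is rejected rather than passed on to the driver.
  mode = opts.fetch('sslmode', 'verify-full')
  unless VERIFY_MODES.include?(mode)
    raise ArgumentError, "sslmode must be one of: #{VERIFY_MODES.join(', ')}"
  end

  # Client certificate authentication needs both the certificate and its key.
  if opts.key?('sslcert') ^ opts.key?('sslkey')
    raise ArgumentError, 'sslcert and sslkey must be set together'
  end
  if opts.key?('sslpassword') && !opts.key?('sslkey')
    raise ArgumentError, 'sslpassword is only meaningful with sslkey'
  end

  params = [['ssl', 'true'], ['sslfactory', LIBPQ_FACTORY], ['sslmode', mode]]
  (SSL_KEYS - ['sslmode']).each { |k| params << [k, opts[k].to_s] if opts.key?(k) }

  # Values are written literally, as in the ticket's sample line, so refuse
  # characters that would start another parameter or another ini line.
  params.each do |key, value|
    raise ArgumentError, "#{key} contains an unsafe character" if value =~ /[&#%\s]/
  end

  "//#{host}:#{port}/#{database}?" + params.map { |k, v| "#{k}=#{v}" }.join('&')
end
```

Called with HOST, PORT, DATABASE and a hash holding sslmode and sslrootcert, the helper returns the sample subname from the ticket; host, port and database are passed through unchecked here.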