(PDB-4764) Agent SSL certificates are used for communication with the postgresql

Author: Filipovici-Andrei

lib/puppet/type/puppetdb_conn_validator.rb

@@ -23,7 +23,7 @@
   end
 
   newparam(:use_ssl) do
-    desc 'Whether the connection will be attemped using https'
+    desc 'Whether the connection will be attempted using https'
     defaultto true
   end
 

manifests/database/postgresql.pp

@@ -1,15 +1,19 @@
 # Class for creating the PuppetDB postgresql database. See README.md for more
 # information.
 class puppetdb::database::postgresql(
-  $listen_addresses     = $puppetdb::params::database_host,
-  $database_name        = $puppetdb::params::database_name,
-  $database_username    = $puppetdb::params::database_username,
-  $database_password    = $puppetdb::params::database_password,
-  $database_port        = $puppetdb::params::database_port,
-  $manage_database      = $puppetdb::params::manage_database,
-  $manage_server        = $puppetdb::params::manage_dbserver,
-  $manage_package_repo  = $puppetdb::params::manage_pg_repo,
-  $postgres_version     = $puppetdb::params::postgres_version,
+  $listen_addresses            = $puppetdb::params::database_host,
+  $database_name               = $puppetdb::params::database_name,
+  $database_username           = $puppetdb::params::database_username,
+  $database_password           = $puppetdb::params::database_password,
+  $database_port               = $puppetdb::params::database_port,
+  $manage_database             = $puppetdb::params::manage_database,
+  $manage_server               = $puppetdb::params::manage_dbserver,
+  $manage_package_repo         = $puppetdb::params::manage_pg_repo,
+  $postgres_version            = $puppetdb::params::postgres_version,
+  $postgresql_ssl_on           = $puppetdb::params::postgresql_ssl_on,
+  $postgresql_ssl_key_path     = $puppetdb::params::postgresql_ssl_key_path,
+  $postgresql_ssl_cert_path    = $puppetdb::params::postgresql_ssl_cert_path,
+  $postgresql_ssl_ca_cert_path = $puppetdb::params::postgresql_ssl_ca_cert_path
 ) inherits puppetdb::params {
 
   if $manage_server {
@@ -24,6 +28,62 @@
       port                    => scanf($database_port, '%i')[0],
     }
 
+    # configure PostgreSQL communication with Puppet Agent SSL certificates if
+    # postgresql_ssl_on is set to true
+    if $postgresql_ssl_on {
+      file {'postgres private key':
+        ensure  => present,
+        path    => "${postgresql::params::datadir}/server.key",
+        source  => $postgresql_ssl_key_path,
+        owner   => 'postgres',
+        mode    => '0600',
+        require => Package['postgresql-server'],
+      }
+
+      concat {'postgres cert bundle':
+        ensure  => present,
+        path    => "${postgresql::params::datadir}/server.crt",
+        owner   => 'postgres',
+        require => Package['postgresql-server'],
+      }
+
+      concat::fragment {'agent cert':
+        target => 'postgres cert bundle',
+        source => $postgresql_ssl_cert_path,
+        order  => '1',
+      }
+
+      concat::fragment {'CA bundle':
+        target => 'postgres cert bundle',
+        source => $postgresql_ssl_ca_cert_path,
+        order  => '2',
+      }
+
+      postgresql::server::config_entry {'ssl':
+        ensure  => present,
+        value   => 'on',
+        require => [File['postgres private key'], Concat['postgres cert bundle']]
+      }
+
+      postgresql::server::config_entry {'ssl_key_file':
+        ensure  => present,
+        value   => "${postgresql::params::datadir}/server.key",
+        require => [File['postgres private key'], Concat['postgres cert bundle']]
+      }
+
+      postgresql::server::config_entry {'ssl_cert_file':
+        ensure  => present,
+        value   => "${postgresql::params::datadir}/server.crt",
+        require => [File['postgres private key'], Concat['postgres cert bundle']]
+      }
+
+      # postgresql::server::config_entry {'ssl_ca_file':
+      #   ensure  => present,
+      #   value   => $postgresql_ssl_ca_cert_path,
+      #   require => [File['postgres private key'], Concat['postgres cert bundle']]
+      # }
+    }
+
     # Only install pg_trgm extension, if database it is actually managed by the module
     if $manage_database {
 

manifests/init.pp

@@ -19,6 +19,11 @@
   $ssl_cert                                = $puppetdb::params::ssl_cert,
   $ssl_ca_cert                             = $puppetdb::params::ssl_ca_cert,
   $ssl_protocols                           = $puppetdb::params::ssl_protocols,
+  $postgresql_ssl_on                       = $puppetdb::params::postgresql_ssl_on,
+  $postgresql_ssl_folder                   = $puppetdb::params::postgresql_ssl_folder,
+  $postgresql_ssl_cert_path                = $puppetdb::params::postgresql_ssl_cert_path,
+  $postgresql_ssl_key_path                 = $puppetdb::params::postgresql_ssl_key_path,
+  $postgresql_ssl_ca_cert_path             = $puppetdb::params::postgresql_ssl_ca_cert_path,
   $cipher_suites                           = $puppetdb::params::cipher_suites,
   $migrate                                 = $puppetdb::params::migrate,
   $manage_dbserver                         = $puppetdb::params::manage_dbserver,

manifests/params.pp

@@ -180,6 +180,14 @@
   $cleanup_timer_interval   = "*-*-* ${fqdn_rand(24)}:${fqdn_rand(60)}:00"
   $dlo_max_age              = 90
 
+  # certificats used for PostgreSQL SSL configuration. Puppet certificates are used
+  $postgresql_ssl_on            = true
+  $postgresql_ssl_folder        = "${puppet_confdir}/ssl"
+  $postgresql_ssl_cert_path     = "${postgresql_ssl_folder}/certs/${trusted['certname']}.pem"
+  $postgresql_ssl_key_path      = "${postgresql_ssl_folder}/private_keys/${trusted['certname']}.pem"
+  $postgresql_ssl_ca_cert_path  = "${postgresql_ssl_folder}/certs/ca.pem"
+
+  # certificats used for Jetty configuration
   $ssl_set_cert_paths       = false
   $ssl_cert_path            = "${ssl_dir}/public.pem"
   $ssl_key_path             = "${ssl_dir}/private.pem"

manifests/server/database.pp

@@ -25,6 +25,10 @@
   $puppetdb_group         = $puppetdb::params::puppetdb_group,
   $database_max_pool_size = $puppetdb::params::database_max_pool_size,
   $migrate                = $puppetdb::params::migrate,
+  $postgresql_ssl_on      = $puppetdb::params::postgresql_ssl_on,
+  $ssl_cert_path          = $puppetdb::params::ssl_cert_path,
+  $ssl_key_path           = $puppetdb::params::ssl_key_path,
+  $ssl_ca_cert_path       = $puppetdb::params::ssl_ca_cert_path
 ) inherits puppetdb::params {
 
   if str2bool($database_validate) {
@@ -85,7 +89,16 @@
       $database_suffix = ''
     }
 
-    $subname = "//${database_host}:${database_port}/${database_name}${database_suffix}"
+    $subname_default = "//${database_host}:${database_port}/${database_name}${database_suffix}"
+
+    if $postgresql_ssl_on {
+      $subname = "${subname_default}?\
+          ssl=true&sslfactory=org.postgresql.ssl.LibPQFactory&\
+          sslmode=verify-full&sslrootcert=${ssl_ca_cert_path}&\
+          sslkey=${ssl_key_path}&sslcert=${ssl_cert_path}"
+    } else {
+      $subname = $subname_default
+    }
 
     ##Only setup for postgres
     ini_setting {'puppetdb_psdatabase_username':

manifests/server/read_database.pp

@@ -17,6 +17,10 @@
   $puppetdb_user          = $puppetdb::params::puppetdb_user,
   $puppetdb_group         = $puppetdb::params::puppetdb_group,
   $database_max_pool_size = $puppetdb::params::read_database_max_pool_size,
+  $postgresql_ssl_on    = $puppetdb::params::postgresql_ssl_on,
+  $ssl_cert_path          = $puppetdb::params::ssl_cert_path,
+  $ssl_key_path           = $puppetdb::params::ssl_key_path,
+  $ssl_ca_cert_path       = $puppetdb::params::ssl_ca_cert_path
 ) inherits puppetdb::params {
 
   # Only add the read database configuration if database host is defined.
@@ -73,7 +77,17 @@
         $database_suffix = ''
       }
 
-      $subname = "//${database_host}:${database_port}/${database_name}${database_suffix}"
+      $subname_default = "//${database_host}:${database_port}/${database_name}${database_suffix}"
+
+      notify { "ssl_on ${postgresql_ssl_on}": }
+      if $postgresql_ssl_on {
+        $subname = "${subname_default}?\
+          ssl=true&sslfactory=org.postgresql.ssl.LibPQFactory&\
+          sslmode=verify-full&sslrootcert=${ssl_ca_cert_path}&\
+          sslkey=${ssl_key_path}&sslcert=${ssl_cert_path}"
+      } else {
+        $subname = $subname_default
+      }
 
       ini_setting { 'puppetdb_read_database_username':
         setting => 'username',

manifests/server/validate_db.pp

@@ -7,6 +7,7 @@
   $database_password   = $puppetdb::params::database_password,
   $database_name       = $puppetdb::params::database_name,
   $jdbc_ssl_properties = $puppetdb::params::jdbc_ssl_properties,
+
 ) inherits puppetdb::params {
 
   # We don't need any validation for the embedded database, presumably.
@@ -17,8 +18,11 @@
     postgresql::validate_db_connection { 'validate puppetdb postgres connection':
       database_host     => $database_host,
       database_port     => $database_port,
-      database_username => $database_username,
-      database_password => $database_password,
+      # database_username => $database_username,
+      # database_password => $database_password,
+      connect_settings => { 'PGSSLCERT' => '/var/lib/postgresql/9.6/main/server.crt',
+      'PGSSLKEY' => '/var/lib/postgresql/9.6/main/server.key',
+      'PGSSLMODE' => 'verify-full'},
       database_name     => $database_name,
     }
   }

manifests/server/validate_read_db.pp

@@ -17,8 +17,11 @@
     postgresql::validate_db_connection { 'validate puppetdb postgres (read) connection':
       database_host     => $database_host,
       database_port     => $database_port,
-      database_username => $database_username,
-      database_password => $database_password,
+      # database_username => $database_username,
+      # database_password => $database_password,
+      connect_settings => { 'PGSSLCERT' => '/var/lib/postgresql/9.6/main/server.crt',
+        'PGSSLKEY' => '/var/lib/postgresql/9.6/main/server.key',
+        'PGSSLMODE' => 'verify-full'},
       database_name     => $database_name,
     }
   }