Skip to content

Commit 90ec746

Browse files
Filipovici-AndreiFilipovici-Andrei
committed
(PDB-4764) Agent SSL certificates are used for communication with the postgresql
1 parent 11dc0df commit 90ec746

7 files changed

Lines changed: 172 additions & 12 deletions

File tree

lib/puppet/type/puppetdb_conn_validator.rb

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -23,7 +23,7 @@
2323
end
2424

2525
newparam(:use_ssl) do
26-
desc 'Whether the connection will be attemped using https'
26+
desc 'Whether the connection will be attempted using https'
2727
defaultto true
2828
end
2929

manifests/database/postgresql.pp

Lines changed: 89 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -1,15 +1,19 @@
11
# Class for creating the PuppetDB postgresql database. See README.md for more
22
# information.
33
class puppetdb::database::postgresql(
4-
$listen_addresses = $puppetdb::params::database_host,
5-
$database_name = $puppetdb::params::database_name,
6-
$database_username = $puppetdb::params::database_username,
7-
$database_password = $puppetdb::params::database_password,
8-
$database_port = $puppetdb::params::database_port,
9-
$manage_database = $puppetdb::params::manage_database,
10-
$manage_server = $puppetdb::params::manage_dbserver,
11-
$manage_package_repo = $puppetdb::params::manage_pg_repo,
12-
$postgres_version = $puppetdb::params::postgres_version,
4+
$listen_addresses = $puppetdb::params::database_host,
5+
$database_name = $puppetdb::params::database_name,
6+
$database_username = $puppetdb::params::database_username,
7+
$database_password = $puppetdb::params::database_password,
8+
$database_port = $puppetdb::params::database_port,
9+
$manage_database = $puppetdb::params::manage_database,
10+
$manage_server = $puppetdb::params::manage_dbserver,
11+
$manage_package_repo = $puppetdb::params::manage_pg_repo,
12+
$postgres_version = $puppetdb::params::postgres_version,
13+
$postgresql_ssl_on = $puppetdb::params::postgresql_ssl_on,
14+
$postgresql_ssl_key_path = $puppetdb::params::postgresql_ssl_key_path,
15+
$postgresql_ssl_cert_path = $puppetdb::params::postgresql_ssl_cert_path,
16+
$postgresql_ssl_ca_cert_path = $puppetdb::params::postgresql_ssl_ca_cert_path
1317
) inherits puppetdb::params {
1418

1519
if $manage_server {
@@ -24,6 +28,82 @@
2428
port => scanf($database_port, '%i')[0],
2529
}
2630

31+
# configure PostgreSQL communication with Puppet Agent SSL certificates if
32+
# postgresql_ssl_on is set to true
33+
if $postgresql_ssl_on {
34+
file {'postgres private key':
35+
ensure => present,
36+
path => "${postgresql::params::datadir}/server.key",
37+
source => $postgresql_ssl_key_path,
38+
owner => 'postgres',
39+
mode => '0600',
40+
require => Package['postgresql-server'],
41+
}
42+
43+
file {'postgres public key':
44+
ensure => present,
45+
path => "${postgresql::params::datadir}/server.crt",
46+
source => $postgresql_ssl_cert_path,
47+
owner => 'postgres',
48+
mode => '0600',
49+
require => Package['postgresql-server'],
50+
}
51+
52+
postgresql::server::config_entry {'ssl':
53+
ensure => present,
54+
value => 'on',
55+
require => [File['postgres private key'], File['postgres public key']]
56+
}
57+
58+
postgresql::server::config_entry {'ssl_cert_file':
59+
ensure => present,
60+
value => "${postgresql::params::datadir}/server.crt",
61+
require => [File['postgres private key'], File['postgres public key']]
62+
}
63+
64+
postgresql::server::config_entry {'ssl_key_file':
65+
ensure => present,
66+
value => "${postgresql::params::datadir}/server.key",
67+
require => [File['postgres private key'], File['postgres public key']]
68+
}
69+
70+
postgresql::server::config_entry {'ssl_ca_file':
71+
ensure => present,
72+
value => $postgresql_ssl_ca_cert_path,
73+
require => [File['postgres private key'], File['postgres public key']]
74+
}
75+
76+
$identity_map_key = "${database_name}-${database_username}-map"
77+
78+
postgresql::server::pg_hba_rule { "Allow certificate mapped connections to ${database_name} as \
79+
${database_username} (ipv4)":
80+
type => 'hostssl',
81+
database => $database_name,
82+
user => $database_username,
83+
address => '0.0.0.0/0',
84+
auth_method => 'cert',
85+
order => 0,
86+
auth_option => "map=${identity_map_key} clientcert=1"
87+
}
88+
89+
postgresql::server::pg_hba_rule { "Allow certificate mapped connections to ${database_name} as \
90+
${database_username} (ipv6)":
91+
type => 'hostssl',
92+
database => $database_name,
93+
user => $database_username,
94+
address => '::0/0',
95+
auth_method => 'cert',
96+
order => 0,
97+
auth_option => "map=${identity_map_key} clientcert=1"
98+
}
99+
100+
postgresql::server::pg_ident_rule {"Map the SSL certificate of the server as a ${database_username} user":
101+
map_name => "${identity_map_key}",
102+
system_username => $fqdn,
103+
database_username => $database_username,
104+
}
105+
}
106+
27107
# Only install pg_trgm extension, if database it is actually managed by the module
28108
if $manage_database {
29109

manifests/init.pp

Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -13,12 +13,18 @@
1313
$ssl_set_cert_paths = $puppetdb::params::ssl_set_cert_paths,
1414
$ssl_cert_path = $puppetdb::params::ssl_cert_path,
1515
$ssl_key_path = $puppetdb::params::ssl_key_path,
16+
$ssl_key_pk8_path = $puppetdb::params::ssl_key_pk8_path,
1617
$ssl_ca_cert_path = $puppetdb::params::ssl_ca_cert_path,
1718
$ssl_deploy_certs = $puppetdb::params::ssl_deploy_certs,
1819
$ssl_key = $puppetdb::params::ssl_key,
1920
$ssl_cert = $puppetdb::params::ssl_cert,
2021
$ssl_ca_cert = $puppetdb::params::ssl_ca_cert,
2122
$ssl_protocols = $puppetdb::params::ssl_protocols,
23+
$postgresql_ssl_on = $puppetdb::params::postgresql_ssl_on,
24+
$postgresql_ssl_folder = $puppetdb::params::postgresql_ssl_folder,
25+
$postgresql_ssl_cert_path = $puppetdb::params::postgresql_ssl_cert_path,
26+
$postgresql_ssl_key_path = $puppetdb::params::postgresql_ssl_key_path,
27+
$postgresql_ssl_ca_cert_path = $puppetdb::params::postgresql_ssl_ca_cert_path,
2228
$cipher_suites = $puppetdb::params::cipher_suites,
2329
$migrate = $puppetdb::params::migrate,
2430
$manage_dbserver = $puppetdb::params::manage_dbserver,
@@ -98,12 +104,14 @@
98104
ssl_set_cert_paths => $ssl_set_cert_paths,
99105
ssl_cert_path => $ssl_cert_path,
100106
ssl_key_path => $ssl_key_path,
107+
ssl_key_pk8_path => $ssl_key_pk8_path,
101108
ssl_ca_cert_path => $ssl_ca_cert_path,
102109
ssl_deploy_certs => $ssl_deploy_certs,
103110
ssl_key => $ssl_key,
104111
ssl_cert => $ssl_cert,
105112
ssl_ca_cert => $ssl_ca_cert,
106113
ssl_protocols => $ssl_protocols,
114+
postgresql_ssl_on => $postgresql_ssl_on,
107115
cipher_suites => $cipher_suites,
108116
migrate => $migrate,
109117
database => $database,
@@ -183,6 +191,7 @@
183191
manage_database => $manage_database,
184192
manage_package_repo => $manage_package_repo,
185193
postgres_version => $postgres_version,
194+
postgresql_ssl_on => $postgresql_ssl_on,
186195
before => $database_before
187196
}
188197
}

manifests/params.pp

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -180,6 +180,14 @@
180180
$cleanup_timer_interval = "*-*-* ${fqdn_rand(24)}:${fqdn_rand(60)}:00"
181181
$dlo_max_age = 90
182182

183+
# certificats used for PostgreSQL SSL configuration. Puppet certificates are used
184+
$postgresql_ssl_on = false
185+
$postgresql_ssl_folder = "${puppet_confdir}/ssl"
186+
$postgresql_ssl_cert_path = "${postgresql_ssl_folder}/certs/${trusted['certname']}.pem"
187+
$postgresql_ssl_key_path = "${postgresql_ssl_folder}/private_keys/${trusted['certname']}.pem"
188+
$postgresql_ssl_ca_cert_path = "${postgresql_ssl_folder}/certs/ca.pem"
189+
190+
# certificats used for Jetty configuration
183191
$ssl_set_cert_paths = false
184192
$ssl_cert_path = "${ssl_dir}/public.pem"
185193
$ssl_key_path = "${ssl_dir}/private.pem"
@@ -189,6 +197,9 @@
189197
$ssl_cert = undef
190198
$ssl_ca_cert = undef
191199

200+
# certificate used by PuppetDB SSL Configuration
201+
$ssl_key_pk8_path = regsubst($ssl_key_path, '.pem', '.pk8')
202+
192203
$certificate_whitelist_file = "${etcdir}/certificate-whitelist"
193204
# the default is free access for now
194205
$certificate_whitelist = [ ]

manifests/server.pp

Lines changed: 30 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -12,12 +12,14 @@
1212
Boolean $ssl_set_cert_paths = $puppetdb::params::ssl_set_cert_paths,
1313
Stdlib::Absolutepath $ssl_cert_path = $puppetdb::params::ssl_cert_path,
1414
Stdlib::Absolutepath $ssl_key_path = $puppetdb::params::ssl_key_path,
15+
Stdlib::Absolutepath $ssl_key_pk8_path = $puppetdb::params::ssl_key_pk8_path,
1516
Stdlib::Absolutepath $ssl_ca_cert_path = $puppetdb::params::ssl_ca_cert_path,
1617
Boolean $ssl_deploy_certs = $puppetdb::params::ssl_deploy_certs,
1718
$ssl_key = $puppetdb::params::ssl_key,
1819
$ssl_cert = $puppetdb::params::ssl_cert,
1920
$ssl_ca_cert = $puppetdb::params::ssl_ca_cert,
2021
$ssl_protocols = $puppetdb::params::ssl_protocols,
22+
$postgresql_ssl_on = $puppetdb::params::postgresql_ssl_on,
2123
$cipher_suites = $puppetdb::params::cipher_suites,
2224
$migrate = $puppetdb::params::migrate,
2325
$database = $puppetdb::params::database,
@@ -168,6 +170,10 @@
168170
database_password => $database_password,
169171
database_name => $database_name,
170172
manage_db_password => $manage_db_password,
173+
postgresql_ssl_on => $postgresql_ssl_on,
174+
ssl_key_pk8_path => $ssl_key_pk8_path,
175+
ssl_cert_path => $ssl_cert_path,
176+
ssl_ca_cert_path => $ssl_ca_cert_path,
171177
database_max_pool_size => $database_max_pool_size,
172178
jdbc_ssl_properties => $jdbc_ssl_properties,
173179
database_validate => $database_validate,
@@ -197,6 +203,10 @@
197203
database_password => $read_database_password,
198204
database_name => $read_database_name,
199205
manage_db_password => $manage_read_db_password,
206+
postgresql_ssl_on => $postgresql_ssl_on,
207+
ssl_key_pk8_path => $ssl_key_pk8_path,
208+
ssl_cert_path => $ssl_cert_path,
209+
ssl_ca_cert_path => $ssl_ca_cert_path,
200210
jdbc_ssl_properties => $read_database_jdbc_ssl_properties,
201211
database_validate => $read_database_validate,
202212
log_slow_statements => $read_log_slow_statements,
@@ -241,6 +251,26 @@
241251
}
242252
}
243253

254+
if $postgresql_ssl_on {
255+
exec { $ssl_key_pk8_path:
256+
path => [ '/opt/puppetlabs/puppet/bin', $facts['path'] ],
257+
command => "openssl pkcs8 -topk8 -inform PEM -outform DER -in ${ssl_key_path} -out ${ssl_key_pk8_path} -nocrypt",
258+
# Generate a .pk8 key if one doesn't exist or is older than the .pem input.
259+
# NOTE: bash file time checks, like -ot, can't always discern sub-second
260+
# differences.
261+
onlyif => "test ! -e '${ssl_key_pk8_path}' -o '${ssl_key_pk8_path}' -ot '${ssl_key_path}'",
262+
before => File[$ssl_key_pk8_path]
263+
}
264+
265+
file { $ssl_key_pk8_path:
266+
ensure => present,
267+
owner => $puppetdb_user,
268+
group => $puppetdb_group,
269+
mode => '0600',
270+
notify => Service[$puppetdb_service]
271+
}
272+
}
273+
244274
class { 'puppetdb::server::jetty':
245275
listen_address => $listen_address,
246276
listen_port => $listen_port,

manifests/server/database.pp

Lines changed: 16 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -25,6 +25,10 @@
2525
$puppetdb_group = $puppetdb::params::puppetdb_group,
2626
$database_max_pool_size = $puppetdb::params::database_max_pool_size,
2727
$migrate = $puppetdb::params::migrate,
28+
$postgresql_ssl_on = $puppetdb::params::postgresql_ssl_on,
29+
$ssl_cert_path = $puppetdb::params::ssl_cert_path,
30+
$ssl_key_pk8_path = $puppetdb::params::ssl_key_pk8_path,
31+
$ssl_ca_cert_path = $puppetdb::params::ssl_ca_cert_path
2832
) inherits puppetdb::params {
2933

3034
if str2bool($database_validate) {
@@ -85,7 +89,18 @@
8589
$database_suffix = ''
8690
}
8791

88-
$subname = "//${database_host}:${database_port}/${database_name}${database_suffix}"
92+
$subname_default = "//${database_host}:${database_port}/${database_name}${database_suffix}"
93+
94+
if $postgresql_ssl_on {
95+
$subname = @("EOT"/L)
96+
${subname_default}?\
97+
ssl=true&sslfactory=org.postgresql.ssl.LibPQFactory&\
98+
sslmode=verify-full&sslrootcert=${ssl_ca_cert_path}&\
99+
sslkey=${ssl_key_pk8_path}&sslcert=${ssl_cert_path}\
100+
| EOT
101+
} else {
102+
$subname = $subname_default
103+
}
89104

90105
##Only setup for postgres
91106
ini_setting {'puppetdb_psdatabase_username':

manifests/server/read_database.pp

Lines changed: 16 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -17,6 +17,10 @@
1717
$puppetdb_user = $puppetdb::params::puppetdb_user,
1818
$puppetdb_group = $puppetdb::params::puppetdb_group,
1919
$database_max_pool_size = $puppetdb::params::read_database_max_pool_size,
20+
$postgresql_ssl_on = $puppetdb::params::postgresql_ssl_on,
21+
$ssl_cert_path = $puppetdb::params::ssl_cert_path,
22+
$ssl_key_pk8_path = $puppetdb::params::ssl_key_pk8_path,
23+
$ssl_ca_cert_path = $puppetdb::params::ssl_ca_cert_path
2024
) inherits puppetdb::params {
2125

2226
# Only add the read database configuration if database host is defined.
@@ -73,7 +77,18 @@
7377
$database_suffix = ''
7478
}
7579

76-
$subname = "//${database_host}:${database_port}/${database_name}${database_suffix}"
80+
$subname_default = "//${database_host}:${database_port}/${database_name}${database_suffix}"
81+
82+
if $postgresql_ssl_on {
83+
$subname = @("EOT"/L)
84+
${subname_default}?\
85+
ssl=true&sslfactory=org.postgresql.ssl.LibPQFactory&\
86+
sslmode=verify-full&sslrootcert=${ssl_ca_cert_path}&\
87+
sslkey=${ssl_key_pk8_path}&sslcert=${ssl_cert_path}\
88+
| EOT
89+
} else {
90+
$subname = $subname_default
91+
}
7792

7893
ini_setting { 'puppetdb_read_database_username':
7994
setting => 'username',

0 commit comments

Comments
 (0)