(PDB-4764) Agent SSL certificates are used for communication with the postgresql

Filipovici-Andrei · Filipovici-Andrei · commit cb44ace16fe1 · 2021-03-04T18:06:14.000+02:00
diff --git a/lib/puppet/type/puppetdb_conn_validator.rb b/lib/puppet/type/puppetdb_conn_validator.rb
@@ -23,7 +23,7 @@
   end
 
   newparam(:use_ssl) do
-    desc 'Whether the connection will be attemped using https'
+    desc 'Whether the connection will be attempted using https'
     defaultto true
   end
 
diff --git a/manifests/database/postgresql.pp b/manifests/database/postgresql.pp
@@ -10,6 +10,7 @@
   $manage_server        = $puppetdb::params::manage_dbserver,
   $manage_package_repo  = $puppetdb::params::manage_pg_repo,
   $postgres_version     = $puppetdb::params::postgres_version,
+  $postgresql_ssl_on    = $puppetdb::params::postgresql_ssl_on
 ) inherits puppetdb::params {
 
   if $manage_server {
@@ -24,6 +25,30 @@
       port                    => scanf($database_port, '%i')[0],
     }
 
+    # configure PostgreSQL communication with Puppet Agent SSL certificates if
+    # postgresql_ssl_on is set to true
+    if $postgresql_ssl_on {
+      postgresql::server::config_entry {'ssl':
+        ensure  => present,
+        value   => 'on',
+      }
+
+      postgresql::server::config_entry {'ssl_key_file':
+        ensure  => present,
+        value   => $postgresql_ssl_key_path,
+      }
+
+      postgresql::server::config_entry {'ssl_cert_file':
+        ensure  => present,
+        value   => $postgresql_ssl_cert_path,
+      }
+
+      postgresql::server::config_entry {'ssl_ca_file':
+        ensure  => present,
+        value   => $postgresql_ssl_ca_cert_path,
+      }
+    }
+
     # Only install pg_trgm extension, if database it is actually managed by the module
     if $manage_database {
 
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -19,6 +19,11 @@
   $ssl_cert                                = $puppetdb::params::ssl_cert,
   $ssl_ca_cert                             = $puppetdb::params::ssl_ca_cert,
   $ssl_protocols                           = $puppetdb::params::ssl_protocols,
+  $postgresql_ssl_on                       = $puppetdb::params::postgresql_ssl_on,
+  $postgresql_ssl_folder                   = $puppetdb::params::postgresql_ssl_folder,
+  $postgresql_ssl_cert_path                = $puppetdb::params::postgresql_ssl_cert_path,
+  $postgresql_ssl_key_path                 = $puppetdb::params::postgresql_ssl_key_path,
+  $postgresql_ssl_ca_cert_path             = $puppetdb::params::postgresql_ssl_ca_cert_path,
   $cipher_suites                           = $puppetdb::params::cipher_suites,
   $migrate                                 = $puppetdb::params::migrate,
   $manage_dbserver                         = $puppetdb::params::manage_dbserver,
diff --git a/manifests/params.pp b/manifests/params.pp
@@ -180,6 +180,14 @@
   $cleanup_timer_interval   = "*-*-* ${fqdn_rand(24)}:${fqdn_rand(60)}:00"
   $dlo_max_age              = 90
 
+  # certificats used for PostgreSQL SSL configuration. Puppet certificates are used
+  $postgresql_ssl_on            = true
+  $postgresql_ssl_folder        = "${puppet_confdir}/ssl"
+  $postgresql_ssl_cert_path     = "${postgresql_ssl_folder}/certs/${trusted['certname']}.pem"
+  $postgresql_ssl_key_path      = "${postgresql_ssl_folder}/private_keys/${trusted['certname']}.pem"
+  $postgresql_ssl_ca_cert_path  = "${postgresql_ssl_folder}/certs/ca.pem"
+
+  # certificats used for Jetty configuration
   $ssl_set_cert_paths       = false
   $ssl_cert_path            = "${ssl_dir}/public.pem"
   $ssl_key_path             = "${ssl_dir}/private.pem"
diff --git a/manifests/server/database.pp b/manifests/server/database.pp
@@ -25,6 +25,7 @@
   $puppetdb_group         = $puppetdb::params::puppetdb_group,
   $database_max_pool_size = $puppetdb::params::database_max_pool_size,
   $migrate                = $puppetdb::params::migrate,
+  $postgresql_ssl_on      = $puppetdb::params::postgresql_ssl_on
 ) inherits puppetdb::params {
 
   if str2bool($database_validate) {
@@ -87,6 +88,14 @@
 
     $subname = "//${database_host}:${database_port}/${database_name}${database_suffix}"
 
+    if $postgresql_ssl_on {
+      $subname += @("EOT")
+      ?ssl=true&sslfactory=org.postgresql.ssl.LibPQFactory&
+      sslmode=verify-full&sslrootcert=${ssl_ca_cert_path}&
+      sslkey=${ssl_key_path}&sslcert=${ssl_cert_path}
+      |-EOT
+    }
+
     ##Only setup for postgres
     ini_setting {'puppetdb_psdatabase_username':
       setting => 'username',
diff --git a/manifests/server/read_database.pp b/manifests/server/read_database.pp
@@ -17,6 +17,7 @@
   $puppetdb_user          = $puppetdb::params::puppetdb_user,
   $puppetdb_group         = $puppetdb::params::puppetdb_group,
   $database_max_pool_size = $puppetdb::params::read_database_max_pool_size,
+  $postgresql_ssl_on    = $puppetdb::params::postgresql_ssl_on
 ) inherits puppetdb::params {
 
   # Only add the read database configuration if database host is defined.
@@ -75,6 +76,14 @@
 
       $subname = "//${database_host}:${database_port}/${database_name}${database_suffix}"
 
+      if $postgresql_ssl_on {
+        $subname += @("EOT")
+      ?ssl=true&sslfactory=org.postgresql.ssl.LibPQFactory&
+      sslmode=verify-full&sslrootcert=${ssl_ca_cert_path}&
+      sslkey=${ssl_key_path}&sslcert=${ssl_cert_path}
+      |-EOT
+      }
+
       ini_setting { 'puppetdb_read_database_username':
         setting => 'username',
         value   => $database_username,
