diff --git a/README.md b/README.md
index 8db27c7..9e0e706 100644
--- a/README.md
+++ b/README.md
@@ -210,6 +210,11 @@ The password for the database user (defaults to `puppetdb`; ignored for `embedde
 The name of the database instance to connect to (defaults to `puppetdb`; ignored for `embedded` db).
+####`database_ssl`
+
+If true, puppetdb will use SSL to connect to the postgres database (defaults to false; ignored for `embedded` db).
+Setting up proper trust- and keystores has to be managed outside of the puppetdb module.
+
 ####`node_ttl`
 The length of time a node can go without receiving any new data before it's automatically deactivated. (defaults to '0', which disables auto-deactivation). This option is supported in PuppetDB >= 1.1.0.
diff --git a/manifests/init.pp b/manifests/init.pp
index 54c4fdd..1aee9b3 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -24,6 +24,7 @@ class puppetdb(
 $database_username = $puppetdb::params::database_username,
 $database_password = $puppetdb::params::database_password,
 $database_name = $puppetdb::params::database_name,
+ $database_ssl = $puppetdb::params::database_ssl,
 $node_ttl = $puppetdb::params::node_ttl,
 $node_purge_ttl = $puppetdb::params::node_purge_ttl,
 $report_ttl = $puppetdb::params::report_ttl,
@@ -94,6 +95,7 @@ class puppetdb(
 database_username => $database_username,
 database_password => $database_password,
 database_name => $database_name,
+ database_ssl => $database_ssl,
 node_ttl => $node_ttl,
 node_purge_ttl => $node_purge_ttl,
 report_ttl => $report_ttl,
diff --git a/manifests/params.pp b/manifests/params.pp
index 3fc8633..76b6692 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -30,6 +30,7 @@ class puppetdb::params {
 $database_name = 'puppetdb'
 $database_username = 'puppetdb'
 $database_password = 'puppetdb'
+ $database_ssl = false
 # These settings manage the various auto-deactivation and auto-purge settings
 $node_ttl = '0s'
diff --git a/manifests/server.pp b/manifests/server.pp
index a9a0932..2e456f7 100644
--- a/manifests/server.pp
+++ b/manifests/server.pp
@@ -32,6 +32,7 @@ class puppetdb::server(
 $database_username = $puppetdb::params::database_username,
 $database_password = $puppetdb::params::database_password,
 $database_name = $puppetdb::params::database_name,
+ $database_ssl = $puppetdb::params::database_ssl,
 $node_ttl = $puppetdb::params::node_ttl,
 $node_purge_ttl = $puppetdb::params::node_purge_ttl,
 $report_ttl = $puppetdb::params::report_ttl,
@@ -99,22 +100,23 @@ class puppetdb::server(
 }
 class { 'puppetdb::server::database_ini':
- database => $database,
- database_host => $database_host,
- database_port => $database_port,
- database_username => $database_username,
- database_password => $database_password,
- database_name => $database_name,
- node_ttl => $node_ttl,
- node_purge_ttl => $node_purge_ttl,
- report_ttl => $report_ttl,
- gc_interval => $gc_interval,
+ database => $database,
+ database_host => $database_host,
+ database_port => $database_port,
+ database_username => $database_username,
+ database_password => $database_password,
+ database_name => $database_name,
+ database_ssl => $database_ssl,
+ node_ttl => $node_ttl,
+ node_purge_ttl => $node_purge_ttl,
+ report_ttl => $report_ttl,
+ gc_interval => $gc_interval,
 log_slow_statements => $log_slow_statements,
- conn_max_age => $conn_max_age,
- conn_keep_alive => $conn_keep_alive,
- conn_lifetime => $conn_lifetime,
- confdir => $confdir,
- notify => Service[$puppetdb_service],
+ conn_max_age => $conn_max_age,
+ conn_keep_alive => $conn_keep_alive,
+ conn_lifetime => $conn_lifetime,
+ confdir => $confdir,
+ notify => Service[$puppetdb_service],
 }
 class { 'puppetdb::server::jetty_ini':
diff --git a/manifests/server/database_ini.pp b/manifests/server/database_ini.pp
index cf2d501..fab7996 100644
--- a/manifests/server/database_ini.pp
+++ b/manifests/server/database_ini.pp
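Review bot: Only one line of the `puppetdb::server::database_ini` hunk is a functional change, `database_ssl => $database_ssl,`; the other removed/added pairs appear to be whitespace-only re-alignment of the `=>` column (the collapsed layout hides the exact columns), which buries the real change in some thirty lines of churn. Keeping the re-alignment in its own commit, or at least mentioning it in the commit message, would make the SSL addition reviewable at a glance. The class body continues outside the hunk.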
@@ -6,6 +6,7 @@ class puppetdb::server::database_ini(
 $database_username = $puppetdb::params::database_username,
 $database_password = $puppetdb::params::database_password,
 $database_name = $puppetdb::params::database_name,
+ $database_ssl = $puppetdb::params::database_ssl,
 $node_ttl = $puppetdb::params::node_ttl,
 $node_purge_ttl = $puppetdb::params::node_purge_ttl,
 $report_ttl = $puppetdb::params::report_ttl,
@@ -46,7 +47,11 @@ class puppetdb::server::database_ini(
 } elsif $database == 'postgres' {
 $classname = 'org.postgresql.Driver'
 $subprotocol = 'postgresql'
- $subname = "//${database_host}:${database_port}/${database_name}"
+
+ $subname = $database_ssl ? {
+ true => "//${database_host}:${database_port}/${database_name}?ssl=true",
+ default => "//${database_host}:${database_port}/${database_name}",
+ }
 ##Only setup for postgres
 ini_setting {'puppetdb_psdatabase_username':
diff --git a/manifests/server/validate_db.pp b/manifests/server/validate_db.pp
index 5f693ed..ceeff52 100644
--- a/manifests/server/validate_db.pp
+++ b/manifests/server/validate_db.pp
@@ -48,11 +48,14 @@ class puppetdb::server::validate_db(
 $database_port = $puppetdb::params::database_port,
 $database_username = $puppetdb::params::database_username,
 $database_password = $puppetdb::params::database_password,
- $database_name = $puppetdb::params::database_name
+ $database_name = $puppetdb::params::database_name,
+ $database_ssl = $puppetdb::params::database_ssl
 ) inherits puppetdb::params {
 # We don't need any validation for the embedded database, presumably.
- if ($database == 'postgres' and $database_password != undef) {
+ if ($database == 'postgres' and (
+ $database_password != undef and $database_ssl == false)
+ ) {
 postgresql::validate_db_connection { 'validate puppetdb postgres connection':
 database_host => $database_host,
 database_port => $database_port,
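Review bot: In the new `$subname` selector, any value other than boolean `true` falls into `default` and produces the plaintext `//host:port/db` URL, so a `database_ssl` value that arrives as the string `'true'` (quoted Hiera data or an ENC, presumably) would silently disable SSL while the operator believes it is on. Prefer failing loudly on an unexpected type before the selector — `validate_bool($database_ssl)` if the module already depends on stdlib, otherwise a `fail()` on non-boolean input — and the same concern applies to the `$database_ssl == false` test added in manifests/server/validate_db.pp. The two arms also repeat the base URL; computing `$subname_base = "//${database_host}:${database_port}/${database_name}"` once and appending `?ssl=true` in the `true` arm keeps them from drifting apart. As far as I know `ssl=true` makes the JDBC driver check the server certificate against the JVM truststore, which the README change correctly leaves to the operator; a comment here such as `# ssl=true: the driver validates the server cert against the JVM truststore, configured outside this module` would help the next reader. The enclosing `elsif` block continues outside the hunk.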
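Review bot: The new condition skips `postgresql::validate_db_connection` entirely whenever `$database_ssl` is not boolean `false`, so an SSL-enabled deployment loses its pre-flight connectivity check and a wrong host, port or credential only surfaces when the PuppetDB service starts. The commit does not record why; if the reason is that the check cannot negotiate SSL, say so next to the condition, e.g. `# No pre-flight check when database_ssl is set: validate_db_connection cannot use SSL here (confirm against the postgresql module)`. If the postgresql module version in use can validate over SSL, passing the SSL setting through would be preferable to dropping the check. The class body continues outside the hunk.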