The open source module can only configure PuppetDB's PostgreSQL access via a password. In PE the default database configuration of PuppetDB is done without a password. This is advantageous because our config files store the password in plain text, which many customers don't want to do. The connection involves using the Puppet agent certs to configure SSL and giving the PuppetDB certname access to the puppetdb database in pg_hba.conf. It would be ideal to give our open source users an easy way to improve their security. For now this should be opt-in, as we shouldn't change this in a y (minor) release, but once it has circulated in the community we should do a major release of the module and make this connection strategy the default. When I want to deploy a quick open source monolithic primary server I apply a manifest like this to configure an SSL connection with the database. I think this still uses password authentication to access the database, but it shows how to configure an agent cert based SSL connection to PostgreSQL.
```puppet
class { 'puppetdb::globals':
  version => $puppetdb_version,
}

# PuppetDB connects to PostgreSQL on the primary's own certname over TLS,
# verifying the server certificate against the Puppet CA.
class { 'puppetdb':
  database_host           => $trusted['certname'],
  database_listen_address => '*',
  jdbc_ssl_properties     => '?ssl=true&sslrootcert=/etc/puppetlabs/puppetdb/ssl/ca.pem',
}

class { 'puppetdb::master::config':
  manage_report_processor => true,
  enable_reports          => true,
}

# Reuse the agent's private key as the PostgreSQL server key.
file { 'postgres private key':
  ensure  => present,
  path    => "${postgresql::params::datadir}/server.key",
  source  => "file:///etc/puppetlabs/puppet/ssl/private_keys/${trusted['certname']}.pem",
  owner   => 'postgres',
  mode    => '0600',
  require => Package['postgresql-server'],
}

# Server certificate chain: agent cert first, then the Puppet CA bundle.
concat { 'postgres cert bundle':
  ensure  => present,
  path    => "${postgresql::params::datadir}/server.crt",
  owner   => 'postgres',
  require => Package['postgresql-server'],
}

concat::fragment { 'agent cert':
  target => 'postgres cert bundle',
  source => "file:///etc/puppetlabs/puppet/ssl/certs/${trusted['certname']}.pem",
  order  => '1',
}

concat::fragment { 'CA bundle':
  target => 'postgres cert bundle',
  source => 'file:///etc/puppetlabs/puppet/ssl/certs/ca.pem',
  order  => '2',
}

# Point postgresql.conf at the key and chain, then enable SSL.
postgresql::server::config_entry { 'ssl_key_file':
  ensure  => present,
  value   => "${postgresql::params::datadir}/server.key",
  require => [File['postgres private key'], Concat['postgres cert bundle']],
}

postgresql::server::config_entry { 'ssl_cert_file':
  ensure  => present,
  value   => "${postgresql::params::datadir}/server.crt",
  require => [File['postgres private key'], Concat['postgres cert bundle']],
}

postgresql::server::config_entry { 'ssl':
  ensure  => present,
  value   => 'on',
  require => [File['postgres private key'], Concat['postgres cert bundle']],
}
```
|
And I believe something similar could be used in our module.
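To show the passwordless half the manifest above leaves out, here is an added example (not code from the module or this issue) that maps the PuppetDB certname to the puppetdb role in pg_hba.conf/pg_ident.conf and builds the matching client-side JDBC properties. It assumes the puppetlabs-postgresql module's pg_hba_rule/pg_ident_rule/config_entry types, PuppetDB running under the agent certname, and that pgjdbc needs the client key as PKCS#8 DER (the `private.pk8` path is an assumption).

```puppet
# Added example (assumptions: puppetlabs-postgresql types, PuppetDB runs as
# the agent certname, pgjdbc wants a PKCS#8 DER client key).
$certname = $trusted['certname']
$ssl_dir  = '/etc/puppetlabs/puppet/ssl'
$pdb_ssl  = '/etc/puppetlabs/puppetdb/ssl'

# PostgreSQL must know which CA signs client certs (the Puppet CA).
file { "${postgresql::params::datadir}/ca.pem":
  ensure => present,
  source => "file://${ssl_dir}/certs/ca.pem",
  owner  => 'postgres',
  mode   => '0644',
}
postgresql::server::config_entry { 'ssl_ca_file':
  ensure => present,
  value  => "${postgresql::params::datadir}/ca.pem",
}

# Refuse plaintext connections to the puppetdb database outright.
postgresql::server::pg_hba_rule { 'reject non-SSL puppetdb access':
  type => 'hostnossl', database => 'puppetdb', user => 'all',
  address => '0.0.0.0/0', auth_method => 'reject', order => 1,
}
# Authenticate by client certificate: the cert CN (the certname) is
# mapped to the puppetdb role, so no password is stored anywhere.
postgresql::server::pg_hba_rule { 'puppetdb cert auth':
  type => 'hostssl', database => 'puppetdb', user => 'puppetdb',
  address => '0.0.0.0/0', auth_method => 'cert',
  auth_option => 'map=puppetdb', order => 2,
}
postgresql::server::pg_ident_rule { 'map puppetdb certname':
  map_name          => 'puppetdb',
  system_username   => $certname,
  database_username => 'puppetdb',
}

# Client side: convert the agent key to PKCS#8 DER for pgjdbc and
# verify the server cert against the CA (sslmode=verify-full).
exec { 'puppetdb pkcs8 key':
  command => "openssl pkcs8 -topk8 -inform PEM -outform DER -nocrypt -in ${ssl_dir}/private_keys/${certname}.pem -out ${pdb_ssl}/private.pk8",
  creates => "${pdb_ssl}/private.pk8",
  path    => ['/usr/bin', '/bin'],
}
$jdbc_ssl_properties = "?ssl=true&sslmode=verify-full&sslrootcert=${pdb_ssl}/ca.pem&sslcert=${ssl_dir}/certs/${certname}.pem&sslkey=${pdb_ssl}/private.pk8"
```

Pass `$jdbc_ssl_properties` to the `puppetdb` class's `jdbc_ssl_properties` parameter; the `hostnossl ... reject` rule makes any fallback to a password-over-plaintext connection fail loudly rather than silently downgrade.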