Conversation
This looks related to #141 but is not an aspect I have incorporated. I was wanting to get in a version of remote database testing and then harden it with more of the options.

It is, @Gauravtalreja1 ran into this when testing ext db stuff
f8a1e26 to 1ba7910
921e621 to 7355577
| containers.podman.podman_secret: | ||
| state: present | ||
| name: candlepin-db-ca | ||
| data: "{{ lookup('ansible.builtin.file', candlepin_database_ssl_ca) if candlepin_database_ssl_ca else 'empty' }}" |
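Review bot: the condition here is truthiness (`if candlepin_database_ssl_ca`), while the connection URL elsewhere in this PR adds `sslrootcert` on `candlepin_database_ssl_ca is defined`; a variable that is defined but empty (for example set to `""` in an inventory) therefore yields a secret containing the literal `empty` and a URL whose `sslrootcert` points at it, so the driver fails on the placeholder rather than reporting the real misconfiguration. Use the same test in both places, for instance `candlepin_database_ssl_ca | default('')` with a truthiness check on each side. Note also that `ansible.builtin.file` reads the CA on the controller, so the path must be valid there, not on the managed host.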
This is creating an empty secret if there is no database SSL cert? Why not use a when conditional on the secret?

Because then I need to also conditionally mount it, and that's painful ;)

I get that, I worry about this being a red herring while debugging.

what kind of red herring? the file being present?

Correct. The file / secret being present but empty raises the "should it be empty? or is it accidentally empty?"

That's why the string is "empty", or should I do "this secret was intentionally left blank"?
What else do you think is needed to take it out of draft?

I wanted to write up some tests to validate it.
46aeafa to 3a61d77
.github/workflows/test.yml
Outdated
| - certificate_source: default | ||
| security: none | ||
| database: external | ||
| - certificate_source: default | ||
| security: none | ||
| database: externalssl |
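Review bot: the added `externalssl` row differs from the existing `external` row only in the `database` value, so it exercises nothing new unless a later step branches on exactly that value; the deploy step in this PR tests `matrix.database == 'external'`, which this row does not satisfy, so it would run a deployment with no external database flags at all. Either make the deploy step recognise `externalssl`, or keep a single external row that always enables TLS, which is where the discussion below ends up.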
I personally think that users should never run external db without SSL, but I know that today we document and support that, so I added this as another matrix entry instead of repurposing the external one. But do we really need to test both?

If you are proposing that we test external database only with TLS - I agree.

Correct, that's what I wanted to say

Do we intend to drop support for external DB without SSL altogether? If not, we should make sure both cases are covered by tests

I see little chance that non-SSL ext-DB breaks while SSL-enabled continues to work.
and you can still verify that in Robottelo for formal support, I just don't think it needs to happen here

The internal database scenario should effectively test the non-ssl scenario for us since it's doing the same style connection and handling.

yeah.
I've now pushed a separate commit, flipping the setup to "only ssl" -- we can still drop it if Gaurav strongly disagrees :)
481ca09 to d157f1a
a0572e5 to 9adce9d
@ehelms look, no draft!
| - name: Run deployment | ||
| run: | | ||
| ./foremanctl deploy --certificate-source=${{ matrix.certificate_source }} ${{ matrix.database == 'external' && '--database-mode=external --database-host=database.example.com' || '' }} --foreman-initial-admin-password=changeme --tuning development | ||
| ./foremanctl deploy --certificate-source=${{ matrix.certificate_source }} ${{ matrix.database == 'external' && '--database-mode=external --database-host=database.example.com --database-ssl-ca $(pwd)/.var/lib/foremanctl/db-ca.crt --database-ssl-mode verify-full' || '' }} --foreman-initial-admin-password=changeme --tuning development |
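Review bot: the new flags mix two syntaxes on one line (`--certificate-source=...` and `--database-mode=external` with `=`, `--database-ssl-ca` and `--database-ssl-mode` with a space); pick one for readability. `--database-ssl-mode verify-full` makes the CA file mandatory and additionally checks the server certificate's name against `--database-host=database.example.com`, so the CA at `$(pwd)/.var/lib/foremanctl/db-ca.crt` must be the one that signed a server certificate carrying that name, and `$(pwd)` must be the directory the CA was fetched into; a short comment pointing at the playbook that produces the file would save the next reader the search the reviewer below had to do.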
Is this path `$(pwd)/.var/..` to the SSL CA correct, or should it be `$(pwd)/var/..`?
And I couldn't find where we generate this cert for these tests.

It's correct, as that's the local, non-root path for foremanctl to store things in (as used in CI)
The certs are generated by the certificates role that was added to development/playbooks/remote-database/remote-database.yaml and is then copied to the path you see here in the Fetch PostgreSQL SSL CA task in the same playbook.
| vars: | ||
| certificates_hostnames: | ||
| - "{{ ansible_facts['fqdn'] }}" | ||
| certificates_ca_password: "CHANGEME" |
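Review bot: `certificates_hostnames` only lists the managed host's `ansible_facts['fqdn']`, but the workflow deploys against `--database-host=database.example.com` with `verify-full`; unless that FQDN is `database.example.com` (or the playbook also lists it here), name verification fails. Adding `database.example.com` to the list makes the intent explicit. The hardcoded `certificates_ca_password: "CHANGEME"` is fine for a development-only playbook, as the reply below says, but a one-line comment stating that stops it being copied into a production inventory.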
Does this password need to be hardcoded here?

Given it's a devel playbook for test only, I see no problem with it being hardcoded
| jpa.config.hibernate.connection.password={{ candlepin_database_password }} | ||
| jpa.config.hibernate.connection.driver_class=org.postgresql.Driver | ||
| jpa.config.hibernate.connection.url=jdbc:postgresql://{{ candlepin_database_host }}:{{ candlepin_database_port }}/{{ candlepin_database_name }}?sslmode={{ candlepin_database_ssl_mode }}{% if candlepin_database_ssl_ca is defined %}&sslrootcert={{ candlepin_database_ssl_ca }}{% endif %} | ||
| jpa.config.hibernate.connection.url=jdbc:postgresql://{{ candlepin_database_host }}:{{ candlepin_database_port }}/{{ candlepin_database_name }}?sslmode={{ candlepin_database_ssl_mode }}{% if candlepin_database_ssl_ca is defined %}&sslrootcert=/etc/candlepin/certs/db-ca.crt{% endif %} |
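Review bot: the container path `/etc/candlepin/certs/db-ca.crt` is now a literal in the JDBC URL and must agree with wherever the `candlepin-db-ca` secret is mounted; a single role variable used by both the mount and this template keeps the two from drifting, which is the consistency point raised below. Separately, `sslmode` is emitted unconditionally while `sslrootcert` is conditional, so a `verify-ca` or `verify-full` value combined with an undefined `candlepin_database_ssl_ca` renders a URL the driver cannot satisfy; an `assert` task in the role on that combination turns a runtime connection failure into a clear deploy-time error.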
Can we move this path to candlepin role defaults instead of hardcoding it here?

We can, but what would be the benefit? It's a path inside the container that shouldn't be changed by the user.
Or do you mean to make it easier to keep consistent between the config here and the secret mount?
| state: present | ||
| name: foreman-database-url | ||
| data: "postgresql://{{ foreman_database_user }}:{{ foreman_database_password }}@{{ foreman_database_host }}:{{ foreman_database_port }}/{{ foreman_database_name }}?pool={{ foreman_database_pool }}&sslmode={{ foreman_database_ssl_mode }}{% if foreman_database_ssl_ca is defined %}&sslrootcert={{ foreman_database_ssl_ca }}{% endif %}" # yamllint disable-line rule:line-length | ||
| data: "postgresql://{{ foreman_database_user }}:{{ foreman_database_password }}@{{ foreman_database_host }}:{{ foreman_database_port }}/{{ foreman_database_name }}?pool={{ foreman_database_pool }}&sslmode={{ foreman_database_ssl_mode }}{% if foreman_database_ssl_ca is defined %}&sslrootcert=/etc/foreman/db-ca.crt{% endif %}" # yamllint disable-line rule:line-length |
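Review bot: `{{ foreman_database_user }}` and `{{ foreman_database_password }}` are interpolated into the URL authority verbatim; a password containing `@`, `:`, `/`, `?` or `#` changes how the URL is split. Pass both through `| urlencode` in this template. The same consistency point as for candlepin applies to the literal `/etc/foreman/db-ca.crt`: keep it in one role variable shared with the secret mount, as the comment below asks.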
Can we move this path to sslrootcert in foreman role defaults instead of hardcoding it here?
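The two connection URLs and the placeholder secret in this PR share the edge cases discussed above: a CA variable that is defined but empty, a verify mode with no CA, and credentials interpolated into the URL unescaped. The following Python is added here as an illustration and is not code from this PR or from foremanctl. It builds the URL with percent-encoded credentials (what the Jinja2 `urlencode` filter does in a template), refuses `verify-ca`/`verify-full` without a CA, and classifies the secret's content so an intentional `empty` placeholder can be told apart from an accidentally empty or malformed one. The container path, the `empty` sentinel and the host name come from the diffs; the function names, the sample credentials and the `/etc/pki/db-ca.crt` controller path are assumptions.

```python
from urllib.parse import parse_qs, quote, unquote, urlsplit

# sslmode values accepted by libpq and pgjdbc; only the verify-* modes use sslrootcert.
SSL_MODES = ("disable", "allow", "prefer", "require", "verify-ca", "verify-full")
VERIFY_MODES = ("verify-ca", "verify-full")

# Container-side path the CA secret is mounted at (assumed; taken from the PR's URL).
CA_MOUNT_PATH = "/etc/foreman/db-ca.crt"
# Sentinel the PR writes into the secret when no CA is configured.
PLACEHOLDER = "empty"


def build_database_url(user, password, host, port, name, pool, ssl_mode, ssl_ca=None):
    """Assemble the postgresql:// URL. Credentials are percent-encoded (what the
    Jinja2 `urlencode` filter would do) so '@', ':' or '/' in a password cannot
    change where the authority part ends."""
    if ssl_mode not in SSL_MODES:
        raise ValueError(f"unknown sslmode {ssl_mode!r}")
    if ssl_mode in VERIFY_MODES and not ssl_ca:
        raise ValueError(f"sslmode={ssl_mode} requires a CA file, but none is configured")
    query = f"pool={pool}&sslmode={ssl_mode}"
    if ssl_ca:
        # The URL must name the path inside the container, not the controller
        # path ssl_ca was read from; ssl_ca only decides whether to add it.
        query += f"&sslrootcert={CA_MOUNT_PATH}"
    return (f"postgresql://{quote(user, safe='')}:{quote(password, safe='')}"
            f"@{host}:{port}/{name}?{query}")


def parse_database_url(url):
    """Split a URL built above back into decoded parts, for checks and tests."""
    parts = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {
        "user": unquote(parts.username or ""),
        "password": unquote(parts.password or ""),
        "host": parts.hostname,
        "port": parts.port,
        "name": parts.path.lstrip("/"),
        "sslmode": query.get("sslmode"),
        "sslrootcert": query.get("sslrootcert"),
    }


def classify_ca_secret(content):
    """Distinguish an intentional placeholder from an accidentally empty or
    malformed CA secret: returns 'placeholder', 'empty', 'pem' or 'invalid'."""
    text = content.strip()
    if not text:
        return "empty"
    if text == PLACEHOLDER:
        return "placeholder"
    if text.startswith("-----BEGIN CERTIFICATE-----") and text.endswith("-----END CERTIFICATE-----"):
        return "pem"
    return "invalid"


def check_deployment(url, ca_secret_content):
    """Cross-check the rendered URL against the mounted secret. Returns a list of
    problems; an empty list means the two agree."""
    problems = []
    parsed = parse_database_url(url)
    kind = classify_ca_secret(ca_secret_content)
    if parsed["sslmode"] in VERIFY_MODES and not parsed["sslrootcert"]:
        problems.append(f"sslmode={parsed['sslmode']} but the URL has no sslrootcert")
    if parsed["sslrootcert"] and kind != "pem":
        problems.append(f"URL points sslrootcert at the CA secret, but the secret is {kind}")
    if not parsed["sslrootcert"] and kind in ("empty", "invalid"):
        problems.append(f"no sslrootcert in the URL, yet the CA secret is {kind} "
                        f"rather than the {PLACEHOLDER!r} placeholder")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not real credentials or certificates.
    sample_ca = "-----BEGIN CERTIFICATE-----\nMIIBsample\n-----END CERTIFICATE-----\n"
    url = build_database_url("foreman", "p@ss/w:rd", "database.example.com", 5432,
                             "foreman", 5, "verify-full", ssl_ca="/etc/pki/db-ca.crt")
    print(url)
    print(check_deployment(url, sample_ca))    # []
    print(check_deployment(url, PLACEHOLDER))  # URL needs a CA but the secret is the placeholder
```

In the Ansible template the equivalent of `quote(..., safe='')` is `{{ foreman_database_password | urlencode }}`, and the `check_deployment` logic maps onto an `assert` task that fails the play when `sslmode` is a verify mode and the CA variable is unset or empty.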