puppet: Support setting an `ssl_mode` verification level.

2022-03-10 20:07:50 +00:00 · 2022-03-10 20:07:50 +00:00 · d17006da55
parent 253bef27f5
commit d17006da55
6 changed files with 14 additions and 0 deletions
--- a/docs/production/deployment.md
+++ b/docs/production/deployment.md
@ -712,6 +712,15 @@ client connections.
 Set to the path to the PEM-encoded private key used to secure client
 connections.

+#### `ssl_mode`
+
+The mode that should be used to verify the server certificate. The
+PostgreSQL default is `prefer`, which provides no security benefit; we
+strongly suggest setting this to `require` or better if you are using
+certificate authentication. See the [PostgreSQL
+documentation](https://www.postgresql.org/docs/current/libpq-ssl.html#LIBPQ-SSL-SSLMODE-STATEMENTS)
+for potential values.
+
 #### `version`

 The version of PostgreSQL that is in use. Do not set by hand; use the
--- a/puppet/zulip/manifests/profile/postgresql.pp
+++ b/puppet/zulip/manifests/profile/postgresql.pp
@ -21,6 +21,7 @@ class zulip::profile::postgresql {
  $ssl_cert_file = zulipconf('postgresql', 'ssl_cert_file', undef)
  $ssl_key_file = zulipconf('postgresql', 'ssl_key_file', undef)
  $ssl_ca_file = zulipconf('postgresql', 'ssl_ca_file', undef)
+  $ssl_mode = zulipconf('postgresql', 'ssl_mode', undef)

  file { $zulip::postgresql_base::postgresql_confdirs:
    ensure => directory,
--- a/puppet/zulip/templates/postgresql/12/postgresql.conf.template.erb
+++ b/puppet/zulip/templates/postgresql/12/postgresql.conf.template.erb
@ -796,6 +796,7 @@ restore_command = '/usr/local/bin/env-wal-g wal-fetch "%f" "%p"'
 <% if @replication_primary != '' && @replication_user != '' -%>
 primary_conninfo = 'host=<%= @replication_primary %> user=<%= @replication_user -%>
 <% if @replication_password != '' %> password=<%= @replication_password %><% end -%>
+<% if @ssl_mode != '' %> sslmode=<%= @ssl_mode %><% end -%>
 '
 <% end -%>
 <% end -%>
--- a/puppet/zulip/templates/postgresql/13/postgresql.conf.template.erb
+++ b/puppet/zulip/templates/postgresql/13/postgresql.conf.template.erb
@ -827,6 +827,7 @@ restore_command = '/usr/local/bin/env-wal-g wal-fetch "%f" "%p"'
 <% if @replication_primary != '' && @replication_user != '' -%>
 primary_conninfo = 'host=<%= @replication_primary %> user=<%= @replication_user -%>
 <% if @replication_password != '' %> password=<%= @replication_password %><% end -%>
+<% if @ssl_mode != '' %> sslmode=<%= @ssl_mode %><% end -%>
 '
 <% end -%>
 <% end -%>
--- a/puppet/zulip/templates/postgresql/14/postgresql.conf.template.erb
+++ b/puppet/zulip/templates/postgresql/14/postgresql.conf.template.erb
@ -848,6 +848,7 @@ restore_command = '/usr/local/bin/env-wal-g wal-fetch "%f" "%p"'
 <% if @replication_primary != '' && @replication_user != '' -%>
 primary_conninfo = 'host=<%= @replication_primary %> user=<%= @replication_user -%>
 <% if @replication_password != '' %> password=<%= @replication_password %><% end -%>
+<% if @ssl_mode != '' %> sslmode=<%= @ssl_mode %><% end -%>
 '
 <% end -%>
 <% end -%>
--- a/puppet/zulip/templates/postgresql/recovery.conf.template.erb
+++ b/puppet/zulip/templates/postgresql/recovery.conf.template.erb
@ -4,5 +4,6 @@ recovery_target_timeline = 'latest'
 <% if @replication_primary != '' && @replication_user != '' -%>
 primary_conninfo = 'host=<%= @replication_primary %> user=<%= @replication_user -%>
 <% if @replication_password != '' %> password=<%= @replication_password %><% end -%>
+<% if @ssl_mode != '' %> sslmode=<%= @ssl_mode %><% end -%>
 '
 <% end -%>