Prefer clientcert=verify-full to the deprecated clientcert=1 in hba rules #370

Closed

@marszip marszip commented Aug 30, 2023

We have updated to Puppet 8.2 and in the release notes it states that PostgreSQL 13 is not supported. The most current version for us is PostgreSQL 15, but we run into a problem with the Puppetforge module for Puppet DB.

The clientcert=1 parameter in the pg_hba.conf is not valid anymore.
This should be clientcert=verify-ca or clientcert=verify-full.

@marszip marszip requested review from bastelfreak, smortex and a team as code owners August 30, 2023 10:23
CLAassistant commented Aug 30, 2023

CLA assistant check
All committers have signed the CLA.

@marszip marszip force-pushed the remove_deprecated_postgresql branch 2 times, most recently from 3361d85 to 7ebe481 Compare August 30, 2023 10:45
@marszip marszip closed this Aug 30, 2023
@marszip marszip reopened this Aug 30, 2023
Collaborator

@smortex smortex left a comment

clientcert=verify-full (or verify-ca) was introduced in PostgreSQL 12, so all supported versions of PostgreSQL support this setting. It seems safe to update it.

@smortex smortex added the bugfix label Sep 30, 2023
@smortex smortex changed the title remove deprecated Postgresql hbaconf parameter Prefer clientcert=verify-full to the deprecated clientcert=1 in hba rules Sep 30, 2023
Contributor

h0tw1r3 commented Dec 14, 2023

> clientcert=verify-full (or verify-ca) was introduced in PostgreSQL 12, so all supported versions of PostgreSQL support this setting. It seems safe to update it.

Unless I'm reading this wrong, Postgresql 11 is usually installed by default.

$postgres_version = '11'

Collaborator

smortex commented Dec 14, 2023

> > clientcert=verify-full (or verify-ca) was introduced in PostgreSQL 12, so all supported versions of PostgreSQL support this setting. It seems safe to update it.
>
> Unless I'm reading this wrong, Postgresql 11 is usually installed by default.
>
> $postgres_version = '11'

This should probably be changed. These versions reached EOL a long time ago.

As far as I am concerned, I set manage_dbserver => false in my control-repo's puppetdb profile. Managing the server from this module is probably a smell.

Contributor

h0tw1r3 commented Feb 4, 2024

closing in favor of #380

@h0tw1r3 h0tw1r3 closed this Feb 4, 2024
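
An added example (not part of this pull request or the module's code): a small Python audit of pg_hba.conf text that flags `clientcert=1` and rewrites it to `clientcert=verify-full`, using the PostgreSQL 12 cut-off stated in the review comment. The sample rules, function names and verdict labels are constructed for illustration.

```python
import re
import shlex

# Constructed sample rules for illustration; not taken from the module.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER      ADDRESS      METHOD         OPTIONS
local   all       postgres               peer
hostssl puppetdb  puppetdb  10.0.0.0/24  scram-sha-256  clientcert=1
hostssl puppetdb  puppetdb  10.0.1.0/24  scram-sha-256  clientcert=verify-ca
hostssl puppetdb  puppetdb  10.0.2.0/24  cert           clientcert=verify-full
host    all       all       127.0.0.1/32 scram-sha-256
"""

# verify-ca / verify-full exist from PostgreSQL 12, per the review comment.
VERIFY_MIN_MAJOR = 12


def audit_clientcert(hba_text, server_major):
    """Return (line_no, value, verdict) for every clientcert option found."""
    findings = []
    for line_no, raw in enumerate(hba_text.splitlines(), start=1):
        # shlex drops '#' comments and honours "quoted" fields.
        tokens = shlex.split(raw, comments=True)
        for tok in tokens[1:]:
            name, sep, value = tok.partition("=")
            if name != "clientcert" or not sep:
                continue
            modern = value in ("verify-ca", "verify-full")
            if modern and server_major < VERIFY_MIN_MAJOR:
                verdict = "unsupported-on-this-server"
            elif value == "verify-full":
                verdict = "ok"            # chain check plus CN must match the user
            elif value == "verify-ca":
                verdict = "chain-only"    # certificate chain check only
            elif value == "1":
                legacy = server_major < VERIFY_MIN_MAJOR
                verdict = "legacy-only-option" if legacy else "deprecated"
            else:
                verdict = "review"
            findings.append((line_no, value, verdict))
    return findings


def rewrite_deprecated(hba_text):
    """Replace clientcert=1 with clientcert=verify-full on non-comment lines."""
    pattern = r"(?m)^(?![ \t]*#)(.*\bclientcert=)1(?=\s|$)"
    return re.sub(pattern, r"\1verify-full", hba_text)
```

`verify-full` additionally requires the certificate CN to match the database user name (or its mapping), so check the client certificates in use before applying the rewrite.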
4 participants