puppet: Support setting an ssl_mode verification level.

2025-10-23 04:52:12 +00:00 · 2022-03-10 20:07:50 +00:00
parent 253bef27f5
commit d17006da55
6 changed files with 14 additions and 0 deletions
--- a/docs/production/deployment.md
+++ b/docs/production/deployment.md
@@ -712,6 +712,15 @@ client connections.
 Set to the path to the PEM-encoded private key used to secure client
 connections.

+#### `ssl_mode`
+
+The mode that should be used to verify the server certificate. The
+PostgreSQL default is `prefer`, which provides no security benefit; we
+strongly suggest setting this to `require` or better if you are using
+certificate authentication. See the [PostgreSQL
+documentation](https://www.postgresql.org/docs/current/libpq-ssl.html#LIBPQ-SSL-SSLMODE-STATEMENTS)
+for potential values.
+
 #### `version`

 The version of PostgreSQL that is in use. Do not set by hand; use the
--- a/puppet/zulip/manifests/profile/postgresql.pp
+++ b/puppet/zulip/manifests/profile/postgresql.pp
@@ -21,6 +21,7 @@ class zulip::profile::postgresql {
  $ssl_cert_file = zulipconf('postgresql', 'ssl_cert_file', undef)
  $ssl_key_file = zulipconf('postgresql', 'ssl_key_file', undef)
  $ssl_ca_file = zulipconf('postgresql', 'ssl_ca_file', undef)
+  $ssl_mode = zulipconf('postgresql', 'ssl_mode', undef)

  file { $zulip::postgresql_base::postgresql_confdirs:
    ensure => directory,
--- a/puppet/zulip/templates/postgresql/12/postgresql.conf.template.erb
+++ b/puppet/zulip/templates/postgresql/12/postgresql.conf.template.erb
@@ -796,6 +796,7 @@ restore_command = '/usr/local/bin/env-wal-g wal-fetch "%f" "%p"'
 <% if @replication_primary != '' && @replication_user != '' -%>
 primary_conninfo = 'host=<%= @replication_primary %> user=<%= @replication_user -%>
 <% if @replication_password != '' %> password=<%= @replication_password %><% end -%>
+<% if @ssl_mode != '' %> sslmode=<%= @ssl_mode %><% end -%>
 '
 <% end -%>
 <% end -%>
--- a/puppet/zulip/templates/postgresql/13/postgresql.conf.template.erb
+++ b/puppet/zulip/templates/postgresql/13/postgresql.conf.template.erb
@@ -827,6 +827,7 @@ restore_command = '/usr/local/bin/env-wal-g wal-fetch "%f" "%p"'
 <% if @replication_primary != '' && @replication_user != '' -%>
 primary_conninfo = 'host=<%= @replication_primary %> user=<%= @replication_user -%>
 <% if @replication_password != '' %> password=<%= @replication_password %><% end -%>
+<% if @ssl_mode != '' %> sslmode=<%= @ssl_mode %><% end -%>
 '
 <% end -%>
 <% end -%>
--- a/puppet/zulip/templates/postgresql/14/postgresql.conf.template.erb
+++ b/puppet/zulip/templates/postgresql/14/postgresql.conf.template.erb
@@ -848,6 +848,7 @@ restore_command = '/usr/local/bin/env-wal-g wal-fetch "%f" "%p"'
 <% if @replication_primary != '' && @replication_user != '' -%>
 primary_conninfo = 'host=<%= @replication_primary %> user=<%= @replication_user -%>
 <% if @replication_password != '' %> password=<%= @replication_password %><% end -%>
+<% if @ssl_mode != '' %> sslmode=<%= @ssl_mode %><% end -%>
 '
 <% end -%>
 <% end -%>
--- a/puppet/zulip/templates/postgresql/recovery.conf.template.erb
+++ b/puppet/zulip/templates/postgresql/recovery.conf.template.erb
@@ -4,5 +4,6 @@ recovery_target_timeline = 'latest'
 <% if @replication_primary != '' && @replication_user != '' -%>
 primary_conninfo = 'host=<%= @replication_primary %> user=<%= @replication_user -%>
 <% if @replication_password != '' %> password=<%= @replication_password %><% end -%>
+<% if @ssl_mode != '' %> sslmode=<%= @ssl_mode %><% end -%>
 '
 <% end -%>