Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Configure PostgreSQL ssl by default #162

Merged
merged 6 commits into from
Dec 14, 2017
Merged

Configure PostgreSQL ssl by default #162

merged 6 commits into from
Dec 14, 2017

Conversation

carbonin
Copy link
Member

This PR adds the ability to use generate_miq_server_cert.sh for generating certs in arbitrary locations by providing the NEW_CERT_FILE and NEW_KEY_FILE environment variables.

It also removes the conditional logic around using ssl in the postgres configuration files.
We will now generate certs in the default location when initializing the database so we will always set ssl to on, can remove the erb from pg_hba.conf and no-longer need to specify alternate cert locations.

@carbonin
Remove ssl_ca_file setting from postgres conf
2ee33b1 
This is only used when clientcert = 1 in pg_hba.conf
We never set clientcert so we don't need this.

ref: https://www.postgresql.org/docs/9.5/static/ssl-tcp.html
@carbonin
Set ssl = on in our override file
b6dd969
@carbonin
Use ENV variables to specify the cert and key file in the generate sc…
c46cc00 
…ript

This will allow us to generate new postgres certs with the following command:

NEW_CERT_FILE=/var/www/miq/vmdb/certs/postgres.crt \
NEW_KEY_FILE=/var/www/miq/vmdb/certs/postgres.key \
generate_miq_server_cert.sh
@carbonin
Always use hostssl in pg_hba.conf
6c0857a
@carbonin
Rename pg_hba.conf.erb to pg_hba.conf as there is no more erb
6a311ab
@carbonin
Remove the override paths for postgresl ssl key and cert
afd8e04 
There is no reason we can't use the default location
@carbonin carbonin requested a review from jrafanie December 11, 2017 19:59
@carbonin carbonin mentioned this pull request Dec 11, 2017
Merged
@carbonin
Copy link
Member Author

Should be merged with ManageIQ/manageiq-appliance_console#22

@miq-bot
Copy link
Member

miq-bot commented Dec 11, 2017

Checked commits carbonin/manageiq-appliance@2ee33b1~...afd8e04 with ruby 2.3.3, rubocop 0.47.1, haml-lint 0.20.0, and yamllint 1.10.0
0 files checked, 0 offenses detected
Everything looks fine. 🍰

@carbonin
Copy link
Member Author

Related to https://bugzilla.redhat.com/show_bug.cgi?id=1482697 and https://bugzilla.redhat.com/show_bug.cgi?id=1519079

bdunne
bdunne approved these changes Dec 13, 2017
View reviewed changes
Copy link
Member

@bdunne bdunne left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 LGTM

@bdunne bdunne merged commit c64f84a into ManageIQ:master Dec 14, 2017
@bdunne bdunne assigned bdunne and unassigned gtanzillo Dec 14, 2017
@bdunne bdunne added this to the Sprint 76 Ending Jan 1, 2018 milestone Dec 14, 2017
simaishi pushed a commit that referenced this pull request Dec 15, 2017
@bdunne @simaishi
Merge pull request #162 from carbonin/ssl_by_default
02c6232 
Configure PostgreSQL ssl by default
(cherry picked from commit c64f84a)
@simaishi
Copy link
Contributor

Gaprindashvili backport details:

$ git log -1
commit 02c62321dce1d10707a5f5be04eb6b81aaef32fa
Author: Brandon Dunne <[email protected]>
Date:   Thu Dec 14 11:55:35 2017 -0500

    Merge pull request #162 from carbonin/ssl_by_default
    
    Configure PostgreSQL ssl by default
    (cherry picked from commit c64f84a236b70645425b4d44bb7bf96599af1894)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bdunne bdunne bdunne approved these changes

@jrafanie jrafanie Awaiting requested review from jrafanie jrafanie is a code owner

Assignees

@bdunne bdunne

Labels
enhancement gaprindashvili/backported
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@carbonin @miq-bot @simaishi @bdunne @gtanzillo