Member

evgeni commented Dec 2, 2025

No description provided.

Member

ehelms commented Dec 2, 2025

This looks related to #141 but is not an aspect I have incorporated. I was wanting to get in a version of remote database testing and then harden it with more of the options.

Member Author

evgeni commented Dec 2, 2025

It is, @Gauravtalreja1 ran into this when testing ext db stuff.

@evgeni evgeni force-pushed the ssldb branch 5 times, most recently from f8a1e26 to 1ba7910 Compare December 2, 2025 17:37
state: present
name: foreman-database-url
data: "postgresql://{{ foreman_database_user }}:{{ foreman_database_password }}@{{ foreman_database_host }}:{{ foreman_database_port }}/{{ foreman_database_name }}?pool={{ foreman_database_pool }}&sslmode={{ foreman_database_sslmode }}{% if foreman_database_ssl_ca is defined %}&sslrootcert={{ foreman_database_ssl_ca }}{% endif %}" # yamllint disable-line rule:line-length
data: "postgresql://{{ foreman_database_user }}:{{ foreman_database_password }}@{{ foreman_database_host }}:{{ foreman_database_port }}/{{ foreman_database_name }}?pool={{ foreman_database_pool }}&sslmode={{ foreman_database_sslmode }}{% if foreman_database_sslrootcert is defined %}&sslrootcert=/etc/foreman/db-ca.crt{% endif %}" # yamllint disable-line rule:line-length
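
Review bot: in the `data:` URL, `sslrootcert` is appended whenever the CA variable is defined, but `sslmode` is passed through unchanged, so a CA can be configured together with a mode that never checks the server's host name. Consider failing early unless the mode is `verify-full` (or at least `verify-ca`) when a CA is set. Also, `{{ foreman_database_user }}` and `{{ foreman_database_password }}` go into the userinfo part without percent-encoding, so a password containing a character such as `@` or `#` yields a URL that parses to the wrong credentials or host; percent-encode both, for example with the `urlencode` filter.
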
Member Author

@ehelms the other roles (pulp, candlepin) use *_ssl_mode and *_ssl_ca, while foreman uses _sslmode and _sslrootcert. Given those vars are internal, it doesn't hurt too much, but probably a good idea to still align them?

Member

Sounds fair, most of these names were lifted from their Puppet predecessors.

Member Author

Updated.

@evgeni evgeni force-pushed the ssldb branch 3 times, most recently from f5d3e14 to 921e621 Compare December 3, 2025 09:03
Renames foreman_database_sslrootcert to foreman_database_ssl_ca
and foreman_database_sslmode to foreman_database_ssl_mode
containers.podman.podman_secret:
state: present
name: candlepin-db-ca
data: "{{ lookup('ansible.builtin.file', candlepin_database_ssl_ca) if candlepin_database_ssl_ca else 'empty' }}"
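
Review bot: the `else 'empty'` branch of `data:` stores the literal string `empty` in the `candlepin-db-ca` secret, so the mounted file always exists but is not a valid PEM certificate when no CA is configured. Whatever consumes the secret has to key off `candlepin_database_ssl_ca` itself and not off the file's presence, and a short comment on the task saying so would help. The truthiness test here also differs from the `is defined` test in the `foreman-database-url` template; if the foreman variable gets an empty default as well, `is defined` is always true there and `sslrootcert` is always appended.
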
Member

This is creating an empty secret if there is no database SSL cert? Why not use a when conditional on the secret?

Member Author

Because then I need to also conditionally mount it, and that's painful ;)
