Add option to disable convenience external Postgres preparation steps for edge cases
A customer reported an error when our Ansible code attempts to set up an external Postgres server over SSL. On investigation this turned out to be because the Postgres server had mutual (2-way) SSL enabled, where the client also has to present a certificate (an optional setting on Google Cloud SQL).
Mutual SSL is an awkward area: not every service or client supports it, and it is complex to operate. While GitLab itself does look to support it, the main Ansible community.postgres collection does not.
On review this is a tricky area. We are effectively automating the preparation steps for the main and Praefect databases as a convenience via Ansible. The problem is that we also need to handle the case where the database server is private. To achieve that we run the Ansible commands remotely via an available VM within the network that can reach the DB server. When mutual SSL is enabled this would require transporting both the client certificate and its private key to whichever machine runs the steps, which is a security smell. Furthermore, the Ansible community.postgres collection outright doesn't support client certificate options, so even with the key in place the steps could not complete.
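To help customers decide up front whether they are in this edge case, the following probe checks what an external Postgres server actually demands at connection time. It is an added example for this issue, not code from the toolkit or from Ansible; it speaks the libpq wire protocol directly (SSLRequest, then a StartupMessage over TLS) so it needs no client library. The host, port, user and database names are placeholders, and the `ca_file` parameter is an assumption about how a caller would pass the server CA. Run it from the VM that the convenience steps would run on, since that is the network position that matters.

```python
"""Probe an external Postgres server's TLS posture: 'no-ssl', 'server-only' or 'mutual'.

Added example for this issue; not part of the GitLab Environment Toolkit or Ansible.
"""
import socket
import ssl
import struct
from typing import Optional

# PostgreSQL frontend/backend protocol v3 constants
SSL_REQUEST_CODE = 80877103   # 0x04D2162F, sent in clear before any TLS handshake
PROTOCOL_VERSION_3 = 196608   # 3 << 16


def build_ssl_request() -> bytes:
    """SSLRequest packet: int32 length (8) followed by the int32 magic code."""
    return struct.pack("!ii", 8, SSL_REQUEST_CODE)


def parse_ssl_response(reply: bytes) -> bool:
    """The server answers SSLRequest with a single byte: 'S' (proceed) or 'N' (no SSL)."""
    if reply == b"S":
        return True
    if reply == b"N":
        return False
    raise ValueError(f"unexpected SSLRequest reply: {reply!r}")


def build_startup_message(user: str = "probe", database: str = "postgres") -> bytes:
    """StartupMessage: int32 length, int32 protocol version, NUL-separated key/value pairs."""
    params = f"user\0{user}\0database\0{database}\0\0".encode()
    body = struct.pack("!i", PROTOCOL_VERSION_3) + params
    return struct.pack("!i", len(body) + 4) + body


def parse_error_fields(payload: bytes) -> dict:
    """ErrorResponse body: repeated (1-byte field code + NUL-terminated string), then NUL."""
    fields = {}
    for item in payload.split(b"\0"):
        if item:
            fields[chr(item[0])] = item[1:].decode("utf-8", errors="replace")
    return fields


def classify_startup_reply(msg_type: bytes, payload: bytes) -> str:
    """Map the first backend message after StartupMessage to a TLS posture.

    'mutual'      -> pg_hba.conf clientcert=verify-* rejected us for not presenting a cert
    'server-only' -> we reached the authentication stage, so no client cert is demanded
    """
    if msg_type == b"E":  # ErrorResponse
        message = parse_error_fields(payload).get("M", "").lower()
        if "client certificate" in message:
            return "mutual"
        return "server-only"
    if msg_type == b"R":  # AuthenticationRequest
        return "server-only"
    raise ValueError(f"unexpected backend message type: {msg_type!r}")


def probe(host: str, port: int = 5432, ca_file: Optional[str] = None,
          timeout: float = 5.0) -> str:
    """Connect to host:port and return 'no-ssl', 'server-only' or 'mutual'. Needs network access."""
    ctx = ssl.create_default_context(cafile=ca_file)
    if ca_file is None:  # CA unknown (assumption): still detect the posture, just unverified
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall(build_ssl_request())
        if not parse_ssl_response(raw.recv(1)):
            return "no-ssl"
        try:
            # A TLS 1.2 server that insists on a client cert aborts the handshake here.
            tls = ctx.wrap_socket(raw, server_hostname=host)
        except ssl.SSLError as err:
            if "HANDSHAKE_FAILURE" in str(err) or "CERTIFICATE_REQUIRED" in str(err):
                return "mutual"
            raise  # anything else (untrusted CA, cipher mismatch) is not our question
        with tls:
            try:
                # A TLS 1.3 server only rejects a missing client cert after the handshake,
                # so the certificate_required alert surfaces on the first write/read.
                tls.sendall(build_startup_message())
                header = tls.recv(5)
            except ssl.SSLError as err:
                if "CERTIFICATE_REQUIRED" in str(err):
                    return "mutual"
                raise
            if len(header) < 5:
                return "mutual"  # connection closed without any protocol message
            msg_type, length = header[:1], struct.unpack("!i", header[1:5])[0]
            payload = tls.recv(length - 4) if length > 4 else b""
            return classify_startup_reply(msg_type, payload)


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 5432))
```

A result of `mutual` means the convenience steps should be disabled and the database prepared by hand with a client certificate and key that never leave the customer's own trusted host; `server-only` means the existing Ansible path (server certificate verification only) is enough.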
On balance, since this is a tricky area, we'll add an option to disable this convenience code and document that customers in this situation should handle the database preparation on their end.