Commit 2c9fe225 authored by Robert Marshall's avatar Robert Marshall Committed by Balasankar "Balu" C

Allow forced ssl on all postgres connections

- Adds postgresql['hostssl']; defaults to `false`. If set to `true`,
  the generated `host` entries in pg_hba.conf are rendered as `hostssl`
  (TLS required) for the `trust_auth_cidr_addresses` and
  `md5_auth_cidr_addresses` entries, including their replication entries.
Signed-off-by: Robert Marshall's avatarRobert Marshall <[email protected]>
parent ca662d8e
---
title: Allow forced ssl on defined cidr_addresses
merge_request: 3724
author:
type: added
......@@ -211,6 +211,9 @@ postgresql['sql_user'] = "gitlab"
##! SQL_USER_PASSWORD_HASH can be generated using the command `gitlab-ctl pg-password-md5 gitlab`,
##! where `gitlab` is the name of the SQL user that connects to GitLab.
postgresql['sql_user_password'] = "SQL_USER_PASSWORD_HASH"
# force ssl on all connections defined in trust_auth_cidr_addresses and md5_auth_cidr_addresses
postgresql['hostssl'] = true
```
Any client or GitLab service which will connect over the network will need to
......@@ -983,6 +983,7 @@ external_url 'GENERATED_EXTERNAL_URL'
### SSL settings
# See https://www.postgresql.org/docs/11/static/runtime-config-connection.html#GUC-SSL-CERT-FILE for more details
# postgresql['ssl'] = 'on'
# postgresql['hostssl'] = false
# postgresql['ssl_ciphers'] = 'HIGH:MEDIUM:+3DES:!aNULL:!SSLv3:!TLSv1'
# postgresql['ssl_cert_file'] = 'server.crt'
# postgresql['ssl_key_file'] = 'server.key'
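Review bot: The new commented-out line `# postgresql['hostssl'] = false` gives an operator no hint that flipping it rewrites the generated `host` entries to `hostssl` and makes TLS mandatory for every trust/md5 CIDR, unlike the docs hunk in this same commit which spells that out. I'd annotate it in the file's existing `##!` style, e.g. `##! Set to true to render trust/md5 CIDR entries as hostssl (TLS required for those clients)` directly above the line. It is also worth stating there that hostssl entries only match when `postgresql['ssl']` is `'on'`, since a reader of this template sees the two settings side by side without any note on how they interact.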
......@@ -28,6 +28,7 @@ default['postgresql']['md5_auth_cidr_addresses'] = []
default['postgresql']['trust_auth_cidr_addresses'] = []
default['postgresql']['ssl'] = 'on'
default['postgresql']['hostssl'] = false
default['postgresql']['ssl_ciphers'] = 'HIGH:MEDIUM:+3DES:!aNULL:!SSLv3:!TLSv1'
default['postgresql']['ssl_cert_file'] = 'server.crt'
default['postgresql']['ssl_key_file'] = 'server.key'
......@@ -76,16 +76,16 @@
local all all peer map=gitlab
<% @trust_auth_cidr_addresses.each do |cidr| %>
host all all <%= cidr %> trust
host<% if @hostssl %>ssl<% end %> all all <%= cidr %> trust
<% if @sql_replication_user %>
host replication <%= @sql_replication_user %> <%= cidr %> trust
host<% if @hostssl %>ssl<% end %> replication <%= @sql_replication_user %> <%= cidr %> trust
<% end %>
<% end %>
<% @md5_auth_cidr_addresses.each do |cidr| %>
host all all <%= cidr %> md5
host<% if @hostssl %>ssl<% end %> all all <%= cidr %> md5
<% if @sql_replication_user %>
host replication <%= @sql_replication_user %> <%= cidr %> md5
host<% if @hostssl %>ssl<% end %> replication <%= @sql_replication_user %> <%= cidr %> md5
<% end %>
<% end %>
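Review bot: A `hostssl` entry is only matched when the server has TLS enabled, so with `postgresql['hostssl'] = true` and `postgresql['ssl']` set to `'off'` every network entry rendered on lines 45–56 silently stops matching and remote clients get "no pg_hba.conf entry" — fail-closed, but nothing in this template or the attribute defaults checks the two settings against each other. I'd add `# hostssl entries match only when ssl = on; with ssl off these CIDRs cannot connect at all` above the first `@trust_auth_cidr_addresses` loop. Note also that `hostssl` only adds transport encryption: the `trust` entries still accept any client in the CIDR without authenticating it, so "forced ssl" here should not be read as peer authentication (a `clientcert` option would be needed for that). The four `host<% if @hostssl %>ssl<% end %>` repetitions could be collapsed by computing `<% hba_type = @hostssl ? 'hostssl' : 'host' %>` once at the top, but that is cosmetic.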
......@@ -745,6 +745,17 @@ describe 'postgresql 9.6' do
.with_content('local all all peer map=gitlab')
end
it 'prefers hostssl when configured in pg_hba.conf' do
stub_gitlab_rb(
postgresql: {
hostssl: true,
trust_auth_cidr_addresses: ['127.0.0.1/32']
}
)
expect(chef_run).to render_file(pg_hba_conf)
.with_content('hostssl all all 127.0.0.1/32 trust')
end
it 'adds users custom entries to pg_hba.conf' do
stub_gitlab_rb(
postgresql: {
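Review bot: The new example only exercises the trust branch of the template; the md5 and replication branches, which this commit also switched to `host<% if @hostssl %>ssl<% end %>`, are not covered, nor is the default `hostssl: false` path that must keep rendering plain `host`. I'd extend the stub with `md5_auth_cidr_addresses: ['10.0.0.0/8']` and a `sql_replication_user` value, and add `.with_content('hostssl all all 10.0.0.0/8 md5')` plus a matching `hostssl replication … 127.0.0.1/32 trust` expectation. A sibling example asserting `host all all 127.0.0.1/32 trust` when `hostssl` is left unset would pin the default so a later template edit cannot silently flip all CIDR entries to TLS-only.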