diff --git a/README.md b/README.md
index 38a2e8a..cb6e097 100644
--- a/README.md
+++ b/README.md
@@ -328,7 +328,7 @@ Setting `manage_database` to `true` also setups a database as specified in `db_t
 The class supports:
-* [puppet] >= 6.0 < 8.0
+* [puppet] >= 7.0 < 9.0
 And requires:
diff --git a/functions/db/connect.pp b/functions/db/connect.pp
index 205f6eb..3aa5367 100644
--- a/functions/db/connect.pp
+++ b/functions/db/connect.pp
@@ -39,20 +39,20 @@ function icinga::db::connect(
 'mariadb': {
 $tls_options = join(any2array(delete_undef_values({
 '--ssl' => '',
- '--ssl-ca' => $tls['cacert_file'],
+ '--ssl-ca' => if $tls['noverify'] { undef } else { $tls['cacert_file'] },
 '--ssl-cert' => $tls['cert_file'],
 '--ssl-key' => $tls['key_file'],
- '--ssl-capath' => $tls['capath'],
+ '--ssl-capath' => if $tls['noverify'] { undef } else { $tls['capath'] },
 '--ssl-cipher' => $tls['cipher'],
 })), ' ')
 }
 'mysql': {
 $tls_options = join(any2array(delete_undef_values({
- '--ssl-mode' => 'required',
- '--ssl-ca' => $tls['cacert_file'],
+ '--ssl-mode' => if $tls['noverify'] { 'REQUIRED' } else { 'VERIFY_CA' },
+ '--ssl-ca' => if $tls['noverify'] { undef } else { $tls['cacert_file'] },
 '--ssl-cert' => $tls['cert_file'],
 '--ssl-key' => $tls['key_file'],
- '--ssl-capath' => $tls['capath'],
+ '--ssl-capath' => if $tls['noverify'] { undef } else { $tls['capath'] },
 '--ssl-cipher' => $tls['cipher'],
 })), ' ')
 }
diff --git a/manifests/web.pp b/manifests/web.pp
index 155da02..9534706 100644
--- a/manifests/web.pp
+++ b/manifests/web.pp
@@ -64,6 +64,9 @@
 -> Class['apache']
 -> Class['icingaweb2']
+ # version if the used icingaweb2 puppet module
+ $icingaweb2_version = load_module_metadata('icingaweb2')['version']
+
 #
 # Platform
 #
@@ -181,7 +184,7 @@
 #
 # Icinga Web 2
 #
- if versioncmp(load_module_metadata('icingaweb2')['version'], '4.0.0') < 0 {
+ if versioncmp($icingaweb2_version, '4.0.0') < 0 {
 class { 'icingaweb2':
 db_type => $db_type,
 db_host => $_db_host,
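Review bot: In functions/db/connect.pp the `mysql` branch now emits `--ssl-mode VERIFY_CA` whenever `noverify` is unset, including when neither `cacert_file` nor `capath` is given; as far as I know the mysql client refuses VERIFY_CA without a CA, so callers that relied on the old `required` default with no CA would stop connecting. I would handle that case explicitly, for example `if !$tls['noverify'] and !$tls['cacert_file'] and !$tls['capath'] { fail('TLS verification needs cacert_file or capath, or noverify => true') }`, rather than leaving it to a client error at run time. In the `mariadb` branch `noverify` only removes `--ssl-ca`/`--ssl-capath` and nothing adds `--ssl-verify-server-cert`, so depending on the client version the verified and unverified cases may behave the same; that is worth confirming. The `noverify` key should also be documented next to the other `$tls` keys, with a comment such as `# noverify => true encrypts the connection but does not authenticate the server`. The function body starts and ends outside this hunk.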
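Review bot: The comment added in the first manifests/web.pp hunk reads `# version if the used icingaweb2 puppet module`; it should be `# version of the used icingaweb2 puppet module`. Only one `load_module_metadata('icingaweb2')` call site is visible in these hunks, so if others remain elsewhere in the class they could presumably use `$icingaweb2_version` as well. The class body starts and ends outside both hunks.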
diff --git a/spec/functions/db_connect_spec.rb b/spec/functions/db_connect_spec.rb
index 1b4f705..4d42cf2 100644
--- a/spec/functions/db_connect_spec.rb
+++ b/spec/functions/db_connect_spec.rb
@@ -23,6 +23,14 @@
 ).and_return("-h db.example.org -u bar -p'supersecret' -D foo --ssl --ssl-ca /cacert.file")
 end
+ it "with MariaDB TLS and noverify 'true' on db.example.org and password" do
+ is_expected.to run.with_params(
+ { 'type' => 'mariadb', 'host' => 'db.example.org', 'database' => 'foo', 'username' => 'bar', 'password' => 'supersecret' },
+ { 'noverify' => true, 'cacert_file' => '/cacert.file' },
+ true,
+ ).and_return("-h db.example.org -u bar -p'supersecret' -D foo --ssl")
+ end
+
 it 'with MariaDB client TLS cert on db.example.org' do
 is_expected.to run.with_params(
 { 'type' => 'mariadb', 'host' => 'db.example.org', 'database' => 'foo', 'username' => 'bar' },
@@ -36,15 +44,15 @@
 { 'type' => 'mysql', 'host' => 'db.example.org', 'database' => 'foo', 'username' => 'bar' },
 { 'key_file' => '/key.file', 'cert_file' => '/cert.file', 'cacert_file' => '/cacert.file' },
 true,
- ).and_return('-h db.example.org -u bar -D foo --ssl-mode required --ssl-ca /cacert.file --ssl-cert /cert.file --ssl-key /key.file')
+ ).and_return('-h db.example.org -u bar -D foo --ssl-mode VERIFY_CA --ssl-ca /cacert.file --ssl-cert /cert.file --ssl-key /key.file')
 end
- it 'with MySQL TLS on db.example.org and password' do
+ it "with MySQL TLS and noverify 'true' on db.example.org and password" do
 is_expected.to run.with_params(
 { 'type' => 'mysql', 'host' => 'db.example.org', 'database' => 'foo', 'username' => 'bar', 'password' => 'supersecret' },
- { 'cacert_file' => '/cacert.file' },
+ { 'noverify' => true, 'cacert_file' => '/cacert.file' },
 true,
- ).and_return("-h db.example.org -u bar -p'supersecret' -D foo --ssl-mode required --ssl-ca /cacert.file")
+ ).and_return("-h db.example.org -u bar -p'supersecret' -D foo --ssl-mode REQUIRED")
 end
 it 'with PostgreSQL' do
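Review bot: The second hunk converts the existing 'with MySQL TLS on db.example.org and password' example into the noverify case instead of adding a new one, so the verified MySQL path with a password is no longer exercised. There is also no example for TLS enabled with `noverify` unset and no CA in the hash, which is the input where the switch from `required` to `VERIFY_CA` changes what callers get. I would keep the original example with its expectation updated to `--ssl-mode VERIFY_CA --ssl-ca /cacert.file`, and add the noverify and no-CA examples alongside it. The surrounding `describe` block starts and ends outside these hunks.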