# Allow certificate mapped connections to puppetdb as puppetdb_read (ipv6) Hostssl puppetdb puppetdb_migrator ::/0 cert map=puppetdb-puppetdb-migrator-map clientcert=1 # Allow certificate mapped connections to puppetdb as puppetdb_migrator (ipv6) Hostssl puppetdb puppetdb ::/0 cert map=puppetdb-puppetdb-map clientcert=1 # Allow certificate mapped connections to puppetdb as puppetdb (ipv6)
The verify-full option is first available in PostgreSQL 12.
Option isn't supported and is instead replaced with clientcert=verify-full. In pg_hba.conf you need to add one hostssl entry for each database user Ssl_cert_file and ssl_key_file, and set the ssl_ca_file in your The certificate of your PuppetDB server, so copy the ca.pem (which can beįound with puppet config print localcacert over to the directory of your Also, your PostgreSQL server will need to be able to validate Settings to allow your PuppetDB service to access the puppetdb database using
PuppetDB and Postgres and then change the pg_hba.conf and pg_nf Need to follow the above instructions for setting up an SSL connection between To use Puppet's signed certificates to authenticate PuppetDB's databaseĬonnection (instead of using a password in the database config section), you Using Puppet Agent certificates for database authorization Your connection should nowīe SSL (but you will still be authorizing your database connection using a Restart PuppetDB and monitor your logs for errors. Subname = //:/?ssl=true&sslfactory=&sslmode=verify-full&sslrootcert=/etc/puppetlabs/puppetdb/ssl/ca.pem Make sure that ssl is set to on in nf, and then restart PostgreSQL.Īfter this is complete, modify the database JDBC connection URL in your PuppetDB configuration as follows: This process is explained in detail here. The location of these files can be found by using the following commands: # CertificateĬopy these files to the relevant directories as specified by the PostgreSQL configuration items ssl_cert_file and ssl_key_file. To begin, configure your PostgreSQL server to use the host's Puppet server certificate and key. You can remove the plaintext password from your PuppetDB config files if youĪlso configure database authorization using agent certificates We also recommend this methodology for securing the HTTPS interface for PuppetDB. This means you can reuse the local Puppet agent certificate for PostgreSQL.īecause your local Puppet agent's certificate must be signed for Puppet to work, you likely have an established workflow for getting these signed. Using Puppet certificates to secure your PostgreSQL server has the following benefits:īecause you are using PuppetDB, we can presume that you are using Puppet on each server. If you don't have a signed Puppet certificate on your PostgreSQL server, see the ssl documentaion for Configuring a Puppet/PuppetDB connection.Connecting standalone Puppet nodes to PuppetDB.
0 kommentar(er)
