Support IPv6 by default in Jetty

jovandeginste · jovandeginste · commit 41cc0c30d6a1 · 2021-11-26T11:11:55.000+01:00
The equivalent "all" interface to `0.0.0.0` for IPv6 is `::`; this
_includes_ IPv4's `0.0.0.0`. In other words, this should be fully
backward compatible.

Signed-off-by: Jo Vandeginste &lt;Jo.Vandeginste@kuleuven.be&gt;
diff --git a/docker/puppetdb/conf.d/jetty.ini b/docker/puppetdb/conf.d/jetty.ini
@@ -2,7 +2,7 @@
 # IP address or hostname to listen for clear-text HTTP. To avoid resolution
 # issues, IP addresses are recommended over hostnames.
 # Default is `localhost`.
-host = 0.0.0.0
+host = ::
 
 # Port to listen on for clear-text HTTP.
 port = 8080
@@ -13,8 +13,8 @@ port = 8080
 
 # IP address to listen on for HTTPS connections. Hostnames can also be used
 # but are not recommended to avoid DNS resolution issues. To listen on all
-# interfaces, use `0.0.0.0`.
-# ssl-host = 0.0.0.0
+# interfaces, use `::`.
+# ssl-host = ::
 
 # The port to listen on for HTTPS connections
 # ssl-port = 8081
diff --git a/documentation/configure.markdown b/documentation/configure.markdown
@@ -623,7 +623,7 @@ The `[jetty]` section configures HTTP for PuppetDB.
 Sets the IP interface to listen on for **unencrypted** HTTP
 traffic. If not supplied, we bind to `localhost`, which will reject
 connections from anywhere but the PuppetDB server itself. To listen on
-all available interfaces, use `0.0.0.0`.
+all available interfaces, use `::`.
 
 To avoid DNS resolution confusion, if you wish to set this to something other than `localhost`, we reccomend using an IP address instead of a hostname.
 
@@ -654,7 +654,7 @@ can be made at one time. Defaults to 50.
 
 Sets which IP interface to listen on for **encrypted** HTTPS traffic. If
 not supplied, we bind to `localhost`. To listen on all available
-interfaces, use `0.0.0.0`.
+interfaces, use `::`.
 
 To avoid DNS resolution confusion, if you wish to set this to something other than `localhost`, we reccomend using an IP address instead of a hostname
 
@@ -821,7 +821,7 @@ Specifies the host or IP address for the REPL service to listen on. By
 default this is `127.0.0.1` only. As this is an insecure channel this
 is the only recommended setting for production environments.
 
-If you wish to listen on all interfaces, you can specify `0.0.0.0`, for example, although this is generally not recommended for production.
+If you wish to listen on all interfaces, you can specify `::`, for example, although this is generally not recommended for production.
 
 ## `[developer]` settings
 
diff --git a/documentation/load_testing_tool.markdown b/documentation/load_testing_tool.markdown
@@ -67,7 +67,7 @@ below.
 
 * On the primary server, modify `/etc/puppetlabs/puppetdb/conf.d/jetty.ini`.
 In the `[jetty]` section, set either:
-    * `host=0.0.0.0 # http access from all agents`
+    * `host=:: # http access from all agents`
     * `host=<agent ip address> # access from specific agent`
 
 * Install java on the agent
diff --git a/documentation/release_notes_older.markdown b/documentation/release_notes_older.markdown
@@ -1541,7 +1541,7 @@ For PostgreSQL consumers this means the extra `data` key needs to be traversed t
 
 * Retire `facts.strip_internal` (terminus). ([PDB-971](https://tickets.puppetlabs.com/browse/PDB-971))
 
-    This patch adds a `maybe_strip_internal` method to Puppet::Node::Facts::Puppetdb
+    This patch adds a `maybe_strip_internal` method to Puppet0.0.0.0Node::Facts::Puppetdb
     that will call `Facts#strip_internal` if the method exists, but Facts#values if
     not. This will allow our terminus to remain backward compatible when Puppet
     retires the `strip_internal` method and the `timestamp` fact.
@@ -3075,7 +3075,7 @@ Notable improvements and fixes:
     The PuppetDB API specifies that it is JSON, so we should parse it as
     that and not as PSON.
 
-    Some Puppet classes (Puppet::Node and Puppet::Node::Facts) don't
+    Some Puppet classes (Puppet0.0.0.0Node and Puppet::Node::Facts) don't
     support JSON serialization, so continue to use PSON serialization
     for them. In Puppet 3.4.0+ they have methods to do seralization in
     other formats than PSON though, so when support for older versions
@@ -3085,7 +3085,7 @@ Notable improvements and fixes:
 
     This patch adds some select profiling blocks to the PuppetDB terminus code.
 
-    The profiler is provided by puppet core from Puppet::Util::Puppetdb#profile,
+    The profiler is provided by puppet core from Puppet0.0.0.0Util::Puppetdb#profile,
     which has recently become public for our use. We provide here in our own utils
     library our own wrapper implementation that can be mixed in.
 
@@ -3688,7 +3688,7 @@ Notable features and improvements:
     cache terminus, intercepting the first save request and storing the values
     in PuppetDB.
 
-* Avoid Array#find in Puppet::Resource::Catalog::Puppetdb#find_resource (Aman Gupta)
+* Avoid Array#find in Puppet0.0.0.0Resource::Catalog::Puppetdb#find_resource (Aman Gupta)
 
     This patch provides performance improvements in the terminus, during the
     synthesize_edges stage. For example, in cases with 10,000 resource (with
diff --git a/resources/ext/cli/ssl-setup.erb b/resources/ext/cli/ssl-setup.erb
@@ -349,7 +349,7 @@ chown -R "$user:$group" "$ssl_dir"
 if [ -f "$jettyfile" ] ; then
   # Check settings are correct and fix or warn
   settings=(
-    "ssl-host:0.0.0.0"
+    "ssl-host:::"
     "ssl-port:8081"
     "ssl-key:${private_file}"
     "ssl-cert:${public_file}"
@@ -423,7 +423,7 @@ then
   echo "    [jetty]"
   echo "    #host       = localhost"
   echo "    port        = 8080"
-  echo "    ssl-host    = 0.0.0.0"
+  echo "    ssl-host    = ::"
   echo "    ssl-port    = 8081"
   echo "    ssl-key     = ${private_file}"
   echo "    ssl-cert    = ${public_file}"
diff --git a/resources/ext/config/conf.d/jetty.ini b/resources/ext/config/conf.d/jetty.ini
@@ -13,7 +13,7 @@ port = 8080
 
 # IP address to listen on for HTTPS connections. Hostnames can also be used
 # but are not recommended to avoid DNS resolution issues. To listen on all
-# interfaces, use `0.0.0.0`.
+# interfaces, use `::`.
 # ssl-host = <host>
 
 # The port to listen on for HTTPS connections
diff --git a/resources/puppetlabs/puppetdb/benchmark/config.ini b/resources/puppetlabs/puppetdb/benchmark/config.ini
@@ -2,5 +2,5 @@
 logging-config = resources/logback.xml
 
 [jetty]
-host = 0.0.0.0
+host = ::
 port = 8080
diff --git a/test-resources/integration-puppetdb.conf b/test-resources/integration-puppetdb.conf
@@ -19,10 +19,10 @@ nrepl: {
 }
 
 jetty: {
-  host: 0.0.0.0
+  host: ::
   port: 0
 
-  ssl-host: 0.0.0.0
+  ssl-host: ::
   ssl-port: 0 # filled out by the test harness
 
   # Original settings
diff --git a/test-resources/puppetserver/puppetserver.conf b/test-resources/puppetserver/puppetserver.conf
@@ -12,9 +12,9 @@ webserver: {
     access-log-config: ./dev/request-logging-dev.xml
     client-auth: want
     # ssl-host controls what networks the server will accept connections from.
-    # The default value below is '0.0.0.0', so will accept connections from
+    # The default value below is '::', so will accept connections from
     # any client.  For better security, you might wish to set this to 'localhost'.
-    ssl-host: 0.0.0.0
+    ssl-host: ::
     #ssl-host: localhost
     ssl-port: 8140
 }
diff --git a/test/puppetlabs/puppetdb/cli/services_test.clj b/test/puppetlabs/puppetdb/cli/services_test.clj
@@ -214,7 +214,7 @@
            (assoc :database *db*)
            (assoc :jetty (merge cert-config
                                 {:ssl-port 0
-                                 :ssl-host "0.0.0.0"
+                                 :ssl-host "::"
                                  :ssl-protocols "TLSv1,TLSv1.1,TLSv1.2"}))
            (assoc-in [:puppetdb :certificate-allowlist] (str allowlist-file)))
        (fn []
