Set different clientcert values depending on version

ody · ody · commit 51b0dc325a55 · 2022-06-23T21:12:40.000Z
The possible values for the clientcert setting changed between 11 and
14, use get_psql_info to determine setting based on version
diff --git a/plans/subplans/db_populate.pp b/plans/subplans/db_populate.pp
@@ -20,6 +20,12 @@
   # Retrieve source's PSQL version
   $psql_version = run_task('peadm::get_psql_version', $source_target).first.value['version']
 
+  # Determine clientcert setting
+  $clientcert = $psql_version ? {
+    '14'    => 'verify-full',
+    default => 1
+  }
+
   # Add the following two lines to /opt/puppetlabs/server/data/postgresql/${psql_version}/data/pg_ident.conf
   #
   # These lines allow connections from destination by pg_basebackup to replicate
@@ -31,11 +37,11 @@
     }
     file_line { 'replication-pe-ha-replication-ipv4':
       path => "/opt/puppetlabs/server/data/postgresql/${psql_version}/data/pg_hba.conf",
-      line => 'hostssl replication    pe-ha-replication 0.0.0.0/0  cert  map=replication-pe-ha-replication-map  clientcert=1',
+      line => "hostssl replication    pe-ha-replication 0.0.0.0/0  cert  map=replication-pe-ha-replication-map  clientcert=${clientcert}",
     }
     file_line { 'replication-pe-ha-replication-ipv6':
       path => "/opt/puppetlabs/server/data/postgresql/${psql_version}/data/pg_hba.conf",
-      line => 'hostssl replication    pe-ha-replication ::/0       cert  map=replication-pe-ha-replication-map  clientcert=1',
+      line => "hostssl replication    pe-ha-replication ::/0       cert  map=replication-pe-ha-replication-map  clientcert=${clientcert}",
     }
   }
 
@@ -81,12 +87,12 @@
     file_line { 'replication-pe-ha-replication-ipv4':
       ensure => absent,
       path   => "/opt/puppetlabs/server/data/postgresql/${psql_version}/data/pg_hba.conf",
-      line   => 'hostssl replication    pe-ha-replication 0.0.0.0/0  cert  map=replication-pe-ha-replication-map  clientcert=1',
+      line   => "hostssl replication    pe-ha-replication 0.0.0.0/0  cert  map=replication-pe-ha-replication-map  clientcert=${clientcert}",
     }
     file_line { 'replication-pe-ha-replication-ipv6':
       ensure => absent,
       path   => "/opt/puppetlabs/server/data/postgresql/${psql_version}/data/pg_hba.conf",
-      line   => 'hostssl replication    pe-ha-replication ::/0       cert  map=replication-pe-ha-replication-map  clientcert=1',
+      line   => "hostssl replication    pe-ha-replication ::/0       cert  map=replication-pe-ha-replication-map  clientcert=${clientcert}",
     }
   }
 
diff --git a/tasks/get_psql_version.rb b/tasks/get_psql_version.rb
@@ -21,4 +21,4 @@ def execute!
   Puppet.initialize_settings
   task = GetPSQLInfo.new(JSON.parse(STDIN.read))
   task.execute!
-end
+end

Original file line number	Diff line number	Diff line change
`@@ -20,6 +20,12 @@`
`20`	`20`	`# Retrieve source's PSQL version`
`21`	`21`	`$psql_version = run_task('peadm::get_psql_version', $source_target).first.value['version']`
`22`	`22`
	`23`	`+ # Determine clientcert setting`
	`24`	`+ $clientcert = $psql_version ? {`
	`25`	`+ '14' => 'verify-full',`
	`26`	`+ default => 1`
	`27`	`+ }`
	`28`	`+`
`23`	`29`	`# Add the following two lines to /opt/puppetlabs/server/data/postgresql/${psql_version}/data/pg_ident.conf`
`24`	`30`	`#`
`25`	`31`	`# These lines allow connections from destination by pg_basebackup to replicate`
`@@ -31,11 +37,11 @@`
`31`	`37`	`}`
`32`	`38`	`file_line { 'replication-pe-ha-replication-ipv4':`
`33`	`39`	`path => "/opt/puppetlabs/server/data/postgresql/${psql_version}/data/pg_hba.conf",`
`34`		`- line => 'hostssl replication pe-ha-replication 0.0.0.0/0 cert map=replication-pe-ha-replication-map clientcert=1',`
	`40`	`+ line => "hostssl replication pe-ha-replication 0.0.0.0/0 cert map=replication-pe-ha-replication-map clientcert=${clientcert}",`
`35`	`41`	`}`
`36`	`42`	`file_line { 'replication-pe-ha-replication-ipv6':`
`37`	`43`	`path => "/opt/puppetlabs/server/data/postgresql/${psql_version}/data/pg_hba.conf",`
`38`		`- line => 'hostssl replication pe-ha-replication ::/0 cert map=replication-pe-ha-replication-map clientcert=1',`
	`44`	`+ line => "hostssl replication pe-ha-replication ::/0 cert map=replication-pe-ha-replication-map clientcert=${clientcert}",`
`39`	`45`	`}`
`40`	`46`	`}`
`41`	`47`
`@@ -81,12 +87,12 @@`
`81`	`87`	`file_line { 'replication-pe-ha-replication-ipv4':`
`82`	`88`	`ensure => absent,`
`83`	`89`	`path => "/opt/puppetlabs/server/data/postgresql/${psql_version}/data/pg_hba.conf",`
`84`		`- line => 'hostssl replication pe-ha-replication 0.0.0.0/0 cert map=replication-pe-ha-replication-map clientcert=1',`
	`90`	`+ line => "hostssl replication pe-ha-replication 0.0.0.0/0 cert map=replication-pe-ha-replication-map clientcert=${clientcert}",`
`85`	`91`	`}`
`86`	`92`	`file_line { 'replication-pe-ha-replication-ipv6':`
`87`	`93`	`ensure => absent,`
`88`	`94`	`path => "/opt/puppetlabs/server/data/postgresql/${psql_version}/data/pg_hba.conf",`
`89`		`- line => 'hostssl replication pe-ha-replication ::/0 cert map=replication-pe-ha-replication-map clientcert=1',`
	`95`	`+ line => "hostssl replication pe-ha-replication ::/0 cert map=replication-pe-ha-replication-map clientcert=${clientcert}",`
`90`	`96`	`}`
`91`	`97`	`}`
`92`	`98`