(maint) Supply Postgres ssl files absolutely

[Iristyle]

• Just use the files where they're dumped rather than using symlinks inside Postgres. This removes the need to generate any links in 10-config-postgres-ssl.sh

  Postgres 12 made a change in how Postgres SSL is initialized that wasn't accounted for in 750460f. Instead of making it necessary to copy links to the standard expected Postgres locations for the 4 ssl files (which worked in 9.6, but no longer works in 12.4), configure Postgres to use the pathing produced by the ssl.sh script.

  Postgres 12 now seems to require the cert files exist before completing the init process and running user specified entrypoint scripts, whereas 9.6 didn't require this.

  Figured this out in k8s 4 months ago, but didn't carry the change over to container testing: puppetlabs/holodeck-manifests@425b98d

  • Temporarily disable running open source tests in favor of running the more comprehensive PE tests.

  There isn't yet a great way to include service definitions for both PE and OSS in the same docker-compose file.

  Until that can be resolved, it's PE only!

  That would look something like: SpecHelpers.load_compose_services = 'postgres,puppetdb,puppet'

  OSS also called restart_stack helper, but PE suite instead stops a random service.

  • Add new helper check_report_timestamp that uses a pe-client-tools container and the PDB cli puppet-query to grab the last report timestamp of a given agent name from PE. The previous version of the test suite queried the open port 8080 of PDB, while the PE version requires the use of port 8081 and SSL instead.

  • Make sure callsites are updated to use pupperware network instead of pupperware-commercial network

• Move folder "commercial" -> "enterprise"

[jpartlow]

This passes, but I don't think it makes use of the pe-postgres.yml. Locally, using this with pe-bolt-vanagon fails to stand up postgres:

FATAL:  could not load server certificate file "${SSLDIR}/certs/server.crt": No such file or directory        
LOG:  database system is shut down                   
FATAL:  could not load server certificate file "${SSLDIR}/certs/server.crt": No such file or directory
LOG:  database system is shut down  

Possibly because of an escaping issue in how the entrypoint script is handling the args.

The same pr but with the full paths typed out worked for me.

[Iristyle]

Yeah @jpartlow I think that I'm going to move pupperware-commercial repo into pupperware tomorrow so that we get validation against both FOSS and PE with PRs to this repo. I don't see a compelling reason to have pupperware-commercial be its own repo anymore (barring a check for any secrets) -- having it separate is a hindrance.

[Iristyle]

Not quite right yet...

2021-04-09 04:27:15.183 UTC [1] FATAL:  private key file "/var/lib/postgresql/data/certs/private_keys/server.key" has group or world access
2021-04-09 04:27:15.183 UTC [1] DETAIL:  File must have permissions u=rw (0600) or less if owned by the database user, or permissions u=rw,g=r (0640) or less if owned by root.

[jpartlow]

Hmm, that's odd; I wasn't hitting that. That's going to be tricky though. Whatever is generating the certs has to get the permissions right before the entrypoint begins.

[jpartlow]

Given that the pdb port had been set to map 8080 to the host, I'm not sure why check_report was failing. The logs did look as though pdb had come up, orchestrator had waited on it before issuing the node run, and the agent completed after pdb was up, and should therefore have produced a report. But I guess Net::HTTP timed out trying to reach pdb for the query? Unless there's something about the Travis env that is more restrictive.

[Iristyle]

@jpartlow I'm pretty sure it's because the PE version of PDB isn't accepting non-SSL connections, right?

That last commit adds a call to client tools to do the retrieval instead. As long as that works, I'll get this cleaned up and merged 🤞🏻