puppetlabs / puppetlabs-puppetdb

A puppet module for installing and managing puppetdb
https://forge.puppetlabs.com/puppetlabs/puppetdb
Apache License 2.0

puppetdb and puppet postgres authentication method mismatch #394

Open ukgaz opened 7 months ago

ukgaz commented 7 months ago

A fresh installation of puppet 7 with puppetdb and a postgres backend caused a reoccurring puppet change to appear:

/Stage[main]/Puppetdb::Database::Postgresql/Postgresql::Server::Db[puppetdb]/Postgresql::Server::Role[puppetdb]/Postgresql_psql[ALTER ROLE puppetdb ENCRYPTED PASSWORD ****]/command: changed [redacted] to [redacted]

Packages in use

puppetserver-7.15.0-1.el7.noarch
puppetdb-termini-7.16.0-1.el7.noarch
puppet-agent-7.28.0-1.el7.x86_64
puppetdb-7.17.1-1.el7.noarch
postgresql15-server-15.6-1PGDG.rhel7.x86_64
postgresql15-libs-15.6-1PGDG.rhel7.x86_64
postgresql15-contrib-15.6-1PGDG.rhel7.x86_64
postgresql15-15.6-1PGDG.rhel7.x86_64

With basic puppetdb config

    class { 'puppetdb': }
    class { 'puppetdb::master::config': }

and in hiera node definition puppetdb::postgres_version: '15'

I think the issue is due to the following change made for postgres puppet module https://github.com/puppetlabs/puppetlabs-postgresql/issues/1402

To fix I had to set in hiera

    postgresql::server::password_encryption: 'md5'

The puppetdb basic configuration should, in theory, be a matching configuration, or updating the documentation at https://www.puppet.com/docs/puppetdb/7/configure_postgres should be considered.

h0tw1r3 commented 6 months ago

@ukgaz #400 should fix the issue. Can you test with the latest release?

ukgaz commented 6 months ago

Great to see this is being investigated. I set up a server from scratch so I don't interfere with our live systems. Cloned our code folder and changed the hostname on the puppet master so it targets a different server.

Anyhow I'm still seeing

Notice: /Stage[main]/Puppetdb::Database::Postgresql/Postgresql::Server::Db[puppetdb]/Postgresql::Server::Role[puppetdb]/Postgresql_psql[ALTER ROLE puppetdb ENCRYPTED PASSWORD ****]/command: changed [redacted] to [redacted]

in ENV.pp

    class { 'puppetdb': }
    class { 'puppetdb::master::config': }

    class { 'repo_postgres':
      pg_version => '15',
    }

In Hiera

    puppetdb::concurrent_writes: 18
    puppetdb::manage_package_repo: false
    puppetdb::postgres_version: '15'
    repo_rhel::exclude_base: 'postgresql-server'
    repo_rhel::exclude_updates: 'postgresql-server'

As you can see, for this change I've removed only the postgresql::server::password_encryption: 'md5', since I could see within params that scram-sha-256 should be considered the default. I can keep the guest up just in case you wish for me to do any further testing.

repo_* is our own repo management module.

h0tw1r3 commented 6 months ago

Just released 8.0.1, which bumps the postgres dependency #402. Maybe that'll do it :) If I have time tomorrow I'll spin up a test.
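
An added example, not part of the thread and not code from puppetlabs-puppetdb or puppetlabs-postgresql: PostgreSQL's `rolpassword` holds either an md5 string or a SCRAM-SHA-256 verifier, and a comparison that expects one format never matches a value stored in the other, which is one way a resource like the `ALTER ROLE` above can report a change on every run. That this is the cause in this issue is an assumption; the function names and sample values are constructed here, and ASCII passwords are assumed (no SASLprep).

```python
import base64
import hashlib
import hmac

PREFIX = "SCRAM-SHA-256$"


def make_md5_verifier(user, password):
    # Legacy format: "md5" followed by hex md5(password + username).
    return "md5" + hashlib.md5((password + user).encode()).hexdigest()


def make_scram_verifier(password, salt, iterations=4096):
    # SCRAM-SHA-256$<iterations>:<salt>$<StoredKey>:<ServerKey>, keys per RFC 5802.
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    salt64, stored64, server64 = (
        base64.b64encode(raw).decode() for raw in (salt, stored_key, server_key))
    return f"{PREFIX}{iterations}:{salt64}${stored64}:{server64}"


def md5_only_check(stored, user, password):
    # Hypothetical format-blind check: only ever true for md5-stored roles.
    return stored == make_md5_verifier(user, password)


def password_matches(stored, user, password):
    # Format-aware check: recompute the verifier in whichever format is stored.
    if stored.startswith(PREFIX):
        params, _keys = stored[len(PREFIX):].split("$")
        iterations, salt64 = params.split(":")
        expected = make_scram_verifier(password, base64.b64decode(salt64), int(iterations))
    elif stored.startswith("md5") and len(stored) == 35:
        expected = make_md5_verifier(user, password)
    else:
        return False
    return hmac.compare_digest(stored, expected)


# Constructed sample values, not taken from the issue.
USER, PASSWORD, SALT = "puppetdb", "example-password", b"constructed-salt"
if __name__ == "__main__":
    scram_stored = make_scram_verifier(PASSWORD, SALT)
    print(md5_only_check(scram_stored, USER, PASSWORD))    # mismatch -> "changed" each run
    print(password_matches(scram_stored, USER, PASSWORD))  # format-aware comparison
```

To see which format a live server holds for the role, compare the prefix of `rolpassword` in `pg_authid` (superuser only) with the `password_encryption` setting.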