X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Fpostgres%2Fmanifests%2Fcluster%2Fhba_entry.pp;h=8294ffa16a8565f8849631b628a118886671f3f5;hb=019eefed08e38a14827ba6f1cffa6bdc8b972a13;hp=e909a3cc5bf304b48c7de29f5aeb2cad9b4c7705;hpb=6d314df91bf2f73b895e096dde7eb882d4653904;p=mirror%2Fdsa-puppet.git
diff --git a/modules/postgres/manifests/cluster/hba_entry.pp b/modules/postgres/manifests/cluster/hba_entry.pp
index e909a3cc5..8294ffa16 100644
--- a/modules/postgres/manifests/cluster/hba_entry.pp
+++ b/modules/postgres/manifests/cluster/hba_entry.pp
@@ -15,18 +15,20 @@
 # @param address hosts that match
 # @param method auth method
 # @param order ordering of this entry in pg_hba.conf
+# @param firewall also add a firewall rule
 define postgres::cluster::hba_entry (
- Integer $pg_port,
- String $pg_cluster,
- String $pg_version,
- Enum['local', 'hostssl'] $connection_type = 'hostssl',
+ Optional[Integer] $pg_port = undef,
+ Optional[String] $pg_cluster = undef,
+ Optional[String] $pg_version = undef,
+ Enum['local', 'host', 'hostssl'] $connection_type = 'hostssl',
 Variant[String,Array[String]] $database = 'sameuser',
 Variant[String,Array[String]] $user = 'all',
 Optional[Variant[Stdlib::IP::Address, Array[Stdlib::IP::Address]]] $address = undef,
 Enum['md5', 'trust'] $method = 'md5',
 String $order = '50',
+ Boolean $firewall = true,
 ) {
- $address_methods = ['md5']
+ $address_methods = ['md5', 'trust']
 if $method in $address_methods {
 if !$address {
 fail("Authentication method ${method} needs an address")
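Review bot: The `@param` documentation for pg_port, pg_cluster and pg_version sits above this hunk and is not updated, so nothing states the new rule that a caller must pass either pg_port or both pg_cluster and pg_version (the fail() in the following hunk enforces exactly that). `# @param firewall also add a firewall rule` should also say the rule is only emitted when $address is given, e.g. `# @param firewall also add a ferm rule for $address (ignored when $address is unset)`. Adding 'host' to $connection_type permits non-TLS client connections, and since $method 'trust' performs no authentication, a one-line doc note that 'host' together with 'trust' relies entirely on $address and the firewall rule would help reviewers of future callers. The define's body continues past this hunk.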
@@ -37,11 +39,40 @@ define postgres::cluster::hba_entry (
 }
 }
- if ($address) {
- ferm::rule::simple { "postgres::cluster::hba_entry::${pg_version}::${pg_cluster}::${name}":
- description => "allow access to pg${pg_version}/${pg_cluster}: ${name}",
+ # get remaining cluster info and verify consistency
+ ###
+ $clusters = $facts['postgresql_clusters']
+ if $pg_port {
+ $filtered = $clusters.filter |$cluster| { $cluster['port'] == $pg_port }
+ if $filtered.length != 1 {
+ fail("Did not find exactly one cluster with port ${pg_port}")
+ }
+ $cluster = $filtered[0]
+ } elsif $pg_cluster and $pg_version {
+ $filtered = $clusters.filter |$cluster| { $cluster['version'] == $pg_version and $cluster['cluster'] == $pg_cluster}
+ if $filtered.length != 1 {
+ fail("Did not find exactly one cluster ${pg_version}/${pg_cluster}")
+ }
+ $cluster = $filtered[0]
+ } else {
+ fail('postgres::cluster::hba_entry needs either the port of both a pg version and cluster name')
+ }
+ $real_port = $cluster['port']
+ $real_version = $cluster['version']
+ $real_cluster = $cluster['cluster']
+ if $pg_version and $pg_version != $real_version {
+ fail("Inconsisten cluster version information: ${pg_version} != ${real_version}")
+ }
+ if $pg_cluster and $pg_cluster != $real_cluster {
+ fail("Inconsisten cluster name information: ${pg_cluster} != ${real_cluster}")
+ }
+ ###
+
+ if ($address and $firewall) {
+ ferm::rule::simple { "postgres::cluster::hba_entry::${name}":
+ description => "allow access to pg${real_version}/${real_cluster}: ${name}",
 saddr => $address,
- chain => "pg-${pg_port}",
+ chain => "pg-${real_port}",
 }
 }
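Review bot: The two fail() messages on the consistency checks misspell "Inconsistent" and the either/or message reads "the port of both"; they should be `fail("Inconsistent cluster version information: ${pg_version} != ${real_version}")`, `fail("Inconsistent cluster name information: ${pg_cluster} != ${real_cluster}")` and `fail('postgres::cluster::hba_entry needs either the port or both a pg version and cluster name')`. `$facts['postgresql_clusters']` is used without a check; if that fact is absent (for example on a node where it has not been delivered yet), calling `.filter` on undef presumably yields a less useful error than an explicit `fail()` naming the missing fact would. The `$cluster['port'] == $pg_port` comparison also depends on the fact reporting port as an Integer rather than a String — worth confirming against the fact's source, since a type mismatch would match nothing and trip the "exactly one cluster" fail. The enclosing define continues outside the hunk.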
@@ -58,9 +89,9 @@ define postgres::cluster::hba_entry (
 }
 }
- @concat::fragment { "postgres::cluster::pg_hba::${pg_version}::${pg_cluster}::${name}":
- tag => "postgres::cluster::${pg_version}::${pg_cluster}::hba",
- target => "postgres::cluster::${pg_version}::${pg_cluster}::hba",
+ @concat::fragment { "postgres::cluster::pg_hba::${name}":
+ tag => "postgres::cluster::${real_version}::${real_cluster}::hba",
+ target => "postgres::cluster::${real_version}::${real_cluster}::hba",
 order => $order,
 content => inline_template( @(EOF) ),
 #