pass in the configured DB ca (if any) to the container #345

Open
evgeni wants to merge 5 commits into master from ssldb

evgeni commented Dec 2, 2025

No description provided.

ehelms commented Dec 2, 2025

This looks related to #141 but is not an aspect I have incorporated. I was wanting to get in a version of remote database testing and then harden it with more of the options.

evgeni commented Dec 2, 2025

It is, @Gauravtalreja1 ran into this when testing ext db stuff

evgeni force-pushed the ssldb branch 5 times, most recently from f8a1e26 to 1ba7910 (December 2, 2025 17:37)
evgeni force-pushed the ssldb branch 4 times, most recently from 921e621 to 7355577 (December 5, 2025 08:39)

containers.podman.podman_secret:
state: present
name: candlepin-db-ca
data: "{{ lookup('ansible.builtin.file', candlepin_database_ssl_ca) if candlepin_database_ssl_ca else 'empty' }}"
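
Review bot: the `data:` fallback writes the literal string 'empty' into the `candlepin-db-ca` secret whenever `candlepin_database_ssl_ca` is unset, so the secret always exists and in that case does not contain a certificate. If the unconditional secret stays, say so in a comment on this task and make sure the database connection only references the secret's content when `candlepin_database_ssl_ca` is set, so the placeholder is never handed to a TLS client as a trust store. Also worth documenting for the variable: `lookup('ansible.builtin.file', ...)` reads the path on the Ansible controller, not on the managed host.
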
Member

This is creating an empty secret if there is no database SSL cert? Why not use a when conditional on the secret?

Member Author

Because then I need to also conditionally mount it, and that's painful ;)

Member

I get that, I worry about this being a red herring while debugging.

ehelms commented Feb 18, 2026

What else do you think is needed to take it out of draft?

evgeni commented Feb 18, 2026

I wanted to write up some tests to validate it.

evgeni force-pushed the ssldb branch 2 times, most recently from 46aeafa to 3a61d77 (February 19, 2026 08:06)

Comment on lines 53 to +58
- certificate_source: default
security: none
database: external
- certificate_source: default
security: none
database: externalssl
Member Author

I personally think that users should never run external db without SSL, but I know that today we document and support that, so I added this as another matrix entry instead of repurposing the external one. But do we really need to test both?

Member

If you are proposing that we test external database only with TLS - I agree.

Member Author

Correct, that's what I wanted to say

evgeni force-pushed the ssldb branch 7 times, most recently from 481ca09 to d157f1a (February 19, 2026 10:55)
evgeni force-pushed the ssldb branch 2 times, most recently from 8953b69 to a0572e5 (February 19, 2026 11:47)
evgeni marked this pull request as ready for review (February 19, 2026 13:26)

evgeni commented Feb 19, 2026

@ehelms look, no draft!
