puppet-mongodb
puppet-mongodb copied to clipboard
voxpupuli
provider mongodb.rb has confusion between client and server configurations/arguments
- Module version: all (?)
How to reproduce (e.g Puppet code you use)
When trying to set mTLS authentication in mongod there will be issues. I Did not hit it directly but when configuring SSL/TLS for mongod I was misled by a CA validation issue and reading the code I found a big confusion between mongod (server) and mongo (client) in provider command setup.
What are you seeing
At lines: 30-31 the mongo_conf (client configuration) function loads the mongod_conf_file (server configuration file): https://github.com/voxpupuli/puppet-mongodb/blob/7cd4c0636559df9f556659915a2665d40fd0cdb3/lib/puppet/provider/mongodb.rb#L30-L31
Then at line 85 https://github.com/voxpupuli/puppet-mongodb/blob/7cd4c0636559df9f556659915a2665d40fd0cdb3/lib/puppet/provider/mongodb.rb#L85 the argument to mongo (client) for mTLS authentication (--sslPEMKeyFile) is setup using the sslcert value from the hash. This entry in the hash is the sslPEMKeyFile parameter from the Server configuration file. This means that the client will perform mTLS authentication using the Server certificate. In a general case, mTLS will be disabled on the server side, but if enabled this will most likely make the client fail to connect every single time.
What behaviour did you expect instead
The client configuration should be set separately from the server configuration in the puppet module. For the following reasons:
- the
sslCAFile(ortlsCAFile) parameter of the server (used to validate client certificates during mTLS) is not expected to be the same as thesslCAFile(ortlsCAFile) parameter of the client (used to validate the server certificate) - the
sslPEMKeyFile(ortlsPEMKeyFile) of the server (used to allow ssl/tls connections to the server) is not the same as thesslPEMKeyFile(ortlsPEMKeyFile) of the client (used to enable mTLS authentication)
