
Use SSL for database connection when zabbix_server_dbtlsconnect is set #1404

Merged
merged 1 commit into from
Nov 15, 2024

Conversation

ChandlerSwift
Contributor

SUMMARY

A reworking of #951

I am setting up Zabbix with a database where SSL is enforced. Zabbix itself works fine with this, thanks to the zabbix_server_dbtlsconnect parameter, but a few of the playbook's setup tasks try to connect without TLS, which fails. This adds a parameter to enable TLS if the server would also be set to use it.

This isn't a perfect solution, but the community.mysql collection doesn't provide a way to use a TLS connection without setting one of check_hostname, ca_cert, client_key, or client_hostname, and we don't (can't, in our case) specify a cert/key. This will potentially fail when the host presents a cert with the wrong hostname (which can happen if zabbix_server_dbtlsconnect is set to required rather than verify_ca or verify_full). However, there's not a way to enable TLS without setting one of these options without also changing the MySQL collection.

There's some more background on this issue in the community.mysql collection: ansible-collections/community.mysql#90

(I'm not convinced this is the right approach, though it does fix our particular use case! If there's another way to fix this that would be better, I'd appreciate the feedback and can try to update the PR if desired.)

I've tested this to work in my configuration, and believe the only configuration it should break is cases where the server has a valid TLS certificate but assigned to the wrong hostname, as mentioned above.

ISSUE TYPE
  • Bugfix Pull Request
COMPONENT NAME

zabbix_server role

Signed-off-by: Chandler Swift <chandler+pearson@chandlerswift.com>
@eb4x
Collaborator

eb4x commented Oct 15, 2024

Thanks, I'll have a look at this and set up some test scenarios over the weekend to get a better understanding of the issue. We might want the same type of functionality on the postgres side as well.

@ChandlerSwift
Contributor Author

Hey @eb4x, anything I can do to help this along?

@eb4x
Collaborator

eb4x commented Nov 15, 2024

Thanks for pinging, I got distracted and let this one slip. I wrote up some additional code to test and verify (https://github.com/eb4x/community.zabbix/tree/vagrant), and this PR checks out.

I was pondering if we actually needed the additional zabbix_server_dbtlsconnect != '' check, but it's probably the right call checking that, given the case where someone decides to leave the variable as an empty string rather than removing it.

And thanks for the link explaining the unfortunately named check_hostname option.
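The approach described in the PR summary (requesting TLS from community.mysql only when zabbix_server_dbtlsconnect is set, using check_hostname because the collection offers no cert-less TLS switch) and the empty-string check discussed in the comment above, as an added illustration rather than the PR's own diff. The zabbix_server_db* variable names are assumed to follow the community.zabbix role's naming, zabbix_server_dbtlscafile is assumed to hold the CA path used for verify_ca/verify_full, and the trailing query is an added verification step that the session really negotiated TLS:

```yaml
# Added example, not code from the PR or the community.zabbix role.
# Assumed role variables: zabbix_server_dbhost, zabbix_server_dbname,
# zabbix_server_dbuser, zabbix_server_dbpassword, zabbix_server_dbtlscafile.
- name: Ensure the Zabbix database exists (TLS only when zabbix_server_dbtlsconnect is set)
  community.mysql.mysql_db:
    name: "{{ zabbix_server_dbname }}"
    login_host: "{{ zabbix_server_dbhost }}"
    login_user: "{{ zabbix_server_dbuser }}"
    login_password: "{{ zabbix_server_dbpassword }}"
    # default('') covers both an undefined variable and one left as an empty string,
    # which is the case the reviewer raised; check_hostname is the only option that
    # makes community.mysql open a TLS connection without supplying a cert or key.
    check_hostname: "{{ (zabbix_server_dbtlsconnect | default('')) != '' }}"
    # Hand over the CA only when Zabbix itself is configured to verify the server,
    # so the playbook's trust decision mirrors DBTLSConnect; otherwise omit it.
    ca_cert: >-
      {{ zabbix_server_dbtlscafile
         if (zabbix_server_dbtlsconnect | default('')) in ['verify_ca', 'verify_full']
            and zabbix_server_dbtlscafile is defined
         else omit }}
    state: present

# Defender's check: confirm the setup connection is actually encrypted rather than
# trusting that the option took effect. Ssl_cipher is empty on a plaintext session.
- name: Read the TLS cipher negotiated by the setup connection
  community.mysql.mysql_query:
    login_host: "{{ zabbix_server_dbhost }}"
    login_user: "{{ zabbix_server_dbuser }}"
    login_password: "{{ zabbix_server_dbpassword }}"
    check_hostname: true
    query: "SHOW SESSION STATUS LIKE 'Ssl_cipher'"
  register: ssl_status
  when: (zabbix_server_dbtlsconnect | default('')) != ''

- name: Fail early if the database session is not encrypted
  ansible.builtin.assert:
    that:
      - (ssl_status.query_result[0][0].Value | length) > 0
    fail_msg: "Database connection is not using TLS although zabbix_server_dbtlsconnect is set"
  when: (zabbix_server_dbtlsconnect | default('')) != ''
```

As the PR summary notes, check_hostname is what makes a server certificate issued for the wrong hostname fail even when zabbix_server_dbtlsconnect is only `required`; that is the trade-off of using it as the TLS switch, and the assertion task above surfaces the plaintext case that would otherwise go unnoticed.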

@eb4x eb4x merged commit 89e949a into ansible-collections:main Nov 15, 2024
49 of 50 checks passed