authorSteve Baker <sbaker@redhat.com>2021-08-02 11:42:44 +1200
committerSteve Baker <sbaker@redhat.com>2021-08-05 11:47:11 +1200
commit6af0eb374e5565520937e5b3d8fda086d336fe9d (patch)
treedc8b2c7649e873371ffc053c5c4bc1ab0e5a71fe
parent512364df9dca4e9b85c67a8e708857327e673892 (diff)
downloadironic-6af0eb374e5565520937e5b3d8fda086d336fe9d.tar.gz
Set postgresql password encryption for FIPS compliance
This is part of the work to add jobs which confirm ironic works with FIPS enabled, but this change is also appropriate for non-FIPS jobs. Change-Id: I4af4e811104088d28d7be6df53c26e72db039e08
-rwxr-xr-xtools/test-setup.sh27
-rw-r--r--zuul.d/ironic-jobs.yaml1
2 files changed, 17 insertions, 11 deletions
diff --git a/tools/test-setup.sh b/tools/test-setup.sh
index dc2a130b9..16974adb5 100755
--- a/tools/test-setup.sh
+++ b/tools/test-setup.sh
@@ -48,9 +48,25 @@ DB_ROOT_PW=${POSTGRES_ROOT_PW:-insecure_slave}
# which it can't when executed as the postgres user, which is required
# as same user as process for initial administrative authentication to
# the postgres database
-
cd /tmp
+# Identify and update the postgres hba file which can be in
+# a version specific path.
+PG_HBA=$(sudo -H -u postgres psql -t -c "show hba_file")
+PG_CONF=$(sudo -H -u postgres psql -t -c "show config_file")
+
+# setup postgres encryption algorithm and authentication
+sudo sed -i 's/ident$/scram-sha-256/g' $PG_HBA
+sudo sed -i 's/md5$/scram-sha-256/g' $PG_HBA
+sudo sed -i 's/^.*password_encryption =.*/password_encryption = scram-sha-256/' $PG_CONF
+
+sudo cat $PG_HBA
+sudo cat $PG_CONF
+
+# restart postgres fo new HBA file is loaded
+sudo systemctl stop postgresql || true
+sudo systemctl start postgresql || true
+
# Setup user
root_roles=$(sudo -H -u postgres psql -t -c "
SELECT 'HERE' from pg_roles where rolname='$DB_USER'")
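Review bot: Nothing after the restart confirms that SCRAM is actually in effect before the role is created. The `|| true` on the added `systemctl stop`/`start` lines hides a failed restart, and the `sed` on `$PG_CONF` changes nothing if no line matches `password_encryption =`. In either case the role password could still be stored as an md5 verifier while the HBA file now requires `scram-sha-256`, so the job would fail later with an unrelated-looking authentication error, or not be testing the FIPS-relevant path. I would add a check right after the restart, such as `[ "$(sudo -H -u postgres psql -At -c 'show password_encryption')" = "scram-sha-256" ] || exit 1`. Separately, `$PG_HBA` and `$PG_CONF` are unquoted and `psql -t` pads its output, so the `sed` and `cat` calls only work through word splitting; using `psql -At` for both lookups and quoting as `"$PG_HBA"` and `"$PG_CONF"` would remove that dependency. The role-creation `if` that relies on these settings continues outside this hunk.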
@@ -60,15 +76,6 @@ else
sudo -H -u postgres psql -c "CREATE ROLE $DB_USER WITH SUPERUSER LOGIN PASSWORD '$DB_PW'"
fi
-# Identify and update the postgres hba file which can be in
-# a version specific path.
-PG_HBA=$(sudo -H -u postgres psql -t -c "show hba_file")
-sudo sed -i 's/ident/trust/g' $PG_HBA
-sudo cat $PG_HBA
-# restart postgres fo new HBA file is loaded and our user trusted.
-sudo systemctl stop postgresql || true
-sudo systemctl start postgresql || true
-
# Store password for tests
cat << EOF > $HOME/.pgpass
*:*:*:$DB_USER:$DB_PW
diff --git a/zuul.d/ironic-jobs.yaml b/zuul.d/ironic-jobs.yaml
index 3e9291db6..4ced3dcbd 100644
--- a/zuul.d/ironic-jobs.yaml
+++ b/zuul.d/ironic-jobs.yaml
@@ -23,7 +23,6 @@
- ^releasenotes/.*$
- ^setup.cfg$
- ^test-requirements.txt$
- - ^tools/.*$
- ^tox.ini$
vars:
tox_envlist: all