Brief Description
Using multiple postgresql_access resources addressing the same entry triggers changes in pg_hba.conf at each Chef run and thus doesn't converge to a stable result.
Cookbook version
11.4.0
Chef-Infra Version
17.10.0
Platform details
Debian 11
Steps To Reproduce
Steps to reproduce the behavior:
pg_hba.conf
A similar behavior can be observed in the following recipe.
In this example the authentication method in the corresponding pg_hba.conf entry will flap between scram-sha-256 and md5 with each Chef client run.
Expected behavior
The attributes of the most recent resource definition should win over all earlier definitions.
Additional context
Up to version 10 of the cookbook, the content of pg_hba.conf was solely defined by the postgresql_access resource. Since version 11 existing entries will be kept. To delete unnecessary default entries, the cookbook author has to delete them manually through the :delete action.
In our organisation we maintain a PostgreSQL wrapper cookbook defining all common configurations of a PostgreSQL server. Administrators of a PostgreSQL server use this wrapper cookbook and just need to apply their custom configuration. Our security policy requires dropping all non-necessary access entries. We want to implement this by using the :delete action inside the common wrapper cookbook. When later (re-)adding a pg_hba.conf entry similar to such a default rule in a custom server cookbook, the above-mentioned behavior can be observed.
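The following is an added example, not code from the issue or the cookbook: a stand-alone Ruby check that can be run after a Chef converge to flag a pg_hba.conf entry whose auth method differs from policy (such as the md5 / scram-sha-256 flap described above), shadowed duplicates of the same entry, and entries the policy does not list. The sample file contents, the EXPECTED policy and the function names are constructed for illustration.

```ruby
# Added example (not the cookbook's code); assumes CIDR addresses, no quoted fields.
# Constructed sample standing in for a real pg_hba.conf.
SAMPLE_HBA = <<~HBA
  # TYPE  DATABASE     USER      ADDRESS        METHOD
  local   all          postgres                 peer
  host    all          all       127.0.0.1/32   md5
  host    all          all       127.0.0.1/32   scram-sha-256
  host    replication  all       ::1/128        trust
HBA

# Hypothetical policy: entry key => required auth method.
EXPECTED = {
  %w[local all postgres] => 'peer',
  %w[host all all 127.0.0.1/32] => 'scram-sha-256'
}.freeze

# Returns [{ key: [...], auth: '...' }, ...] in file order.
def parse_hba(text)
  text.each_line.filter_map do |line|
    fields = line.sub(/#.*/, '').split
    next if fields.empty?
    width = fields[0] == 'local' ? 3 : 4 # local records have no address column
    next if fields.length <= width       # malformed record, skip
    { key: fields[0, width], auth: fields[width] }
  end
end

# Returns findings as [kind, key, detail] triples.
def audit_hba(text, expected)
  seen = {}
  findings = []
  parse_hba(text).each do |entry|
    key, auth = entry.values_at(:key, :auth)
    if seen.key?(key)
      # PostgreSQL applies the first matching record, so this one is shadowed.
      findings << [:duplicate, key, "shadowed #{auth}, effective #{seen[key]}"]
      next
    end
    seen[key] = auth
    if !expected.key?(key)
      findings << [:unexpected, key, auth]
    elsif expected[key] != auth
      findings << [:drift, key, "#{auth} instead of #{expected[key]}"]
    end
  end
  findings + (expected.keys - seen.keys).map { |key| [:missing, key, expected[key]] }
end

audit_hba(SAMPLE_HBA, EXPECTED).each { |kind, key, detail| puts "#{kind}: #{key.join(' ')} (#{detail})" }
```

Running it after every converge and alerting on any non-empty result makes a flapping entry visible on the runs where the weaker method is in effect.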