Fix some issues if tls and noverify for mariadb/mysql

README.md

@@ -328,7 +328,7 @@ Setting `manage_database` to `true` also setups a database as specified in `db_t
 
 The class supports:
 
-* [puppet] >= 6.0 < 8.0
+* [puppet] >= 7.0 < 9.0
 
 And requires:
 

functions/db/connect.pp

@@ -39,20 +39,20 @@ function icinga::db::connect(
       'mariadb': {
         $tls_options = join(any2array(delete_undef_values({
                 '--ssl'        => '',
-                '--ssl-ca'     => $tls['cacert_file'],
+                '--ssl-ca'     => if $tls['noverify'] { undef } else { $tls['cacert_file'] },
                 '--ssl-cert'   => $tls['cert_file'],
                 '--ssl-key'    => $tls['key_file'],
-                '--ssl-capath' => $tls['capath'],
+                '--ssl-capath' => if $tls['noverify'] { undef } else { $tls['capath'] },
                 '--ssl-cipher' => $tls['cipher'],
         })), ' ')
       }
       'mysql': {
         $tls_options = join(any2array(delete_undef_values({
-                '--ssl-mode'   => 'required',
-                '--ssl-ca'     => $tls['cacert_file'],
+                '--ssl-mode'   => if $tls['noverify'] { 'REQUIRED' } else { 'VERIFY_CA' },
+                '--ssl-ca'     => if $tls['noverify'] { undef } else { $tls['cacert_file'] },
                 '--ssl-cert'   => $tls['cert_file'],
                 '--ssl-key'    => $tls['key_file'],
-                '--ssl-capath' => $tls['capath'],
+                '--ssl-capath' => if $tls['noverify'] { undef } else { $tls['capath'] },
                 '--ssl-cipher' => $tls['cipher'],
         })), ' ')
       }

manifests/web.pp

@@ -64,6 +64,9 @@
   -> Class['apache']
   -> Class['icingaweb2']
 
+  # version if the used icingaweb2 puppet module
+  $icingaweb2_version = load_module_metadata('icingaweb2')['version']
+
   #
   # Platform
   #
@@ -181,7 +184,7 @@
   #
   # Icinga Web 2
   #
-  if versioncmp(load_module_metadata('icingaweb2')['version'], '4.0.0') < 0 {
+  if versioncmp($icingaweb2_version, '4.0.0') < 0 {
     class { 'icingaweb2':
       db_type                => $db_type,
       db_host                => $_db_host,

spec/functions/db_connect_spec.rb

@@ -23,6 +23,14 @@
     ).and_return("-h db.example.org -u bar -p'supersecret' -D foo --ssl  --ssl-ca /cacert.file")
   end
 
+  it "with MariaDB TLS and noverify 'true' on db.example.org and password" do
+    is_expected.to run.with_params(
+      { 'type' => 'mariadb', 'host' => 'db.example.org', 'database' => 'foo', 'username' => 'bar', 'password' => 'supersecret' },
+      { 'noverify' => true, 'cacert_file' => '/cacert.file' },
+      true,
+    ).and_return("-h db.example.org -u bar -p'supersecret' -D foo --ssl")
+  end
+
   it 'with MariaDB client TLS cert on db.example.org' do
     is_expected.to run.with_params(
       { 'type' => 'mariadb', 'host' => 'db.example.org', 'database' => 'foo', 'username' => 'bar' },
@@ -36,15 +44,15 @@
       { 'type' => 'mysql', 'host' => 'db.example.org', 'database' => 'foo', 'username' => 'bar' },
       { 'key_file' => '/key.file', 'cert_file' => '/cert.file', 'cacert_file' => '/cacert.file' },
       true,
-    ).and_return('-h db.example.org -u bar -D foo --ssl-mode required --ssl-ca /cacert.file --ssl-cert /cert.file --ssl-key /key.file')
+    ).and_return('-h db.example.org -u bar -D foo --ssl-mode VERIFY_CA --ssl-ca /cacert.file --ssl-cert /cert.file --ssl-key /key.file')
   end
 
-  it 'with MySQL TLS on db.example.org and password' do
+  it "with MySQL TLS and noverify 'true' on db.example.org and password" do
     is_expected.to run.with_params(
       { 'type' => 'mysql', 'host' => 'db.example.org', 'database' => 'foo', 'username' => 'bar', 'password' => 'supersecret' },
-      { 'cacert_file' => '/cacert.file' },
+      { 'noverify' => true, 'cacert_file' => '/cacert.file' },
       true,
-    ).and_return("-h db.example.org -u bar -p'supersecret' -D foo --ssl-mode required --ssl-ca /cacert.file")
+    ).and_return("-h db.example.org -u bar -p'supersecret' -D foo --ssl-mode REQUIRED")
   end
 
   it 'with PostgreSQL' do