Extend connection functionn to use ssl_mode

REFERENCE.md

@@ -1964,7 +1964,7 @@ with or without TLS information.
       database => String,
       username => String,
       password => Optional[Variant[String, Sensitive[String]]],
-  }] $db, Hash[String, Any] $tls, Optional[Boolean] $use_tls = undef)`
+  }] $db, Hash[String, Any] $tls, Optional[Boolean] $use_tls = undef, Optional[Enum['verify-full', 'verify-ca']] $ssl_mode = undef)`
 
 The icinga::db::connect function.
 
@@ -1985,19 +1985,25 @@ Struct[{
   }]
 ```
 
-
+Data hash with database information.
 
 ##### `tls`
 
 Data type: `Hash[String, Any]`
 
-
+Data hash with TLS connection information.
 
 ##### `use_tls`
 
 Data type: `Optional[Boolean]`
 
+Wether or not to use TLS encryption.
+
+##### `ssl_mode`
+
+Data type: `Optional[Enum['verify-full', 'verify-ca']]`
 
+Enable SSL connection mode.
 
 ### <a name="icinga--newline"></a>`icinga::newline`
 

functions/db/connect.pp

@@ -5,6 +5,18 @@
 # @return
 #   Connection string to connect database.
 #
+# @param db
+#    Data hash with database information.
+#
+# @param tls
+#   Data hash with TLS connection information.
+#
+# @param use_tls
+#   Wether or not to use TLS encryption.
+#
+# @param ssl_mode
+#   Enable SSL connection mode.
+#
 function icinga::db::connect(
   Struct[{
       type     => Enum['pgsql','mysql','mariadb'],
@@ -16,21 +28,14 @@ function icinga::db::connect(
   }]                   $db,
   Hash[String, Any]    $tls,
   Optional[Boolean]    $use_tls = undef,
+  Optional[Enum['verify-full', 'verify-ca']] $ssl_mode = undef,
 ) >> String {
-  # @param db
-  #    Data hash with database information.
-  #
-  # @param tls
-  #   Data hash with TLS connection information.
-  #
-  # @param use_tls
-  #   Wether or not to use TLS encryption.
-  #
   if $use_tls {
     case $db['type'] {
       'pgsql': {
+        $real_ssl_mode = if $ssl_mode { $ssl_mode } else { 'verify-full' }
         $tls_options = regsubst(join(any2array(delete_undef_values({
-                  'sslmode='     => if $tls['noverify'] { 'require' } else { 'verify-full' },
+                  'sslmode='     => if $tls['noverify'] { 'require' } else { $real_ssl_mode },
                   'sslcert='     => $tls['cert_file'],
                   'sslkey='      => $tls['key_file'],
                   'sslrootcert=' => $tls['cacert_file'],
@@ -72,7 +77,7 @@ function icinga::db::connect(
               'dbname='      => $db['database'],
     })), ' '), '= ', '=', 'G')
   } else {
-    $_password = icinga::unwrap($db['password'])
+    $_password = icinga2::unwrap($db['password'])
     $options = join(any2array(delete_undef_values({
             '-h'               => $db['host'] ? {
               /localhost/  => undef,

spec/functions/db_connect_spec.rb

@@ -75,6 +75,15 @@
     ).and_return('host=db.example.org user=bar dbname=foo sslmode=verify-full sslrootcert=/cacert.file')
   end
 
+  it 'with PostgreSQL TLS on 192.168.0.1 and password' do
+    is_expected.to run.with_params(
+      { 'type' => 'pgsql', 'host' => '192.168.0.1', 'database' => 'foo', 'username' => 'bar', 'password' => 'supersecret' },
+      { 'cacert_file' => '/etc/pki/ca-trust/source/anchors/mycacert.crt' },
+      true,
+      'verify-ca',
+    ).and_return('host=192.168.0.1 user=bar dbname=foo sslmode=verify-ca sslrootcert=/etc/pki/ca-trust/source/anchors/mycacert.crt')
+  end
+
   it 'with PostgreSQL TLS (insecure) on db.example.org and password' do
     is_expected.to run.with_params(
       { 'type' => 'pgsql', 'host' => 'db.example.org', 'database' => 'foo', 'username' => 'bar', 'password' => 'supersecret' },