From 7cb4062c4fd027eb0ff5a943e5069f39bb0d936a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?=
Date: Thu, 24 Aug 2023 10:36:36 +0200
Subject: [PATCH] Don't force SSL verify-full mode for localhost report DB When the report database is installed on the server we don't need and can't use SSL to connect to it using localhost hostname. This comes in handy to avoid hairpin requests in the container setup.
---
 java/code/src/com/redhat/rhn/common/conf/ConfigDefaults.java | 2 +-
 java/spacewalk-java.changes.cbosdo.local-reportdb | 1 +
 spacewalk/setup/lib/Spacewalk/Setup.pm | 4 +++-
 spacewalk/setup/spacewalk-setup.changes.cbosdo.local-reportdb | 1 +
 4 files changed, 6 insertions(+), 2 deletions(-)
 create mode 100644 java/spacewalk-java.changes.cbosdo.local-reportdb
 create mode 100644 spacewalk/setup/spacewalk-setup.changes.cbosdo.local-reportdb
diff --git a/java/code/src/com/redhat/rhn/common/conf/ConfigDefaults.java b/java/code/src/com/redhat/rhn/common/conf/ConfigDefaults.java
index 40375438cd9a..246950a5500e 100644
--- a/java/code/src/com/redhat/rhn/common/conf/ConfigDefaults.java
+++ b/java/code/src/com/redhat/rhn/common/conf/ConfigDefaults.java
@@ -851,7 +851,7 @@ private String buildConnectionString(String name, String backend, String host, S
 }
 connectionUrl.append(name);
- if (useSsl) {
+ if (!"localhost".equals(host) && useSsl) {
 connectionUrl.append("?ssl=true&sslrootcert=" + sslrootcert + "&sslmode=" + sslmode);
 }
diff --git a/java/spacewalk-java.changes.cbosdo.local-reportdb b/java/spacewalk-java.changes.cbosdo.local-reportdb
new file mode 100644
index 000000000000..d7338755b62a
--- /dev/null
+++ b/java/spacewalk-java.changes.cbosdo.local-reportdb
@@ -0,0 +1 @@
+- Don't force ssl verification on reportdb using localhost
diff --git a/spacewalk/setup/lib/Spacewalk/Setup.pm b/spacewalk/setup/lib/Spacewalk/Setup.pm
index 7ff72ddbe492..d28700cb0955 100644
--- a/spacewalk/setup/lib/Spacewalk/Setup.pm
+++ b/spacewalk/setup/lib/Spacewalk/Setup.pm
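Review bot: In the ConfigDefaults.java hunk, the new guard `!"localhost".equals(host) && useSsl` drops `ssl=true`, `sslrootcert` and `sslmode` for any caller that passes the literal host `localhost`, and it overrides an explicit `useSsl` setting without a comment or a log line. buildConnectionString takes a generic name/backend/host, so if it also builds the main database URL (its callers are outside the hunk) the exemption is wider than the report DB named in the commit message. The match is an exact, case-sensitive string compare, so `127.0.0.1` or `::1` still get the SSL parameters, and the same literal is repeated in the Setup.pm hunk of this commit, where the two can drift apart. With the parameters omitted, the effective mode is presumably whatever the JDBC driver defaults to rather than an explicit opt-out. I would add a comment such as `// Loopback report DB: TLS parameters are skipped for the literal host "localhost" only; keep in sync with Spacewalk::Setup` and move the literal into a named constant.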
@@ -893,7 +893,9 @@ sub postgresql_reportdb_setup {
 }
 $ENV{PGSSLROOTCERT} = $answers->{'report-db-ca-cert'};
- $ENV{PGSSLMODE} = "verify-full";
+ if ($answers->{'report-db-host'} ne 'localhost') {
+ $ENV{PGSSLMODE} = "verify-full";
+ }
 write_rhn_conf($answers, 'externaldb-admin-user','externaldb-admin-password', 'report-db-backend', 'report-db-host', 'report-db-port', 'report-db-name', 'report-db-user', 'report-db-password', 'report-db-ssl-enabled');
diff --git a/spacewalk/setup/spacewalk-setup.changes.cbosdo.local-reportdb b/spacewalk/setup/spacewalk-setup.changes.cbosdo.local-reportdb
new file mode 100644
index 000000000000..372a906b5d98
--- /dev/null
+++ b/spacewalk/setup/spacewalk-setup.changes.cbosdo.local-reportdb
@@ -0,0 +1 @@
+- Don't force ssl verification to setup reportdb using localhost
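Review bot: In the Setup.pm hunk, when `report-db-host` is `localhost` the code no longer assigns `$ENV{PGSSLMODE}`, so the mode used for the local setup is whatever the process inherited rather than something this function decides; `$ENV{PGSSLROOTCERT}` is still set unconditionally just above. Making the branch explicit would remove that dependency, for example `} else { delete $ENV{PGSSLMODE}; }`, with a comment stating that the local report DB is reached over loopback without certificate verification. An undefined `report-db-host` compares unequal and keeps `verify-full`, which is the safe direction, though `ne` on an undefined value warns if warnings are enabled in this module. postgresql_reportdb_setup starts and ends outside the hunk, so later uses of these variables are not visible here.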