From e8ac296d0ea97e33185d7564554ed7a2703a2d59 Mon Sep 17 00:00:00 2001
From: Ewoud Kohl van Wijngaarden
Date: Tue, 30 Jan 2024 12:29:23 +0100
Subject: [PATCH] Fixes #37121 - Automatically secure the DHCP OMAPI interface

The tsig-keygen command can be used to generate a TSIG key to secure the OMAPI communication.
---
 manifests/init.pp | 4 ++--
 manifests/proxydhcp.pp | 31 ++++++++++++++++++++++---------
 2 files changed, 24 insertions(+), 11 deletions(-)

diff --git a/manifests/init.pp b/manifests/init.pp
index ad86ce3f..d3efcc2e 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -163,7 +163,7 @@
 #
 # $dhcp_key_name:: DHCP key name
 #
-# $dhcp_key_secret:: DHCP password
+# $dhcp_key_secret:: DHCP key secret. If not provided, a secret will be generated.
 #
 # $dhcp_omapi_port:: DHCP server OMAPI port
 #
@@ -363,7 +363,7 @@
 String $dhcp_server = '127.0.0.1',
 Stdlib::Absolutepath $dhcp_config = $foreman_proxy::params::dhcp_config,
 Stdlib::Absolutepath $dhcp_leases = $foreman_proxy::params::dhcp_leases,
- Optional[String] $dhcp_key_name = undef,
+ String[1] $dhcp_key_name = 'omapi_key',
 Optional[String] $dhcp_key_secret = undef,
 Stdlib::Port $dhcp_omapi_port = 7911,
 Optional[String] $dhcp_peer_address = undef,
diff --git a/manifests/proxydhcp.pp b/manifests/proxydhcp.pp
index 4dfb5f24..def30b77 100644
--- a/manifests/proxydhcp.pp
+++ b/manifests/proxydhcp.pp
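Review bot: `Optional[String] $dhcp_key_secret = undef` still admits an empty string, which the updated doc line describes as "provided" — a caller setting `''` would configure OMAPI with an empty secret rather than trigger generation; tightening it to `Optional[String[1]] $dhcp_key_secret = undef,` rejects that at the interface. Because this value is a credential, it is also worth accepting `Sensitive[String[1]]` so a user-supplied secret is redacted in catalogs and reports, provided the consuming `dhcp` class can take a Sensitive value (not visible in this patch). The parameter list this hunk edits continues outside the hunk.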
@@ -62,16 +62,29 @@
 $_dhcp_ipxefilename = undef
 }
 
+ if $foreman_proxy::dhcp_key_secret {
+ # TODO parametrize
+ $dhcp_key_algorithm = undef
+ $dhcp_key_secret = $foreman_proxy::dhcp_key_secret
+ } else {
+ # TODO: ensure bind-utils is installed before dns::tsig_keygen runs
+ # TODO: if the function runs on a server, do you need it on the server? Or use Deferred?
+ $tsig_key = extlib::cache_data('theforeman', 'dhcp_omapi', dns::tsig_keygen($foreman_proxy::dhcp_key_name))
+ $dhcp_key_algorithm = $tsig_key['algorithm']
+ $dhcp_key_secret = $tsig_key['secret']
+ }
+
 class { 'dhcp':
- dnsdomain => $foreman_proxy::dhcp_option_domain,
- nameservers => $nameservers,
- interfaces => [$foreman_proxy::dhcp_interface] + $foreman_proxy::dhcp_additional_interfaces,
- pxeserver => $ip,
- pxefilename => $foreman_proxy::dhcp_pxefilename,
- ipxe_filename => $_dhcp_ipxefilename,
- omapi_name => $foreman_proxy::dhcp_key_name,
- omapi_key => $foreman_proxy::dhcp_key_secret,
- conf_dir_mode => $conf_dir_mode,
+ dnsdomain => $foreman_proxy::dhcp_option_domain,
+ nameservers => $nameservers,
+ interfaces => [$foreman_proxy::dhcp_interface] + $foreman_proxy::dhcp_additional_interfaces,
+ pxeserver => $ip,
+ pxefilename => $foreman_proxy::dhcp_pxefilename,
+ ipxe_filename => $_dhcp_ipxefilename,
+ omapi_name => $foreman_proxy::dhcp_key_name,
+ omapi_key => $dhcp_key_secret,
+ omapi_algorithm => $dhcp_key_algorithm,
+ conf_dir_mode => $conf_dir_mode,
 }
 
 dhcp::pool { $facts['networking']['domain']:
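Review bot: The generated secret is handed to `omapi_key` as a plain String, so it is compiled unredacted into the catalog and into any report or debug output that prints resource parameters; wrap it before it leaves this block, e.g. `$dhcp_key_secret = Sensitive($tsig_key['secret'])`, assuming the `dhcp` class accepts a Sensitive value for `omapi_key` (not visible here). The `if $foreman_proxy::dhcp_key_secret {` guard also treats an empty string as a configured key — in Puppet only `undef` and `false` are falsey — so `''` would secure OMAPI with an empty secret instead of a generated one; `if $foreman_proxy::dhcp_key_secret =~ String[1] {` closes that. Note that `extlib::cache_data` stores the secret in the compiling server's vardir and is per-server, so a deployment with several compile servers would hand different keys to the same host over time, and if other classes in this module read `$foreman_proxy::dhcp_key_secret` directly to configure the smart proxy's own OMAPI client, they will still see `undef` rather than the value generated here — worth confirming before merging. The enclosing class starts before this hunk and continues after it.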