Fixes #37835 - Add user and netapi to Salt config

* Set user for running Salt Master service due to 3006 changes
  https://docs.saltproject.io/en/3006/topics/releases/3006.0.html#linux-packaging-salt-master-salt-user-and-group

Salt API

* Add netapi_enable_clients explicitly due to 3006 changes
  https://docs.saltproject.io/en/master/topics/netapi/netapi-enable-clients.html#select-client-interfaces-to-enable
* Add api_interfaces parameter to enable configuration of API
  accessibility. However, smart_proxy_salt utilizes only
  the "runner" API interface.

Author: Bastian Schmidt

manifests/plugin/salt.pp

@@ -22,6 +22,8 @@
 #
 # $api_password::    Salt API password
 #
+# $api_interfaces::  Salt API interfaces
+#
 # $saltfile::        Path to Saltfile
 #
 # === Advanced parameters:
@@ -42,6 +44,7 @@
   String $api_auth = $foreman_proxy::plugin::salt::params::api_auth,
   String $api_username = $foreman_proxy::plugin::salt::params::api_username,
   String $api_password = $foreman_proxy::plugin::salt::params::api_password,
+  Array[String] $api_interfaces = $foreman_proxy::plugin::salt::params::api_interfaces,
   Optional[Stdlib::Absolutepath] $saltfile = $foreman_proxy::plugin::salt::params::saltfile,
 ) inherits foreman_proxy::plugin::salt::params {
   $foreman_ssl_cert = pick($foreman_proxy::foreman_ssl_cert, $foreman_proxy::ssl_cert)

manifests/plugin/salt/params.pp

@@ -15,5 +15,6 @@
   $api_auth      = 'pam'
   $api_username  = 'saltuser'
   $api_password  = 'saltpassword'
+  $api_interfaces = ['runner']
   $saltfile      = undef
 }

spec/classes/foreman_proxy__plugin__salt_spec.rb

@@ -18,6 +18,15 @@
               :content => /:enabled: https/
             })
         end
+
+        it 'should configure master.d/foreman.conf' do
+          should contain_file('/etc/salt/master.d/foreman.conf').
+            with_content(%r{autosign_grains_dir: /var/lib/foreman-proxy/salt/grains}).
+            with_content(%r{autosign_file: /etc/salt/autosign.conf}).
+            with_content(%r{user: root}).
+            with_content(%r{netapi_enable_clients:\n  - runner}).
+            with_content(%r{external_auth:\n  pam:\n    saltuser:\n      - '@runner'})
+        end
       end
 
       describe 'with overwritten parameters' do
@@ -30,6 +39,7 @@
           :api_auth      => 'ldap',
           :api_username  => 'saltapi',
           :api_password  => 'letmein',
+          :api_interfaces => ['runner', 'local', 'ssh', 'wheel'],
           :saltfile      => '/etc/salt/Saltfile',
         } end
 
@@ -45,6 +55,15 @@
             with_content(%r{:api_password: letmein}).
             with_content(%r{:saltfile: /etc/salt/Saltfile})
         end
+
+        it 'should change master.d/foreman.conf parameters' do
+          should contain_file('/etc/salt/master.d/foreman.conf').
+            with_content(%r{user: example}).
+            with_content(%r{autosign_grains_dir: /var/lib/foreman-proxy/salt/grains}).
+            with_content(%r{autosign_file: /etc/salt/example.conf}).
+            with_content(%r{netapi_enable_clients:\n  - runner\n  - local\n  - ssh\n  - wheel}).
+            with_content(%r{external_auth:\n  ldap:\n    saltuser:\n      - '@runner'})
+        end
       end
     end
   end

templates/plugin/salt_master.conf.erb

@@ -15,6 +15,11 @@ autosign_file: <%= scope.lookupvar('foreman_proxy::plugin::salt::autosign_file')
 # permissive_pki_access: True
 
 
+##
+# Salt Master service user
+user: <%= scope.lookupvar('::foreman_proxy::plugin::salt::user') %>
+
+
 ##
 # Node classifier
 master_tops:
@@ -39,6 +44,13 @@ rest_cherrypy:
   ssl_key: <%= @foreman_ssl_key %>
   ssl_crt: <%= @foreman_ssl_cert %>
 
+<% if scope.lookupvar('foreman_proxy::plugin::salt::api_interfaces').any? -%>
+netapi_enable_clients:
+  <%- scope.lookupvar('foreman_proxy::plugin::salt::api_interfaces').each do |api_item| -%>
+  - <%= api_item %>
+  <%- end -%>
+<% end -%>
+
 
 ##
 # Remote execution provider