Add realm_split_config_files parameter for 1.15 compatibility

1.15 user should enable realm_split_config_files to create new
realm_freeipa.yml config file and different realm.yml format.

README.md

@@ -28,6 +28,15 @@ configuration layout changed significantly.
 To configure older versions of the Smart Proxy use version 2.x of this module
 for 1.5 to 1.10 and 3.x for 1.11.
 
+### 1.15 compatibility notes
+
+On Smart Proxy 1.15 with realm support, also set:
+
+    realm_split_config_files => true,
+
+to ensure the new separate `realm.yml` and `realm_freeipa.yaml` files are
+configured correctly.
+
 ## Examples
 
 ### Minimal setup for Puppet/PuppetCA Smart Proxy

manifests/config.pp

@@ -86,6 +86,11 @@
     enabled   => $::foreman_proxy::realm,
     listen_on => $::foreman_proxy::realm_listen_on,
   }
+  if $::foreman_proxy::realm_split_config_files {
+    foreman_proxy::settings_file { 'realm_freeipa':
+      module => false,
+    }
+  }
   foreman_proxy::settings_file { 'tftp':
     enabled   => $::foreman_proxy::tftp,
     listen_on => $::foreman_proxy::tftp_listen_on,

manifests/init.pp

@@ -330,11 +330,14 @@
 # $realm::                      Enable realm management feature
 #                               type:Boolean
 #
+# $realm_split_config_files::   Split realm configuration files. This is needed since version 1.15.
+#                               type:Boolean
+#
 # $realm_listen_on::            Realm proxy to listen on https, http, or both
 #                               type:Foreman_proxy::ListenOn
 #
 # $realm_provider::             Realm management provider
-#                               type:Enum['freeipa']
+#                               type:String
 #
 # $realm_keytab::               Kerberos keytab path to authenticate realm updates
 #                               type:Stdlib::Absolutepath
@@ -475,6 +478,7 @@
   $bmc_listen_on              = $foreman_proxy::params::bmc_listen_on,
   $bmc_default_provider       = $foreman_proxy::params::bmc_default_provider,
   $realm                      = $foreman_proxy::params::realm,
+  $realm_split_config_files   = $foreman_proxy::params::realm_split_config_files,
   $realm_listen_on            = $foreman_proxy::params::realm_listen_on,
   $realm_provider             = $foreman_proxy::params::realm_provider,
   $realm_keytab               = $foreman_proxy::params::realm_keytab,
@@ -559,9 +563,11 @@
   validate_re($bmc_default_provider, '^(freeipmi|ipmitool|shell)$')
 
   # Validate realm params
-  validate_bool($freeipa_remove_dns)
+  validate_bool($freeipa_remove_dns, $realm_split_config_files)
   validate_string($realm_provider, $realm_principal)
-  validate_re($realm_provider, '^freeipa$', 'Invalid provider: choose freeipa')
+  unless $realm_split_config_files {
+    validate_re($realm_provider, '^freeipa$', 'Invalid provider: choose freeipa')
+  }
   validate_absolute_path($realm_keytab)
 
   $real_registered_proxy_url = pick($registered_proxy_url, "https://${::fqdn}:${ssl_port}")

manifests/params.pp

@@ -315,6 +315,7 @@
   $realm_keytab       = "${etc}/foreman-proxy/freeipa.keytab"
   $realm_principal    = 'realm-proxy@EXAMPLE.COM'
   $freeipa_remove_dns = true
+  $realm_split_config_files = false
 
   # Proxy can register itself within a Foreman instance
   $register_in_foreman = true

spec/classes/foreman_proxy__config__spec.rb

@@ -518,12 +518,39 @@
           'class {"foreman_proxy":
             realm => true,
             realm_provider => "invalid",
+            realm_split_config_files => false,
           }'
         end
 
         it { expect { subject.call } .to raise_error(/Invalid provider: choose freeipa/) }
       end
 
+      context 'with realm_split_config_files => true' do
+        let :pre_condition do
+          'class {"foreman_proxy":
+            realm => true,
+            realm_split_config_files => true,
+          }'
+        end
+
+        it 'should generate correct realm.yml' do
+          verify_exact_contents(catalogue, "#{etc_dir}/foreman-proxy/settings.d/realm.yml", [
+            '---',
+            ':enabled: https',
+            ':use_provider: realm_freeipa',
+          ])
+        end
+
+        it 'should generate correct realm_freeipa.yml' do
+          verify_exact_contents(catalogue, "#{etc_dir}/foreman-proxy/settings.d/realm_freeipa.yml", [
+            '---',
+            ":keytab_path: #{etc_dir}/foreman-proxy/freeipa.keytab",
+            ':principal: realm-proxy@EXAMPLE.COM',
+            ':remove_dns: true',
+          ])
+        end
+      end
+
       context 'with tftp_managed enabled and tftp_syslinux_filenames set' do
         let :pre_condition do
           'class {"foreman_proxy":

templates/realm.yml.erb

@@ -1,4 +1,12 @@
 ---
+<% if scope.lookupvar("foreman_proxy::realm_split_config_files") -%>
+# Can be true, false, or http/https to enable just one of the protocols
+:enabled: <%= @module_enabled %>
+
+# Available providers:
+#   realm_freeipa
+:use_provider: realm_<%= scope.lookupvar("foreman_proxy::realm_provider") %>
+<% else -%>
 # Manage joining realms e.g. FreeIPA
 :enabled: <%= @module_enabled %>
 
@@ -13,3 +21,4 @@
 # FreeIPA specific settings
 # Remove from DNS when deleting the FreeIPA entry
 :freeipa_remove_dns: <%= scope.lookupvar("foreman_proxy::freeipa_remove_dns") %>
+<% end -%>

templates/realm_freeipa.yml.erb

@@ -0,0 +1,7 @@
+---
+# Authentication for Kerberos-based Realms
+:keytab_path: <%= scope.lookupvar("foreman_proxy::realm_keytab") %>
+:principal: <%= scope.lookupvar("foreman_proxy::realm_principal") %>
+
+# Remove from DNS when deleting the FreeIPA entry
+:remove_dns: <%= scope.lookupvar("foreman_proxy::freeipa_remove_dns") %>