diff --git a/README.md b/README.md
index 6a988a96..c821d1b1 100644
--- a/README.md
+++ b/README.md
@@ -28,6 +28,15 @@ configuration layout changed significantly.
 To configure older versions of the Smart Proxy use version 2.x of this module for 1.5 to 1.10 and 3.x for 1.11.
+### 1.15 compatibility notes
+
+On Smart Proxy 1.15 with realm support, also set:
+
+ realm_split_config_files => true,
+
+to ensure the new separate `realm.yml` and `realm_freeipa.yaml` files are
+configured correctly.
+
 ## Examples
 ### Minimal setup for Puppet/PuppetCA Smart Proxy
diff --git a/manifests/config.pp b/manifests/config.pp
index 88063f34..5a6225e8 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -86,6 +86,11 @@
 enabled => $::foreman_proxy::realm,
 listen_on => $::foreman_proxy::realm_listen_on,
 }
+ if $::foreman_proxy::realm_split_config_files {
+ foreman_proxy::settings_file { 'realm_freeipa':
+ module => false,
+ }
+ }
 foreman_proxy::settings_file { 'tftp':
 enabled => $::foreman_proxy::tftp,
 listen_on => $::foreman_proxy::tftp_listen_on,
diff --git a/manifests/init.pp b/manifests/init.pp
index d8734d7b..8dcaee63 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -330,11 +330,14 @@
 # $realm:: Enable realm management feature
 # type:Boolean
 #
+# $realm_split_config_files:: Split realm configuration files. This is needed since version 1.15.
+# type:Boolean
+# +# $realm_listen_on:: Realm proxy to listen on https, http, or both
 # type:Foreman_proxy::ListenOn
 #
 # $realm_provider:: Realm management provider
-# type:Enum['freeipa']
+# type:String
 #
 # $realm_keytab:: Kerberos keytab path to authenticate realm updates
 # type:Stdlib::Absolutepath
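Review bot: The `realm_freeipa` settings file is declared only while `realm_split_config_files` is true, so once it has been written and the flag is later set back to false nothing in this manifest removes it, and a stale file carrying the keytab path and principal stays next to a realm.yml that no longer selects it. If `foreman_proxy::settings_file` accepts an ensure-style parameter (not visible in this hunk), declaring the resource unconditionally and deriving its state from the flag would be cleaner than the `if`. The block also gives no hint why `module => false` is passed; a comment such as `# provider settings only: no :enabled: key, realm.yml selects this file via :use_provider:` would save the next reader a trip to the templates. The enclosing class body continues outside the hunk.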
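Review bot: The documented type of `$realm_provider` is loosened from `Enum['freeipa']` to `String`, but the validation later in this file still rejects anything other than `freeipa` unless `$realm_split_config_files` is set, so the doc no longer describes the actual contract. Suggest keeping that condition in the text: `# $realm_provider:: Realm management provider; must be 'freeipa' unless $realm_split_config_files is true` followed by `# type:String`. The `$realm_split_config_files` entry would also help users more if it said what is split, e.g. `# $realm_split_config_files:: Write module settings (realm.yml) and provider settings (realm_freeipa.yml) as separate files, as Smart Proxy 1.15 expects`.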
@@ -475,6 +478,7 @@
 $bmc_listen_on = $foreman_proxy::params::bmc_listen_on,
 $bmc_default_provider = $foreman_proxy::params::bmc_default_provider,
 $realm = $foreman_proxy::params::realm,
+ $realm_split_config_files = $foreman_proxy::params::realm_split_config_files,
 $realm_listen_on = $foreman_proxy::params::realm_listen_on,
 $realm_provider = $foreman_proxy::params::realm_provider,
 $realm_keytab = $foreman_proxy::params::realm_keytab,
@@ -559,9 +563,11 @@
 validate_re($bmc_default_provider, '^(freeipmi|ipmitool|shell)$')
 # Validate realm params
- validate_bool($freeipa_remove_dns)
+ validate_bool($freeipa_remove_dns, $realm_split_config_files)
 validate_string($realm_provider, $realm_principal)
- validate_re($realm_provider, '^freeipa$', 'Invalid provider: choose freeipa')
+ unless $realm_split_config_files {
+ validate_re($realm_provider, '^freeipa$', 'Invalid provider: choose freeipa')
+ }
 validate_absolute_path($realm_keytab)
 $real_registered_proxy_url = pick($registered_proxy_url, "https://${::fqdn}:${ssl_port}")
diff --git a/manifests/params.pp b/manifests/params.pp
index 9b86c50d..ad686bdc 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -315,6 +315,7 @@
 $realm_keytab = "${etc}/foreman-proxy/freeipa.keytab"
 $realm_principal = 'realm-proxy@EXAMPLE.COM'
 $freeipa_remove_dns = true
+ $realm_split_config_files = false
 # Proxy can register itself within a Foreman instance
 $register_in_foreman = true
diff --git a/spec/classes/foreman_proxy__config__spec.rb b/spec/classes/foreman_proxy__config__spec.rb
index 4268bd21..0f45aa6b 100644
--- a/spec/classes/foreman_proxy__config__spec.rb
+++ b/spec/classes/foreman_proxy__config__spec.rb
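Review bot: With `realm_split_config_files` true, `$realm_provider` is no longer validated at all, yet templates/realm.yml.erb interpolates it unquoted into `:use_provider: realm_<%= ... %>`, so a value containing whitespace, a colon or a newline yields a malformed or altered realm.yml that only surfaces when the proxy fails to load its settings. Rather than dropping the check in the split branch, keep a shape check there and the exact `freeipa` match in the legacy branch; the rewrite below replaces the new `unless` block. The same point applies to the realm.yml.erb hunk further down, which is where the value lands. The enclosing class body continues outside the hunk.
```puppet
  validate_string($realm_provider, $realm_principal)
  if $realm_split_config_files {
    # The name is written into realm.yml as realm_<provider>; keep it to a plain token
    # so it cannot break the YAML or name an unexpected plugin.
    validate_re($realm_provider, '^[a-z0-9_]+$', 'Invalid provider: use lowercase letters, digits and underscores')
  } else {
    validate_re($realm_provider, '^freeipa$', 'Invalid provider: choose freeipa')
  }
  validate_absolute_path($realm_keytab)
```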
@@ -518,12 +518,39 @@
 'class {"foreman_proxy":
 realm => true,
 realm_provider => "invalid",
+ realm_split_config_files => false,
 }'
 end
 it { expect { subject.call } .to raise_error(/Invalid provider: choose freeipa/) }
 end
+ context 'with realm_split_config_files => true' do
+ let :pre_condition do
+ 'class {"foreman_proxy":
+ realm => true,
+ realm_split_config_files => true,
+ }'
+ end
+
+ it 'should generate correct realm.yml' do
+ verify_exact_contents(catalogue, "#{etc_dir}/foreman-proxy/settings.d/realm.yml", [
+ '---',
+ ':enabled: https',
+ ':use_provider: realm_freeipa',
+ ])
+ end
+
+ it 'should generate correct realm_freeipa.yml' do
+ verify_exact_contents(catalogue, "#{etc_dir}/foreman-proxy/settings.d/realm_freeipa.yml", [
+ '---',
+ ":keytab_path: #{etc_dir}/foreman-proxy/freeipa.keytab",
+ ':principal: realm-proxy@EXAMPLE.COM',
+ ':remove_dns: true',
+ ])
+ end
+ end
+
 context 'with tftp_managed enabled and tftp_syslinux_filenames set' do
 let :pre_condition do
 'class {"foreman_proxy":
diff --git a/templates/realm.yml.erb b/templates/realm.yml.erb
index c8501d12..28020d3a 100644
--- a/templates/realm.yml.erb
+++ b/templates/realm.yml.erb
@@ -1,4 +1,12 @@
 ---
+<% if scope.lookupvar("foreman_proxy::realm_split_config_files") -%>
+# Can be true, false, or http/https to enable just one of the protocols
+:enabled: <%= @module_enabled %>
+
+# Available providers:
+# realm_freeipa
+:use_provider: realm_<%= scope.lookupvar("foreman_proxy::realm_provider") %>
+<% else -%>
 # Manage joining realms e.g. FreeIPA
 :enabled: <%= @module_enabled %>
@@ -13,3 +21,4 @@
 # FreeIPA specific settings
 # Remove from DNS when deleting the FreeIPA entry
 :freeipa_remove_dns: <%= scope.lookupvar("foreman_proxy::freeipa_remove_dns") %>
+<% end -%>
diff --git a/templates/realm_freeipa.yml.erb b/templates/realm_freeipa.yml.erb
new file mode 100644
index 00000000..431609da
--- /dev/null
+++ b/templates/realm_freeipa.yml.erb
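Review bot: The two new contexts only exercise the split layout with the default provider; nothing pins what happens with `realm_split_config_files => true` and an unexpected `realm_provider`, which is exactly the path the init.pp hunk stops validating. Add a third context mirroring the `realm_provider => "invalid"` one above but with `realm_split_config_files => true`, and either an `expect { subject.call }.to raise_error(...)` expectation or, if that input is meant to be accepted, an assertion on the `:use_provider:` line it produces, so the decision is recorded in the suite. A case with `realm => false` and the flag set is also worth having, since config.pp still writes realm_freeipa.yml in that combination and the `:enabled:` value in realm.yml changes.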
@@ -0,0 +1,7 @@
+---
+# Authentication for Kerberos-based Realms
+:keytab_path: <%= scope.lookupvar("foreman_proxy::realm_keytab") %>
+:principal: <%= scope.lookupvar("foreman_proxy::realm_principal") %>
+
+# Remove from DNS when deleting the FreeIPA entry
+:remove_dns: <%= scope.lookupvar("foreman_proxy::freeipa_remove_dns") %>
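Review bot: The README text added in this commit tells users the split produces `realm_freeipa.yaml`, while this template, config.pp and the spec all produce `realm_freeipa.yml`; the README line should read `realm_freeipa.yml`. This file also renames the option from `:freeipa_remove_dns:` (still emitted by the non-split branch of realm.yml.erb) to `:remove_dns:`, presumably the key the 1.15 provider plugin reads; that is worth confirming and recording in a comment such as `# key differs from :freeipa_remove_dns: used by the single-file realm.yml layout`. `:keytab_path:` and `:principal:` are written as unquoted plain scalars, so a value containing ` #` or `: ` would parse differently from what was configured; quoting them as `'<%= ... %>'` costs nothing and removes that surprise.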