Fixes #37121 - Automatically secure the DHCP OMAPI interface

The tsig-keygen command can be used to generate a TSIG key to secure the OMAPI communication.
theforeman · Jul 20, 2024 · e8ac296 · e8ac296
1 parent 6a3724a
commit e8ac296
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 11 deletions.
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -163,7 +163,7 @@
 #
 # $dhcp_key_name::              DHCP key name
 #
-# $dhcp_key_secret::            DHCP password
+# $dhcp_key_secret::            DHCP key secret. If not provided, a secret will be generated.
 #
 # $dhcp_omapi_port::            DHCP server OMAPI port
 #
@@ -363,7 +363,7 @@
   String $dhcp_server = '127.0.0.1',
   Stdlib::Absolutepath $dhcp_config = $foreman_proxy::params::dhcp_config,
   Stdlib::Absolutepath $dhcp_leases = $foreman_proxy::params::dhcp_leases,
-  Optional[String] $dhcp_key_name = undef,
+  String[1] $dhcp_key_name = 'omapi_key',
   Optional[String] $dhcp_key_secret = undef,
   Stdlib::Port $dhcp_omapi_port = 7911,
   Optional[String] $dhcp_peer_address = undef,

diff --git a/manifests/proxydhcp.pp b/manifests/proxydhcp.pp
@@ -62,16 +62,29 @@
     $_dhcp_ipxefilename = undef
   }
 
+  if $foreman_proxy::dhcp_key_secret {
+    # TODO parametrize
+    $dhcp_key_algorithm = undef
+    $dhcp_key_secret = $foreman_proxy::dhcp_key_secret
+  } else {
+    # TODO: ensure bind-utils is installed before dns::tsig_keygen runs
+    # TODO: if the function runs on a server, do you need it on the server? Or use Deferred?
+    $tsig_key = extlib::cache_data('theforeman', 'dhcp_omapi', dns::tsig_keygen($foreman_proxy::dhcp_key_name))
+    $dhcp_key_algorithm = $tsig_key['algorithm']
+    $dhcp_key_secret = $tsig_key['secret']
+  }
+
   class { 'dhcp':
-    dnsdomain     => $foreman_proxy::dhcp_option_domain,
-    nameservers   => $nameservers,
-    interfaces    => [$foreman_proxy::dhcp_interface] + $foreman_proxy::dhcp_additional_interfaces,
-    pxeserver     => $ip,
-    pxefilename   => $foreman_proxy::dhcp_pxefilename,
-    ipxe_filename => $_dhcp_ipxefilename,
-    omapi_name    => $foreman_proxy::dhcp_key_name,
-    omapi_key     => $foreman_proxy::dhcp_key_secret,
-    conf_dir_mode => $conf_dir_mode,
+    dnsdomain       => $foreman_proxy::dhcp_option_domain,
+    nameservers     => $nameservers,
+    interfaces      => [$foreman_proxy::dhcp_interface] + $foreman_proxy::dhcp_additional_interfaces,
+    pxeserver       => $ip,
+    pxefilename     => $foreman_proxy::dhcp_pxefilename,
+    ipxe_filename   => $_dhcp_ipxefilename,
+    omapi_name      => $foreman_proxy::dhcp_key_name,
+    omapi_key       => $dhcp_key_secret,
+    omapi_algorithm => $dhcp_key_algorithm,
+    conf_dir_mode   => $conf_dir_mode,
   }
 
   dhcp::pool { $facts['networking']['domain']: