

Fixes #37121 - Automatically secure the DHCP OMAPI interface
The tsig-keygen command can be used to generate a TSIG key to secure the
OMAPI communication.
ekohl committed May 17, 2024
1 parent c31f90c commit 2716643
Showing 3 changed files with 28 additions and 12 deletions.
4 changes: 3 additions & 1 deletion .fixtures.yml
Expand Up @@ -7,7 +7,9 @@ fixtures:
cron_core: "https://github.com/puppetlabs/puppetlabs-cron_core"
datacat: 'https://github.com/richardc/puppet-datacat'
dhcp: 'https://github.com/theforeman/puppet-dhcp'
dns: 'https://github.com/theforeman/puppet-dns'
dns:
repo: 'https://github.com/ekohl/puppet-dns'
branch: add-tsig-keygen
extlib: 'https://github.com/voxpupuli/puppet-extlib'
foreman: 'https://github.com/theforeman/puppet-foreman'
puppet: 'https://github.com/theforeman/puppet-puppet'
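Review bot: The `dns` fixture now resolves to a personal fork branch (`repo: 'https://github.com/ekohl/puppet-dns'`, `branch: add-tsig-keygen`) with no commit pin, so the test dependency is neither reproducible nor tied to the upstream module and can change under later runs of the suite. If the fork must stay for now, pin it with a `ref:` entry and add a marker such as `# TODO: revert to dns: 'https://github.com/theforeman/puppet-dns' once add-tsig-keygen is merged upstream` so the temporary pointer is not forgotten.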
4 changes: 2 additions & 2 deletions manifests/init.pp
Expand Up @@ -163,7 +163,7 @@
#
# $dhcp_key_name:: DHCP key name
#
# $dhcp_key_secret:: DHCP password
# $dhcp_key_secret:: DHCP key secret
#
# $dhcp_omapi_port:: DHCP server OMAPI port
#
Expand Down Expand Up @@ -363,7 +363,7 @@
String $dhcp_server = '127.0.0.1',
Stdlib::Absolutepath $dhcp_config = $foreman_proxy::params::dhcp_config,
Stdlib::Absolutepath $dhcp_leases = $foreman_proxy::params::dhcp_leases,
Optional[String] $dhcp_key_name = undef,
String[1] $dhcp_key_name = 'omapi_key',
Optional[String] $dhcp_key_secret = undef,
Stdlib::Port $dhcp_omapi_port = 7911,
Optional[String] $dhcp_peer_address = undef,
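Review bot: The parameter documentation in the first hunk is not updated for the new behaviour: `# $dhcp_key_name:: DHCP key name` says nothing about the default or that the name is now used to generate a TSIG key, and the reworded `# $dhcp_key_secret:: DHCP key secret` line does not say the secret is generated and cached when left undef. Suggested text: `# $dhcp_key_name:: Name of the DHCP OMAPI key; a TSIG key of this name is generated when no secret is given` and `# $dhcp_key_secret:: DHCP OMAPI key secret; generated automatically and cached when undef`. The `String[1] $dhcp_key_name = 'omapi_key'` line is presumably the new side of the second hunk; if so, the secret remains a plain `Optional[String]`, which means it appears in cleartext in catalogs and reports, and whether `Sensitive[String]` can be accepted here depends on what the `dhcp` class takes for `omapi_key`, which is outside this diff. The class parameter list continues outside both hunks.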
32 changes: 23 additions & 9 deletions manifests/proxydhcp.pp
Expand Up @@ -62,16 +62,30 @@
$_dhcp_ipxefilename = undef
}

# TODO parametrize
$dhcp_key_algorithm = 'hmac-sha256'
if $foreman_proxy::dhcp_key_name {
if $foreman_proxy::dhcp_key_secret {
$dhcp_key_secret = $foreman_proxy::dhcp_key_secret
} else {
$tsig_key = extlib::cache_data('theforeman', 'dhcp_omapi', dns::tsig_keygen($foreman_proxy::dhcp_key_name, $dhcp_key_algorithm))
$dhcp_key_secret = $tsig_key['secret']
}
} else {
$dhcp_key_secret = $foreman_proxy::dhcp_key_secret
}

class { 'dhcp':
dnsdomain => $foreman_proxy::dhcp_option_domain,
nameservers => $nameservers,
interfaces => [$foreman_proxy::dhcp_interface] + $foreman_proxy::dhcp_additional_interfaces,
pxeserver => $ip,
pxefilename => $foreman_proxy::dhcp_pxefilename,
ipxe_filename => $_dhcp_ipxefilename,
omapi_name => $foreman_proxy::dhcp_key_name,
omapi_key => $foreman_proxy::dhcp_key_secret,
conf_dir_mode => $conf_dir_mode,
dnsdomain => $foreman_proxy::dhcp_option_domain,
nameservers => $nameservers,
interfaces => [$foreman_proxy::dhcp_interface] + $foreman_proxy::dhcp_additional_interfaces,
pxeserver => $ip,
pxefilename => $foreman_proxy::dhcp_pxefilename,
ipxe_filename => $_dhcp_ipxefilename,
omapi_name => $foreman_proxy::dhcp_key_name,
omapi_key => $dhcp_key_secret,
omapi_algorithm => $dhcp_key_algorithm,
conf_dir_mode => $conf_dir_mode,
}

dhcp::pool { $facts['networking']['domain']:
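Review bot: The outer `if $foreman_proxy::dhcp_key_name {` appears redundant: if init.pp's new signature is `String[1] $dhcp_key_name = 'omapi_key'` (as that section suggests), the name can never be empty, so the trailing `} else { $dhcp_key_secret = $foreman_proxy::dhcp_key_secret }` branch is unreachable and the block reduces to the inner `if $foreman_proxy::dhcp_key_secret` / `else` pair alone. Separately, the cache key in `extlib::cache_data('theforeman', 'dhcp_omapi', ...)` does not include the key name or algorithm, so when the `# TODO parametrize` on `$dhcp_key_algorithm` is resolved a changed algorithm would keep handing back the previously cached hmac-sha256 secret; folding the algorithm into the cache key, or at least noting this in the TODO, would avoid a silent mismatch. The TODO itself would read better as `# TODO: expose $dhcp_key_algorithm as a foreman_proxy class parameter`. The generated secret is persisted by cache_data on the Puppet server; I believe that is a cleartext file under the server's vardir, which is worth a comment for operators but should be confirmed against the extlib version in use. The proxydhcp class body begins and ends outside this hunk.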

