Fixes #37121 - Automatically secure the DHCP OMAPI interface

The tsig-keygen command can be used to generate a TSIG key to secure the
OMAPI communication.

Author: ekohl

.fixtures.yml

@@ -7,7 +7,9 @@ fixtures:
     cron_core: "https://github.com/puppetlabs/puppetlabs-cron_core"
     datacat:  'https://github.com/richardc/puppet-datacat'
     dhcp:     'https://github.com/theforeman/puppet-dhcp'
-    dns:      'https://github.com/theforeman/puppet-dns'
+    dns:
+      repo: 'https://github.com/ekohl/puppet-dns'
+      branch: add-tsig-keygen
     extlib:   'https://github.com/voxpupuli/puppet-extlib'
     foreman:  'https://github.com/theforeman/puppet-foreman'
     puppet:   'https://github.com/theforeman/puppet-puppet'

manifests/init.pp

@@ -163,7 +163,7 @@
 #
 # $dhcp_key_name::              DHCP key name
 #
-# $dhcp_key_secret::            DHCP password
+# $dhcp_key_secret::            DHCP key secret. If not provided, a secret will be generated.
 #
 # $dhcp_omapi_port::            DHCP server OMAPI port
 #
@@ -363,7 +363,7 @@
   String $dhcp_server = '127.0.0.1',
   Stdlib::Absolutepath $dhcp_config = $foreman_proxy::params::dhcp_config,
   Stdlib::Absolutepath $dhcp_leases = $foreman_proxy::params::dhcp_leases,
-  Optional[String] $dhcp_key_name = undef,
+  String[1] $dhcp_key_name = 'omapi_key',
   Optional[String] $dhcp_key_secret = undef,
   Stdlib::Port $dhcp_omapi_port = 7911,
   Optional[String] $dhcp_peer_address = undef,

manifests/proxydhcp.pp

@@ -62,16 +62,29 @@
     $_dhcp_ipxefilename = undef
   }
 
+  if $foreman_proxy::dhcp_key_secret {
+    # TODO parametrize
+    $dhcp_key_algorithm = undef
+    $dhcp_key_secret = $foreman_proxy::dhcp_key_secret
+  } else {
+    # TODO: ensure bind-utils is installed before dns::tsig_keygen runs
+    # TODO: if the function runs on a server, do you need it on the server? Or use Deferred?
+    $tsig_key = extlib::cache_data('theforeman', 'dhcp_omapi', dns::tsig_keygen($foreman_proxy::dhcp_key_name))
+    $dhcp_key_algorithm = $tsig_key['algorithm']
+    $dhcp_key_secret = $tsig_key['secret']
+  }
+
   class { 'dhcp':
-    dnsdomain     => $foreman_proxy::dhcp_option_domain,
-    nameservers   => $nameservers,
-    interfaces    => [$foreman_proxy::dhcp_interface] + $foreman_proxy::dhcp_additional_interfaces,
-    pxeserver     => $ip,
-    pxefilename   => $foreman_proxy::dhcp_pxefilename,
-    ipxe_filename => $_dhcp_ipxefilename,
-    omapi_name    => $foreman_proxy::dhcp_key_name,
-    omapi_key     => $foreman_proxy::dhcp_key_secret,
-    conf_dir_mode => $conf_dir_mode,
+    dnsdomain       => $foreman_proxy::dhcp_option_domain,
+    nameservers     => $nameservers,
+    interfaces      => [$foreman_proxy::dhcp_interface] + $foreman_proxy::dhcp_additional_interfaces,
+    pxeserver       => $ip,
+    pxefilename     => $foreman_proxy::dhcp_pxefilename,
+    ipxe_filename   => $_dhcp_ipxefilename,
+    omapi_name      => $foreman_proxy::dhcp_key_name,
+    omapi_key       => $dhcp_key_secret,
+    omapi_algorithm => $dhcp_key_algorithm,
+    conf_dir_mode   => $conf_dir_mode,
   }
 
   dhcp::pool { $facts['networking']['domain']: