Allow overriding passwords generated by extlib

Update suggestions
theforeman · Apr 4, 2024 · 41453c5 · 41453c5
1 parent 39713ae
commit 41453c5
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 5 deletions.
diff --git a/manifests/candlepin.pp b/manifests/candlepin.pp
@@ -8,8 +8,10 @@
   Stdlib::Absolutepath $ca_cert = $certs::candlepin_ca_cert,
   Stdlib::Absolutepath $ca_key = $certs::candlepin_ca_key,
   Stdlib::Absolutepath $pki_dir = $certs::pki_dir,
+  Optional[String] $keystore_password = undef,
   Stdlib::Absolutepath $keystore = $certs::candlepin_keystore,
   String $keystore_password_file = 'keystore_password-file',
+  Optional[String] $truststore_password = undef,
   Stdlib::Absolutepath $truststore = $certs::candlepin_truststore,
   String $truststore_password_file = 'truststore_password-file',
   String[2,2] $country = $certs::country,
@@ -67,8 +69,20 @@
     build_dir     => $certs::ssl_build_dir,
   }
 
-  $keystore_password = extlib::cache_data('foreman_cache_data', $keystore_password_file, extlib::random_password(32))
-  $truststore_password = extlib::cache_data('foreman_cache_data', $truststore_password_file, extlib::random_password(32))
+  # Generate and cache the password on the master once
+  # In multi-puppetmaster setups, the user should specify their own
+  if $keystore_password {
+    $final_keystore_password = $keystore_password
+  } else {
+    $final_keystore_password = extlib::cache_data('foreman_cache_data', $keystore_password_file, extlib::random_password(32))
+  }
+
+  if $truststore_password {
+    $final_truststore_password = $truststore_password
+  } else {
+    $final_truststore_password = extlib::cache_data('foreman_cache_data', $truststore_password_file, extlib::random_password(32))
+  }
+
   $keystore_password_path = "${pki_dir}/${keystore_password_file}"
   $truststore_password_path = "${pki_dir}/${truststore_password_file}"
   $client_key = $certs::foreman::client_key
@@ -109,7 +123,7 @@
 
     file { $keystore_password_path:
       ensure    => file,
-      content   => $keystore_password,
+      content   => $final_keystore_password,
       owner     => 'root',
       group     => $group,
       mode      => '0440',
@@ -134,7 +148,7 @@
 
     file { $truststore_password_path:
       ensure    => file,
-      content   => $truststore_password,
+      content   => $final_truststore_password,
       owner     => 'root',
       group     => $group,
       mode      => '0440',

diff --git a/manifests/init.pp b/manifests/init.pp
@@ -39,6 +39,8 @@
 # $deploy::               Deploy the certs on the configured system. False means
 #                         we want to apply it to a different system
 #
+# $ca_key_password::      Optional string to use for the CA key password
+#
 # $ca_common_name::       Common name for the generated CA certificate
 #
 # $country::              Country attribute for managed certificates
@@ -73,6 +75,7 @@
   Boolean $generate = true,
   Boolean $regenerate = false,
   Boolean $deploy = true,
+  String[10] $ca_key_password = $certs::params::ca_key_password,
   String $ca_common_name = $certs::params::ca_common_name,
   String[2,2] $country = 'US',
   String $state = 'North Carolina',
@@ -103,7 +106,6 @@
   $ca_key = "${pki_dir}/private/${default_ca_name}.key"
   $ca_cert = "${pki_dir}/certs/${default_ca_name}.crt"
   $ca_cert_stripped = "${pki_dir}/certs/${default_ca_name}-stripped.crt"
-  $ca_key_password = extlib::cache_data('foreman_cache_data', 'ca_key_password', extlib::random_password(24))
   $ca_key_password_file = "${ssl_build_dir}/${default_ca_name}.pwd"
 
   $katello_server_ca_cert = "${pki_dir}/certs/${server_ca_name}.crt"

diff --git a/manifests/params.pp b/manifests/params.pp
@@ -19,4 +19,8 @@
   $candlepin_ca_key                 = "${candlepin_certs_dir}/candlepin-ca.key"
 
   $pulp_pki_dir = '/etc/pki/pulp'
+
+  # Generate and cache the password on the master once
+  # In multi-puppetmaster setups, the user should specify their own
+  $ca_key_password = extlib::cache_data('foreman_cache_data', 'ca_key_password', extlib::random_password(24))
 }