theforeman · evgeni · Oct 16, 2024 · Oct 16, 2024 · Oct 16, 2024 · evgeni
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -226,7 +226,7 @@
   Optional[Stdlib::Port] $db_port = undef,
   String[1] $db_database = 'foreman',
   String[1] $db_username = 'foreman',
-  String[1] $db_password = $foreman::params::db_password,
+  Variant[String[1], Sensitive[String[1]]] $db_password = $foreman::params::db_password,
   Optional[String[1]] $db_sslmode = undef,
   Optional[String[1]] $db_root_cert = undef,
   Optional[Integer[0]] $db_pool = undef,

diff --git a/spec/classes/foreman_spec.rb b/spec/classes/foreman_spec.rb
@@ -484,6 +484,17 @@
 
         it { should contain_user('foreman').with('groups' => []) }
       end
+
+      describe 'with sensitive passwords' do
+        let(:params) do
+          super().merge(db_password: sensitive('secret'))
+        end
+
+        it 'should configure the database' do
+          should contain_file('/etc/foreman/database.yml')
+            .with_content(/password: "secret"/)
+        end
+      end
     end
   end
 end
diff --git a/templates/database.yml.epp b/templates/database.yml.epp
@@ -30,6 +30,6 @@
   username: <%= $username %>
 <% } -%>
 <% if $password { -%>
-  password: "<%= $password %>"
+  password: <%= stdlib::to_ruby($password) %>
 <% } -%>
   pool: <%= $db_pool %>