diff --git a/manifests/config.pp b/manifests/config.pp
index 9572f367a..87df9a1e7 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -60,14 +60,14 @@
   }
 
   $db_context = {
-    'managed' => $foreman::db_manage,
-    'rails_env' => $foreman::rails_env,
-    'host' => $foreman::db_host,
-    'port' => $foreman::db_port,
-    'sslmode' => $foreman::db_sslmode_real,
-    'database' => $foreman::db_database,
-    'username' => $foreman::db_username,
-    'password' => $foreman::db_password,
+    'managed' => $foreman::db_manage,
+    'rails_env' => $foreman::rails_env,
+    'host' => $foreman::db_host,
+    'port' => $foreman::db_port,
+    'sslmode' => $foreman::db_sslmode_real,
+    'database' => $foreman::db_database,
+    'username' => $foreman::db_username,
+    'password' => $foreman::db_password,
     # Set the pool size to at least the amount of puma threads + 4 threads that are spawned automatically by the process.
     # db_pool is optional, and undef means "use default" and the second part of the max statement will be set.
     # The number 4 is for 4 threads that are spawned internally during the execution:
@@ -76,7 +76,8 @@
     # 3. Stomp listener (required by Katello)
     # 4. Puma server listener thread
     # This means for systems without Katello we can reduce the amount of the pool to puma_threads_max + 1
-    'db_pool' => pick($foreman::db_pool, $foreman::foreman_service_puma_threads_max + 4),
+    'db_pool' => pick($foreman::db_pool, $foreman::foreman_service_puma_threads_max + 4),
+    'extra_options' => $foreman::db_extra_options,
   }
 
   file { '/etc/foreman/database.yml':
diff --git a/manifests/init.pp b/manifests/init.pp
index a3dde8393..99ad99596 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
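Review bot: The new `'extra_options' => $foreman::db_extra_options` entry is handed to the template with no check against the keys this same hash already manages, and since the template appends the extra options after the fixed keys, an entry such as `'sslmode' => 'disable'` or `'password' => '...'` in `db_extra_options` would be written as a second YAML key that most loaders resolve to the last occurrence — silently overriding `$foreman::db_sslmode_real` or the managed credential. I would reject the overlap where `$db_context` is built: `$clash = $foreman::db_extra_options.keys.filter |$k| { $k in ['host', 'port', 'sslmode', 'database', 'username', 'password', 'pool'] }` followed by `unless empty($clash) { fail("db_extra_options must not override managed database.yml keys: ${join($clash, ', ')}") }`. That the epp writes host/port/sslmode/database/username under exactly those names is inferred from the context keys here, so align the list with what the template actually emits. The enclosing class body continues outside the hunk.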
@@ -87,6 +87,9 @@ # $db_pool:: Database 'production' size of connection pool. If the value is not set, it will be # set by default to the amount of puma threads + 4 (for internal system threads) # +# $db_extra_options:: Database 'production' extra options. Can be used for extra options, not made +# available by the above db_* parameters. +# # $db_manage_rake:: if enabled, will run rake jobs, which depend on the database # # $server_port:: Defines Apache port for HTTP requests @@ -211,6 +214,30 @@ # # $keycloak_realm:: The realm as passed to keycloak-httpd-client-install # +# === OIDC parameters: +# +# $authorize_login_delegation:: Authorize login delegation with REMOTE_USER HTTP header (true/false) +# +# $authorize_login_delegation_auth_source_user_autocreate:: Name of the external auth source where unknown externally authentication +# users (see authorize_login_delegation) should be created. Empty means no autocreation. +# +# $login_delegation_logout_url:: Redirect your users to this url on logout (authorize_login_delegation should also be enabled) +# +# $oidc_jwks_url:: OpenID Connect JSON Web Key Set(JWKS) URL. +# Typically https://keycloak.example.com/auth/realms//protocol/openid-connect/certs when using +# Keycloak as an OpenID provider +# +# $oidc_audience:: Name of the OpenID Connect Audience that is being used for Authentication. In case of Keycloak this is the Client ID. +# ['oidc_app_name'] +# +# $oidc_issuer:: The iss (issuer) claim identifies the principal that issued the JWT, which exists at a +# `/.well-known/openid-configuration` in case of most of the OpenID providers. +# +# $oidc_algorithm:: The algorithm used to encode the JWT in the OpenID provider. +# +# $outofsync_interval Duration in minutes after servers are classed as out of sync. +# +# class foreman ( Stdlib::HTTPUrl $foreman_url = $foreman::params::foreman_url, Boolean $unattended = true, 
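Review bot: The new `$outofsync_interval` header line is missing the `::` separator every other parameter line in this block uses, so tooling keyed on `name::` will drop it; write `# $outofsync_interval:: Duration in minutes after servers are classed as out of sync.`. The `$oidc_algorithm` line says the algorithm is used to "encode" the JWT, but a JWT is signed, and what matters for security is that verification is pinned to this one algorithm (default `RS256` below); I would phrase it `# $oidc_algorithm:: Signature algorithm of the JWTs issued by the OpenID provider; verification should accept only this algorithm.` — the second clause states the intent, Foreman's verifier itself is not visible here. The `['oidc_app_name']` fragment under `$oidc_audience` reads as an orphaned example and should be introduced with `e.g.`. The parameter list that these comments describe starts below the hunk.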
@@ -230,6 +257,7 @@
   Optional[String[1]] $db_sslmode = undef,
   Optional[String[1]] $db_root_cert = undef,
   Optional[Integer[0]] $db_pool = undef,
+  Hash[String, String] $db_extra_options = {},
   Boolean $db_manage_rake = true,
   Stdlib::Port $server_port = 80,
   Stdlib::Port $server_ssl_port = 443,
@@ -307,6 +335,14 @@
   Boolean $register_in_foreman = true,
   Optional[Stdlib::Absolutepath] $provisioning_ct_location = undef,
   Optional[Stdlib::Absolutepath] $provisioning_fcct_location = undef,
+  Boolean $authorize_login_delegation = false,
+  String[1] $authorize_login_delegation_auth_source_user_autocreate = 'External',
+  Optional[String[1]] $login_delegation_logout_url = undef,
+  Optional[String[1]] $oidc_jwks_url = undef,
+  Array[String[1]] $oidc_audience = [],
+  Optional[String[1]] $oidc_issuer = undef,
+  String[1] $oidc_algorithm = 'RS256',
+  Integer $outofsync_interval = 30,
 ) inherits foreman::params {
 
   assert_type(Array[Stdlib::IP::Address], $trusted_proxies)
diff --git a/manifests/settings.pp b/manifests/settings.pp
index ded89e00b..5eeb2d5a4 100644
--- a/manifests/settings.pp
+++ b/manifests/settings.pp
@@ -10,6 +10,7 @@
   Optional[String] $email_smtp_password = $foreman::email_smtp_password,
   Optional[String] $email_reply_address = $foreman::email_reply_address,
   Optional[String] $email_subject_prefix = $foreman::email_subject_prefix,
+  Optional[Integer] $outofsync_interval = $foreman::outofsync_interval,
 ) {
   unless empty($email_delivery_method) {
     foreman_config_entry { 'delivery_method':
@@ -52,4 +53,9 @@
       value => $email_subject_prefix,
     }
   }
+  unless empty($outofsync_interval) {
+    foreman_config_entry { 'outofsync_interval':
+      value => $outofsync_interval,
+    }
+  }
 }
diff --git a/spec/classes/foreman_spec.rb b/spec/classes/foreman_spec.rb
index 35e4a2d65..96f194327 100644
--- a/spec/classes/foreman_spec.rb
+++ b/spec/classes/foreman_spec.rb
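Review bot: `String[1] $authorize_login_delegation_auth_source_user_autocreate = 'External'` cannot take the empty value that its own header comment ("Empty means no autocreation") promises, so as written there is no way to turn on login delegation without also auto-creating an account for every identity the web server asserts through REMOTE_USER. Either loosen the type, `String $authorize_login_delegation_auth_source_user_autocreate = 'External',` (or `Optional[String[1]]` with `undef` meaning off, if that is what Foreman expects), or correct the comment; the default of delegation-plus-autocreate into the `External` source deserves an explicit warning either way. `Integer $outofsync_interval = 30` also admits zero and negatives where `Integer[1]` would match "duration in minutes", and `$oidc_jwks_url` could be typed `Stdlib::HTTPSUrl` like `$foreman_url` is typed `Stdlib::HTTPUrl` above, since keys fetched over plain HTTP undermine the signature check they back. The parameter list this hunk extends continues above it.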
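Review bot: `unless empty($outofsync_interval)` applies a string/collection predicate to an `Optional[Integer]`; as far as I recall Puppet's built-in `empty` documents Numeric input as deprecated and simply returns false for it, so the guard works for `undef` only by that fallback and is fragile for `0`. The direct check is `if $outofsync_interval =~ NotUndef {`, keeping the body as is. The `Optional[Integer]` here also disagrees with the non-optional `Integer` declared in init.pp above, which is harmless but worth aligning so a reader knows which one is authoritative.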
@@ -200,6 +200,7 @@
       db_password: 'secret',
       db_sslmode: 'prefer',
       db_pool: 9,
+      db_extra_options: { 'target_session_attrs': 'read-write' },
       db_manage_rake: true,
       server_port: 80,
       server_ssl_port: 443,
@@ -250,6 +251,14 @@
       keycloak_realm: 'myrealm',
       provisioning_ct_location: '/usr/bin/myct',
       provisioning_fcct_location: '/usr/bin/myfcct',
+      authorize_login_delegation: true,
+      authorize_login_delegation_auth_source_user_autocreate: 'External',
+      login_delegation_logout_url: 'https://foreman.top.com/users/extlogout',
+      oidc_jwks_url: 'https://keycloak.top.com/realms/myrealm/protocol/openid-connect/certs',
+      oidc_audience: ['cloack-app'],
+      oidc_issuer: 'https://keycloak.top.com/realms/myrealm',
+      oidc_algorithm: 'RS256',
+      outofsync_interval: 30,
     }
   end
 
diff --git a/templates/database.yml.epp b/templates/database.yml.epp
index 444cdfd10..a8281b7a1 100644
--- a/templates/database.yml.epp
+++ b/templates/database.yml.epp
@@ -8,6 +8,7 @@
   Optional[String[1]] $username,
   Variant[Undef, String[1], Sensitive[String[1]]] $password,
   Integer[0] $db_pool,
+  Hash[String, String] $extra_options,
 | -%>
 ---
 <%= template('foreman/_header.erb') %>
@@ -33,3 +34,6 @@
   password: <%= stdlib::to_ruby($password) %>
 <% } -%>
   pool: <%= $db_pool %>
+<% $extra_options.each |String $k, String $v| { -%>
+  <%= $k %>: <%= $v %>
+<% } -%>
diff --git a/templates/settings.yaml.erb b/templates/settings.yaml.erb
index 50bcf8da0..d93dfcf05 100644
--- a/templates/settings.yaml.erb
+++ b/templates/settings.yaml.erb
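Review bot: `<%= $k %>: <%= $v %>` writes both halves of every extra option into database.yml as bare YAML scalars, while two lines up `password` goes through `stdlib::to_ruby($password)` precisely to get safe quoting; a value containing `#`, `: `, a leading `*` or `&`, or one YAML reads as a boolean or number (`yes`, `010`) would change meaning or break the file that holds the database credentials. Use the same helper for the value, `  <%= $k %>: <%= stdlib::to_ruby($v) %>`, and constrain the key at the parameter instead of quoting it (a quoted key is still a different key to Rails), e.g. `Hash[Pattern[/\A[a-z_]+\z/], String] $extra_options,` mirrored in init.pp. The `target_session_attrs` fixture in the spec above is well-formed, so nothing there exercises this.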
@@ -10,6 +10,17 @@
 :oauth_consumer_key: <%= scope.lookupvar("foreman::oauth_consumer_key") %>
 :oauth_consumer_secret: <%= scope.lookupvar("foreman::oauth_consumer_secret") %>
 
+<% if scope.lookupvar('foreman::authorize_login_delegation') -%>
+# The following values are used for oidc authentication
+:authorize_login_delegation: <%= scope.lookupvar("foreman::authorize_login_delegation") %>
+:authorize_login_delegation_auth_source_user_autocreate: <%= scope.lookupvar("foreman::authorize_login_delegation_auth_source_user_autocreate") %>
+:login_delegation_logout_url: <%= scope.lookupvar("foreman::login_delegation_logout_url") %>
+:oidc_jwks_url: <%= scope.lookupvar("foreman::oidc_jwks_url") %>
+:oidc_audience: <%= scope.lookupvar("foreman::oidc_audience") %>
+:oidc_issuer: <%= scope.lookupvar("foreman::oidc_issuer") %>
+:oidc_algorithm: <%= scope.lookupvar("foreman::oidc_algorithm") %>
+
+<% end -%>
 # Websockets
 :websockets_encrypt: <%= scope.lookupvar("foreman::websockets_encrypt") %>
 :websockets_ssl_key: <%= @websockets_ssl_key %>
@@ -46,7 +57,7 @@
 :trusted_proxies:
 <% scope.lookupvar('foreman::trusted_proxies').each do |proxy| -%>
   - '<%= proxy %>'
-<% end -%>
+  <% end -%>
 <% end -%>
 
 # Individual logging types can be toggled on/off here
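Review bot: `:oidc_audience: <%= scope.lookupvar("foreman::oidc_audience") %>` interpolates a Ruby Array, so the line only parses because `Array#to_s` happens to produce a JSON-like `["cloack-app"]` that YAML accepts as a flow sequence; that is incidental, and an audience containing a `"` or `\` would be mangled. Make the serialisation explicit, `:oidc_audience: <%= scope.lookupvar("foreman::oidc_audience").to_json %>` (JSON is normally loaded in the Puppet runtime, but confirm), or write it as a block list the way `:trusted_proxies:` is rendered further down. The new string values (`:oidc_issuer:`, `:oidc_jwks_url:`, `:login_delegation_logout_url:`) are likewise emitted as unquoted plain scalars; `.inspect` would quote them and keeps the `undef` case rendering as an empty scalar, which YAML loads as nil.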
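Review bot: Indenting the inner `<% end -%>` is not cosmetic: with the `-` trim mode that Puppet, as far as I know, uses for `.erb` templates, `-%>` drops the newline after the tag but the two spaces before `<%` are still emitted, so every loop iteration now appends `  ` ahead of the next `  - '<%= proxy %>'` line. With two or more trusted proxies the second item lands at four spaces, which is not a valid continuation of the sequence, and a single-proxy fixture would never show it. Revert the line to `<% end -%>` at column 0 (or `<%- end -%>` if the indentation is wanted for readability). The enclosing `<% if %>` that the final `<% end -%>` closes starts outside the hunk.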