From 6ec95587d08e567a539cd46dd15c437fe95637f5 Mon Sep 17 00:00:00 2001 From: Bastian Schmidt Date: Tue, 21 May 2024 18:06:14 +0200 Subject: [PATCH] Fixes #37835 - Add user and netapi to Salt config * Set user for running Salt Master service due to 3006 changes https://docs.saltproject.io/en/3006/topics/releases/3006.0.html#linux-packaging-salt-master-salt-user-and-group Salt API * Add netapi_enable_clients explicitly due to 3006 changes https://docs.saltproject.io/en/master/topics/netapi/netapi-enable-clients.html#select-client-interfaces-to-enable * Add api_interfaces parameter to enable configuration of API accessibility. However, smart_proxy_salt utilizes only the "runner" API interface. --- manifests/plugin/salt.pp | 3 +++ manifests/plugin/salt/params.pp | 1 + .../foreman_proxy__plugin__salt_spec.rb | 19 +++++++++++++++++++ templates/plugin/salt_master.conf.erb | 12 ++++++++++++ 4 files changed, 35 insertions(+) diff --git a/manifests/plugin/salt.pp b/manifests/plugin/salt.pp index a86df178..35bb2981 100644 --- a/manifests/plugin/salt.pp +++ b/manifests/plugin/salt.pp @@ -22,6 +22,8 @@ # # $api_password:: Salt API password # +# $api_interfaces:: Salt API interfaces +# # $saltfile:: Path to Saltfile # # === Advanced parameters: @@ -42,6 +44,7 @@ String $api_auth = $foreman_proxy::plugin::salt::params::api_auth, String $api_username = $foreman_proxy::plugin::salt::params::api_username, String $api_password = $foreman_proxy::plugin::salt::params::api_password, + Array[String] $api_interfaces = $foreman_proxy::plugin::salt::params::api_interfaces, Optional[Stdlib::Absolutepath] $saltfile = $foreman_proxy::plugin::salt::params::saltfile, ) inherits foreman_proxy::plugin::salt::params { $foreman_ssl_cert = pick($foreman_proxy::foreman_ssl_cert, $foreman_proxy::ssl_cert) diff --git a/manifests/plugin/salt/params.pp b/manifests/plugin/salt/params.pp index 7140e913..f3b22d07 100644 --- a/manifests/plugin/salt/params.pp +++ b/manifests/plugin/salt/params.pp 
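Review bot: `Array[String] $api_interfaces` in the second salt.pp hunk accepts any string, and the template hunk of this patch writes each element verbatim under `netapi_enable_clients:`, so a typo or a value containing a newline lands in master.d/foreman.conf unchecked. Restricting the type to the client names Salt documents rejects both at catalog compile time: `Array[Enum['local', 'local_async', 'local_batch', 'local_subset', 'runner', 'runner_async', 'ssh', 'wheel', 'wheel_async']] $api_interfaces`. The header comment added in the first hunk could also say what the value controls, for example `# $api_interfaces:: Salt netapi clients to enable (netapi_enable_clients); smart_proxy_salt only needs 'runner', each further client widens what the Salt API exposes`. The class body continues outside both hunks.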
@@ -15,5 +15,6 @@ $api_auth = 'pam' $api_username = 'saltuser' $api_password = 'saltpassword' + $api_interfaces = ['runner'] $saltfile = undef } diff --git a/spec/classes/foreman_proxy__plugin__salt_spec.rb b/spec/classes/foreman_proxy__plugin__salt_spec.rb index ab1b963e..078d6ede 100644 --- a/spec/classes/foreman_proxy__plugin__salt_spec.rb +++ b/spec/classes/foreman_proxy__plugin__salt_spec.rb @@ -18,6 +18,15 @@ :content => /:enabled: https/ }) end + + it 'should configure master.d/foreman.conf' do + should contain_file('/etc/salt/master.d/foreman.conf'). + with_content(%r{autosign_grains_dir: /var/lib/foreman-proxy/salt/grains}). + with_content(%r{autosign_file: /etc/salt/autosign.conf}). + with_content(%r{user: root}). + with_content(%r{netapi_enable_clients:\n - runner}). + with_content(%r{external_auth:\n pam:\n saltuser:\n - '@runner'}) + end end describe 'with overwritten parameters' do @@ -30,6 +39,7 @@ :api_auth => 'ldap', :api_username => 'saltapi', :api_password => 'letmein', + :api_interfaces => ['runner', 'local', 'ssh', 'wheel'], :saltfile => '/etc/salt/Saltfile', } end @@ -45,6 +55,15 @@ with_content(%r{:api_password: letmein}). with_content(%r{:saltfile: /etc/salt/Saltfile}) end + + it 'should change master.d/foreman.conf parameters' do + should contain_file('/etc/salt/master.d/foreman.conf'). + with_content(%r{user: example}). + with_content(%r{autosign_grains_dir: /var/lib/foreman-proxy/salt/grains}). + with_content(%r{autosign_file: /etc/salt/example.conf}). + with_content(%r{netapi_enable_clients:\n - runner\n - local\n - ssh\n - wheel}). + with_content(%r{external_auth:\n ldap:\n saltuser:\n - '@runner'}) + end end end end diff --git a/templates/plugin/salt_master.conf.erb b/templates/plugin/salt_master.conf.erb index 89e2ba65..d2270e95 100644 --- a/templates/plugin/salt_master.conf.erb +++ b/templates/plugin/salt_master.conf.erb 
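Review bot: The last expectation in 'should change master.d/foreman.conf parameters' matches `saltuser` under `ldap:`, although the params of that context set `:api_username => 'saltapi'`. If the template renders `api_username` under `external_auth` (that part of the template is not in this patch), the expectation should name `saltapi`. If the name is hard-coded there, the eauth grant and the API credentials can drift apart, which deserves its own fix. The new patterns are also unanchored, so `%r{user: example}` is satisfied by any key that merely ends in `user`; `%r{^user: example$}` pins the actual setting. The `let(:params)` block starts outside the hunk, so the `user` and `autosign_file` overrides could not be checked from here.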
@@ -15,6 +15,11 @@ autosign_file: <%= scope.lookupvar('foreman_proxy::plugin::salt::autosign_file') # permissive_pki_access: True +## +# Salt Master service user +user: <%= scope.lookupvar('::foreman_proxy::plugin::salt::user') %> + + ## # Node classifier master_tops: @@ -39,6 +44,13 @@ rest_cherrypy: ssl_key: <%= @foreman_ssl_key %> ssl_crt: <%= @foreman_ssl_cert %> +<% if scope.lookupvar('foreman_proxy::plugin::salt::api_interfaces').any? -%> +netapi_enable_clients: + <%- scope.lookupvar('foreman_proxy::plugin::salt::api_interfaces').each do |api_item| -%> + - <%= api_item %> + <%- end -%> +<% end -%> + ## # Remote execution provider
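Review bot: The added `user:` line in the first template hunk is rendered unconditionally, and the spec in this patch expects it to be `root` with default parameters. A master installed from Salt 3006 packages would therefore presumably be switched from the unprivileged account described in the linked release notes back to root unless the operator overrides the parameter. A template comment such as `# Overrides the packaged default service account (Salt >= 3006 runs the master as 'salt')` would make that choice visible, and the default itself, which is defined outside this patch, is worth revisiting. The lookup also uses a leading `::` where the other lookups visible in this patch omit it; `scope.lookupvar('foreman_proxy::plugin::salt::user')` keeps them consistent.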