Kafo and random passwords

lbetz · February 4, 2021, 5:18pm

I’d like to use kafo for an installer based on puppet modules, works fine. But I do not understand how kafo handles random passwords e.g. database passwords.

In my puppet manifest I use extlib::cache and random to generate random passwords and it works correct. I took a look at the foreman-installer but that didn’t help.

Thx
Lennart

ekohl · February 4, 2021, 5:28pm

We solve it at the Puppet layer using the extlib module you already found. That also has a random_password function:

github.com

theforeman/puppet-foreman/blob/cd239f88ea44991a975d2c63d4b72f9064738e83/manifests/params.pp#L46


$plugin_version    = 'present'
$cors_domains = []
# if enabled, will install and configure the database server on this host
$db_manage   = true
# Database 'production' settings
$db_username = 'foreman'
# Generate and cache the password on the master once
# In multi-puppetmaster setups, the user should specify their own
$db_password = extlib::cache_data('foreman_cache_data', 'db_password', extlib::random_password(32))
# Default database connection pool
$db_pool = 5
# if enabled, will run rake jobs, which depend on the database
$db_manage_rake = true
# Configure foreman email settings (database or email.yaml)
$email_delivery_method     = undef
$email_smtp_address        = undef
$email_smtp_port           = 25
$email_smtp_domain         = undef

lbetz · February 4, 2021, 6:20pm

I did on the same way but get the following string int the installer:

extlib::cache_data(‘my_cache_data’, ‘db_pass’, extlib::random_password(32))

lbetz · February 5, 2021, 3:42pm

Hm, all my parameter defaults are recognized as strings also arrays and hashes.

lbetz · February 5, 2021, 3:52pm

Main Config Menu

[✓] Configure icinga_ido
[✓] Configure icinga_server
Display current config
Save and run
Cancel run without Saving

Choose an option from the menu… 3

icinga_ido:
db_pass: extlib::cache_data(‘icinga_cache_data’, ‘db_pass’, extlib::random_password(32))
db_type: mysql
db_host: localhost
db_name: icinga2
db_user: icinga2
manage_database: false
enable_ha: false
icinga_server:
ca: false
config_server: false
zone: main
colocation_endpoints:
“{}”:
global_zones:
- “”
ca_server:

ekohl · February 5, 2021, 3:54pm

There is a limitation that kafo can’t really parse Puppet code. There’s some naive parsing:

github.com

theforeman/kafo_parsers/blob/b9a0432e140464d62c440fec94708d6a6db8fb53/lib/kafo_parsers/puppet_strings_module_parser.rb#L152-L164


# default values using puppet strings includes $ symbol, e.g. "$::foreman::params::ssl"
#
# values are reported as strings which is issue especially for :under
# strings are double quoted
# others must be typecast manually according to reported type
def sanitize(value)
  if (value.start_with?("'") && value.end_with?("'")) || (value.start_with?('"') && value.end_with?('"'))
    value = value[1..-2]
  end
  value = :undef if value == 'undef'
  value
end

However, puppet-strings gives a raw value. So a string shows up as "mystring". It has known limitations, like not being able to interpret [] as an array. It ends up being interpreted as "[]", so a string that contains []. This leads to Bug #31565: Validation of array's as static parameters on a class is incorrectly handled - Kafo - Foreman but there’s more ways this can manifest itself. Another is $facts['myfact'] which is also not properly understood.

We’ve always worked around this by creating params.pp and inheriting. Perhaps not so pretty, but patches welcome.

lbetz · February 5, 2021, 4:15pm

Ok, thx but that isn’t my main problem. This can I fix in answer files.

Now I tried to set

$db_pass = extlib::cache_data(‘icinga_cache_data’, ‘db_pass’, extlib::random_password(32))

in the old sytle params.pp ans inherits params but now the db_pass is shown as empty in the installer.

ekohl · February 5, 2021, 4:22pm

Do you have the code available somewhere by any chance?

lbetz · February 5, 2021, 4:28pm

sure

ekohl · February 5, 2021, 5:03pm

Code wise that looks like it should work. Do you also have the code to the actual installer? I also wonder if there’s something weird in your answers file.

lbetz · February 5, 2021, 5:09pm

lbetz · February 6, 2021, 1:54pm

Ok, the params class is applied only if the main class (init.pp) is used in the answers file.

lbetz · February 6, 2021, 2:18pm

Found my mistake, now I use mapping and all works fine. Thx for your time.