Using Foreman Installer & foreman-answers.yaml without passwords in the file?

Problem:

I want to store our foreman-answers.yaml configuration in Git, but the file contains sensitive information such as passwords & encrypted secrets.

Is there a way to have two configuration files, so that I can store foreman-answers.yaml in a Git repo and store the sensitive information separately?

Foreman and Proxy versions:

Foreman and Proxy plugin versions:

  • Foreman 1.23.1
  • Foreman Installer: 1.23.1

Distribution and version:

Ubuntu 18.04

Other relevant data:

The parameters, in this case, would be db_password: under foreman: and some other parameters.

I suppose I could remove the password from the foreman-answers.yaml file and use the --foreman-db-password option to set the value. But I believe that --foreman-db-password writes the password hash to the answers file, and I’m trying to avoid having secrets in the answers file.

No, we don’t easily support that. The file /etc/foreman-installer/custom-hiera.yaml takes precedence over the answers so you could store them there. You will have passwords in your answers file, but they shouldn’t actually be used in that case.

If you have thoughts on how to do this better, I’d be interested to hear them. Right now I’m thinking about the pattern to have them as undef by default and pick a cached generated password when it’s undefined later in the code. That would avoid the need to store it in the answers file when using a local database. It wouldn’t solve it for remote databases.
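
An added example, not part of either post and not Foreman project code: a Ruby sketch of the split the reply describes, producing a Git-safe answers structure plus a set of overrides destined for /etc/foreman-installer/custom-hiera.yaml, with a check usable before committing. The sensitive-name pattern, the placeholder string, the flat `module::parameter` key format for the Hiera side, and all sample values are assumptions made for illustration.

```ruby
require 'yaml'

# Parameter names treated as sensitive (assumed pattern; extend for your modules).
SENSITIVE = /password|secret|token|private_key/i
PLACEHOLDER = 'SET_IN_CUSTOM_HIERA' # constructed marker, not a real credential

# Constructed sample answers; only foreman/db_password comes from the thread.
SAMPLE = <<~YAML
  foreman:
    db_password: example-db-pass
    db_username: foreman
  foreman_proxy:
    oauth_consumer_secret: example-oauth-secret
    dns: false
  puppet: true
YAML

# Split parsed answers into [git_safe_answers, hiera_overrides].
# Answers nest as module -> parameter; the Hiera side is assumed to use
# flat "module::parameter" keys.
def split_answers(answers)
  safe = {}
  secrets = {}
  answers.each do |mod, params|
    unless params.is_a?(Hash) # a module can be a bare true/false
      safe[mod] = params
      next
    end
    safe[mod] = params.to_h do |name, value|
      real = value.is_a?(String) && !value.empty? && value != PLACEHOLDER
      next [name, value] unless name.to_s =~ SENSITIVE && real
      secrets["#{mod}::#{name}"] = value
      [name, PLACEHOLDER]
    end
  end
  [safe, secrets]
end

# Pre-commit style check: parameters that still carry a real secret.
def leaked_params(answers)
  split_answers(answers).last.keys
end

if __FILE__ == $PROGRAM_NAME
  safe, secrets = split_answers(YAML.safe_load(SAMPLE))
  puts safe.to_yaml    # version-controlled copy of the answers
  puts secrets.to_yaml # keep out of Git; content for custom-hiera.yaml
end
```

The overrides file holds the real credentials, so it should stay outside the repository and be readable only by root.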