The parameters, in this case, would be db_password: under foreman: and some other parameters.
I suppose I could remove the password from the foreman-answers.yaml file and use the --foreman-db-password option to set the value. But I believe that --foreman-db-password write the password hash to the answers file, and I’m trying to avoid having secrets in the answers file.
No, we don’t easily support that. The file /etc/foreman-installer/custom-hiera.yaml takes precedence over the answers so you could store them there. You will have passwords in your answers file, but they shouldn’t actually be used in that case.
If you have thoughts on how to do this better, I’d be interested to hear them. Right now I’m thinking about the patttern to have them as undef by default and pick a cached generated password when it’s undefined later in the code. That would avoid the need to store it in the answers file when using a local database. It wouldn’t solve it for remote databases.