CHANGELOG.md

@@ -1,5 +1,42 @@
 # Changelog
 
+## [22.0.0](https://github.com/theforeman/puppet-foreman/tree/22.0.0) (2022-11-03)
+
+[Full Changelog](https://github.com/theforeman/puppet-foreman/compare/21.2.0...22.0.0)
+
+**Breaking changes:**
+
+- drop abrt and chef plugins [\#1094](https://github.com/theforeman/puppet-foreman/pull/1094) ([evgeni](https://github.com/evgeni))
+- drop support for host\_reports, the plugin was dropped [\#1081](https://github.com/theforeman/puppet-foreman/pull/1081) ([evgeni](https://github.com/evgeni))
+- Drop /pulp2 and /streamer from no\_proxy\_uris [\#1080](https://github.com/theforeman/puppet-foreman/pull/1080) ([evgeni](https://github.com/evgeni))
+- Fixes [\#33956](https://projects.theforeman.org/issues/33956) - serve static assets directly via Apache [\#1078](https://github.com/theforeman/puppet-foreman/pull/1078) ([evgeni](https://github.com/evgeni))
+
+**Implemented enhancements:**
+
+- Refs [\#35414](https://projects.theforeman.org/issues/35414) - Expect a different message in journal [\#1096](https://github.com/theforeman/puppet-foreman/pull/1096) ([ekohl](https://github.com/ekohl))
+- Fixes [\#35685](https://projects.theforeman.org/issues/35685) - allow setting GssapiLocalName to Off [\#1093](https://github.com/theforeman/puppet-foreman/pull/1093) ([evgeni](https://github.com/evgeni))
+- Refs [\#35675](https://projects.theforeman.org/issues/35675) - Add hammer-cli-foreman-google plugin [\#1090](https://github.com/theforeman/puppet-foreman/pull/1090) ([ofedoren](https://github.com/ofedoren))
+- Allow sensitive type for plugin configuration [\#1088](https://github.com/theforeman/puppet-foreman/pull/1088) ([kobybr](https://github.com/kobybr))
+- Fixes [\#35524](https://projects.theforeman.org/issues/35524) - Require puppetlabs-apache 8.x [\#1086](https://github.com/theforeman/puppet-foreman/pull/1086) ([ekohl](https://github.com/ekohl))
+- Refs [\#33956](https://projects.theforeman.org/issues/33956) - make it easier to toggle asset proxying [\#1085](https://github.com/theforeman/puppet-foreman/pull/1085) ([evgeni](https://github.com/evgeni))
+- Refs [\#35473](https://projects.theforeman.org/issues/35473) - Configure Apache for API extlogin [\#1083](https://github.com/theforeman/puppet-foreman/pull/1083) ([ofedoren](https://github.com/ofedoren))
+
+**Fixed bugs:**
+
+- Convert per\_page in foreman::foreman to string [\#1089](https://github.com/theforeman/puppet-foreman/pull/1089) ([ekohl](https://github.com/ekohl))
+
+**Merged pull requests:**
+
+- Puppet-lint fixes [\#1092](https://github.com/theforeman/puppet-foreman/pull/1092) ([ekohl](https://github.com/ekohl))
+
+## [21.2.0](https://github.com/theforeman/puppet-foreman/tree/21.2.0) (2022-09-20)
+
+[Full Changelog](https://github.com/theforeman/puppet-foreman/compare/21.1.0...21.2.0)
+
+**Implemented enhancements:**
+
+- puppetlabs/apt: Allow 9.x [\#1082](https://github.com/theforeman/puppet-foreman/pull/1082) ([bastelfreak](https://github.com/bastelfreak))
+
 ## [21.1.0](https://github.com/theforeman/puppet-foreman/tree/21.1.0) (2022-08-26)
 
 [Full Changelog](https://github.com/theforeman/puppet-foreman/compare/21.0.0...21.1.0)

HISTORY.md

@@ -1,5 +1,52 @@
 # Changelog
 
+## [22.0.0](https://github.com/theforeman/puppet-foreman/tree/22.0.0) (2022-11-03)
+
+[Full Changelog](https://github.com/theforeman/puppet-foreman/compare/21.2.0...22.0.0)
+
+**Breaking changes:**
+
+- drop abrt and chef plugins [\#1094](https://github.com/theforeman/puppet-foreman/pull/1094) ([evgeni](https://github.com/evgeni))
+- drop support for host\_reports, the plugin was dropped [\#1081](https://github.com/theforeman/puppet-foreman/pull/1081) ([evgeni](https://github.com/evgeni))
+- Drop /pulp2 and /streamer from no\_proxy\_uris [\#1080](https://github.com/theforeman/puppet-foreman/pull/1080) ([evgeni](https://github.com/evgeni))
+- Fixes [\#33956](https://projects.theforeman.org/issues/33956) - serve static assets directly via Apache [\#1078](https://github.com/theforeman/puppet-foreman/pull/1078) ([evgeni](https://github.com/evgeni))
+
+**Implemented enhancements:**
+
+- Refs [\#35414](https://projects.theforeman.org/issues/35414) - Expect a different message in journal [\#1096](https://github.com/theforeman/puppet-foreman/pull/1096) ([ekohl](https://github.com/ekohl))
+- Fixes [\#35685](https://projects.theforeman.org/issues/35685) - allow setting GssapiLocalName to Off [\#1093](https://github.com/theforeman/puppet-foreman/pull/1093) ([evgeni](https://github.com/evgeni))
+- Refs [\#35675](https://projects.theforeman.org/issues/35675) - Add hammer-cli-foreman-google plugin [\#1090](https://github.com/theforeman/puppet-foreman/pull/1090) ([ofedoren](https://github.com/ofedoren))
+- Allow sensitive type for plugin configuration [\#1088](https://github.com/theforeman/puppet-foreman/pull/1088) ([kobybr](https://github.com/kobybr))
+- Fixes [\#35524](https://projects.theforeman.org/issues/35524) - Require puppetlabs-apache 8.x [\#1086](https://github.com/theforeman/puppet-foreman/pull/1086) ([ekohl](https://github.com/ekohl))
+- Refs [\#33956](https://projects.theforeman.org/issues/33956) - make it easier to toggle asset proxying [\#1085](https://github.com/theforeman/puppet-foreman/pull/1085) ([evgeni](https://github.com/evgeni))
+- Refs [\#35473](https://projects.theforeman.org/issues/35473) - Configure Apache for API extlogin [\#1083](https://github.com/theforeman/puppet-foreman/pull/1083) ([ofedoren](https://github.com/ofedoren))
+
+**Fixed bugs:**
+
+- Convert per\_page in foreman::foreman to string [\#1089](https://github.com/theforeman/puppet-foreman/pull/1089) ([ekohl](https://github.com/ekohl))
+
+**Merged pull requests:**
+
+- Puppet-lint fixes [\#1092](https://github.com/theforeman/puppet-foreman/pull/1092) ([ekohl](https://github.com/ekohl))
+
+## [21.2.0](https://github.com/theforeman/puppet-foreman/tree/21.2.0) (2022-09-20)
+
+[Full Changelog](https://github.com/theforeman/puppet-foreman/compare/21.1.0...21.2.0)
+
+**Implemented enhancements:**
+
+- puppetlabs/apt: Allow 9.x [\#1082](https://github.com/theforeman/puppet-foreman/pull/1082) ([bastelfreak](https://github.com/bastelfreak))
+
+## [21.1.0](https://github.com/theforeman/puppet-foreman/tree/21.1.0) (2022-08-26)
+
+[Full Changelog](https://github.com/theforeman/puppet-foreman/compare/21.0.0...21.1.0)
+
+**Implemented enhancements:**
+
+- Add hammer plugin for ssh [\#1076](https://github.com/theforeman/puppet-foreman/pull/1076) ([dgoetz](https://github.com/dgoetz))
+- Allow puppetlabs/apache 8.x [\#1075](https://github.com/theforeman/puppet-foreman/pull/1075) ([ekohl](https://github.com/ekohl))
+- Fixes [\#35356](https://projects.theforeman.org/issues/35356) - Don't proxy /server-status [\#1074](https://github.com/theforeman/puppet-foreman/pull/1074) ([ekohl](https://github.com/ekohl))
+
 ## [21.0.0](https://github.com/theforeman/puppet-foreman/tree/21.0.0) (2022-08-04)
 
 [Full Changelog](https://github.com/theforeman/puppet-foreman/compare/20.2.0...21.0.0)

README.md

@@ -77,6 +77,14 @@ previous stable release.
 This module targets Foreman 3.1+.
 The module can not be used to manage Foreman installations on EL7.
 
+This module configures Apache to serve static assets from
+`/var/lib/foreman/public` directly. This requires an appropriate
+SELinux policy, like the one introduced in [`foreman-selinux`
+version 3.5](https://projects.theforeman.org/issues/35402).
+Additionally, some plugin packages might be incomplatible with such
+a deployment. To serve assets via Rails again, set
+`foreman::config::apache::proxy_assets` to `true`.
+
 ## Types and providers
 
 `foreman_config_entry` can be used to manage settings in Foreman's database, as

lib/puppet/functions/foreman/foreman.rb

@@ -62,7 +62,7 @@ def foreman(item, search, per_page = "20", foreman_url = "https://localhost", fo
     raise Puppet::ParseError, "Foreman: Invalid filter_result: #{filter_result}, must not be boolean true" if filter_result == true
 
     begin
-      path = "/api/#{CGI.escape(item)}?search=#{CGI.escape(search)}&per_page=#{CGI.escape(per_page)}"
+      path = "/api/#{CGI.escape(item)}?search=#{CGI.escape(search)}&per_page=#{CGI.escape(per_page.to_s)}"
 
       req = Net::HTTP::Get.new(path)
       req['Content-Type'] = 'application/json'

manifests/cli/google.pp

@@ -0,0 +1,10 @@
+# = Hammer Google plugin
+#
+# This installs the Google plugin for Hammer CLI
+#
+# === Parameters:
+#
+class foreman::cli::google {
+  foreman::cli::plugin { 'foreman_google':
+  }
+}

manifests/config.pp

@@ -190,6 +190,8 @@
         mode   => '0600',
       }
 
+      $gssapi_local_name = bool2str($foreman::gssapi_local_name, 'On', 'Off')
+
       foreman::config::apache::fragment { 'intercept_form_submit':
         ssl_content => template('foreman/intercept_form_submit.conf.erb'),
       }

manifests/config/apache.pp

@@ -58,6 +58,9 @@
 # @param proxy_no_proxy_uris
 #   URIs not to proxy
 #
+# @param proxy_assets
+#   Whether assets paths (/assets, /webpack) should be proxied or not.
+#
 # @param foreman_url
 #   The URL Foreman should be reachable under. Used for loading the application
 #   on startup rather than on demand.
@@ -96,7 +99,8 @@
   Pattern['^(https?|unix)://'] $proxy_backend = 'unix:///run/foreman.sock',
   Boolean $proxy_add_headers = true,
   Hash $proxy_params = { 'retry' => '0' },
-  Array[String] $proxy_no_proxy_uris = ['/pulp', '/pulp2', '/streamer', '/pub', '/icons', '/server-status'],
+  Array[String] $proxy_no_proxy_uris = ['/pulp', '/pub', '/icons', '/server-status'],
+  Boolean $proxy_assets = false,
   Boolean $ssl = false,
   Optional[Stdlib::Absolutepath] $ssl_ca = undef,
   Optional[Stdlib::Absolutepath] $ssl_chain = undef,
@@ -174,12 +178,18 @@
     "unset ${header}"
   }
 
+  if $proxy_assets {
+    $_proxy_no_proxy_uris = $proxy_no_proxy_uris
+  } else {
+    $_proxy_no_proxy_uris = $proxy_no_proxy_uris + ['/webpack', '/assets']
+  }
+
   $vhost_http_internal_options = {
     'proxy_preserve_host' => true,
     'proxy_add_headers'   => $proxy_add_headers,
     'request_headers'     => $vhost_http_request_headers,
     'proxy_pass'          => {
-      'no_proxy_uris' => $proxy_no_proxy_uris,
+      'no_proxy_uris' => $_proxy_no_proxy_uris,
       'path'          => pick($suburi, '/'),
       'url'           => $_proxy_backend,
       'params'        => $proxy_params,

manifests/init.pp

@@ -123,6 +123,8 @@
 #
 # $http_keytab::                  Path to keytab to be used for Kerberos authentication on the WebUI. If left empty, it will be automatically determined.
 #
+# $gssapi_local_name::            Whether to enable GssapiLocalName when using mod_auth_gssapi
+#
 # $pam_service::                  PAM service used for host-based access control in IPA
 #
 # $ipa_manage_sssd::              If ipa_authentication is true, should the installer manage SSSD? You can disable it
@@ -248,6 +250,7 @@
   Optional[String] $initial_location = undef,
   Boolean $ipa_authentication = false,
   Optional[Stdlib::Absolutepath] $http_keytab = undef,
+  Boolean $gssapi_local_name = true,
   String $pam_service = 'foreman',
   Boolean $ipa_manage_sssd = true,
   Boolean $websockets_encrypt = true,

manifests/plugin.pp

@@ -27,7 +27,7 @@
   String[1] $config_file_owner = 'root',
   String[1] $config_file_group = $foreman::group,
   Stdlib::Filemode $config_file_mode = '0640',
-  Optional[String] $config = undef,
+  Optional[Variant[String, Sensitive[String]]] $config = undef,
 ) {
   # Debian gem2deb converts underscores to hyphens
   case $facts['os']['family'] {

manifests/rake.pp

@@ -18,16 +18,13 @@
   Stdlib::Absolutepath $app_root = $foreman::app_root,
   Variant[Undef, String[1], Array[String[1]]] $unless = undef,
 ) {
-  # https://github.com/rodjek/puppet-lint/issues/327
-  # lint:ignore:arrow_alignment
   exec { "foreman-rake-${title}":
     command     => "/usr/sbin/foreman-rake ${title}",
     user        => $user,
-    environment => sort(join_keys_to_values(merge( { 'HOME' => $app_root }, $environment), '=')),
+    environment => sort(join_keys_to_values({ 'HOME' => $app_root } + $environment, '=')),
     logoutput   => 'on_failure',
     refreshonly => $unless =~ Undef,
     timeout     => $timeout,
     unless      => $unless,
   }
-  # lint:endignore
 }

metadata.json

@@ -1,6 +1,6 @@
 {
   "name": "theforeman-foreman",
-  "version": "21.1.0",
+  "version": "22.0.0",
   "author": "theforeman",
   "summary": "Foreman server configuration",
   "license": "GPL-3.0+",
@@ -18,11 +18,11 @@
     },
     {
       "name": "puppetlabs/apache",
-      "version_requirement": ">= 5.5.0 < 9.0.0"
+      "version_requirement": ">= 8.0.0 < 9.0.0"
     },
     {
       "name": "puppetlabs/apt",
-      "version_requirement": ">= 2.0.0 < 9.0.0"
+      "version_requirement": ">= 2.0.0 < 10.0.0"
     },
     {
       "name": "puppetlabs/concat",

spec/acceptance/foreman_cli_plugins_spec.rb

@@ -19,20 +19,20 @@ class { 'foreman::cli':
           include foreman::cli::azure
         }
         include foreman::cli::discovery
-        include foreman::cli::host_reports
         include foreman::cli::remote_execution
         include foreman::cli::ssh
         include foreman::cli::tasks
         include foreman::cli::templates
         include foreman::cli::webhooks
         include foreman::cli::puppet
+        include foreman::cli::google
         PUPPET
       end
     end
 
     it_behaves_like 'hammer'
 
-    ['discovery', 'host_reports', 'remote_execution', 'ssh', 'tasks', 'templates', 'webhooks', 'puppet'].each do |plugin|
+    ['discovery', 'remote_execution', 'ssh', 'tasks', 'templates', 'webhooks', 'puppet'].each do |plugin|
       package_name = case fact('os.family')
                      when 'RedHat'
                        "rubygem-hammer_cli_foreman_#{plugin}"

spec/acceptance/foreman_journald_spec.rb

@@ -24,6 +24,6 @@ class { 'foreman':
   end
 
   describe command('journalctl -u dynflow-sidekiq@orchestrator') do
-    its(:stdout) { is_expected.to match(%r{Everything ready for world: }) }
+    its(:stdout) { is_expected.to match(%r{orchestrator in passive mode}) }
   end
 end

spec/classes/cli_plugins_spec.rb

@@ -2,7 +2,7 @@
 
 supported = on_supported_os
 
-['ansible', 'azure', 'discovery', 'host_reports', 'katello', 'kubevirt', 'openscap', 'remote_execution', 'ssh', 'tasks', 'templates', 'virt_who_configure', 'webhooks', 'puppet'].each do |plugin|
+['ansible', 'azure', 'discovery', 'katello', 'kubevirt', 'openscap', 'remote_execution', 'ssh', 'tasks', 'templates', 'virt_who_configure', 'webhooks', 'puppet', 'google'].each do |plugin|
   describe "foreman::cli::#{plugin}" do
     supported.each do |os, os_facts|
       context "on #{os}" do

spec/classes/foreman_config_apache_spec.rb

@@ -61,7 +61,7 @@
             'unset REMOTE_USER_GROUPS'
           ])
           .with_proxy_pass(
-            "no_proxy_uris" => ['/pulp', '/pulp2', '/streamer', '/pub', '/icons', '/server-status'],
+            "no_proxy_uris" => ['/pulp', '/pub', '/icons', '/server-status', '/webpack', '/assets'],
             "path"          => '/',
             "url"           => 'unix:///run/foreman.sock|http://foreman/',
             "params"        => { "retry" => '0' },
@@ -105,6 +105,23 @@
         }
       end
 
+      describe 'with asset proxying enabled' do
+        let(:params) do
+          super().merge(
+            proxy_assets: true
+          )
+        end
+
+        it { should contain_apache__vhost('foreman')
+            .with_proxy_pass(
+              "no_proxy_uris" => ['/pulp', '/pub', '/icons', '/server-status'],
+              "path"          => '/',
+              "url"           => 'unix:///run/foreman.sock|http://foreman/',
+              "params"        => { "retry" => '0' },
+            )
+        }
+      end
+
       describe 'with ssl' do
         let(:params) do
           {
@@ -161,7 +178,7 @@
             ])
             .with_ssl_proxyengine(true)
             .with_proxy_pass(
-              "no_proxy_uris" => ['/pulp', '/pulp2', '/streamer', '/pub', '/icons', '/server-status'],
+              "no_proxy_uris" => ['/pulp', '/pub', '/icons', '/server-status', '/webpack', '/assets'],
               "path"          => '/',
               "url"           => 'unix:///run/foreman.sock|http://foreman/',
               "params"        => { "retry" => '0' },

spec/classes/foreman_config_ipa_spec.rb

@@ -39,9 +39,19 @@
 
             should contain_foreman__config__apache__fragment('auth_gssapi')
               .with_ssl_content(%r{^\s*GssapiCredStore keytab:#{keytab_path}$})
+              .with_ssl_content(/^\s*GssapiLocalName On$/)
               .with_ssl_content(/^\s*require pam-account foreman$/)
           end
 
+          context 'with gssapi_local_name=false' do
+            let(:params) { super().merge(gssapi_local_name: false) }
+
+            it 'should contain Apache fragments' do
+              should contain_foreman__config__apache__fragment('auth_gssapi')
+                .with_ssl_content(/^\s*GssapiLocalName Off$/)
+            end
+          end
+
           context 'with SELinux' do
             let(:facts) { override_facts(super(), os: {'selinux' => {'enabled' => selinux}}) }