Add parameter outofsync_interval

manifests/config.pp

@@ -60,14 +60,14 @@
   }
 
   $db_context = {
-    'managed'   => $foreman::db_manage,
-    'rails_env' => $foreman::rails_env,
-    'host'      => $foreman::db_host,
-    'port'      => $foreman::db_port,
-    'sslmode'   => $foreman::db_sslmode_real,
-    'database'  => $foreman::db_database,
-    'username'  => $foreman::db_username,
-    'password'  => $foreman::db_password,
+    'managed'       => $foreman::db_manage,
+    'rails_env'     => $foreman::rails_env,
+    'host'          => $foreman::db_host,
+    'port'          => $foreman::db_port,
+    'sslmode'       => $foreman::db_sslmode_real,
+    'database'      => $foreman::db_database,
+    'username'      => $foreman::db_username,
+    'password'      => $foreman::db_password,
     # Set the pool size to at least the amount of puma threads + 4 threads that are spawned automatically by the process.
     # db_pool is optional, and undef means "use default" and the second part of the max statement will be set.
     # The number 4 is for 4 threads that are spawned internally during the execution:
@@ -76,7 +76,8 @@
     # 3. Stomp listener (required by Katello)
     # 4. Puma server listener thread
     # This means for systems without Katello we can reduce the amount of the pool to puma_threads_max + 1
-    'db_pool'   => pick($foreman::db_pool, $foreman::foreman_service_puma_threads_max + 4),
+    'db_pool'       => pick($foreman::db_pool, $foreman::foreman_service_puma_threads_max + 4),
+    'extra_options' => $foreman::db_extra_options,
   }
 
   file { '/etc/foreman/database.yml':

manifests/init.pp

@@ -87,6 +87,9 @@
 # $db_pool::                      Database 'production' size of connection pool. If the value is not set, it will be
 #                                 set by default to the amount of puma threads + 4 (for internal system threads)
 #
+# $db_extra_options::             Database 'production' extra options. Can be used for extra options, not made
+#                                 available by the above db_* parameters.
+#
 # $db_manage_rake::               if enabled, will run rake jobs, which depend on the database
 #
 # $server_port::                  Defines Apache port for HTTP requests
@@ -211,6 +214,30 @@
 #
 # $keycloak_realm::               The realm as passed to keycloak-httpd-client-install
 #
+# === OIDC parameters:
+#
+# $authorize_login_delegation::   Authorize login delegation with REMOTE_USER HTTP header (true/false)
+#
+# $authorize_login_delegation_auth_source_user_autocreate::   Name of the external auth source where unknown externally authentication
+#                                                             users (see authorize_login_delegation) should be created. Empty means no autocreation.
+#
+# $login_delegation_logout_url::  Redirect your users to this url on logout (authorize_login_delegation should also be enabled)
+#
+# $oidc_jwks_url::                OpenID Connect JSON Web Key Set(JWKS) URL.
+#                                 Typically https://keycloak.example.com/auth/realms/<realm name>/protocol/openid-connect/certs when using
+#                                 Keycloak as an OpenID provider
+#
+# $oidc_audience::                Name of the OpenID Connect Audience that is being used for Authentication. In case of Keycloak this is the Client ID.
+#                                 ['oidc_app_name']
+#
+# $oidc_issuer::                  The iss (issuer) claim identifies the principal that issued the JWT, which exists at a
+#                                 `/.well-known/openid-configuration` in case of most of the OpenID providers.
+#
+# $oidc_algorithm::               The algorithm used to encode the JWT in the OpenID provider.
+#
+# $outofsync_interval   Duration in minutes after servers are classed as out of sync.
+#
+#
 class foreman (
   Stdlib::HTTPUrl $foreman_url = $foreman::params::foreman_url,
   Boolean $unattended = true,
@@ -230,6 +257,7 @@
   Optional[String[1]] $db_sslmode = undef,
   Optional[String[1]] $db_root_cert = undef,
   Optional[Integer[0]] $db_pool = undef,
+  Hash[String, String] $db_extra_options = {},
   Boolean $db_manage_rake = true,
   Stdlib::Port $server_port = 80,
   Stdlib::Port $server_ssl_port = 443,
@@ -307,6 +335,14 @@
   Boolean $register_in_foreman = true,
   Optional[Stdlib::Absolutepath] $provisioning_ct_location = undef,
   Optional[Stdlib::Absolutepath] $provisioning_fcct_location = undef,
+  Boolean $authorize_login_delegation = false,
+  String[1] $authorize_login_delegation_auth_source_user_autocreate = 'External',
+  Optional[String[1]] $login_delegation_logout_url = undef,
+  Optional[String[1]] $oidc_jwks_url = undef,
+  Array[String[1]] $oidc_audience = [],
+  Optional[String[1]] $oidc_issuer = undef,
+  String[1] $oidc_algorithm = 'RS256',
+  Integer $outofsync_interval = 30,
 ) inherits foreman::params {
   assert_type(Array[Stdlib::IP::Address], $trusted_proxies)
 

manifests/settings.pp

@@ -10,6 +10,7 @@
   Optional[String] $email_smtp_password = $foreman::email_smtp_password,
   Optional[String] $email_reply_address = $foreman::email_reply_address,
   Optional[String] $email_subject_prefix = $foreman::email_subject_prefix,
+  Optional[Integer] $outofsync_interval = $foreman::outofsync_interval,
 ) {
   unless empty($email_delivery_method) {
     foreman_config_entry { 'delivery_method':
@@ -52,4 +53,9 @@
       value => $email_subject_prefix,
     }
   }
+  unless empty($outofsync_interval) {
+    foreman_config_entry { 'outofsync_interval':
+      value => $outofsync_interval,
+    }
+  }
 }

spec/classes/foreman_spec.rb

@@ -200,6 +200,7 @@
             db_password: 'secret',
             db_sslmode: 'prefer',
             db_pool: 9,
+            db_extra_options: { 'target_session_attrs': 'read-write' },
             db_manage_rake: true,
             server_port: 80,
             server_ssl_port: 443,
@@ -250,6 +251,14 @@
             keycloak_realm: 'myrealm',
             provisioning_ct_location: '/usr/bin/myct',
             provisioning_fcct_location: '/usr/bin/myfcct',
+            authorize_login_delegation: true,
+            authorize_login_delegation_auth_source_user_autocreate: 'External',
+            login_delegation_logout_url: 'https://foreman.top.com/users/extlogout',
+            oidc_jwks_url: 'https://keycloak.top.com/realms/myrealm/protocol/openid-connect/certs',
+            oidc_audience: ['cloack-app'],
+            oidc_issuer: 'https://keycloak.top.com/realms/myrealm',
+            oidc_algorithm: 'RS256',
+            outofsync_interval: 30,
           }
         end
 

templates/database.yml.epp

@@ -8,6 +8,7 @@
   Optional[String[1]] $username,
   Variant[Undef, String[1], Sensitive[String[1]]] $password,
   Integer[0] $db_pool,
+  Hash[String, String] $extra_options,
 | -%>
 ---
 <%= template('foreman/_header.erb') %>
@@ -33,3 +34,6 @@
   password: <%= stdlib::to_ruby($password) %>
 <% } -%>
   pool: <%= $db_pool %>
+<% $extra_options.each |String $k, String $v| { -%>
+  <%= $k %>: <%= $v %>
+<% } -%>

templates/settings.yaml.erb

@@ -10,6 +10,17 @@
 :oauth_consumer_key: <%= scope.lookupvar("foreman::oauth_consumer_key") %>
 :oauth_consumer_secret: <%= scope.lookupvar("foreman::oauth_consumer_secret") %>
 
+<% if scope.lookupvar('foreman::authorize_login_delegation') -%>
+# The following values are used for oidc authentication
+:authorize_login_delegation: <%= scope.lookupvar("foreman::authorize_login_delegation") %>
+:authorize_login_delegation_auth_source_user_autocreate: <%= scope.lookupvar("foreman::authorize_login_delegation_auth_source_user_autocreate") %>
+:login_delegation_logout_url: <%= scope.lookupvar("foreman::login_delegation_logout_url") %>
+:oidc_jwks_url: <%= scope.lookupvar("foreman::oidc_jwks_url") %>
+:oidc_audience: <%= scope.lookupvar("foreman::oidc_audience") %>
+:oidc_issuer: <%= scope.lookupvar("foreman::oidc_issuer") %>
+:oidc_algorithm: <%= scope.lookupvar("foreman::oidc_algorithm") %>
+
+<% end -%>
 # Websockets
 :websockets_encrypt: <%= scope.lookupvar("foreman::websockets_encrypt") %>
 :websockets_ssl_key: <%= @websockets_ssl_key %>
@@ -46,7 +57,7 @@
 :trusted_proxies:
 <% scope.lookupvar('foreman::trusted_proxies').each do |proxy| -%>
  - '<%= proxy %>'
-<% end -%>
+ <% end -%>
 
 <% end -%>
 # Individual logging types can be toggled on/off here