From d5a6696a5fc9b85d933b6ae6b35e8d3aeca9fa24 Mon Sep 17 00:00:00 2001
From: Justin Sherrill
Date: Wed, 20 Oct 2021 10:58:22 -0400
Subject: [PATCH 1/2] Fixes #33733 - generate key for db encryption

---
 manifests/config.pp | 15 ++++++++++++++-
 manifests/init.pp | 2 ++
 spec/classes/pulpcore_spec.rb | 1 +
 3 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/manifests/config.pp b/manifests/config.pp
index 8cdaba84..540ecca5 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -1,7 +1,7 @@
 # Configures pulp3
 # @api private
 class pulpcore::config {
- file { $pulpcore::config_dir:
+ file { [$pulpcore::config_dir, $pulpcore::certs_dir]:
 ensure => directory,
 owner => 'root',
 group => 'root',
@@ -51,4 +51,17 @@
 mode => '0770',
 }
+ exec { 'Create database symmetric key':
+ path => ['/bin', '/usr/bin'],
+ command => "openssl rand -base64 32 | tr '+/' '-_' > ${pulpcore::database_key_file}",
+ creates => $pulpcore::database_key_file,
+ }
+
+ file { $pulpcore::database_key_file:
+ owner => 'root',
+ group => $pulpcore::group,
+ mode => '0640',
+ require => Exec['Create database symmetric key'],
+ }
+
+ }
diff --git a/manifests/init.pp b/manifests/init.pp
index 1e00d76b..445ab4fa 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -232,6 +232,8 @@
 Enum['CRITICAL', 'ERROR', 'WARNING', 'INFO', 'DEBUG'] $log_level = 'INFO',
 ) {
 $settings_file = "${config_dir}/settings.py"
+ $certs_dir = "${config_dir}/certs"
+ $database_key_file = "${certs_dir}/database_fields.symmetric.key"
 contain pulpcore::install
 contain pulpcore::database
diff --git a/spec/classes/pulpcore_spec.rb b/spec/classes/pulpcore_spec.rb
index 1dc54f87..72b4d660 100644
--- a/spec/classes/pulpcore_spec.rb
+++ b/spec/classes/pulpcore_spec.rb
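Review bot: Folding `$pulpcore::certs_dir` into the `config_dir` resource gives the key directory root:root ownership and whatever mode that resource sets below `group` (the attribute list continues outside the hunk). Since this directory is created specifically to hold the database symmetric key, it is worth confirming that mode is not wider than the key's own `0640`, or giving `$pulpcore::certs_dir` its own `file` resource with a directory mode chosen for secrets rather than inheriting the general config-dir settings. If the existing mode is deliberately open so other services can read `/etc/pulp`, a one-line comment saying the key's protection relies on the file mode alone would save the next reader the same question.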
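Review bot: The `exec` writes the key through a shell redirect under the agent's default umask, so the file is first created with whatever that umask allows and only tightened to `0640` when the following `file` resource is applied; add `umask => '0077',` to the exec so the key is never on disk with wider permissions than intended. A second gap: the pipeline's exit status is that of `tr`, so if `openssl` is missing or fails the redirect still leaves an empty file, and `creates` then treats the key as generated on every later run — writing to a temporary path and moving it into place only after the command succeeds (or running under a shell with pipefail enabled, if the target platform's `/bin/sh` supports it) avoids a silently empty key. The class body this hunk adds to continues outside the hunk.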
@@ -29,6 +29,7 @@
 .without_content(%r{sslmode})
 .without_content(%r{WORKER_TTL})
 is_expected.to contain_file('/etc/pulp')
+ is_expected.to contain_file('/etc/pulp/certs/database_fields.symmetric.key')
 is_expected.to contain_file('/var/lib/pulp')
 is_expected.to contain_file('/var/lib/pulp/sync_imports')
 is_expected.to contain_file('/var/lib/pulp/assets')

From cf185120a062f227dad49abcbef0eea88c936b6e Mon Sep 17 00:00:00 2001
From: Justin Sherrill
Date: Wed, 20 Oct 2021 12:48:37 -0400
Subject: [PATCH 2/2] Apply suggestions from code review

Co-authored-by: Ewoud Kohl van Wijngaarden
---
 manifests/config.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/manifests/config.pp b/manifests/config.pp
index 540ecca5..317b3abf 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -53,7 +53,7 @@
 exec { 'Create database symmetric key':
 path => ['/bin', '/usr/bin'],
- command => "openssl rand -base64 32 | tr '+/' '-_' > ${pulpcore::database_key_file}",
+ command => "openssl rand -base64 32 | tr '+/' '-_' > ${pulpcore::database_key_file}",
 creates => $pulpcore::database_key_file,
 }
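Review bot: The new assertion only checks that the key file resource is present in the catalog, while the mode and group are the part of that resource that actually protects the key; chain them here so a regression is caught, e.g. `is_expected.to contain_file('/etc/pulp/certs/database_fields.symmetric.key').with_mode('0640')`, and add a `with_group(...)` for the configured pulp group. It would also be worth asserting the generating resource exists, `is_expected.to contain_exec('Create database symmetric key').with_creates('/etc/pulp/certs/database_fields.symmetric.key')`, since the file resource depends on it. The enclosing `it` block starts and ends outside the hunk.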