The tsig-keygen command can be used to generate a TSIG key to secure the OMAPI communication.
This is a draft since I realized I need to rewrite some things. Initially it was based on https://github.com/theforeman/foreman-documentation/pull/2709 but then reading the manual I realized dnssec-keygen in Fedora can no longer create TSIG keys. Luckily, tsig-keygen also exists on EL8. Probably also on Debian/Ubuntu.
Another thing I realized was the very complex permission model. It would be way easier if puppet-dhcp creates a separate file for the OMAPI key with strict permissions and the regular DHCP file only includes that. This would allow us to drop the POSIX ACLs.