Merge pull request #548 from lbetz/enhancement/547

TheMeier · web-flow · commit 499a5f3331a2 · 2025-08-15T10:00:32.000+02:00
Add support for tls-key-file-pass
diff --git a/REFERENCE.md b/REFERENCE.md
@@ -184,6 +184,7 @@ The following parameters are available in the `redis` class:
 * [`tls_port`](#-redis--tls_port)
 * [`tls_cert_file`](#-redis--tls_cert_file)
 * [`tls_key_file`](#-redis--tls_key_file)
+* [`tls_key_file_pass`](#-redis--tls_key_file_pass)
 * [`tls_ca_cert_file`](#-redis--tls_ca_cert_file)
 * [`tls_ca_cert_dir`](#-redis--tls_ca_cert_dir)
 * [`tls_auth_clients`](#-redis--tls_auth_clients)
@@ -1043,6 +1044,14 @@ Specify which privaye key file to use for TLS connections.
 
 Default value: `undef`
 
+##### <a name="-redis--tls_key_file_pass"></a>`tls_key_file_pass`
+
+Data type: `Optional[Variant[String[1], Sensitive[String[1]], Deferred]]`
+
+Passphrase to encrypt the private key file.
+
+Default value: `undef`
+
 ##### <a name="-redis--tls_ca_cert_file"></a>`tls_ca_cert_file`
 
 Data type: `Optional[Stdlib::Absolutepath]`
@@ -1546,6 +1555,7 @@ The following parameters are available in the `redis::sentinel` class:
 * [`service_enable`](#-redis--sentinel--service_enable)
 * [`tls_cert_file`](#-redis--sentinel--tls_cert_file)
 * [`tls_key_file`](#-redis--sentinel--tls_key_file)
+* [`tls_key_file_pass`](#-redis--sentinel--tls_key_file_pass)
 * [`tls_ca_cert_file`](#-redis--sentinel--tls_ca_cert_file)
 * [`tls_ca_cert_dir`](#-redis--sentinel--tls_ca_cert_dir)
 * [`tls_auth_clients`](#-redis--sentinel--tls_auth_clients)
@@ -1834,6 +1844,14 @@ Specify which privaye key file to use for TLS connections.
 
 Default value: `undef`
 
+##### <a name="-redis--sentinel--tls_key_file_pass"></a>`tls_key_file_pass`
+
+Data type: `Optional[Variant[String[1], Sensitive[String[1]], Deferred]]`
+
+Passphrase to encrypt the private key file.
+
+Default value: `undef`
+
 ##### <a name="-redis--sentinel--tls_ca_cert_file"></a>`tls_ca_cert_file`
 
 Data type: `Optional[Stdlib::Absolutepath]`
@@ -2031,6 +2049,7 @@ The following parameters are available in the `redis::instance` defined type:
 * [`tls_port`](#-redis--instance--tls_port)
 * [`tls_cert_file`](#-redis--instance--tls_cert_file)
 * [`tls_key_file`](#-redis--instance--tls_key_file)
+* [`tls_key_file_pass`](#-redis--instance--tls_key_file_pass)
 * [`tls_ca_cert_file`](#-redis--instance--tls_ca_cert_file)
 * [`tls_ca_cert_dir`](#-redis--instance--tls_ca_cert_dir)
 * [`tls_auth_clients`](#-redis--instance--tls_auth_clients)
@@ -2742,6 +2761,14 @@ Specify which privaye key file to use for TLS connections.
 
 Default value: `$redis::tls_key_file`
 
+##### <a name="-redis--instance--tls_key_file_pass"></a>`tls_key_file_pass`
+
+Data type: `Optional[Variant[String[1], Sensitive[String[1]], Deferred]]`
+
+Passphrase to encrypt the private key file.
+
+Default value: `$redis::tls_key_file_pass`
+
 ##### <a name="-redis--instance--tls_ca_cert_file"></a>`tls_ca_cert_file`
 
 Data type: `Optional[Stdlib::Absolutepath]`
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -231,6 +231,8 @@
 #   Specify which X.509 certificate file to use for TLS connections.
 # @param tls_key_file
 #   Specify which privaye key file to use for TLS connections.
+# @param tls_key_file_pass
+#   Passphrase to encrypt the private key file.
 # @param tls_ca_cert_file
 #   Specify which X.509 CA certificate(s) bundle file to use.
 # @param tls_ca_cert_dir
@@ -453,6 +455,7 @@
   Optional[Stdlib::Port] $tls_port                               = undef,
   Optional[Stdlib::Absolutepath] $tls_cert_file                  = undef,
   Optional[Stdlib::Absolutepath] $tls_key_file                   = undef,
+  Optional[Variant[String[1], Sensitive[String[1]], Deferred]] $tls_key_file_pass = undef,
   Optional[Stdlib::Absolutepath] $tls_ca_cert_file               = undef,
   Optional[Stdlib::Absolutepath] $tls_ca_cert_dir                = undef,
   Enum['yes', 'no', 'optional'] $tls_auth_clients                = 'no',
diff --git a/manifests/instance.pp b/manifests/instance.pp
@@ -185,6 +185,8 @@
 #   Specify which X.509 certificate file to use for TLS connections.
 # @param tls_key_file
 #   Specify which privaye key file to use for TLS connections.
+# @param tls_key_file_pass
+#   Passphrase to encrypt the private key file.
 # @param tls_ca_cert_file
 #   Specify which X.509 CA certificate(s) bundle file to use.
 # @param tls_ca_cert_dir
@@ -368,6 +370,7 @@
   Optional[Stdlib::Port] $tls_port                               = $redis::tls_port,
   Optional[Stdlib::Absolutepath] $tls_cert_file                  = $redis::tls_cert_file,
   Optional[Stdlib::Absolutepath] $tls_key_file                   = $redis::tls_key_file,
+  Optional[Variant[String[1], Sensitive[String[1]], Deferred]] $tls_key_file_pass = $redis::tls_key_file_pass,
   Optional[Stdlib::Absolutepath] $tls_ca_cert_file               = $redis::tls_ca_cert_file,
   Optional[Stdlib::Absolutepath] $tls_ca_cert_dir                = $redis::tls_ca_cert_dir,
   Optional[String[1]] $tls_ciphers                               = $redis::tls_ciphers,
@@ -578,6 +581,7 @@
     tls_port                      => $tls_port,
     tls_cert_file                 => $tls_cert_file,
     tls_key_file                  => $tls_key_file,
+    tls_key_file_pass             => $tls_key_file_pass,
     tls_ca_cert_file              => $tls_ca_cert_file,
     tls_ca_cert_dir               => $tls_ca_cert_dir,
     tls_ciphers                   => $tls_ciphers,
diff --git a/manifests/sentinel.pp b/manifests/sentinel.pp
@@ -111,6 +111,9 @@
 # @param tls_key_file
 #   Specify which privaye key file to use for TLS connections.
 #
+# @param tls_key_file_pass
+#   Passphrase to encrypt the private key file.
+#
 # @param tls_ca_cert_file
 #   Specify which X.509 CA certificate(s) bundle file to use.
 #
@@ -191,6 +194,7 @@
   String[1] $service_user = 'redis',
   Optional[Stdlib::Absolutepath] $tls_cert_file = undef,
   Optional[Stdlib::Absolutepath] $tls_key_file = undef,
+  Optional[Variant[String[1], Sensitive[String[1]], Deferred]] $tls_key_file_pass = undef,
   Optional[Stdlib::Absolutepath] $tls_ca_cert_file = undef,
   Optional[Stdlib::Absolutepath] $tls_ca_cert_dir = undef,
   Enum['yes', 'no', 'optional'] $tls_auth_clients = 'no',
diff --git a/spec/classes/redis_sentinel_spec.rb b/spec/classes/redis_sentinel_spec.rb
@@ -126,6 +126,7 @@ class { 'redis':
             sentinel_announce_port: 1234,
             tls_cert_file: '/etc/pki/cert.pem',
             tls_key_file: '/etc/pki/privkey.pem',
+            tls_key_file_pass: '_VALUE_',
             tls_ca_cert_file: '/etc/pki/cacert.pem',
             tls_ca_cert_dir: '/etc/pki/cacerts',
             tls_auth_clients: 'yes',
@@ -163,6 +164,7 @@ class { 'redis':
 
             tls-cert-file /etc/pki/cert.pem
             tls-key-file /etc/pki/privkey.pem
+            tls-key-file-pass _VALUE_
             tls-ca-cert-file /etc/pki/cacert.pem
             tls-ca-cert-dir /etc/pki/cacerts
             tls-auth-clients yes
diff --git a/spec/classes/redis_spec.rb b/spec/classes/redis_spec.rb
@@ -1442,6 +1442,7 @@ class { 'redis':
             tls_port: 7777,
             tls_cert_file: '/etc/ssl/certs/dummy.crt',
             tls_key_file: '/etc/ssl/private/dummy.key',
+            tls_key_file_pass: '_VALUE_',
             tls_ca_cert_file: '/etc/ssl/certs/ca_bundle.pem',
             tls_ca_cert_dir: '/etc/ssl/some/dir',
             tls_auth_clients: 'no',
@@ -1459,6 +1460,7 @@ class { 'redis':
             with_content(%r{^tls-port 7777$}).
             with_content(%r{^tls-cert-file\s*/etc/ssl/certs/dummy\.crt$}).
             with_content(%r{^tls-key-file\s*/etc/ssl/private/dummy\.key$}).
+            with_content(%r{^tls-key-file-pass\s*_VALUE_$}).
             with_content(%r{^tls-ca-cert-file\s*/etc/ssl/certs/ca_bundle\.pem$}).
             with_content(%r{^tls-ca-cert-dir\s*/etc/ssl/some/dir$}).
             with_content(%r{^tls-auth-clients\s*no$}).
@@ -1471,6 +1473,21 @@ class { 'redis':
         end
       end
 
+      describe 'with TLS key file pass is set sensitive' do
+        let(:params) do
+          {
+            tls_port: 7777,
+            tls_key_file_pass: sensitive('_VALUE_'),
+          }
+        end
+
+        it {
+          is_expected.to contain_file(config_file_orig).with(
+            'content' => sensitive(%r{tls-key-file-pass.*_VALUE_})
+          )
+        }
+      end
+
       describe 'with parameter manage_service_file' do
         let(:params) do
           {
diff --git a/templates/redis-sentinel.conf.erb b/templates/redis-sentinel.conf.erb
@@ -50,6 +50,9 @@ requirepass <%= @requirepass %>
 
 tls-cert-file <%= @tls_cert_file %>
 tls-key-file <%= @tls_key_file %>
+<% if @tls_key_file_pass -%>
+tls-key-file-pass <%= @tls_key_file_pass %>
+<% end -%>
 <% if @tls_ca_cert_file -%>
 tls-ca-cert-file <%= @tls_ca_cert_file %>
 <% end -%>
diff --git a/templates/redis.conf.epp b/templates/redis.conf.epp
@@ -75,6 +75,7 @@
   Optional[Stdlib::Port]                             $tls_port,
   Optional[Stdlib::Absolutepath]                     $tls_cert_file,
   Optional[Stdlib::Absolutepath]                     $tls_key_file,
+  Optional[Variant[String[1], Sensitive[String[1]]]] $tls_key_file_pass,
   Optional[Stdlib::Absolutepath]                     $tls_ca_cert_file,
   Optional[Stdlib::Absolutepath]                     $tls_ca_cert_dir,
   Optional[String[1]]                                $tls_ciphers,
@@ -177,6 +178,9 @@ tls-port <%= $tls_port %>
 # PEM formatted.
 tls-cert-file <%= $tls_cert_file %>
 tls-key-file <%= $tls_key_file %>
+<% if $tls_key_file_pass { -%>
+tls-key-file-pass <%= $tls_key_file_pass %>
+<% } -%>
 
 # Configure a CA certificate(s) bundle or directory to authenticate TLS/SSL
 # clients and peers.  Redis requires an explicit configuration of at least one
