Generate db_encrypted_fields_keyfile

Pulpcore 3.15 will require a Fernet symmetric encryption
key to encrypt certain sensitive database fields.
This is expected to contain 32 pseudorandom bytes in
url-safe base64-encoded format, with padding.

lib/puppet/functions/generate_fernet_key.rb

@@ -0,0 +1,12 @@
+require 'securerandom'
+
+Puppet::Functions.create_function(:generate_fernet_key) do
+  # @return 32 byte url-safe base64-encoded (with padding) Fernet symmetric encryption key
+  dispatch :generate_fernet_key do
+    return_type 'String'
+  end
+
+  def generate_fernet_key
+    SecureRandom.urlsafe_base64(32)+"="
+  end
+end

manifests/config.pp

@@ -8,6 +8,16 @@
     mode   => '0755',
   }
 
+  file { $pulpcore::db_encrypted_fields_keyfile:
+    ensure    => file,
+    content   => $pulpcore::db_encrypted_fields_key,
+    owner     => 'root',
+    group     => $pulpcore::group,
+    mode      => '0640',
+    show_diff => false,
+    require   => File[$pulpcore::config_dir],
+  }
+
   concat { 'pulpcore settings':
     ensure         => present,
     path           => $pulpcore::settings_file,

manifests/init.pp

@@ -205,7 +205,9 @@
   Integer[0] $api_service_worker_timeout = 90,
   Hash[String[1], String[1]] $api_client_auth_cn_map = {},
 ) {
-  $settings_file = "${config_dir}/settings.py"
+  $settings_file               = "${config_dir}/settings.py"
+  $db_encrypted_fields_keyfile = "${config_dir}/db_encrypted_fields_key"
+  $db_encrypted_fields_key     = extlib::cache_data('pulpcore_cache_data', 'db_encrypted_fields_key', generate_fernet_key())
 
   contain pulpcore::install
   contain pulpcore::database

spec/acceptance/basic_spec.rb

@@ -73,6 +73,14 @@ class { 'pulpcore':
     its(:body) { is_expected.to contain('artifacts_list') }
     its(:exit_status) { is_expected.to eq 0 }
   end
+
+  describe file('/etc/pulp/db_encrypted_fields_key') do
+    it { is_expected.to be_file }
+    it { is_expected.to be_mode 640 }
+    it { is_expected.to be_owned_by 'root' }
+    it { is_expected.to be_grouped_into 'pulp' }
+    its(:content) { is_expected.to match /\A([a-zA-Z]|\d|-|_){43}=\z/ }
+  end
 end
 
 describe 'reducing worker count' do