From a0d654a7296cc0c72895ce980baf2dcfe2d2c9a2 Mon Sep 17 00:00:00 2001 From: Martin Alfke Date: Tue, 31 Jan 2023 13:31:11 +0100 Subject: [PATCH 1/4] fixes for production --- REFERENCE.md | 125 ++++++++++++++++++++++-------------------- manifests/docker.pp | 1 + manifests/init.pp | 5 ++ metadata.json | 2 +- templates/hdm.yml.epp | 2 +- 5 files changed, 75 insertions(+), 60 deletions(-) diff --git a/REFERENCE.md b/REFERENCE.md index cf596c2..e4fcc16 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -17,9 +17,9 @@ ### Data types -* [`Hdm::Gitdata`](#hdmgitdata): type to enforce git settings for HDM -* [`Hdm::Ldap_settings`](#hdmldap_settings): type to enforce ldap settings for HDM -* [`Hdm::Puppetdb`](#hdmpuppetdb): type to enforce puppetdb settings for HDM +* [`Hdm::Gitdata`](#Hdm--Gitdata): type to enforce git settings for HDM +* [`Hdm::Ldap_settings`](#Hdm--Ldap_settings): type to enforce ldap settings for HDM +* [`Hdm::Puppetdb`](#Hdm--Puppetdb): type to enforce puppetdb settings for HDM ## Classes 
@@ -39,27 +39,28 @@ include hdm The following parameters are available in the `hdm` class: -* [`method`](#method) -* [`manage_docker`](#manage_docker) -* [`version`](#version) -* [`ruby_version`](#ruby_version) -* [`port`](#port) -* [`bind_ip`](#bind_ip) -* [`hostname`](#hostname) -* [`timezone`](#timezone) -* [`hdm_path`](#hdm_path) -* [`git_url`](#git_url) -* [`user`](#user) -* [`group`](#group) -* [`puppetdb_settings`](#puppetdb_settings) -* [`puppet_code_dir`](#puppet_code_dir) -* [`allow_encryption`](#allow_encryption) -* [`read_only`](#read_only) -* [`git_data`](#git_data) -* [`ldap_settings`](#ldap_settings) -* [`hdm_hiera_config_file`](#hdm_hiera_config_file) - -##### `method` +* [`method`](#-hdm--method) +* [`manage_docker`](#-hdm--manage_docker) +* [`version`](#-hdm--version) +* [`ruby_version`](#-hdm--ruby_version) +* [`port`](#-hdm--port) +* [`bind_ip`](#-hdm--bind_ip) +* [`hostname`](#-hdm--hostname) +* [`timezone`](#-hdm--timezone) +* [`hdm_path`](#-hdm--hdm_path) +* [`secret_key_base`](#-hdm--secret_key_base) +* [`git_url`](#-hdm--git_url) +* [`user`](#-hdm--user) +* [`group`](#-hdm--group) +* [`puppetdb_settings`](#-hdm--puppetdb_settings) +* [`puppet_code_dir`](#-hdm--puppet_code_dir) +* [`allow_encryption`](#-hdm--allow_encryption) +* [`read_only`](#-hdm--read_only) +* [`git_data`](#-hdm--git_data) +* [`ldap_settings`](#-hdm--ldap_settings) +* [`hdm_hiera_config_file`](#-hdm--hdm_hiera_config_file) + +##### `method` Data type: `Enum['docker', 'rvm']` @@ -70,7 +71,7 @@ bundler gem. Default value: `'docker'` -##### `manage_docker` +##### `manage_docker` Data type: `Boolean` @@ -81,9 +82,9 @@ RedHat and windows systems. SLES users must install and start docker via puppet package and service resource. -Default value: ``true`` +Default value: `true` -##### `version` +##### `version` Data type: `String[1]` @@ -93,7 +94,7 @@ the git tag when using rvm Default value: `'main'` -##### `ruby_version` +##### `ruby_version` Data type: `String[1]` 
@@ -102,7 +103,7 @@ Please check [hdm ruby version requirement](https://github.com/betadots/hdm/blob Default value: `'3.1.2'` -##### `port` +##### `port` Data type: `Stdlib::Port` @@ -110,7 +111,7 @@ The port where HDM should run on Default value: `3000` -##### `bind_ip` +##### `bind_ip` Data type: `Stdlib::IP::Address::Nosubnet` @@ -118,7 +119,7 @@ The ip address to bind the process to Default value: `'0.0.0.0'` -##### `hostname` +##### `hostname` Data type: `String[1]` @@ -126,7 +127,7 @@ The HDM webservice hostname Default value: `$facts['networking']['fqdn']` -##### `timezone` +##### `timezone` Data type: `String[1]` @@ -134,7 +135,7 @@ THe timezone to use when running with docker Default value: `$facts['timezone']` -##### `hdm_path` +##### `hdm_path` Data type: `Stdlib::Unixpath` @@ -142,7 +143,15 @@ Path where one wants to install and configure hdm Default value: `'/etc/hdm'` -##### `git_url` +##### `secret_key_base` + +Data type: `String[32,32]` + +A 32 character key. Key can be generated using `openssl rand -hex32` + +Default value: `'7a8509ab31fdb0c15c71c941d089474a'` + +##### `git_url` Data type: `String[1]` @@ -150,7 +159,7 @@ The git URL to clone the hdm repo from Default value: `'https://github.com/betadots/hdm.git'` -##### `user` +##### `user` Data type: `String[1]` @@ -158,7 +167,7 @@ The hdm user name Default value: `'hdm'` -##### `group` +##### `group` Data type: `String[1]` @@ -166,7 +175,7 @@ The hdm group name Default value: `'hdm'` -##### `puppetdb_settings` +##### `puppetdb_settings` Data type: `Hdm::Puppetdb` @@ -201,7 +210,7 @@ Using SSL cert: Default value: `{ 'server' => 'http://localhost:8080', }` -##### `puppet_code_dir` +##### `puppet_code_dir` Data type: `Stdlib::Unixpath` @@ -211,7 +220,7 @@ defaults to '/etc/puppetlabs/code' Default value: `'/etc/puppetlabs/code'` -##### `allow_encryption` +##### `allow_encryption` Data type: `Boolean` 
@@ -220,9 +229,9 @@ Needs HDM access to EYAML keys (public and private) Values for keys are taken from hiera.yaml file and can not be set individually. -Default value: ``false`` +Default value: `false` -##### `read_only` +##### `read_only` Data type: `Boolean` @@ -232,9 +241,9 @@ WARNING!! setting to true is untested!!! Changes are stored via GIT. Setting this to true also needs the git_data Array parameter -Default value: ``true`` +Default value: `true` -##### `git_data` +##### `git_data` Data type: `Optional[Hdm::Gitdata]` @@ -252,9 +261,9 @@ Required Array of hash data: ] ``` -Default value: ``undef`` +Default value: `undef` -##### `ldap_settings` +##### `ldap_settings` Data type: `Optional[Hdm::Ldap_settings]` @@ -271,9 +280,9 @@ Needs the following Hash: } ``` -Default value: ``undef`` +Default value: `undef` -##### `hdm_hiera_config_file` +##### `hdm_hiera_config_file` Data type: `String[1]` @@ -284,24 +293,24 @@ Default value: `'hiera.yaml'` ## Data types -### `Hdm::Gitdata` +### `Hdm::Gitdata` type to enforce git settings for HDM Alias of ```puppet -Array[Optional[Struct[ +Array[Struct[ { datadir => Stdlib::Unixpath, git_url => String[1], path_in_repo => String[1], Optional[ssh_priv_key] => String[1], } - ]]] + ]] ``` -### `Hdm::Ldap_settings` +### `Hdm::Ldap_settings` type to enforce ldap settings for HDM @@ -309,16 +318,16 @@ Alias of ```puppet Struct[{ - Optional[host] => Stdlib::Host, - Optional[port] => Stdlib::Port, - Optional[base_dn] => String[1], - Optional[bind_dn] => String[1], - Optional[bind_dn_password] => String[1], - 'ldaps' => Boolean, + 'host' => Stdlib::Host, + 'port' => Stdlib::Port, + 'base_dn' => String[1], + 'bind_dn' => String[1], + 'bind_dn_password' => Sensitive, + 'ldaps' => Boolean, }] ``` -### `Hdm::Puppetdb` +### `Hdm::Puppetdb` type to enforce puppetdb settings for HDM diff --git a/manifests/docker.pp b/manifests/docker.pp index dcfb80d..debbf31 100644 --- a/manifests/docker.pp +++ b/manifests/docker.pp 
@@ -58,6 +58,7 @@
     env => [
       "TZ=${$hdm::timezone}",
       "RAILS_DEVELOPMENT_HOSTS=${hdm::hostname}",
+      "SECRET_KEY_BASE=${hdm::secret_key_base}",
     ],
     volumes => [
       "${hdm::hdm_path}:${hdm::hdm_path}",
diff --git a/manifests/init.pp b/manifests/init.pp
index c5077b2..04d6bed 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -31,6 +31,8 @@
 #
 # @param hdm_path Path where one wants to install and configure hdm
 #
+# @param secret_key_base A 32 character key. Key can be generated using `openssl rand -hex32`
+#
 # @param git_url The git URL to clone the hdm repo from
 #
 # @param user The hdm user name
@@ -125,6 +127,7 @@
   String[1] $hostname = $facts['networking']['fqdn'],
   String[1] $timezone = $facts['timezone'],
   Stdlib::Unixpath $hdm_path = '/etc/hdm',
+  String[32,32] $secret_key_base = '7a8509ab31fdb0c15c71c941d089474a',
   String[1] $user = 'hdm',
   String[1] $group = 'hdm',
   String[1] $git_url = 'https://github.com/betadots/hdm.git',
@@ -140,9 +143,11 @@
   case $method {
     'docker': {
       include hdm::docker
+      $run_mode = 'production'
     }
     'rvm': {
       include hdm::rvm
+      $run_mode = 'development'
     }
     default: {
       fail('Unknown HDM installation method.')
diff --git a/metadata.json b/metadata.json
index 108a2ae..143979c 100644
--- a/metadata.json
+++ b/metadata.json
@@ -1,6 +1,6 @@
 {
   "name": "betadots-hdm",
-  "version": "2.0.2",
+  "version": "2.1.0",
   "author": "betadots GmbH",
   "summary": "Manage Hiera Data Manager application",
   "license": "Apache-2.0",
diff --git a/templates/hdm.yml.epp b/templates/hdm.yml.epp
index e750ea0..8a4c74d 100644
--- a/templates/hdm.yml.epp
+++ b/templates/hdm.yml.epp
@@ -1,5 +1,5 @@
 ---
-development:
+<%= $hdm::run_mode %>:
   read_only: <%= $hdm::read_only %>
   allow_encryption: <%= $hdm::allow_encryption %>
   puppet_db:
From 5d1bedeb7a919293e3e5a2e4dda58590a005c6ce Mon Sep 17 00:00:00 2001
From: Martin Alfke
Date: Tue, 31 Jan 2023 13:38:20 +0100
Subject: [PATCH 2/4] fix secret

---
 manifests/init.pp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
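Review bot: The added `"SECRET_KEY_BASE=${hdm::secret_key_base}"` entry interpolates a plain `String` parameter, so the Rails secret that derives the cookie-signing and encryption keys is written in cleartext into the compiled catalog, into Puppet reports, and into the container definition where `docker inspect` shows the `env` list. Typing the parameter as `Sensitive[String[1]]` in init.pp and unwrapping it only here, `"SECRET_KEY_BASE=${hdm::secret_key_base.unwrap}"`, keeps it redacted in catalog and report output; whether the `env` list of this resource accepts a Sensitive value without unwrapping is not visible in the hunk, so the value may still reach the container config in the clear and should be confirmed against the docker module used. The enclosing resource starts and ends outside the hunk.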
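Review bot: The new `$secret_key_base` parameter ships a fixed default, `'7a8509ab31fdb0c15c71c941d089474a'`, which is published with the module, so every installation that does not override it signs and encrypts its Rails sessions with the same publicly known key. Dropping the default (`String[32,32] $secret_key_base,`) makes catalog compilation fail until a per-installation value is supplied, which is the safer failure mode for a production fix; the `@param secret_key_base` comment in the hunk above should then state that the value must be unique per installation and treated as a secret. Patches 2 and 3 of this series adjust only the type width and the generation command and keep the same default. The class parameter list starts and ends outside the hunk.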
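Review bot: With `<%= $hdm::run_mode %>:` as the only top-level key, the settings below it are picked up only when the environment HDM actually starts in matches that name; if the service is started with a different `RAILS_ENV`, the generated `hdm.yml` silently contains no section for the running environment instead of failing. Presumably `production` for the docker method and `development` for rvm is what the two service definitions use, but hdm::docker and hdm::rvm are not part of this series, so that coupling is worth confirming and recording with a comment on the `$run_mode` assignments in init.pp, e.g. `# must match the RAILS_ENV the service starts with; hdm.yml.epp keys its config on it`.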
diff --git a/manifests/init.pp b/manifests/init.pp
index 04d6bed..54f400e 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -31,7 +31,7 @@
 #
 # @param hdm_path Path where one wants to install and configure hdm
 #
-# @param secret_key_base A 32 character key. Key can be generated using `openssl rand -hex32`
+# @param secret_key_base A 32 character key. Key can be generated using `openssl rand -hex 32`
 #
 # @param git_url The git URL to clone the hdm repo from
 #
@@ -127,7 +127,7 @@
   String[1] $hostname = $facts['networking']['fqdn'],
   String[1] $timezone = $facts['timezone'],
   Stdlib::Unixpath $hdm_path = '/etc/hdm',
-  String[32,32] $secret_key_base = '7a8509ab31fdb0c15c71c941d089474a',
+  String[1,32] $secret_key_base = '7a8509ab31fdb0c15c71c941d089474a',
   String[1] $user = 'hdm',
   String[1] $group = 'hdm',
   String[1] $git_url = 'https://github.com/betadots/hdm.git',
From 74a23a6e5dc6410596ccec2fe857b29a05374f93 Mon Sep 17 00:00:00 2001
From: Martin Alfke
Date: Tue, 31 Jan 2023 13:41:25 +0100
Subject: [PATCH 3/4] fix documentation on secret key

---
 manifests/init.pp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/manifests/init.pp b/manifests/init.pp
index 54f400e..9d53fc6 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -31,7 +31,7 @@
 #
 # @param hdm_path Path where one wants to install and configure hdm
 #
-# @param secret_key_base A 32 character key. Key can be generated using `openssl rand -hex 32`
+# @param secret_key_base A secret key. Key can be generated using `openssl rand -hex 16`
 #
 # @param git_url The git URL to clone the hdm repo from
 #
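Review bot: `String[1,32] $secret_key_base` caps the key at 32 characters while the doc comment in the hunk above recommends `openssl rand -hex 32`, which produces a 64-character string, so a key generated as documented is rejected at compile time. Patch 3 resolves the mismatch by switching the advice to `-hex 16` and the type to `String[1]`, but `String[1]` then accepts a one-character secret; a lower bound only, `String[32] $secret_key_base`, keeps the minimum the documentation implies without the upper cap. The class parameter list continues outside the hunk.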
@@ -127,7 +127,7 @@
   String[1] $hostname = $facts['networking']['fqdn'],
   String[1] $timezone = $facts['timezone'],
   Stdlib::Unixpath $hdm_path = '/etc/hdm',
-  String[1,32] $secret_key_base = '7a8509ab31fdb0c15c71c941d089474a',
+  String[1] $secret_key_base = '7a8509ab31fdb0c15c71c941d089474a',
   String[1] $user = 'hdm',
   String[1] $group = 'hdm',
   String[1] $git_url = 'https://github.com/betadots/hdm.git',
From 7d84777edc779ef1fe817b9b62560da2eff82a73 Mon Sep 17 00:00:00 2001
From: Martin Alfke
Date: Tue, 31 Jan 2023 13:44:09 +0100
Subject: [PATCH 4/4] reorder variable and class declaration

variable must be set prior including the class

---
 manifests/init.pp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/manifests/init.pp b/manifests/init.pp
index 9d53fc6..eba3946 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -142,12 +142,12 @@
 ) {
   case $method {
     'docker': {
-      include hdm::docker
       $run_mode = 'production'
+      include hdm::docker
     }
     'rvm': {
-      include hdm::rvm
       $run_mode = 'development'
+      include hdm::rvm
     }
     default: {
       fail('Unknown HDM installation method.')