Repository files navigation

Copyright 2023 betadots GmbH

This Rails application displaysPuppet Hiera data and offers a WebGUI to read/update/create that configuration.

You can find screenshots in thescreenshots.

At the moment manual installation is only tested on macOS, CentOS 7 and 8 Streams. But we highly recommend to use the Docker image!

SeeMANUAL_INSTALL.md

Docker containers are made available. You can find more information inDOCKER.md.For automated installations we recommend using Puppet code. A working profile example can be found inPUPPET.md

HDM needs a configuration file (hdm.yml). Location depends on installation method:

• Manual installation: within the HDM git clone inconfig/hdm.yml
• Docker installation: on the docker host in/etc/hdm/hdm.yml

Configurations are provided as a Hash. The main hash key describes the Rails environment HDM is running in:

• Manual installation: depending on RAILS ENVIRONMENT env var - defaults todevelopment
• Docker installation: set toproduction

The following configuration options are possible:

# hdm.ymlproduction:authentication_disabled:false# disable user auth and managementread_only:true# read/write mode?allow_encryption:false# encypting eyamlpuppet_db:# PuppetDB access - plain text (default)server:http://localhost:8080puppet_db:# PuppetDB access-  PE token authserver:'https://localhost:8081'token:'/etc/hdm/puppetdb.token'cacert:'<path to cacert>'puppet_db:# PuppetDB access - SSL Cert authserver:'https://localhost:8081'pem:key:<path to key>cert:<path to cert>ca_file:<path to ca_file>hiera_config_file:"hiera.yaml"# hiera config file nameconfig_dir:/etc/puppetlabs/code# puppet code directoryglobal_hiera_yaml:/etc/puppetlabs/puppet/hiera.yamlbase_module_path:"/etc/puppetlabs/puppet/code:/opt/puppetlabs/puppet/modules"# optional, in case you overwrite `basemodulepath` in puppet.confldap:# LDAP User authhost:'localhost'port:389base_dn:'ou=hdm,dc=nodomain'bind_dn:'cn=admin,dc=nodomain'bind_dn_password:'openldap'ldaps:false

Usermanagement can be disabled in HDM config file by specifying theauthentication_disabled option.

A fresh installation needs an admin which has to be created first with the WebGUI. That admin can not read the Puppet configuration. He/She can only create/delete new users. Normal users have the ability to read/change/delete the Puppet configuration data.

HDM can edit live hiera yaml files directly in the file system. While this mightbe fine for smaller installations, it might not be desireable in many others.

In those cases you should make sure that the user HDM runs as has no writeaccess to the files. If you still want to be able to make changes, you shouldconsider making them in a git repository instead. This will afford you a fullhistory of edits and the possibility to roll back changes if necessary.

HDM supports this by allowing you to substitute directories from the file systemhosting the live hiera files with directories from a git repository.

Say your live data lives in/etc/puppetlabs/code/myenv/data. To replace thiswith data from the git repository atgithost.example.com:puppet/hiera_data.gitwhere the corresponding directory is calledenvironments/myenv/data add thefollowing toconfig/hdm.yml:

production:# ... existing production config ...git_data:    -datadir:/etc/puppetlabs/code/myenv/datagit_url:git@githost.example.com:puppet/hiera_data.gitpath_in_repo:environments/myenv/data

You can substitute as many directories with ones from git repositories as youlike.

Please note that the user HDM runs as needs to be able to clone the repository.Cloned repos are stored in HDM'srepos directory. Repositories are clonedthe first time they are needed. This might take a long time, so HDM alsoprovides a task to prefetch all needed repositories:

bundleexec rails hdm:clone_repos

Any changes made to files from a git repository will be commited and pushed backto the origin repository. Please note that HDM will not pull updates from theorigin repository and isnot able to resolve possible conflicts, so you mightwant to make sure that your repository is only edited by HDM.

Don't forget to set SECRET_KEY_BASE env var in docker run, docker-compose, systemd or hieradata.

openssl rand -hex 169dea7603c008dec285e4b231602a00b2SECRET_KEY_BASE="9dea7603c008dec285e4b231602a00b2"docker run -it --rm -p 3000:3000 -e DEVELOP=1 -e SECRET_KEY_BASE=9dea7603c008dec285e4b231602a00b2 ghcr.io/betadots/hdm:development

Seedocker-compose.yaml.

Move existing db/development.sqlite3 to db/production.sqlite3

dockerexec -it<container_id> bashmv db/development.sqlite3 db/production.sqlite3bin/rails db:environment:set RAILS_ENV=production

seeCONTRIBUTING.md