From 20bf3ccff4102fa7450e21d39c51fbdcc4e53a4b Mon Sep 17 00:00:00 2001 From: Martin Alfke Date: Fri, 1 Dec 2023 15:37:20 +0100 Subject: [PATCH 1/2] Update README - add section on SECRET_KEY - add example for PuppetDB SSL within Puppet code - correct parameter explanation --- README.md | 48 +++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 47 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index d6aea5dd..e7151d25 100644 --- a/README.md +++ b/README.md @@ -46,12 +46,15 @@ To see how to get it working with RedHat/Centos 7 check out these [docs](https:/ We provide [an official Docker image in the GitHub Container Registry](https://github.com/orgs/voxpupuli/packages/container/package/puppetboard). +You must provide a secret key. Generate one by running `ruby -e "require 'securerandom'; puts SecureRandom.hex(32)"`. + You can run the app on your PuppetDB host with this command: ```bash docker run -it \ -e PUPPETDB_HOST=localhost \ -e PUPPETDB_PORT=8080 \ + -e SECRET_KEY=XXXXXXXX \ --net=host \ ghcr.io/voxpupuli/puppetboard ``` 
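Review bot: the added sentence tells readers to generate a secret key but not what the key protects, whether it must be unique per deployment, or what happens when it is missing or left as the `XXXXXXXX` placeholder from the `docker run` example; one clause stating its purpose and that it must be a private, per-installation value would make the requirement actionable. Passing it as `-e SECRET_KEY=XXXXXXXX` on the command line also leaves the real value in shell history and visible via `docker inspect`; consider showing `--env-file` with a file readable only by the operator, or at least noting that trade-off next to the example.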
@@ -71,11 +74,54 @@ docker::run { 'puppetboard': 'PUPPETDB_HOST=127.0.0.1', 'PUPPETDB_PORT=8080', 'PUPPETBOARD_PORT=8088', + 'SECRET_KEY=XXXXXXXX', ], net => 'host', } ``` +If you want to have all features enabled, you must use SSL talking to PuppetDB: + +```puppet +file { '/etc/puppetboard': + ensure => directory, +} +file { '/etc/puppetboard/key.pem': + ensure => file, + mode => '0644', + source => "/etc/puppetlabs/puppet/ssl/private_keys/${facts['networking']['fqdn']}.pem", +} +file { '/etc/puppetboard/cert.pem': + ensure => file, + mode => '0644', + source => "/etc/puppetlabs/puppet/ssl/certs/${facts['networking']['fqdn']}.pem", +} + +include docker + +docker::image { 'ghcr.io/voxpupuli/puppetboard': } + +docker::run { 'puppetboard': + image => 'ghcr.io/voxpupuli/puppetboard', + volumes => ['/etc/puppetboard:/etc/puppetboard:ro'], + env => [ + 'PUPPETDB_HOST=puppet', # this must be the certname or DNS_ALT_NAME of the PuppetDB host + 'PUPPETDB_PORT=8081', + 'PUPPETBOARD_PORT=8080', + 'ENABLE_CATALOG=true', + 'PUPPETDB_SSL_VERIFY=false', + 'PUPPETDB_KEY=/etc/puppetboard/key.pem', + 'PUPPETDB_CERT=/etc/puppetboard/cert.pem', + 'SECRET_KEY=XXXXXXXX', + 'DEFAULT_ENVIRONMENT=*', + ], + net => 'host', +} +``` + +Within an air gapped environment you want to load all content from your local puppetboard web service. +Add: `'OFFLINE_MODE=true',` to the `env` parameter list of the `docker::run` Puppet type. + We also provide the Dockerfile, so you can build the image yourself: ```bash docker build -t puppetboard . @@ -144,7 +190,7 @@ Assuming your webserver and PuppetDB machine are not identical you will at least By default PuppetDB requires SSL to be used when a non-local client wants to connect. Therefore you'll also have to supply the following settings: -- `PUPPETDB_SSL_VERIFY = /path/to/ca/keyfile.pem` +- `PUPPETDB_SSL_VERIFY = True` - `PUPPETDB_KEY = /path/to/private/keyfile.pem` - `PUPPETDB_CERT = /path/to/public/keyfile.crt` 
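Review bot: in the new Puppet example, `mode => '0644'` on `/etc/puppetboard/key.pem` makes a copy of the agent's private key world-readable on the host, and `'PUPPETDB_SSL_VERIFY=false'` turns off verification of the PuppetDB certificate even though the example goes to the trouble of mounting the agent's certificate and key. Suggest restricting the key (for example `mode => '0600'` with an owner or group the container process can read as) and enabling verification with the CA certificate from the same ssl directory mounted alongside, so the "all features enabled" example does not teach TLS without server verification. Placing `'SECRET_KEY=XXXXXXXX'` as a literal in a manifest also means the real value ends up in catalogs and reports; pointing readers at a lookup from encrypted Hiera data would be worth a sentence. Minor: "Within an air gapped environment you want to load" needs a comma after "environment", and "air-gapped" is normally hyphenated.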
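Review bot: changing `PUPPETDB_SSL_VERIFY` from `/path/to/ca/keyfile.pem` to `True` contradicts the `'PUPPETDB_SSL_VERIFY=false'` value used in the Puppet example earlier in this same patch, and removes the only hint about how the PuppetDB CA is trusted. Document which forms the setting accepts (a boolean, and a CA bundle path if that still works as the removed line implied) and align the example with the recommended value. Also, `/path/to/public/keyfile.crt` is a certificate, not a key file; `/path/to/public/certfile.crt` or similar avoids confusing it with `PUPPETDB_KEY`.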
From 2d71904817e96f106d6785faea64ccbc7e8ff15e Mon Sep 17 00:00:00 2001 From: Martin Alfke Date: Tue, 5 Dec 2023 08:12:04 +0100 Subject: [PATCH 2/2] Update comment on secret key generation make it clear, that the code is an example. --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index e7151d25..263c7614 100644 --- a/README.md +++ b/README.md @@ -46,7 +46,7 @@ To see how to get it working with RedHat/Centos 7 check out these [docs](https:/ We provide [an official Docker image in the GitHub Container Registry](https://github.com/orgs/voxpupuli/packages/container/package/puppetboard). -You must provide a secret key. Generate one by running `ruby -e "require 'securerandom'; puts SecureRandom.hex(32)"`. +You must provide a secret key! Generate one for example by running `ruby -e "require 'securerandom'; puts SecureRandom.hex(32)"`. You can run the app on your PuppetDB host with this command:
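Review bot: the reworded sentence still leaves the key's purpose and required strength unstated; since the Ruby one-liner is now explicitly only an example, state the property it satisfies (32 bytes from a cryptographically secure random source, which is what `SecureRandom.hex(32)` yields) so readers using another tool, e.g. `openssl rand -hex 32`, produce an equivalent key rather than a short or predictable one. The exclamation mark in "You must provide a secret key!" also reads louder than the surrounding README prose; a plain full stop matches the rest of the document.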