Execute hook script before template render

Hi all,

I want to place an encrypted one-time-password in my provisioning template.
This is then used to request a certificate at install time. This OTP is
only valid for 1 hour, so my idea was to create a host parameter containing
the OTP right before the provisioning template is requested/rendered, and
let the template get the OTP from that host parameter.

This is bare-metal installations so I can't set the OTP parameter in Foreman
at host creation since the actual OS install might happen some time later,
and then the OTP is invalid.

Q1: Is there any way to run a foreman hook script at the time of provision
template rendering?
Q2: Any other suggestions on how to do this?

Regards
Adam

You can turn off safemode and then you have full Ruby interpreter at
your hands in your template, just do <% anything_you_want_here %>, so
you can make HTTP request or call an external script to generate the
token for you (just make sure you update SELinux policy if on Red Hat
to allow this). You can also install additional gems.

Cleaner way is to write your own plugin, we have an example template,
generator and docs. Such a plugin can add a new function into ERB
(even in safemode) that will do the job for you. Example how to do
this is here:

http://projects.theforeman.org/projects/foreman/wiki/How_to_Create_a_Plugin#Extend-safemode-access

Hooks is not the way to do it. Good luck and share your plugin with us!

On Wed, Jun 21, 2017 at 2:18 PM, Adam Winberg wrote:
> Hi all,
>
> I want to place an encrypted one-time-password in my provisioning template.
> This is then used to request a certificate at install time. This OTP is only
> valid for 1 hour, so my idea was to create a host parameter containing the
> OTP right before the provisioning template is requested/rendered, and let
> the template get the OTP from that host parameter.
>
> This is bare-metal installations so I can't set the OTP parameter in Foreman
> at host creation since the actual OS install might happen some time later,
> and then the OTP is invalid.
>
> Q1: Is there any way to run a foreman hook script at the time of provision
> template rendering?
> Q2: Any other suggestions on how to do this?
>
> Regards
> Adam
>
> --
> You received this message because you are subscribed to the Google Groups
> "Foreman users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to foreman-users+unsubscribe@googlegroups.com.
> To post to this group, send email to foreman-users@googlegroups.com.
> Visit this group at https://groups.google.com/group/foreman-users.
> For more options, visit https://groups.google.com/d/optout.


Later,
Lukas @lzap Zapletal
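A plain-Ruby sketch of the render-time idea discussed above, added here as an example; it is not Foreman code and not from either poster. It assumes an HMAC-signed, host-bound token as a stand-in for the real OTP, and the names `mint_otp`, `otp_valid?`, `TemplateScope` and `cert_otp` are hypothetical. It shows why a token minted by a helper during rendering is still valid at install time while one stored at host creation is not.

```ruby
require 'erb'
require 'openssl'

OTP_KEY = 'constructed-demo-key' # constructed; shared only with the verifying service
OTP_TTL = 3600                   # seconds, the one-hour validity from the thread

# Mint "<host>:<expiry>:<hmac>" at the moment the helper is called.
def mint_otp(host, now = Time.now.to_i)
  payload = "#{host}:#{now + OTP_TTL}"
  "#{payload}:#{OpenSSL::HMAC.hexdigest('SHA256', OTP_KEY, payload)}"
end

# Verifier side: constant-time MAC check, then host binding and expiry.
def otp_valid?(token, host, now = Time.now.to_i)
  t_host, expiry, mac = token.to_s.split(':', 3)
  return false unless t_host && expiry && mac
  expected = OpenSSL::HMAC.hexdigest('SHA256', OTP_KEY, "#{t_host}:#{expiry}")
  return false unless OpenSSL.secure_compare(mac, expected)
  t_host == host && expiry.to_i > now
end

# Hypothetical stand-in for a template scope that exposes one helper.
# Plain ERB with a binding is NOT a sandbox like Foreman's safemode.
class TemplateScope
  def initialize(host, now)
    @host = host
    @now = now
  end

  # The only helper the template is meant to call.
  def cert_otp
    mint_otp(@host, @now)
  end

  def render(src)
    ERB.new(src).result(binding)
  end
end

# Constructed template fragment, not a real provisioning template.
TEMPLATE = "CERT_OTP=<%= cert_otp %>\n"

def render_for(host, now = Time.now.to_i)
  TemplateScope.new(host, now).render(TEMPLATE)
end
```

Binding the token to the host name and expiry means a rendered template that leaks is only useful for that host and only within the validity window.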

Thanks for the pointers, much appreciated! I'll give the template ruby
interpreter a go. Plugin is nicer of course, so I'll look into that as
well.

//Adam

On Thu, Jun 29, 2017 at 12:08 PM, Lukas Zapletal wrote:
> You can turn off safemode and then you have full Ruby interpreter at
> your hands in your template, just do <% anything_you_want_here %>, so
> you can make HTTP request or call an external script to generate the
> token for you (just make sure you update SELinux policy if on Red Hat
> to allow this). You can also install additional gems.
>
> Cleaner way is to write your own plugin, we have an example template,
> generator and docs. Such a plugin can add a new function into ERB
> (even in safemode) that will do the job for you. Example how to do
> this is here:
>
> http://projects.theforeman.org/projects/foreman/wiki/How_to_Create_a_Plugin#Extend-safemode-access
>
> Hooks is not the way to do it. Good luck and share your plugin with us!