Foreman is an open source server lifecycle management tool, used for Linux configuration management. It makes the work of administrators of physical and virtual servers easier through automation. It’s also a great tool for speeding up deployment and for proactive server management. It can be used with Amazon EC2, Google Compute Engine, OpenStack, Libvirt, oVirt, VMware and other providers, which makes Foreman very versatile. The tool produces activity reports and allows users to track the health of their hosts. iRonin partnered with a client whose DevOps team used Foreman. Our job involved Foreman plugin development, as well as Foreman API development, as part of a wider collaboration with a client.

Our client used Foreman for DevOps, and their team was satisfied with it - but they lacked a few small functionalities that would make their work more efficient. Our cooperation began with a tool called LISA, which was the client’s Foreman web interface. Soon, it became clear that writing a GraphQL API for Foreman would be necessary to finish LISA according to requirements. We provided commits to the project’s official repository, then built two more plugins, ForemanGitTemplates and ForemanVault.

The first plugin, ForemanGitTemplates, supports the usage of templates from Git repositories in Foreman. Repositories are fetched as tarball files and require a specific file structure. Only one template for each template type is supported, but the tool offers support for multiple snippets. A default local boot template can be easily defined.

By default in Foreman, templates are downloaded from the database. Our client wanted to store them in a Git repository instead, as it would be easier to manage them and allow people to modify them by using the repository’s versioning capabilities. Initially, we refactored a big part of the template rendering engine to make it more extendable through plugins. Now, rendering a template from the repository involves downloading the repository as an archive, unpacking it and fetching the correct template file. Thanks to ForemanGitTemplates, it’s much easier to manage templates while storing them in a Git repo rather than in a database. It helps the client’s team save valuable time.

To use repository templates, you’ll need to to set a template_url host parameter (and specify the HTTP authentication credentials if necessary). This can be achieved by going to the edit host page and opening the “Parameters” tab. Once you do that, the host’s template content will be fetched from the repository. To make sure everything works as intended, you can run a quick test. Open /unattended/provision?spoof=<host_ip>. The template stored in the provision directory should be rendered there.

As the tool is integrated with GitLab, you can use a private, GitLab-hosted repository to store Foreman templates. To do so, you’ll need to use GitLab’s API to construct the template_url parameter in Foreman. Next, create a dedicated Foreman user in GitLab and set up a Personal Access Token that you can use in the template_url. And that’s it, quick and easy.

The second plugin, ForemanVault, adds support for HashiCorp credentials. Our client needed to be able to store sensitive data in the templates (passwords, security tokens - things that shouldn’t be accessible directly in the database). The goal was to load the data from Vault (a tool for storing sensitive data) during the rendering of the template. Establishing communication with the Vault API was another big step. We used Vault Ruby, the official Ruby client for HashiCorp’s Vault. In the end, our plugin is a tool which allows easy integration of Foreman and Vault.

Setup requires you to follow several steps. First, you need to set up a connection between Foreman and Vault. Go to the “Infrastructure” > “Vault Connections” menu and hit “Create Vault Connection”. You should see a form appear. Fill in the required fields (you can get a token with the $ vault token create -period=60m command) and hit the “Submit” button. Congratulations, you can now use the vault_secret(vault_connection_name, secret_path) macro in your templates to fetch secrets from Vault. And you can add secrets with the $ vault write kv/my_secret foo=bar command.

Both plugins were created to meet very specific needs of a particular client, and both have been made publicly available by iRonin’s client as open source tools. As the client’s team had a lot of technical know-how, iRonin’s developers had a blast looking for a way to provide them with the best, most efficient solutions possible. The plugins are available on the client’s GitHub page. Some of our work (specifically, commits related to the template rendering engine and the GraphQL API) ended up in the official Foreman project codebase.

If you need custom software development services or want to update existing open source solutions to fit your needs, let us know. iRonin is an experienced technological partner providing advanced tools for IT specialists.