{"id":15103537,"url":"https://github.com/tjm/puppet-patching-automation","last_synced_at":"2026-01-19T18:01:01.140Z","repository":{"id":232120050,"uuid":"706274248","full_name":"TJM/puppet-patching-automation","owner":"TJM","description":"Web application, written GO to query PuppetDB, organize and orchestrate server patching process.","archived":false,"fork":false,"pushed_at":"2023-10-17T16:17:41.000Z","size":163,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-04-05T12:09:21.364Z","etag":null,"topics":["patching","puppet","puppetdb"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/TJM.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2023-10-17T16:14:57.000Z","updated_at":"2023-10-17T16:26:01.000Z","dependencies_parsed_at":"2024-04-08T03:57:53.472Z","dependency_job_id":"df51d7b5-27ee-4f4a-9bb9-3cd1d209ac40","html_url":"https://github.com/TJM/puppet-patching-automation","commit_stats":null,"previous_names":["tjm/puppet-patching-automation"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/TJM/puppet-patching-automation","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TJM%2Fpuppet-patching-automation","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TJM%2Fpuppet-patching-automation/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TJM%2Fpuppet-patching-automation/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub
/repositories/TJM%2Fpuppet-patching-automation/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/TJM","download_url":"https://codeload.github.com/TJM/puppet-patching-automation/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TJM%2Fpuppet-patching-automation/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28578952,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-19T17:42:58.221Z","status":"ssl_error","status_checked_at":"2026-01-19T17:40:54.158Z","response_time":67,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["patching","puppet","puppetdb"],"created_at":"2024-09-25T19:40:20.357Z","updated_at":"2026-01-19T18:01:01.112Z","avatar_url":"https://github.com/TJM.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# DevOps SRE - Patching Automation\n\nGo application for the patching automation project.\n\n## Install\n\n* Basic Helm installation\n\n```bash\nhelm repo add BLAH URLTBD\nhelm repo update\nhelm upgrade --install patching-automation BLAH/patching-automation\n```\n\n## Upgrade\n\n### v0.12.x to v0.13.x\n\n* Updated `bitnami/postgresql` chart from 9.x to 11.x.\nPlease see *their* [upgrade 
docs](https://docs.bitnami.com/kubernetes/infrastructure/postgresql/administration/upgrade/).\nSome of the authentication and persistence parameters are now deprecated as they have been moved under `primary`.\nWe have had pretty good luck with just removing the helmRelease and re-installing it after getting our values in order.\nThis does cause a small downtime, but re-starts with all the old data.\n\n## Building (compiling) patching-automation\n\n### Local Build Prerequisites\n\n* Go 1.20+\n* make\n\n### Building Locally\n\n* Full build process (linting, gosec, etc.):\n\n```bash\nmake\n```\n\n* Build the application only:\n\n```bash\nmake patching-automation\n```\n\n## Running Locally (for testing)\n\nAfter compiling above, here are the basics:\n\n```bash\n./patching-automation --version\n./patching-automation --help\n```\n\n### Local Run Prerequisites\n\nRequired:\n\n* Authentication (OIDC) Configuration: (See [Authentication Options](#authentication-options) below)\n  * OIDC_CLIENT_ID=xxx.xxxx.xxxxxx\n  * OIDC_CLIENT_SECRET=xxxxxxxxx\n  * OIDC_REDIRECT_URL=\"http://127.0.0.1:8080/auth/google/callback\"\n  * OIDC_ISSUER_URL=\"https://oidc.example.com\"\n\n* `PuppetServer` - This application will *query* PuppetDB, so you need access to a PuppetServer to actually use the application, once it is running.\n  * Visit: `http://localhost:8080/config/puppetServer` to add a PuppetServer\n\n### Get Puppet Server token\n\n* Get Puppet CA Cert from: `cat /etc/puppetlabs/puppet/ssl/certs/ca.pem` (from any puppet client or the puppet primary)\n  * Be sure to include the **BEGIN** and **END** lines\n\n* Create a Patching Automation service account in Puppet with the following access:\n  * Nodes -\u003e View node data from PuppetDB\n  * Job Orchestrator -\u003e Start, Stop and view jobs\n  * Plans -\u003e Run Plans -\u003e\n    * `patchy::cluster_patching`\n    * `patchy::patching`\n  * Tasks -\u003e Run Tasks -\u003e\n    * `pe_patch::agent_health`\n    * 
`pe_patch::clean_cache`\n    * `pe_patch::last_boot_time`\n    * `pe_patch::patch_server`\n    * `pe_patch::refresh_fact`\n\n* To get a puppet token, SSH into the puppet server and run:\n  * `puppet access login --username SERVICEACCOUNT --print --lifetime 30d`\n    * Adjust the lifetime option for the token to suit your needs.\n\nOptional:\n\n* `JenkinsServer` - If you want to be able to run Jenkins jobs, you will need a Jenkins Server.\n  * Visit `http://localhost:8080/config/jenkinsServer` to add a JenkinsServer\n  * For local development, you can use `docker run -p 8000:8080 -v jenkins_home:/var/jenkins_home jenkins/jenkins:lts` (and add localhost:8000 as a jenkinsServer).\n* `TRELLO_TOKEN` - If you want to generate a trello board, you will need a trello token. This grants this specific application (patching-automation) full access to *your* trello account. You can get this by visiting the following URL: \u003chttps://trello.com/1/connect?key=5a453a8d5b4ab0ae9a5746b34cc0b09e\u0026name=PatchingAutomation\u0026response_type=token\u0026scope=read,write\u003e\n\n* See Database Options - By default local development will use a local sqlite3 DB, which is fine for local development, but other options are available. See Database Options below...\n\n### Starting Server\n\nWhile developing, there is a shortcut `make run` which will compile *and* start the server. This is extremely handy when you are actively developing and want to test changes. NOTE: if you are only changing templates (views), you do not need to recompile, as they will be picked up automatically.\n\n```bash\n./patching-automation\n```\n\nNOTE: If you receive an error about port 8080 being in use, you can select a different port with `export PORT=8081` for example before running. 
You will need to adjust each of the examples below if you change the port.\n\n## Interacting with the WebUI\n\n* Visit the URL to the server, by default: `http://localhost:8080/`\n* Click the `[Patch Runs]` button to enter the main part of the application.\n* There are several different interfaces...\n  * Puppet\n    * Puppet Servers (`/config/puppetServer`) - Add/Manage Puppet Servers\n    * Puppet Tasks (`/config/puppetTask`) - Add/Manage Puppet Tasks (on Puppet Servers)\n    * Puppet Plans (`/config/puppetPlan`) - Add/Manage Puppet Plans (on Puppet Servers)\n  * Jenkins Servers (`/config/jenkinsServer`) - Add/Manage Jenkins Servers\n    * Jenkins Jobs (`/config/jenkinsJob`) - Add/Manage JenkinsJobs/Params (inside Jenkins Servers)\n  * Chat Rooms (`/config/ChatRoom`) - Add/Manage Chat Rooms (WebEx Teams) for notifications\n  * Patch Runs (`/patchRun`) - Add/Manage Patch Runs (the main point of the app)\n    * /application, /environment, /component, /server - view information about sub-parts of patch runs.\n\n## Interacting with the API\n\nNOTE: Currently the JSON API is **broken**. When we enabled Authentication, the API interactions became more difficult. We have an open issue to figure out and document how to authenticate with the API in the future.\n\nYou can interact with the JSON API using a tool like [Postman](https://www.postman.com/downloads/), or you can use curl. 
The paths are the same as above, but with a header like: `Accept: application/json`\n\nYou can also use `application/x-yaml` or `application/xml` if you prefer.\n\n-----\n\n## Authentication Options\n\nWe currently use [OpenID Connect (OIDC)](https://en.wikipedia.org/wiki/OpenID_Connect) for authentication.\n\n* OAuth2 Identity Provider (IdP) service that supports [OIDC](https://en.wikipedia.org/wiki/OpenID_Connect)\n  * You can use something like [DEX](https://github.com/dexidp/dex) to test with.\n  * Alternatively, you could also use something like:\n    * [Google](https://developers.google.com/identity/protocols/oauth2/openid-connect)\n    * [GitHub](https://plugins.miniorange.com/oauth-openid-login-using-github)\n    * etc\n\n### DEX Identity Provider\n\nThe example below will use [DEX IdP](https://dexidp.io/). Please clone their [repo](https://github.com/dexidp/dex) and start DEX in a separate window. You can follow their [Getting Started](https://dexidp.io/docs/getting-started/#building-the-dex-binary) docs.\n\n* Start DEX IdP:\n\nNOTE: This is only for example purposes, and should not be used in production. You can configure dex properly to authenticate against corporate LDAP or many other sources.\n\n```console\n./bin/dex serve examples/config-dev.yaml\n```\n\n* Create a `.env` file with the following contents:\n\n```bash\nPORT=5555\nOIDC_CLIENT_ID=\"example-app\"\nOIDC_CLIENT_SECRET=\"ZXhhbXBsZS1hcHAtc2VjcmV0\"\nOIDC_REDIRECT_URL=\"http://127.0.0.1:5555/callback\"\nOIDC_ISSUER_URL=\"http://127.0.0.1:5556/dex\"\nINIT_ADMINS=\"admin@example.com\"\nINIT_USERS=\"kilgore@kilgore.trout\"\n```\n\nNOTE: Since we are using the dex example configuration, you will need to access Patching Automation as \u003chttp://127.0.0.1:5555/\u003e\n\n### Google Accounts Identity Provider\n\nThe example below will use Google Accounts. See: [go-oidc examples readme](https://github.com/coreos/go-oidc/tree/v3/example).\n\n* Setup Google\n\n  1. 
Visit your [Google Developer Console](https://console.developers.google.com/).\n  1. **ONLY DO ONCE**: Click \"Configure Consent Screen\"\n        1. Select **Internal**\n        2. Create\n        3. At a minimum fill in a name for your App: ie: local_app, user support email, and Developer email.\n  1. Click \"Credentials\" on the left column.\n  1. Click the \"Create credentials\" button followed by \"OAuth client ID\".\n  1. **Application type** - \"Web application\"\n  1. **Name** - Add a unique Name.\n  1. **Authorized JavaScript origins** - Skip\n  1. **Authorized redirect URIs**\n      1. *Add URI*: \"http://127.0.0.1:8080/auth/google/callback\"\n  1. Click create and add the printed client ID and secret to your environment using the following variables: (`.env` file)\n\n```bash\nOIDC_CLIENT_ID=\"(value provided by google)\"\nOIDC_CLIENT_SECRET=\"(value provided by google)\"\nOIDC_REDIRECT_URL=\"http://127.0.0.1:8080/auth/google/callback\"\nOIDC_ISSUER_URL=\"https://accounts.google.com\"\nINIT_ADMINS=\"your.email@company.com\"\n```\n\n-----\n\n## Database Options\n\nBy default, the application will create a local sqlite3 database called `db/padb.db` which is sufficient for local development. 
These other database options are also supported: mysql, postgresql\n\n### MySQL Example\n\nNOTE: This will persist the database data in `./db/mysql`, if you need to start over clean or just want to clean up, make sure the database is stopped, then you can remove the directory.\n\n* Start the Database\n\n```bash\ndocker run -p 3306:3306 -d --rm -P -e MYSQL_DATABASE=padb -e MYSQL_USER=padb -e MYSQL_PASSWORD=padb -e MYSQL_ROOT_PASSWORD=notEmpty123 -v $PWD/db/mysql:/bitnami/mysql/data --name padb-mysql bitnami/mysql\n```\n\nNOTE: Port is hard coded to 3306, if you change it you will have to add `--dbport xxxx` below\n\n* Run patching-automation with requisite options:\n\n```bash\n ./patching-automation --dbtype mysql\n```\n\n* Stop the database (when you are done with it)\n\n```bash\ndocker stop padb-mysql\n```\n\n### PostgreSQL Example\n\nNOTE: This will persist the database data in `./db/postgresql`, if you need to start over clean or just want to clean up, make sure the database is stopped, then you can remove the directory.\n\n* Start the database\n\n```bash\ndocker run -p 5432:5432 -d --rm -v $PWD/db/postgresql:/bitnami/postgresql -P -e POSTGRES_USER=padb -e POSTGRES_PASSWORD=padb -e POSTGRES_DATABASE=padb --name padb-postgresql bitnami/postgresql\n```\n\nNOTE: Port is hard coded to 5432, if you change it you will have to add `--dbport xxxx` below\n\n* Run patching-automation with requisite options:\n\n```bash\n ./patching-automation --dbtype postgresql\n```\n\n* Stop the database (when you are done with it)\n\n```bash\ndocker stop padb-postgresql\n```\n\n-----\n\n## Docker\n\n### Building Docker image\n\n* Build Docker Image\n\n```bash\nmake docker\n```\n\n... do whatever testing you deem fit.\n\n### Publish Docker image\n\n```bash\nmake dockerpush\n```\n\n## Running in Docker\n\n### Prerequisites\n\n* Database: For local development, we can use sqlite3, but docker images are ephemeral. 
Assuming you want to keep your state, you probably want to use an external database. We will create a test database below in a \"user defined network\" so they can find each other.\n\n### Running\n\nBasic Test:\n\n```bash\ndocker run patching-automation --version\ndocker run patching-automation --help\n```\n\nNOTE: You will need a database (as per Database Options). The important option below is `--network pa-test`.\n\n* Create a docker Network\n\n```bash\ndocker network create pa-test\n```\n\n* Start a database (postgresql in this example, see options [above](#database-options))\n\n```bash\ndocker run -d --rm --network pa-test -v $PWD/db/postgresql:/bitnami/postgresql -e POSTGRES_USER=padb -e POSTGRES_PASSWORD=padb -e POSTGRES_DATABASE=padb --name padb-postgresql bitnami/postgresql\n```\n\n* Start Application\n\n```bash\ndocker run -p 8080:8080 --rm --network pa-test patching-automation --dbtype postgresql --dbhost padb-postgresql\n```\n\nNOTE: We are hard-coding the port to 8080, you can change as needed.\n\nALSO: The database was created with the \"default\" values the application expects. 
See `--help` option for more details\n\n-----\n\n## Helm Chart\n\nWe also have a Helm Chart to deploy patching-automation to Kubernetes.\n\n### Building Helm Chart\n\nNOTE: The steps below require [helm](https://helm.sh/docs/intro/install/) v3.x to be installed locally.\n\n```bash\nmake helm\n```\n\n### Testing Helm Chart\n\nGetting access to a Kubernetes cluster or creating your own through kind/talos/whatever is outside the scope of this document.\n\n* Test rendering templates locally\n\n```bash\nhelm template helmchart/patching-automation\n```\n\n* Install test version (a release name is required before the chart path)\n\n```bash\nhelm upgrade --install patching-automation ./helmchart/patching-automation -f values.yaml\n```\n\n### Publish Helm Chart\n\nWe publish our helm chart to Artifactory, see Makefile variables for details.\n\n```bash\nmake helmpush\n```\n\n### Install using helm chart\n\nWe usually use a helmRelease in flux, but to install the chart, you will need a values file.\n\n* Create `values.yaml`\n\n```yaml\n# Values for example deployment of patching-automation\n\n## Ingress\ningress:\n  enabled: true\n  annotations:\n    kubernetes.io/ingress.class: nginx\n    # probably other options here?\n  hosts:\n    - host: pa.example.com\n      paths: [\"/\"]\n  tls:\n    - hosts:\n        - pa.example.com\n\n## Database\npostgresql:\n  postgresqlPassword: sUp3rS3cr3tDatabasePW\n\n## Environment Variables to Configure Patching Automation\nextraEnvironmentVariables:\n  - name: TRELLO_TOKEN\n    value: f22XXXXXXXXXXXXXXXXX\n  - name: OIDC_CLIENT_ID\n    value: 4XXXXXXXXXr.apps.googleusercontent.com\n  - name: OIDC_CLIENT_SECRET\n    value: GOXXXXXXXXXXXXe5\n  - name: OIDC_REDIRECT_URL\n    value: https://pa.example.com/auth/google/callback\n  - name: OIDC_ISSUER_URL\n    value: https://accounts.google.com\n\n```\n\n* Install/Upgrade\n\n```bash\nhelm upgrade --install patching-automation REPO/patching-automation -f values.yaml\n```\n\n-----\n\n## Release a new version\n\nReleasing a new version has been automated through the 
Makefile. Running \"`make release VERSION=x.y.z`\" will create a new branch, update the version files and create a merge request.\n\n* Run `make release` with a VERSION variable\n  * Check current tag release. Two ways.\n    * Check `const Version` variable in `version/version.go`.\n    * Check gitlab tags in repository.\n  * We are using semantic versioning. (MAJOR.MINOR.PATCH)\n  * Do *not* insert the **v** in the VERSION variable below.\n  * **OPTIONAL**: If you want to create a pre-release, such as `rc1`, `beta`, or whatever, also set \"PRERELEASE_TAG\" (otherwise leave it *empty*) (`make release VERSION=0.12.0 PRERELEASE_TAG=beta`)\n  * **EDIT THIS ONE!**\n\n```bash\nmake release VERSION=X.Y.Z\n```\n\n* Get approvals and merge branch in GitLab UI.\n\n* TAG the release on the **master** branch *after* merging. -- NOTE: This requires \"maintainer\" access. Command line steps below or you can complete this step in the GitLab UI.\n\n```bash\ngit checkout master \u0026\u0026 git pull\ngit tag v${VERSION}\ngit push origin v${VERSION}\n```\n\n### Post-Release Steps\n\n* Run `make prepare_for_dev` with VERSION variable\n  * We are using semantic versioning. (MAJOR.MINOR.PATCH)\n  * Set this to the next \"minor\" version for development. 
If any \"patches\" (hotfixes) are needed, they will be the PATCH release.\n    * Example: If the current release is `0.11.2`, the next dev release will be `0.11.3`\n    * Previously we set it to the next minor release, but this causes issues when auto-releasing helm charts.\n  * The `PRERELEASE_TAG` will be set to `dev`\n  * Do *NOT* insert the **v** in the VERSION variable below.\n  * **EDIT THIS ONE!**\n\n```bash\nmake prepare_for_dev VERSION=X.Y.Z\n```\n\n* Get approvals and merge branch in GitLab UI.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftjm%2Fpuppet-patching-automation","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftjm%2Fpuppet-patching-automation","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftjm%2Fpuppet-patching-automation/lists"}