From be627d4e3bf47811123b0ba981395bd314145783 Mon Sep 17 00:00:00 2001 From: ben Date: Fri, 21 Jun 2024 16:11:23 +1000 Subject: [PATCH] Update readme and changelog --- CHANGELOG.md | 25 ++++++++++++++++++++++++ README.md | 55 ++++++++++++++++++++++++++++++++++++++++++++++++---- 2 files changed, 76 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 34729a9..3fd04db 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,31 @@ All notable changes to this project will be documented in this file. +## Release 3.0.0 + +**Upgrade warning** + +The following default parameters for passwords have been removed from the modules. +- observium::db_password +- observium::rootdb_password +- observium::snmpv3_authpass +- observium::snmpv3_cryptopass +- observium::admin_password + +If you were relying on these defaults you will need to set them in your control repo hiera before upgrading to 3.0.0. Passwords and other sensitive data in your control repo should be encrypted and protected, see https://www.puppet.com/docs/puppet/8/securing-sensitive-data.html. + +**Features** + +- Added support for RHEL9 +- Added support for stdlib 9.0 or later. **Note:** the observium module itself supports stdlib 9, however its dependencies did not. When upgrading to stdlib 9 please ensure you upgrade other dependant modules. +- Incorporated security recommendations from baile320, removal of default passwords. +- Bumped module dependencies to later versions. +- Bumped PDK version to 3.2.0. +- Lint and other minor fixes. +- Added lint, unit and litmus tests within Github actions. + +Thanks to https://github.com/baile320 for their security recommendations for this release. :) + ## Release 2.0.0 **Features** diff --git a/README.md b/README.md index 540e378..36f3e02 100644 --- a/README.md +++ b/README.md 
@@ -52,16 +52,51 @@ Please ensure you meet the dependency requirements and have the following in you - puppet-snmp - puppet-firewalld - only required for RHEL and if managing firewall - puppetlabs-resource_api -- domkrm-ufw - only required for Ubuntu and if managing firewall +- puppetlabs-firewall - only required for Ubuntu and if managing firewall - puppetlabs-translate - camptocamp-systemd +### Password requirements ### + +Beginning with the 3.0.0 release, default passwords are no longer provided by this module. This was a insecure default as every instances of observium setup with these defaults would use the same passwords. + +With the removal of the default, users now need to specify these password when using this module. There are two methods to do this in Puppet. + +1. Via parameters through resource like declarations. (Least preferred as you cannot protect these values) +``` +class { 'observium': + db_password => 'your_password_here', + rootdb_password => 'your_password_here', + snmpv3_authpass => 'your_password_here', + snmpv3_cryptopass => 'your_password_here', + admin_password => 'very_secure', +} +``` + +2. Via environment hiera. (Preferred as we can encrypt these values) +Within environment hiera place the values as shown. +``` +--- +observium::db_password: "your_password_here" +observium::rootdb_password: "your_password_here" +observium::snmpv3_authpass: "your_password_here" +observium::snmpv3_cryptopass: "your_password_here" +observium::admin_password: "very_secure" +``` + +These values should be encrypted using the [hiera-eyaml][11] gem. See Puppet [documentation][12]. ### Beginning with observium In its most basic form you can install observium by ``` -include observium +class { 'observium': + db_password => 'your_password_here', + rootdb_password => 'your_password_here', + snmpv3_authpass => 'your_password_here', + snmpv3_cryptopass => 'your_password_here', + admin_password => 'very_secure', +} ``` ## Usage 
@@ -118,6 +153,7 @@ Tested with the following setups. - RHEL - 7 - 8 + - 9 - Rocky - 8 - Ubuntu @@ -134,7 +170,7 @@ RHEL 7 requires the following yum repos for installation - these will be automat - [remi-php72][7] - [remi-safe][8] -RHEL 8 require the follwing yum repos for installation - these will be automatically added if you host has internet connection. +RHEL 8 require the following yum repos for installation - these will be automatically added if you host has internet connection. - [EPEL][4] - [OpenNMS common][5] @@ -145,6 +181,14 @@ RHEL 8 require the follwing yum repos for installation - these will be automatic ``` - [remi-safe][10] +RHEL 9 require the following yum repos for installation - these will be automatically added if you host has internet connection. + +- [EPEL][4] +- [OpenNMS common][5] +- [OpenNMS RHEL8][13] +- [remi-modular][14] +- [remi-safe][14] + ## Upgrading Observium Please see [Upgrading][2] steps from Observium to upgrade. If you are managaing Observium with Puppet, @@ -175,4 +219,7 @@ If you find any issues with this module, please log them in the issues register [8]: http://cdn.remirepo.net/enterprise/7/safe/mirro [9]: https://yum.opennms.org/stable/rhel8/ [10]: https://rpms.remirepo.net/enterprise/8/ - +[11]: https://github.com/voxpupuli/hiera-eyaml +[12]: https://www.puppet.com/docs/puppet/8/securing-sensitive-data.html +[13]: https://yum.opennms.org/stable/rhel9/ +[14]: https://rpms.remirepo.net/enterprise/9/
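Review bot: In the CHANGELOG.md hunk, the Release 3.0.0 entry does not mention that the Ubuntu firewall dependency changes from domkrm-ufw to puppetlabs-firewall, which the README.md dependency list in this same patch shows; "Bumped module dependencies to later versions" does not cover a module being replaced. Add it under the upgrade warning so Ubuntu users who manage the firewall update their Puppetfile before moving to 3.0.0. Wording in the same entry: "removed from the modules" should be "removed from the module", "dependant modules" should be "dependent modules", and "Github actions" should be "GitHub Actions".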
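Review bot: In the README.md hunk at "Beginning with observium", the basic example replaces "include observium" with the resource-like declaration carrying plaintext passwords, which is the method the new "Password requirements" section just above labels "Least preferred as you cannot protect these values". Suggest keeping "include observium" as the basic form and stating that the five observium::*password / *pass keys must already be set in environment hiera, so the first example a reader copies is the one that can be encrypted with hiera-eyaml. Both samples also use 'very_secure' for admin_password while the other four values use 'your_password_here'; use one placeholder throughout so it is not read as a suggested value. Wording: "a insecure default as every instances" should read "an insecure default as every instance", and "these password" should be "these passwords".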
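Review bot: In the README.md hunk that fixes "follwing", the corrected line still reads "RHEL 8 require the following yum repos" and "if you host has internet connection"; since the line is already being changed, make it "RHEL 8 requires" and "if your host has an internet connection".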
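Review bot: In the new RHEL 9 repo list, the entry "[OpenNMS RHEL8][13]" is labelled RHEL8 but reference [13] added at the end of this patch is https://yum.opennms.org/stable/rhel9/, so the label should read "OpenNMS RHEL9". "[remi-modular][14]" and "[remi-safe][14]" both resolve to the same reference, https://rpms.remirepo.net/enterprise/9/; please confirm that is intended or give each its own link. The new sentence also copies the grammar of the RHEL 8 line: "RHEL 9 require" should be "RHEL 9 requires" and "if you host" should be "if your host".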