authormail_redacted_for_web 2015-11-11 13:41:34 -0800
committermail_redacted_for_web 2015-12-09 09:44:35 -0800
commit4c2be74083287516b72ab4f3ccaaf317ea7a2eb0 (patch)
treec7bf02592404dc9c302059b4001ced20df82adf6
parent8c71bd0b13160f13eeb27613031be167e94f7ade (diff)
downloadcontrol-repo-template-4c2be74083287516b72ab4f3ccaaf317ea7a2eb0.tar.bz2
Add support for code manager which will replace zack r10k
Add pltraining-rbac module. Added a new profile for code_manager that: - creates a service user for code manager - creates a token for that service user - creates a hook on a git server using the token. Turns out that the file function in puppet cannot read files in /root. The pe-puppet user needs read permissions on the file and traversal on the directory, which giving to /root would probably be a bad idea. So, I just put the file containing the token in /etc/puppetlabs/puppetserver since I'm not sure where would be better.
-rw-r--r--Puppetfile4
-rw-r--r--site/profile/manifests/code_manager.pp66
-rw-r--r--site/profile/manifests/puppetmaster.pp3
-rw-r--r--site/profile/manifests/zack_r10k_webhook.pp11
-rw-r--r--site/profile/templates/code_manager/create_rbac_token.epp7
5 files changed, 90 insertions, 1 deletions
diff --git a/Puppetfile b/Puppetfile
index ac90e14..6bc31f8 100644
--- a/Puppetfile
+++ b/Puppetfile
@@ -34,3 +34,7 @@ mod 'r10k',
mod 'gms',
:git => 'https://github.com/npwalker/abrader-gms',
:branch => 'gitlab_disable_ssl_verify_support'
+
+mod 'pltraining-rbac',
+ :git => 'https://github.com/puppetlabs/pltraining-rbac',
+ :ref => '2f60e1789a721ce83f8df061e13f8bf81cd4e4ce'
diff --git a/site/profile/manifests/code_manager.pp b/site/profile/manifests/code_manager.pp
new file mode 100644
index 0000000..f244564
--- /dev/null
+++ b/site/profile/manifests/code_manager.pp
@@ -0,0 +1,66 @@
+class profile::code_manager {
+
+ $code_manager_service_user = 'code_manager_service_user'
+ $code_manager_service_user_password = fqdn_rand_string(40, '', "${code_manager_service_user}_password")
+
+ #puppet_master_classifier_settings is a custom function
+ $classifier_settings = puppet_master_classifer_settings()
+ $classifier_hostname = $classifier_settings['server']
+ $classifier_port = $classifier_settings['port']
+
+ $token_directory = '/etc/puppetlabs/puppetserver/.puppetlabs'
+ $token_filename = "${token_directory}/${code_manager_service_user}_token"
+
+ $gms_api_token = hiera('gms_api_token', undef)
+ $git_management_system = hiera('git_management_system', undef)
+
+ rbac_user { $code_manager_service_user :
+ ensure => 'present',
+ name => $code_manager_service_user,
+ email => "${code_manager_service_user}@example.com",
+ display_name => 'Code Manager Service Account',
+ password => $code_manager_service_user_password,
+ roles => [ 'Deploy Environments' ],
+ }
+
+ file { $token_directory :
+ ensure => directory,
+ owner => 'pe-puppet',
+ group => 'pe-puppet',
+ }
+
+ exec { "Generate Token for ${code_manager_service_user}" :
+ command => epp('profile/code_manager/create_rbac_token.epp',
+ { 'code_manager_service_user' => $code_manager_service_user,
+ 'code_manager_service_user_password' => $code_manager_service_user_password,
+ 'classifier_hostname' => $classifier_hostname,
+ 'classifier_port' => $classifier_port,
+ 'token_filename' => $token_filename
+ }),
+ creates => $token_filename,
+ require => [ Rbac_user[$code_manager_service_user], File[$token_directory] ],
+ }
+
+
+ if !empty($gms_api_token) {
+
+ #this file cannont be read until the next run after the above exec
+ #because the file function runs on the master not on the agent
+ $rbac_token = parsejson(file($token_filename))['token']
+
+ $code_manager_webhook_type = $git_management_system ? {
+ 'gitlab' => 'github',
+ default => $git_management_system,
+ }
+
+ git_webhook { "code_manager_post_receive_webhook-${::fqdn}" :
+ ensure => present,
+ webhook_url => "https://${::fqdn}:8170/code-manager/v1/webhook?type=${code_manager_webhook_type}&token=${rbac_token}",
+ token => $gms_api_token,
+ project_name => 'puppet/control-repo',
+ server_url => hiera('gms_server_url'),
+ provider => $git_management_system,
+ disable_ssl_verify => true,
+ }
+ }
+}
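Review bot: The token file produced by the exec at L73 has no managed mode: the template's shell redirect creates it under the process's default umask, so the long-lived RBAC token it holds is likely readable by every local user, and the `file { $token_directory }` at L67 only sets owner and group on the directory. Add `umask => '077'` to the exec and manage the file after it, e.g. `file { $token_filename: owner => 'pe-puppet', group => 'pe-puppet', mode => '0600', require => Exec["Generate Token for ${code_manager_service_user}"] }` (pe-puppet ownership is what lets the master-side `file()` call at L90 read it, as the commit message explains). A second problem is that `creates => $token_filename` at L81 stops retries even when the request failed, because the redirect creates the file regardless of curl's exit status; from then on `parsejson(file($token_filename))` at L90 throws on every run, so the command should only leave a file behind on success. Separately, the comment at L47 names `puppet_master_classifier_settings` while L48 calls `puppet_master_classifer_settings()`; one of the two is misspelled, and if it is the call it only surfaces as an unknown-function error at catalog compile.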
diff --git a/site/profile/manifests/puppetmaster.pp b/site/profile/manifests/puppetmaster.pp
index 0954807..e63d819 100644
--- a/site/profile/manifests/puppetmaster.pp
+++ b/site/profile/manifests/puppetmaster.pp
@@ -25,7 +25,8 @@ class profile::puppetmaster (
#END - Generate an SSH key for r10k to connect to git
#BEGIN - Add deploy key and webook to git management system
- $git_management_system = hiera('git_management_system', '')
+ $git_management_system = hiera('git_management_system', undef)
+ $gms_api_token = hiera('gms_api_token', undef)
if $git_management_system in ['gitlab', 'github'] {
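Review bot: `$gms_api_token` is looked up at L117 but nothing in this hunk reads it, and the only consumer this commit adds is `profile::zack_r10k_webhook`, which references `$gms_api_token` with no lookup or visible parameter of its own (its class header at L123 is cut by that hunk). Puppet 4, which the typed EPP template in this commit implies, has no dynamic scoping, so unless that class declares the parameter or performs its own `hiera()` call the value is undef there and the `if !empty($gms_api_token)` guard silently skips creating the webhook. Pass it explicitly, e.g. `class { 'profile::zack_r10k_webhook': gms_api_token => $gms_api_token }`, or repeat the `hiera('gms_api_token', undef)` lookup in that class and drop the unused assignment here. The enclosing class `profile::puppetmaster` begins before and continues after this hunk.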
diff --git a/site/profile/manifests/zack_r10k_webhook.pp b/site/profile/manifests/zack_r10k_webhook.pp
index 7e0bd40..3dae9d7 100644
--- a/site/profile/manifests/zack_r10k_webhook.pp
+++ b/site/profile/manifests/zack_r10k_webhook.pp
@@ -26,4 +26,15 @@ class profile::zack_r10k_webhook (
require => Class['r10k::webhook::config'],
}
+ if !empty($gms_api_token) {
+ git_webhook { "web_post_receive_webhook-${::fqdn}" :
+ ensure => present,
+ webhook_url => "https://${username}:${password}@${::fqdn}:8088/payload",
+ token => $gms_api_token,
+ project_name => 'puppet/control-repo',
+ server_url => hiera('gms_server_url'),
+ provider => $git_management_system,
+ disable_ssl_verify => true,
+ }
+ }
}
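Review bot: The `webhook_url` at L129 embeds `${username}:${password}` as basic-auth credentials in the URL, so the r10k webhook's credentials are stored in clear in the git management system's webhook configuration and will typically show up in its delivery logs, while `disable_ssl_verify => true` at L134 (repeated in `profile::code_manager`) removes the certificate check on the API call that registers them. If the git server's certificate cannot be validated today, make that a knob rather than a constant, e.g. `disable_ssl_verify => hiera('gms_disable_ssl_verify', true)`, and record the trade-off next to the resource with a comment such as `# The webhook URL carries the r10k basic-auth pair; the GMS stores and logs it, so rotate those credentials together with the webhook.` The origin of `$gms_api_token` used by the guard at L126 is raised on the puppetmaster.pp hunk; the class header at L123 and its parameter list lie outside this hunk.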
diff --git a/site/profile/templates/code_manager/create_rbac_token.epp b/site/profile/templates/code_manager/create_rbac_token.epp
new file mode 100644
index 0000000..31bf00f
--- /dev/null
+++ b/site/profile/templates/code_manager/create_rbac_token.epp
@@ -0,0 +1,7 @@
+<%- | String $code_manager_service_user,
+ String $code_manager_service_user_password,
+ String $classifier_hostname,
+ Integer $classifier_port,
+ String $token_filename
+| -%>
+/opt/puppetlabs/puppet/bin/curl -k -X POST -H 'Content-Type: application/json' -d '{"login": "<%= $code_manager_service_user %>", "password": "<%= $code_manager_service_user_password %>", "lifetime": "0"}' https://<%= $classifier_hostname %>:<%= $classifier_port %>/rbac-api/v1/auth/token >> <%= $token_filename %>
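Review bot: The curl invocation at L150 places the service user's password on the command line and uses `-k`, so the credential is visible in the process table while the request runs, is written into the Puppet report and logs whenever the exec fails, and is posted without confirming that the host at `classifier_hostname` is really the classifier. Feed the body on stdin instead (`-d @-` with the JSON piped in, or `-d @<ROOT_ONLY_FILE>`), replace `-k` with `--cacert <PE_CA_CERT_PATH>` (placeholder for the CA bundle the agent already trusts), and add `--fail --silent --show-error` with `>` rather than `>>` so a non-2xx reply leaves no file for `creates` to see and a repeated run cannot append a second JSON document that `parsejson` will reject. `"lifetime": "0"` looks like a request for a non-expiring token — TODO confirm against the RBAC API; if so, the template should say why a finite lifetime is not used. The template declares typed parameters but nothing about what it emits; a header such as `<%# Shell command run once by profile::code_manager to mint the Code Manager RBAC token into $token_filename -%>` would make the exec's purpose clear to the next reader.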