diff options
9 files changed, 5 insertions, 282 deletions
@@ -28,6 +28,10 @@ mod 'r10k', :git => 'https://github.com/acidprime/r10k', :tag => 'v3.1.1' +mod 'pe_code_manager_webhook', + :git => 'https://github.com/npwalker/pe_code_manager_webhook', + :ref => '20d9f2e274325edaa10d8ec3b4f98a62ad726335' + mod 'gms', :git => 'https://github.com/npwalker/abrader-gms', :branch => 'gitlab_disable_ssl_verify_support' diff --git a/site/no_fail_file/lib/puppet/parser/functions/no_fail_file.rb b/site/no_fail_file/lib/puppet/parser/functions/no_fail_file.rb deleted file mode 100644 index 3819ebf..0000000 --- a/site/no_fail_file/lib/puppet/parser/functions/no_fail_file.rb +++ /dev/null @@ -1,36 +0,0 @@ -require 'puppet/file_system' - -Puppet::Parser::Functions::newfunction( - :no_fail_file, :arity => -2, :type => :rvalue, - :doc => "Loads a file from a module and returns its contents as a string. - - This is a replacement to the file function that returns nothing - if the file specified cannot be found instead of erroring out. - - The argument to this function should be a `<MODULE NAME>/<FILE>` - reference, which will load `<FILE>` from a module's `files` - directory. (For example, the reference `mysql/mysqltuner.pl` will load the - file `<MODULES DIRECTORY>/mysql/files/mysqltuner.pl`.) - - This function can also accept: - - * An absolute path, which can load a file from anywhere on disk. - * Multiple arguments, which will return the contents of the **first** file - found, skipping any files that don't exist. - " -) do |vals| - path = nil - vals.each do |file| - found = Puppet::Parser::Files.find_file(file, compiler.environment) - if found && Puppet::FileSystem.exist?(found) - path = found - break - end - end - - if path - Puppet::FileSystem.read_preserve_line_endings(path) - else - nil - end -end diff --git a/site/profile/manifests/git_webhook.pp b/site/profile/manifests/git_webhook.pp deleted file mode 100644 index 12ef786..0000000 --- a/site/profile/manifests/git_webhook.pp +++ /dev/null @@ -1,12 +0,0 @@ -class profile::git_webhook ( - $force_zack_r10k_webhook = false -) { - - if versioncmp( $::pe_server_version, '2015.2.99' ) <= 0 or $force_zack_r10k_webhook { - include profile::git_webhook::zack_r10k_webhook - } else { - include profile::git_webhook::code_manager - include profile::git_webhook::zack_r10k_webhook_disable - } - -} diff --git a/site/profile/manifests/git_webhook/code_manager.pp b/site/profile/manifests/git_webhook/code_manager.pp deleted file mode 100644 index 41c9e16..0000000 --- a/site/profile/manifests/git_webhook/code_manager.pp +++ /dev/null @@ -1,150 +0,0 @@ -class profile::git_webhook::code_manager { - - $authenticate_webhook = hiera('puppet_enterprise::master::code_manager::authenticate_webhook', true) - - $code_manager_service_user = 'code_manager_service_user' - $code_manager_service_user_password = fqdn_rand_string(40, '', "${code_manager_service_user}_password") - - #puppet_master_classifier_settings is a custom function - $classifier_settings = puppet_master_classifer_settings() - $classifier_hostname = $classifier_settings['server'] - $classifier_port = $classifier_settings['port'] - - $token_directory = '/etc/puppetlabs/puppetserver/.puppetlabs' - $token_filename = "${token_directory}/${code_manager_service_user}_token" - - $gms_api_token = hiera('gms_api_token', undef) - $git_management_system = hiera('git_management_system', undef) - - $code_manager_ssh_key_file = '/etc/puppetlabs/puppetserver/code_manager.key' - exec { 'create code manager ssh key' : - command => "/usr/bin/ssh-keygen -t rsa -b 2048 -C 'code_manager' -f ${code_manager_ssh_key_file} -q -N ''", - creates => $code_manager_ssh_key_file, - } - - file { $code_manager_ssh_key_file : - ensure => file, - owner => 'pe-puppet', - group => 'pe-puppet', - require => Exec['create code manager ssh key'], - } - - #If files exist in the codedir code manager can't manage them unless pe-puppet can read them - exec { 'chown all environments to pe-puppet' : - command => "/bin/chown -R pe-puppet:pe-puppet ${::settings::codedir}", - unless => "/usr/bin/test \$(stat -c %U ${::settings::codedir}/environments/production) = 'pe-puppet'", - } - - $code_manager_role_name = 'Deploy Environments' - $create_role_creates_file = '/etc/puppetlabs/puppetserver/.puppetlabs/deploy_environments_created' - $create_role_curl = @(EOT) - /opt/puppetlabs/puppet/bin/curl -k -X POST -H 'Content-Type: application/json' \ - https://<%= $classifier_hostname %>:4433/rbac-api/v1/roles \ - -d '{"permissions": [{"object_type": "environment", "action": "deploy_code", "instance": "*"}, - {"object_type": "tokens", "action": "override_lifetime", "instance": "*"}],"user_ids": [], "group_ids": [], "display_name": "<%= $code_manager_role_name %>", "description": ""}' \ - --cert <%= $::settings::certdir %>/<%= $::trusted['certname'] %>.pem \ - --key <%= $::settings::privatekeydir %>/<%= $::trusted['certname'] %>.pem \ - --cacert <%= $::settings::certdir %>/ca.pem; - touch <%= $create_role_creates_file %> - | EOT - - exec { 'create deploy environments role' : - command => inline_epp( $create_role_curl ), - creates => $create_role_creates_file, - logoutput => true, - path => $::path, - require => File[$token_directory], - } - - rbac_user { $code_manager_service_user : - ensure => 'present', - name => $code_manager_service_user, - email => "${code_manager_service_user}@example.com", - display_name => 'Code Manager Service Account', - password => $code_manager_service_user_password, - roles => [ $code_manager_role_name ], - require => Exec['create deploy environments role'], - } - - file { $token_directory : - ensure => directory, - owner => 'pe-puppet', - group => 'pe-puppet', - } - - exec { "Generate Token for ${code_manager_service_user}" : - command => epp('profile/git_webhook/code_manager/create_rbac_token.epp', - { 'code_manager_service_user' => $code_manager_service_user, - 'code_manager_service_user_password' => $code_manager_service_user_password, - 'classifier_hostname' => $classifier_hostname, - 'classifier_port' => $classifier_port, - 'token_filename' => $token_filename - }), - creates => $token_filename, - require => [ Rbac_user[$code_manager_service_user], File[$token_directory] ], - } - - #this file cannont be read until the next run after the above exec - #because the file function runs on the master not on the agent - #so the file doesn't exist at the time the function is run - $rbac_token_file_contents = no_fail_file($token_filename) - - #Only mv code if this is at least the 2nd run of puppet - #Code manager needs to be enabled and puppet server restarted - #before this exec can complete. Gating on the token file - #ensures at least one run has completed - if $::code_manager_mv_old_code and !empty($rbac_token_file_contents) { - - $timestamp = chomp(generate('/bin/date', '+%Y%d%m_%H:%M:%S')) - - exec { 'mv files out of $environmentpath' : - command => "mkdir /etc/puppetlabs/env_back_${timestamp}; - mv ${::settings::codedir}/environments/* /etc/puppetlabs/env_back_${timestamp}/; - rm /opt/puppetlabs/facter/facts.d/code_manager_mv_old_code.txt; - TOKEN=`/opt/puppetlabs/puppet/bin/ruby -e \"require 'json'; puts JSON.parse(File.read('${token_filename}'))['token']\"`; - /opt/puppetlabs/puppet/bin/curl -k -X POST -H 'Content-Type: application/json' \"https://${::trusted['certname']}:8170/code-manager/v1/deploys?token=\$TOKEN\" -d '{\"environments\": [\"${::environment}\"], \"wait\": true}'; - /opt/puppetlabs/puppet/bin/curl -k -X POST -H 'Content-Type: application/json' \"https://${::trusted['certname']}:8170/code-manager/v1/deploys?token=\$TOKEN\" -d '{\"deploy-all\": true, \"wait\": true}'; - sleep 15", - path => $::path, - logoutput => true, - require => Exec["Generate Token for ${code_manager_service_user}"], - } - } - - if !empty($gms_api_token) { - if $authenticate_webhook and !empty($rbac_token_file_contents) { - - $rbac_token = parsejson($rbac_token_file_contents)['token'] - - $token_info = "&token=${rbac_token}" - } - else { - $token_info = '' - } - - $code_manager_webhook_type = $git_management_system ? { - 'gitlab' => 'github', - default => $git_management_system, - } - - git_deploy_key { "add_deploy_key_to_puppet_control-${::fqdn}": - ensure => present, - name => $::fqdn, - path => "${code_manager_ssh_key_file}.pub", - token => $gms_api_token, - project_name => 'puppet/control-repo', - server_url => hiera('gms_server_url'), - provider => $git_management_system, - } - - git_webhook { "code_manager_post_receive_webhook-${::fqdn}" : - ensure => present, - webhook_url => "https://${::fqdn}:8170/code-manager/v1/webhook?type=${code_manager_webhook_type}${token_info}", - token => $gms_api_token, - project_name => 'puppet/control-repo', - server_url => hiera('gms_server_url'), - provider => $git_management_system, - disable_ssl_verify => true, - } - } -} diff --git a/site/profile/manifests/git_webhook/zack_r10k_webhook.pp b/site/profile/manifests/git_webhook/zack_r10k_webhook.pp deleted file mode 100644 index ed05282..0000000 --- a/site/profile/manifests/git_webhook/zack_r10k_webhook.pp +++ /dev/null @@ -1,58 +0,0 @@ -class profile::git_webhook::zack_r10k_webhook ( - $use_mcollective = false, -) { - - $username = hiera('webhook_username', fqdn_rand_string(10, '', 'username')) - $password = hiera('webhook_password', fqdn_rand_string(20, '', 'password')) - - $gms_api_token = hiera('gms_api_token', undef) - $git_management_system = hiera('git_management_system', undef) - - if $use_mcollective { - class { 'r10k::mcollective': - notify => Service['mcollective'], - } - } - - class {'r10k::webhook::config': - enable_ssl => true, - protected => true, - user => $username, - pass => $password, - use_mcollective => $use_mcollective, - } - - class {'r10k::webhook': - user => 'root', - group => '0', - require => Class['r10k::webhook::config'], - } - - $r10k_ssh_key_file = '/root/.ssh/r10k_rsa' - exec { 'create r10k ssh key' : - command => "/usr/bin/ssh-keygen -t rsa -b 2048 -C 'r10k' -f ${r10k_ssh_key_file} -q -N ''", - creates => $r10k_ssh_key_file, - } - - if !empty($gms_api_token) { - git_deploy_key { "add_deploy_key_to_puppet_control-${::fqdn}": - ensure => present, - name => $::fqdn, - path => "${r10k_ssh_key_file}.pub", - token => $gms_api_token, - project_name => 'puppet/control-repo', - server_url => hiera('gms_server_url'), - provider => $git_management_system, - } - - git_webhook { "web_post_receive_webhook-${::fqdn}" : - ensure => present, - webhook_url => "https://${username}:${password}@${::fqdn}:8088/payload", - token => $gms_api_token, - project_name => 'puppet/control-repo', - server_url => hiera('gms_server_url'), - provider => $git_management_system, - disable_ssl_verify => true, - } - } -} diff --git a/site/profile/manifests/git_webhook/zack_r10k_webhook_disable.pp b/site/profile/manifests/git_webhook/zack_r10k_webhook_disable.pp deleted file mode 100644 index ec54fc6..0000000 --- a/site/profile/manifests/git_webhook/zack_r10k_webhook_disable.pp +++ /dev/null @@ -1,14 +0,0 @@ -class profile::git_webhook::zack_r10k_webhook_disable { - - file { '/etc/webhook.yaml' : - ensure => absent, - notify => Exec['stop and disable webhook service'], - } - - exec { 'stop and disable webhook service' : - command => '/opt/puppetlabs/puppet/bin/puppet resource service webhook ensure=stopped enable=false', - logoutput => true, - refreshonly => true, - } - -} diff --git a/site/puppet_master_classifer_settings_function/lib/puppet/parser/functions/puppet_master_classifer_settings.rb b/site/puppet_master_classifer_settings_function/lib/puppet/parser/functions/puppet_master_classifer_settings.rb deleted file mode 100644 index 5559849..0000000 --- a/site/puppet_master_classifer_settings_function/lib/puppet/parser/functions/puppet_master_classifer_settings.rb +++ /dev/null @@ -1,5 +0,0 @@ -module Puppet::Parser::Functions - newfunction(:puppet_master_classifer_settings, :type => :rvalue) do |args| - function_parseyaml([function_file([File.join(lookupvar('settings::confdir').to_s, 'classifier.yaml')])]) - end -end diff --git a/site/role/manifests/all_in_one_pe.pp b/site/role/manifests/all_in_one_pe.pp index 9e93155..5f72a30 100644 --- a/site/role/manifests/all_in_one_pe.pp +++ b/site/role/manifests/all_in_one_pe.pp @@ -1,6 +1,6 @@ class role::all_in_one_pe { include profile::puppetmaster - include profile::git_webhook + include pe_code_manager_webhook } diff --git a/site/role/manifests/all_in_one_pe_2015_2.pp b/site/role/manifests/all_in_one_pe_2015_2.pp deleted file mode 100644 index 337ca45..0000000 --- a/site/role/manifests/all_in_one_pe_2015_2.pp +++ /dev/null @@ -1,6 +0,0 @@ -class role::all_in_one_pe_2015_2 { - - include profile::puppetmaster - include profile::git_webhook - -} |