git.lirion.de

Of git, get, and gud

summaryrefslogtreecommitdiffstats
path: root/site/profile/manifests
diff options
context:
space:
mode:
Diffstat (limited to 'site/profile/manifests')
-rw-r--r--site/profile/manifests/git_webhook.pp12
-rw-r--r--site/profile/manifests/git_webhook/code_manager.pp150
-rw-r--r--site/profile/manifests/git_webhook/zack_r10k_webhook.pp58
-rw-r--r--site/profile/manifests/git_webhook/zack_r10k_webhook_disable.pp14
-rw-r--r--site/profile/manifests/puppetmaster.pp53
-rw-r--r--site/profile/manifests/zack_r10k_webhook.pp29
6 files changed, 250 insertions, 66 deletions
diff --git a/site/profile/manifests/git_webhook.pp b/site/profile/manifests/git_webhook.pp
new file mode 100644
index 0000000..12ef786
--- /dev/null
+++ b/site/profile/manifests/git_webhook.pp
@@ -0,0 +1,12 @@
+class profile::git_webhook (
+ $force_zack_r10k_webhook = false
+) {
+
+ if versioncmp( $::pe_server_version, '2015.2.99' ) <= 0 or $force_zack_r10k_webhook {
+ include profile::git_webhook::zack_r10k_webhook
+ } else {
+ include profile::git_webhook::code_manager
+ include profile::git_webhook::zack_r10k_webhook_disable
+ }
+
+}
diff --git a/site/profile/manifests/git_webhook/code_manager.pp b/site/profile/manifests/git_webhook/code_manager.pp
new file mode 100644
index 0000000..7470e1c
--- /dev/null
+++ b/site/profile/manifests/git_webhook/code_manager.pp
@@ -0,0 +1,150 @@
+class profile::git_webhook::code_manager {
+
+ $authenticate_webhook = hiera('puppet_enterprise::master::code_manager::authenticate_webhook', true)
+
+ $code_manager_service_user = 'code_manager_service_user'
+ $code_manager_service_user_password = fqdn_rand_string(40, '', "${code_manager_service_user}_password")
+
+ #puppet_master_classifier_settings is a custom function
+ $classifier_settings = puppet_master_classifer_settings()
+ $classifier_hostname = $classifier_settings['server']
+ $classifier_port = $classifier_settings['port']
+
+ $token_directory = '/etc/puppetlabs/puppetserver/.puppetlabs'
+ $token_filename = "${token_directory}/${code_manager_service_user}_token"
+
+ $gms_api_token = hiera('gms_api_token', undef)
+ $git_management_system = hiera('git_management_system', undef)
+
+ $code_manager_ssh_key_file = '/etc/puppetlabs/puppetserver/code_manager.key'
+ exec { 'create code manager ssh key' :
+ command => "/usr/bin/ssh-keygen -t rsa -b 2048 -C 'code_manager' -f ${code_manager_ssh_key_file} -q -N ''",
+ creates => $code_manager_ssh_key_file,
+ }
+
+ file { $code_manager_ssh_key_file :
+ ensure => file,
+ owner => 'pe-puppet',
+ group => 'pe-puppet',
+ require => Exec['create code manager ssh key'],
+ }
+
+ #If files exist in the codedir code manager can't manage them unless pe-puppet can read them
+ exec { 'chown all environments to pe-puppet' :
+ command => "/bin/chown -R pe-puppet:pe-puppet ${::settings::codedir}",
+ unless => "/usr/bin/test \$(stat -c %U ${::settings::codedir}/environments/production) = 'pe-puppet'",
+ }
+
+ $code_manager_role_name = 'Deploy Environments'
+ $create_role_creates_file = '/etc/puppetlabs/puppetserver/.puppetlabs/deploy_environments_created'
+ $create_role_curl = @(EOT)
+ /opt/puppetlabs/puppet/bin/curl -k -X POST -H 'Content-Type: application/json' \
+ https://<%= $::trusted['certname'] %>:4433/rbac-api/v1/roles \
+ -d '{"permissions": [{"object_type": "environment", "action": "deploy_code", "instance": "*"},
+ {"object_type": "tokens", "action": "override_lifetime", "instance": "*"}],"user_ids": [], "group_ids": [], "display_name": "<%= $code_manager_role_name %>", "description": ""}' \
+ --cert <%= $::settings::certdir %>/<%= $::trusted['certname'] %>.pem \
+ --key <%= $::settings::privatekeydir %>/<%= $::trusted['certname'] %>.pem \
+ --cacert <%= $::settings::certdir %>/ca.pem;
+ touch <%= $create_role_creates_file %>
+ | EOT
+
+ exec { 'create deploy environments role' :
+ command => inline_epp( $create_role_curl ),
+ creates => $create_role_creates_file,
+ logoutput => true,
+ path => $::path,
+ require => File[$token_directory],
+ }
+
+ rbac_user { $code_manager_service_user :
+ ensure => 'present',
+ name => $code_manager_service_user,
+ email => "${code_manager_service_user}@example.com",
+ display_name => 'Code Manager Service Account',
+ password => $code_manager_service_user_password,
+ roles => [ $code_manager_role_name ],
+ require => Exec['create deploy environments role'],
+ }
+
+ file { $token_directory :
+ ensure => directory,
+ owner => 'pe-puppet',
+ group => 'pe-puppet',
+ }
+
+ exec { "Generate Token for ${code_manager_service_user}" :
+ command => epp('profile/git_webhook/code_manager/create_rbac_token.epp',
+ { 'code_manager_service_user' => $code_manager_service_user,
+ 'code_manager_service_user_password' => $code_manager_service_user_password,
+ 'classifier_hostname' => $classifier_hostname,
+ 'classifier_port' => $classifier_port,
+ 'token_filename' => $token_filename
+ }),
+ creates => $token_filename,
+ require => [ Rbac_user[$code_manager_service_user], File[$token_directory] ],
+ }
+
+ #this file cannont be read until the next run after the above exec
+ #because the file function runs on the master not on the agent
+ #so the file doesn't exist at the time the function is run
+ $rbac_token_file_contents = no_fail_file($token_filename)
+
+ #Only mv code if this is at least the 2nd run of puppet
+ #Code manager needs to be enabled and puppet server restarted
+ #before this exec can complete. Gating on the token file
+ #ensures at least one run has completed
+ if $::code_manager_mv_old_code and !empty($rbac_token_file_contents) {
+
+ $timestamp = chomp(generate('/bin/date', '+%Y%d%m_%H:%M:%S'))
+
+ exec { 'mv files out of $environmentpath' :
+ command => "mkdir /etc/puppetlabs/env_back_${timestamp};
+ mv ${::settings::codedir}/environments/* /etc/puppetlabs/env_back_${timestamp}/;
+ rm /opt/puppetlabs/facter/facts.d/code_manager_mv_old_code.txt;
+ TOKEN=`/opt/puppetlabs/puppet/bin/ruby -e \"require 'json'; puts JSON.parse(File.read('${token_filename}'))['token']\"`;
+ /opt/puppetlabs/puppet/bin/curl -k -X POST -H 'Content-Type: application/json' \"https://${::trusted['certname']}:8170/code-manager/v1/deploys?token=\$TOKEN\" -d '{\"environments\": [\"${::environment}\"], \"wait\": true}';
+ /opt/puppetlabs/puppet/bin/curl -k -X POST -H 'Content-Type: application/json' \"https://${::trusted['certname']}:8170/code-manager/v1/deploys?token=\$TOKEN\" -d '{\"deploy-all\": true, \"wait\": true}';
+ sleep 15",
+ path => $::path,
+ logoutput => true,
+ require => Exec["Generate Token for ${code_manager_service_user}"],
+ }
+ }
+
+ if !empty($gms_api_token) {
+ if $authenticate_webhook and !empty($rbac_token_file_contents) {
+
+ $rbac_token = parsejson($rbac_token_file_contents)['token']
+
+ $token_info = "&token=${rbac_token}"
+ }
+ else {
+ $token_info = ''
+ }
+
+ $code_manager_webhook_type = $git_management_system ? {
+ 'gitlab' => 'github',
+ default => $git_management_system,
+ }
+
+ git_deploy_key { "add_deploy_key_to_puppet_control-${::fqdn}":
+ ensure => present,
+ name => $::fqdn,
+ path => "${code_manager_ssh_key_file}.pub",
+ token => $gms_api_token,
+ project_name => 'puppet/control-repo',
+ server_url => hiera('gms_server_url'),
+ provider => $git_management_system,
+ }
+
+ git_webhook { "code_manager_post_receive_webhook-${::fqdn}" :
+ ensure => present,
+ webhook_url => "https://${::fqdn}:8170/code-manager/v1/webhook?type=${code_manager_webhook_type}${token_info}",
+ token => $gms_api_token,
+ project_name => 'puppet/control-repo',
+ server_url => hiera('gms_server_url'),
+ provider => $git_management_system,
+ disable_ssl_verify => true,
+ }
+ }
+}
diff --git a/site/profile/manifests/git_webhook/zack_r10k_webhook.pp b/site/profile/manifests/git_webhook/zack_r10k_webhook.pp
new file mode 100644
index 0000000..ed05282
--- /dev/null
+++ b/site/profile/manifests/git_webhook/zack_r10k_webhook.pp
@@ -0,0 +1,58 @@
+class profile::git_webhook::zack_r10k_webhook (
+ $use_mcollective = false,
+) {
+
+ $username = hiera('webhook_username', fqdn_rand_string(10, '', 'username'))
+ $password = hiera('webhook_password', fqdn_rand_string(20, '', 'password'))
+
+ $gms_api_token = hiera('gms_api_token', undef)
+ $git_management_system = hiera('git_management_system', undef)
+
+ if $use_mcollective {
+ class { 'r10k::mcollective':
+ notify => Service['mcollective'],
+ }
+ }
+
+ class {'r10k::webhook::config':
+ enable_ssl => true,
+ protected => true,
+ user => $username,
+ pass => $password,
+ use_mcollective => $use_mcollective,
+ }
+
+ class {'r10k::webhook':
+ user => 'root',
+ group => '0',
+ require => Class['r10k::webhook::config'],
+ }
+
+ $r10k_ssh_key_file = '/root/.ssh/r10k_rsa'
+ exec { 'create r10k ssh key' :
+ command => "/usr/bin/ssh-keygen -t rsa -b 2048 -C 'r10k' -f ${r10k_ssh_key_file} -q -N ''",
+ creates => $r10k_ssh_key_file,
+ }
+
+ if !empty($gms_api_token) {
+ git_deploy_key { "add_deploy_key_to_puppet_control-${::fqdn}":
+ ensure => present,
+ name => $::fqdn,
+ path => "${r10k_ssh_key_file}.pub",
+ token => $gms_api_token,
+ project_name => 'puppet/control-repo',
+ server_url => hiera('gms_server_url'),
+ provider => $git_management_system,
+ }
+
+ git_webhook { "web_post_receive_webhook-${::fqdn}" :
+ ensure => present,
+ webhook_url => "https://${username}:${password}@${::fqdn}:8088/payload",
+ token => $gms_api_token,
+ project_name => 'puppet/control-repo',
+ server_url => hiera('gms_server_url'),
+ provider => $git_management_system,
+ disable_ssl_verify => true,
+ }
+ }
+}
diff --git a/site/profile/manifests/git_webhook/zack_r10k_webhook_disable.pp b/site/profile/manifests/git_webhook/zack_r10k_webhook_disable.pp
new file mode 100644
index 0000000..ec54fc6
--- /dev/null
+++ b/site/profile/manifests/git_webhook/zack_r10k_webhook_disable.pp
@@ -0,0 +1,14 @@
+class profile::git_webhook::zack_r10k_webhook_disable {
+
+ file { '/etc/webhook.yaml' :
+ ensure => absent,
+ notify => Exec['stop and disable webhook service'],
+ }
+
+ exec { 'stop and disable webhook service' :
+ command => '/opt/puppetlabs/puppet/bin/puppet resource service webhook ensure=stopped enable=false',
+ logoutput => true,
+ refreshonly => true,
+ }
+
+}
diff --git a/site/profile/manifests/puppetmaster.pp b/site/profile/manifests/puppetmaster.pp
index 0954807..d73236f 100644
--- a/site/profile/manifests/puppetmaster.pp
+++ b/site/profile/manifests/puppetmaster.pp
@@ -1,7 +1,6 @@
-class profile::puppetmaster (
- $webhook_username,
- $webhook_password
-) {
+class profile::puppetmaster {
+
+ $hiera_yaml = "${::settings::confdir}/hiera.yaml"
class { 'hiera':
hierarchy => [
@@ -9,48 +8,28 @@ class profile::puppetmaster (
'nodes/%{::trusted.certname}',
'common',
],
- hiera_yaml => '/etc/puppetlabs/code/hiera.yaml',
+ hiera_yaml => $hiera_yaml,
datadir => '/etc/puppetlabs/code/environments/%{environment}/hieradata',
owner => 'pe-puppet',
group => 'pe-puppet',
notify => Service['pe-puppetserver'],
}
- #BEGIN - Generate an SSH key for r10k to connect to git
- $r10k_ssh_key_file = '/root/.ssh/r10k_rsa'
- exec { 'create r10k ssh key' :
- command => "/usr/bin/ssh-keygen -t rsa -b 2048 -C 'r10k' -f ${r10k_ssh_key_file} -q -N ''",
- creates => $r10k_ssh_key_file,
+ ini_setting { 'puppet.conf hiera_config' :
+ ensure => present,
+ path => "${::settings::confdir}/puppet.conf",
+ section => 'master',
+ setting => 'hiera_config',
+ value => $hiera_yaml,
+ notify => Service['pe-puppetserver'],
}
- #END - Generate an SSH key for r10k to connect to git
-
- #BEGIN - Add deploy key and webook to git management system
- $git_management_system = hiera('git_management_system', '')
-
- if $git_management_system in ['gitlab', 'github'] {
-
- git_deploy_key { "add_deploy_key_to_puppet_control-${::fqdn}":
- ensure => present,
- name => $::fqdn,
- path => "${r10k_ssh_key_file}.pub",
- token => hiera('gms_api_token'),
- project_name => 'puppet/control-repo',
- server_url => hiera('gms_server_url'),
- provider => $git_management_system,
- }
-
- git_webhook { "web_post_receive_webhook-${::fqdn}" :
- ensure => present,
- webhook_url => "https://${webhook_username}:${webhook_password}@${::fqdn}:8088/payload",
- token => hiera('gms_api_token'),
- project_name => 'puppet/control-repo',
- server_url => hiera('gms_server_url'),
- provider => $git_management_system,
- disable_ssl_verify => true,
- }
+ #remove the default hiera.yaml from the code-staging directory
+ #after the next code manager deployment it should be removed
+ #from the live codedir
+ file { '/etc/puppetlabs/code-staging/hiera.yaml' :
+ ensure => absent,
}
- #END - Add deploy key and webhook to git management system
#Lay down update-classes.sh for use in r10k postrun_command
#This is configured via the pe_r10k::postrun key in hiera
diff --git a/site/profile/manifests/zack_r10k_webhook.pp b/site/profile/manifests/zack_r10k_webhook.pp
deleted file mode 100644
index 7e0bd40..0000000
--- a/site/profile/manifests/zack_r10k_webhook.pp
+++ /dev/null
@@ -1,29 +0,0 @@
-class profile::zack_r10k_webhook (
- $username,
- $password,
- $use_mcollective = false,
-) {
-
- if $use_mcollective {
-
- class { 'r10k::mcollective':
- notify => Service['mcollective'],
- }
-
- }
-
- class {'r10k::webhook::config':
- enable_ssl => true,
- protected => true,
- user => $username,
- pass => $password,
- use_mcollective => $use_mcollective,
- }
-
- class {'r10k::webhook':
- user => 'root',
- group => '0',
- require => Class['r10k::webhook::config'],
- }
-
-}
© 2014-2019 lirion.de – served by cgit – All Rights Reverse Engineered