From d2db2750284dfeee15f375ce06bbcbc301738b84 Mon Sep 17 00:00:00 2001 From: Nick Walker Date: Mon, 21 Dec 2015 15:19:38 -0800 Subject: Create profile::git_webhook to abstract away the details Prior to this commit there were two possible webhooks - zack/r10k webhook - code manager I moved these two profiles under git_webhook and choose the correct one based on the version of PE being used. As a safety hatch, I provide the $force_zack_r10k_webhook param on profile::git_webhook in case someone needs to continue using it instead of code manager. --- site/profile/manifests/code_manager.pp | 128 --------------------- site/profile/manifests/git_webhook.pp | 11 ++ site/profile/manifests/git_webhook/code_manager.pp | 128 +++++++++++++++++++++ .../manifests/git_webhook/zack_r10k_webhook.pp | 58 ++++++++++ site/profile/manifests/zack_r10k_webhook.pp | 58 ---------- .../templates/code_manager/create_rbac_token.epp | 7 -- .../git_webhook/code_manager/create_rbac_token.epp | 7 ++ site/role/manifests/all_in_one_pe.pp | 2 +- 8 files changed, 205 insertions(+), 194 deletions(-) delete mode 100644 site/profile/manifests/code_manager.pp create mode 100644 site/profile/manifests/git_webhook.pp create mode 100644 site/profile/manifests/git_webhook/code_manager.pp create mode 100644 site/profile/manifests/git_webhook/zack_r10k_webhook.pp delete mode 100644 site/profile/manifests/zack_r10k_webhook.pp delete mode 100644 site/profile/templates/code_manager/create_rbac_token.epp create mode 100644 site/profile/templates/git_webhook/code_manager/create_rbac_token.epp diff --git a/site/profile/manifests/code_manager.pp b/site/profile/manifests/code_manager.pp deleted file mode 100644 index fc0eb8b..0000000 --- a/site/profile/manifests/code_manager.pp +++ /dev/null @@ -1,128 +0,0 @@ -class profile::code_manager { - - $authenticate_webhook = hiera('puppet_enterprise::master::code_manager::authenticate_webhook', true) - - $code_manager_service_user = 'code_manager_service_user' - $code_manager_service_user_password = fqdn_rand_string(40, '', "${code_manager_service_user}_password") - - #puppet_master_classifier_settings is a custom function - $classifier_settings = puppet_master_classifer_settings() - $classifier_hostname = $classifier_settings['server'] - $classifier_port = $classifier_settings['port'] - - $token_directory = '/etc/puppetlabs/puppetserver/.puppetlabs' - $token_filename = "${token_directory}/${code_manager_service_user}_token" - - $gms_api_token = hiera('gms_api_token', undef) - $git_management_system = hiera('git_management_system', undef) - - $code_manager_ssh_key_file = '/etc/puppetlabs/puppetserver/code_manager.key' - exec { 'create code manager ssh key' : - command => "/usr/bin/ssh-keygen -t rsa -b 2048 -C 'code_manager' -f ${code_manager_ssh_key_file} -q -N ''", - creates => $code_manager_ssh_key_file, - } - - file { $code_manager_ssh_key_file : - ensure => file, - owner => 'pe-puppet', - group => 'pe-puppet', - require => Exec['create code manager ssh key'], - } - - #If files exist in the codedir code manager can't manage them unless pe-puppet can read them - exec { 'chown all environments to pe-puppet' : - command => "/bin/chown -R pe-puppet:pe-puppet ${::settings::codedir}", - unless => "/usr/bin/test \$(stat -c %U ${::settings::codedir}/environments/production) = 'pe-puppet'", - } - - rbac_user { $code_manager_service_user : - ensure => 'present', - name => $code_manager_service_user, - email => "${code_manager_service_user}@example.com", - display_name => 'Code Manager Service Account', - password => $code_manager_service_user_password, - roles => [ 'Deploy Environments' ], - } - - file { $token_directory : - ensure => directory, - owner => 'pe-puppet', - group => 'pe-puppet', - } - - exec { "Generate Token for ${code_manager_service_user}" : - command => epp('profile/code_manager/create_rbac_token.epp', - { 'code_manager_service_user' => $code_manager_service_user, - 'code_manager_service_user_password' => $code_manager_service_user_password, - 'classifier_hostname' => $classifier_hostname, - 'classifier_port' => $classifier_port, - 'token_filename' => $token_filename - }), - creates => $token_filename, - require => [ Rbac_user[$code_manager_service_user], File[$token_directory] ], - } - - #this file cannont be read until the next run after the above exec - #because the file function runs on the master not on the agent - #so the file doesn't exist at the time the function is run - $rbac_token_file_contents = no_fail_file($token_filename) - - #Only mv code if this is at least the 2nd run of puppet - #Code manager needs to be enabled and puppet server restarted - #before this exec can complete. Gating on the token file - #ensures at least one run has completed - if $::code_manager_mv_old_code and !empty($rbac_token_file_contents) { - - $timestamp = chomp(generate('/bin/date', '+%Y%d%m_%H:%M:%S')) - - exec { 'mv files out of $environmentpath' : - command => "mkdir /etc/puppetlabs/env_back_${timestamp}; - mv ${::settings::codedir}/environments/* /etc/puppetlabs/env_back_${timestamp}/; - rm /opt/puppetlabs/facter/facts.d/code_manager_mv_old_code.txt; - TOKEN=`/opt/puppetlabs/puppet/bin/ruby -e \"require 'json'; puts JSON.parse(File.read('${token_filename}'))['token']\"`; - /opt/puppetlabs/puppet/bin/curl -k -X POST -H 'Content-Type: application/json' \"https://${::trusted['certname']}:8170/code-manager/v1/deploys?token=\$TOKEN\" -d '{\"environments\": [\"${::environment}\"], \"wait\": true}'; - /opt/puppetlabs/puppet/bin/curl -k -X POST -H 'Content-Type: application/json' \"https://${::trusted['certname']}:8170/code-manager/v1/deploys?token=\$TOKEN\" -d '{\"deploy-all\": true, \"wait\": true}'; - sleep 15", - path => $::path, - logoutput => true, - require => Exec["Generate Token for ${code_manager_service_user}"], - } - } - - if !empty($gms_api_token) { - if $authenticate_webhook and !empty($rbac_token_file_contents) { - - $rbac_token = parsejson($rbac_token_file_contents)['token'] - - $token_info = "&token=${rbac_token}" - } - else { - $token_info = '' - } - - $code_manager_webhook_type = $git_management_system ? { - 'gitlab' => 'github', - default => $git_management_system, - } - - git_deploy_key { "add_deploy_key_to_puppet_control-${::fqdn}": - ensure => present, - name => $::fqdn, - path => "${code_manager_ssh_key_file}.pub", - token => $gms_api_token, - project_name => 'puppet/control-repo', - server_url => hiera('gms_server_url'), - provider => $git_management_system, - } - - git_webhook { "code_manager_post_receive_webhook-${::fqdn}" : - ensure => present, - webhook_url => "https://${::fqdn}:8170/code-manager/v1/webhook?type=${code_manager_webhook_type}${token_info}", - token => $gms_api_token, - project_name => 'puppet/control-repo', - server_url => hiera('gms_server_url'), - provider => $git_management_system, - disable_ssl_verify => true, - } - } -} diff --git a/site/profile/manifests/git_webhook.pp b/site/profile/manifests/git_webhook.pp new file mode 100644 index 0000000..a46d4ea --- /dev/null +++ b/site/profile/manifests/git_webhook.pp @@ -0,0 +1,11 @@ +class profile::git_webhook ( + $force_zack_r10k_webhook = false +) { + + if versioncmp( $::pe_server_version, '2015.2.99' ) <= 0 or $force_zack_r10k_webhook { + include profile::git_webhook::zack_r10k_webhook + } else { + include profile::git_webhook::code_manager + } + +} diff --git a/site/profile/manifests/git_webhook/code_manager.pp b/site/profile/manifests/git_webhook/code_manager.pp new file mode 100644 index 0000000..60cabf4 --- /dev/null +++ b/site/profile/manifests/git_webhook/code_manager.pp @@ -0,0 +1,128 @@ +class profile::git_webhook::code_manager { + + $authenticate_webhook = hiera('puppet_enterprise::master::code_manager::authenticate_webhook', true) + + $code_manager_service_user = 'code_manager_service_user' + $code_manager_service_user_password = fqdn_rand_string(40, '', "${code_manager_service_user}_password") + + #puppet_master_classifier_settings is a custom function + $classifier_settings = puppet_master_classifer_settings() + $classifier_hostname = $classifier_settings['server'] + $classifier_port = $classifier_settings['port'] + + $token_directory = '/etc/puppetlabs/puppetserver/.puppetlabs' + $token_filename = "${token_directory}/${code_manager_service_user}_token" + + $gms_api_token = hiera('gms_api_token', undef) + $git_management_system = hiera('git_management_system', undef) + + $code_manager_ssh_key_file = '/etc/puppetlabs/puppetserver/code_manager.key' + exec { 'create code manager ssh key' : + command => "/usr/bin/ssh-keygen -t rsa -b 2048 -C 'code_manager' -f ${code_manager_ssh_key_file} -q -N ''", + creates => $code_manager_ssh_key_file, + } + + file { $code_manager_ssh_key_file : + ensure => file, + owner => 'pe-puppet', + group => 'pe-puppet', + require => Exec['create code manager ssh key'], + } + + #If files exist in the codedir code manager can't manage them unless pe-puppet can read them + exec { 'chown all environments to pe-puppet' : + command => "/bin/chown -R pe-puppet:pe-puppet ${::settings::codedir}", + unless => "/usr/bin/test \$(stat -c %U ${::settings::codedir}/environments/production) = 'pe-puppet'", + } + + rbac_user { $code_manager_service_user : + ensure => 'present', + name => $code_manager_service_user, + email => "${code_manager_service_user}@example.com", + display_name => 'Code Manager Service Account', + password => $code_manager_service_user_password, + roles => [ 'Deploy Environments' ], + } + + file { $token_directory : + ensure => directory, + owner => 'pe-puppet', + group => 'pe-puppet', + } + + exec { "Generate Token for ${code_manager_service_user}" : + command => epp('profile/git_webhook/code_manager/create_rbac_token.epp', + { 'code_manager_service_user' => $code_manager_service_user, + 'code_manager_service_user_password' => $code_manager_service_user_password, + 'classifier_hostname' => $classifier_hostname, + 'classifier_port' => $classifier_port, + 'token_filename' => $token_filename + }), + creates => $token_filename, + require => [ Rbac_user[$code_manager_service_user], File[$token_directory] ], + } + + #this file cannont be read until the next run after the above exec + #because the file function runs on the master not on the agent + #so the file doesn't exist at the time the function is run + $rbac_token_file_contents = no_fail_file($token_filename) + + #Only mv code if this is at least the 2nd run of puppet + #Code manager needs to be enabled and puppet server restarted + #before this exec can complete. Gating on the token file + #ensures at least one run has completed + if $::code_manager_mv_old_code and !empty($rbac_token_file_contents) { + + $timestamp = chomp(generate('/bin/date', '+%Y%d%m_%H:%M:%S')) + + exec { 'mv files out of $environmentpath' : + command => "mkdir /etc/puppetlabs/env_back_${timestamp}; + mv ${::settings::codedir}/environments/* /etc/puppetlabs/env_back_${timestamp}/; + rm /opt/puppetlabs/facter/facts.d/code_manager_mv_old_code.txt; + TOKEN=`/opt/puppetlabs/puppet/bin/ruby -e \"require 'json'; puts JSON.parse(File.read('${token_filename}'))['token']\"`; + /opt/puppetlabs/puppet/bin/curl -k -X POST -H 'Content-Type: application/json' \"https://${::trusted['certname']}:8170/code-manager/v1/deploys?token=\$TOKEN\" -d '{\"environments\": [\"${::environment}\"], \"wait\": true}'; + /opt/puppetlabs/puppet/bin/curl -k -X POST -H 'Content-Type: application/json' \"https://${::trusted['certname']}:8170/code-manager/v1/deploys?token=\$TOKEN\" -d '{\"deploy-all\": true, \"wait\": true}'; + sleep 15", + path => $::path, + logoutput => true, + require => Exec["Generate Token for ${code_manager_service_user}"], + } + } + + if !empty($gms_api_token) { + if $authenticate_webhook and !empty($rbac_token_file_contents) { + + $rbac_token = parsejson($rbac_token_file_contents)['token'] + + $token_info = "&token=${rbac_token}" + } + else { + $token_info = '' + } + + $code_manager_webhook_type = $git_management_system ? { + 'gitlab' => 'github', + default => $git_management_system, + } + + git_deploy_key { "add_deploy_key_to_puppet_control-${::fqdn}": + ensure => present, + name => $::fqdn, + path => "${code_manager_ssh_key_file}.pub", + token => $gms_api_token, + project_name => 'puppet/control-repo', + server_url => hiera('gms_server_url'), + provider => $git_management_system, + } + + git_webhook { "code_manager_post_receive_webhook-${::fqdn}" : + ensure => present, + webhook_url => "https://${::fqdn}:8170/code-manager/v1/webhook?type=${code_manager_webhook_type}${token_info}", + token => $gms_api_token, + project_name => 'puppet/control-repo', + server_url => hiera('gms_server_url'), + provider => $git_management_system, + disable_ssl_verify => true, + } + } +} diff --git a/site/profile/manifests/git_webhook/zack_r10k_webhook.pp b/site/profile/manifests/git_webhook/zack_r10k_webhook.pp new file mode 100644 index 0000000..ed05282 --- /dev/null +++ b/site/profile/manifests/git_webhook/zack_r10k_webhook.pp @@ -0,0 +1,58 @@ +class profile::git_webhook::zack_r10k_webhook ( + $use_mcollective = false, +) { + + $username = hiera('webhook_username', fqdn_rand_string(10, '', 'username')) + $password = hiera('webhook_password', fqdn_rand_string(20, '', 'password')) + + $gms_api_token = hiera('gms_api_token', undef) + $git_management_system = hiera('git_management_system', undef) + + if $use_mcollective { + class { 'r10k::mcollective': + notify => Service['mcollective'], + } + } + + class {'r10k::webhook::config': + enable_ssl => true, + protected => true, + user => $username, + pass => $password, + use_mcollective => $use_mcollective, + } + + class {'r10k::webhook': + user => 'root', + group => '0', + require => Class['r10k::webhook::config'], + } + + $r10k_ssh_key_file = '/root/.ssh/r10k_rsa' + exec { 'create r10k ssh key' : + command => "/usr/bin/ssh-keygen -t rsa -b 2048 -C 'r10k' -f ${r10k_ssh_key_file} -q -N ''", + creates => $r10k_ssh_key_file, + } + + if !empty($gms_api_token) { + git_deploy_key { "add_deploy_key_to_puppet_control-${::fqdn}": + ensure => present, + name => $::fqdn, + path => "${r10k_ssh_key_file}.pub", + token => $gms_api_token, + project_name => 'puppet/control-repo', + server_url => hiera('gms_server_url'), + provider => $git_management_system, + } + + git_webhook { "web_post_receive_webhook-${::fqdn}" : + ensure => present, + webhook_url => "https://${username}:${password}@${::fqdn}:8088/payload", + token => $gms_api_token, + project_name => 'puppet/control-repo', + server_url => hiera('gms_server_url'), + provider => $git_management_system, + disable_ssl_verify => true, + } + } +} diff --git a/site/profile/manifests/zack_r10k_webhook.pp b/site/profile/manifests/zack_r10k_webhook.pp deleted file mode 100644 index 0ab4da2..0000000 --- a/site/profile/manifests/zack_r10k_webhook.pp +++ /dev/null @@ -1,58 +0,0 @@ -class profile::zack_r10k_webhook ( - $use_mcollective = false, -) { - - $username = hiera('webhook_username', fqdn_rand_string(10, '', 'username')) - $password = hiera('webhook_password', fqdn_rand_string(20, '', 'password')) - - $gms_api_token = hiera('gms_api_token', undef) - $git_management_system = hiera('git_management_system', undef) - - if $use_mcollective { - class { 'r10k::mcollective': - notify => Service['mcollective'], - } - } - - class {'r10k::webhook::config': - enable_ssl => true, - protected => true, - user => $username, - pass => $password, - use_mcollective => $use_mcollective, - } - - class {'r10k::webhook': - user => 'root', - group => '0', - require => Class['r10k::webhook::config'], - } - - $r10k_ssh_key_file = '/root/.ssh/r10k_rsa' - exec { 'create r10k ssh key' : - command => "/usr/bin/ssh-keygen -t rsa -b 2048 -C 'r10k' -f ${r10k_ssh_key_file} -q -N ''", - creates => $r10k_ssh_key_file, - } - - if !empty($gms_api_token) { - git_deploy_key { "add_deploy_key_to_puppet_control-${::fqdn}": - ensure => present, - name => $::fqdn, - path => "${r10k_ssh_key_file}.pub", - token => $gms_api_token, - project_name => 'puppet/control-repo', - server_url => hiera('gms_server_url'), - provider => $git_management_system, - } - - git_webhook { "web_post_receive_webhook-${::fqdn}" : - ensure => present, - webhook_url => "https://${username}:${password}@${::fqdn}:8088/payload", - token => $gms_api_token, - project_name => 'puppet/control-repo', - server_url => hiera('gms_server_url'), - provider => $git_management_system, - disable_ssl_verify => true, - } - } -} diff --git a/site/profile/templates/code_manager/create_rbac_token.epp b/site/profile/templates/code_manager/create_rbac_token.epp deleted file mode 100644 index 31bf00f..0000000 --- a/site/profile/templates/code_manager/create_rbac_token.epp +++ /dev/null @@ -1,7 +0,0 @@ -<%- | String $code_manager_service_user, - String $code_manager_service_user_password, - String $classifier_hostname, - Integer $classifier_port, - String $token_filename -| -%> -/opt/puppetlabs/puppet/bin/curl -k -X POST -H 'Content-Type: application/json' -d '{"login": "<%= $code_manager_service_user %>", "password": "<%= $code_manager_service_user_password %>", "lifetime": "0"}' https://<%= $classifier_hostname %>:<%= $classifier_port %>/rbac-api/v1/auth/token >> <%= $token_filename %> diff --git a/site/profile/templates/git_webhook/code_manager/create_rbac_token.epp b/site/profile/templates/git_webhook/code_manager/create_rbac_token.epp new file mode 100644 index 0000000..31bf00f --- /dev/null +++ b/site/profile/templates/git_webhook/code_manager/create_rbac_token.epp @@ -0,0 +1,7 @@ +<%- | String $code_manager_service_user, + String $code_manager_service_user_password, + String $classifier_hostname, + Integer $classifier_port, + String $token_filename +| -%> +/opt/puppetlabs/puppet/bin/curl -k -X POST -H 'Content-Type: application/json' -d '{"login": "<%= $code_manager_service_user %>", "password": "<%= $code_manager_service_user_password %>", "lifetime": "0"}' https://<%= $classifier_hostname %>:<%= $classifier_port %>/rbac-api/v1/auth/token >> <%= $token_filename %> diff --git a/site/role/manifests/all_in_one_pe.pp b/site/role/manifests/all_in_one_pe.pp index a8152b1..9e93155 100644 --- a/site/role/manifests/all_in_one_pe.pp +++ b/site/role/manifests/all_in_one_pe.pp @@ -1,6 +1,6 @@ class role::all_in_one_pe { include profile::puppetmaster - include profile::code_manager + include profile::git_webhook } -- cgit v1.2.3