From d2db2750284dfeee15f375ce06bbcbc301738b84 Mon Sep 17 00:00:00 2001
From: Nick Walker <nick.walker@puppetlabs.com>
Date: Mon, 21 Dec 2015 15:19:38 -0800
Subject: Create profile::git_webhook to abstract away the details

Prior to this commit there were two possible webhooks
 - zack/r10k webhook
 - code manager

I moved these two profiles under git_webhook and choose the correct
one based on the version of PE being used.

As a safety hatch, I provide the $force_zack_r10k_webhook param
on profile::git_webhook in case someone needs to continue using it
instead of code manager.
---
 site/profile/manifests/git_webhook/code_manager.pp | 128 +++++++++++++++++++++
 .../manifests/git_webhook/zack_r10k_webhook.pp     |  58 ++++++++++
 2 files changed, 186 insertions(+)
 create mode 100644 site/profile/manifests/git_webhook/code_manager.pp
 create mode 100644 site/profile/manifests/git_webhook/zack_r10k_webhook.pp

(limited to 'site/profile/manifests/git_webhook')

diff --git a/site/profile/manifests/git_webhook/code_manager.pp b/site/profile/manifests/git_webhook/code_manager.pp
new file mode 100644
index 0000000..60cabf4
--- /dev/null
+++ b/site/profile/manifests/git_webhook/code_manager.pp
@@ -0,0 +1,128 @@
+class profile::git_webhook::code_manager {
+
+  $authenticate_webhook = hiera('puppet_enterprise::master::code_manager::authenticate_webhook', true)
+
+  $code_manager_service_user = 'code_manager_service_user'
+  $code_manager_service_user_password = fqdn_rand_string(40, '', "${code_manager_service_user}_password")
+
+  #puppet_master_classifier_settings is a custom function
+  $classifier_settings   = puppet_master_classifer_settings()
+  $classifier_hostname   = $classifier_settings['server']
+  $classifier_port       = $classifier_settings['port']
+
+  $token_directory       = '/etc/puppetlabs/puppetserver/.puppetlabs'
+  $token_filename        = "${token_directory}/${code_manager_service_user}_token"
+
+  $gms_api_token         = hiera('gms_api_token', undef)
+  $git_management_system = hiera('git_management_system', undef)
+
+  $code_manager_ssh_key_file = '/etc/puppetlabs/puppetserver/code_manager.key'
+  exec { 'create code manager ssh key' :
+    command => "/usr/bin/ssh-keygen -t rsa -b 2048 -C 'code_manager' -f ${code_manager_ssh_key_file} -q -N ''",
+    creates => $code_manager_ssh_key_file,
+  }
+
+  file { $code_manager_ssh_key_file :
+    ensure  => file,
+    owner   => 'pe-puppet',
+    group   => 'pe-puppet',
+    require => Exec['create code manager ssh key'],
+  }
+
+  #If files exist in the codedir code manager can't manage them unless pe-puppet can read them
+  exec { 'chown all environments to pe-puppet' :
+    command => "/bin/chown -R pe-puppet:pe-puppet ${::settings::codedir}",
+    unless  => "/usr/bin/test \$(stat -c %U ${::settings::codedir}/environments/production) = 'pe-puppet'",
+  }
+
+  rbac_user { $code_manager_service_user :
+    ensure       => 'present',
+    name         => $code_manager_service_user,
+    email        => "${code_manager_service_user}@example.com",
+    display_name => 'Code Manager Service Account',
+    password     => $code_manager_service_user_password,
+    roles        => [ 'Deploy Environments' ],
+  }
+
+  file { $token_directory :
+    ensure => directory,
+    owner  => 'pe-puppet',
+    group  => 'pe-puppet',
+  }
+
+  exec { "Generate Token for ${code_manager_service_user}" :
+    command => epp('profile/git_webhook/code_manager/create_rbac_token.epp',
+                  { 'code_manager_service_user'          => $code_manager_service_user,
+                    'code_manager_service_user_password' => $code_manager_service_user_password,
+                    'classifier_hostname'                => $classifier_hostname,
+                    'classifier_port'                    => $classifier_port,
+                    'token_filename'                     => $token_filename
+                  }),
+    creates => $token_filename,
+    require => [ Rbac_user[$code_manager_service_user], File[$token_directory] ],
+  }
+
+  #this file cannont be read until the next run after the above exec
+  #because the file function runs on the master not on the agent
+  #so the file doesn't exist at the time the function is run
+  $rbac_token_file_contents = no_fail_file($token_filename)
+
+  #Only mv code if this is at least the 2nd run of puppet
+  #Code manager needs to be enabled and puppet server restarted
+  #before this exec can complete.  Gating on the token file
+  #ensures at least one run has completed
+  if $::code_manager_mv_old_code and !empty($rbac_token_file_contents) {
+
+    $timestamp = chomp(generate('/bin/date', '+%Y%d%m_%H:%M:%S'))
+
+    exec { 'mv files out of $environmentpath' :
+      command    => "mkdir /etc/puppetlabs/env_back_${timestamp};
+                    mv ${::settings::codedir}/environments/* /etc/puppetlabs/env_back_${timestamp}/;
+                    rm /opt/puppetlabs/facter/facts.d/code_manager_mv_old_code.txt;
+                    TOKEN=`/opt/puppetlabs/puppet/bin/ruby -e \"require 'json'; puts JSON.parse(File.read('${token_filename}'))['token']\"`;
+                    /opt/puppetlabs/puppet/bin/curl -k -X POST -H 'Content-Type: application/json' \"https://${::trusted['certname']}:8170/code-manager/v1/deploys?token=\$TOKEN\" -d '{\"environments\": [\"${::environment}\"], \"wait\": true}';
+                    /opt/puppetlabs/puppet/bin/curl -k -X POST -H 'Content-Type: application/json' \"https://${::trusted['certname']}:8170/code-manager/v1/deploys?token=\$TOKEN\" -d '{\"deploy-all\": true, \"wait\": true}';
+                    sleep 15",
+      path       => $::path,
+      logoutput  => true,
+      require    => Exec["Generate Token for ${code_manager_service_user}"],
+    }
+  }
+
+  if !empty($gms_api_token) {
+    if $authenticate_webhook and !empty($rbac_token_file_contents) {
+
+      $rbac_token = parsejson($rbac_token_file_contents)['token']
+
+      $token_info = "&token=${rbac_token}"
+    }
+    else {
+      $token_info = ''
+    }
+
+    $code_manager_webhook_type = $git_management_system ? {
+                                   'gitlab' => 'github',
+                                   default  => $git_management_system,
+    }
+
+    git_deploy_key { "add_deploy_key_to_puppet_control-${::fqdn}":
+      ensure       => present,
+      name         => $::fqdn,
+      path         => "${code_manager_ssh_key_file}.pub",
+      token        => $gms_api_token,
+      project_name => 'puppet/control-repo',
+      server_url   => hiera('gms_server_url'),
+      provider     => $git_management_system,
+    }
+
+    git_webhook { "code_manager_post_receive_webhook-${::fqdn}" :
+      ensure             => present,
+      webhook_url        => "https://${::fqdn}:8170/code-manager/v1/webhook?type=${code_manager_webhook_type}${token_info}",
+      token              => $gms_api_token,
+      project_name       => 'puppet/control-repo',
+      server_url         => hiera('gms_server_url'),
+      provider           => $git_management_system,
+      disable_ssl_verify => true,
+    }
+  }
+}
diff --git a/site/profile/manifests/git_webhook/zack_r10k_webhook.pp b/site/profile/manifests/git_webhook/zack_r10k_webhook.pp
new file mode 100644
index 0000000..ed05282
--- /dev/null
+++ b/site/profile/manifests/git_webhook/zack_r10k_webhook.pp
@@ -0,0 +1,58 @@
+class profile::git_webhook::zack_r10k_webhook (
+  $use_mcollective = false,
+) {
+
+  $username = hiera('webhook_username', fqdn_rand_string(10, '', 'username'))
+  $password = hiera('webhook_password', fqdn_rand_string(20, '', 'password'))
+
+  $gms_api_token         = hiera('gms_api_token', undef)
+  $git_management_system = hiera('git_management_system', undef)
+
+  if $use_mcollective {
+    class { 'r10k::mcollective':
+      notify  => Service['mcollective'],
+    }
+  }
+
+  class {'r10k::webhook::config':
+    enable_ssl      => true,
+    protected       => true,
+    user            => $username,
+    pass            => $password,
+    use_mcollective => $use_mcollective,
+  }
+
+  class {'r10k::webhook':
+    user    => 'root',
+    group   => '0',
+    require => Class['r10k::webhook::config'],
+  }
+
+  $r10k_ssh_key_file = '/root/.ssh/r10k_rsa'
+  exec { 'create r10k ssh key' :
+    command => "/usr/bin/ssh-keygen -t rsa -b 2048 -C 'r10k' -f ${r10k_ssh_key_file} -q -N ''",
+    creates => $r10k_ssh_key_file,
+  }
+
+  if !empty($gms_api_token)  {
+    git_deploy_key { "add_deploy_key_to_puppet_control-${::fqdn}":
+      ensure       => present,
+      name         => $::fqdn,
+      path         => "${r10k_ssh_key_file}.pub",
+      token        => $gms_api_token,
+      project_name => 'puppet/control-repo',
+      server_url   => hiera('gms_server_url'),
+      provider     => $git_management_system,
+    }
+
+    git_webhook { "web_post_receive_webhook-${::fqdn}" :
+      ensure             => present,
+      webhook_url        => "https://${username}:${password}@${::fqdn}:8088/payload",
+      token              => $gms_api_token,
+      project_name       => 'puppet/control-repo',
+      server_url         => hiera('gms_server_url'),
+      provider           => $git_management_system,
+      disable_ssl_verify => true,
+    }
+  }
+}
-- 
cgit v1.2.3


From ec7a8d81a65051503e9f27e142f29b187327959b Mon Sep 17 00:00:00 2001
From: Nick Walker <nick.walker@puppetlabs.com>
Date: Mon, 21 Dec 2015 15:52:15 -0800
Subject: Add functionality to disable the zack/r10k webhook

Prior to this commit, if you upgraded from a previous version of
the control-repo both code manager and zack/r10k webhook would
be running and ready to receive data.  This can present problems
if the webhook isn't disbled in the git management system is
sending data to both receivers.

This commit adds rudimentary ability to break the zack/r10k
webhook so it can't receive data.
---
 site/profile/manifests/git_webhook.pp                      |  1 +
 .../manifests/git_webhook/zack_r10k_webhook_disable.pp     | 14 ++++++++++++++
 2 files changed, 15 insertions(+)
 create mode 100644 site/profile/manifests/git_webhook/zack_r10k_webhook_disable.pp

(limited to 'site/profile/manifests/git_webhook')

diff --git a/site/profile/manifests/git_webhook.pp b/site/profile/manifests/git_webhook.pp
index a46d4ea..12ef786 100644
--- a/site/profile/manifests/git_webhook.pp
+++ b/site/profile/manifests/git_webhook.pp
@@ -6,6 +6,7 @@ class profile::git_webhook (
     include profile::git_webhook::zack_r10k_webhook
   } else {
     include profile::git_webhook::code_manager
+    include profile::git_webhook::zack_r10k_webhook_disable
   }
 
 }
diff --git a/site/profile/manifests/git_webhook/zack_r10k_webhook_disable.pp b/site/profile/manifests/git_webhook/zack_r10k_webhook_disable.pp
new file mode 100644
index 0000000..ec54fc6
--- /dev/null
+++ b/site/profile/manifests/git_webhook/zack_r10k_webhook_disable.pp
@@ -0,0 +1,14 @@
+class profile::git_webhook::zack_r10k_webhook_disable {
+
+  file { '/etc/webhook.yaml' :
+    ensure => absent,
+    notify => Exec['stop and disable webhook service'],
+  }
+
+  exec { 'stop and disable webhook service' :
+    command     => '/opt/puppetlabs/puppet/bin/puppet resource service webhook ensure=stopped enable=false',
+    logoutput   => true,
+    refreshonly => true,
+  }
+
+}
-- 
cgit v1.2.3


From ad00dd7a9a5e06d1aadbd68043979d4e060b6c04 Mon Sep 17 00:00:00 2001
From: Nick Walker <nick.walker@puppetlabs.com>
Date: Mon, 21 Dec 2015 17:47:05 -0800
Subject: Add an exec to create the Deploy Environments RBAC Role

Prior to this commit there was a requirement for the user of this
repo to create a RBAC role in order for code manager to work.

After this commit an exec statement will curl the RBAC API to
create the role one time and hopefully it works otherwise the exec
will not run again.
---
 README.md                                          | 10 ++-------
 site/profile/manifests/git_webhook/code_manager.pp | 24 +++++++++++++++++++++-
 2 files changed, 25 insertions(+), 9 deletions(-)

(limited to 'site/profile/manifests/git_webhook')

diff --git a/README.md b/README.md
index ed90d4f..9818554 100644
--- a/README.md
+++ b/README.md
@@ -25,7 +25,7 @@ Table of Contents
 
 This control repo and the steps below are intended to be used during a new installation of PE.
 
-This control repo has only been tested against PE2015.2.z, it's likely close to working on PE3.8.z but has not been tested.
+This control repo has only been tested against PE2015.2.z and PE2015.3.z.  It is likely close to working on PE3.8.z but has not been tested.
 
 If you intend to use it on an existing installation then be warned that if you've already written or downloaded modules when you start using r10k it will remove all of the existing modules and replace them with what you define in your Puppetfile.  Please copy or move your existing modules to another directory to ensure you do not lose any work you've already started.  
 
@@ -144,13 +144,7 @@ So, we'll set up a deploy key in the git server that will allow a ssh-key we mak
  - Paste in the public key from above
  - `cat /etc/puppetlabs/puppetserver/code_manager.key.pub`
 3. Login to the PE console
-4. Select Access Control in the left hand panel
-5. On the User Roles page, add a new role called `Deploy Environments`
- - NOTE: Make sure to name it exactly as I have because the puppet code expects that exact name
-6. After creating the role click through and select the permissions tab
- - Add Puppet Environment type, Deploy Code permission, and All object
- - Add Tokens type, override default expiry permission
-7. Still in the PE Console, navigate to the Classification page
+7. Navigate to the Classification page
  - Click on the PE Master group
  - Click the Classes tab
  - Add the `puppet_enterprise::profile::master`
diff --git a/site/profile/manifests/git_webhook/code_manager.pp b/site/profile/manifests/git_webhook/code_manager.pp
index 60cabf4..7470e1c 100644
--- a/site/profile/manifests/git_webhook/code_manager.pp
+++ b/site/profile/manifests/git_webhook/code_manager.pp
@@ -35,13 +35,35 @@ class profile::git_webhook::code_manager {
     unless  => "/usr/bin/test \$(stat -c %U ${::settings::codedir}/environments/production) = 'pe-puppet'",
   }
 
+  $code_manager_role_name = 'Deploy Environments'
+  $create_role_creates_file = '/etc/puppetlabs/puppetserver/.puppetlabs/deploy_environments_created'
+  $create_role_curl = @(EOT)
+    /opt/puppetlabs/puppet/bin/curl -k -X POST -H 'Content-Type: application/json' \
+    https://<%= $::trusted['certname'] %>:4433/rbac-api/v1/roles \
+    -d '{"permissions": [{"object_type": "environment", "action": "deploy_code", "instance": "*"},
+    {"object_type": "tokens", "action": "override_lifetime", "instance": "*"}],"user_ids": [], "group_ids": [], "display_name": "<%= $code_manager_role_name  %>", "description": ""}' \
+    --cert <%= $::settings::certdir %>/<%= $::trusted['certname'] %>.pem  \
+    --key <%= $::settings::privatekeydir %>/<%= $::trusted['certname'] %>.pem  \
+    --cacert <%= $::settings::certdir %>/ca.pem;
+    touch <%= $create_role_creates_file %>
+    | EOT
+
+  exec { 'create deploy environments role' :
+    command   => inline_epp( $create_role_curl ),
+    creates   => $create_role_creates_file,
+    logoutput => true,
+    path      => $::path,
+    require   => File[$token_directory],
+  }
+
   rbac_user { $code_manager_service_user :
     ensure       => 'present',
     name         => $code_manager_service_user,
     email        => "${code_manager_service_user}@example.com",
     display_name => 'Code Manager Service Account',
     password     => $code_manager_service_user_password,
-    roles        => [ 'Deploy Environments' ],
+    roles        => [ $code_manager_role_name ],
+    require      => Exec['create deploy environments role'],
   }
 
   file { $token_directory :
-- 
cgit v1.2.3