From 4c2be74083287516b72ab4f3ccaaf317ea7a2eb0 Mon Sep 17 00:00:00 2001 From: Nick Walker Date: Wed, 11 Nov 2015 13:41:34 -0800 Subject: Add support for code manager which will replace zack r10k Add pltraing-rbac module Added a new profile for code_manager that: - creates a service users for code manager - creates a token for that service user - creates a hook on a git server using the token Turns out that the file function in puppet cannot read files in /root. The pe-puppet user needs read permissions on the file and traversal on the directory which giving to /root would probably be a bad idea. So, I just put the file containing the token in /etc/puppetlabs/puppetserver since I'm not sure where would be better. --- site/profile/manifests/code_manager.pp | 66 ++++++++++++++++++++++ site/profile/manifests/puppetmaster.pp | 3 +- site/profile/manifests/zack_r10k_webhook.pp | 11 ++++ .../templates/code_manager/create_rbac_token.epp | 7 +++ 4 files changed, 86 insertions(+), 1 deletion(-) create mode 100644 site/profile/manifests/code_manager.pp create mode 100644 site/profile/templates/code_manager/create_rbac_token.epp (limited to 'site/profile') diff --git a/site/profile/manifests/code_manager.pp b/site/profile/manifests/code_manager.pp new file mode 100644 index 0000000..f244564 --- /dev/null +++ b/site/profile/manifests/code_manager.pp 
@@ -0,0 +1,66 @@ +class profile::code_manager { + + $code_manager_service_user = 'code_manager_service_user' + $code_manager_service_user_password = fqdn_rand_string(40, '', "${code_manager_service_user}_password") + + #puppet_master_classifier_settings is a custom function + $classifier_settings = puppet_master_classifer_settings() + $classifier_hostname = $classifier_settings['server'] + $classifier_port = $classifier_settings['port'] + + $token_directory = '/etc/puppetlabs/puppetserver/.puppetlabs' + $token_filename = "${token_directory}/${code_manager_service_user}_token" + + $gms_api_token = hiera('gms_api_token', undef) + $git_management_system = hiera('git_management_system', undef) + + rbac_user { $code_manager_service_user : + ensure => 'present', + name => $code_manager_service_user, + email => "${code_manager_service_user}@example.com", + display_name => 'Code Manager Service Account', + password => $code_manager_service_user_password, + roles => [ 'Deploy Environments' ], + } + + file { $token_directory : + ensure => directory, + owner => 'pe-puppet', + group => 'pe-puppet', + } + + exec { "Generate Token for ${code_manager_service_user}" : + command => epp('profile/code_manager/create_rbac_token.epp', + { 'code_manager_service_user' => $code_manager_service_user, + 'code_manager_service_user_password' => $code_manager_service_user_password, + 'classifier_hostname' => $classifier_hostname, + 'classifier_port' => $classifier_port, + 'token_filename' => $token_filename + }), + creates => $token_filename, + require => [ Rbac_user[$code_manager_service_user], File[$token_directory] ], + } + + + if !empty($gms_api_token) { + + #this file cannont be read until the next run after the above exec + #because the file function runs on the master not on the agent + $rbac_token = parsejson(file($token_filename))['token'] + + $code_manager_webhook_type = $git_management_system ? 
{ + 'gitlab' => 'github', + default => $git_management_system, + } + + git_webhook { "code_manager_post_receive_webhook-${::fqdn}" : + ensure => present, + webhook_url => "https://${::fqdn}:8170/code-manager/v1/webhook?type=${code_manager_webhook_type}&token=${rbac_token}", + token => $gms_api_token, + project_name => 'puppet/control-repo', + server_url => hiera('gms_server_url'), + provider => $git_management_system, + disable_ssl_verify => true, + } + } +} diff --git a/site/profile/manifests/puppetmaster.pp b/site/profile/manifests/puppetmaster.pp index 0954807..e63d819 100644 --- a/site/profile/manifests/puppetmaster.pp +++ b/site/profile/manifests/puppetmaster.pp @@ -25,7 +25,8 @@ class profile::puppetmaster ( #END - Generate an SSH key for r10k to connect to git #BEGIN - Add deploy key and webook to git management system - $git_management_system = hiera('git_management_system', '') + $git_management_system = hiera('git_management_system', undef) + $gms_api_token = hiera('gms_api_token', undef) if $git_management_system in ['gitlab', 'github'] { diff --git a/site/profile/manifests/zack_r10k_webhook.pp b/site/profile/manifests/zack_r10k_webhook.pp index 7e0bd40..3dae9d7 100644 --- a/site/profile/manifests/zack_r10k_webhook.pp +++ b/site/profile/manifests/zack_r10k_webhook.pp @@ -26,4 +26,15 @@ class profile::zack_r10k_webhook ( require => Class['r10k::webhook::config'], } + if !empty($gms_api_token) { + git_webhook { "web_post_receive_webhook-${::fqdn}" : + ensure => present, + webhook_url => "https://${username}:${password}@${::fqdn}:8088/payload", + token => $gms_api_token, + project_name => 'puppet/control-repo', + server_url => hiera('gms_server_url'), + provider => $git_management_system, + disable_ssl_verify => true, + } + } } diff --git a/site/profile/templates/code_manager/create_rbac_token.epp b/site/profile/templates/code_manager/create_rbac_token.epp new file mode 100644 index 0000000..31bf00f --- /dev/null 
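Review bot: The file written to `$token_filename` holds an RBAC token requested with `"lifetime": "0"` (the template hunk in this commit; the README later pairs it with the override-default-expiry permission) and the Deploy Environments role, yet neither `file { $token_directory … }` nor the exec that appends to the file pins a mode, so the token ends up with whatever umask the agent (root) exec inherits. Add `mode => '0700',` to the directory resource and manage the token file itself with a `file` resource (`owner => 'pe-puppet'`, `mode => '0600'`, `require => Exec["Generate Token for ${code_manager_service_user}"]`) so only the puppetserver user can read it. The service-user password comes from `fqdn_rand_string(40, '', "${code_manager_service_user}_password")`, which is reproducible by anyone who knows the master's FQDN and this repository; a comment such as `# NOTE: fqdn_rand_string is deterministic per FQDN; override via hiera for a real secret` would at least make that visible. `disable_ssl_verify => true` on the `git_webhook` here and in this commit's zack_r10k_webhook.pp hunk is hard-coded; it belongs in a hiera key defaulting to false so a trusted CA can be used without editing the profile.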
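Review bot: `$gms_api_token` and `$git_management_system` are used by the new `if !empty($gms_api_token)` block but are not declared anywhere in `profile::zack_r10k_webhook` at this commit (the class parameters visible in the next commit's hunk are `$username`, `$password`, `$use_mcollective`), so with `strict_variables` the catalog fails to compile and without it the block is skipped silently; the following commit adds the hiera lookups. The class header and the `r10k::webhook` declarations lie outside the hunk.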
+++ b/site/profile/templates/code_manager/create_rbac_token.epp @@ -0,0 +1,7 @@ +<%- | String $code_manager_service_user, + String $code_manager_service_user_password, + String $classifier_hostname, + Integer $classifier_port, + String $token_filename +| -%> +/opt/puppetlabs/puppet/bin/curl -k -X POST -H 'Content-Type: application/json' -d '{"login": "<%= $code_manager_service_user %>", "password": "<%= $code_manager_service_user_password %>", "lifetime": "0"}' https://<%= $classifier_hostname %>:<%= $classifier_port %>/rbac-api/v1/auth/token >> <%= $token_filename %> -- cgit v1.2.3 From 2d7a9a72e10526c07bdc77b2b8eefcc368db8b45 Mon Sep 17 00:00:00 2001 From: Nick Walker Date: Wed, 11 Nov 2015 13:43:57 -0800 Subject: Refactor puppetmaster and zack_r10k_webhook Moved the webhook resource out of puppetmaster and into zack_r10k to support exchaning code_manager in place of zack_r10k As a result I cleaned up some unnecessary parameters. Installing both the r10k webhook and the code_manager at this time for testing --- site/profile/manifests/puppetmaster.pp | 19 +++---------------- site/profile/manifests/zack_r10k_webhook.pp | 8 ++++++-- site/role/manifests/all_in_one_pe.pp | 15 +++------------ 3 files changed, 12 insertions(+), 30 deletions(-) (limited to 'site/profile') diff --git a/site/profile/manifests/puppetmaster.pp b/site/profile/manifests/puppetmaster.pp index e63d819..d6a657f 100644 --- a/site/profile/manifests/puppetmaster.pp +++ b/site/profile/manifests/puppetmaster.pp @@ -1,7 +1,4 @@ -class profile::puppetmaster ( - $webhook_username, - $webhook_password -) { +class profile::puppetmaster { class { 'hiera': hierarchy => [ 
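Review bot: `>> <%= $token_filename %>` makes the shell create the file before curl even connects, and curl runs without `--fail`, so a refused connection or a 4xx/5xx error body still leaves a file behind, the exec's `creates => $token_filename` guard is then satisfied on every later run, and the manifest's `parsejson(...)['token']` yields undef or fails on a non-JSON body with no way to recover short of deleting the file by hand. Replace the append with `-f -sS -o <%= $token_filename %>` so the file only appears on a 2xx response. The login and password are also on the curl command line, visible in `ps` on the master and in Puppet's log whenever the exec fails; reading the JSON body with `-d @<path>` from a mode-0600 file keeps the password out of the process list, and `--cacert` with the master's CA bundle instead of `-k` would let the request to the classifier be verified.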
@@ -28,28 +25,18 @@ class profile::puppetmaster ( $git_management_system = hiera('git_management_system', undef) $gms_api_token = hiera('gms_api_token', undef) - if $git_management_system in ['gitlab', 'github'] { + if !empty($gms_api_token) { git_deploy_key { "add_deploy_key_to_puppet_control-${::fqdn}": ensure => present, name => $::fqdn, path => "${r10k_ssh_key_file}.pub", - token => hiera('gms_api_token'), + token => $gms_api_token, project_name => 'puppet/control-repo', server_url => hiera('gms_server_url'), provider => $git_management_system, } - git_webhook { "web_post_receive_webhook-${::fqdn}" : - ensure => present, - webhook_url => "https://${webhook_username}:${webhook_password}@${::fqdn}:8088/payload", - token => hiera('gms_api_token'), - project_name => 'puppet/control-repo', - server_url => hiera('gms_server_url'), - provider => $git_management_system, - disable_ssl_verify => true, - } - } #END - Add deploy key and webhook to git management system diff --git a/site/profile/manifests/zack_r10k_webhook.pp b/site/profile/manifests/zack_r10k_webhook.pp index 3dae9d7..f35f856 100644 --- a/site/profile/manifests/zack_r10k_webhook.pp +++ b/site/profile/manifests/zack_r10k_webhook.pp @@ -1,9 +1,13 @@ class profile::zack_r10k_webhook ( - $username, - $password, $use_mcollective = false, ) { + $username = hiera('webhook_username', fqdn_rand_string(10, '', 'username')) + $password = hiera('webhook_password', fqdn_rand_string(20, '', 'password')) + + $gms_api_token = hiera('gms_api_token', undef) + $git_management_system = hiera('git_management_system', undef) + if $use_mcollective { class { 'r10k::mcollective': diff --git a/site/role/manifests/all_in_one_pe.pp b/site/role/manifests/all_in_one_pe.pp index 6bc2eb3..3807e46 100644 --- a/site/role/manifests/all_in_one_pe.pp +++ b/site/role/manifests/all_in_one_pe.pp 
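Review bot: Replacing `if $git_management_system in ['gitlab', 'github']` with `if !empty($gms_api_token)` drops the provider check, so a hiera file that sets `gms_api_token` but not `git_management_system` now declares `git_deploy_key` with `provider => undef` instead of skipping it as before. Keep both guards, e.g. `if !empty($gms_api_token) and $git_management_system in ['gitlab', 'github'] {`. The enclosing class continues outside the hunk.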
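Review bot: The defaults `fqdn_rand_string(10, '', 'username')` and `fqdn_rand_string(20, '', 'password')` are deterministic for a given FQDN and the fixed seeds `'username'`/`'password'`, so anyone who knows the master's hostname and this public repository can compute the webhook's basic-auth password. Since these values become the credentials embedded in the `web_post_receive_webhook` URL and stored on the git server, either leave the `webhook_password` lookup without a default so a missing value fails loudly, or document the fallback, e.g. `# NOTE: fqdn_rand_string is reproducible from the FQDN and seed; set webhook_password in hiera for a real secret`. The rest of the class body is outside the hunk.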
@@ -1,16 +1,7 @@ class role::all_in_one_pe { - $webhook_username = hiera('webhook_username', fqdn_rand_string(10, '', 'username')) - $webhook_password = hiera('webhook_password', fqdn_rand_string(20, '', 'password')) - - class { 'profile::puppetmaster' : - webhook_username => $webhook_username, - webhook_password => $webhook_password, - } - - class { 'profile::zack_r10k_webhook' : - username => $webhook_username, - password => $webhook_password, - } + include profile::puppetmaster + include profile::zack_r10k_webhook + include profile::code_manager } -- cgit v1.2.3 From b71ab8d42eca09d24c4f0b4955b0779fcbb3a5bc Mon Sep 17 00:00:00 2001 From: Nick Walker Date: Sun, 15 Nov 2015 10:44:53 -0800 Subject: Allow code_manager profile to not error out on first run Prior to this commit, the code manger profile could not complete on the first run because the file function would error out I implemented a new version of the file function that returns nothing when the file does not exist instead of erroring out which allows me to gate creating the webhook on whether there is content in the file. As a result this means that it takes 2 runs to get everything setup but this is preferable over having to manually intervene in some other way if the token file doesn't exist. --- .../lib/puppet/parser/functions/no_fail_file.rb | 36 ++++++++++++++++++++++ site/profile/manifests/code_manager.pp | 11 ++++--- 2 files changed, 43 insertions(+), 4 deletions(-) create mode 100644 site/no_fail_file/lib/puppet/parser/functions/no_fail_file.rb (limited to 'site/profile') diff --git a/site/no_fail_file/lib/puppet/parser/functions/no_fail_file.rb b/site/no_fail_file/lib/puppet/parser/functions/no_fail_file.rb new file mode 100644 index 0000000..3819ebf --- /dev/null +++ b/site/no_fail_file/lib/puppet/parser/functions/no_fail_file.rb 
@@ -0,0 +1,36 @@ +require 'puppet/file_system' + +Puppet::Parser::Functions::newfunction( + :no_fail_file, :arity => -2, :type => :rvalue, + :doc => "Loads a file from a module and returns its contents as a string. + + This is a replacement to the file function that returns nothing + if the file specified cannot be found instead of erroring out. + + The argument to this function should be a `/` + reference, which will load `` from a module's `files` + directory. (For example, the reference `mysql/mysqltuner.pl` will load the + file `/mysql/files/mysqltuner.pl`.) + + This function can also accept: + + * An absolute path, which can load a file from anywhere on disk. + * Multiple arguments, which will return the contents of the **first** file + found, skipping any files that don't exist. + " +) do |vals| + path = nil + vals.each do |file| + found = Puppet::Parser::Files.find_file(file, compiler.environment) + if found && Puppet::FileSystem.exist?(found) + path = found + break + end + end + + if path + Puppet::FileSystem.read_preserve_line_endings(path) + else + nil + end +end diff --git a/site/profile/manifests/code_manager.pp b/site/profile/manifests/code_manager.pp index f244564..6416054 100644 --- a/site/profile/manifests/code_manager.pp +++ b/site/profile/manifests/code_manager.pp 
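Review bot: The `:doc` string says the function "returns nothing if the file specified cannot be found", but only the not-found case is handled: `Puppet::FileSystem.exist?(found)` is true for a file the puppetserver process cannot read, and `read_preserve_line_endings` then raises, which for a root-created token file is the likelier first-run failure given the commit message about `/root`. Either state that limit in the doc, e.g. `Only a missing file yields undef; an existing but unreadable file still raises.`, or rescue `Errno::EACCES` around the read and emit a warning rather than returning nil silently. Minor style: the `each`/`break` loop is a first-match search and reads more directly as `path = vals.find { |file| ... }`.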
@@ -42,11 +42,14 @@ class profile::code_manager { } - if !empty($gms_api_token) { + #this file cannont be read until the next run after the above exec + #because the file function runs on the master not on the agent + #so the file doesn't exist at the time the function is run + $rbac_token_file_contents = no_fail_file($token_filename) - #this file cannont be read until the next run after the above exec - #because the file function runs on the master not on the agent - $rbac_token = parsejson(file($token_filename))['token'] + if !empty($gms_api_token) and !empty($rbac_token_file_contents) { + + $rbac_token = parsejson($rbac_token_file_contents)['token'] $code_manager_webhook_type = $git_management_system ? { 'gitlab' => 'github', -- cgit v1.2.3 From 6ac2b30b38ebe5c0ddef3a8da3721ff9114701ab Mon Sep 17 00:00:00 2001 From: Nick Walker Date: Fri, 20 Nov 2015 10:37:10 -0800 Subject: Allow disabling authentication on code manager webhook --- site/profile/manifests/code_manager.pp | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) (limited to 'site/profile') diff --git a/site/profile/manifests/code_manager.pp b/site/profile/manifests/code_manager.pp index 6416054..f660f54 100644 --- a/site/profile/manifests/code_manager.pp +++ b/site/profile/manifests/code_manager.pp @@ -1,5 +1,7 @@ class profile::code_manager { + $authenticate_webhook = hiera('puppet_enterprise::master::code_manager::authenticate_webhook', true) + $code_manager_service_user = 'code_manager_service_user' $code_manager_service_user_password = fqdn_rand_string(40, '', "${code_manager_service_user}_password") 
@@ -47,9 +49,16 @@ class profile::code_manager { #so the file doesn't exist at the time the function is run $rbac_token_file_contents = no_fail_file($token_filename) - if !empty($gms_api_token) and !empty($rbac_token_file_contents) { + if !empty($gms_api_token) { + if $authenticate_webhook and !empty($rbac_token_file_contents) { + + $rbac_token = parsejson($rbac_token_file_contents)['token'] - $rbac_token = parsejson($rbac_token_file_contents)['token'] + $token_info = "&token=${rbac_token}" + } + else { + $token_info = '' + } $code_manager_webhook_type = $git_management_system ? { 'gitlab' => 'github', @@ -58,7 +67,7 @@ class profile::code_manager { git_webhook { "code_manager_post_receive_webhook-${::fqdn}" : ensure => present, - webhook_url => "https://${::fqdn}:8170/code-manager/v1/webhook?type=${code_manager_webhook_type}&token=${rbac_token}", + webhook_url => "https://${::fqdn}:8170/code-manager/v1/webhook?type=${code_manager_webhook_type}${token_info}", token => $gms_api_token, project_name => 'puppet/control-repo', server_url => hiera('gms_server_url'), -- cgit v1.2.3 From 1b0f63be83464dc7bdc9561b3d5b3a937a4dfb39 Mon Sep 17 00:00:00 2001 From: Nick Walker Date: Fri, 20 Nov 2015 17:01:23 -0800 Subject: Chown files in codedir to pe-puppet --- site/profile/manifests/code_manager.pp | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'site/profile') diff --git a/site/profile/manifests/code_manager.pp b/site/profile/manifests/code_manager.pp index f660f54..db1d901 100644 --- a/site/profile/manifests/code_manager.pp +++ b/site/profile/manifests/code_manager.pp 
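Review bot: The `else` branch assigns `$token_info = ''` both when `$authenticate_webhook` is false and when it is true but the token file has not been written yet, so on the first run with authentication enabled a webhook is registered without a token and pushes are rejected until a later run rewrites the URL (whether `git_webhook` updates an existing hook's URL in place is not visible here). Declare the webhook only when it can be correct, e.g. wrap the resource in `if !$authenticate_webhook or !empty($rbac_token_file_contents) {` and drop the empty-token fallback. The enclosing `if !empty($gms_api_token)` block continues past the hunk.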
@@ -16,6 +16,12 @@ class profile::code_manager { $gms_api_token = hiera('gms_api_token', undef) $git_management_system = hiera('git_management_system', undef) + #If files exist in the codedir code manager can't manage them unless pe-puppet can read them + exec { 'chown all environments to pe-puppet' : + command => "/bin/chown -R pe-puppet:pe-puppet ${::settings::codedir}", + unless => "/usr/bin/test \$(stat -c %U ${::settings::codedir}/environments/production) = 'pe-puppet'", + } + rbac_user { $code_manager_service_user : ensure => 'present', name => $code_manager_service_user, -- cgit v1.2.3 From cc34e25fd54e60caf744130d90c14f8d839c7823 Mon Sep 17 00:00:00 2001 From: Nick Walker Date: Mon, 7 Dec 2015 07:55:32 -0800 Subject: Final steps to make Code Manager work - Moved ssh key generation and git deploy key out of the puppetmaster profile and into zack_r10k and code_manager - Swapped code manager into the all_in_one role - Made a 2015.2 all_in_one role if users prefer to use it - Conditionally move all existing code out of environmentpath to allow file sync to sync files - Update the README to compliment the new puppet code --- README.md | 73 +++++++++++++++++------------ site/profile/manifests/code_manager.pp | 50 ++++++++++++++++++-- site/profile/manifests/puppetmaster.pp | 27 ----------- site/profile/manifests/zack_r10k_webhook.pp | 18 ++++++- site/role/manifests/all_in_one_pe.pp | 1 - site/role/manifests/all_in_one_pe_2015_2.pp | 6 +++ 6 files changed, 111 insertions(+), 64 deletions(-) create mode 100644 site/role/manifests/all_in_one_pe_2015_2.pp (limited to 'site/profile') diff --git a/README.md b/README.md index 837e5f0..8d14212 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# Before Starting: +# Before Starting: This control repo and the steps below are intended to be used during a new installation of PE. 
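Review bot: The `unless` guard inspects only `${::settings::codedir}/environments/production`; on a master where that directory does not exist yet, `stat` fails, `test` exits non-zero and the recursive `chown -R` over the whole codedir runs on every agent run. Check the directory the command actually changes and quote the substitution so an empty `stat` result cannot become a bare `test` operand: `unless => "/usr/bin/test \"\$(stat -c %U ${::settings::codedir})\" = 'pe-puppet'",`. A `chown -R` of the entire codedir also touches `hiera.yaml` and anything else kept there, which is worth a comment next to the resource.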
@@ -17,15 +17,15 @@ extension_requests: 1.3.6.1.4.1.34380.1.1.13: 'all_in_one_pe' ``` -### If You Have Not Installed PE +### If You Have Not Installed PE -Good then you can proceed forward and the trusted fact will be used when you get to the install step. +Good then you can proceed forward and the trusted fact will be used when you get to the install step. ### If You Have Already Installed PE -Trusted facts are created at the time a CSR is generated. So, we need to regenerate the certificate on the master for the above trusted fact to be created. +Trusted facts are created at the time a CSR is generated. So, we need to regenerate the certificate on the master for the above trusted fact to be created. -Follow this document to regenerate the certificate on your master. +Follow this document to regenerate the certificate on your master. http://docs.puppetlabs.com/pe/latest/regenerate_certs_master.html @@ -53,20 +53,20 @@ http://docs.puppetlabs.com/pe/latest/regenerate_certs_master.html - In the left hand pane, select memembers - Add the `r10k_api_user` with `master` permissions -7. Add your user to the `puppet` group as well +7. Add your user to the `puppet` group as well 8. Create a project called `control-repo` and set the Namespace to be the `puppet` group 9. Logout of root and login as the `r10k_api_user` - Go to profile settings -> account ( https:///profile/account ) - Copy the api token - + 10. Clone this control repository to your laptop/workstation - `git clone ` - `cd control-repo` 11. `git mv hieradata/nodes/example-puppet-master.yaml hieradata/nodes/.yaml` - - Open `hieradata/nodes/.yaml` + - Open `hieradata/nodes/.yaml` - edit `gms_api_token` to be your api token - edit `git_management_system` to be 'gitlab' - edit the `gms_server_url` 
@@ -99,7 +99,7 @@ Coming soon! ###Install PE 1. Download the latest version of the PE installer for your platform and copy it to your master - - https://puppetlabs.com/download-puppet-enterprise + - https://puppetlabs.com/download-puppet-enterprise 2. Expand the tarball and `cd` into the directory 3. Run `puppet-enterprise-installer` to install 
@@ -109,34 +109,50 @@ http://docs.puppetlabs.com/pe/latest/install_basic.html ###Get the Control-Repo Deployed On Your Master -At this point you have my control-repo code deployed into your git server. However, we have one final challenge getting that code onto your puppet master. In the end state the master will pull code from the git server via r10k, however, at this moment your puppet master doesn't have credentials to get code from the git server. +At this point you have our control-repo code deployed into your git server. However, we have one final challenge: getting that code onto your puppet master. In the end state the master will pull code from the git server via r10k, however, at this moment your puppet master doesn't have credentials to get code from the git server. -So, we'll set up a deploy key in the git server that will allow a ssh-key we make to deploy the code and configure everything else. +So, we'll set up a deploy key in the git server that will allow a ssh-key we make to deploy the code and configure everything else. 1. On your puppet master, make an ssh key for r10k to connect to gitlab - - `/usr/bin/ssh-keygen -t rsa -b 2048 -C 'r10k' -f /root/.ssh/r10k_rsa -q -N ''` + - `/usr/bin/ssh-keygen -t rsa -b 2048 -C 'code_manager' -f /etc/puppetlabs/puppetserver/code_manager.key -q -N ''` - http://doc.gitlab.com/ce/ssh/README.html - https://help.github.com/articles/generating-ssh-keys/ 2. Create a deploy key on the `control-repo` project in Gitlab - Paste in the public key from above - - `cat /root/.ssh/r10k_rsa.pub` -3. Follow https://docs.puppetlabs.com/pe/latest/r10k_config_console.html - - The remote is on the front page of the project in the gitlab UI - - git_settings should be: - - `{"provider": "rugged", - "private_key": "/root/.ssh/r10k_rsa"}` -3. Run `puppet agent -t` + - `cat /etc/puppetlabs/puppetserver/code_manager.key.pub` +3. Login to the PE console +4. Select Access Control in the left hand panel +5. 
On the User Roles page, add a new role called `Deploy Environments` + - NOTE: Make sure to name it exactly as I have because the puppet code expects that exact name +6. After creating the role click through and select the permissions tab + - Add Puppet Environment type, Deploy Code permission, and All object + - Add Tokens type, override default expiry permission +7. Still in the PE Console, navigate to the Classification page + - Click on the PE Master group + - Click the Classes tab + - Add the `puppet_enterprise::profile::master` + - Set the `r10k_remote` to the ssh url from the front page of your gitlab repo + - Set the `r10k_private_key` parameter to `/etc/puppetlabs/puppetserver/code_manager.key` + - Commit your changes +8. Run `puppet agent -t` - Expect to see changes to `r10k.yaml` -3. Run `r10k deploy environment -pv` -4. Run `puppet agent -t` +9. Run `r10k deploy environment -pv` +10. Run `puppet agent -t` + - Expect to see code manager enabled +10. `echo 'code_manager_mv_old_code=true' > /opt/puppetlabs/facter/facts.d/code_manager_mv_old_code.txt` +11. Run `puppet agent -t` - Now you should see many more changes + - Your code has been deployed with code manager now + +## Test Code Manager + ## Test The Zack/r10k Webhook -One of the components setup by this control-repo is that when you "push" code to your git server, the git server will inform the puppet master to run `r10k deploy environment -p`. +One of the components setup by this control-repo is that when you "push" code to your git server, the git server will inform the puppet master to run `r10k deploy environment -p`. -1. Edit README.md +1. Edit README.md - Just add something to it 2. `git add README.md` 3. `git commit -m "edit README"` 
@@ -144,16 +160,14 @@ One of the components setup by this control-repo is that when you "push" code to 5. Allow the push to complete and then give it few seconds to complete - Open `/etc/puppetlabs/code/environments/production/README.md` and confirm your change is present - - ---- #Miscellaneous ## If You Want to Install Pointing To This Repo on Github -### Setting Up Gitlab +### Setting Up Gitlab -1. Install Gitlab on a server by specifying the following trusted fact on the soon-to-be Gitlab server and then [install the PE agent](http://docs.puppetlabs.com/pe/latest/install_agents.html#using-the-puppet-agent-package-installation-script). +1. Install Gitlab on a server by specifying the following trusted fact on the soon-to-be Gitlab server and then [install the PE agent](http://docs.puppetlabs.com/pe/latest/install_agents.html#using-the-puppet-agent-package-installation-script). ``` --- @@ -164,7 +178,7 @@ One of the components setup by this control-repo is that when you "push" code to ### Setting up Github -Not yet completed. +Not yet completed. ### Setting up Stash @@ -173,6 +187,3 @@ Not yet completed. #TODO Flush out generating an answer file and then appending extra answers onto the end of it. - - - diff --git a/site/profile/manifests/code_manager.pp b/site/profile/manifests/code_manager.pp index db1d901..fc0eb8b 100644 --- a/site/profile/manifests/code_manager.pp +++ b/site/profile/manifests/code_manager.pp 
@@ -1,10 +1,10 @@ class profile::code_manager { - $authenticate_webhook = hiera('puppet_enterprise::master::code_manager::authenticate_webhook', true) + $authenticate_webhook = hiera('puppet_enterprise::master::code_manager::authenticate_webhook', true) $code_manager_service_user = 'code_manager_service_user' $code_manager_service_user_password = fqdn_rand_string(40, '', "${code_manager_service_user}_password") - + #puppet_master_classifier_settings is a custom function $classifier_settings = puppet_master_classifer_settings() $classifier_hostname = $classifier_settings['server'] @@ -16,6 +16,19 @@ class profile::code_manager { $gms_api_token = hiera('gms_api_token', undef) $git_management_system = hiera('git_management_system', undef) + $code_manager_ssh_key_file = '/etc/puppetlabs/puppetserver/code_manager.key' + exec { 'create code manager ssh key' : + command => "/usr/bin/ssh-keygen -t rsa -b 2048 -C 'code_manager' -f ${code_manager_ssh_key_file} -q -N ''", + creates => $code_manager_ssh_key_file, + } + + file { $code_manager_ssh_key_file : + ensure => file, + owner => 'pe-puppet', + group => 'pe-puppet', + require => Exec['create code manager ssh key'], + } + #If files exist in the codedir code manager can't manage them unless pe-puppet can read them exec { 'chown all environments to pe-puppet' : command => "/bin/chown -R pe-puppet:pe-puppet ${::settings::codedir}", 
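Review bot: `file { $code_manager_ssh_key_file … }` sets owner and group but no `mode`, so Puppet never corrects the private key's permissions if they drift from the 0600 that `ssh-keygen` initially creates; add `mode => '0600',`. The matching `${code_manager_ssh_key_file}.pub` is referenced by the deploy-key hunk later in this commit but is not managed at all, so a second `file` resource with the same owner/group and `require` would keep the pair consistent. The exec runs as root, which is why the ownership handoff is needed at all; `user => 'pe-puppet'` on the exec would avoid it, assuming the puppetserver user can write to `/etc/puppetlabs/puppetserver` (not visible here).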
@@ -49,12 +62,33 @@ class profile::code_manager { require => [ Rbac_user[$code_manager_service_user], File[$token_directory] ], } - #this file cannont be read until the next run after the above exec #because the file function runs on the master not on the agent #so the file doesn't exist at the time the function is run $rbac_token_file_contents = no_fail_file($token_filename) + #Only mv code if this is at least the 2nd run of puppet + #Code manager needs to be enabled and puppet server restarted + #before this exec can complete. Gating on the token file + #ensures at least one run has completed + if $::code_manager_mv_old_code and !empty($rbac_token_file_contents) { + + $timestamp = chomp(generate('/bin/date', '+%Y%d%m_%H:%M:%S')) + + exec { 'mv files out of $environmentpath' : + command => "mkdir /etc/puppetlabs/env_back_${timestamp}; + mv ${::settings::codedir}/environments/* /etc/puppetlabs/env_back_${timestamp}/; + rm /opt/puppetlabs/facter/facts.d/code_manager_mv_old_code.txt; + TOKEN=`/opt/puppetlabs/puppet/bin/ruby -e \"require 'json'; puts JSON.parse(File.read('${token_filename}'))['token']\"`; + /opt/puppetlabs/puppet/bin/curl -k -X POST -H 'Content-Type: application/json' \"https://${::trusted['certname']}:8170/code-manager/v1/deploys?token=\$TOKEN\" -d '{\"environments\": [\"${::environment}\"], \"wait\": true}'; + /opt/puppetlabs/puppet/bin/curl -k -X POST -H 'Content-Type: application/json' \"https://${::trusted['certname']}:8170/code-manager/v1/deploys?token=\$TOKEN\" -d '{\"deploy-all\": true, \"wait\": true}'; + sleep 15", + path => $::path, + logoutput => true, + require => Exec["Generate Token for ${code_manager_service_user}"], + } + } + if !empty($gms_api_token) { if $authenticate_webhook and !empty($rbac_token_file_contents) { 
@@ -71,6 +105,16 @@ class profile::code_manager { default => $git_management_system, } + git_deploy_key { "add_deploy_key_to_puppet_control-${::fqdn}": + ensure => present, + name => $::fqdn, + path => "${code_manager_ssh_key_file}.pub", + token => $gms_api_token, + project_name => 'puppet/control-repo', + server_url => hiera('gms_server_url'), + provider => $git_management_system, + } + git_webhook { "code_manager_post_receive_webhook-${::fqdn}" : ensure => present, webhook_url => "https://${::fqdn}:8170/code-manager/v1/webhook?type=${code_manager_webhook_type}${token_info}", diff --git a/site/profile/manifests/puppetmaster.pp b/site/profile/manifests/puppetmaster.pp index d6a657f..28b3bdf 100644 --- a/site/profile/manifests/puppetmaster.pp +++ b/site/profile/manifests/puppetmaster.pp @@ -13,33 +13,6 @@ class profile::puppetmaster { notify => Service['pe-puppetserver'], } - #BEGIN - Generate an SSH key for r10k to connect to git - $r10k_ssh_key_file = '/root/.ssh/r10k_rsa' - exec { 'create r10k ssh key' : - command => "/usr/bin/ssh-keygen -t rsa -b 2048 -C 'r10k' -f ${r10k_ssh_key_file} -q -N ''", - creates => $r10k_ssh_key_file, - } - #END - Generate an SSH key for r10k to connect to git - - #BEGIN - Add deploy key and webook to git management system - $git_management_system = hiera('git_management_system', undef) - $gms_api_token = hiera('gms_api_token', undef) - - if !empty($gms_api_token) { - - git_deploy_key { "add_deploy_key_to_puppet_control-${::fqdn}": - ensure => present, - name => $::fqdn, - path => "${r10k_ssh_key_file}.pub", - token => $gms_api_token, - project_name => 'puppet/control-repo', - server_url => hiera('gms_server_url'), - provider => $git_management_system, - } - - } - #END - Add deploy key and webhook to git management system - #Lay down update-classes.sh for use in r10k postrun_command #This is configured via the pe_r10k::postrun key in hiera file { '/usr/local/bin/update-classes.sh' : 
diff --git a/site/profile/manifests/zack_r10k_webhook.pp b/site/profile/manifests/zack_r10k_webhook.pp index f35f856..0ab4da2 100644 --- a/site/profile/manifests/zack_r10k_webhook.pp +++ b/site/profile/manifests/zack_r10k_webhook.pp @@ -9,11 +9,9 @@ class profile::zack_r10k_webhook ( $git_management_system = hiera('git_management_system', undef) if $use_mcollective { - class { 'r10k::mcollective': notify => Service['mcollective'], } - } class {'r10k::webhook::config': @@ -30,7 +28,23 @@ class profile::zack_r10k_webhook ( require => Class['r10k::webhook::config'], } + $r10k_ssh_key_file = '/root/.ssh/r10k_rsa' + exec { 'create r10k ssh key' : + command => "/usr/bin/ssh-keygen -t rsa -b 2048 -C 'r10k' -f ${r10k_ssh_key_file} -q -N ''", + creates => $r10k_ssh_key_file, + } + if !empty($gms_api_token) { + git_deploy_key { "add_deploy_key_to_puppet_control-${::fqdn}": + ensure => present, + name => $::fqdn, + path => "${r10k_ssh_key_file}.pub", + token => $gms_api_token, + project_name => 'puppet/control-repo', + server_url => hiera('gms_server_url'), + provider => $git_management_system, + } + git_webhook { "web_post_receive_webhook-${::fqdn}" : ensure => present, webhook_url => "https://${username}:${password}@${::fqdn}:8088/payload", diff --git a/site/role/manifests/all_in_one_pe.pp b/site/role/manifests/all_in_one_pe.pp index 3807e46..a8152b1 100644 --- a/site/role/manifests/all_in_one_pe.pp +++ b/site/role/manifests/all_in_one_pe.pp @@ -1,7 +1,6 @@ class role::all_in_one_pe { include profile::puppetmaster - include profile::zack_r10k_webhook include profile::code_manager } diff --git a/site/role/manifests/all_in_one_pe_2015_2.pp b/site/role/manifests/all_in_one_pe_2015_2.pp new file mode 100644 index 0000000..01bf717 --- /dev/null +++ b/site/role/manifests/all_in_one_pe_2015_2.pp @@ -0,0 +1,6 @@ +class role::all_in_one_pe_2015_2 { + + include profile::puppetmaster + include profile::zack_r10k_webhook + +} -- cgit v1.2.3 
From b8d4980f86eecda72928de0e9f28c32e9078d117 Mon Sep 17 00:00:00 2001 From: Nick Walker Date: Fri, 11 Dec 2015 18:22:22 -0800 Subject: Move hiera.yaml to avoid file-sync overwriting it File sync appears to sync everything in the $codedir which inlcudes hiera.yaml. When managing hiera.yaml with puppet code you don't want file sync to overwrite its contents. So, I'm moving it out of $codedir and removing the original hiera.yaml to avoid confusion for users investigating later. --- site/profile/manifests/puppetmaster.pp | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) (limited to 'site/profile') diff --git a/site/profile/manifests/puppetmaster.pp b/site/profile/manifests/puppetmaster.pp index 28b3bdf..d73236f 100644 --- a/site/profile/manifests/puppetmaster.pp +++ b/site/profile/manifests/puppetmaster.pp @@ -1,18 +1,36 @@ class profile::puppetmaster { + $hiera_yaml = "${::settings::confdir}/hiera.yaml" + class { 'hiera': hierarchy => [ 'virtual/%{::virtual}', 'nodes/%{::trusted.certname}', 'common', ], - hiera_yaml => '/etc/puppetlabs/code/hiera.yaml', + hiera_yaml => $hiera_yaml, datadir => '/etc/puppetlabs/code/environments/%{environment}/hieradata', owner => 'pe-puppet', group => 'pe-puppet', notify => Service['pe-puppetserver'], } + ini_setting { 'puppet.conf hiera_config' : + ensure => present, + path => "${::settings::confdir}/puppet.conf", + section => 'master', + setting => 'hiera_config', + value => $hiera_yaml, + notify => Service['pe-puppetserver'], + } + + #remove the default hiera.yaml from the code-staging directory + #after the next code manager deployment it should be removed + #from the live codedir + file { '/etc/puppetlabs/code-staging/hiera.yaml' : + ensure => absent, + } + #Lay down update-classes.sh for use in r10k postrun_command #This is configured via the pe_r10k::postrun key in hiera file { '/usr/local/bin/update-classes.sh' : -- cgit v1.2.3 From d2db2750284dfeee15f375ce06bbcbc301738b84 Mon Sep 17 00:00:00 2001 
From: Nick Walker Date: Mon, 21 Dec 2015 15:19:38 -0800 Subject: Create profile::git_webhook to abstract away the details Prior to this commit there were two possible webhooks - zack/r10k webhook - code manager I moved these two profiles under git_webhook and choose the correct one based on the version of PE being used. As a safety hatch, I provide the $force_zack_r10k_webhook param on profile::git_webhook in case someone needs to continue using it instead of code manager. --- site/profile/manifests/code_manager.pp | 128 --------------------- site/profile/manifests/git_webhook.pp | 11 ++ site/profile/manifests/git_webhook/code_manager.pp | 128 +++++++++++++++++++++ .../manifests/git_webhook/zack_r10k_webhook.pp | 58 ++++++++++ site/profile/manifests/zack_r10k_webhook.pp | 58 ---------- .../templates/code_manager/create_rbac_token.epp | 7 -- .../git_webhook/code_manager/create_rbac_token.epp | 7 ++ site/role/manifests/all_in_one_pe.pp | 2 +- 8 files changed, 205 insertions(+), 194 deletions(-) delete mode 100644 site/profile/manifests/code_manager.pp create mode 100644 site/profile/manifests/git_webhook.pp create mode 100644 site/profile/manifests/git_webhook/code_manager.pp create mode 100644 site/profile/manifests/git_webhook/zack_r10k_webhook.pp delete mode 100644 site/profile/manifests/zack_r10k_webhook.pp delete mode 100644 site/profile/templates/code_manager/create_rbac_token.epp create mode 100644 site/profile/templates/git_webhook/code_manager/create_rbac_token.epp (limited to 'site/profile') diff --git a/site/profile/manifests/code_manager.pp b/site/profile/manifests/code_manager.pp deleted file mode 100644 index fc0eb8b..0000000 --- a/site/profile/manifests/code_manager.pp +++ /dev/null 
@@ -1,128 +0,0 @@ -class profile::code_manager { - - $authenticate_webhook = hiera('puppet_enterprise::master::code_manager::authenticate_webhook', true) - - $code_manager_service_user = 'code_manager_service_user' - $code_manager_service_user_password = fqdn_rand_string(40, '', "${code_manager_service_user}_password") - - #puppet_master_classifier_settings is a custom function - $classifier_settings = puppet_master_classifer_settings() - $classifier_hostname = $classifier_settings['server'] - $classifier_port = $classifier_settings['port'] - - $token_directory = '/etc/puppetlabs/puppetserver/.puppetlabs' - $token_filename = "${token_directory}/${code_manager_service_user}_token" - - $gms_api_token = hiera('gms_api_token', undef) - $git_management_system = hiera('git_management_system', undef) - - $code_manager_ssh_key_file = '/etc/puppetlabs/puppetserver/code_manager.key' - exec { 'create code manager ssh key' : - command => "/usr/bin/ssh-keygen -t rsa -b 2048 -C 'code_manager' -f ${code_manager_ssh_key_file} -q -N ''", - creates => $code_manager_ssh_key_file, - } - - file { $code_manager_ssh_key_file : - ensure => file, - owner => 'pe-puppet', - group => 'pe-puppet', - require => Exec['create code manager ssh key'], - } - - #If files exist in the codedir code manager can't manage them unless pe-puppet can read them - exec { 'chown all environments to pe-puppet' : - command => "/bin/chown -R pe-puppet:pe-puppet ${::settings::codedir}", - unless => "/usr/bin/test \$(stat -c %U ${::settings::codedir}/environments/production) = 'pe-puppet'", - } - - rbac_user { $code_manager_service_user : - ensure => 'present', - name => $code_manager_service_user, - email => "${code_manager_service_user}@example.com", - display_name => 'Code Manager Service Account', - password => $code_manager_service_user_password, - roles => [ 'Deploy Environments' ], - } - - file { $token_directory : - ensure => directory, - owner => 'pe-puppet', - group => 'pe-puppet', - } - - exec { "Generate 
Token for ${code_manager_service_user}" : - command => epp('profile/code_manager/create_rbac_token.epp', - { 'code_manager_service_user' => $code_manager_service_user, - 'code_manager_service_user_password' => $code_manager_service_user_password, - 'classifier_hostname' => $classifier_hostname, - 'classifier_port' => $classifier_port, - 'token_filename' => $token_filename - }), - creates => $token_filename, - require => [ Rbac_user[$code_manager_service_user], File[$token_directory] ], - } - - #this file cannont be read until the next run after the above exec - #because the file function runs on the master not on the agent - #so the file doesn't exist at the time the function is run - $rbac_token_file_contents = no_fail_file($token_filename) - - #Only mv code if this is at least the 2nd run of puppet - #Code manager needs to be enabled and puppet server restarted - #before this exec can complete. Gating on the token file - #ensures at least one run has completed - if $::code_manager_mv_old_code and !empty($rbac_token_file_contents) { - - $timestamp = chomp(generate('/bin/date', '+%Y%d%m_%H:%M:%S')) - - exec { 'mv files out of $environmentpath' : - command => "mkdir /etc/puppetlabs/env_back_${timestamp}; - mv ${::settings::codedir}/environments/* /etc/puppetlabs/env_back_${timestamp}/; - rm /opt/puppetlabs/facter/facts.d/code_manager_mv_old_code.txt; - TOKEN=`/opt/puppetlabs/puppet/bin/ruby -e \"require 'json'; puts JSON.parse(File.read('${token_filename}'))['token']\"`; - /opt/puppetlabs/puppet/bin/curl -k -X POST -H 'Content-Type: application/json' \"https://${::trusted['certname']}:8170/code-manager/v1/deploys?token=\$TOKEN\" -d '{\"environments\": [\"${::environment}\"], \"wait\": true}'; - /opt/puppetlabs/puppet/bin/curl -k -X POST -H 'Content-Type: application/json' \"https://${::trusted['certname']}:8170/code-manager/v1/deploys?token=\$TOKEN\" -d '{\"deploy-all\": true, \"wait\": true}'; - sleep 15", - path => $::path, - logoutput => true, - require => 
Exec["Generate Token for ${code_manager_service_user}"],
- }
- }
-
- if !empty($gms_api_token) {
- if $authenticate_webhook and !empty($rbac_token_file_contents) {
-
- $rbac_token = parsejson($rbac_token_file_contents)['token']
-
- $token_info = "&token=${rbac_token}"
- }
- else {
- $token_info = ''
- }
-
- $code_manager_webhook_type = $git_management_system ? {
- 'gitlab' => 'github',
- default => $git_management_system,
- }
-
- git_deploy_key { "add_deploy_key_to_puppet_control-${::fqdn}":
- ensure => present,
- name => $::fqdn,
- path => "${code_manager_ssh_key_file}.pub",
- token => $gms_api_token,
- project_name => 'puppet/control-repo',
- server_url => hiera('gms_server_url'),
- provider => $git_management_system,
- }
-
- git_webhook { "code_manager_post_receive_webhook-${::fqdn}" :
- ensure => present,
- webhook_url => "https://${::fqdn}:8170/code-manager/v1/webhook?type=${code_manager_webhook_type}${token_info}",
- token => $gms_api_token,
- project_name => 'puppet/control-repo',
- server_url => hiera('gms_server_url'),
- provider => $git_management_system,
- disable_ssl_verify => true,
- }
- }
-}
diff --git a/site/profile/manifests/git_webhook.pp b/site/profile/manifests/git_webhook.pp
new file mode 100644
index 0000000..a46d4ea
--- /dev/null
+++ b/site/profile/manifests/git_webhook.pp
@@ -0,0 +1,11 @@
+class profile::git_webhook (
+ $force_zack_r10k_webhook = false
+) {
+
+ if versioncmp( $::pe_server_version, '2015.2.99' ) <= 0 or $force_zack_r10k_webhook {
+ include profile::git_webhook::zack_r10k_webhook
+ } else {
+ include profile::git_webhook::code_manager
+ }
+
+}
diff --git a/site/profile/manifests/git_webhook/code_manager.pp b/site/profile/manifests/git_webhook/code_manager.pp
new file mode 100644
index 0000000..60cabf4
--- /dev/null
+++ b/site/profile/manifests/git_webhook/code_manager.pp
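Review bot: `versioncmp( $::pe_server_version, '2015.2.99' )` is evaluated before the `or`, so on a node where the `pe_server_version` fact is missing (a non-PE master, or a run before the fact exists) the function receives `undef` and, under Puppet 4 argument type checking, presumably aborts compilation instead of falling through to the zack/r10k branch. Resolving the fact first makes the fallback explicit: `$pe_version = pick($::pe_server_version, '0.0.0')` followed by `if versioncmp($pe_version, '2015.2.99') <= 0 or $force_zack_r10k_webhook {`. Typing the parameter as `Boolean $force_zack_r10k_webhook = false` also rejects a quoted `'false'` from hiera, which would otherwise be truthy here.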
@@ -0,0 +1,128 @@
+class profile::git_webhook::code_manager {
+
+ $authenticate_webhook = hiera('puppet_enterprise::master::code_manager::authenticate_webhook', true)
+
+ $code_manager_service_user = 'code_manager_service_user'
+ $code_manager_service_user_password = fqdn_rand_string(40, '', "${code_manager_service_user}_password")
+
+ #puppet_master_classifier_settings is a custom function
+ $classifier_settings = puppet_master_classifer_settings()
+ $classifier_hostname = $classifier_settings['server']
+ $classifier_port = $classifier_settings['port']
+
+ $token_directory = '/etc/puppetlabs/puppetserver/.puppetlabs'
+ $token_filename = "${token_directory}/${code_manager_service_user}_token"
+
+ $gms_api_token = hiera('gms_api_token', undef)
+ $git_management_system = hiera('git_management_system', undef)
+
+ $code_manager_ssh_key_file = '/etc/puppetlabs/puppetserver/code_manager.key'
+ exec { 'create code manager ssh key' :
+ command => "/usr/bin/ssh-keygen -t rsa -b 2048 -C 'code_manager' -f ${code_manager_ssh_key_file} -q -N ''",
+ creates => $code_manager_ssh_key_file,
+ }
+
+ file { $code_manager_ssh_key_file :
+ ensure => file,
+ owner => 'pe-puppet',
+ group => 'pe-puppet',
+ require => Exec['create code manager ssh key'],
+ }
+
+ #If files exist in the codedir code manager can't manage them unless pe-puppet can read them
+ exec { 'chown all environments to pe-puppet' :
+ command => "/bin/chown -R pe-puppet:pe-puppet ${::settings::codedir}",
+ unless => "/usr/bin/test \$(stat -c %U ${::settings::codedir}/environments/production) = 'pe-puppet'",
+ }
+
+ rbac_user { $code_manager_service_user :
+ ensure => 'present',
+ name => $code_manager_service_user,
+ email => "${code_manager_service_user}@example.com",
+ display_name => 'Code Manager Service Account',
+ password => $code_manager_service_user_password,
+ roles => [ 'Deploy Environments' ],
+ }
+
+ file { $token_directory :
+ ensure => directory,
+ owner => 'pe-puppet',
+ group => 'pe-puppet',
+ }
+
+ exec { "Generate Token for ${code_manager_service_user}" :
+ command => epp('profile/git_webhook/code_manager/create_rbac_token.epp',
+ { 'code_manager_service_user' => $code_manager_service_user,
+ 'code_manager_service_user_password' => $code_manager_service_user_password,
+ 'classifier_hostname' => $classifier_hostname,
+ 'classifier_port' => $classifier_port,
+ 'token_filename' => $token_filename
+ }),
+ creates => $token_filename,
+ require => [ Rbac_user[$code_manager_service_user], File[$token_directory] ],
+ }
+
+ #this file cannont be read until the next run after the above exec
+ #because the file function runs on the master not on the agent
+ #so the file doesn't exist at the time the function is run
+ $rbac_token_file_contents = no_fail_file($token_filename)
+
+ #Only mv code if this is at least the 2nd run of puppet
+ #Code manager needs to be enabled and puppet server restarted
+ #before this exec can complete. Gating on the token file
+ #ensures at least one run has completed
+ if $::code_manager_mv_old_code and !empty($rbac_token_file_contents) {
+
+ $timestamp = chomp(generate('/bin/date', '+%Y%d%m_%H:%M:%S'))
+
+ exec { 'mv files out of $environmentpath' :
+ command => "mkdir /etc/puppetlabs/env_back_${timestamp};
+ mv ${::settings::codedir}/environments/* /etc/puppetlabs/env_back_${timestamp}/;
+ rm /opt/puppetlabs/facter/facts.d/code_manager_mv_old_code.txt;
+ TOKEN=`/opt/puppetlabs/puppet/bin/ruby -e \"require 'json'; puts JSON.parse(File.read('${token_filename}'))['token']\"`;
+ /opt/puppetlabs/puppet/bin/curl -k -X POST -H 'Content-Type: application/json' \"https://${::trusted['certname']}:8170/code-manager/v1/deploys?token=\$TOKEN\" -d '{\"environments\": [\"${::environment}\"], \"wait\": true}';
+ /opt/puppetlabs/puppet/bin/curl -k -X POST -H 'Content-Type: application/json' \"https://${::trusted['certname']}:8170/code-manager/v1/deploys?token=\$TOKEN\" -d '{\"deploy-all\": true, \"wait\": true}';
+ sleep 15",
+ path => $::path,
+ logoutput => true,
+ require => Exec["Generate Token for ${code_manager_service_user}"],
+ }
+ }
+
+ if !empty($gms_api_token) {
+ if $authenticate_webhook and !empty($rbac_token_file_contents) {
+
+ $rbac_token = parsejson($rbac_token_file_contents)['token']
+
+ $token_info = "&token=${rbac_token}"
+ }
+ else {
+ $token_info = ''
+ }
+
+ $code_manager_webhook_type = $git_management_system ? {
+ 'gitlab' => 'github',
+ default => $git_management_system,
+ }
+
+ git_deploy_key { "add_deploy_key_to_puppet_control-${::fqdn}":
+ ensure => present,
+ name => $::fqdn,
+ path => "${code_manager_ssh_key_file}.pub",
+ token => $gms_api_token,
+ project_name => 'puppet/control-repo',
+ server_url => hiera('gms_server_url'),
+ provider => $git_management_system,
+ }
+
+ git_webhook { "code_manager_post_receive_webhook-${::fqdn}" :
+ ensure => present,
+ webhook_url => "https://${::fqdn}:8170/code-manager/v1/webhook?type=${code_manager_webhook_type}${token_info}",
+ token => $gms_api_token,
+ project_name => 'puppet/control-repo',
+ server_url => hiera('gms_server_url'),
+ provider => $git_management_system,
+ disable_ssl_verify => true,
+ }
+ }
+}
diff --git a/site/profile/manifests/git_webhook/zack_r10k_webhook.pp b/site/profile/manifests/git_webhook/zack_r10k_webhook.pp
new file mode 100644
index 0000000..ed05282
--- /dev/null
+++ b/site/profile/manifests/git_webhook/zack_r10k_webhook.pp
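Review bot: The RBAC token produced by the `Generate Token` exec is written into `$token_directory` with whatever mode the shell's umask yields, and neither `file { $token_directory }` nor the token file sets a `mode`, so a token for a user holding Deploy Environments may end up readable by other local accounts; `mode => '0700',` on the directory, plus a `file` resource for `$token_filename` with `mode => '0600'` that requires the exec (so it never pre-creates an empty file satisfying `creates`), closes that. The same exec puts `$code_manager_service_user_password` on the rendered curl command line, where it is visible in the process table while it runs and in any debug log of the run; passing the JSON body from a root-owned file (`-d @file`) avoids both. The `curl -k` calls to the RBAC and code-manager endpoints on the master itself could verify with `--cacert ${::settings::certdir}/ca.pem` instead of disabling verification. Separately, the comment names the function `puppet_master_classifier_settings` while the call is `puppet_master_classifer_settings()`; if the function is actually spelled the former way this line fails to resolve.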
@@ -0,0 +1,58 @@
+class profile::git_webhook::zack_r10k_webhook (
+ $use_mcollective = false,
+) {
+
+ $username = hiera('webhook_username', fqdn_rand_string(10, '', 'username'))
+ $password = hiera('webhook_password', fqdn_rand_string(20, '', 'password'))
+
+ $gms_api_token = hiera('gms_api_token', undef)
+ $git_management_system = hiera('git_management_system', undef)
+
+ if $use_mcollective {
+ class { 'r10k::mcollective':
+ notify => Service['mcollective'],
+ }
+ }
+
+ class {'r10k::webhook::config':
+ enable_ssl => true,
+ protected => true,
+ user => $username,
+ pass => $password,
+ use_mcollective => $use_mcollective,
+ }
+
+ class {'r10k::webhook':
+ user => 'root',
+ group => '0',
+ require => Class['r10k::webhook::config'],
+ }
+
+ $r10k_ssh_key_file = '/root/.ssh/r10k_rsa'
+ exec { 'create r10k ssh key' :
+ command => "/usr/bin/ssh-keygen -t rsa -b 2048 -C 'r10k' -f ${r10k_ssh_key_file} -q -N ''",
+ creates => $r10k_ssh_key_file,
+ }
+
+ if !empty($gms_api_token) {
+ git_deploy_key { "add_deploy_key_to_puppet_control-${::fqdn}":
+ ensure => present,
+ name => $::fqdn,
+ path => "${r10k_ssh_key_file}.pub",
+ token => $gms_api_token,
+ project_name => 'puppet/control-repo',
+ server_url => hiera('gms_server_url'),
+ provider => $git_management_system,
+ }
+
+ git_webhook { "web_post_receive_webhook-${::fqdn}" :
+ ensure => present,
+ webhook_url => "https://${username}:${password}@${::fqdn}:8088/payload",
+ token => $gms_api_token,
+ project_name => 'puppet/control-repo',
+ server_url => hiera('gms_server_url'),
+ provider => $git_management_system,
+ disable_ssl_verify => true,
+ }
+ }
+}
diff --git a/site/profile/manifests/zack_r10k_webhook.pp b/site/profile/manifests/zack_r10k_webhook.pp
deleted file mode 100644
index 0ab4da2..0000000
--- a/site/profile/manifests/zack_r10k_webhook.pp
+++ /dev/null
@@ -1,58 +0,0 @@ -class profile::zack_r10k_webhook ( - $use_mcollective = false, -) { - - $username = hiera('webhook_username', fqdn_rand_string(10, '', 'username')) - $password = hiera('webhook_password', fqdn_rand_string(20, '', 'password')) - - $gms_api_token = hiera('gms_api_token', undef) - $git_management_system = hiera('git_management_system', undef) - - if $use_mcollective { - class { 'r10k::mcollective': - notify => Service['mcollective'], - } - } - - class {'r10k::webhook::config': - enable_ssl => true, - protected => true, - user => $username, - pass => $password, - use_mcollective => $use_mcollective, - } - - class {'r10k::webhook': - user => 'root', - group => '0', - require => Class['r10k::webhook::config'], - } - - $r10k_ssh_key_file = '/root/.ssh/r10k_rsa' - exec { 'create r10k ssh key' : - command => "/usr/bin/ssh-keygen -t rsa -b 2048 -C 'r10k' -f ${r10k_ssh_key_file} -q -N ''", - creates => $r10k_ssh_key_file, - } - - if !empty($gms_api_token) { - git_deploy_key { "add_deploy_key_to_puppet_control-${::fqdn}": - ensure => present, - name => $::fqdn, - path => "${r10k_ssh_key_file}.pub", - token => $gms_api_token, - project_name => 'puppet/control-repo', - server_url => hiera('gms_server_url'), - provider => $git_management_system, - } - - git_webhook { "web_post_receive_webhook-${::fqdn}" : - ensure => present, - webhook_url => "https://${username}:${password}@${::fqdn}:8088/payload", - token => $gms_api_token, - project_name => 'puppet/control-repo', - server_url => hiera('gms_server_url'), - provider => $git_management_system, - disable_ssl_verify => true, - } - } -} diff --git a/site/profile/templates/code_manager/create_rbac_token.epp b/site/profile/templates/code_manager/create_rbac_token.epp deleted file mode 100644 index 31bf00f..0000000 --- a/site/profile/templates/code_manager/create_rbac_token.epp +++ /dev/null 
@@ -1,7 +0,0 @@ -<%- | String $code_manager_service_user, - String $code_manager_service_user_password, - String $classifier_hostname, - Integer $classifier_port, - String $token_filename -| -%> -/opt/puppetlabs/puppet/bin/curl -k -X POST -H 'Content-Type: application/json' -d '{"login": "<%= $code_manager_service_user %>", "password": "<%= $code_manager_service_user_password %>", "lifetime": "0"}' https://<%= $classifier_hostname %>:<%= $classifier_port %>/rbac-api/v1/auth/token >> <%= $token_filename %> diff --git a/site/profile/templates/git_webhook/code_manager/create_rbac_token.epp b/site/profile/templates/git_webhook/code_manager/create_rbac_token.epp new file mode 100644 index 0000000..31bf00f --- /dev/null +++ b/site/profile/templates/git_webhook/code_manager/create_rbac_token.epp @@ -0,0 +1,7 @@ +<%- | String $code_manager_service_user, + String $code_manager_service_user_password, + String $classifier_hostname, + Integer $classifier_port, + String $token_filename +| -%> +/opt/puppetlabs/puppet/bin/curl -k -X POST -H 'Content-Type: application/json' -d '{"login": "<%= $code_manager_service_user %>", "password": "<%= $code_manager_service_user_password %>", "lifetime": "0"}' https://<%= $classifier_hostname %>:<%= $classifier_port %>/rbac-api/v1/auth/token >> <%= $token_filename %> diff --git a/site/role/manifests/all_in_one_pe.pp b/site/role/manifests/all_in_one_pe.pp index a8152b1..9e93155 100644 --- a/site/role/manifests/all_in_one_pe.pp +++ b/site/role/manifests/all_in_one_pe.pp @@ -1,6 +1,6 @@ class role::all_in_one_pe { include profile::puppetmaster - include profile::code_manager + include profile::git_webhook } -- cgit v1.2.3 From ec7a8d81a65051503e9f27e142f29b187327959b Mon Sep 17 00:00:00 2001 
From: Nick Walker
Date: Mon, 21 Dec 2015 15:52:15 -0800
Subject: Add functionality to disable the zack/r10k webhook
Prior to this commit, if you upgraded from a previous version of the control-repo both code manager and zack/r10k webhook would be running and ready to receive data. This can present problems if the webhook isn't disbled in the git management system is sending data to both receivers. This commit adds rudimentary ability to break the zack/r10k webhook so it can't receive data.
---
site/profile/manifests/git_webhook.pp | 1 +
.../manifests/git_webhook/zack_r10k_webhook_disable.pp | 14 ++++++++++++++
2 files changed, 15 insertions(+)
create mode 100644 site/profile/manifests/git_webhook/zack_r10k_webhook_disable.pp
(limited to 'site/profile')
diff --git a/site/profile/manifests/git_webhook.pp b/site/profile/manifests/git_webhook.pp
index a46d4ea..12ef786 100644
--- a/site/profile/manifests/git_webhook.pp
+++ b/site/profile/manifests/git_webhook.pp
@@ -6,6 +6,7 @@ class profile::git_webhook (
 include profile::git_webhook::zack_r10k_webhook
 } else {
 include profile::git_webhook::code_manager
+ include profile::git_webhook::zack_r10k_webhook_disable
 }
 }
diff --git a/site/profile/manifests/git_webhook/zack_r10k_webhook_disable.pp b/site/profile/manifests/git_webhook/zack_r10k_webhook_disable.pp
new file mode 100644
index 0000000..ec54fc6
--- /dev/null
+++ b/site/profile/manifests/git_webhook/zack_r10k_webhook_disable.pp
@@ -0,0 +1,14 @@
+class profile::git_webhook::zack_r10k_webhook_disable {
+
+ file { '/etc/webhook.yaml' :
+ ensure => absent,
+ notify => Exec['stop and disable webhook service'],
+ }
+
+ exec { 'stop and disable webhook service' :
+ command => '/opt/puppetlabs/puppet/bin/puppet resource service webhook ensure=stopped enable=false',
+ logoutput => true,
+ refreshonly => true,
+ }
+
+}
-- cgit v1.2.3
From ad00dd7a9a5e06d1aadbd68043979d4e060b6c04 Mon Sep 17 00:00:00 2001
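Review bot: With `refreshonly => true` the stop/disable exec in zack_r10k_webhook_disable.pp fires only on the single run that removes `/etc/webhook.yaml`; if that command fails, or the `webhook` service is re-enabled later, nothing re-applies the stopped state and the old receiver is reachable again. If the service unit is present on every host that takes the code-manager branch, a plain `service { 'webhook': ensure => stopped, enable => false, }` is idempotent and replaces the exec; if the unit may be absent on fresh installs, keep the exec but say so above it, e.g. `# one-shot: runs only when /etc/webhook.yaml is removed; not re-applied if the service is re-enabled`. The profile::git_webhook hunk that shares this line only adds the include and needs no change.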
From: Nick Walker Date: Mon, 21 Dec 2015 17:47:05 -0800 Subject: Add an exec to create the Deploy Environments RBAC Role Prior to this commit there was a requirement for the user of this repo to create a RBAC role in order for code manager to work. After this commit an exec statement will curl the RBAC API to create the role one time and hopefully it works otherwise the exec will not run again. --- README.md | 10 ++------- site/profile/manifests/git_webhook/code_manager.pp | 24 +++++++++++++++++++++- 2 files changed, 25 insertions(+), 9 deletions(-) (limited to 'site/profile') diff --git a/README.md b/README.md index ed90d4f..9818554 100644 --- a/README.md +++ b/README.md @@ -25,7 +25,7 @@ Table of Contents This control repo and the steps below are intended to be used during a new installation of PE. -This control repo has only been tested against PE2015.2.z, it's likely close to working on PE3.8.z but has not been tested. +This control repo has only been tested against PE2015.2.z and PE2015.3.z. It is likely close to working on PE3.8.z but has not been tested. If you intend to use it on an existing installation then be warned that if you've already written or downloaded modules when you start using r10k it will remove all of the existing modules and replace them with what you define in your Puppetfile. Please copy or move your existing modules to another directory to ensure you do not lose any work you've already started. 
@@ -144,13 +144,7 @@ So, we'll set up a deploy key in the git server that will allow a ssh-key we mak - Paste in the public key from above - `cat /etc/puppetlabs/puppetserver/code_manager.key.pub` 3. Login to the PE console -4. Select Access Control in the left hand panel -5. On the User Roles page, add a new role called `Deploy Environments` - - NOTE: Make sure to name it exactly as I have because the puppet code expects that exact name -6. After creating the role click through and select the permissions tab - - Add Puppet Environment type, Deploy Code permission, and All object - - Add Tokens type, override default expiry permission -7. Still in the PE Console, navigate to the Classification page +7. Navigate to the Classification page - Click on the PE Master group - Click the Classes tab - Add the `puppet_enterprise::profile::master` diff --git a/site/profile/manifests/git_webhook/code_manager.pp b/site/profile/manifests/git_webhook/code_manager.pp index 60cabf4..7470e1c 100644 --- a/site/profile/manifests/git_webhook/code_manager.pp +++ b/site/profile/manifests/git_webhook/code_manager.pp 
@@ -35,13 +35,35 @@ class profile::git_webhook::code_manager {
 unless => "/usr/bin/test \$(stat -c %U ${::settings::codedir}/environments/production) = 'pe-puppet'",
 }
+ $code_manager_role_name = 'Deploy Environments'
+ $create_role_creates_file = '/etc/puppetlabs/puppetserver/.puppetlabs/deploy_environments_created'
+ $create_role_curl = @(EOT)
+ /opt/puppetlabs/puppet/bin/curl -k -X POST -H 'Content-Type: application/json' \
+ https://<%= $::trusted['certname'] %>:4433/rbac-api/v1/roles \
+ -d '{"permissions": [{"object_type": "environment", "action": "deploy_code", "instance": "*"},
+ {"object_type": "tokens", "action": "override_lifetime", "instance": "*"}],"user_ids": [], "group_ids": [], "display_name": "<%= $code_manager_role_name %>", "description": ""}' \
+ --cert <%= $::settings::certdir %>/<%= $::trusted['certname'] %>.pem \
+ --key <%= $::settings::privatekeydir %>/<%= $::trusted['certname'] %>.pem \
+ --cacert <%= $::settings::certdir %>/ca.pem;
+ touch <%= $create_role_creates_file %>
+ | EOT
+
+ exec { 'create deploy environments role' :
+ command => inline_epp( $create_role_curl ),
+ creates => $create_role_creates_file,
+ logoutput => true,
+ path => $::path,
+ require => File[$token_directory],
+ }
+
 rbac_user { $code_manager_service_user :
 ensure => 'present',
 name => $code_manager_service_user,
 email => "${code_manager_service_user}@example.com",
 display_name => 'Code Manager Service Account',
 password => $code_manager_service_user_password,
- roles => [ 'Deploy Environments' ],
+ roles => [ $code_manager_role_name ],
+ require => Exec['create deploy environments role'],
 }
 file { $token_directory :
-- cgit v1.2.3
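Review bot: In the `$create_role_curl` heredoc the `touch <%= $create_role_creates_file %>` is chained to the curl with `;`, so the marker file is created even when the curl fails (RBAC API not yet listening, a non-2xx reply, a rejected body), after which `creates` stops the exec from ever retrying and `Rbac_user[...]` keeps failing on a role that was never created — the commit message's "hopefully it works otherwise the exec will not run again" is exactly this gap. Adding `--fail` to curl and joining with `&&` — `--cacert <%= $::settings::certdir %>/ca.pem && \` followed by `touch <%= $create_role_creates_file %>` — makes the marker mean "role created", at the cost of having to tolerate a conflict response explicitly if the marker is ever lost while the role exists. `-k` and `--cacert` are both passed; `-k` switches off the verification `--cacert` sets up, so `-k` should go. profile::git_webhook::code_manager begins and ends outside this hunk.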