From 24aa475d20c413aa3d2925a110be767176989ef3 Mon Sep 17 00:00:00 2001 From: Nick Walker Date: Wed, 27 May 2015 15:02:50 -0700 Subject: Add a site directory with example role and profile module --- site/profile/manifests/base.pp | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 site/profile/manifests/base.pp (limited to 'site/profile') diff --git a/site/profile/manifests/base.pp b/site/profile/manifests/base.pp new file mode 100644 index 0000000..ae85e65 --- /dev/null +++ b/site/profile/manifests/base.pp @@ -0,0 +1,5 @@ +class profile::base { + + #the base profile should include component modules that will be on all nodes + +} -- cgit v1.2.3 From 437433ff44cd77915a4a7b1d61d7aa624c44b41a Mon Sep 17 00:00:00 2001 From: Nick Walker Date: Mon, 3 Aug 2015 14:44:35 -0700 Subject: Remove hiera.yaml and instead manage it with puppet code Added hunner/hiera to the Puppetfile and a manifest to use it instead of placing a hiera.yaml in the repo. --- Puppetfile | 5 +++++ hiera.yaml | 9 --------- site/profile/manifests/puppetmaster.pp | 14 ++++++++++++++ 3 files changed, 19 insertions(+), 9 deletions(-) delete mode 100644 hiera.yaml create mode 100644 site/profile/manifests/puppetmaster.pp (limited to 'site/profile') diff --git a/Puppetfile b/Puppetfile index bba46dd..fde9831 100644 --- a/Puppetfile +++ b/Puppetfile @@ -15,6 +15,11 @@ mod "saz/ssh", :latest # Modules from Github using various references # Further examples: https://github.com/puppetlabs/r10k/blob/master/doc/puppetfile.mkd#examples +# update the tag to the most current release when implementing +mod 'hiera', + :git => 'https://github.com/hunner/puppet-hiera', + :tag => '1.3.1' + #mod 'notifyme', # :git => 'git://github.com/glarizza/puppet-notifyme', # :ref => '50c01703b2e3e352520a9a2271ea4947fe17a51f' diff --git a/hiera.yaml b/hiera.yaml deleted file mode 100644 index bc98555..0000000 --- a/hiera.yaml +++ /dev/null 
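Review bot: `:tag => '1.3.1'` pins the hunner/hiera module to a git tag, and a tag on a third-party GitHub repository can be moved or deleted by its owner, so what r10k deploys onto the master's code path is not fixed by this line. For a module pulled straight from GitHub, pin a full commit sha with `:ref` instead, as the commented example just below already does (`# :ref => '50c01703b2e3e352520a9a2271ea4947fe17a51f'`), which makes the dependency reproducible and tamper-evident. The added comment `# update the tag to the most current release when implementing` invites bumping to an unreviewed version; rewording it to "review the release, then pin its commit" would keep the intent without the blanket advice.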
@@ -1,9 +0,0 @@ ---- -:backends: - - yaml -:hierarchy: - - "nodes/%{clientcert}" - - common - -:yaml: - :datadir: "/etc/puppetlabs/puppet/environments/%{environment}/hieradata" diff --git a/site/profile/manifests/puppetmaster.pp b/site/profile/manifests/puppetmaster.pp new file mode 100644 index 0000000..8242110 --- /dev/null +++ b/site/profile/manifests/puppetmaster.pp @@ -0,0 +1,14 @@ +class profile::puppetmaster { + + class { 'hiera': + hierarchy => [ + "nodes/%{::trusted.certname}", + :common", + ], + hiera_yaml => '/etc/puppetlabs/code/hiera.yaml', + datadir => "/etc/puppetlabs/code/environments/%{environment}/hieradata", + owner => 'root', + group => 'root', + } + +} -- cgit v1.2.3 From 70690333eedbb28b3f286912e6d9749b4a7e2618 Mon Sep 17 00:00:00 2001 From: Nick Walker Date: Thu, 13 Aug 2015 15:41:11 -0700 Subject: Fix some quoting issues and add role:: to the include in site.pp --- manifests/site.pp | 2 +- site/profile/manifests/puppetmaster.pp | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) (limited to 'site/profile') diff --git a/manifests/site.pp b/manifests/site.pp index cc02727..5ba0af4 100644 --- a/manifests/site.pp +++ b/manifests/site.pp @@ -41,7 +41,7 @@ node default { #incude a role on any node that specifies it's role via a trusted fact at provision time #https://docs.puppetlabs.com/puppet/latest/reference/lang_facts_and_builtin_vars.html#trusted-facts #https://docs.puppetlabs.com/puppet/latest/reference/ssl_attributes_extensions.html#aws-attributes-and-extensions-population-example - include $trusted['extensions']['pp_role'] + include "role::${trusted['extensions']['pp_role']}" # This is where you can declare classes for all nodes. # Example: diff --git a/site/profile/manifests/puppetmaster.pp b/site/profile/manifests/puppetmaster.pp index 8242110..b22500c 100644 --- a/site/profile/manifests/puppetmaster.pp +++ b/site/profile/manifests/puppetmaster.pp 
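Review bot: The new `include "role::${trusted['extensions']['pp_role']}"` breaks catalog compilation for any node whose certificate lacks the `pp_role` extension, because the interpolation then yields the class name `role::` and Puppet rejects it; the previous `include $trusted['extensions']['pp_role']` presumably failed on an undef value as well, but every node that reaches `node default` now depends on the extension. Guard it and decide explicitly what a role-less node gets, e.g. `if $trusted['extensions']['pp_role'] {` / `  include "role::${trusted['extensions']['pp_role']}"` / `}`. Deriving the included class from a trusted certificate extension rather than an agent-supplied fact is the right choice here, since only the CSR the CA signed can set it. The enclosing `node default` block starts before this hunk.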
@@ -2,11 +2,11 @@ class profile::puppetmaster { class { 'hiera': hierarchy => [ - "nodes/%{::trusted.certname}", - :common", + "\"nodes/%{::trusted.certname}\"", + "common", ], hiera_yaml => '/etc/puppetlabs/code/hiera.yaml', - datadir => "/etc/puppetlabs/code/environments/%{environment}/hieradata", + datadir => "\"/etc/puppetlabs/code/environments/%{environment}/hieradata\"", owner => 'root', group => 'root', } -- cgit v1.2.3 From 6a78949ca8b24fd0e655b34cfc1406d967fe6e26 Mon Sep 17 00:00:00 2001 From: Nick Walker Date: Thu, 13 Aug 2015 17:10:55 -0700 Subject: Fix some incorrect quoting in the hiera class I thought I needed to double quote items that had interpolated variables but it turns out I don't need to which is good because I effectively can't due to .to_yaml not doing what I wanted it to do. --- site/profile/manifests/puppetmaster.pp | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'site/profile') diff --git a/site/profile/manifests/puppetmaster.pp b/site/profile/manifests/puppetmaster.pp index b22500c..2747d40 100644 --- a/site/profile/manifests/puppetmaster.pp +++ b/site/profile/manifests/puppetmaster.pp @@ -2,11 +2,11 @@ class profile::puppetmaster { class { 'hiera': hierarchy => [ - "\"nodes/%{::trusted.certname}\"", - "common", + 'nodes/%{::trusted.certname}', + 'common', ], hiera_yaml => '/etc/puppetlabs/code/hiera.yaml', - datadir => "\"/etc/puppetlabs/code/environments/%{environment}/hieradata\"", + datadir => '/etc/puppetlabs/code/environments/%{environment}/hieradata\', owner => 'root', group => 'root', } -- cgit v1.2.3 From 6425d2bbe2759ba2bbbf75131f9abdd0a5e675df Mon Sep 17 00:00:00 2001 From: Nick Walker Date: Fri, 14 Aug 2015 10:41:03 -0700 Subject: Remove extraneous slash from puppetmaster profile --- site/profile/manifests/puppetmaster.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'site/profile') 
diff --git a/site/profile/manifests/puppetmaster.pp b/site/profile/manifests/puppetmaster.pp index 2747d40..7bd9bea 100644 --- a/site/profile/manifests/puppetmaster.pp +++ b/site/profile/manifests/puppetmaster.pp @@ -6,7 +6,7 @@ class profile::puppetmaster { 'common', ], hiera_yaml => '/etc/puppetlabs/code/hiera.yaml', - datadir => '/etc/puppetlabs/code/environments/%{environment}/hieradata\', + datadir => '/etc/puppetlabs/code/environments/%{environment}/hieradata', owner => 'root', group => 'root', } -- cgit v1.2.3 From ab679260c6d04f08d70cda5b452c2accfeceac35 Mon Sep 17 00:00:00 2001 From: Nick Walker Date: Fri, 14 Aug 2015 16:17:25 -0700 Subject: Add a gitlab profile / add ssh-keygen to puppetmaster profile --- site/profile/manifests/gitlab.pp | 7 +++++++ site/profile/manifests/puppetmaster.pp | 38 ++++++++++++++++++++++++++++++++++ 2 files changed, 45 insertions(+) create mode 100644 site/profile/manifests/gitlab.pp (limited to 'site/profile') diff --git a/site/profile/manifests/gitlab.pp b/site/profile/manifests/gitlab.pp new file mode 100644 index 0000000..720ee7f --- /dev/null +++ b/site/profile/manifests/gitlab.pp @@ -0,0 +1,7 @@ +class profile::gitlab { + + class { 'gitlab': + external_url => hiera( 'gms_server_url', "http://${::fqdn}") , + } + +} diff --git a/site/profile/manifests/puppetmaster.pp b/site/profile/manifests/puppetmaster.pp index 7bd9bea..1b00bdf 100644 --- a/site/profile/manifests/puppetmaster.pp +++ b/site/profile/manifests/puppetmaster.pp 
@@ -11,4 +11,42 @@ class profile::puppetmaster { group => 'root', } + ##BEGIN - r10k webhook support + include r10k::mcollective + + include r10k::webhook::config + + class {'r10k::webhook': + user => 'root', + group => '0', + require => Class['r10k::webhook::config'], + } + ##END - r10k webhook support + + #BEGIN - Generate an SSH key for r10k to connect to git + $r10k_ssh_key_file = '/root/.ssh/r10k_rsa' + exec { 'create r10k ssh key' : + command => "/usr/bin/ssh-keygen -t rsa -b 2048 -C 'r10k' -f ${r10k_ssh_key_file} -q -N ''", + creates => $r10k_ssh_key_file, + } + #END - Generate an SSH key for r10k to connect to git + + #BEGIN - Add deploy key to git management system + $git_management_system = hiera('git_management_system', '') + + if $git_management_system in ['gitlab', 'github'] { + + git_deploy_key { "add_deploy_key_to_puppet_control-${fqdn}": + ensure => present, + name => $::fqdn, + path => "${r10k_ssh_key_file}.pub", + token => hiera('gms_api_token'), + project_name => 'puppet/control', + server_url => hiera('gms_server_url'), + provider => $git_management_system, + } + + } + #END - Add deploy key to git management system + } -- cgit v1.2.3 From 1525bf59548068834a897d54a1f84cee117676b8 Mon Sep 17 00:00:00 2001 From: Nick Walker Date: Mon, 17 Aug 2015 14:00:21 -0700 Subject: Add webhook config to git management system --- site/profile/manifests/puppetmaster.pp | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) (limited to 'site/profile') diff --git a/site/profile/manifests/puppetmaster.pp b/site/profile/manifests/puppetmaster.pp index 1b00bdf..20a4416 100644 --- a/site/profile/manifests/puppetmaster.pp +++ b/site/profile/manifests/puppetmaster.pp 
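Review bot: `exec { 'create r10k ssh key' }` assumes `/root/.ssh` already exists; ssh-keygen does not create the parent directory, so on a freshly provisioned master the exec fails until something else creates it. Manage it ahead of the exec, `file { '/root/.ssh': ensure => directory, owner => 'root', mode => '0700', before => Exec['create r10k ssh key'] }`, which also pins the directory permissions that the passphrase-less (`-N ''`) deploy key depends on. The `r10k::webhook` class is declared with `user => 'root'` and `group => '0'`, so a network-reachable listener runs with full privileges; a dedicated service account that is allowed to run `r10k deploy` would follow least privilege, and the same settings are carried into `webhook_mcollective.pp` and `webhook_no_mcollective.pp` later in this series. `profile::puppetmaster` starts before this hunk.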
@@ -31,7 +31,7 @@ class profile::puppetmaster { } #END - Generate an SSH key for r10k to connect to git - #BEGIN - Add deploy key to git management system + #BEGIN - Add deploy key and webook to git management system $git_management_system = hiera('git_management_system', '') if $git_management_system in ['gitlab', 'github'] { @@ -46,7 +46,16 @@ class profile::puppetmaster { provider => $git_management_system, } + git_webhook { 'web_post_receive_webhook' : + ensure => present, + webhook_url => "http://${fqdn}:8088/payload", + token => hiera('gms_api_token'), + project_name => 'puppet/control', + server_url => hiera('gms_server_url'), + provider => $git_management_system, + } + } - #END - Add deploy key to git management system + #END - Add deploy key and webhook to git management system } -- cgit v1.2.3 From 184cf7e80e1c1585e6365181e8b6528bcee32977 Mon Sep 17 00:00:00 2001 From: Nick Walker Date: Mon, 17 Aug 2015 15:45:22 -0700 Subject: Change default gitlab url to be https instead of http --- site/profile/manifests/gitlab.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'site/profile') diff --git a/site/profile/manifests/gitlab.pp b/site/profile/manifests/gitlab.pp index 720ee7f..e8cc2fd 100644 --- a/site/profile/manifests/gitlab.pp +++ b/site/profile/manifests/gitlab.pp @@ -1,7 +1,7 @@ class profile::gitlab { class { 'gitlab': - external_url => hiera( 'gms_server_url', "http://${::fqdn}") , + external_url => hiera( 'gms_server_url', "https://${::fqdn}") , } } -- cgit v1.2.3 From 246626e6394c444f661692ac8c0e7e590a5da226 Mon Sep 17 00:00:00 2001 From: Nick Walker Date: Tue, 18 Aug 2015 13:53:21 -0700 Subject: Copy agent certs into Gitlab directory for Gitlab SSL --- site/profile/manifests/gitlab.pp | 13 +++++++++++++ 1 file changed, 13 insertions(+) (limited to 'site/profile') diff --git a/site/profile/manifests/gitlab.pp b/site/profile/manifests/gitlab.pp index e8cc2fd..f4b5bfe 100644 --- a/site/profile/manifests/gitlab.pp 
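Review bot: `webhook_url => "http://${fqdn}:8088/payload"` registers a plaintext endpoint with the git server, so each deploy trigger (and whatever the GMS attaches to the request) crosses the network unencrypted and the caller cannot authenticate the master; the later `enable_ssl => false` in `webhook_no_mcollective.pp` is the matching listener setting. Since `gms_server_url` is https elsewhere in this series, prefer `webhook_url => "https://${fqdn}:8088/payload"` with SSL enabled on the listener, or at least restrict port 8088 to the git server's address. On style, `token => hiera('gms_api_token')` and `server_url => hiera('gms_server_url')` are now duplicated between `git_deploy_key` and `git_webhook`; hoisting them into locals next to `$git_management_system` keeps the lookups in one place. `profile::puppetmaster` starts before and ends after this hunk.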
+++ b/site/profile/manifests/gitlab.pp @@ -1,7 +1,20 @@ class profile::gitlab { + file { "/etc/gitlab/ssl/${fqdn}.key" : + ensure => file, + source => "${settings::privatekeydir}/${trusted['certname']}.pem", + notify => Exec['gitlab_reconfigure'], + } + + file { "/etc/gitlab/ssl/${fqdn}.crt" : + ensure => file, + source => "${settings::certdir}/${trusted['certname']}.pem", + notify => Exec['gitlab_reconfigure'], + } + class { 'gitlab': external_url => hiera( 'gms_server_url', "https://${::fqdn}") , + require => File["/etc/gitlab/ssl/${fqdn}.key", "/etc/gitlab/ssl/${fqdn}.key"], } } -- cgit v1.2.3 From 0af9bbf52d7283902141f05da3c642dcd2d64231 Mon Sep 17 00:00:00 2001 From: Nick Walker Date: Tue, 18 Aug 2015 14:01:20 -0700 Subject: Move some hieradata around for easier testing in vagrant I now have a virtual hierarchy level for setting up my lower memory settings when using vagrant/virtualbox. The gms settings are in an example-puppet-master.yaml file in the nodes directory which are needed for the instructions. --- hieradata/nodes/example-puppet-master.yaml | 4 +++ hieradata/nodes/puppet-master.yaml | 42 ------------------------------ hieradata/virtual/virtualbox.yaml | 42 ++++++++++++++++++++++++++++++ site/profile/manifests/puppetmaster.pp | 1 + 4 files changed, 47 insertions(+), 42 deletions(-) create mode 100644 hieradata/nodes/example-puppet-master.yaml delete mode 100644 hieradata/nodes/puppet-master.yaml create mode 100644 hieradata/virtual/virtualbox.yaml (limited to 'site/profile') diff --git a/hieradata/nodes/example-puppet-master.yaml b/hieradata/nodes/example-puppet-master.yaml new file mode 100644 index 0000000..677e10d --- /dev/null +++ b/hieradata/nodes/example-puppet-master.yaml @@ -0,0 +1,4 @@ +--- +git_management_system: 'gitlab' +gms_server_url: 'https://gitlab-server' +gms_api_token: 'BDkZfWWnk4LVTLHdAywd' diff --git a/hieradata/nodes/puppet-master.yaml b/hieradata/nodes/puppet-master.yaml deleted file mode 100644 index ba1a8ad..0000000 
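Review bot: The `require` on the `gitlab` class lists `"/etc/gitlab/ssl/${fqdn}.key"` twice and never names the `.crt` resource, so the certificate is not ordered before gitlab is configured; the second entry should read `File["/etc/gitlab/ssl/${fqdn}.crt"]`. The `.key` resource copies the agent's private key out of `${settings::privatekeydir}` with no explicit `owner` or `mode`, so set `mode => '0600'` rather than relying on defaults, and note that this reuses the node's Puppet client identity key as the web server's TLS key — a compromise of the GitLab web tier then also yields that node's Puppet credential, and a Puppet-CA-issued certificate is not trusted by browsers anyway. `Exec['gitlab_reconfigure']` is not declared in this file; presumably the gitlab module provides it, which is worth confirming.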
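Review bot: `gms_api_token: 'BDkZfWWnk4LVTLHdAywd'` puts a token-shaped secret in plaintext into a file that is committed to the repository, and this is the value `git_deploy_key`/`git_webhook` in `puppetmaster.pp` read via `hiera('gms_api_token')`. Even in an example node file this is the pattern users copy; replace it with an obvious placeholder such as `gms_api_token: 'REPLACE_WITH_YOUR_TOKEN'` and reference an encrypted backend (hiera-eyaml or similar) for the real value. If this string was ever a live token it should be treated as exposed and revoked, since it now lives in git history.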
--- a/hieradata/nodes/puppet-master.yaml +++ /dev/null @@ -1,42 +0,0 @@ -#These setting are intended for low memory testing VMs -#Not intended for general usage ---- -#Drop puppetdb Java Heap Size -#PE3.2 and above -pe_puppetdb::pe::java_args: - -Xmx: '256m' - -Xms: '64m' -#PE3.1 and below -pe_puppetdb::java_args: - -Xmx: '256m' - -Xms: '64m' -#Drop the activemq java heap size -pe_mcollective::role::master::activemq_heap_mb: '96' -#Allow access to the puppetdb performance dashboard from non-localhost -#This is insecure and also allows access to all API endpoints without verification -pe_puppetdb::pe::listen_address: '0.0.0.0' - -#PE3.7+ -#Allow access to the puppetdb performance dashboard from non-localhost -#This is insecure and also allows access to all API endpoints without verification -puppet_enterprise::profile::puppetdb::listen_address: '0.0.0.0' -puppet_enterprise::profile::amq::broker::heap_mb: '96' -puppet_enterprise::profile::master::java_args: - Xmx: '128m' - Xms: '128m' - 'XX:MaxPermSize': '=96m' - 'XX:PermSize': '=64m' -puppet_enterprise::profile::puppetdb::java_args: - Xmx: '64m' - Xms: '64m' - 'XX:MaxPermSize': '=96m' - 'XX:PermSize': '=64m' -puppet_enterprise::profile::console::java_args: - Xmx: '64m' - Xms: '64m' - 'XX:MaxPermSize': '=96m' - 'XX:PermSize': '=64m' -puppet_enterprise::master::puppetserver::jruby_max_active_instances: 1 #PE3.7.2 only -puppet_enterprise::profile::console::delayed_job_workers: 1 -#shared_buffers takes affect during install but is not managed after -puppet_enterprise::profile::database::shared_buffers: '4MB' diff --git a/hieradata/virtual/virtualbox.yaml b/hieradata/virtual/virtualbox.yaml new file mode 100644 index 0000000..ba1a8ad --- /dev/null +++ b/hieradata/virtual/virtualbox.yaml 
@@ -0,0 +1,42 @@ +#These setting are intended for low memory testing VMs +#Not intended for general usage +--- +#Drop puppetdb Java Heap Size +#PE3.2 and above +pe_puppetdb::pe::java_args: + -Xmx: '256m' + -Xms: '64m' +#PE3.1 and below +pe_puppetdb::java_args: + -Xmx: '256m' + -Xms: '64m' +#Drop the activemq java heap size +pe_mcollective::role::master::activemq_heap_mb: '96' +#Allow access to the puppetdb performance dashboard from non-localhost +#This is insecure and also allows access to all API endpoints without verification +pe_puppetdb::pe::listen_address: '0.0.0.0' + +#PE3.7+ +#Allow access to the puppetdb performance dashboard from non-localhost +#This is insecure and also allows access to all API endpoints without verification +puppet_enterprise::profile::puppetdb::listen_address: '0.0.0.0' +puppet_enterprise::profile::amq::broker::heap_mb: '96' +puppet_enterprise::profile::master::java_args: + Xmx: '128m' + Xms: '128m' + 'XX:MaxPermSize': '=96m' + 'XX:PermSize': '=64m' +puppet_enterprise::profile::puppetdb::java_args: + Xmx: '64m' + Xms: '64m' + 'XX:MaxPermSize': '=96m' + 'XX:PermSize': '=64m' +puppet_enterprise::profile::console::java_args: + Xmx: '64m' + Xms: '64m' + 'XX:MaxPermSize': '=96m' + 'XX:PermSize': '=64m' +puppet_enterprise::master::puppetserver::jruby_max_active_instances: 1 #PE3.7.2 only +puppet_enterprise::profile::console::delayed_job_workers: 1 +#shared_buffers takes affect during install but is not managed after +puppet_enterprise::profile::database::shared_buffers: '4MB' diff --git a/site/profile/manifests/puppetmaster.pp b/site/profile/manifests/puppetmaster.pp index 20a4416..95a4408 100644 --- a/site/profile/manifests/puppetmaster.pp +++ b/site/profile/manifests/puppetmaster.pp @@ -2,6 +2,7 @@ class profile::puppetmaster { class { 'hiera': hierarchy => [ + 'virtual/%{::virtual}', 'nodes/%{::trusted.certname}', 'common', ], -- cgit v1.2.3 From 01baf7695aa63041d6639e9422d86ad28e902a90 Mon Sep 17 00:00:00 2001 
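Review bot: Moving this data to `hieradata/virtual/virtualbox.yaml` binds it to every node whose `virtual` fact reports `virtualbox`, not only to the low-memory test VMs the header comment describes, and the companion `'virtual/%{::virtual}'` level added to the hierarchy in `puppetmaster.pp` in this commit is what makes that binding; because that level sits above `nodes/%{::trusted.certname}`, it also overrides per-node data. The file sets `pe_puppetdb::pe::listen_address` and `puppet_enterprise::profile::puppetdb::listen_address` to `'0.0.0.0'`, which its own comments call insecure, so any VirtualBox-hosted master picks up an unauthenticated PuppetDB listener purely by virtue of its hypervisor. Key the level on an explicit opt-in set only on test machines (a constructed custom fact such as `is_test_vm`) rather than on a hardware fact, or drop the two `listen_address` keys from this file and set them only where they are really wanted.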
From: Nick Walker Date: Tue, 18 Aug 2015 16:11:25 -0700 Subject: Update the repo name for deploy keys and webhook to match README --- site/profile/manifests/puppetmaster.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'site/profile') diff --git a/site/profile/manifests/puppetmaster.pp b/site/profile/manifests/puppetmaster.pp index 95a4408..7ae8c18 100644 --- a/site/profile/manifests/puppetmaster.pp +++ b/site/profile/manifests/puppetmaster.pp @@ -42,7 +42,7 @@ class profile::puppetmaster { name => $::fqdn, path => "${r10k_ssh_key_file}.pub", token => hiera('gms_api_token'), - project_name => 'puppet/control', + project_name => 'puppet/control-repo', server_url => hiera('gms_server_url'), provider => $git_management_system, } @@ -51,7 +51,7 @@ class profile::puppetmaster { ensure => present, webhook_url => "http://${fqdn}:8088/payload", token => hiera('gms_api_token'), - project_name => 'puppet/control', + project_name => 'puppet/control-repo', server_url => hiera('gms_server_url'), provider => $git_management_system, } -- cgit v1.2.3 From 04f3239514f39333e91b88e27908eea916ecfa75 Mon Sep 17 00:00:00 2001 From: Nick Walker Date: Tue, 25 Aug 2015 16:51:42 -0700 Subject: add modules for stash and a profile --- Puppetfile | 14 ++++---------- site/profile/manifests/stash.pp | 28 ++++++++++++++++++++++++++++ 2 files changed, 32 insertions(+), 10 deletions(-) create mode 100644 site/profile/manifests/stash.pp (limited to 'site/profile') diff --git a/Puppetfile b/Puppetfile index 10c4b3e..a220865 100644 --- a/Puppetfile +++ b/Puppetfile @@ -8,6 +8,9 @@ mod "puppetlabs/stdlib", :latest mod "puppetlabs/concat", :latest mod "puppetlabs/ntp", :latest mod "saz/ssh", :latest +mod "puppetlabs/postgresql", '4.5.0' +mod "puppetlabs/stash", '1.3.0' +mod "puppetlabs/java", '1.4.1' #An example of using a specific forge module version instead of latest #Notice the addition of single quotes 
@@ -30,13 +33,4 @@ mod 'r10k', mod 'gms', :git => 'https://github.com/abrader/abrader-gms', - :tag => '3d088c8ba8cef6d108236a8cee06ab7bedd6deeb' - -#mod 'notifyme', -# :git => 'git://github.com/glarizza/puppet-notifyme', -# :ref => '50c01703b2e3e352520a9a2271ea4947fe17a51f' - -#mod 'profiles', -# :git => 'git://github.com/glarizza/puppet-profiles', -# :ref => '3611ae4253ff01762f9bda1d93620edf8f9a3b22' - + :tag => 'bb5bcaa4e0fbeb2dae08eedb09d7eec1681a6172' diff --git a/site/profile/manifests/stash.pp b/site/profile/manifests/stash.pp new file mode 100644 index 0000000..b3298e4 --- /dev/null +++ b/site/profile/manifests/stash.pp @@ -0,0 +1,28 @@ +class profile::stash { + + class { 'java' : + version => present, + } -> + + class { 'postgresql::globals': + manage_package_repo => true, + version => '9.4', + }-> + class { 'postgresql::server': } -> + + postgresql::server::db { 'stash': + user => 'stash', + password => postgresql_password('stash', 'password'), + } -> + + class { 'stash': + javahome => '/etc/alternatives/java_sdk', + #dev.mode grants a 24-hour license for testing + java_opts => '-Datlassian.dev.mode=true', + } + + file { '/opt/puppetlabs/bin/stash_mco.rb': + source => 'puppet:///modules/r10k/stash_mco.rb', + } + +} -- cgit v1.2.3 From 0c486e2fccf762f0d1bb6aa8a800f1e67cb8e510 Mon Sep 17 00:00:00 2001 From: Nick Walker Date: Thu, 24 Sep 2015 14:59:39 -0700 Subject: Ensure /etc/gitlab/ssl exists before putting certs in it --- site/profile/manifests/gitlab.pp | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'site/profile') diff --git a/site/profile/manifests/gitlab.pp b/site/profile/manifests/gitlab.pp index f4b5bfe..c3e5f82 100644 --- a/site/profile/manifests/gitlab.pp +++ b/site/profile/manifests/gitlab.pp @@ -1,5 +1,9 @@ class profile::gitlab { + file { ['/etc/gitlab', '/etc/gitlab/ssl'] : + ensure => directory, + } + file { "/etc/gitlab/ssl/${fqdn}.key" : ensure => file, source => "${settings::privatekeydir}/${trusted['certname']}.pem", -- cgit v1.2.3 
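Review bot: `password => postgresql_password('stash', 'password')` hard-codes the Stash database password in the manifest; look it up the way `gms_api_token` is handled elsewhere in this repository, `password => postgresql_password('stash', hiera('stash_db_password'))` (a new hiera key), so it can live in an encrypted backend and be rotated without a code change. `java_opts => '-Datlassian.dev.mode=true'` enables a developer mode that the comment says grants a 24-hour license, and nothing in `profile::stash` gates it, so it is worth switching on a hiera flag so the setting cannot reach a non-test node. The `file { '/opt/puppetlabs/bin/stash_mco.rb' }` resource has no `owner` or `mode`; a file placed in a bin directory should carry an explicit `mode` (`'0755'` if it is executed directly, `'0644'` if it is only required by another script).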
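Review bot: `file { ['/etc/gitlab', '/etc/gitlab/ssl']: ensure => directory }` creates the directory that will hold the copied TLS private key with no `owner` or `mode`, so its permissions fall to whatever the agent's defaults and umask produce. Give `/etc/gitlab/ssl` an explicit restrictive mode, `owner => 'root', group => 'root', mode => '0700'`, and confirm that against what the gitlab module expects for that path; if the array form is kept, both directories share whatever attributes are set here.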
From 6ff5658a2a47cd3e6feaf20fa4083d33342e4b91 Mon Sep 17 00:00:00 2001 From: Nick Walker Date: Thu, 15 Oct 2015 12:22:45 -0700 Subject: Add some notifies to pe services after making changes --- site/profile/manifests/puppetmaster.pp | 2 ++ 1 file changed, 2 insertions(+) (limited to 'site/profile') diff --git a/site/profile/manifests/puppetmaster.pp b/site/profile/manifests/puppetmaster.pp index 7ae8c18..4fc06f2 100644 --- a/site/profile/manifests/puppetmaster.pp +++ b/site/profile/manifests/puppetmaster.pp @@ -10,6 +10,7 @@ class profile::puppetmaster { datadir => '/etc/puppetlabs/code/environments/%{environment}/hieradata', owner => 'root', group => 'root', + notify => Service['pe-puppetserver'], } ##BEGIN - r10k webhook support @@ -21,6 +22,7 @@ class profile::puppetmaster { user => 'root', group => '0', require => Class['r10k::webhook::config'], + notify => Service['mcollective'], } ##END - r10k webhook support -- cgit v1.2.3 From 1828e2162304d7d9a2e26743f175d76256b6e0c1 Mon Sep 17 00:00:00 2001 From: Nick Walker Date: Fri, 16 Oct 2015 10:53:16 -0700 Subject: Change to using the webhook without mcollective In order to complete the change I refactered the webhook into its own set of profiles, one with mcollective and the other without. --- README.md | 6 ++++-- site/profile/manifests/puppetmaster.pp | 13 ------------- site/profile/manifests/webhook_mcollective.pp | 15 +++++++++++++++ site/profile/manifests/webhook_no_mcollective.pp | 13 +++++++++++++ site/role/manifests/all_in_one_pe.pp | 1 + 5 files changed, 33 insertions(+), 15 deletions(-) create mode 100644 site/profile/manifests/webhook_mcollective.pp create mode 100644 site/profile/manifests/webhook_no_mcollective.pp (limited to 'site/profile') diff --git a/README.md b/README.md index 97d5795..2125c09 100644 --- a/README.md +++ b/README.md 
@@ -46,16 +46,18 @@ http://docs.puppetlabs.com/pe/latest/regenerate_certs_master.html - http://doc.gitlab.com/ce/workflow/groups.html 6. Create a user called `r10k_api_user` and add them to the `puppet` group + - From the landing page, select groups + - Choose the puppet group + - In the left hand pane, select memembers + - Add the `r10k_api_user` with `master` permissions 7. Add your user to the `puppet` group as well 7. Create a project called `control-repo` and set the Namespace to be the `puppet` group - - TODO: Change permissions on the group? 8. Logout of root and login as the `r10k_api_user` - Go to profile settings -> account ( https:///profile/account ) - Copy the api token - - TODO: Change permissions for this user? 9. Clone this control repository to your laptop/workstation - `git clone https://github.com/npwalker/control-repo.git` diff --git a/site/profile/manifests/puppetmaster.pp b/site/profile/manifests/puppetmaster.pp index 4fc06f2..bc52d3b 100644 --- a/site/profile/manifests/puppetmaster.pp +++ b/site/profile/manifests/puppetmaster.pp @@ -12,19 +12,6 @@ class profile::puppetmaster { group => 'root', notify => Service['pe-puppetserver'], } - - ##BEGIN - r10k webhook support - include r10k::mcollective - - include r10k::webhook::config - - class {'r10k::webhook': - user => 'root', - group => '0', - require => Class['r10k::webhook::config'], - notify => Service['mcollective'], - } - ##END - r10k webhook support #BEGIN - Generate an SSH key for r10k to connect to git $r10k_ssh_key_file = '/root/.ssh/r10k_rsa' diff --git a/site/profile/manifests/webhook_mcollective.pp b/site/profile/manifests/webhook_mcollective.pp new file mode 100644 index 0000000..395cc7a --- /dev/null +++ b/site/profile/manifests/webhook_mcollective.pp 
@@ -0,0 +1,15 @@ +class profile::webhook_mcollective { + + class { 'r10k::mcollective': + notify => Service['mcollective'], + } + + include r10k::webhook::config + + class {'r10k::webhook': + user => 'root', + group => '0', + require => Class['r10k::webhook::config'], + } + +} diff --git a/site/profile/manifests/webhook_no_mcollective.pp b/site/profile/manifests/webhook_no_mcollective.pp new file mode 100644 index 0000000..42c4954 --- /dev/null +++ b/site/profile/manifests/webhook_no_mcollective.pp @@ -0,0 +1,13 @@ +class profile::webhook_no_mcollective { + + class {'r10k::webhook::config': + use_mcollective => false, + } + + class {'r10k::webhook': + user => 'root', + group => '0', + require => Class['r10k::webhook::config'], + } + +} diff --git a/site/role/manifests/all_in_one_pe.pp b/site/role/manifests/all_in_one_pe.pp index ca99139..f34a261 100644 --- a/site/role/manifests/all_in_one_pe.pp +++ b/site/role/manifests/all_in_one_pe.pp @@ -1,5 +1,6 @@ class role::all_in_one_pe { + include profile::webhook_no_mcollective include profile::puppetmaster } -- cgit v1.2.3 From 65820675e5d02ed55c2cd3627a0d95a5ed9b6ac0 Mon Sep 17 00:00:00 2001 From: Nick Walker Date: Tue, 20 Oct 2015 21:24:44 -0700 Subject: Change the zack/r10k webhook to not authenticate --- README.md | 32 +++++++++++++++++++++++- site/profile/manifests/webhook_no_mcollective.pp | 2 ++ 2 files changed, 33 insertions(+), 1 deletion(-) (limited to 'site/profile') diff --git a/README.md b/README.md index 2125c09..2e6bc99 100644 --- a/README.md +++ b/README.md @@ -54,6 +54,8 @@ http://docs.puppetlabs.com/pe/latest/regenerate_certs_master.html 7. Add your user to the `puppet` group as well 7. Create a project called `control-repo` and set the Namespace to be the `puppet` group + - Set the permissions of the project to `Public' + - We'll change this back to private at the end 8. Logout of root and login as the `r10k_api_user` - Go to profile settings -> account ( https:///profile/account ) 
@@ -69,6 +71,8 @@ http://docs.puppetlabs.com/pe/latest/regenerate_certs_master.html - edit `git_management_system` to be 'gitlab' - edit the `gms_server_url` +11. `git add hieradata/nodes/.yaml` + 11. `git commit -m "renaming example-puppet-master.yaml"` 11. Rename my repository as the upstream remote @@ -77,9 +81,13 @@ http://docs.puppetlabs.com/pe/latest/regenerate_certs_master.html 12. Add your internal repository as the origin remote - `git remote add origin ` +13. `git branch --set-upstream-to origin/production` + 13. Push the production branch of the repository from your machine up to your git server - `git push origin production` +14. Change the permission of control-repo in your gitlab server to `private` + ###Stash ###Github @@ -109,7 +117,7 @@ http://docs.puppetlabs.com/pe/latest/regenerate_certs_master.html 7. Push the production branch of the repository from your machine up to your git server - `git push origin production` -8. Find the url to your internal repo this is usually on the front page of the repo +8. Find the url to your internal repo. This is usually on the front page of the repo 9. Add the repo as a remote - git remote add origin git@your-git-server:puppet/control-repo.git 
@@ -131,6 +139,28 @@ If you run into any issues or have more questions about the installer you can se http://docs.puppetlabs.com/pe/latest/install_basic.html +##Get the Control-Repo Deployed On Your Master + +At this point you have my control-repo code deployed into your git server. However, we have one final challenge getting that code onto your puppet master. In the end state the master will pull code from the git server via r10k, however, at this moment your puppet master doesn't have credentials to get code from the git server. + +So, we'll set up a deploy key in the git server that will allow a ssh-key we make to deploy the code and configure everything else. + +1. On your puppet master, make an ssh key for r10k to connect to gitlab + - `/usr/bin/ssh-keygen -t rsa -b 2048 -C 'r10k' -f /root/.ssh/r10k_rsa -q -N ''` + - http://doc.gitlab.com/ce/ssh/README.html + - https://help.github.com/articles/generating-ssh-keys/ +2. Create a deploy key on the `control-repo` project in Gitlab + - paste in the public key from above +3. Follow https://docs.puppetlabs.com/pe/latest/r10k_config_console.html + - The remote is on the front page of the project in the gitlab UI + - git_settings should be: + - `{"provider": "rugged", + "private_key": "/root/.ssh/r10k_rsa"}` +3. Run `puppet agent -t` + - Expect to see changes to `r10k.yaml` +3. Run `r10k deploy environment -pv` +4. Run `puppet agent -t` + ### Update Your Existing Install To Point To The Control Repository https://docs.puppetlabs.com/pe/latest/r10k_config_console.html diff --git a/site/profile/manifests/webhook_no_mcollective.pp b/site/profile/manifests/webhook_no_mcollective.pp index 42c4954..a245cf0 100644 --- a/site/profile/manifests/webhook_no_mcollective.pp +++ b/site/profile/manifests/webhook_no_mcollective.pp @@ -1,6 +1,8 @@ class profile::webhook_no_mcollective { class {'r10k::webhook::config': + enable_ssl => false, + protected => false, use_mcollective => false, } -- cgit v1.2.3 
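Review bot: `protected => false` together with `enable_ssl => false` leaves the r10k webhook on port 8088 as an unauthenticated plaintext endpoint, so any host that can reach the master can trigger `r10k deploy` at will — at minimum a way to keep the master busy, and a deploy of whatever the remote holds at that moment. The commit message only states that the webhook should not authenticate; if the reason is that the GMS cannot send credentials, restrict 8088 to the git server's address from this profile, and otherwise keep `protected => true` with the webhook user and password in hiera and `enable_ssl => true` to match the https used for `gms_server_url`. Whatever is chosen, the reasoning deserves a comment on these two lines so the next maintainer does not read them as an oversight.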
From ae3b7c7d4ad94753a58d75cce37d659b2eb35d62 Mon Sep 17 00:00:00 2001 From: Nick Walker Date: Wed, 21 Oct 2015 08:47:57 -0700 Subject: fix whitespace --- site/profile/manifests/webhook_no_mcollective.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'site/profile') diff --git a/site/profile/manifests/webhook_no_mcollective.pp b/site/profile/manifests/webhook_no_mcollective.pp index a245cf0..9f4b7fa 100644 --- a/site/profile/manifests/webhook_no_mcollective.pp +++ b/site/profile/manifests/webhook_no_mcollective.pp @@ -1,8 +1,8 @@ class profile::webhook_no_mcollective { class {'r10k::webhook::config': - enable_ssl => false, - protected => false, + enable_ssl => false, + protected => false, use_mcollective => false, } -- cgit v1.2.3 From 92f8d2d251d9e6fde5c124cb9a6974b1455269f7 Mon Sep 17 00:00:00 2001 From: Nick Walker Date: Mon, 26 Oct 2015 14:59:20 -0700 Subject: Configure the MoM to update the classifier after deploying code This entailed configring the classifier to never sync on a schedule. Changing environment_timeout to unlimited for all masters. Setting a postrun command for r10k that would update the class information in the classifier (the update-classes endpoint). --- hieradata/common.yaml | 5 +++++ hieradata/nodes/example-puppet-master.yaml | 4 ++++ site/profile/files/puppetmaster/update-classes.sh | 11 +++++++++++ site/profile/manifests/puppetmaster.pp | 16 ++++++++++++++++ 4 files changed, 36 insertions(+) create mode 100644 site/profile/files/puppetmaster/update-classes.sh (limited to 'site/profile') diff --git a/hieradata/common.yaml b/hieradata/common.yaml index 07fbd80..f3fb25a 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml 
@@ -3,3 +3,8 @@ message: "This node is using common data" #Puppet Server Tuning puppet_enterprise::master::puppetserver::jruby_max_requests_per_instance: 10000 + +#pe-console-services tuning +#https://docs.puppetlabs.com/pe/latest/console_config.html#tuning-the-classifier-synchronization-period +#disable classifier scheduled sync and rely on r10k postrun command to sync the classes +puppet_enterprise::profile::consolei::classifier_synchronization_period: 0 diff --git a/hieradata/nodes/example-puppet-master.yaml b/hieradata/nodes/example-puppet-master.yaml index 677e10d..584faac 100644 --- a/hieradata/nodes/example-puppet-master.yaml +++ b/hieradata/nodes/example-puppet-master.yaml @@ -2,3 +2,7 @@ git_management_system: 'gitlab' gms_server_url: 'https://gitlab-server' gms_api_token: 'BDkZfWWnk4LVTLHdAywd' + +#setup r10k to update classes in the console after code deploy +pe_r10k::postrun: + - '/usr/local/bin/update-classes.sh' diff --git a/site/profile/files/puppetmaster/update-classes.sh b/site/profile/files/puppetmaster/update-classes.sh new file mode 100644 index 0000000..dea10a9 --- /dev/null +++ b/site/profile/files/puppetmaster/update-classes.sh @@ -0,0 +1,11 @@ +#https://docs.puppetlabs.com/pe/latest/nc_update_classes.html#post-v1update-classes + +CONFDIR=$(puppet master --configprint confdir) + +CERT=$(puppet master --confdir ${CONFDIR} --configprint hostcert) +CACERT=$(puppet master --confdir ${CONFDIR} --configprint localcacert) +PRVKEY=$(puppet master --confdir ${CONFDIR} --configprint hostprivkey) +OPTIONS="--cert ${CERT} --cacert ${CACERT} --key ${PRVKEY}" +CONSOLE=$(awk '/server =/{print $NF}' ${CONFDIR}/console.conf) + +curl -k -X POST ${OPTIONS} "https://${CONSOLE}:4433/classifier-api/v1/update-classes" diff --git a/site/profile/manifests/puppetmaster.pp b/site/profile/manifests/puppetmaster.pp index bc52d3b..687b957 100644 --- a/site/profile/manifests/puppetmaster.pp +++ b/site/profile/manifests/puppetmaster.pp 
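Review bot: `curl -k` disables server certificate verification even though the same command passes `--cacert ${CACERT}`, which is the correct trust anchor for the console; drop `-k` so the classifier POST cannot be redirected to anything presenting a forged certificate (the same line is unchanged context in the later hunk that rewrites the `CONSOLE=` lookup). The script also has no interpreter line and no `set -e`, so when the `awk` match fails and `${CONSOLE}` is empty the curl still runs against `https://:4433/...`; start the file with `#!/bin/bash` and `set -euo pipefail`, and guard the lookup with `[ -n "${CONSOLE}" ] || exit 1`. Quoting the expansions (`"${CONFDIR}/console.conf"`) is also warranted since the paths come from `puppet master --configprint` rather than from the script itself.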
@@ -48,4 +48,20 @@ class profile::puppetmaster { } #END - Add deploy key and webhook to git management system + #Lay down update-classes.sh for use in r10k postrun_command + #This is configured via the pe_r10k::postrun key in hiera + file { '/usr/local/bin/update-classes.sh' : + ensure => file, + source => 'puppet::///modules/profile/puppetmaster/update-classes.sh', + } + + #https://docs.puppetlabs.com/puppet/latest/reference/config_file_environment.html#environmenttimeout + ini_setting { "environment_timeout = unlimited": + ensure => present, + path => '/etc/puppetlabs/puppet/puppet.conf', + section => 'main', + setting => 'environment_timeout', + value => 'unlimited', + } + } -- cgit v1.2.3 From 1cb89d981a7845453529a3a86ac9a9b1254fe61f Mon Sep 17 00:00:00 2001 From: Nick Walker Date: Mon, 26 Oct 2015 15:12:39 -0700 Subject: Fix some embarassing typos --- hieradata/common.yaml | 2 +- site/profile/manifests/puppetmaster.pp | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'site/profile') diff --git a/hieradata/common.yaml b/hieradata/common.yaml index f3fb25a..191061c 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml @@ -7,4 +7,4 @@ puppet_enterprise::master::puppetserver::jruby_max_requests_per_instance: 10000 #pe-console-services tuning #https://docs.puppetlabs.com/pe/latest/console_config.html#tuning-the-classifier-synchronization-period #disable classifier scheduled sync and rely on r10k postrun command to sync the classes -puppet_enterprise::profile::consolei::classifier_synchronization_period: 0 +puppet_enterprise::profile::console::classifier_synchronization_period: 0 diff --git a/site/profile/manifests/puppetmaster.pp b/site/profile/manifests/puppetmaster.pp index 687b957..ec85155 100644 --- a/site/profile/manifests/puppetmaster.pp +++ b/site/profile/manifests/puppetmaster.pp 
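Review bot: The new `file { '/usr/local/bin/update-classes.sh' }` resource sets no `owner`, `group` or `mode`, yet the file is executed by r10k's postrun command (the `pe_r10k::postrun` hiera key added in the same commit), so whoever can modify it gets to run code in whatever context r10k runs in; pin it with `owner => 'root',` `group => 'root',` and `mode => '0755',`. A later hunk in this series adds `mode => '755'` but still leaves owner and group unmanaged. The `ini_setting` for `environment_timeout` likewise has no `notify`, so the puppet.conf change only takes effect at the next restart of the puppetserver service.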
@@ -52,7 +52,7 @@ class profile::puppetmaster { #This is configured via the pe_r10k::postrun key in hiera file { '/usr/local/bin/update-classes.sh' : ensure => file, - source => 'puppet::///modules/profile/puppetmaster/update-classes.sh', + source => 'puppet:///modules/profile/puppetmaster/update-classes.sh', } #https://docs.puppetlabs.com/puppet/latest/reference/config_file_environment.html#environmenttimeout -- cgit v1.2.3 From 4598483d0f7faf357c443e12816a45cd0f975e50 Mon Sep 17 00:00:00 2001 From: Nick Walker Date: Mon, 26 Oct 2015 15:50:22 -0700 Subject: Fix the update-classes script and set appropriate perms on it --- site/profile/files/puppetmaster/update-classes.sh | 2 +- site/profile/manifests/puppetmaster.pp | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) (limited to 'site/profile') diff --git a/site/profile/files/puppetmaster/update-classes.sh b/site/profile/files/puppetmaster/update-classes.sh index dea10a9..fc33026 100644 --- a/site/profile/files/puppetmaster/update-classes.sh +++ b/site/profile/files/puppetmaster/update-classes.sh @@ -6,6 +6,6 @@ CERT=$(puppet master --confdir ${CONFDIR} --configprint hostcert) CACERT=$(puppet master --confdir ${CONFDIR} --configprint localcacert) PRVKEY=$(puppet master --confdir ${CONFDIR} --configprint hostprivkey) OPTIONS="--cert ${CERT} --cacert ${CACERT} --key ${PRVKEY}" -CONSOLE=$(awk '/server =/{print $NF}' ${CONFDIR}/console.conf) +CONSOLE=$(awk '/server: /{print $NF}' ${CONFDIR}/classifier.yaml) curl -k -X POST ${OPTIONS} "https://${CONSOLE}:4433/classifier-api/v1/update-classes" diff --git a/site/profile/manifests/puppetmaster.pp b/site/profile/manifests/puppetmaster.pp index ec85155..193f0ca 100644 --- a/site/profile/manifests/puppetmaster.pp +++ b/site/profile/manifests/puppetmaster.pp 
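Review bot: The new `CONSOLE=$(awk '/server: /{print $NF}' ${CONFDIR}/classifier.yaml)` line takes the last field of any line matching `server: ` anywhere in classifier.yaml, so a nested or differently-indented key, or a quoted value, yields a wrong or empty host and the unchanged `curl` line below then posts to `https://:4433/...`; guard with `[ -n "${CONSOLE}" ] || exit 1` before the request and quote `"${CONFDIR}/classifier.yaml"`. The `curl -k` on the context line is the same issue raised on the hunk that introduced this script and is still unaddressed here.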
@@ -53,6 +53,7 @@ class profile::puppetmaster { file { '/usr/local/bin/update-classes.sh' : ensure => file, source => 'puppet:///modules/profile/puppetmaster/update-classes.sh', + mode => '755', } #https://docs.puppetlabs.com/puppet/latest/reference/config_file_environment.html#environmenttimeout -- cgit v1.2.3 From 8fe670beb09ffa086c5c8937bfc12d64d3296578 Mon Sep 17 00:00:00 2001 From: Nick Walker Date: Mon, 26 Oct 2015 16:32:24 -0700 Subject: make environment timeout setting refresh the puppet master service --- site/profile/manifests/puppetmaster.pp | 1 + 1 file changed, 1 insertion(+) (limited to 'site/profile') diff --git a/site/profile/manifests/puppetmaster.pp b/site/profile/manifests/puppetmaster.pp index 193f0ca..1c618a2 100644 --- a/site/profile/manifests/puppetmaster.pp +++ b/site/profile/manifests/puppetmaster.pp @@ -63,6 +63,7 @@ class profile::puppetmaster { section => 'main', setting => 'environment_timeout', value => 'unlimited', + notify => Service['pe-puppetserver'], } } -- cgit v1.2.3 From d6cb170a787da4ca4c0d830c5002893f7ae72bb3 Mon Sep 17 00:00:00 2001 From: Nick Walker Date: Wed, 28 Oct 2015 10:37:59 -0700 Subject: enable ssl on the webhook --- site/profile/manifests/puppetmaster.pp | 30 +++++++++++++----------- site/profile/manifests/webhook_no_mcollective.pp | 2 +- 2 files changed, 17 insertions(+), 15 deletions(-) (limited to 'site/profile') diff --git a/site/profile/manifests/puppetmaster.pp b/site/profile/manifests/puppetmaster.pp index 1c618a2..3085300 100644 --- a/site/profile/manifests/puppetmaster.pp +++ b/site/profile/manifests/puppetmaster.pp 
@@ -27,22 +27,24 @@ class profile::puppetmaster { if $git_management_system in ['gitlab', 'github'] { git_deploy_key { "add_deploy_key_to_puppet_control-${fqdn}": - ensure => present, - name => $::fqdn, - path => "${r10k_ssh_key_file}.pub", - token => hiera('gms_api_token'), - project_name => 'puppet/control-repo', - server_url => hiera('gms_server_url'), - provider => $git_management_system, + ensure => present, + name => $::fqdn, + path => "${r10k_ssh_key_file}.pub", + token => hiera('gms_api_token'), + project_name => 'puppet/control-repo', + server_url => hiera('gms_server_url'), + provider => $git_management_system, + disable_ssl_verify => true, } git_webhook { 'web_post_receive_webhook' : - ensure => present, - webhook_url => "http://${fqdn}:8088/payload", - token => hiera('gms_api_token'), - project_name => 'puppet/control-repo', - server_url => hiera('gms_server_url'), - provider => $git_management_system, + ensure => present, + webhook_url => "http://${fqdn}:8088/payload", + token => hiera('gms_api_token'), + project_name => 'puppet/control-repo', + server_url => hiera('gms_server_url'), + provider => $git_management_system, + disable_ssl_verify => true, } } @@ -63,7 +65,7 @@ class profile::puppetmaster { section => 'main', setting => 'environment_timeout', value => 'unlimited', - notify => Service['pe-puppetserver'], + notify => Service['pe-puppetserver'], } } diff --git a/site/profile/manifests/webhook_no_mcollective.pp b/site/profile/manifests/webhook_no_mcollective.pp index 9f4b7fa..f4f50d7 100644 --- a/site/profile/manifests/webhook_no_mcollective.pp +++ b/site/profile/manifests/webhook_no_mcollective.pp @@ -1,7 +1,7 @@ class profile::webhook_no_mcollective { class {'r10k::webhook::config': - enable_ssl => false, + enable_ssl => true, protected => false, use_mcollective => false, } -- cgit v1.2.3 From c2aeccd388fb56fdb7b02d4796ab5e140bce00e8 Mon Sep 17 00:00:00 2001 
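Review bot: The `git_webhook` resource keeps `webhook_url => "http://${fqdn}:8088/payload"` while the same commit flips `enable_ssl => true` in profile::webhook_no_mcollective, so the git server will deliver plain-HTTP payloads to a listener that now expects TLS on 8088 and post-receive deliveries will fail; the URL needs the `https://` scheme. `disable_ssl_verify => true` on both resources also sends `hiera('gms_api_token')` over a connection whose server certificate is not checked, which exposes the token to anyone who can interpose on the path to the git server. Since profile::gitlab serves a certificate issued by the Puppet CA (see the gitlab.pp hunk later in this series), pointing the provider at the master's `localcacert` would keep verification on — if the gms provider exposes a CA option, which I cannot confirm from here.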
From: Nick Walker Date: Wed, 28 Oct 2015 11:27:57 -0700 Subject: disable SSL on the zack/r10k webhook The abrader/gms provider for gitlab doesn't support disabling ssl verification but will soon. --- site/profile/manifests/puppetmaster.pp | 1 - site/profile/manifests/webhook_no_mcollective.pp | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) (limited to 'site/profile') diff --git a/site/profile/manifests/puppetmaster.pp b/site/profile/manifests/puppetmaster.pp index 3085300..8e0817c 100644 --- a/site/profile/manifests/puppetmaster.pp +++ b/site/profile/manifests/puppetmaster.pp @@ -34,7 +34,6 @@ class profile::puppetmaster { project_name => 'puppet/control-repo', server_url => hiera('gms_server_url'), provider => $git_management_system, - disable_ssl_verify => true, } git_webhook { 'web_post_receive_webhook' : diff --git a/site/profile/manifests/webhook_no_mcollective.pp b/site/profile/manifests/webhook_no_mcollective.pp index f4f50d7..9f4b7fa 100644 --- a/site/profile/manifests/webhook_no_mcollective.pp +++ b/site/profile/manifests/webhook_no_mcollective.pp @@ -1,7 +1,7 @@ class profile::webhook_no_mcollective { class {'r10k::webhook::config': - enable_ssl => true, + enable_ssl => false, protected => false, use_mcollective => false, } -- cgit v1.2.3 From b6351f9e5d80bbf93374575591e8a95ad07c255d Mon Sep 17 00:00:00 2001 From: Nick Walker Date: Wed, 28 Oct 2015 13:16:36 -0700 Subject: Add $::fqdn to post receive hook title Also, change other references of $fqdn to $::fqdn --- site/profile/manifests/puppetmaster.pp | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'site/profile') diff --git a/site/profile/manifests/puppetmaster.pp b/site/profile/manifests/puppetmaster.pp index 8e0817c..5c9b59a 100644 --- a/site/profile/manifests/puppetmaster.pp +++ b/site/profile/manifests/puppetmaster.pp 
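Review bot: With `enable_ssl => false` restored and `protected => false` still on the context line, the r10k webhook on 8088 accepts unauthenticated plaintext requests that trigger a code deploy, so anyone who can reach the port can redeploy environments; at minimum set `protected => true` with a `user`/`pass` pair until the gms provider can verify the certificate. Per the diffstat only one line is removed from puppetmaster.pp, so `disable_ssl_verify => true` added to `git_webhook` in the previous commit is still in place outside this hunk, and the two resources now behave differently against the same server; the commit message should say whether that is intended.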
@@ -26,7 +26,7 @@ class profile::puppetmaster { if $git_management_system in ['gitlab', 'github'] { - git_deploy_key { "add_deploy_key_to_puppet_control-${fqdn}": + git_deploy_key { "add_deploy_key_to_puppet_control-${::fqdn}": ensure => present, name => $::fqdn, path => "${r10k_ssh_key_file}.pub", @@ -36,9 +36,9 @@ class profile::puppetmaster { provider => $git_management_system, } - git_webhook { 'web_post_receive_webhook' : + git_webhook { "web_post_receive_webhook-${::fqdn}" : ensure => present, - webhook_url => "http://${fqdn}:8088/payload", + webhook_url => "http://${::fqdn}:8088/payload", token => hiera('gms_api_token'), project_name => 'puppet/control-repo', server_url => hiera('gms_server_url'), -- cgit v1.2.3 From e045f172bd5d1b14873bf323fe83230f7cc1aa2c Mon Sep 17 00:00:00 2001 From: Nick Walker Date: Thu, 29 Oct 2015 09:44:01 -0700 Subject: enable SSL on the zack/r10k webhook --- site/profile/manifests/puppetmaster.pp | 2 +- site/profile/manifests/webhook_no_mcollective.pp | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'site/profile') diff --git a/site/profile/manifests/puppetmaster.pp b/site/profile/manifests/puppetmaster.pp index 5c9b59a..d306ad5 100644 --- a/site/profile/manifests/puppetmaster.pp +++ b/site/profile/manifests/puppetmaster.pp @@ -38,7 +38,7 @@ class profile::puppetmaster { git_webhook { "web_post_receive_webhook-${::fqdn}" : ensure => present, - webhook_url => "http://${::fqdn}:8088/payload", + webhook_url => "https://${::fqdn}:8088/payload", token => hiera('gms_api_token'), project_name => 'puppet/control-repo', server_url => hiera('gms_server_url'), diff --git a/site/profile/manifests/webhook_no_mcollective.pp b/site/profile/manifests/webhook_no_mcollective.pp index 9f4b7fa..f4f50d7 100644 --- a/site/profile/manifests/webhook_no_mcollective.pp +++ b/site/profile/manifests/webhook_no_mcollective.pp 
@@ -1,7 +1,7 @@ class profile::webhook_no_mcollective { class {'r10k::webhook::config': - enable_ssl => false, + enable_ssl => true, protected => false, use_mcollective => false, } -- cgit v1.2.3 From 8e271e3043fd55ce7c39f520360214e6844085af Mon Sep 17 00:00:00 2001 From: Nick Walker Date: Fri, 30 Oct 2015 13:04:42 -0700 Subject: Change the zack/r10k webhook to utilize username and password To accomodate generating random usernames and passwords, I had to parameterize the profiles which I didn't feel great about but I also didn't want to have to put the username and pass in hiera. --- site/profile/manifests/puppetmaster.pp | 7 +++++-- site/profile/manifests/webhook_no_mcollective.pp | 9 +++++++-- site/role/manifests/all_in_one_pe.pp | 14 ++++++++++++-- 3 files changed, 24 insertions(+), 6 deletions(-) (limited to 'site/profile') diff --git a/site/profile/manifests/puppetmaster.pp b/site/profile/manifests/puppetmaster.pp index d306ad5..d3f1a87 100644 --- a/site/profile/manifests/puppetmaster.pp +++ b/site/profile/manifests/puppetmaster.pp @@ -1,4 +1,7 @@ -class profile::puppetmaster { +class profile::puppetmaster ( + $webhook_username, + $webhook_password +) { class { 'hiera': hierarchy => [ @@ -38,7 +41,7 @@ class profile::puppetmaster { git_webhook { "web_post_receive_webhook-${::fqdn}" : ensure => present, - webhook_url => "https://${::fqdn}:8088/payload", + webhook_url => "https://${webhook_username}:${webhook_password}@${::fqdn}:8088/payload", token => hiera('gms_api_token'), project_name => 'puppet/control-repo', server_url => hiera('gms_server_url'), diff --git a/site/profile/manifests/webhook_no_mcollective.pp b/site/profile/manifests/webhook_no_mcollective.pp index f4f50d7..dc7b1aa 100644 --- a/site/profile/manifests/webhook_no_mcollective.pp +++ b/site/profile/manifests/webhook_no_mcollective.pp 
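Review bot: Interpolating `${webhook_username}:${webhook_password}` into `webhook_url` places the password in a resource parameter, so it ends up in the compiled catalog, in PuppetDB and in any report or debug output that prints the git_webhook resource, and the git server stores it as part of the hook URL. This is how basic auth is expressed for this webhook, so the practical fix is disclosure rather than removal: a comment such as `# credentials are embedded in the URL and visible in catalogs/PuppetDB; rotate via the hiera webhook_password key` next to the line. The new parameters `$webhook_username` and `$webhook_password` carry no types and no doc comment; a header comment stating that both are required and where the role obtains them would help the next reader.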
@@ -1,8 +1,13 @@ -class profile::webhook_no_mcollective { +class profile::webhook_no_mcollective ( + $username, + $password +) { class {'r10k::webhook::config': enable_ssl => true, - protected => false, + protected => true, + user => $username, + pass => $password, use_mcollective => false, } diff --git a/site/role/manifests/all_in_one_pe.pp b/site/role/manifests/all_in_one_pe.pp index f34a261..3762325 100644 --- a/site/role/manifests/all_in_one_pe.pp +++ b/site/role/manifests/all_in_one_pe.pp @@ -1,6 +1,16 @@ class role::all_in_one_pe { - include profile::webhook_no_mcollective - include profile::puppetmaster + $webhook_username = hiera('webhook_username', fqdn_rand_string(10, '', 'username')) + $webhook_password = hiera('webhook_password', fqdn_rand_string(20, '', 'password')) + + class { 'profile::puppetmaster' : + webhook_username => $webhook_username, + webhook_password => $webhook_password, + } + + class { 'profile::webhook_no_mcollective' : + username => $webhook_username, + password => $webhook_password, + } } -- cgit v1.2.3 From 3149d9707f2882bdd4bc499a2bc65fb6dff36bf9 Mon Sep 17 00:00:00 2001 
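Review bot: The fallback `fqdn_rand_string(20, '', 'password')` in role::all_in_one_pe is not a secret: fqdn_rand_string is seeded from the node's FQDN plus the given seed string, so the same hostname always yields the same value, and anyone who knows the hostname and can read this repository can recompute the webhook password that `protected => true` now relies on. Make the hiera key mandatory, `$webhook_password = hiera('webhook_password')`, or generate the value once from a real random source and store it encrypted; the example node data in this series already keeps `gms_api_token` in plaintext, so eyaml for both would be the consistent answer. The username default has the same property, though it matters less.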
From: Nick Walker Date: Fri, 30 Oct 2015 13:42:33 -0700 Subject: Refactor webhook profiles into one profile with a parameter Previously there was a mcollective and no_mcollective version of the webhook profile. They were almost identical so I merged them and manage the difference with a "use_mcollective" parameter. I renamed the webhook profile to zack_r10k_webhook. --- site/profile/manifests/puppetmaster.pp | 22 +++++++++--------- site/profile/manifests/webhook_mcollective.pp | 15 ------------ site/profile/manifests/webhook_no_mcollective.pp | 20 ---------------- site/profile/manifests/zack_r10k_webhook.pp | 29 ++++++++++++++++++++++++ site/role/manifests/all_in_one_pe.pp | 2 +- 5 files changed, 41 insertions(+), 47 deletions(-) delete mode 100644 site/profile/manifests/webhook_mcollective.pp delete mode 100644 site/profile/manifests/webhook_no_mcollective.pp create mode 100644 site/profile/manifests/zack_r10k_webhook.pp (limited to 'site/profile') diff --git a/site/profile/manifests/puppetmaster.pp b/site/profile/manifests/puppetmaster.pp index d3f1a87..1a199cd 100644 --- a/site/profile/manifests/puppetmaster.pp +++ b/site/profile/manifests/puppetmaster.pp 
@@ -23,20 +23,20 @@ class profile::puppetmaster ( creates => $r10k_ssh_key_file, } #END - Generate an SSH key for r10k to connect to git - + #BEGIN - Add deploy key and webook to git management system $git_management_system = hiera('git_management_system', '') if $git_management_system in ['gitlab', 'github'] { - + git_deploy_key { "add_deploy_key_to_puppet_control-${::fqdn}": - ensure => present, - name => $::fqdn, - path => "${r10k_ssh_key_file}.pub", - token => hiera('gms_api_token'), - project_name => 'puppet/control-repo', - server_url => hiera('gms_server_url'), - provider => $git_management_system, + ensure => present, + name => $::fqdn, + path => "${r10k_ssh_key_file}.pub", + token => hiera('gms_api_token'), + project_name => 'puppet/control-repo', + server_url => hiera('gms_server_url'), + provider => $git_management_system, } git_webhook { "web_post_receive_webhook-${::fqdn}" : @@ -57,11 +57,11 @@ class profile::puppetmaster ( file { '/usr/local/bin/update-classes.sh' : ensure => file, source => 'puppet:///modules/profile/puppetmaster/update-classes.sh', - mode => '755', + mode => '0755', } #https://docs.puppetlabs.com/puppet/latest/reference/config_file_environment.html#environmenttimeout - ini_setting { "environment_timeout = unlimited": + ini_setting { 'environment_timeout = unlimited': ensure => present, path => '/etc/puppetlabs/puppet/puppet.conf', section => 'main', diff --git a/site/profile/manifests/webhook_mcollective.pp b/site/profile/manifests/webhook_mcollective.pp deleted file mode 100644 index 395cc7a..0000000 --- a/site/profile/manifests/webhook_mcollective.pp +++ /dev/null @@ -1,15 +0,0 @@ -class profile::webhook_mcollective { - - class { 'r10k::mcollective': - notify => Service['mcollective'], - } - - include r10k::webhook::config - - class {'r10k::webhook': - user => 'root', - group => '0', - require => Class['r10k::webhook::config'], - } - -} 
diff --git a/site/profile/manifests/webhook_no_mcollective.pp b/site/profile/manifests/webhook_no_mcollective.pp deleted file mode 100644 index dc7b1aa..0000000 --- a/site/profile/manifests/webhook_no_mcollective.pp +++ /dev/null @@ -1,20 +0,0 @@ -class profile::webhook_no_mcollective ( - $username, - $password -) { - - class {'r10k::webhook::config': - enable_ssl => true, - protected => true, - user => $username, - pass => $password, - use_mcollective => false, - } - - class {'r10k::webhook': - user => 'root', - group => '0', - require => Class['r10k::webhook::config'], - } - -} diff --git a/site/profile/manifests/zack_r10k_webhook.pp b/site/profile/manifests/zack_r10k_webhook.pp new file mode 100644 index 0000000..7e0bd40 --- /dev/null +++ b/site/profile/manifests/zack_r10k_webhook.pp @@ -0,0 +1,29 @@ +class profile::zack_r10k_webhook ( + $username, + $password, + $use_mcollective = false, +) { + + if $use_mcollective { + + class { 'r10k::mcollective': + notify => Service['mcollective'], + } + + } + + class {'r10k::webhook::config': + enable_ssl => true, + protected => true, + user => $username, + pass => $password, + use_mcollective => $use_mcollective, + } + + class {'r10k::webhook': + user => 'root', + group => '0', + require => Class['r10k::webhook::config'], + } + +} diff --git a/site/role/manifests/all_in_one_pe.pp b/site/role/manifests/all_in_one_pe.pp index 3762325..6bc2eb3 100644 --- a/site/role/manifests/all_in_one_pe.pp +++ b/site/role/manifests/all_in_one_pe.pp @@ -8,7 +8,7 @@ class role::all_in_one_pe { webhook_password => $webhook_password, } - class { 'profile::webhook_no_mcollective' : + class { 'profile::zack_r10k_webhook' : username => $webhook_username, password => $webhook_password, } -- cgit v1.2.3 From e5be3e2ddd2201a26a848fbc412b6705ff9154f9 Mon Sep 17 00:00:00 2001 
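Review bot: The new profile::zack_r10k_webhook starts the network-facing listener on 8088 with `user => 'root', group => '0'`, but nothing records why the webhook needs root rather than the account r10k deploys as; a comment giving the reason (or a dedicated user, if r10k's deploy paths permit it — not visible from here) would stop the next reader from treating root as incidental. The class also lacks a header comment for its parameters; a three-line block above it describing `username`/`password` as the basic-auth credentials the git server must present and `use_mcollective` as the switch that also declares r10k::mcollective would suffice. `$username` and `$password` are untyped, so an empty string is accepted silently and would likely produce a config in which `protected => true` guards nothing.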
From: Nick Walker Date: Fri, 30 Oct 2015 13:50:10 -0700 Subject: fixing a bunch of puppet lint warnings --- site/profile/manifests/gitlab.pp | 10 +++++----- site/profile/manifests/stash.pp | 8 ++++---- site/role/manifests/database_server.pp | 2 +- 3 files changed, 10 insertions(+), 10 deletions(-) (limited to 'site/profile') diff --git a/site/profile/manifests/gitlab.pp b/site/profile/manifests/gitlab.pp index c3e5f82..72c57e5 100644 --- a/site/profile/manifests/gitlab.pp +++ b/site/profile/manifests/gitlab.pp @@ -4,21 +4,21 @@ class profile::gitlab { ensure => directory, } - file { "/etc/gitlab/ssl/${fqdn}.key" : + file { "/etc/gitlab/ssl/${::fqdn}.key" : ensure => file, - source => "${settings::privatekeydir}/${trusted['certname']}.pem", + source => "${::settings::privatekeydir}/${::trusted['certname']}.pem", notify => Exec['gitlab_reconfigure'], } - file { "/etc/gitlab/ssl/${fqdn}.crt" : + file { "/etc/gitlab/ssl/${::fqdn}.crt" : ensure => file, - source => "${settings::certdir}/${trusted['certname']}.pem", + source => "${::settings::certdir}/${::trusted['certname']}.pem", notify => Exec['gitlab_reconfigure'], } class { 'gitlab': external_url => hiera( 'gms_server_url', "https://${::fqdn}") , - require => File["/etc/gitlab/ssl/${fqdn}.key", "/etc/gitlab/ssl/${fqdn}.key"], + require => File["/etc/gitlab/ssl/${::fqdn}.key", "/etc/gitlab/ssl/${::fqdn}.key"], } } diff --git a/site/profile/manifests/stash.pp b/site/profile/manifests/stash.pp index b3298e4..18b0468 100644 --- a/site/profile/manifests/stash.pp +++ b/site/profile/manifests/stash.pp @@ -2,8 +2,8 @@ class profile::stash { class { 'java' : version => present, - } -> - + } -> + class { 'postgresql::globals': manage_package_repo => true, version => '9.4', 
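Review bot: The rewritten `require` on `class { 'gitlab': }` lists `File["/etc/gitlab/ssl/${::fqdn}.key"]` twice and never the `.crt`, so the certificate is not guaranteed to exist before GitLab is configured; the second entry should be `"/etc/gitlab/ssl/${::fqdn}.crt"`. The `file` resource that copies the node's Puppet private key from `${::settings::privatekeydir}` into /etc/gitlab/ssl manages only `ensure`, `source` and `notify`, so the copy's mode and owner fall to Puppet's defaults and the key is likely readable by other local users; add `owner => 'root',` and `mode => '0600',` (or the group the GitLab web server reads it as, which is not visible here). This commit only changes the variable references, but since it rewrites these exact lines it is the right place to fix both.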
@@ -16,9 +16,9 @@ class profile::stash { } -> class { 'stash': - javahome => '/etc/alternatives/java_sdk', + javahome => '/etc/alternatives/java_sdk', #dev.mode grants a 24-hour license for testing - java_opts => '-Datlassian.dev.mode=true', + java_opts => '-Datlassian.dev.mode=true', } file { '/opt/puppetlabs/bin/stash_mco.rb': diff --git a/site/role/manifests/database_server.pp b/site/role/manifests/database_server.pp index 8c37438..aacc912 100644 --- a/site/role/manifests/database_server.pp +++ b/site/role/manifests/database_server.pp @@ -2,6 +2,6 @@ class role::database_server { #This role would be made of all the profiles that need to be included to make a database server work #All roles should include the base profile - include profile::base + include profile::base } -- cgit v1.2.3 From 7e40513c531d98015101367baf5d480d7ea6d2e3 Mon Sep 17 00:00:00 2001 From: Nick Walker Date: Tue, 17 Nov 2015 14:10:45 -0800 Subject: Change owner/group to pe-puppet for hiera module When the owner / group was root this meant that enabling hiera-eyaml wouldn't work properly as the keys couldn't be read by puppetserver. Changing to pe-puppet should resolve the issue. --- site/profile/manifests/puppetmaster.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'site/profile') diff --git a/site/profile/manifests/puppetmaster.pp b/site/profile/manifests/puppetmaster.pp index 1a199cd..0954807 100644 --- a/site/profile/manifests/puppetmaster.pp +++ b/site/profile/manifests/puppetmaster.pp @@ -11,8 +11,8 @@ class profile::puppetmaster ( ], hiera_yaml => '/etc/puppetlabs/code/hiera.yaml', datadir => '/etc/puppetlabs/code/environments/%{environment}/hieradata', - owner => 'root', - group => 'root', + owner => 'pe-puppet', + group => 'pe-puppet', notify => Service['pe-puppetserver'], } -- cgit v1.2.3
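Review bot: Handing `owner`/`group` of the hiera module's managed files to `pe-puppet` makes hiera.yaml — and, if the module applies the same ownership to `datadir` and the eyaml key directory, the data and keys too — writable by the puppetserver process itself, so a compromise of that service could rewrite the hierarchy or data served to every node. If the motivation is only that puppetserver must read the eyaml keys, the narrower change is `owner => 'root',` with `group => 'pe-puppet',` and read-only group permissions on the keys directory; whether the hiera module exposes a separate mode or owner for the keys is not visible here, so confirm before relying on it. A comment on these two lines stating the eyaml reason from the commit message would also help the next reader.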