From cc34e25fd54e60caf744130d90c14f8d839c7823 Mon Sep 17 00:00:00 2001
From: Nick Walker
Date: Mon, 7 Dec 2015 07:55:32 -0800
Subject: Final steps to make Code Manager work
- Moved ssh key generation and git deploy key out of the puppetmaster profile and into zack_r10k and code_manager
- Swapped code manager into the all_in_one role
- Made a 2015.2 all_in_one role if users prefer to use it
- Conditionally move all existing code out of environmentpath to allow file sync to sync files
- Update the README to compliment the new puppet code
---
site/profile/manifests/code_manager.pp | 50 +++++++++++++++++++++++++++--
site/profile/manifests/puppetmaster.pp | 27 ----------------
site/profile/manifests/zack_r10k_webhook.pp | 18 +++++++++--
site/role/manifests/all_in_one_pe.pp | 1 -
site/role/manifests/all_in_one_pe_2015_2.pp | 6 ++++
5 files changed, 69 insertions(+), 33 deletions(-)
create mode 100644 site/role/manifests/all_in_one_pe_2015_2.pp
(limited to 'site')
diff --git a/site/profile/manifests/code_manager.pp b/site/profile/manifests/code_manager.pp
index db1d901..fc0eb8b 100644
--- a/site/profile/manifests/code_manager.pp
+++ b/site/profile/manifests/code_manager.pp
@@ -1,10 +1,10 @@ class profile::code_manager { - $authenticate_webhook = hiera('puppet_enterprise::master::code_manager::authenticate_webhook', true) + $authenticate_webhook = hiera('puppet_enterprise::master::code_manager::authenticate_webhook', true) $code_manager_service_user = 'code_manager_service_user' $code_manager_service_user_password = fqdn_rand_string(40, '', "${code_manager_service_user}_password") - + #puppet_master_classifier_settings is a custom function $classifier_settings = puppet_master_classifer_settings() $classifier_hostname = $classifier_settings['server']
@@ -16,6 +16,19 @@ class profile::code_manager { $gms_api_token = hiera('gms_api_token', undef) $git_management_system = hiera('git_management_system', undef) + $code_manager_ssh_key_file = '/etc/puppetlabs/puppetserver/code_manager.key' + exec { 'create code manager ssh key' : + command => "/usr/bin/ssh-keygen -t rsa -b 2048 -C 'code_manager' -f ${code_manager_ssh_key_file} -q -N ''", + creates => $code_manager_ssh_key_file, + } + + file { $code_manager_ssh_key_file : + ensure => file, + owner => 'pe-puppet', + group => 'pe-puppet', + require => Exec['create code manager ssh key'], + } + #If files exist in the codedir code manager can't manage them unless pe-puppet can read them exec { 'chown all environments to pe-puppet' : command => "/bin/chown -R pe-puppet:pe-puppet ${::settings::codedir}", 
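Review bot: The `file { $code_manager_ssh_key_file : ... }` resource sets owner and group but no `mode`, so the private key relies on the permissions ssh-keygen applied at creation time and Puppet never re-enforces them; add `mode => '0600',` so a later manual change is corrected on the next run. The matching public key `${code_manager_ssh_key_file}.pub`, which the git_deploy_key further down the file reads, has no file resource at all, so its ownership is unmanaged after the chown. `-N ''` deliberately creates a passphrase-less key because the server uses it unattended; a one-line comment above the exec saying so would stop a reader from "fixing" it. The enclosing class body continues outside the hunk.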
@@ -49,12 +62,33 @@ class profile::code_manager { require => [ Rbac_user[$code_manager_service_user], File[$token_directory] ], } - #this file cannont be read until the next run after the above exec #because the file function runs on the master not on the agent #so the file doesn't exist at the time the function is run $rbac_token_file_contents = no_fail_file($token_filename) + #Only mv code if this is at least the 2nd run of puppet + #Code manager needs to be enabled and puppet server restarted + #before this exec can complete. Gating on the token file + #ensures at least one run has completed + if $::code_manager_mv_old_code and !empty($rbac_token_file_contents) { + + $timestamp = chomp(generate('/bin/date', '+%Y%d%m_%H:%M:%S')) + + exec { 'mv files out of $environmentpath' : + command => "mkdir /etc/puppetlabs/env_back_${timestamp}; + mv ${::settings::codedir}/environments/* /etc/puppetlabs/env_back_${timestamp}/; + rm /opt/puppetlabs/facter/facts.d/code_manager_mv_old_code.txt; + TOKEN=`/opt/puppetlabs/puppet/bin/ruby -e \"require 'json'; puts JSON.parse(File.read('${token_filename}'))['token']\"`; + /opt/puppetlabs/puppet/bin/curl -k -X POST -H 'Content-Type: application/json' \"https://${::trusted['certname']}:8170/code-manager/v1/deploys?token=\$TOKEN\" -d '{\"environments\": [\"${::environment}\"], \"wait\": true}'; + /opt/puppetlabs/puppet/bin/curl -k -X POST -H 'Content-Type: application/json' \"https://${::trusted['certname']}:8170/code-manager/v1/deploys?token=\$TOKEN\" -d '{\"deploy-all\": true, \"wait\": true}'; + sleep 15", + path => $::path, + logoutput => true, + require => Exec["Generate Token for ${code_manager_service_user}"], + } + } + if !empty($gms_api_token) { if $authenticate_webhook and !empty($rbac_token_file_contents) { 
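Review bot: In the `mv files out of $environmentpath` exec, `rm /opt/puppetlabs/facter/facts.d/code_manager_mv_old_code.txt` runs before the two deploy calls, so if either curl fails the gating fact is already gone and the deploy is never retried; moving the `rm` after the final curl and the `sleep` keeps the exec re-runnable. Both curl calls use `-k` against the node's own certname and carry the RBAC token in the query string, where it can end up in request logs; pointing curl at the Puppet CA with `--cacert <path to the master's CA cert>` and sending the token in a header instead (Code Manager accepts `X-Authentication`; confirm for this PE release) avoids both. The backup directory name uses `+%Y%d%m_%H:%M:%S`, which puts the day before the month so backup directories will not sort chronologically; `+%Y%m%d_%H%M%S` is presumably what was intended. Because the command depends on `;`, backticks and `$TOKEN` expansion, declaring `provider => shell,` makes that requirement explicit rather than relying on how the default provider dispatches a multi-word command. The enclosing class body starts and ends outside the hunk.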
@@ -71,6 +105,16 @@ class profile::code_manager { default => $git_management_system, } + git_deploy_key { "add_deploy_key_to_puppet_control-${::fqdn}": + ensure => present, + name => $::fqdn, + path => "${code_manager_ssh_key_file}.pub", + token => $gms_api_token, + project_name => 'puppet/control-repo', + server_url => hiera('gms_server_url'), + provider => $git_management_system, + } + git_webhook { "code_manager_post_receive_webhook-${::fqdn}" : ensure => present, webhook_url => "https://${::fqdn}:8170/code-manager/v1/webhook?type=${code_manager_webhook_type}${token_info}",
diff --git a/site/profile/manifests/puppetmaster.pp b/site/profile/manifests/puppetmaster.pp
index d6a657f..28b3bdf 100644
--- a/site/profile/manifests/puppetmaster.pp
+++ b/site/profile/manifests/puppetmaster.pp
@@ -13,33 +13,6 @@ class profile::puppetmaster { notify => Service['pe-puppetserver'], } - #BEGIN - Generate an SSH key for r10k to connect to git - $r10k_ssh_key_file = '/root/.ssh/r10k_rsa' - exec { 'create r10k ssh key' : - command => "/usr/bin/ssh-keygen -t rsa -b 2048 -C 'r10k' -f ${r10k_ssh_key_file} -q -N ''", - creates => $r10k_ssh_key_file, - } - #END - Generate an SSH key for r10k to connect to git - - #BEGIN - Add deploy key and webook to git management system - $git_management_system = hiera('git_management_system', undef) - $gms_api_token = hiera('gms_api_token', undef) - - if !empty($gms_api_token) { - - git_deploy_key { "add_deploy_key_to_puppet_control-${::fqdn}": - ensure => present, - name => $::fqdn, - path => "${r10k_ssh_key_file}.pub", - token => $gms_api_token, - project_name => 'puppet/control-repo', - server_url => hiera('gms_server_url'), - provider => $git_management_system, - } - - } - #END - Add deploy key and webhook to git management system - #Lay down update-classes.sh for use in r10k postrun_command #This is configured via the pe_r10k::postrun key in hiera file { '/usr/local/bin/update-classes.sh' :
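Review bot: The new `git_deploy_key` reads `"${code_manager_ssh_key_file}.pub"` but declares no relationship to `Exec['create code manager ssh key']` that produces it, so on a first run only manifest ordering keeps key generation ahead of the deploy-key upload; add `require => Exec['create code manager ssh key'],` to make that explicit. The resource title `add_deploy_key_to_puppet_control-${::fqdn}` is identical to the one now declared in profile::zack_r10k_webhook, so a node that includes both profiles fails with a duplicate declaration; if the two profiles are meant to be mutually exclusive, a comment on the resource saying so would document that. The `if !empty($gms_api_token)` block this appears to sit in opens and closes outside the hunk.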
diff --git a/site/profile/manifests/zack_r10k_webhook.pp b/site/profile/manifests/zack_r10k_webhook.pp
index f35f856..0ab4da2 100644
--- a/site/profile/manifests/zack_r10k_webhook.pp
+++ b/site/profile/manifests/zack_r10k_webhook.pp
@@ -9,11 +9,9 @@ class profile::zack_r10k_webhook ( $git_management_system = hiera('git_management_system', undef) if $use_mcollective { - class { 'r10k::mcollective': notify => Service['mcollective'], } - } class {'r10k::webhook::config':
@@ -30,7 +28,23 @@ class profile::zack_r10k_webhook ( require => Class['r10k::webhook::config'], } + $r10k_ssh_key_file = '/root/.ssh/r10k_rsa' + exec { 'create r10k ssh key' : + command => "/usr/bin/ssh-keygen -t rsa -b 2048 -C 'r10k' -f ${r10k_ssh_key_file} -q -N ''", + creates => $r10k_ssh_key_file, + } + if !empty($gms_api_token) { + git_deploy_key { "add_deploy_key_to_puppet_control-${::fqdn}": + ensure => present, + name => $::fqdn, + path => "${r10k_ssh_key_file}.pub", + token => $gms_api_token, + project_name => 'puppet/control-repo', + server_url => hiera('gms_server_url'), + provider => $git_management_system, + } + git_webhook { "web_post_receive_webhook-${::fqdn}" : ensure => present, webhook_url => "https://${username}:${password}@${::fqdn}:8088/payload",
diff --git a/site/role/manifests/all_in_one_pe.pp b/site/role/manifests/all_in_one_pe.pp
index 3807e46..a8152b1 100644
--- a/site/role/manifests/all_in_one_pe.pp
+++ b/site/role/manifests/all_in_one_pe.pp
@@ -1,7 +1,6 @@ class role::all_in_one_pe { include profile::puppetmaster - include profile::zack_r10k_webhook include profile::code_manager }
diff --git a/site/role/manifests/all_in_one_pe_2015_2.pp b/site/role/manifests/all_in_one_pe_2015_2.pp
new file mode 100644
index 0000000..01bf717
--- /dev/null
+++ b/site/role/manifests/all_in_one_pe_2015_2.pp
@@ -0,0 +1,6 @@
+class role::all_in_one_pe_2015_2 {
+
+ include profile::puppetmaster
+ include profile::zack_r10k_webhook
+
+}
-- cgit v1.2.3
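Review bot: `ssh-keygen -f /root/.ssh/r10k_rsa` fails when `/root/.ssh` does not yet exist, because ssh-keygen does not create the parent directory, so on a fresh master the `create r10k ssh key` exec errors until something else has created it. Declaring `file { '/root/.ssh': ensure => directory, mode => '0700', }` and adding `require => File['/root/.ssh'],` to the exec removes that hidden dependency. As in profile::code_manager, the `git_deploy_key` reads the `.pub` file without a `require` on the exec that creates it, and both profiles use the same resource title, so including both on one node is a duplicate declaration. The `if !empty($gms_api_token)` block and the `git_webhook` resource continue past the end of the hunk.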
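Review bot: The new role carries no comment explaining when to choose it over role::all_in_one_pe, and the two differ only in swapping profile::zack_r10k_webhook for profile::code_manager. A one-line header such as `# All-in-one master for PE 2015.2: uses the zack r10k webhook profile instead of profile::code_manager` would save readers a trip to the commit message. The same note belongs on role::all_in_one_pe so the pair reads as alternatives.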