Move profile::git_webhook into seperate module pe_code_manager_webhook
Prior to this commit the functionality to setup the either code manager or zack/r10k was tightly coupled to this control-repo. In an effort to make that functionality useful to more people we're splitting it into a dedicated module. After this commit, the pe_code_manager_webhook module will contain all logic around setting up the webhook while this control-repo will still gloss over the details needed to get everything in PE setup correctly to use that module. This commit removes the files associated with the profile including some custom functions that were only there to make it work. This commit removes the all_in_one_pe_2015_2 role as it was exactly the same as the all_in_one_pe role. This commit modifies all_in_one_pe to use the pe_code_manager_webhook module instead of the profile.
This commit is contained in:
parent
d250d971b9
commit
00d3aa1f4f
@ -28,6 +28,10 @@ mod 'r10k',
|
||||
:git => 'https://github.com/acidprime/r10k',
|
||||
:tag => 'v3.1.1'
|
||||
|
||||
mod 'pe_code_manager_webhook',
|
||||
:git => 'https://github.com/npwalker/pe_code_manager_webhook',
|
||||
:ref => '20d9f2e274325edaa10d8ec3b4f98a62ad726335'
|
||||
|
||||
mod 'gms',
|
||||
:git => 'https://github.com/npwalker/abrader-gms',
|
||||
:branch => 'gitlab_disable_ssl_verify_support'
|
||||
|
@ -1,36 +0,0 @@
|
||||
require 'puppet/file_system'
|
||||
|
||||
Puppet::Parser::Functions::newfunction(
|
||||
:no_fail_file, :arity => -2, :type => :rvalue,
|
||||
:doc => "Loads a file from a module and returns its contents as a string.
|
||||
|
||||
This is a replacement to the file function that returns nothing
|
||||
if the file specified cannot be found instead of erroring out.
|
||||
|
||||
The argument to this function should be a `<MODULE NAME>/<FILE>`
|
||||
reference, which will load `<FILE>` from a module's `files`
|
||||
directory. (For example, the reference `mysql/mysqltuner.pl` will load the
|
||||
file `<MODULES DIRECTORY>/mysql/files/mysqltuner.pl`.)
|
||||
|
||||
This function can also accept:
|
||||
|
||||
* An absolute path, which can load a file from anywhere on disk.
|
||||
* Multiple arguments, which will return the contents of the **first** file
|
||||
found, skipping any files that don't exist.
|
||||
"
|
||||
) do |vals|
|
||||
path = nil
|
||||
vals.each do |file|
|
||||
found = Puppet::Parser::Files.find_file(file, compiler.environment)
|
||||
if found && Puppet::FileSystem.exist?(found)
|
||||
path = found
|
||||
break
|
||||
end
|
||||
end
|
||||
|
||||
if path
|
||||
Puppet::FileSystem.read_preserve_line_endings(path)
|
||||
else
|
||||
nil
|
||||
end
|
||||
end
|
@ -1,12 +0,0 @@
|
||||
class profile::git_webhook (
|
||||
$force_zack_r10k_webhook = false
|
||||
) {
|
||||
|
||||
if versioncmp( $::pe_server_version, '2015.2.99' ) <= 0 or $force_zack_r10k_webhook {
|
||||
include profile::git_webhook::zack_r10k_webhook
|
||||
} else {
|
||||
include profile::git_webhook::code_manager
|
||||
include profile::git_webhook::zack_r10k_webhook_disable
|
||||
}
|
||||
|
||||
}
|
@ -1,150 +0,0 @@
|
||||
class profile::git_webhook::code_manager {
|
||||
|
||||
$authenticate_webhook = hiera('puppet_enterprise::master::code_manager::authenticate_webhook', true)
|
||||
|
||||
$code_manager_service_user = 'code_manager_service_user'
|
||||
$code_manager_service_user_password = fqdn_rand_string(40, '', "${code_manager_service_user}_password")
|
||||
|
||||
#puppet_master_classifier_settings is a custom function
|
||||
$classifier_settings = puppet_master_classifer_settings()
|
||||
$classifier_hostname = $classifier_settings['server']
|
||||
$classifier_port = $classifier_settings['port']
|
||||
|
||||
$token_directory = '/etc/puppetlabs/puppetserver/.puppetlabs'
|
||||
$token_filename = "${token_directory}/${code_manager_service_user}_token"
|
||||
|
||||
$gms_api_token = hiera('gms_api_token', undef)
|
||||
$git_management_system = hiera('git_management_system', undef)
|
||||
|
||||
$code_manager_ssh_key_file = '/etc/puppetlabs/puppetserver/code_manager.key'
|
||||
exec { 'create code manager ssh key' :
|
||||
command => "/usr/bin/ssh-keygen -t rsa -b 2048 -C 'code_manager' -f ${code_manager_ssh_key_file} -q -N ''",
|
||||
creates => $code_manager_ssh_key_file,
|
||||
}
|
||||
|
||||
file { $code_manager_ssh_key_file :
|
||||
ensure => file,
|
||||
owner => 'pe-puppet',
|
||||
group => 'pe-puppet',
|
||||
require => Exec['create code manager ssh key'],
|
||||
}
|
||||
|
||||
#If files exist in the codedir code manager can't manage them unless pe-puppet can read them
|
||||
exec { 'chown all environments to pe-puppet' :
|
||||
command => "/bin/chown -R pe-puppet:pe-puppet ${::settings::codedir}",
|
||||
unless => "/usr/bin/test \$(stat -c %U ${::settings::codedir}/environments/production) = 'pe-puppet'",
|
||||
}
|
||||
|
||||
$code_manager_role_name = 'Deploy Environments'
|
||||
$create_role_creates_file = '/etc/puppetlabs/puppetserver/.puppetlabs/deploy_environments_created'
|
||||
$create_role_curl = @(EOT)
|
||||
/opt/puppetlabs/puppet/bin/curl -k -X POST -H 'Content-Type: application/json' \
|
||||
https://<%= $classifier_hostname %>:4433/rbac-api/v1/roles \
|
||||
-d '{"permissions": [{"object_type": "environment", "action": "deploy_code", "instance": "*"},
|
||||
{"object_type": "tokens", "action": "override_lifetime", "instance": "*"}],"user_ids": [], "group_ids": [], "display_name": "<%= $code_manager_role_name %>", "description": ""}' \
|
||||
--cert <%= $::settings::certdir %>/<%= $::trusted['certname'] %>.pem \
|
||||
--key <%= $::settings::privatekeydir %>/<%= $::trusted['certname'] %>.pem \
|
||||
--cacert <%= $::settings::certdir %>/ca.pem;
|
||||
touch <%= $create_role_creates_file %>
|
||||
| EOT
|
||||
|
||||
exec { 'create deploy environments role' :
|
||||
command => inline_epp( $create_role_curl ),
|
||||
creates => $create_role_creates_file,
|
||||
logoutput => true,
|
||||
path => $::path,
|
||||
require => File[$token_directory],
|
||||
}
|
||||
|
||||
rbac_user { $code_manager_service_user :
|
||||
ensure => 'present',
|
||||
name => $code_manager_service_user,
|
||||
email => "${code_manager_service_user}@example.com",
|
||||
display_name => 'Code Manager Service Account',
|
||||
password => $code_manager_service_user_password,
|
||||
roles => [ $code_manager_role_name ],
|
||||
require => Exec['create deploy environments role'],
|
||||
}
|
||||
|
||||
file { $token_directory :
|
||||
ensure => directory,
|
||||
owner => 'pe-puppet',
|
||||
group => 'pe-puppet',
|
||||
}
|
||||
|
||||
exec { "Generate Token for ${code_manager_service_user}" :
|
||||
command => epp('profile/git_webhook/code_manager/create_rbac_token.epp',
|
||||
{ 'code_manager_service_user' => $code_manager_service_user,
|
||||
'code_manager_service_user_password' => $code_manager_service_user_password,
|
||||
'classifier_hostname' => $classifier_hostname,
|
||||
'classifier_port' => $classifier_port,
|
||||
'token_filename' => $token_filename
|
||||
}),
|
||||
creates => $token_filename,
|
||||
require => [ Rbac_user[$code_manager_service_user], File[$token_directory] ],
|
||||
}
|
||||
|
||||
#this file cannont be read until the next run after the above exec
|
||||
#because the file function runs on the master not on the agent
|
||||
#so the file doesn't exist at the time the function is run
|
||||
$rbac_token_file_contents = no_fail_file($token_filename)
|
||||
|
||||
#Only mv code if this is at least the 2nd run of puppet
|
||||
#Code manager needs to be enabled and puppet server restarted
|
||||
#before this exec can complete. Gating on the token file
|
||||
#ensures at least one run has completed
|
||||
if $::code_manager_mv_old_code and !empty($rbac_token_file_contents) {
|
||||
|
||||
$timestamp = chomp(generate('/bin/date', '+%Y%d%m_%H:%M:%S'))
|
||||
|
||||
exec { 'mv files out of $environmentpath' :
|
||||
command => "mkdir /etc/puppetlabs/env_back_${timestamp};
|
||||
mv ${::settings::codedir}/environments/* /etc/puppetlabs/env_back_${timestamp}/;
|
||||
rm /opt/puppetlabs/facter/facts.d/code_manager_mv_old_code.txt;
|
||||
TOKEN=`/opt/puppetlabs/puppet/bin/ruby -e \"require 'json'; puts JSON.parse(File.read('${token_filename}'))['token']\"`;
|
||||
/opt/puppetlabs/puppet/bin/curl -k -X POST -H 'Content-Type: application/json' \"https://${::trusted['certname']}:8170/code-manager/v1/deploys?token=\$TOKEN\" -d '{\"environments\": [\"${::environment}\"], \"wait\": true}';
|
||||
/opt/puppetlabs/puppet/bin/curl -k -X POST -H 'Content-Type: application/json' \"https://${::trusted['certname']}:8170/code-manager/v1/deploys?token=\$TOKEN\" -d '{\"deploy-all\": true, \"wait\": true}';
|
||||
sleep 15",
|
||||
path => $::path,
|
||||
logoutput => true,
|
||||
require => Exec["Generate Token for ${code_manager_service_user}"],
|
||||
}
|
||||
}
|
||||
|
||||
if !empty($gms_api_token) {
|
||||
if $authenticate_webhook and !empty($rbac_token_file_contents) {
|
||||
|
||||
$rbac_token = parsejson($rbac_token_file_contents)['token']
|
||||
|
||||
$token_info = "&token=${rbac_token}"
|
||||
}
|
||||
else {
|
||||
$token_info = ''
|
||||
}
|
||||
|
||||
$code_manager_webhook_type = $git_management_system ? {
|
||||
'gitlab' => 'github',
|
||||
default => $git_management_system,
|
||||
}
|
||||
|
||||
git_deploy_key { "add_deploy_key_to_puppet_control-${::fqdn}":
|
||||
ensure => present,
|
||||
name => $::fqdn,
|
||||
path => "${code_manager_ssh_key_file}.pub",
|
||||
token => $gms_api_token,
|
||||
project_name => 'puppet/control-repo',
|
||||
server_url => hiera('gms_server_url'),
|
||||
provider => $git_management_system,
|
||||
}
|
||||
|
||||
git_webhook { "code_manager_post_receive_webhook-${::fqdn}" :
|
||||
ensure => present,
|
||||
webhook_url => "https://${::fqdn}:8170/code-manager/v1/webhook?type=${code_manager_webhook_type}${token_info}",
|
||||
token => $gms_api_token,
|
||||
project_name => 'puppet/control-repo',
|
||||
server_url => hiera('gms_server_url'),
|
||||
provider => $git_management_system,
|
||||
disable_ssl_verify => true,
|
||||
}
|
||||
}
|
||||
}
|
@ -1,58 +0,0 @@
|
||||
class profile::git_webhook::zack_r10k_webhook (
|
||||
$use_mcollective = false,
|
||||
) {
|
||||
|
||||
$username = hiera('webhook_username', fqdn_rand_string(10, '', 'username'))
|
||||
$password = hiera('webhook_password', fqdn_rand_string(20, '', 'password'))
|
||||
|
||||
$gms_api_token = hiera('gms_api_token', undef)
|
||||
$git_management_system = hiera('git_management_system', undef)
|
||||
|
||||
if $use_mcollective {
|
||||
class { 'r10k::mcollective':
|
||||
notify => Service['mcollective'],
|
||||
}
|
||||
}
|
||||
|
||||
class {'r10k::webhook::config':
|
||||
enable_ssl => true,
|
||||
protected => true,
|
||||
user => $username,
|
||||
pass => $password,
|
||||
use_mcollective => $use_mcollective,
|
||||
}
|
||||
|
||||
class {'r10k::webhook':
|
||||
user => 'root',
|
||||
group => '0',
|
||||
require => Class['r10k::webhook::config'],
|
||||
}
|
||||
|
||||
$r10k_ssh_key_file = '/root/.ssh/r10k_rsa'
|
||||
exec { 'create r10k ssh key' :
|
||||
command => "/usr/bin/ssh-keygen -t rsa -b 2048 -C 'r10k' -f ${r10k_ssh_key_file} -q -N ''",
|
||||
creates => $r10k_ssh_key_file,
|
||||
}
|
||||
|
||||
if !empty($gms_api_token) {
|
||||
git_deploy_key { "add_deploy_key_to_puppet_control-${::fqdn}":
|
||||
ensure => present,
|
||||
name => $::fqdn,
|
||||
path => "${r10k_ssh_key_file}.pub",
|
||||
token => $gms_api_token,
|
||||
project_name => 'puppet/control-repo',
|
||||
server_url => hiera('gms_server_url'),
|
||||
provider => $git_management_system,
|
||||
}
|
||||
|
||||
git_webhook { "web_post_receive_webhook-${::fqdn}" :
|
||||
ensure => present,
|
||||
webhook_url => "https://${username}:${password}@${::fqdn}:8088/payload",
|
||||
token => $gms_api_token,
|
||||
project_name => 'puppet/control-repo',
|
||||
server_url => hiera('gms_server_url'),
|
||||
provider => $git_management_system,
|
||||
disable_ssl_verify => true,
|
||||
}
|
||||
}
|
||||
}
|
@ -1,14 +0,0 @@
|
||||
class profile::git_webhook::zack_r10k_webhook_disable {
|
||||
|
||||
file { '/etc/webhook.yaml' :
|
||||
ensure => absent,
|
||||
notify => Exec['stop and disable webhook service'],
|
||||
}
|
||||
|
||||
exec { 'stop and disable webhook service' :
|
||||
command => '/opt/puppetlabs/puppet/bin/puppet resource service webhook ensure=stopped enable=false',
|
||||
logoutput => true,
|
||||
refreshonly => true,
|
||||
}
|
||||
|
||||
}
|
@ -1,5 +0,0 @@
|
||||
module Puppet::Parser::Functions
|
||||
newfunction(:puppet_master_classifer_settings, :type => :rvalue) do |args|
|
||||
function_parseyaml([function_file([File.join(lookupvar('settings::confdir').to_s, 'classifier.yaml')])])
|
||||
end
|
||||
end
|
@ -1,6 +1,6 @@
|
||||
class role::all_in_one_pe {
|
||||
|
||||
include profile::puppetmaster
|
||||
include profile::git_webhook
|
||||
include pe_code_manager_webhook
|
||||
|
||||
}
|
||||
|
@ -1,6 +0,0 @@
|
||||
class role::all_in_one_pe_2015_2 {
|
||||
|
||||
include profile::puppetmaster
|
||||
include profile::git_webhook
|
||||
|
||||
}
|
Loading…
Reference in New Issue
Block a user