From 4c2be74083287516b72ab4f3ccaaf317ea7a2eb0 Mon Sep 17 00:00:00 2001
From: Nick Walker
Date: Wed, 11 Nov 2015 13:41:34 -0800
Subject: [PATCH] Add support for code manager which will replace zack r10k

Add pltraing-rbac module
Added a new profile for code_manager that:
- creates a service users for code manager
- creates a token for that service user
- creates a hook on a git server using the token
Turns out that the file function in puppet cannot read files in /root. The pe-puppet user needs read permissions on the file and traversal on the directory which giving to /root would probably be a bad idea. So, I just put the file containing the token in /etc/puppetlabs/puppetserver since I'm not sure where would be better.
---
 Puppetfile | 4 ++
 site/profile/manifests/code_manager.pp | 66 +++++++++++++++++++
 site/profile/manifests/puppetmaster.pp | 3 +-
 site/profile/manifests/zack_r10k_webhook.pp | 11 ++++
 .../code_manager/create_rbac_token.epp | 7 ++
 5 files changed, 90 insertions(+), 1 deletion(-)
 create mode 100644 site/profile/manifests/code_manager.pp
 create mode 100644 site/profile/templates/code_manager/create_rbac_token.epp

diff --git a/Puppetfile b/Puppetfile
index ac90e14..6bc31f8 100644
--- a/Puppetfile
+++ b/Puppetfile
@@ -34,3 +34,7 @@ mod 'r10k',
 mod 'gms',
 :git => 'https://github.com/npwalker/abrader-gms',
 :branch => 'gitlab_disable_ssl_verify_support'
+
+mod 'pltraining-rbac',
+ :git => 'https://github.com/puppetlabs/pltraining-rbac',
+ :ref => '2f60e1789a721ce83f8df061e13f8bf81cd4e4ce'
diff --git a/site/profile/manifests/code_manager.pp b/site/profile/manifests/code_manager.pp
new file mode 100644
index 0000000..f244564
--- /dev/null
+++ b/site/profile/manifests/code_manager.pp
@@ -0,0 +1,66 @@
+class profile::code_manager {
+
+ $code_manager_service_user = 'code_manager_service_user'
+ $code_manager_service_user_password = fqdn_rand_string(40, '', "${code_manager_service_user}_password")
+
+ #puppet_master_classifier_settings is a custom function
+ $classifier_settings = puppet_master_classifer_settings()
+ $classifier_hostname = $classifier_settings['server']
+ $classifier_port = $classifier_settings['port']
+
+ $token_directory = '/etc/puppetlabs/puppetserver/.puppetlabs'
+ $token_filename = "${token_directory}/${code_manager_service_user}_token"
+
+ $gms_api_token = hiera('gms_api_token', undef)
+ $git_management_system = hiera('git_management_system', undef)
+
+ rbac_user { $code_manager_service_user :
+ ensure => 'present',
+ name => $code_manager_service_user,
+ email => "${code_manager_service_user}@example.com",
+ display_name => 'Code Manager Service Account',
+ password => $code_manager_service_user_password,
+ roles => [ 'Deploy Environments' ],
+ }
+
+ file { $token_directory :
+ ensure => directory,
+ owner => 'pe-puppet',
+ group => 'pe-puppet',
+ }
+
+ exec { "Generate Token for ${code_manager_service_user}" :
+ command => epp('profile/code_manager/create_rbac_token.epp',
+ { 'code_manager_service_user' => $code_manager_service_user,
+ 'code_manager_service_user_password' => $code_manager_service_user_password,
+ 'classifier_hostname' => $classifier_hostname,
+ 'classifier_port' => $classifier_port,
+ 'token_filename' => $token_filename
+ }),
+ creates => $token_filename,
+ require => [ Rbac_user[$code_manager_service_user], File[$token_directory] ],
+ }
+
+
+ if !empty($gms_api_token) {
+
+ #this file cannont be read until the next run after the above exec
+ #because the file function runs on the master not on the agent
+ $rbac_token = parsejson(file($token_filename))['token']
+
+ $code_manager_webhook_type = $git_management_system ?
{
+ 'gitlab' => 'github',
+ default => $git_management_system,
+ }
+
+ git_webhook { "code_manager_post_receive_webhook-${::fqdn}" :
+ ensure => present,
+ webhook_url => "https://${::fqdn}:8170/code-manager/v1/webhook?type=${code_manager_webhook_type}&token=${rbac_token}",
+ token => $gms_api_token,
+ project_name => 'puppet/control-repo',
+ server_url => hiera('gms_server_url'),
+ provider => $git_management_system,
+ disable_ssl_verify => true,
+ }
+ }
+}
diff --git a/site/profile/manifests/puppetmaster.pp b/site/profile/manifests/puppetmaster.pp
index 0954807..e63d819 100644
--- a/site/profile/manifests/puppetmaster.pp
+++ b/site/profile/manifests/puppetmaster.pp
@@ -25,7 +25,8 @@ class profile::puppetmaster (
 #END - Generate an SSH key for r10k to connect to git
 #BEGIN - Add deploy key and webook to git management system
- $git_management_system = hiera('git_management_system', '')
+ $git_management_system = hiera('git_management_system', undef)
+ $gms_api_token = hiera('gms_api_token', undef)
 if $git_management_system in ['gitlab', 'github'] {
diff --git a/site/profile/manifests/zack_r10k_webhook.pp b/site/profile/manifests/zack_r10k_webhook.pp
index 7e0bd40..3dae9d7 100644
--- a/site/profile/manifests/zack_r10k_webhook.pp
+++ b/site/profile/manifests/zack_r10k_webhook.pp
@@ -26,4 +26,15 @@ class profile::zack_r10k_webhook (
 require => Class['r10k::webhook::config'],
 }
+ if !empty($gms_api_token) {
+ git_webhook { "web_post_receive_webhook-${::fqdn}" :
+ ensure => present,
+ webhook_url => "https://${username}:${password}@${::fqdn}:8088/payload",
+ token => $gms_api_token,
+ project_name => 'puppet/control-repo',
+ server_url => hiera('gms_server_url'),
+ provider => $git_management_system,
+ disable_ssl_verify => true,
+ }
+ }
 }
diff --git a/site/profile/templates/code_manager/create_rbac_token.epp b/site/profile/templates/code_manager/create_rbac_token.epp
new file mode 100644
index 0000000..31bf00f
--- /dev/null
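Review bot: The token file named by `$token_filename` is created by the exec's shell redirection with whatever umask root happens to have, and neither the `file { $token_directory : ... }` resource nor anything else sets a mode, so a token requested with `"lifetime": "0"` (which I read as non-expiring — confirm against the RBAC API docs) may end up readable by every local user; add `mode => '0750',` to the directory resource and `umask => '077',` to the exec, if this Puppet version supports the exec `umask` parameter. The service account password comes from `fqdn_rand_string(40, '', "${code_manager_service_user}_password")`, which is a deterministic generator seeded from the fqdn and a fixed string rather than a secret, so anyone who can read this manifest and knows the master's fqdn can recompute it; source it from encrypted hiera or a vault instead. `puppet_master_classifer_settings()` is spelled differently from the comment directly above it (`classifier`), so one of the two is presumably a typo and the call will fail if the function is named as the comment says. The `disable_ssl_verify => true` on the `git_webhook` means the RBAC token embedded in `webhook_url` and the GMS API token are both sent to a peer that is never verified; consider `disable_ssl_verify => hiera('gms_disable_ssl_verify', false),`.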
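Review bot: `disable_ssl_verify => true` is hard-coded on the new `git_webhook`, so the GMS API token and the `${username}:${password}` pair embedded in `webhook_url` are both sent to `gms_server_url` over a TLS session whose peer is never verified; make it configurable with a safe default, e.g. `disable_ssl_verify => hiera('gms_disable_ssl_verify', false),`. The basic-auth credentials also end up persisted in the git server's webhook configuration, which deserves a comment such as `# NOTE: the webhook username/password are stored on the GMS; rotate them together with the GMS API token`. `$gms_api_token`, `$username` and `$password` are not defined inside this hunk, so I have assumed they are parameters or variables of the enclosing class. The class `profile::zack_r10k_webhook` starts outside the hunk.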
+++ b/site/profile/templates/code_manager/create_rbac_token.epp
@@ -0,0 +1,7 @@
+<%- | String $code_manager_service_user,
+ String $code_manager_service_user_password,
+ String $classifier_hostname,
+ Integer $classifier_port,
+ String $token_filename
+| -%>
+/opt/puppetlabs/puppet/bin/curl -k -X POST -H 'Content-Type: application/json' -d '{"login": "<%= $code_manager_service_user %>", "password": "<%= $code_manager_service_user_password %>", "lifetime": "0"}' https://<%= $classifier_hostname %>:<%= $classifier_port %>/rbac-api/v1/auth/token >> <%= $token_filename %>
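Review bot: `curl -k` disables certificate verification on a request that carries the service user's password, and `>>` appends the response to the token file, so an HTTP error body is persisted, satisfies the calling exec's `creates` guard, and the next run's `parsejson(...)['token']` reads a file that holds no token. Verify against the PE CA and fail on non-2xx instead, replacing the start of the command with `curl --fail --cacert /etc/puppetlabs/puppet/ssl/certs/ca.pem -X POST ...` and the redirection with `> <%= $token_filename %>` (that CA path is the usual puppet-agent location; confirm it on this master). The password is also passed as a command-line argument, so it is visible in the process list and in the exec's logged command on failure; supplying the JSON body on stdin with `-d @-` would keep it out of argv.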