Add support for code manager which will replace zack r10k
Add pltraining-rbac module. Added a new profile for code_manager that: - creates a service user for code manager - creates a token for that service user - creates a hook on a git server using the token. It turns out that the file function in Puppet cannot read files in /root: the pe-puppet user needs read permission on the file and traversal permission on the directory, which would probably be a bad idea to grant on /root. So I just put the file containing the token in /etc/puppetlabs/puppetserver, since I'm not sure where would be better.
This commit is contained in:
parent
8c71bd0b13
commit
4c2be74083
@ -34,3 +34,7 @@ mod 'r10k',
|
|||||||
mod 'gms',
|
mod 'gms',
|
||||||
:git => 'https://github.com/npwalker/abrader-gms',
|
:git => 'https://github.com/npwalker/abrader-gms',
|
||||||
:branch => 'gitlab_disable_ssl_verify_support'
|
:branch => 'gitlab_disable_ssl_verify_support'
|
||||||
|
|
||||||
|
mod 'pltraining-rbac',
|
||||||
|
:git => 'https://github.com/puppetlabs/pltraining-rbac',
|
||||||
|
:ref => '2f60e1789a721ce83f8df061e13f8bf81cd4e4ce'
|
||||||
|
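--- /dev/null
+++ b/site/profile/manifests/code_manager.pp
@@ -0,0 +1,66 @@
+class profile::code_manager {
+
+$code_manager_service_user = 'code_manager_service_user'
+$code_manager_service_user_password = fqdn_rand_string(40, '', "${code_manager_service_user}_password")
+
+#puppet_master_classifier_settings is a custom function
+$classifier_settings = puppet_master_classifer_settings()
+$classifier_hostname = $classifier_settings['server']
+$classifier_port = $classifier_settings['port']
+
+$token_directory = '/etc/puppetlabs/puppetserver/.puppetlabs'
+$token_filename = "${token_directory}/${code_manager_service_user}_token"
+
+$gms_api_token = hiera('gms_api_token', undef)
+$git_management_system = hiera('git_management_system', undef)
+
+rbac_user { $code_manager_service_user :
+ensure => 'present',
+name => $code_manager_service_user,
+email => "${code_manager_service_user}@example.com",
+display_name => 'Code Manager Service Account',
+password => $code_manager_service_user_password,
+roles => [ 'Deploy Environments' ],
+}
+
+file { $token_directory :
+ensure => directory,
+owner => 'pe-puppet',
+group => 'pe-puppet',
+}
+
+exec { "Generate Token for ${code_manager_service_user}" :
+command => epp('profile/code_manager/create_rbac_token.epp',
+{ 'code_manager_service_user' => $code_manager_service_user,
+'code_manager_service_user_password' => $code_manager_service_user_password,
+'classifier_hostname' => $classifier_hostname,
+'classifier_port' => $classifier_port,
+'token_filename' => $token_filename
+}),
+creates => $token_filename,
+require => [ Rbac_user[$code_manager_service_user], File[$token_directory] ],
+}
+
+
+if !empty($gms_api_token) {
+
+#this file cannont be read until the next run after the above exec
+#because the file function runs on the master not on the agent
+$rbac_token = parsejson(file($token_filename))['token']
+
+$code_manager_webhook_type = $git_management_system ? {
+'gitlab' => 'github',
+default => $git_management_system,
+}
+
+git_webhook { "code_manager_post_receive_webhook-${::fqdn}" :
+ensure => present,
+webhook_url => "https://${::fqdn}:8170/code-manager/v1/webhook?type=${code_manager_webhook_type}&token=${rbac_token}",
+token => $gms_api_token,
+project_name => 'puppet/control-repo',
+server_url => hiera('gms_server_url'),
+provider => $git_management_system,
+disable_ssl_verify => true,
+}
+}
+}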
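Review bot: `$code_manager_service_user_password = fqdn_rand_string(40, '', "${code_manager_service_user}_password")` does not yield a secret: fqdn_rand_string is a deterministic function of the node's FQDN and a seed that is itself a literal in this repo, so anyone who can read the control repo and knows the master's hostname can recompute the password of an RBAC user holding 'Deploy Environments', and the same value is then serialised into the catalog through the `password` attribute and the rendered exec `command`. Take the password from an encrypted hiera key generated once out of band, e.g. `hiera('code_manager_service_user_password')`, rather than deriving it. The token file is created by shell redirection inside the exec under whatever umask the agent runs with, and neither it nor `file { $token_directory : ... }` gets a mode, so a `mode => '0750'` on the directory plus an explicit `file` resource with `mode => '0640'` for the token, ordered after the exec, keeps it readable by pe-puppet without being world-readable. Separately, as far as I can tell `file($token_filename)` aborts catalog compilation when the path does not exist yet rather than returning nothing, which on a node where gms_api_token is set would stop the exec above it from ever creating the file; if this Puppet version provides `find_file()`, it returns undef for a missing path and can guard the block. Also, `puppet_master_classifer_settings()` on the call line is spelled differently from the name in the comment above it (`classifier`), which looks like a typo in one or the other.
```puppet
# … unchanged: variable setup and rbac_user resource …

file { $token_directory :
  ensure => directory,
  owner  => 'pe-puppet',
  group  => 'pe-puppet',
  mode   => '0750',
}

# … unchanged: exec generating the token …

# Tighten the file the exec wrote; pe-puppet must still read it because
# file() below runs on the master.
file { $token_filename :
  ensure  => file,
  owner   => 'pe-puppet',
  group   => 'pe-puppet',
  mode    => '0640',
  require => Exec["Generate Token for ${code_manager_service_user}"],
}

# find_file() returns undef instead of failing the compile when the token
# has not been generated yet (first run), so the webhook waits one run.
$existing_token_file = find_file($token_filename)
if !empty($gms_api_token) and $existing_token_file {
  $rbac_token = parsejson(file($existing_token_file))['token']
  # … unchanged: webhook type mapping and git_webhook resource …
}
```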
@ -25,7 +25,8 @@ class profile::puppetmaster (
|
|||||||
#END - Generate an SSH key for r10k to connect to git
|
#END - Generate an SSH key for r10k to connect to git
|
||||||
|
|
||||||
#BEGIN - Add deploy key and webook to git management system
|
#BEGIN - Add deploy key and webook to git management system
|
||||||
$git_management_system = hiera('git_management_system', '')
|
$git_management_system = hiera('git_management_system', undef)
|
||||||
|
$gms_api_token = hiera('gms_api_token', undef)
|
||||||
|
|
||||||
if $git_management_system in ['gitlab', 'github'] {
|
if $git_management_system in ['gitlab', 'github'] {
|
||||||
|
|
||||||
|
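Review bot: The new `$gms_api_token = hiera('gms_api_token', undef)` pulls an API token for the git server out of hiera with no indication of where that value is expected to live; if it sits in a plain YAML hiera file inside this control repo it is committed next to the code that uses it. A comment such as `# gms_api_token grants API access to the git server: keep it in an encrypted hiera backend (e.g. eyaml), never in plain yaml in this repo` would make the expectation explicit, and the same applies to the identical lookup in profile::code_manager. The change of the git_management_system default from `''` to `undef` is behaviour-neutral for the `in ['gitlab', 'github']` check that follows. The enclosing class profile::puppetmaster starts and ends outside this hunk.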
@ -26,4 +26,15 @@ class profile::zack_r10k_webhook (
|
|||||||
require => Class['r10k::webhook::config'],
|
require => Class['r10k::webhook::config'],
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if !empty($gms_api_token) {
|
||||||
|
git_webhook { "web_post_receive_webhook-${::fqdn}" :
|
||||||
|
ensure => present,
|
||||||
|
webhook_url => "https://${username}:${password}@${::fqdn}:8088/payload",
|
||||||
|
token => $gms_api_token,
|
||||||
|
project_name => 'puppet/control-repo',
|
||||||
|
server_url => hiera('gms_server_url'),
|
||||||
|
provider => $git_management_system,
|
||||||
|
disable_ssl_verify => true,
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
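Review bot: The new `git_webhook` hard-codes `disable_ssl_verify => true`, so the API call that registers the hook on the git server — carrying `$gms_api_token` and a `webhook_url` that embeds `${username}:${password}` as basic-auth credentials — is made without verifying the server's certificate, and an on-path attacker can capture both secrets. Make it configurable and default to verification, `disable_ssl_verify => hiera('gms_disable_ssl_verify', false)`, with a comment that true is only acceptable for a lab git server with a self-signed certificate. The credentials in the URL are also persisted on the git server side and will show up in its webhook delivery logs, which deserves a comment next to `webhook_url`. `$username` and `$password` are defined outside this hunk, and the class profile::zack_r10k_webhook starts outside it.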
@ -0,0 +1,7 @@
|
|||||||
|
<%- | String $code_manager_service_user,
|
||||||
|
String $code_manager_service_user_password,
|
||||||
|
String $classifier_hostname,
|
||||||
|
Integer $classifier_port,
|
||||||
|
String $token_filename
|
||||||
|
| -%>
|
||||||
|
/opt/puppetlabs/puppet/bin/curl -k -X POST -H 'Content-Type: application/json' -d '{"login": "<%= $code_manager_service_user %>", "password": "<%= $code_manager_service_user_password %>", "lifetime": "0"}' https://<%= $classifier_hostname %>:<%= $classifier_port %>/rbac-api/v1/auth/token >> <%= $token_filename %>
|
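Review bot: The curl invocation on the last line passes the service-user password on the command line inside `-d '{...}'`, where it is visible to any local user in the process list for the duration of the call and, because this template is rendered into the exec's `command`, also lands in the compiled catalog and in the agent report whenever the exec fails. Feeding the JSON body from stdin (`-d @-`) with the payload supplied through the exec's `environment` or a root-only temporary file keeps it out of `ps`, and wrapping the value in `Sensitive` keeps it out of the report if this Puppet version supports it. `-k` disables certificate verification for the master's own RBAC endpoint even though the CA that issued its certificate is local; `--cacert /etc/puppetlabs/puppet/ssl/certs/ca.pem` (the usual PE location) is the drop-in replacement. Without `--fail`, an HTTP 4xx/5xx response still exits 0 and its error body is appended to the token file, which then satisfies the exec's `creates` and permanently prevents a retry while `parsejson(...)['token']` yields nothing; `--fail -o <%= $token_filename %>` instead of `>>` leaves no file behind on a failed request. `"lifetime": "0"` reads as a non-expiring token, which is worth a comment here explaining why a bounded lifetime was not chosen.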