From 00d3aa1f4f835a78e14827d5ac1ae9e94bc3f924 Mon Sep 17 00:00:00 2001 
From: Nick Walker Date: Thu, 25 Feb 2016 15:23:12 -0800 Subject: [PATCH 1/4] Move profile::git_webhook into seperate module pe_code_manager_webhook Prior to this commit the functionality to set up either code manager or zack/r10k was tightly coupled to this control-repo. In an effort to make that functionality useful to more people we're splitting it into a dedicated module. After this commit, the pe_code_manager_webhook module will contain all logic around setting up the webhook while this control-repo will still gloss over the details needed to get everything in PE setup correctly to use that module. This commit removes the files associated with the profile including some custom functions that were only there to make it work. This commit removes the all_in_one_pe_2015_2 role as it was exactly the same as the all_in_one_pe role. This commit modifies all_in_one_pe to use the pe_code_manager_webhook module instead of the profile. --- Puppetfile | 4 + .../puppet/parser/functions/no_fail_file.rb | 36 ----- site/profile/manifests/git_webhook.pp | 12 -- .../manifests/git_webhook/code_manager.pp | 150 ------------------ .../git_webhook/zack_r10k_webhook.pp | 58 ------- .../git_webhook/zack_r10k_webhook_disable.pp | 14 -- .../puppet_master_classifer_settings.rb | 5 - site/role/manifests/all_in_one_pe.pp | 2 +- site/role/manifests/all_in_one_pe_2015_2.pp | 6 - 9 files changed, 5 insertions(+), 282 deletions(-) delete mode 100644 site/no_fail_file/lib/puppet/parser/functions/no_fail_file.rb delete mode 100644 site/profile/manifests/git_webhook.pp delete mode 100644 site/profile/manifests/git_webhook/code_manager.pp delete mode 100644 site/profile/manifests/git_webhook/zack_r10k_webhook.pp delete mode 100644 site/profile/manifests/git_webhook/zack_r10k_webhook_disable.pp delete mode 100644 site/puppet_master_classifer_settings_function/lib/puppet/parser/functions/puppet_master_classifer_settings.rb delete mode 100644 site/role/manifests/all_in_one_pe_2015_2.pp
diff --git a/Puppetfile b/Puppetfile
index 61013d8..d06dd21 100644
--- a/Puppetfile
+++ b/Puppetfile
@@ -28,6 +28,10 @@ mod 'r10k',
 :git => 'https://github.com/acidprime/r10k',
 :tag => 'v3.1.1'
 
+mod 'pe_code_manager_webhook',
+ :git => 'https://github.com/npwalker/pe_code_manager_webhook',
+ :ref => '20d9f2e274325edaa10d8ec3b4f98a62ad726335'
+
 mod 'gms',
 :git => 'https://github.com/npwalker/abrader-gms',
 :branch => 'gitlab_disable_ssl_verify_support'
diff --git a/site/no_fail_file/lib/puppet/parser/functions/no_fail_file.rb b/site/no_fail_file/lib/puppet/parser/functions/no_fail_file.rb
deleted file mode 100644
index 3819ebf..0000000
--- a/site/no_fail_file/lib/puppet/parser/functions/no_fail_file.rb
+++ /dev/null
@@ -1,36 +0,0 @@
-require 'puppet/file_system'
-
-Puppet::Parser::Functions::newfunction(
- :no_fail_file, :arity => -2, :type => :rvalue,
- :doc => "Loads a file from a module and returns its contents as a string.
-
- This is a replacement to the file function that returns nothing
- if the file specified cannot be found instead of erroring out.
-
- The argument to this function should be a `/`
- reference, which will load `` from a module's `files`
- directory. (For example, the reference `mysql/mysqltuner.pl` will load the
- file `/mysql/files/mysqltuner.pl`.)
-
- This function can also accept:
-
- * An absolute path, which can load a file from anywhere on disk.
- * Multiple arguments, which will return the contents of the **first** file
- found, skipping any files that don't exist.
- "
-) do |vals|
- path = nil
- vals.each do |file|
- found = Puppet::Parser::Files.find_file(file, compiler.environment)
- if found && Puppet::FileSystem.exist?(found)
- path = found
- break
- end
- end
-
- if path
- Puppet::FileSystem.read_preserve_line_endings(path)
- else
- nil
- end
-end
diff --git a/site/profile/manifests/git_webhook.pp b/site/profile/manifests/git_webhook.pp
deleted file mode 100644
index 12ef786..0000000
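Review bot: The new `mod 'pe_code_manager_webhook'` entry pins a GitHub commit with no comment saying why this module is not taken from the Forge like the entries above it, while the rest of the Puppetfile annotates its non-default pins (`#An example of using a specific forge module version instead of latest`). A one-line comment such as `# pre-release pin while the webhook code is split out of this repo; switch to a Forge release once one is published` would tell the next reader whether the SHA is deliberate or stale. Pinning a git-sourced module to a full commit SHA rather than a branch is the right choice here and is consistent with the `:tag` pin on `mod 'r10k'` just above.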
--- a/site/profile/manifests/git_webhook.pp
+++ /dev/null
@@ -1,12 +0,0 @@
-class profile::git_webhook (
- $force_zack_r10k_webhook = false
-) {
-
- if versioncmp( $::pe_server_version, '2015.2.99' ) <= 0 or $force_zack_r10k_webhook {
- include profile::git_webhook::zack_r10k_webhook
- } else {
- include profile::git_webhook::code_manager
- include profile::git_webhook::zack_r10k_webhook_disable
- }
-
-}
diff --git a/site/profile/manifests/git_webhook/code_manager.pp b/site/profile/manifests/git_webhook/code_manager.pp
deleted file mode 100644
index 41c9e16..0000000
--- a/site/profile/manifests/git_webhook/code_manager.pp
+++ /dev/null
@@ -1,150 +0,0 @@
-class profile::git_webhook::code_manager {
-
- $authenticate_webhook = hiera('puppet_enterprise::master::code_manager::authenticate_webhook', true)
-
- $code_manager_service_user = 'code_manager_service_user'
- $code_manager_service_user_password = fqdn_rand_string(40, '', "${code_manager_service_user}_password")
-
- #puppet_master_classifier_settings is a custom function
- $classifier_settings = puppet_master_classifer_settings()
- $classifier_hostname = $classifier_settings['server']
- $classifier_port = $classifier_settings['port']
-
- $token_directory = '/etc/puppetlabs/puppetserver/.puppetlabs'
- $token_filename = "${token_directory}/${code_manager_service_user}_token"
-
- $gms_api_token = hiera('gms_api_token', undef)
- $git_management_system = hiera('git_management_system', undef)
-
- $code_manager_ssh_key_file = '/etc/puppetlabs/puppetserver/code_manager.key'
- exec { 'create code manager ssh key' :
- command => "/usr/bin/ssh-keygen -t rsa -b 2048 -C 'code_manager' -f ${code_manager_ssh_key_file} -q -N ''",
- creates => $code_manager_ssh_key_file,
- }
-
- file { $code_manager_ssh_key_file :
- ensure => file,
- owner => 'pe-puppet',
- group => 'pe-puppet',
- require => Exec['create code manager ssh key'],
- }
-
- #If files exist in the codedir code manager can't manage them unless pe-puppet can read them
- exec { 'chown all environments to pe-puppet' :
- command => "/bin/chown -R pe-puppet:pe-puppet ${::settings::codedir}",
- unless => "/usr/bin/test \$(stat -c %U ${::settings::codedir}/environments/production) = 'pe-puppet'",
- }
-
- $code_manager_role_name = 'Deploy Environments'
- $create_role_creates_file = '/etc/puppetlabs/puppetserver/.puppetlabs/deploy_environments_created'
- $create_role_curl = @(EOT)
- /opt/puppetlabs/puppet/bin/curl -k -X POST -H 'Content-Type: application/json' \
- https://<%= $classifier_hostname %>:4433/rbac-api/v1/roles \
- -d '{"permissions": [{"object_type": "environment", "action": "deploy_code", "instance": "*"},
- {"object_type": "tokens", "action": "override_lifetime", "instance": "*"}],"user_ids": [], "group_ids": [], "display_name": "<%= $code_manager_role_name %>", "description": ""}' \
- --cert <%= $::settings::certdir %>/<%= $::trusted['certname'] %>.pem \
- --key <%= $::settings::privatekeydir %>/<%= $::trusted['certname'] %>.pem \
- --cacert <%= $::settings::certdir %>/ca.pem;
- touch <%= $create_role_creates_file %>
- | EOT
-
- exec { 'create deploy environments role' :
- command => inline_epp( $create_role_curl ),
- creates => $create_role_creates_file,
- logoutput => true,
- path => $::path,
- require => File[$token_directory],
- }
-
- rbac_user { $code_manager_service_user :
- ensure => 'present',
- name => $code_manager_service_user,
- email => "${code_manager_service_user}@example.com",
- display_name => 'Code Manager Service Account',
- password => $code_manager_service_user_password,
- roles => [ $code_manager_role_name ],
- require => Exec['create deploy environments role'],
- }
-
- file { $token_directory :
- ensure => directory,
- owner => 'pe-puppet',
- group => 'pe-puppet',
- }
-
- exec { "Generate Token for ${code_manager_service_user}" :
- command => epp('profile/git_webhook/code_manager/create_rbac_token.epp',
- { 'code_manager_service_user' => $code_manager_service_user,
- 'code_manager_service_user_password' => $code_manager_service_user_password,
- 'classifier_hostname' => $classifier_hostname,
- 'classifier_port' => $classifier_port,
- 'token_filename' => $token_filename
- }),
- creates => $token_filename,
- require => [ Rbac_user[$code_manager_service_user], File[$token_directory] ],
- }
-
- #this file cannont be read until the next run after the above exec
- #because the file function runs on the master not on the agent
- #so the file doesn't exist at the time the function is run
- $rbac_token_file_contents = no_fail_file($token_filename)
-
- #Only mv code if this is at least the 2nd run of puppet
- #Code manager needs to be enabled and puppet server restarted
- #before this exec can complete. Gating on the token file
- #ensures at least one run has completed
- if $::code_manager_mv_old_code and !empty($rbac_token_file_contents) {
-
- $timestamp = chomp(generate('/bin/date', '+%Y%d%m_%H:%M:%S'))
-
- exec { 'mv files out of $environmentpath' :
- command => "mkdir /etc/puppetlabs/env_back_${timestamp};
- mv ${::settings::codedir}/environments/* /etc/puppetlabs/env_back_${timestamp}/;
- rm /opt/puppetlabs/facter/facts.d/code_manager_mv_old_code.txt;
- TOKEN=`/opt/puppetlabs/puppet/bin/ruby -e \"require 'json'; puts JSON.parse(File.read('${token_filename}'))['token']\"`;
- /opt/puppetlabs/puppet/bin/curl -k -X POST -H 'Content-Type: application/json' \"https://${::trusted['certname']}:8170/code-manager/v1/deploys?token=\$TOKEN\" -d '{\"environments\": [\"${::environment}\"], \"wait\": true}';
- /opt/puppetlabs/puppet/bin/curl -k -X POST -H 'Content-Type: application/json' \"https://${::trusted['certname']}:8170/code-manager/v1/deploys?token=\$TOKEN\" -d '{\"deploy-all\": true, \"wait\": true}';
- sleep 15",
- path => $::path,
- logoutput => true,
- require => Exec["Generate Token for ${code_manager_service_user}"],
- }
- }
-
- if !empty($gms_api_token) {
- if $authenticate_webhook and !empty($rbac_token_file_contents) {
-
- $rbac_token = parsejson($rbac_token_file_contents)['token']
-
- $token_info = "&token=${rbac_token}"
- }
- else {
- $token_info = ''
- }
-
- $code_manager_webhook_type = $git_management_system ? {
- 'gitlab' => 'github',
- default => $git_management_system,
- }
-
- git_deploy_key { "add_deploy_key_to_puppet_control-${::fqdn}":
- ensure => present,
- name => $::fqdn,
- path => "${code_manager_ssh_key_file}.pub",
- token => $gms_api_token,
- project_name => 'puppet/control-repo',
- server_url => hiera('gms_server_url'),
- provider => $git_management_system,
- }
-
- git_webhook { "code_manager_post_receive_webhook-${::fqdn}" :
- ensure => present,
- webhook_url => "https://${::fqdn}:8170/code-manager/v1/webhook?type=${code_manager_webhook_type}${token_info}",
- token => $gms_api_token,
- project_name => 'puppet/control-repo',
- server_url => hiera('gms_server_url'),
- provider => $git_management_system,
- disable_ssl_verify => true,
- }
- }
-}
diff --git a/site/profile/manifests/git_webhook/zack_r10k_webhook.pp b/site/profile/manifests/git_webhook/zack_r10k_webhook.pp
deleted file mode 100644
index ed05282..0000000
--- a/site/profile/manifests/git_webhook/zack_r10k_webhook.pp
+++ /dev/null
@@ -1,58 +0,0 @@
-class profile::git_webhook::zack_r10k_webhook (
- $use_mcollective = false,
-) {
-
- $username = hiera('webhook_username', fqdn_rand_string(10, '', 'username'))
- $password = hiera('webhook_password', fqdn_rand_string(20, '', 'password'))
-
- $gms_api_token = hiera('gms_api_token', undef)
- $git_management_system = hiera('git_management_system', undef)
-
- if $use_mcollective {
- class { 'r10k::mcollective':
- notify => Service['mcollective'],
- }
- }
-
- class {'r10k::webhook::config':
- enable_ssl => true,
- protected => true,
- user => $username,
- pass => $password,
- use_mcollective => $use_mcollective,
- }
-
- class {'r10k::webhook':
- user => 'root',
- group => '0',
- require => Class['r10k::webhook::config'],
- }
-
- $r10k_ssh_key_file = '/root/.ssh/r10k_rsa'
- exec { 'create r10k ssh key' :
- command => "/usr/bin/ssh-keygen -t rsa -b 2048 -C 'r10k' -f ${r10k_ssh_key_file} -q -N ''",
- creates => $r10k_ssh_key_file,
- }
-
- if !empty($gms_api_token) {
- git_deploy_key { "add_deploy_key_to_puppet_control-${::fqdn}":
- ensure => present,
- name => $::fqdn,
- path => "${r10k_ssh_key_file}.pub",
- token => $gms_api_token,
- project_name => 'puppet/control-repo',
- server_url => hiera('gms_server_url'),
- provider => $git_management_system,
- }
-
- git_webhook { "web_post_receive_webhook-${::fqdn}" :
- ensure => present,
- webhook_url => "https://${username}:${password}@${::fqdn}:8088/payload",
- token => $gms_api_token,
- project_name => 'puppet/control-repo',
- server_url => hiera('gms_server_url'),
- provider => $git_management_system,
- disable_ssl_verify => true,
- }
- }
-}
diff --git a/site/profile/manifests/git_webhook/zack_r10k_webhook_disable.pp b/site/profile/manifests/git_webhook/zack_r10k_webhook_disable.pp
deleted file mode 100644
index ec54fc6..0000000
--- a/site/profile/manifests/git_webhook/zack_r10k_webhook_disable.pp
+++ /dev/null
@@ -1,14 +0,0 @@
-class profile::git_webhook::zack_r10k_webhook_disable {
-
- file { '/etc/webhook.yaml' :
- ensure => absent,
- notify => Exec['stop and disable webhook service'],
- }
-
- exec { 'stop and disable webhook service' :
- command => '/opt/puppetlabs/puppet/bin/puppet resource service webhook ensure=stopped enable=false',
- logoutput => true,
- refreshonly => true,
- }
-
-}
diff --git a/site/puppet_master_classifer_settings_function/lib/puppet/parser/functions/puppet_master_classifer_settings.rb b/site/puppet_master_classifer_settings_function/lib/puppet/parser/functions/puppet_master_classifer_settings.rb
deleted file mode 100644
index 5559849..0000000
--- a/site/puppet_master_classifer_settings_function/lib/puppet/parser/functions/puppet_master_classifer_settings.rb
+++ /dev/null
@@ -1,5 +0,0 @@
-module Puppet::Parser::Functions
- newfunction(:puppet_master_classifer_settings, :type => :rvalue) do |args|
- function_parseyaml([function_file([File.join(lookupvar('settings::confdir').to_s, 'classifier.yaml')])])
- end
-end
diff --git a/site/role/manifests/all_in_one_pe.pp b/site/role/manifests/all_in_one_pe.pp
index 9e93155..5f72a30 100644
--- a/site/role/manifests/all_in_one_pe.pp
+++ b/site/role/manifests/all_in_one_pe.pp
@@ -1,6 +1,6 @@
 class role::all_in_one_pe {
 
 include profile::puppetmaster
- include profile::git_webhook
+ include pe_code_manager_webhook
 
 }
diff --git a/site/role/manifests/all_in_one_pe_2015_2.pp b/site/role/manifests/all_in_one_pe_2015_2.pp
deleted file mode 100644
index 337ca45..0000000
--- a/site/role/manifests/all_in_one_pe_2015_2.pp
+++ /dev/null
@@ -1,6 +0,0 @@
-class role::all_in_one_pe_2015_2 {
-
- include profile::puppetmaster
- include profile::git_webhook
-
-}
From bd13252916c62374e36d7d4a31cc32c15d3737f8 Mon Sep 17 00:00:00 2001
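Review bot: In the `all_in_one_pe.pp` hunk, `role::all_in_one_pe` now includes the `pe_code_manager_webhook` module directly while the line above it still goes through a profile (`include profile::puppetmaster`), which breaks the roles-and-profiles layering this role otherwise follows. The removed `profile::git_webhook` carried the only site-level seam for this feature (its `$force_zack_r10k_webhook` parameter and the `$::pe_server_version` branch); with the module included from the role, any such override would have to be re-introduced in the role itself. Consider keeping a thin profile, `class profile::git_webhook { include pe_code_manager_webhook }`, and leaving the role unchanged so only the profile knows which implementation is in use. If the direct include is intentional, a short comment on that line saying the module is self-contained would spare the next reader a trip to the module source.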
From: Nick Walker Date: Tue, 8 Mar 2016 09:53:02 -0800 Subject: [PATCH 2/4] Update to pe_code_manager_webhook v1.0.0 Prior to this commit, we were using a pre-release version of the pe_code_manager_webhook module in order to test that simply re-namespacing the module form a profile to a module worked as expected. After this commit, we use the official 1.0.0 relase of the module that includes a few changes that make it more versatile.
---
 Puppetfile | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/Puppetfile b/Puppetfile
index d06dd21..3c85887 100644
--- a/Puppetfile
+++ b/Puppetfile
@@ -4,14 +4,15 @@ forge "http://forge.puppetlabs.com"
 # Note the versions are all set to :latest but after you've
 # installed you should change them to the exact version you want
 mod "hunner/hiera", '2.0.1'
-mod "puppetlabs/inifile", :latest
-mod "puppetlabs/stdlib", :latest
-mod "puppetlabs/concat", :latest
-mod "puppetlabs/ntp", :latest
-mod "saz/ssh", :latest
+mod "puppetlabs/inifile", :latest
+mod "puppetlabs/stdlib", :latest
+mod "puppetlabs/concat", :latest
+mod "puppetlabs/ntp", :latest
+mod "saz/ssh", :latest
 mod "puppetlabs/postgresql", '4.5.0'
 mod "puppet/stash", '1.3.0'
 mod "puppetlabs/java", '1.4.1'
+mod "npwalker/pe_code_manager_webhook", '1.0.0'
 
 #An example of using a specific forge module version instead of latest
 #Notice the addition of single quotes
@@ -28,9 +29,9 @@ mod 'r10k',
 :git => 'https://github.com/acidprime/r10k',
 :tag => 'v3.1.1'
 
-mod 'pe_code_manager_webhook',
- :git => 'https://github.com/npwalker/pe_code_manager_webhook',
- :ref => '20d9f2e274325edaa10d8ec3b4f98a62ad726335'
+#mod 'pe_code_manager_webhook',
+# :git => 'https://github.com/npwalker/pe_code_manager_webhook',
+# :ref => '6957aa67e376ca7dcc9a60a58c247ed3e7b66c16'
 
 mod 'gms',
 :git => 'https://github.com/npwalker/abrader-gms',
From 182f9474180dea6093406c727a0d26a684ef08ab Mon Sep 17 00:00:00 2001
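Review bot: The commented-out `#mod 'pe_code_manager_webhook'` stanza left in the second hunk points at ref `6957aa67e376ca7dcc9a60a58c247ed3e7b66c16`, which is not the ref this file pinned before the change (`20d9f2e274325edaa10d8ec3b4f98a62ad726335`), so it records neither the previous state nor, as far as the hunk shows, the commit that the `1.0.0` release was cut from. Either delete the dead stanza or replace it with a single line such as `# pe_code_manager_webhook now comes from the Forge; see the npwalker/pe_code_manager_webhook entry above`. The `-mod`/`+mod` pairs for inifile, stdlib, concat, ntp and ssh in the first hunk appear to differ only in alignment whitespace (lost in this rendering); a whitespace-only reflow is easier to review in its own commit than mixed in with a dependency-source change.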
From: Nick Walker Date: Fri, 11 Mar 2016 10:49:46 -0800 Subject: [PATCH 3/4] Update to pe_code_manager_wehbook v1.0.1
---
 Puppetfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Puppetfile b/Puppetfile
index 3c85887..dce3bf9 100644
--- a/Puppetfile
+++ b/Puppetfile
@@ -12,7 +12,7 @@ mod "saz/ssh", :latest
 mod "puppetlabs/postgresql", '4.5.0'
 mod "puppet/stash", '1.3.0'
 mod "puppetlabs/java", '1.4.1'
-mod "npwalker/pe_code_manager_webhook", '1.0.0'
+mod "npwalker/pe_code_manager_webhook", '1.0.1'
 
 #An example of using a specific forge module version instead of latest
 #Notice the addition of single quotes
From 4978905d9b66aad5497c29aefb7229f58bee7785 Mon Sep 17 00:00:00 2001
From: Nick Walker Date: Fri, 11 Mar 2016 11:35:00 -0800 Subject: [PATCH 4/4] Update to pe_code_manager_webhook v1.0.2
---
 Puppetfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Puppetfile b/Puppetfile
index dce3bf9..c17da66 100644
--- a/Puppetfile
+++ b/Puppetfile
@@ -12,7 +12,7 @@ mod "saz/ssh", :latest
 mod "puppetlabs/postgresql", '4.5.0'
 mod "puppet/stash", '1.3.0'
 mod "puppetlabs/java", '1.4.1'
-mod "npwalker/pe_code_manager_webhook", '1.0.1'
+mod "npwalker/pe_code_manager_webhook", '1.0.2'
 
 #An example of using a specific forge module version instead of latest
 #Notice the addition of single quotes