commit
9a876a61e7
@ -34,3 +34,7 @@ mod 'r10k',
|
||||
mod 'gms',
|
||||
:git => 'https://github.com/npwalker/abrader-gms',
|
||||
:branch => 'gitlab_disable_ssl_verify_support'
|
||||
|
||||
mod 'pltraining-rbac',
|
||||
:git => 'https://github.com/puppetlabs/pltraining-rbac',
|
||||
:ref => '2f60e1789a721ce83f8df061e13f8bf81cd4e4ce'
|
||||
|
156
README.md
156
README.md
@ -1,10 +1,44 @@
|
||||
# Before Starting:
|
||||
Table of Contents
|
||||
=================
|
||||
|
||||
* [Before Starting](#before-starting)
|
||||
* [What You Get From This control\-repo](#what-you-get-from-this-control-repo)
|
||||
* [How To Set It All Up](#how-to-set-it-all-up)
|
||||
* [Setup a Trusted Fact On Your PE Master](#setup-a-trusted-fact-on-your-pe-master)
|
||||
* [If You Have Not Installed PE](#if-you-have-not-installed-pe)
|
||||
* [If You Have Already Installed PE](#if-you-have-already-installed-pe)
|
||||
* [Copy This Repo Into Your Own Git Server](#copy-this-repo-into-your-own-git-server)
|
||||
* [Gitlab](#gitlab)
|
||||
* [Stash](#stash)
|
||||
* [Github](#github)
|
||||
* [Configure PE to Use the Control\-Repo](#configure-pe-to-use-the-control-repo)
|
||||
* [Install PE](#install-pe)
|
||||
* [Get the Control\-Repo Deployed On Your Master](#get-the-control-repo-deployed-on-your-master)
|
||||
* [Test Code Manager](#test-code-manager)
|
||||
* [Updating From a Previous Version of PE](#updating-from-a-previous-version-of-pe)
|
||||
* [Upgrading to PE2015\.3\.z from PE 2015\.2\.z](#upgrading-to-pe20153z-from-pe-20152z)
|
||||
* [Appendix](#appendix)
|
||||
* [Test The Zack/r10k Webhook](#test-the-zackr10k-webhook)
|
||||
|
||||
# Before Starting
|
||||
|
||||
This control repo and the steps below are intended to be used during a new installation of PE.
|
||||
|
||||
This control repo has only been tested against PE2015.2.z, it's likely close to working on PE3.8.z but has not been tested.
|
||||
The instructions are geared towards a new installation of PE2015.3.z. However, the control-repo should work just fine on [PE2015.2.z](#upgrading-to-pe20153z-from-pe-20152z)
|
||||
|
||||
If you intend to use it on an existing installation then be warned that if you've already written or downloaded modules when you start using r10k it will remove all of the existing modules and replace them with what you define in your Puppetfile. Please copy or move your existing modules to another directory to ensure you do not lose any work you've already started.
|
||||
If you intend to use this control-repo on an existing installation then be warned that if you've already written or downloaded modules when you start using r10k it will remove all of the existing modules and replace them with what you define in your Puppetfile. Please copy or move your existing modules to another directory to ensure you do not lose any work you've already started.
|
||||
|
||||
# What You Get From This control-repo
|
||||
|
||||
As a result of following the instructions below you will receive at least the beginning of a best-practices installation of PE including...
|
||||
|
||||
- A git server
|
||||
- The ability to push code to your git server and have it automatically deployed to your PE Master
|
||||
- A config_version script to output the commit of code that your agent just applied
|
||||
- Optimal tuning of PE settings for this configuration
|
||||
- Working and example roles/profiles code
|
||||
|
||||
# How To Set It All Up
|
||||
|
||||
## Setup a Trusted Fact On Your PE Master
|
||||
|
||||
@ -17,15 +51,15 @@ extension_requests:
|
||||
1.3.6.1.4.1.34380.1.1.13: 'all_in_one_pe'
|
||||
```
|
||||
|
||||
### If You Have Not Installed PE
|
||||
### If You Have Not Installed PE
|
||||
|
||||
Good then you can proceed forward and the trusted fact will be used when you get to the install step.
|
||||
Good then you can proceed forward and the trusted fact will be used when you get to the install step.
|
||||
|
||||
### If You Have Already Installed PE
|
||||
|
||||
Trusted facts are created at the time a CSR is generated. So, we need to regenerate the certificate on the master for the above trusted fact to be created.
|
||||
Trusted facts are created at the time a CSR is generated. So, we need to regenerate the certificate on the master for the above trusted fact to be created.
|
||||
|
||||
Follow this document to regenerate the certificate on your master.
|
||||
Follow this document to regenerate the certificate on your master.
|
||||
|
||||
http://docs.puppetlabs.com/pe/latest/regenerate_certs_master.html
|
||||
|
||||
@ -53,20 +87,20 @@ http://docs.puppetlabs.com/pe/latest/regenerate_certs_master.html
|
||||
- In the left hand pane, select memembers
|
||||
- Add the `r10k_api_user` with `master` permissions
|
||||
|
||||
7. Add your user to the `puppet` group as well
|
||||
7. Add your user to the `puppet` group as well
|
||||
|
||||
8. Create a project called `control-repo` and set the Namespace to be the `puppet` group
|
||||
|
||||
9. Logout of root and login as the `r10k_api_user`
|
||||
- Go to profile settings -> account ( https://<your_gitlab_server>/profile/account )
|
||||
- Copy the api token
|
||||
|
||||
|
||||
10. Clone this control repository to your laptop/workstation
|
||||
- `git clone <repository url>`
|
||||
- `cd control-repo`
|
||||
|
||||
11. `git mv hieradata/nodes/example-puppet-master.yaml hieradata/nodes/<fqdn_of_your_puppet_master>.yaml`
|
||||
- Open `hieradata/nodes/<fqdn_of_your_puppet_master>.yaml`
|
||||
- Open `hieradata/nodes/<fqdn_of_your_puppet_master>.yaml`
|
||||
- edit `gms_api_token` to be your api token
|
||||
- edit `git_management_system` to be 'gitlab'
|
||||
- edit the `gms_server_url`
|
||||
@ -99,7 +133,7 @@ Coming soon!
|
||||
###Install PE
|
||||
|
||||
1. Download the latest version of the PE installer for your platform and copy it to your master
|
||||
- https://puppetlabs.com/download-puppet-enterprise
|
||||
- https://puppetlabs.com/download-puppet-enterprise
|
||||
2. Expand the tarball and `cd` into the directory
|
||||
3. Run `puppet-enterprise-installer` to install
|
||||
|
||||
@ -109,70 +143,76 @@ http://docs.puppetlabs.com/pe/latest/install_basic.html
|
||||
|
||||
###Get the Control-Repo Deployed On Your Master
|
||||
|
||||
At this point you have my control-repo code deployed into your git server. However, we have one final challenge getting that code onto your puppet master. In the end state the master will pull code from the git server via r10k, however, at this moment your puppet master doesn't have credentials to get code from the git server.
|
||||
At this point you have our control-repo code deployed into your git server. However, we have one final challenge: getting that code onto your puppet master. In the end state the master will pull code from the git server via r10k, however, at this moment your puppet master doesn't have credentials to get code from the git server.
|
||||
|
||||
So, we'll set up a deploy key in the git server that will allow a ssh-key we make to deploy the code and configure everything else.
|
||||
So, we'll set up a deploy key in the git server that will allow a ssh-key we make to deploy the code and configure everything else.
|
||||
|
||||
1. On your puppet master, make an ssh key for r10k to connect to gitlab
|
||||
- `/usr/bin/ssh-keygen -t rsa -b 2048 -C 'r10k' -f /root/.ssh/r10k_rsa -q -N ''`
|
||||
- `/usr/bin/ssh-keygen -t rsa -b 2048 -C 'code_manager' -f /etc/puppetlabs/puppetserver/code_manager.key -q -N ''`
|
||||
- http://doc.gitlab.com/ce/ssh/README.html
|
||||
- https://help.github.com/articles/generating-ssh-keys/
|
||||
2. Create a deploy key on the `control-repo` project in Gitlab
|
||||
- Paste in the public key from above
|
||||
- `cat /root/.ssh/r10k_rsa.pub`
|
||||
3. Follow https://docs.puppetlabs.com/pe/latest/r10k_config_console.html
|
||||
- The remote is on the front page of the project in the gitlab UI
|
||||
- git_settings should be:
|
||||
- `{"provider": "rugged",
|
||||
"private_key": "/root/.ssh/r10k_rsa"}`
|
||||
3. Run `puppet agent -t`
|
||||
- `cat /etc/puppetlabs/puppetserver/code_manager.key.pub`
|
||||
3. Login to the PE console
|
||||
7. Navigate to the Classification page
|
||||
- Click on the PE Master group
|
||||
- Click the Classes tab
|
||||
- Add the `puppet_enterprise::profile::master`
|
||||
- Set the `r10k_remote` to the ssh url from the front page of your gitlab repo
|
||||
- Set the `r10k_private_key` parameter to `/etc/puppetlabs/puppetserver/code_manager.key`
|
||||
- Commit your changes
|
||||
8. Run `puppet agent -t`
|
||||
- Expect to see changes to `r10k.yaml`
|
||||
3. Run `r10k deploy environment -pv`
|
||||
4. Run `puppet agent -t`
|
||||
9. Run `r10k deploy environment -pv`
|
||||
10. Run `puppet agent -t`
|
||||
- Expect to see code manager enabled
|
||||
10. `echo 'code_manager_mv_old_code=true' > /opt/puppetlabs/facter/facts.d/code_manager_mv_old_code.txt`
|
||||
11. Run `puppet agent -t`
|
||||
- Now you should see many more changes
|
||||
- Your code has been deployed with code manager now
|
||||
|
||||
## Test Code Manager
|
||||
|
||||
One of the components setup by this control-repo is that when you "push" code to your git server, the git server will inform the puppet master to deploy branch you just pushed.
|
||||
|
||||
1. In one terminal window, `tail -f /var/log/puppetlabs/puppetserver/puppetserver.log`
|
||||
2. In a second terminal window
|
||||
- Add a new file, `touch test_file`
|
||||
- `git add test_file`
|
||||
- `git commit -m "adding a test_file"`
|
||||
- `git push origin production`
|
||||
3. Allow the push to complete and then wait a few seconds for everything to sync over
|
||||
- `ls -l /etc/puppetlabs/code/environments/production`
|
||||
- Confirm test_file is present
|
||||
4. In your first terminal window review the `puppetserver.log` to see the type of logging each sync will create
|
||||
|
||||
----
|
||||
# Updating From a Previous Version of PE
|
||||
|
||||
## Upgrading to PE2015.3.z from PE 2015.2.z
|
||||
|
||||
Remove `pe_r10k` from the PE master group in the console and instead add the following two parameters to the `puppet_enterprise::profile::master` class under the PE master group.
|
||||
|
||||
- `r10k_remote` = the ssh url for your internal repo
|
||||
- `r10k_private_key` = `/etc/puppetlabs/puppetserver/code_manager.key`
|
||||
|
||||
When upgrading the `puppet_enterprise::profile::master` class has the `file_sync_enabled` parameter set to `false`. This parameter should be removed so that code manager can configure file sync.
|
||||
|
||||
Finally, you’ll need to `echo 'code_manager_mv_old_code=true' > /opt/puppetlabs/facter/facts.d/code_manager_mv_old_code.txt` so that my puppet code will redeploy all of your code with code manager.
|
||||
|
||||
# Appendix
|
||||
|
||||
## Test The Zack/r10k Webhook
|
||||
|
||||
One of the components setup by this control-repo is that when you "push" code to your git server, the git server will inform the puppet master to run `r10k deploy environment -p`.
|
||||
If you are using PE2015.2.z or if you've forced the use of the zack/r10k webhook then you'll want to test that it works.
|
||||
|
||||
1. Edit README.md
|
||||
One of the components setup by this control-repo is that when you "push" code to your git server, the git server will inform the puppet master to run `r10k deploy environment -p`.
|
||||
|
||||
1. Edit README.md
|
||||
- Just add something to it
|
||||
2. `git add README.md`
|
||||
3. `git commit -m "edit README"`
|
||||
4. `git push origin production`
|
||||
5. Allow the push to complete and then give it few seconds to complete
|
||||
- Open `/etc/puppetlabs/code/environments/production/README.md` and confirm your change is present
|
||||
|
||||
|
||||
|
||||
----
|
||||
#Miscellaneous
|
||||
|
||||
## If You Want to Install Pointing To This Repo on Github
|
||||
|
||||
### Setting Up Gitlab
|
||||
|
||||
1. Install Gitlab on a server by specifying the following trusted fact on the soon-to-be Gitlab server and then [install the PE agent](http://docs.puppetlabs.com/pe/latest/install_agents.html#using-the-puppet-agent-package-installation-script).
|
||||
|
||||
```
|
||||
---
|
||||
extension_requests:
|
||||
#pp_role
|
||||
1.3.6.1.4.1.34380.1.1.13: 'gitlab'
|
||||
```
|
||||
|
||||
### Setting up Github
|
||||
|
||||
Not yet completed.
|
||||
|
||||
### Setting up Stash
|
||||
|
||||
Not yet completed.
|
||||
|
||||
|
||||
#TODO
|
||||
Flush out generating an answer file and then appending extra answers onto the end of it.
|
||||
|
||||
|
||||
|
||||
|
@ -3,6 +3,9 @@ message: "This node is using common data"
|
||||
|
||||
#Puppet Server Tuning
|
||||
puppet_enterprise::master::puppetserver::jruby_max_requests_per_instance: 10000
|
||||
#Enable code manager
|
||||
puppet_enterprise::profile::master::code_manager_auto_configure: true
|
||||
puppet_enterprise::master::code_manager::authenticate_webhook: false
|
||||
|
||||
#pe-console-services tuning
|
||||
#https://docs.puppetlabs.com/pe/latest/console_config.html#tuning-the-classifier-synchronization-period
|
||||
|
@ -11,20 +11,9 @@
|
||||
|
||||
## Active Configurations ##
|
||||
|
||||
# PRIMARY FILEBUCKET
|
||||
# This configures puppet agent and puppet inspect to back up file contents when
|
||||
# they run. The Puppet Enterprise console needs this to display file contents
|
||||
# and differences.
|
||||
|
||||
# Define filebucket 'main':
|
||||
filebucket { 'main':
|
||||
#server should point to one master that will be the file bucket
|
||||
server => "${settings::server}",
|
||||
path => false,
|
||||
}
|
||||
|
||||
# Make filebucket 'main' the default backup location for all File resources:
|
||||
File { backup => 'main' }
|
||||
# Disable filebucket by default for all File resources:
|
||||
#http://docs.puppetlabs.com/pe/latest/release_notes.html#filebucket-resource-no-longer-created-by-default
|
||||
File { backup => false }
|
||||
|
||||
# DEFAULT NODE
|
||||
# Node definitions in this file are merged with node data from the console. See
|
||||
@ -40,7 +29,7 @@ node default {
|
||||
#incude a role on any node that specifies it's role via a trusted fact at provision time
|
||||
#https://docs.puppetlabs.com/puppet/latest/reference/lang_facts_and_builtin_vars.html#trusted-facts
|
||||
#https://docs.puppetlabs.com/puppet/latest/reference/ssl_attributes_extensions.html#aws-attributes-and-extensions-population-example
|
||||
|
||||
|
||||
if !empty( $trusted['extensions']['pp_role'] ) {
|
||||
include "role::${trusted['extensions']['pp_role']}"
|
||||
}
|
||||
|
9
scripts/code_manager_config_version.rb
Normal file
9
scripts/code_manager_config_version.rb
Normal file
@ -0,0 +1,9 @@
|
||||
require 'json'
|
||||
|
||||
environmentpath = ARGV[0]
|
||||
environment = ARGV[1]
|
||||
|
||||
r10k_deploy_file_path = File.join(environmentpath, environment, '.r10k-deploy.json')
|
||||
|
||||
#output the sha1 from the control-repo
|
||||
puts JSON.parse(File.read(r10k_deploy_file_path))['signature']
|
@ -1,5 +1,8 @@
|
||||
#!/bin/bash
|
||||
if [ -e /opt/puppetlabs/server/pe_version ]
|
||||
if [ -e $1/$2/.r10k-deploy.json ]
|
||||
then
|
||||
/opt/puppetlabs/puppet/bin/ruby $1/$2/scripts/code_manager_config_version.rb $1 $2
|
||||
elif [ -e /opt/puppetlabs/server/pe_version ]
|
||||
then
|
||||
/opt/puppetlabs/puppet/bin/ruby $1/$2/scripts/config_version.rb $1 $2
|
||||
else
|
||||
|
@ -0,0 +1,36 @@
|
||||
require 'puppet/file_system'
|
||||
|
||||
Puppet::Parser::Functions::newfunction(
|
||||
:no_fail_file, :arity => -2, :type => :rvalue,
|
||||
:doc => "Loads a file from a module and returns its contents as a string.
|
||||
|
||||
This is a replacement to the file function that returns nothing
|
||||
if the file specified cannot be found instead of erroring out.
|
||||
|
||||
The argument to this function should be a `<MODULE NAME>/<FILE>`
|
||||
reference, which will load `<FILE>` from a module's `files`
|
||||
directory. (For example, the reference `mysql/mysqltuner.pl` will load the
|
||||
file `<MODULES DIRECTORY>/mysql/files/mysqltuner.pl`.)
|
||||
|
||||
This function can also accept:
|
||||
|
||||
* An absolute path, which can load a file from anywhere on disk.
|
||||
* Multiple arguments, which will return the contents of the **first** file
|
||||
found, skipping any files that don't exist.
|
||||
"
|
||||
) do |vals|
|
||||
path = nil
|
||||
vals.each do |file|
|
||||
found = Puppet::Parser::Files.find_file(file, compiler.environment)
|
||||
if found && Puppet::FileSystem.exist?(found)
|
||||
path = found
|
||||
break
|
||||
end
|
||||
end
|
||||
|
||||
if path
|
||||
Puppet::FileSystem.read_preserve_line_endings(path)
|
||||
else
|
||||
nil
|
||||
end
|
||||
end
|
12
site/profile/manifests/git_webhook.pp
Normal file
12
site/profile/manifests/git_webhook.pp
Normal file
@ -0,0 +1,12 @@
|
||||
class profile::git_webhook (
|
||||
$force_zack_r10k_webhook = false
|
||||
) {
|
||||
|
||||
if versioncmp( $::pe_server_version, '2015.2.99' ) <= 0 or $force_zack_r10k_webhook {
|
||||
include profile::git_webhook::zack_r10k_webhook
|
||||
} else {
|
||||
include profile::git_webhook::code_manager
|
||||
include profile::git_webhook::zack_r10k_webhook_disable
|
||||
}
|
||||
|
||||
}
|
150
site/profile/manifests/git_webhook/code_manager.pp
Normal file
150
site/profile/manifests/git_webhook/code_manager.pp
Normal file
@ -0,0 +1,150 @@
|
||||
class profile::git_webhook::code_manager {
|
||||
|
||||
$authenticate_webhook = hiera('puppet_enterprise::master::code_manager::authenticate_webhook', true)
|
||||
|
||||
$code_manager_service_user = 'code_manager_service_user'
|
||||
$code_manager_service_user_password = fqdn_rand_string(40, '', "${code_manager_service_user}_password")
|
||||
|
||||
#puppet_master_classifier_settings is a custom function
|
||||
$classifier_settings = puppet_master_classifer_settings()
|
||||
$classifier_hostname = $classifier_settings['server']
|
||||
$classifier_port = $classifier_settings['port']
|
||||
|
||||
$token_directory = '/etc/puppetlabs/puppetserver/.puppetlabs'
|
||||
$token_filename = "${token_directory}/${code_manager_service_user}_token"
|
||||
|
||||
$gms_api_token = hiera('gms_api_token', undef)
|
||||
$git_management_system = hiera('git_management_system', undef)
|
||||
|
||||
$code_manager_ssh_key_file = '/etc/puppetlabs/puppetserver/code_manager.key'
|
||||
exec { 'create code manager ssh key' :
|
||||
command => "/usr/bin/ssh-keygen -t rsa -b 2048 -C 'code_manager' -f ${code_manager_ssh_key_file} -q -N ''",
|
||||
creates => $code_manager_ssh_key_file,
|
||||
}
|
||||
|
||||
file { $code_manager_ssh_key_file :
|
||||
ensure => file,
|
||||
owner => 'pe-puppet',
|
||||
group => 'pe-puppet',
|
||||
require => Exec['create code manager ssh key'],
|
||||
}
|
||||
|
||||
#If files exist in the codedir code manager can't manage them unless pe-puppet can read them
|
||||
exec { 'chown all environments to pe-puppet' :
|
||||
command => "/bin/chown -R pe-puppet:pe-puppet ${::settings::codedir}",
|
||||
unless => "/usr/bin/test \$(stat -c %U ${::settings::codedir}/environments/production) = 'pe-puppet'",
|
||||
}
|
||||
|
||||
$code_manager_role_name = 'Deploy Environments'
|
||||
$create_role_creates_file = '/etc/puppetlabs/puppetserver/.puppetlabs/deploy_environments_created'
|
||||
$create_role_curl = @(EOT)
|
||||
/opt/puppetlabs/puppet/bin/curl -k -X POST -H 'Content-Type: application/json' \
|
||||
https://<%= $::trusted['certname'] %>:4433/rbac-api/v1/roles \
|
||||
-d '{"permissions": [{"object_type": "environment", "action": "deploy_code", "instance": "*"},
|
||||
{"object_type": "tokens", "action": "override_lifetime", "instance": "*"}],"user_ids": [], "group_ids": [], "display_name": "<%= $code_manager_role_name %>", "description": ""}' \
|
||||
--cert <%= $::settings::certdir %>/<%= $::trusted['certname'] %>.pem \
|
||||
--key <%= $::settings::privatekeydir %>/<%= $::trusted['certname'] %>.pem \
|
||||
--cacert <%= $::settings::certdir %>/ca.pem;
|
||||
touch <%= $create_role_creates_file %>
|
||||
| EOT
|
||||
|
||||
exec { 'create deploy environments role' :
|
||||
command => inline_epp( $create_role_curl ),
|
||||
creates => $create_role_creates_file,
|
||||
logoutput => true,
|
||||
path => $::path,
|
||||
require => File[$token_directory],
|
||||
}
|
||||
|
||||
rbac_user { $code_manager_service_user :
|
||||
ensure => 'present',
|
||||
name => $code_manager_service_user,
|
||||
email => "${code_manager_service_user}@example.com",
|
||||
display_name => 'Code Manager Service Account',
|
||||
password => $code_manager_service_user_password,
|
||||
roles => [ $code_manager_role_name ],
|
||||
require => Exec['create deploy environments role'],
|
||||
}
|
||||
|
||||
file { $token_directory :
|
||||
ensure => directory,
|
||||
owner => 'pe-puppet',
|
||||
group => 'pe-puppet',
|
||||
}
|
||||
|
||||
exec { "Generate Token for ${code_manager_service_user}" :
|
||||
command => epp('profile/git_webhook/code_manager/create_rbac_token.epp',
|
||||
{ 'code_manager_service_user' => $code_manager_service_user,
|
||||
'code_manager_service_user_password' => $code_manager_service_user_password,
|
||||
'classifier_hostname' => $classifier_hostname,
|
||||
'classifier_port' => $classifier_port,
|
||||
'token_filename' => $token_filename
|
||||
}),
|
||||
creates => $token_filename,
|
||||
require => [ Rbac_user[$code_manager_service_user], File[$token_directory] ],
|
||||
}
|
||||
|
||||
#this file cannont be read until the next run after the above exec
|
||||
#because the file function runs on the master not on the agent
|
||||
#so the file doesn't exist at the time the function is run
|
||||
$rbac_token_file_contents = no_fail_file($token_filename)
|
||||
|
||||
#Only mv code if this is at least the 2nd run of puppet
|
||||
#Code manager needs to be enabled and puppet server restarted
|
||||
#before this exec can complete. Gating on the token file
|
||||
#ensures at least one run has completed
|
||||
if $::code_manager_mv_old_code and !empty($rbac_token_file_contents) {
|
||||
|
||||
$timestamp = chomp(generate('/bin/date', '+%Y%d%m_%H:%M:%S'))
|
||||
|
||||
exec { 'mv files out of $environmentpath' :
|
||||
command => "mkdir /etc/puppetlabs/env_back_${timestamp};
|
||||
mv ${::settings::codedir}/environments/* /etc/puppetlabs/env_back_${timestamp}/;
|
||||
rm /opt/puppetlabs/facter/facts.d/code_manager_mv_old_code.txt;
|
||||
TOKEN=`/opt/puppetlabs/puppet/bin/ruby -e \"require 'json'; puts JSON.parse(File.read('${token_filename}'))['token']\"`;
|
||||
/opt/puppetlabs/puppet/bin/curl -k -X POST -H 'Content-Type: application/json' \"https://${::trusted['certname']}:8170/code-manager/v1/deploys?token=\$TOKEN\" -d '{\"environments\": [\"${::environment}\"], \"wait\": true}';
|
||||
/opt/puppetlabs/puppet/bin/curl -k -X POST -H 'Content-Type: application/json' \"https://${::trusted['certname']}:8170/code-manager/v1/deploys?token=\$TOKEN\" -d '{\"deploy-all\": true, \"wait\": true}';
|
||||
sleep 15",
|
||||
path => $::path,
|
||||
logoutput => true,
|
||||
require => Exec["Generate Token for ${code_manager_service_user}"],
|
||||
}
|
||||
}
|
||||
|
||||
if !empty($gms_api_token) {
|
||||
if $authenticate_webhook and !empty($rbac_token_file_contents) {
|
||||
|
||||
$rbac_token = parsejson($rbac_token_file_contents)['token']
|
||||
|
||||
$token_info = "&token=${rbac_token}"
|
||||
}
|
||||
else {
|
||||
$token_info = ''
|
||||
}
|
||||
|
||||
$code_manager_webhook_type = $git_management_system ? {
|
||||
'gitlab' => 'github',
|
||||
default => $git_management_system,
|
||||
}
|
||||
|
||||
git_deploy_key { "add_deploy_key_to_puppet_control-${::fqdn}":
|
||||
ensure => present,
|
||||
name => $::fqdn,
|
||||
path => "${code_manager_ssh_key_file}.pub",
|
||||
token => $gms_api_token,
|
||||
project_name => 'puppet/control-repo',
|
||||
server_url => hiera('gms_server_url'),
|
||||
provider => $git_management_system,
|
||||
}
|
||||
|
||||
git_webhook { "code_manager_post_receive_webhook-${::fqdn}" :
|
||||
ensure => present,
|
||||
webhook_url => "https://${::fqdn}:8170/code-manager/v1/webhook?type=${code_manager_webhook_type}${token_info}",
|
||||
token => $gms_api_token,
|
||||
project_name => 'puppet/control-repo',
|
||||
server_url => hiera('gms_server_url'),
|
||||
provider => $git_management_system,
|
||||
disable_ssl_verify => true,
|
||||
}
|
||||
}
|
||||
}
|
58
site/profile/manifests/git_webhook/zack_r10k_webhook.pp
Normal file
58
site/profile/manifests/git_webhook/zack_r10k_webhook.pp
Normal file
@ -0,0 +1,58 @@
|
||||
class profile::git_webhook::zack_r10k_webhook (
|
||||
$use_mcollective = false,
|
||||
) {
|
||||
|
||||
$username = hiera('webhook_username', fqdn_rand_string(10, '', 'username'))
|
||||
$password = hiera('webhook_password', fqdn_rand_string(20, '', 'password'))
|
||||
|
||||
$gms_api_token = hiera('gms_api_token', undef)
|
||||
$git_management_system = hiera('git_management_system', undef)
|
||||
|
||||
if $use_mcollective {
|
||||
class { 'r10k::mcollective':
|
||||
notify => Service['mcollective'],
|
||||
}
|
||||
}
|
||||
|
||||
class {'r10k::webhook::config':
|
||||
enable_ssl => true,
|
||||
protected => true,
|
||||
user => $username,
|
||||
pass => $password,
|
||||
use_mcollective => $use_mcollective,
|
||||
}
|
||||
|
||||
class {'r10k::webhook':
|
||||
user => 'root',
|
||||
group => '0',
|
||||
require => Class['r10k::webhook::config'],
|
||||
}
|
||||
|
||||
$r10k_ssh_key_file = '/root/.ssh/r10k_rsa'
|
||||
exec { 'create r10k ssh key' :
|
||||
command => "/usr/bin/ssh-keygen -t rsa -b 2048 -C 'r10k' -f ${r10k_ssh_key_file} -q -N ''",
|
||||
creates => $r10k_ssh_key_file,
|
||||
}
|
||||
|
||||
if !empty($gms_api_token) {
|
||||
git_deploy_key { "add_deploy_key_to_puppet_control-${::fqdn}":
|
||||
ensure => present,
|
||||
name => $::fqdn,
|
||||
path => "${r10k_ssh_key_file}.pub",
|
||||
token => $gms_api_token,
|
||||
project_name => 'puppet/control-repo',
|
||||
server_url => hiera('gms_server_url'),
|
||||
provider => $git_management_system,
|
||||
}
|
||||
|
||||
git_webhook { "web_post_receive_webhook-${::fqdn}" :
|
||||
ensure => present,
|
||||
webhook_url => "https://${username}:${password}@${::fqdn}:8088/payload",
|
||||
token => $gms_api_token,
|
||||
project_name => 'puppet/control-repo',
|
||||
server_url => hiera('gms_server_url'),
|
||||
provider => $git_management_system,
|
||||
disable_ssl_verify => true,
|
||||
}
|
||||
}
|
||||
}
|
@ -0,0 +1,14 @@
|
||||
class profile::git_webhook::zack_r10k_webhook_disable {
|
||||
|
||||
file { '/etc/webhook.yaml' :
|
||||
ensure => absent,
|
||||
notify => Exec['stop and disable webhook service'],
|
||||
}
|
||||
|
||||
exec { 'stop and disable webhook service' :
|
||||
command => '/opt/puppetlabs/puppet/bin/puppet resource service webhook ensure=stopped enable=false',
|
||||
logoutput => true,
|
||||
refreshonly => true,
|
||||
}
|
||||
|
||||
}
|
@ -1,7 +1,6 @@
|
||||
class profile::puppetmaster (
|
||||
$webhook_username,
|
||||
$webhook_password
|
||||
) {
|
||||
class profile::puppetmaster {
|
||||
|
||||
$hiera_yaml = "${::settings::confdir}/hiera.yaml"
|
||||
|
||||
class { 'hiera':
|
||||
hierarchy => [
|
||||
@ -9,48 +8,28 @@ class profile::puppetmaster (
|
||||
'nodes/%{::trusted.certname}',
|
||||
'common',
|
||||
],
|
||||
hiera_yaml => '/etc/puppetlabs/code/hiera.yaml',
|
||||
hiera_yaml => $hiera_yaml,
|
||||
datadir => '/etc/puppetlabs/code/environments/%{environment}/hieradata',
|
||||
owner => 'pe-puppet',
|
||||
group => 'pe-puppet',
|
||||
notify => Service['pe-puppetserver'],
|
||||
}
|
||||
|
||||
#BEGIN - Generate an SSH key for r10k to connect to git
|
||||
$r10k_ssh_key_file = '/root/.ssh/r10k_rsa'
|
||||
exec { 'create r10k ssh key' :
|
||||
command => "/usr/bin/ssh-keygen -t rsa -b 2048 -C 'r10k' -f ${r10k_ssh_key_file} -q -N ''",
|
||||
creates => $r10k_ssh_key_file,
|
||||
ini_setting { 'puppet.conf hiera_config' :
|
||||
ensure => present,
|
||||
path => "${::settings::confdir}/puppet.conf",
|
||||
section => 'master',
|
||||
setting => 'hiera_config',
|
||||
value => $hiera_yaml,
|
||||
notify => Service['pe-puppetserver'],
|
||||
}
|
||||
#END - Generate an SSH key for r10k to connect to git
|
||||
|
||||
#BEGIN - Add deploy key and webook to git management system
|
||||
$git_management_system = hiera('git_management_system', '')
|
||||
|
||||
if $git_management_system in ['gitlab', 'github'] {
|
||||
|
||||
git_deploy_key { "add_deploy_key_to_puppet_control-${::fqdn}":
|
||||
ensure => present,
|
||||
name => $::fqdn,
|
||||
path => "${r10k_ssh_key_file}.pub",
|
||||
token => hiera('gms_api_token'),
|
||||
project_name => 'puppet/control-repo',
|
||||
server_url => hiera('gms_server_url'),
|
||||
provider => $git_management_system,
|
||||
}
|
||||
|
||||
git_webhook { "web_post_receive_webhook-${::fqdn}" :
|
||||
ensure => present,
|
||||
webhook_url => "https://${webhook_username}:${webhook_password}@${::fqdn}:8088/payload",
|
||||
token => hiera('gms_api_token'),
|
||||
project_name => 'puppet/control-repo',
|
||||
server_url => hiera('gms_server_url'),
|
||||
provider => $git_management_system,
|
||||
disable_ssl_verify => true,
|
||||
}
|
||||
|
||||
#remove the default hiera.yaml from the code-staging directory
|
||||
#after the next code manager deployment it should be removed
|
||||
#from the live codedir
|
||||
file { '/etc/puppetlabs/code-staging/hiera.yaml' :
|
||||
ensure => absent,
|
||||
}
|
||||
#END - Add deploy key and webhook to git management system
|
||||
|
||||
#Lay down update-classes.sh for use in r10k postrun_command
|
||||
#This is configured via the pe_r10k::postrun key in hiera
|
||||
|
@ -1,29 +0,0 @@
|
||||
class profile::zack_r10k_webhook (
|
||||
$username,
|
||||
$password,
|
||||
$use_mcollective = false,
|
||||
) {
|
||||
|
||||
if $use_mcollective {
|
||||
|
||||
class { 'r10k::mcollective':
|
||||
notify => Service['mcollective'],
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
class {'r10k::webhook::config':
|
||||
enable_ssl => true,
|
||||
protected => true,
|
||||
user => $username,
|
||||
pass => $password,
|
||||
use_mcollective => $use_mcollective,
|
||||
}
|
||||
|
||||
class {'r10k::webhook':
|
||||
user => 'root',
|
||||
group => '0',
|
||||
require => Class['r10k::webhook::config'],
|
||||
}
|
||||
|
||||
}
|
@ -0,0 +1,7 @@
|
||||
<%- | String $code_manager_service_user,
|
||||
String $code_manager_service_user_password,
|
||||
String $classifier_hostname,
|
||||
Integer $classifier_port,
|
||||
String $token_filename
|
||||
| -%>
|
||||
/opt/puppetlabs/puppet/bin/curl -k -X POST -H 'Content-Type: application/json' -d '{"login": "<%= $code_manager_service_user %>", "password": "<%= $code_manager_service_user_password %>", "lifetime": "0"}' https://<%= $classifier_hostname %>:<%= $classifier_port %>/rbac-api/v1/auth/token >> <%= $token_filename %>
|
@ -0,0 +1,5 @@
|
||||
module Puppet::Parser::Functions
|
||||
newfunction(:puppet_master_classifer_settings, :type => :rvalue) do |args|
|
||||
function_parseyaml([function_file([File.join(lookupvar('settings::confdir').to_s, 'classifier.yaml')])])
|
||||
end
|
||||
end
|
@ -0,0 +1,12 @@
|
||||
require 'puppet/util/puppetdb'
|
||||
|
||||
module Puppet::Parser::Functions
|
||||
newfunction(:puppetdb_hostnames, :type => :rvalue) do |args|
|
||||
output = []
|
||||
Puppet::Util::Puppetdb.config.server_urls.each do | server_url |
|
||||
output << server_url.hostname
|
||||
end
|
||||
|
||||
output
|
||||
end
|
||||
end
|
@ -1,16 +1,6 @@
|
||||
class role::all_in_one_pe {
|
||||
|
||||
$webhook_username = hiera('webhook_username', fqdn_rand_string(10, '', 'username'))
|
||||
$webhook_password = hiera('webhook_password', fqdn_rand_string(20, '', 'password'))
|
||||
|
||||
class { 'profile::puppetmaster' :
|
||||
webhook_username => $webhook_username,
|
||||
webhook_password => $webhook_password,
|
||||
}
|
||||
|
||||
class { 'profile::zack_r10k_webhook' :
|
||||
username => $webhook_username,
|
||||
password => $webhook_password,
|
||||
}
|
||||
include profile::puppetmaster
|
||||
include profile::git_webhook
|
||||
|
||||
}
|
||||
|
6
site/role/manifests/all_in_one_pe_2015_2.pp
Normal file
6
site/role/manifests/all_in_one_pe_2015_2.pp
Normal file
@ -0,0 +1,6 @@
|
||||
class role::all_in_one_pe_2015_2 {
|
||||
|
||||
include profile::puppetmaster
|
||||
include profile::zack_r10k_webhook
|
||||
|
||||
}
|
Loading…
Reference in New Issue
Block a user