From 63429fe9ec595df70a39de0944d893134899211e Mon Sep 17 00:00:00 2001
From: Nick Walker
Date: Wed, 11 Nov 2015 13:52:20 -0800
Subject: [PATCH 01/17] Add custom functions for determining some PE settings Added a function to find the hostname and port of the classifier Added a fucntion to return all puppetdb hostnames
---
 .../functions/puppet_master_classifer_settings.rb | 5 +++++
 .../lib/puppet/parser/functions/puppetdb_hostname.rb | 12 ++++++++++++
 2 files changed, 17 insertions(+)
 create mode 100644 site/puppet_master_classifer_settings_function/lib/puppet/parser/functions/puppet_master_classifer_settings.rb
 create mode 100644 site/puppetdb_hostname_function/lib/puppet/parser/functions/puppetdb_hostname.rb
diff --git a/site/puppet_master_classifer_settings_function/lib/puppet/parser/functions/puppet_master_classifer_settings.rb b/site/puppet_master_classifer_settings_function/lib/puppet/parser/functions/puppet_master_classifer_settings.rb
new file mode 100644
index 0000000..5559849
--- /dev/null
+++ b/site/puppet_master_classifer_settings_function/lib/puppet/parser/functions/puppet_master_classifer_settings.rb
@@ -0,0 +1,5 @@
+module Puppet::Parser::Functions
+ newfunction(:puppet_master_classifer_settings, :type => :rvalue) do |args|
+ function_parseyaml([function_file([File.join(lookupvar('settings::confdir').to_s, 'classifier.yaml')])])
+ end
+end
diff --git a/site/puppetdb_hostname_function/lib/puppet/parser/functions/puppetdb_hostname.rb b/site/puppetdb_hostname_function/lib/puppet/parser/functions/puppetdb_hostname.rb
new file mode 100644
index 0000000..b43365f
--- /dev/null
+++ b/site/puppetdb_hostname_function/lib/puppet/parser/functions/puppetdb_hostname.rb
@@ -0,0 +1,12 @@
+require 'puppet/util/puppetdb'
+
+module Puppet::Parser::Functions
+ newfunction(:puppetdb_hostnames, :type => :rvalue) do |args|
+ output = []
+ Puppet::Util::Puppetdb.config.server_urls.each do | server_url |
+ output << server_url.hostname
+ end
+
+ output
+ end
+end
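Review bot: The function accepts `args` but never checks them, and the `function_file` call raises a parse error when `classifier.yaml` is absent from the confdir, so neither the input nor the failure mode is stated anywhere; declaring `:arity => 0` (the option the later `no_fail_file` function uses) and adding a `:doc` string saying that the function returns the parsed contents of the master's `classifier.yaml` and fails when that file is missing would make the contract explicit. The name is spelled `classifer` in the function symbol, the file and the module path; since later manifests call it by that spelling, a rename has to change all of them together.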
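Review bot: The function is registered as `:puppetdb_hostnames` but the file is `puppetdb_hostname.rb`; Puppet autoloads a parser function from the file named after the function, so a manifest calling `puppetdb_hostnames()` is likely not to find it unless the file has already been loaded some other way — rename the file to `puppetdb_hostnames.rb` or the symbol to `:puppetdb_hostname`. The accumulate-and-return loop is the manual form of `map`: `Puppet::Util::Puppetdb.config.server_urls.map(&:hostname)` replaces the five lines from `output = []` to `output`. `args` is unused, so `:arity => 0` would reject accidental arguments instead of ignoring them.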
From 8c71bd0b13160f13eeb27613031be167e94f7ade Mon Sep 17 00:00:00 2001 From: Nick Walker Date: Mon, 9 Nov 2015 16:21:45 -0800 Subject: [PATCH 02/17] Enable code manager via param in common.yaml --- hieradata/common.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/hieradata/common.yaml b/hieradata/common.yaml index 191061c..c63e76e 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml @@ -3,6 +3,8 @@ message: "This node is using common data" #Puppet Server Tuning puppet_enterprise::master::puppetserver::jruby_max_requests_per_instance: 10000 +#Enable code manager +puppet_enterprise::profile::master::code_manager_auto_configure: true #pe-console-services tuning #https://docs.puppetlabs.com/pe/latest/console_config.html#tuning-the-classifier-synchronization-period From 4c2be74083287516b72ab4f3ccaaf317ea7a2eb0 Mon Sep 17 00:00:00 2001 From: Nick Walker Date: Wed, 11 Nov 2015 13:41:34 -0800 Subject: [PATCH 03/17] Add support for code manager which will replace zack r10k Add pltraing-rbac module Added a new profile for code_manager that: - creates a service users for code manager - creates a token for that service user - creates a hook on a git server using the token Turns out that the file function in puppet cannot read files in /root. The pe-puppet user needs read permissions on the file and traversal on the directory which giving to /root would probably be a bad idea. So, I just put the file containing the token in /etc/puppetlabs/puppetserver since I'm not sure where would be better. --- Puppetfile | 4 ++ site/profile/manifests/code_manager.pp | 66 +++++++++++++++++++ site/profile/manifests/puppetmaster.pp | 3 +- site/profile/manifests/zack_r10k_webhook.pp | 11 ++++ .../code_manager/create_rbac_token.epp | 7 ++ 5 files changed, 90 insertions(+), 1 deletion(-) create mode 100644 site/profile/manifests/code_manager.pp create mode 100644 site/profile/templates/code_manager/create_rbac_token.epp 
diff --git a/Puppetfile b/Puppetfile
index ac90e14..6bc31f8 100644
--- a/Puppetfile
+++ b/Puppetfile
@@ -34,3 +34,7 @@ mod 'r10k',
 mod 'gms',
 :git => 'https://github.com/npwalker/abrader-gms',
 :branch => 'gitlab_disable_ssl_verify_support'
+
+mod 'pltraining-rbac',
+ :git => 'https://github.com/puppetlabs/pltraining-rbac',
+ :ref => '2f60e1789a721ce83f8df061e13f8bf81cd4e4ce'
diff --git a/site/profile/manifests/code_manager.pp b/site/profile/manifests/code_manager.pp
new file mode 100644
index 0000000..f244564
--- /dev/null
+++ b/site/profile/manifests/code_manager.pp
@@ -0,0 +1,66 @@
+class profile::code_manager {
+
+ $code_manager_service_user = 'code_manager_service_user'
+ $code_manager_service_user_password = fqdn_rand_string(40, '', "${code_manager_service_user}_password")
+
+ #puppet_master_classifier_settings is a custom function
+ $classifier_settings = puppet_master_classifer_settings()
+ $classifier_hostname = $classifier_settings['server']
+ $classifier_port = $classifier_settings['port']
+
+ $token_directory = '/etc/puppetlabs/puppetserver/.puppetlabs'
+ $token_filename = "${token_directory}/${code_manager_service_user}_token"
+
+ $gms_api_token = hiera('gms_api_token', undef)
+ $git_management_system = hiera('git_management_system', undef)
+
+ rbac_user { $code_manager_service_user :
+ ensure => 'present',
+ name => $code_manager_service_user,
+ email => "${code_manager_service_user}@example.com",
+ display_name => 'Code Manager Service Account',
+ password => $code_manager_service_user_password,
+ roles => [ 'Deploy Environments' ],
+ }
+
+ file { $token_directory :
+ ensure => directory,
+ owner => 'pe-puppet',
+ group => 'pe-puppet',
+ }
+
+ exec { "Generate Token for ${code_manager_service_user}" :
+ command => epp('profile/code_manager/create_rbac_token.epp',
+ { 'code_manager_service_user' => $code_manager_service_user,
+ 'code_manager_service_user_password' => $code_manager_service_user_password,
+ 'classifier_hostname' => $classifier_hostname,
+ 'classifier_port' => $classifier_port,
+ 'token_filename' => $token_filename
+ }),
+ creates => $token_filename,
+ require => [ Rbac_user[$code_manager_service_user], File[$token_directory] ],
+ }
+
+
+ if !empty($gms_api_token) {
+
+ #this file cannont be read until the next run after the above exec
+ #because the file function runs on the master not on the agent
+ $rbac_token = parsejson(file($token_filename))['token']
+
+ $code_manager_webhook_type = $git_management_system ?
{ + 'gitlab' => 'github', + default => $git_management_system, + } + + git_webhook { "code_manager_post_receive_webhook-${::fqdn}" : + ensure => present, + webhook_url => "https://${::fqdn}:8170/code-manager/v1/webhook?type=${code_manager_webhook_type}&token=${rbac_token}", + token => $gms_api_token, + project_name => 'puppet/control-repo', + server_url => hiera('gms_server_url'), + provider => $git_management_system, + disable_ssl_verify => true, + } + } +} diff --git a/site/profile/manifests/puppetmaster.pp b/site/profile/manifests/puppetmaster.pp index 0954807..e63d819 100644 --- a/site/profile/manifests/puppetmaster.pp +++ b/site/profile/manifests/puppetmaster.pp @@ -25,7 +25,8 @@ class profile::puppetmaster ( #END - Generate an SSH key for r10k to connect to git #BEGIN - Add deploy key and webook to git management system - $git_management_system = hiera('git_management_system', '') + $git_management_system = hiera('git_management_system', undef) + $gms_api_token = hiera('gms_api_token', undef) if $git_management_system in ['gitlab', 'github'] { diff --git a/site/profile/manifests/zack_r10k_webhook.pp b/site/profile/manifests/zack_r10k_webhook.pp index 7e0bd40..3dae9d7 100644 --- a/site/profile/manifests/zack_r10k_webhook.pp +++ b/site/profile/manifests/zack_r10k_webhook.pp @@ -26,4 +26,15 @@ class profile::zack_r10k_webhook ( require => Class['r10k::webhook::config'], } + if !empty($gms_api_token) { + git_webhook { "web_post_receive_webhook-${::fqdn}" : + ensure => present, + webhook_url => "https://${username}:${password}@${::fqdn}:8088/payload", + token => $gms_api_token, + project_name => 'puppet/control-repo', + server_url => hiera('gms_server_url'), + provider => $git_management_system, + disable_ssl_verify => true, + } + } } diff --git a/site/profile/templates/code_manager/create_rbac_token.epp b/site/profile/templates/code_manager/create_rbac_token.epp new file mode 100644 index 0000000..31bf00f --- /dev/null 
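Review bot: The RBAC service-account password at `$code_manager_service_user_password = fqdn_rand_string(40, '', "${code_manager_service_user}_password")` is a deterministic function of the node's fqdn and a seed that lives in this repository, so anyone who can read the control repo and knows the master's hostname can reproduce the credential of a user holding the `Deploy Environments` role; a value supplied from hiera (eyaml) or generated once on the host and never placed in the catalog does not have that property. The same password is interpolated into the `exec` command, so it is part of the compiled catalog and appears in agent output and reports whenever that exec fails. The token file under `$token_directory` is created by a shell redirect with the default umask and the `file { $token_directory }` resource sets no `mode`, so the non-expiring token may be readable by other local users; `mode => '0700'` on the directory is a cheap guard. `disable_ssl_verify => true` on `git_webhook` (copied into `zack_r10k_webhook.pp` in this same patch) disables server verification for the GMS API call that carries `$gms_api_token`; a CA bundle for the GMS host is the fix rather than a flag.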
+++ b/site/profile/templates/code_manager/create_rbac_token.epp @@ -0,0 +1,7 @@ +<%- | String $code_manager_service_user, + String $code_manager_service_user_password, + String $classifier_hostname, + Integer $classifier_port, + String $token_filename +| -%> +/opt/puppetlabs/puppet/bin/curl -k -X POST -H 'Content-Type: application/json' -d '{"login": "<%= $code_manager_service_user %>", "password": "<%= $code_manager_service_user_password %>", "lifetime": "0"}' https://<%= $classifier_hostname %>:<%= $classifier_port %>/rbac-api/v1/auth/token >> <%= $token_filename %> From 2d7a9a72e10526c07bdc77b2b8eefcc368db8b45 Mon Sep 17 00:00:00 2001 From: Nick Walker Date: Wed, 11 Nov 2015 13:43:57 -0800 Subject: [PATCH 04/17] Refactor puppetmaster and zack_r10k_webhook Moved the webhook resource out of puppetmaster and into zack_r10k to support exchaning code_manager in place of zack_r10k As a result I cleaned up some unnecessary parameters. Installing both the r10k webhook and the code_manager at this time for testing --- site/profile/manifests/puppetmaster.pp | 19 +++---------------- site/profile/manifests/zack_r10k_webhook.pp | 8 ++++++-- site/role/manifests/all_in_one_pe.pp | 15 +++------------ 3 files changed, 12 insertions(+), 30 deletions(-) diff --git a/site/profile/manifests/puppetmaster.pp b/site/profile/manifests/puppetmaster.pp index e63d819..d6a657f 100644 --- a/site/profile/manifests/puppetmaster.pp +++ b/site/profile/manifests/puppetmaster.pp @@ -1,7 +1,4 @@ -class profile::puppetmaster ( - $webhook_username, - $webhook_password -) { +class profile::puppetmaster { class { 'hiera': hierarchy => [ 
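Review bot: The template appends with `>> <%= $token_filename %>`, so whatever body curl receives — including an RBAC error response — creates the file, satisfies the exec's `creates` guard and is never retried, and a second invocation would leave two JSON documents that `parsejson` cannot read; write to a temporary name with `>` and rename only after the response has been checked, or at minimum use `>`. The service-account password is passed as a `-d` literal on the curl command line, where it is visible in the master's process list for the duration of the call and in Puppet's exec failure output; `-d @file` with a 0600 file keeps it out of `ps`. `-k` disables certificate verification while sending that password; `--cacert /etc/puppetlabs/puppet/ssl/certs/ca.pem` verifies the classifier against the CA the master already trusts. `"lifetime": "0"` requests a token with no expiry (the README change in a later patch grants the override-default-expiry permission for this), which is why the permissions on the token file matter.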
@@ -28,28 +25,18 @@ class profile::puppetmaster ( $git_management_system = hiera('git_management_system', undef) $gms_api_token = hiera('gms_api_token', undef) - if $git_management_system in ['gitlab', 'github'] { + if !empty($gms_api_token) { git_deploy_key { "add_deploy_key_to_puppet_control-${::fqdn}": ensure => present, name => $::fqdn, path => "${r10k_ssh_key_file}.pub", - token => hiera('gms_api_token'), + token => $gms_api_token, project_name => 'puppet/control-repo', server_url => hiera('gms_server_url'), provider => $git_management_system, } - git_webhook { "web_post_receive_webhook-${::fqdn}" : - ensure => present, - webhook_url => "https://${webhook_username}:${webhook_password}@${::fqdn}:8088/payload", - token => hiera('gms_api_token'), - project_name => 'puppet/control-repo', - server_url => hiera('gms_server_url'), - provider => $git_management_system, - disable_ssl_verify => true, - } - } #END - Add deploy key and webhook to git management system diff --git a/site/profile/manifests/zack_r10k_webhook.pp b/site/profile/manifests/zack_r10k_webhook.pp index 3dae9d7..f35f856 100644 --- a/site/profile/manifests/zack_r10k_webhook.pp +++ b/site/profile/manifests/zack_r10k_webhook.pp @@ -1,9 +1,13 @@ class profile::zack_r10k_webhook ( - $username, - $password, $use_mcollective = false, ) { + $username = hiera('webhook_username', fqdn_rand_string(10, '', 'username')) + $password = hiera('webhook_password', fqdn_rand_string(20, '', 'password')) + + $gms_api_token = hiera('gms_api_token', undef) + $git_management_system = hiera('git_management_system', undef) + if $use_mcollective { class { 'r10k::mcollective': diff --git a/site/role/manifests/all_in_one_pe.pp b/site/role/manifests/all_in_one_pe.pp index 6bc2eb3..3807e46 100644 --- a/site/role/manifests/all_in_one_pe.pp +++ b/site/role/manifests/all_in_one_pe.pp 
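Review bot: The guard changes from `$git_management_system in ['gitlab', 'github']` to `!empty($gms_api_token)`, so hiera data that sets the token but leaves `git_management_system` unset now reaches `git_deploy_key` with `provider => undef` and fails at catalog application instead of being skipped; `if !empty($gms_api_token) and $git_management_system in ['gitlab', 'github'] {` keeps both checks. The class body continues outside the hunk.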
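Review bot: `$username` and `$password` now default to `fqdn_rand_string(10, '', 'username')` and `fqdn_rand_string(20, '', 'password')`, which are reproducible from the master's fqdn and the literal seeds in this file, so the basic-auth credentials embedded in the port-8088 webhook URL are effectively public to anyone who can read the control repo; `profile::code_manager` derives its RBAC service-account password the same way. Treat the defaults as placeholders: document above the two lookups that `webhook_username`/`webhook_password` are expected to be set in hiera, or generate the secret once on the host rather than in the catalog. The class body continues outside the hunk.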
@@ -1,16 +1,7 @@ class role::all_in_one_pe { - $webhook_username = hiera('webhook_username', fqdn_rand_string(10, '', 'username')) - $webhook_password = hiera('webhook_password', fqdn_rand_string(20, '', 'password')) - - class { 'profile::puppetmaster' : - webhook_username => $webhook_username, - webhook_password => $webhook_password, - } - - class { 'profile::zack_r10k_webhook' : - username => $webhook_username, - password => $webhook_password, - } + include profile::puppetmaster + include profile::zack_r10k_webhook + include profile::code_manager } From b71ab8d42eca09d24c4f0b4955b0779fcbb3a5bc Mon Sep 17 00:00:00 2001 From: Nick Walker Date: Sun, 15 Nov 2015 10:44:53 -0800 Subject: [PATCH 05/17] Allow code_manager profile to not error out on first run Prior to this commit, the code manger profile could not complete on the first run because the file function would error out I implemented a new version of the file function that returns nothing when the file does not exist instead of erroring out which allows me to gate creating the webhook on whether there is content in the file. As a result this means that it takes 2 runs to get everything setup but this is preferable over having to manually intervene in some other way if the token file doesn't exist. --- .../puppet/parser/functions/no_fail_file.rb | 36 +++++++++++++++++++ site/profile/manifests/code_manager.pp | 11 +++--- 2 files changed, 43 insertions(+), 4 deletions(-) create mode 100644 site/no_fail_file/lib/puppet/parser/functions/no_fail_file.rb diff --git a/site/no_fail_file/lib/puppet/parser/functions/no_fail_file.rb b/site/no_fail_file/lib/puppet/parser/functions/no_fail_file.rb new file mode 100644 index 0000000..3819ebf --- /dev/null +++ b/site/no_fail_file/lib/puppet/parser/functions/no_fail_file.rb 
@@ -0,0 +1,36 @@
+require 'puppet/file_system'
+
+Puppet::Parser::Functions::newfunction(
+ :no_fail_file, :arity => -2, :type => :rvalue,
+ :doc => "Loads a file from a module and returns its contents as a string.
+
+ This is a replacement to the file function that returns nothing
+ if the file specified cannot be found instead of erroring out.
+
+ The argument to this function should be a `/`
+ reference, which will load `` from a module's `files`
+ directory. (For example, the reference `mysql/mysqltuner.pl` will load the
+ file `/mysql/files/mysqltuner.pl`.)
+
+ This function can also accept:
+
+ * An absolute path, which can load a file from anywhere on disk.
+ * Multiple arguments, which will return the contents of the **first** file
+ found, skipping any files that don't exist.
+ "
+) do |vals|
+ path = nil
+ vals.each do |file|
+ found = Puppet::Parser::Files.find_file(file, compiler.environment)
+ if found && Puppet::FileSystem.exist?(found)
+ path = found
+ break
+ end
+ end
+
+ if path
+ Puppet::FileSystem.read_preserve_line_endings(path)
+ else
+ nil
+ end
+end
diff --git a/site/profile/manifests/code_manager.pp b/site/profile/manifests/code_manager.pp
index f244564..6416054 100644
--- a/site/profile/manifests/code_manager.pp
+++ b/site/profile/manifests/code_manager.pp
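Review bot: The `path = nil` / `vals.each` / `break` loop is the manual form of `find`; `path = vals.lazy.map { |file| Puppet::Parser::Files.find_file(file, compiler.environment) }.find { |found| found && Puppet::FileSystem.exist?(found) }` keeps the first-match semantics in one expression, and the trailing `if path ... else nil end` collapses to `Puppet::FileSystem.read_preserve_line_endings(path) if path`. The `:doc` string says the function "returns nothing"; stating that it returns `undef` when no argument resolves to an existing file, and that — as with the core `file` function — an absolute path lets a manifest read any file the puppetserver process can read, would make both the contract and its reach explicit. The empty backtick spans around `/` in the doc text look like lost `<MODULE>/<FILE>` placeholders, which is worth checking in the committed file.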
@@ -42,11 +42,14 @@ class profile::code_manager { } - if !empty($gms_api_token) { + #this file cannont be read until the next run after the above exec + #because the file function runs on the master not on the agent + #so the file doesn't exist at the time the function is run + $rbac_token_file_contents = no_fail_file($token_filename) - #this file cannont be read until the next run after the above exec - #because the file function runs on the master not on the agent - $rbac_token = parsejson(file($token_filename))['token'] + if !empty($gms_api_token) and !empty($rbac_token_file_contents) { + + $rbac_token = parsejson($rbac_token_file_contents)['token'] $code_manager_webhook_type = $git_management_system ? { 'gitlab' => 'github', From 947a5529a389a9f8d391fcfaa31db1e64b645705 Mon Sep 17 00:00:00 2001 From: Nick Walker Date: Wed, 18 Nov 2015 10:15:04 -0800 Subject: [PATCH 06/17] Disable code manager webhook authentication --- hieradata/common.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/hieradata/common.yaml b/hieradata/common.yaml index c63e76e..8be38fe 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml @@ -5,6 +5,7 @@ message: "This node is using common data" puppet_enterprise::master::puppetserver::jruby_max_requests_per_instance: 10000 #Enable code manager puppet_enterprise::profile::master::code_manager_auto_configure: true +puppet_enterprise::master::code_manager::authenticate_webhook: false #pe-console-services tuning #https://docs.puppetlabs.com/pe/latest/console_config.html#tuning-the-classifier-synchronization-period From 6ac2b30b38ebe5c0ddef3a8da3721ff9114701ab Mon Sep 17 00:00:00 2001 From: Nick Walker Date: Fri, 20 Nov 2015 10:37:10 -0800 Subject: [PATCH 07/17] Allow disabling authentication on code manager webhook --- site/profile/manifests/code_manager.pp | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) 
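Review bot: `!empty($rbac_token_file_contents)` only proves the file has bytes; a JSON error body written by the token exec (the template appends whatever curl receives) passes this gate, `parsejson(...)['token']` then yields `undef`, and the webhook URL ends in `&token=`. Guard on the parsed value instead: `$rbac_token = parsejson($rbac_token_file_contents)['token']` ahead of the `if`, then `if !empty($gms_api_token) and $rbac_token {`. The class body continues outside the hunk.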
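Review bot: `puppet_enterprise::master::code_manager::authenticate_webhook: false` makes the Code Manager webhook on port 8170 accept deploy requests without an RBAC token, so anything that can reach that port can trigger deployments from the configured repository (it cannot choose what is deployed, but it can drive load and race in-progress deploys). A comment beside the key recording the trade-off — keeping the non-expiring service token out of the GMS webhook URL — and the expectation that 8170 is reachable only from the git server would capture the intent; the profile added in the next patch reads this same key, so the two have to stay aligned.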
diff --git a/site/profile/manifests/code_manager.pp b/site/profile/manifests/code_manager.pp index 6416054..f660f54 100644 --- a/site/profile/manifests/code_manager.pp +++ b/site/profile/manifests/code_manager.pp @@ -1,5 +1,7 @@ class profile::code_manager { + $authenticate_webhook = hiera('puppet_enterprise::master::code_manager::authenticate_webhook', true) + $code_manager_service_user = 'code_manager_service_user' $code_manager_service_user_password = fqdn_rand_string(40, '', "${code_manager_service_user}_password") @@ -47,9 +49,16 @@ class profile::code_manager { #so the file doesn't exist at the time the function is run $rbac_token_file_contents = no_fail_file($token_filename) - if !empty($gms_api_token) and !empty($rbac_token_file_contents) { + if !empty($gms_api_token) { + if $authenticate_webhook and !empty($rbac_token_file_contents) { - $rbac_token = parsejson($rbac_token_file_contents)['token'] + $rbac_token = parsejson($rbac_token_file_contents)['token'] + + $token_info = "&token=${rbac_token}" + } + else { + $token_info = '' + } $code_manager_webhook_type = $git_management_system ? { 'gitlab' => 'github', @@ -58,7 +67,7 @@ class profile::code_manager { git_webhook { "code_manager_post_receive_webhook-${::fqdn}" : ensure => present, - webhook_url => "https://${::fqdn}:8170/code-manager/v1/webhook?type=${code_manager_webhook_type}&token=${rbac_token}", + webhook_url => "https://${::fqdn}:8170/code-manager/v1/webhook?type=${code_manager_webhook_type}${token_info}", token => $gms_api_token, project_name => 'puppet/control-repo', server_url => hiera('gms_server_url'), From 1b0f63be83464dc7bdc9561b3d5b3a937a4dfb39 Mon Sep 17 00:00:00 2001 From: Nick Walker Date: Fri, 20 Nov 2015 17:01:23 -0800 Subject: [PATCH 08/17] Chown files in codedir to pe-puppet --- site/profile/manifests/code_manager.pp | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/site/profile/manifests/code_manager.pp b/site/profile/manifests/code_manager.pp index f660f54..db1d901 100644 
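Review bot: In the `@@ -47,9 +49,16 @@` hunk the `else` branch sets `$token_info = ''` both when authentication is deliberately off and when it is on but `$rbac_token_file_contents` is still empty (the first run, before the token exec has produced the file); in the second case a hook is registered without a token and the GMS's calls are rejected by Code Manager until the next agent run rewrites the URL. Splitting the condition — when `$authenticate_webhook` is true and the file is empty, log a `notice` and skip the `git_webhook` declaration — avoids registering a hook that cannot work yet. The class body continues outside the hunk.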
--- a/site/profile/manifests/code_manager.pp +++ b/site/profile/manifests/code_manager.pp @@ -16,6 +16,12 @@ class profile::code_manager { $gms_api_token = hiera('gms_api_token', undef) $git_management_system = hiera('git_management_system', undef) + #If files exist in the codedir code manager can't manage them unless pe-puppet can read them + exec { 'chown all environments to pe-puppet' : + command => "/bin/chown -R pe-puppet:pe-puppet ${::settings::codedir}", + unless => "/usr/bin/test \$(stat -c %U ${::settings::codedir}/environments/production) = 'pe-puppet'", + } + rbac_user { $code_manager_service_user : ensure => 'present', name => $code_manager_service_user, From cc34e25fd54e60caf744130d90c14f8d839c7823 Mon Sep 17 00:00:00 2001 From: Nick Walker Date: Mon, 7 Dec 2015 07:55:32 -0800 Subject: [PATCH 09/17] Final steps to make Code Manager work - Moved ssh key generation and git deploy key out of the puppetmaster profile and into zack_r10k and code_manager - Swapped code manager into the all_in_one role - Made a 2015.2 all_in_one role if users prefer to use it - Conditionally move all existing code out of environmentpath to allow file sync to sync files - Update the README to compliment the new puppet code --- README.md | 73 ++++++++++++--------- site/profile/manifests/code_manager.pp | 50 +++++++++++++- site/profile/manifests/puppetmaster.pp | 27 -------- site/profile/manifests/zack_r10k_webhook.pp | 18 ++++- site/role/manifests/all_in_one_pe.pp | 1 - site/role/manifests/all_in_one_pe_2015_2.pp | 6 ++ 6 files changed, 111 insertions(+), 64 deletions(-) create mode 100644 site/role/manifests/all_in_one_pe_2015_2.pp diff --git a/README.md b/README.md index 837e5f0..8d14212 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# Before Starting: +# Before Starting: This control repo and the steps below are intended to be used during a new installation of PE. 
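Review bot: The `unless` relies on `$(stat -c %U ...)` command substitution, but Puppet's default posix exec provider is documented as running commands without a shell, so whether the substitution happens depends on the runtime; `provider => shell` on the resource makes it deterministic. The check also inspects only `environments/production`: where that directory does not yet exist `stat` fails, the `test` comparison is malformed, and `chown -R` over the whole codedir runs on every agent run, while a tree whose production directory is already owned by pe-puppet but whose other environments are not is never corrected. `onlyif => "/usr/bin/find ${::settings::codedir} ! -user pe-puppet | /bin/grep -q ."` covers both cases. The class body continues outside the hunk.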
@@ -17,15 +17,15 @@ extension_requests: 1.3.6.1.4.1.34380.1.1.13: 'all_in_one_pe' ``` -### If You Have Not Installed PE +### If You Have Not Installed PE -Good then you can proceed forward and the trusted fact will be used when you get to the install step. +Good then you can proceed forward and the trusted fact will be used when you get to the install step. ### If You Have Already Installed PE -Trusted facts are created at the time a CSR is generated. So, we need to regenerate the certificate on the master for the above trusted fact to be created. +Trusted facts are created at the time a CSR is generated. So, we need to regenerate the certificate on the master for the above trusted fact to be created. -Follow this document to regenerate the certificate on your master. +Follow this document to regenerate the certificate on your master. http://docs.puppetlabs.com/pe/latest/regenerate_certs_master.html @@ -53,20 +53,20 @@ http://docs.puppetlabs.com/pe/latest/regenerate_certs_master.html - In the left hand pane, select memembers - Add the `r10k_api_user` with `master` permissions -7. Add your user to the `puppet` group as well +7. Add your user to the `puppet` group as well 8. Create a project called `control-repo` and set the Namespace to be the `puppet` group 9. Logout of root and login as the `r10k_api_user` - Go to profile settings -> account ( https:///profile/account ) - Copy the api token - + 10. Clone this control repository to your laptop/workstation - `git clone ` - `cd control-repo` 11. `git mv hieradata/nodes/example-puppet-master.yaml hieradata/nodes/.yaml` - - Open `hieradata/nodes/.yaml` + - Open `hieradata/nodes/.yaml` - edit `gms_api_token` to be your api token - edit `git_management_system` to be 'gitlab' - edit the `gms_server_url` 
@@ -99,7 +99,7 @@ Coming soon! ###Install PE 1. Download the latest version of the PE installer for your platform and copy it to your master - - https://puppetlabs.com/download-puppet-enterprise + - https://puppetlabs.com/download-puppet-enterprise 2. Expand the tarball and `cd` into the directory 3. Run `puppet-enterprise-installer` to install 
@@ -109,34 +109,50 @@ http://docs.puppetlabs.com/pe/latest/install_basic.html ###Get the Control-Repo Deployed On Your Master -At this point you have my control-repo code deployed into your git server. However, we have one final challenge getting that code onto your puppet master. In the end state the master will pull code from the git server via r10k, however, at this moment your puppet master doesn't have credentials to get code from the git server. +At this point you have our control-repo code deployed into your git server. However, we have one final challenge: getting that code onto your puppet master. In the end state the master will pull code from the git server via r10k, however, at this moment your puppet master doesn't have credentials to get code from the git server. -So, we'll set up a deploy key in the git server that will allow a ssh-key we make to deploy the code and configure everything else. +So, we'll set up a deploy key in the git server that will allow a ssh-key we make to deploy the code and configure everything else. 1. On your puppet master, make an ssh key for r10k to connect to gitlab - - `/usr/bin/ssh-keygen -t rsa -b 2048 -C 'r10k' -f /root/.ssh/r10k_rsa -q -N ''` + - `/usr/bin/ssh-keygen -t rsa -b 2048 -C 'code_manager' -f /etc/puppetlabs/puppetserver/code_manager.key -q -N ''` - http://doc.gitlab.com/ce/ssh/README.html - https://help.github.com/articles/generating-ssh-keys/ 2. Create a deploy key on the `control-repo` project in Gitlab - Paste in the public key from above - - `cat /root/.ssh/r10k_rsa.pub` -3. Follow https://docs.puppetlabs.com/pe/latest/r10k_config_console.html - - The remote is on the front page of the project in the gitlab UI - - git_settings should be: - - `{"provider": "rugged", - "private_key": "/root/.ssh/r10k_rsa"}` -3. Run `puppet agent -t` + - `cat /etc/puppetlabs/puppetserver/code_manager.key.pub` +3. Login to the PE console +4. Select Access Control in the left hand panel +5. 
On the User Roles page, add a new role called `Deploy Environments` + - NOTE: Make sure to name it exactly as I have because the puppet code expects that exact name +6. After creating the role click through and select the permissions tab + - Add Puppet Environment type, Deploy Code permission, and All object + - Add Tokens type, override default expiry permission +7. Still in the PE Console, navigate to the Classification page + - Click on the PE Master group + - Click the Classes tab + - Add the `puppet_enterprise::profile::master` + - Set the `r10k_remote` to the ssh url from the front page of your gitlab repo + - Set the `r10k_private_key` parameter to `/etc/puppetlabs/puppetserver/code_manager.key` + - Commit your changes +8. Run `puppet agent -t` - Expect to see changes to `r10k.yaml` -3. Run `r10k deploy environment -pv` -4. Run `puppet agent -t` +9. Run `r10k deploy environment -pv` +10. Run `puppet agent -t` + - Expect to see code manager enabled +10. `echo 'code_manager_mv_old_code=true' > /opt/puppetlabs/facter/facts.d/code_manager_mv_old_code.txt` +11. Run `puppet agent -t` - Now you should see many more changes + - Your code has been deployed with code manager now + +## Test Code Manager + ## Test The Zack/r10k Webhook -One of the components setup by this control-repo is that when you "push" code to your git server, the git server will inform the puppet master to run `r10k deploy environment -p`. +One of the components setup by this control-repo is that when you "push" code to your git server, the git server will inform the puppet master to run `r10k deploy environment -p`. -1. Edit README.md +1. Edit README.md - Just add something to it 2. `git add README.md` 3. `git commit -m "edit README"` 
@@ -144,16 +160,14 @@ One of the components setup by this control-repo is that when you "push" code to 5. Allow the push to complete and then give it few seconds to complete - Open `/etc/puppetlabs/code/environments/production/README.md` and confirm your change is present - - ---- #Miscellaneous ## If You Want to Install Pointing To This Repo on Github -### Setting Up Gitlab +### Setting Up Gitlab -1. Install Gitlab on a server by specifying the following trusted fact on the soon-to-be Gitlab server and then [install the PE agent](http://docs.puppetlabs.com/pe/latest/install_agents.html#using-the-puppet-agent-package-installation-script). +1. Install Gitlab on a server by specifying the following trusted fact on the soon-to-be Gitlab server and then [install the PE agent](http://docs.puppetlabs.com/pe/latest/install_agents.html#using-the-puppet-agent-package-installation-script). ``` --- @@ -164,7 +178,7 @@ One of the components setup by this control-repo is that when you "push" code to ### Setting up Github -Not yet completed. +Not yet completed. ### Setting up Stash @@ -173,6 +187,3 @@ Not yet completed. #TODO Flush out generating an answer file and then appending extra answers onto the end of it. - - - diff --git a/site/profile/manifests/code_manager.pp b/site/profile/manifests/code_manager.pp index db1d901..fc0eb8b 100644 --- a/site/profile/manifests/code_manager.pp +++ b/site/profile/manifests/code_manager.pp 
@@ -1,10 +1,10 @@ class profile::code_manager { - $authenticate_webhook = hiera('puppet_enterprise::master::code_manager::authenticate_webhook', true) + $authenticate_webhook = hiera('puppet_enterprise::master::code_manager::authenticate_webhook', true) $code_manager_service_user = 'code_manager_service_user' $code_manager_service_user_password = fqdn_rand_string(40, '', "${code_manager_service_user}_password") - + #puppet_master_classifier_settings is a custom function $classifier_settings = puppet_master_classifer_settings() $classifier_hostname = $classifier_settings['server'] @@ -16,6 +16,19 @@ class profile::code_manager { $gms_api_token = hiera('gms_api_token', undef) $git_management_system = hiera('git_management_system', undef) + $code_manager_ssh_key_file = '/etc/puppetlabs/puppetserver/code_manager.key' + exec { 'create code manager ssh key' : + command => "/usr/bin/ssh-keygen -t rsa -b 2048 -C 'code_manager' -f ${code_manager_ssh_key_file} -q -N ''", + creates => $code_manager_ssh_key_file, + } + + file { $code_manager_ssh_key_file : + ensure => file, + owner => 'pe-puppet', + group => 'pe-puppet', + require => Exec['create code manager ssh key'], + } + #If files exist in the codedir code manager can't manage them unless pe-puppet can read them exec { 'chown all environments to pe-puppet' : command => "/bin/chown -R pe-puppet:pe-puppet ${::settings::codedir}", 
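Review bot: `file { $code_manager_ssh_key_file }` asserts `owner` and `group` but not `mode`, so the private key keeps whatever permissions `ssh-keygen` left and later drift is not corrected; `mode => '0600'` next to `owner`/`group` keeps the deploy key unreadable to other users. The `exec` generates the key with `-N ''`, i.e. unencrypted, which is expected for an unattended deploy key but deserves a comment, and the `.pub` file is not managed at all even though `git_deploy_key` reads it later in this file. The class body continues outside the hunk.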
@@ -49,12 +62,33 @@ class profile::code_manager { require => [ Rbac_user[$code_manager_service_user], File[$token_directory] ], } - #this file cannont be read until the next run after the above exec #because the file function runs on the master not on the agent #so the file doesn't exist at the time the function is run $rbac_token_file_contents = no_fail_file($token_filename) + #Only mv code if this is at least the 2nd run of puppet + #Code manager needs to be enabled and puppet server restarted + #before this exec can complete. Gating on the token file + #ensures at least one run has completed + if $::code_manager_mv_old_code and !empty($rbac_token_file_contents) { + + $timestamp = chomp(generate('/bin/date', '+%Y%d%m_%H:%M:%S')) + + exec { 'mv files out of $environmentpath' : + command => "mkdir /etc/puppetlabs/env_back_${timestamp}; + mv ${::settings::codedir}/environments/* /etc/puppetlabs/env_back_${timestamp}/; + rm /opt/puppetlabs/facter/facts.d/code_manager_mv_old_code.txt; + TOKEN=`/opt/puppetlabs/puppet/bin/ruby -e \"require 'json'; puts JSON.parse(File.read('${token_filename}'))['token']\"`; + /opt/puppetlabs/puppet/bin/curl -k -X POST -H 'Content-Type: application/json' \"https://${::trusted['certname']}:8170/code-manager/v1/deploys?token=\$TOKEN\" -d '{\"environments\": [\"${::environment}\"], \"wait\": true}'; + /opt/puppetlabs/puppet/bin/curl -k -X POST -H 'Content-Type: application/json' \"https://${::trusted['certname']}:8170/code-manager/v1/deploys?token=\$TOKEN\" -d '{\"deploy-all\": true, \"wait\": true}'; + sleep 15", + path => $::path, + logoutput => true, + require => Exec["Generate Token for ${code_manager_service_user}"], + } + } + if !empty($gms_api_token) { if $authenticate_webhook and !empty($rbac_token_file_contents) { 
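Review bot: `generate('/bin/date', '+%Y%d%m_%H:%M:%S')` puts the day before the month, so backup directories do not sort chronologically; `'+%Y%m%d_%H%M%S'` is almost certainly what was meant. The command chains its steps with `;`, so a failed `mkdir` or `mv` still removes the `code_manager_mv_old_code.txt` fact file and fires both deploys, and because the fact is gone the exec never re-runs to recover; chaining with `&&` and removing the fact file last makes the step retryable (if `environments` may legitimately be empty, guard the `mv` so the chain does not stop there). The RBAC token is placed in the request URL (`?token=\$TOKEN`), where it tends to end up in puppetserver access logs and in the process list; if this PE release's deploys endpoint honours the RBAC `X-Authentication` header, sending it there avoids that, and `--cacert /etc/puppetlabs/puppet/ssl/certs/ca.pem` replaces `-k` since the URL already uses the master's own certname. An explicit `provider => shell` makes the chaining independent of exec-provider behaviour. The class body continues outside the hunk.
```puppet
    $timestamp = chomp(generate('/bin/date', '+%Y%m%d_%H%M%S'))

    exec { 'mv files out of $environmentpath' :
      command   => "mkdir /etc/puppetlabs/env_back_${timestamp} &&
        mv ${::settings::codedir}/environments/* /etc/puppetlabs/env_back_${timestamp}/ &&
        TOKEN=\$(/opt/puppetlabs/puppet/bin/ruby -e \"require 'json'; puts JSON.parse(File.read('${token_filename}'))['token']\") &&
        /opt/puppetlabs/puppet/bin/curl --cacert /etc/puppetlabs/puppet/ssl/certs/ca.pem -X POST -H 'Content-Type: application/json' \"https://${::trusted['certname']}:8170/code-manager/v1/deploys?token=\$TOKEN\" -d '{\"environments\": [\"${::environment}\"], \"wait\": true}' &&
        /opt/puppetlabs/puppet/bin/curl --cacert /etc/puppetlabs/puppet/ssl/certs/ca.pem -X POST -H 'Content-Type: application/json' \"https://${::trusted['certname']}:8170/code-manager/v1/deploys?token=\$TOKEN\" -d '{\"deploy-all\": true, \"wait\": true}' &&
        rm /opt/puppetlabs/facter/facts.d/code_manager_mv_old_code.txt &&
        sleep 15",
      provider  => shell,
      # … unchanged: path, logoutput, require …
    }
```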
@@ -71,6 +105,16 @@ class profile::code_manager { default => $git_management_system, } + git_deploy_key { "add_deploy_key_to_puppet_control-${::fqdn}": + ensure => present, + name => $::fqdn, + path => "${code_manager_ssh_key_file}.pub", + token => $gms_api_token, + project_name => 'puppet/control-repo', + server_url => hiera('gms_server_url'), + provider => $git_management_system, + } + git_webhook { "code_manager_post_receive_webhook-${::fqdn}" : ensure => present, webhook_url => "https://${::fqdn}:8170/code-manager/v1/webhook?type=${code_manager_webhook_type}${token_info}", diff --git a/site/profile/manifests/puppetmaster.pp b/site/profile/manifests/puppetmaster.pp index d6a657f..28b3bdf 100644 --- a/site/profile/manifests/puppetmaster.pp +++ b/site/profile/manifests/puppetmaster.pp @@ -13,33 +13,6 @@ class profile::puppetmaster { notify => Service['pe-puppetserver'], } - #BEGIN - Generate an SSH key for r10k to connect to git - $r10k_ssh_key_file = '/root/.ssh/r10k_rsa' - exec { 'create r10k ssh key' : - command => "/usr/bin/ssh-keygen -t rsa -b 2048 -C 'r10k' -f ${r10k_ssh_key_file} -q -N ''", - creates => $r10k_ssh_key_file, - } - #END - Generate an SSH key for r10k to connect to git - - #BEGIN - Add deploy key and webook to git management system - $git_management_system = hiera('git_management_system', undef) - $gms_api_token = hiera('gms_api_token', undef) - - if !empty($gms_api_token) { - - git_deploy_key { "add_deploy_key_to_puppet_control-${::fqdn}": - ensure => present, - name => $::fqdn, - path => "${r10k_ssh_key_file}.pub", - token => $gms_api_token, - project_name => 'puppet/control-repo', - server_url => hiera('gms_server_url'), - provider => $git_management_system, - } - - } - #END - Add deploy key and webhook to git management system - #Lay down update-classes.sh for use in r10k postrun_command #This is configured via the pe_r10k::postrun key in hiera file { '/usr/local/bin/update-classes.sh' : 
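Review bot: The new `git_deploy_key` reads `"${code_manager_ssh_key_file}.pub"` but declares no relationship to `Exec['create code manager ssh key']`, so on a first run it relies on manifest ordering alone to find the public key; add `require => Exec['create code manager ssh key'],` so the dependency is explicit. `server_url => hiera('gms_server_url')` is looked up with no default inside the resource, unlike `$gms_api_token` and `$git_management_system`, so a missing key fails the compile with a less obvious message; hoisting it to `$gms_server_url = hiera('gms_server_url', undef)` next to the other lookups and guarding the resource on it would be consistent with the rest of the class. The enclosing `if !empty($gms_api_token)` block starts outside the hunk.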
diff --git a/site/profile/manifests/zack_r10k_webhook.pp b/site/profile/manifests/zack_r10k_webhook.pp index f35f856..0ab4da2 100644 --- a/site/profile/manifests/zack_r10k_webhook.pp +++ b/site/profile/manifests/zack_r10k_webhook.pp @@ -9,11 +9,9 @@ class profile::zack_r10k_webhook ( $git_management_system = hiera('git_management_system', undef) if $use_mcollective { - class { 'r10k::mcollective': notify => Service['mcollective'], } - } class {'r10k::webhook::config': @@ -30,7 +28,23 @@ class profile::zack_r10k_webhook ( require => Class['r10k::webhook::config'], } + $r10k_ssh_key_file = '/root/.ssh/r10k_rsa' + exec { 'create r10k ssh key' : + command => "/usr/bin/ssh-keygen -t rsa -b 2048 -C 'r10k' -f ${r10k_ssh_key_file} -q -N ''", + creates => $r10k_ssh_key_file, + } + if !empty($gms_api_token) { + git_deploy_key { "add_deploy_key_to_puppet_control-${::fqdn}": + ensure => present, + name => $::fqdn, + path => "${r10k_ssh_key_file}.pub", + token => $gms_api_token, + project_name => 'puppet/control-repo', + server_url => hiera('gms_server_url'), + provider => $git_management_system, + } + git_webhook { "web_post_receive_webhook-${::fqdn}" : ensure => present, webhook_url => "https://${username}:${password}@${::fqdn}:8088/payload", diff --git a/site/role/manifests/all_in_one_pe.pp b/site/role/manifests/all_in_one_pe.pp index 3807e46..a8152b1 100644 --- a/site/role/manifests/all_in_one_pe.pp +++ b/site/role/manifests/all_in_one_pe.pp @@ -1,7 +1,6 @@ class role::all_in_one_pe { include profile::puppetmaster - include profile::zack_r10k_webhook include profile::code_manager } diff --git a/site/role/manifests/all_in_one_pe_2015_2.pp b/site/role/manifests/all_in_one_pe_2015_2.pp new file mode 100644 index 0000000..01bf717 --- /dev/null +++ b/site/role/manifests/all_in_one_pe_2015_2.pp @@ -0,0 +1,6 @@ +class role::all_in_one_pe_2015_2 { + + include profile::puppetmaster + include profile::zack_r10k_webhook + +} 
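Review bot: The `create r10k ssh key` exec writes `/root/.ssh/r10k_rsa` but nothing ensures `/root/.ssh` exists, and `ssh-keygen` does not create the parent directory; on a host where it is missing the exec fails every run because `creates` is never satisfied. Add `file { '/root/.ssh': ensure => directory, owner => 'root', mode => '0700' }` and `require => File['/root/.ssh']` on the exec. As with the code-manager variant, the `git_deploy_key` that reads `"${r10k_ssh_key_file}.pub"` should carry `require => Exec['create r10k ssh key'],` rather than depend on manifest order. The enclosing class continues outside the hunk.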
From 2ed03892d9c9205cc3d5b624c648e4dca9e5b2b6 Mon Sep 17 00:00:00 2001 From: Nick Walker Date: Mon, 7 Dec 2015 08:03:13 -0800 Subject: [PATCH 10/17] Disable file bucket to match default PE2015.3 behavior --- manifests/site.pp | 19 ++++--------------- 1 file changed, 4 insertions(+), 15 deletions(-) diff --git a/manifests/site.pp b/manifests/site.pp index 65650cf..04b3d6e 100644 --- a/manifests/site.pp +++ b/manifests/site.pp @@ -11,20 +11,9 @@ ## Active Configurations ## -# PRIMARY FILEBUCKET -# This configures puppet agent and puppet inspect to back up file contents when -# they run. The Puppet Enterprise console needs this to display file contents -# and differences. - -# Define filebucket 'main': -filebucket { 'main': - #server should point to one master that will be the file bucket - server => "${settings::server}", - path => false, -} - -# Make filebucket 'main' the default backup location for all File resources: -File { backup => 'main' } +# Disable filebucket by default for all File resources: +#http://docs.puppetlabs.com/pe/latest/release_notes.html#filebucket-resource-no-longer-created-by-default +File { backup => false } # DEFAULT NODE # Node definitions in this file are merged with node data from the console. See @@ -40,7 +29,7 @@ node default { #incude a role on any node that specifies it's role via a trusted fact at provision time #https://docs.puppetlabs.com/puppet/latest/reference/lang_facts_and_builtin_vars.html#trusted-facts #https://docs.puppetlabs.com/puppet/latest/reference/ssl_attributes_extensions.html#aws-attributes-and-extensions-population-example - + if !empty( $trusted['extensions']['pp_role'] ) { include "role::${trusted['extensions']['pp_role']}" } From 5dcdf019634070e8f52b53f32074b3d14f4555f3 Mon Sep 17 00:00:00 2001 
From: Nick Walker Date: Thu, 17 Dec 2015 10:33:25 -0800 Subject: [PATCH 11/17] Add instructions for testing code manager Also, add a table of contents to the README. I generated the table of contents using https://github.com/ekalinin/github-markdown-toc.go --- README.md | 35 ++++++++++++++++++++++++++++++++++- 1 file changed, 34 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 8d14212..ed90d4f 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,26 @@ +Table of Contents +================= + + * [Before Starting:](#before-starting) + * [Setup a Trusted Fact On Your PE Master](#setup-a-trusted-fact-on-your-pe-master) + * [If You Have Not Installed PE](#if-you-have-not-installed-pe) + * [If You Have Already Installed PE](#if-you-have-already-installed-pe) + * [Copy This Repo Into Your Own Git Server](#copy-this-repo-into-your-own-git-server) + * [Gitlab](#gitlab) + * [Stash](#stash) + * [Github](#github) + * [Configure PE to Use the Control\-Repo](#configure-pe-to-use-the-control-repo) + * [Install PE](#install-pe) + * [Get the Control\-Repo Deployed On Your Master](#get-the-control-repo-deployed-on-your-master) + * [Test Code Manager](#test-code-manager) + * [Test The Zack/r10k Webhook](#test-the-zackr10k-webhook) + * [Miscellaneous](#miscellaneous) + * [If You Want to Install Pointing To This Repo on Github](#if-you-want-to-install-pointing-to-this-repo-on-github) + * [Setting Up Gitlab](#setting-up-gitlab) + * [Setting up Github](#setting-up-github) + * [Setting up Stash](#setting-up-stash) + * [TODO](#todo) + # Before Starting: This control repo and the steps below are intended to be used during a new installation of PE. 
@@ -146,7 +169,18 @@ So, we'll set up a deploy key in the git server that will allow a ssh-key we mak ## Test Code Manager +One of the components setup by this control-repo is that when you "push" code to your git server, the git server will inform the puppet master to deploy branch you just pushed. +1. In one terminal window, `tail -f /var/log/puppetlabs/puppetserver/puppetserver.log` +2. In a second terminal window + - Add a new file, `touch test_file` + - `git add test_file` + - `git commit -m "adding a test_file"` + - `git push origin production` +3. Allow the push to complete and then wait a few seconds for everything to sync over + - `ls -l /etc/puppetlabs/code/environments/production` + - Confirm test_file is present +4. In your first terminal window review the `puppetserver.log` to see the type of logging each sync will create ## Test The Zack/r10k Webhook @@ -184,6 +218,5 @@ Not yet completed. Not yet completed. - #TODO Flush out generating an answer file and then appending extra answers onto the end of it. From b8d4980f86eecda72928de0e9f28c32e9078d117 Mon Sep 17 00:00:00 2001 From: Nick Walker Date: Fri, 11 Dec 2015 18:22:22 -0800 Subject: [PATCH 12/17] Move hiera.yaml to avoid file-sync overwriting it File sync appears to sync everything in the $codedir which inlcudes hiera.yaml. When managing hiera.yaml with puppet code you don't want file sync to overwrite its contents. So, I'm moving it out of $codedir and removing the original hiera.yaml to avoid confusion for users investigating later. --- site/profile/manifests/puppetmaster.pp | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/site/profile/manifests/puppetmaster.pp b/site/profile/manifests/puppetmaster.pp index 28b3bdf..d73236f 100644 --- a/site/profile/manifests/puppetmaster.pp +++ b/site/profile/manifests/puppetmaster.pp 
@@ -1,18 +1,36 @@ class profile::puppetmaster { + $hiera_yaml = "${::settings::confdir}/hiera.yaml" + class { 'hiera': hierarchy => [ 'virtual/%{::virtual}', 'nodes/%{::trusted.certname}', 'common', ], - hiera_yaml => '/etc/puppetlabs/code/hiera.yaml', + hiera_yaml => $hiera_yaml, datadir => '/etc/puppetlabs/code/environments/%{environment}/hieradata', owner => 'pe-puppet', group => 'pe-puppet', notify => Service['pe-puppetserver'], } + ini_setting { 'puppet.conf hiera_config' : + ensure => present, + path => "${::settings::confdir}/puppet.conf", + section => 'master', + setting => 'hiera_config', + value => $hiera_yaml, + notify => Service['pe-puppetserver'], + } + + #remove the default hiera.yaml from the code-staging directory + #after the next code manager deployment it should be removed + #from the live codedir + file { '/etc/puppetlabs/code-staging/hiera.yaml' : + ensure => absent, + } + #Lay down update-classes.sh for use in r10k postrun_command #This is configured via the pe_r10k::postrun key in hiera file { '/usr/local/bin/update-classes.sh' : From 56d0908db2919fc9734a7722ece4adaa9d7b9bdc Mon Sep 17 00:00:00 2001 From: Nick Walker Date: Mon, 14 Dec 2015 16:28:13 -0800 Subject: [PATCH 13/17] Update config_version to read r10k_deploy.json file Update config_version.sh to read the r10k_deploy.json file if it exists. If it does not exist it will fall back to the existing logic --- scripts/code_manager_config_version.rb | 9 +++++++++ scripts/config_version.sh | 5 ++++- 2 files changed, 13 insertions(+), 1 deletion(-) create mode 100644 scripts/code_manager_config_version.rb diff --git a/scripts/code_manager_config_version.rb b/scripts/code_manager_config_version.rb new file mode 100644 index 0000000..7ed5680 --- /dev/null +++ b/scripts/code_manager_config_version.rb 
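Review bot: `hiera_yaml` now follows `$::settings::confdir`, but `datadir` is still the literal `/etc/puppetlabs/code/environments/%{environment}/hieradata`; for consistency derive it from the same settings, `datadir => "${::settings::codedir}/environments/%{environment}/hieradata",` (the `%{environment}` token is left for Hiera to interpolate). The choice of `nodes/%{::trusted.certname}` over an agent-reported fact such as `%{::fqdn}` is the security-relevant part of this hierarchy and deserves a comment, e.g. `# keyed on the trusted certname so a node cannot pick another node's data by changing its facts`. The enclosing class continues outside the hunk.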
@@ -0,0 +1,9 @@
+require 'json'
+
+environmentpath = ARGV[0]
+environment = ARGV[1]
+
+r10k_deploy_file_path = File.join(environmentpath, environment, '.r10k-deploy.json')
+
+#output the sha1 from the control-repo
+puts JSON.parse(File.read(r10k_deploy_file_path))['signature']
diff --git a/scripts/config_version.sh b/scripts/config_version.sh
index b4e6556..bc77213 100755
--- a/scripts/config_version.sh
+++ b/scripts/config_version.sh
@@ -1,5 +1,8 @@
 #!/bin/bash
-if [ -e /opt/puppetlabs/server/pe_version ]
+if [ -e $1/$2/.r10k-deploy.json ]
+then
+ /opt/puppetlabs/puppet/bin/ruby $1/$2/scripts/code_manager_config_version.rb $1 $2
+elif [ -e /opt/puppetlabs/server/pe_version ]
 then
 /opt/puppetlabs/puppet/bin/ruby $1/$2/scripts/config_version.rb $1 $2
 else
From d2db2750284dfeee15f375ce06bbcbc301738b84 Mon Sep 17 00:00:00 2001
From: Nick Walker
Date: Mon, 21 Dec 2015 15:19:38 -0800
Subject: [PATCH 14/17] Create profile::git_webhook to abstract away the details

Prior to this commit there were two possible webhooks - zack/r10k webhook - code manager I moved these two profiles under git_webhook and choose the correct one based on the version of PE being used. As a safety hatch, I provide the $force_zack_r10k_webhook param on profile::git_webhook in case someone needs to continue using it instead of code manager.
---
 site/profile/manifests/git_webhook.pp | 11 +++++++++++
 .../manifests/{ => git_webhook}/code_manager.pp | 4 ++--
 .../manifests/{ => git_webhook}/zack_r10k_webhook.pp | 2 +-
 .../code_manager/create_rbac_token.epp | 0
 site/role/manifests/all_in_one_pe.pp | 2 +-
 5 files changed, 15 insertions(+), 4 deletions(-)
 create mode 100644 site/profile/manifests/git_webhook.pp
 rename site/profile/manifests/{ => git_webhook}/code_manager.pp (97%)
 rename site/profile/manifests/{ => git_webhook}/zack_r10k_webhook.pp (97%)
 rename site/profile/templates/{ => git_webhook}/code_manager/create_rbac_token.epp (100%)
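Review bot: `puts JSON.parse(File.read(r10k_deploy_file_path))['signature']` raises on a half-written or malformed `.r10k-deploy.json` (the `-e` test in config_version.sh only covers the missing-file case), and a config_version script that dies with a backtrace fails the catalog request for every agent in that environment, as far as I recall, with no hint of which file was at fault. Wrap the read so the failure is attributable and the script exits non-zero deliberately, as below; config_version.sh can then decide whether to fall back to its other branches. A short header comment stating the contract — `# Prints the control-repo commit recorded by r10k; args: environmentpath environment` — would also help.
```ruby
begin
  deploy = JSON.parse(File.read(r10k_deploy_file_path))
  puts deploy.fetch('signature')
rescue Errno::ENOENT, JSON::ParserError, KeyError => e
  warn "code_manager_config_version: #{r10k_deploy_file_path}: #{e.message}"
  exit 1
end
```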
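Review bot: `[ -e $1/$2/.r10k-deploy.json ]` and the new `ruby $1/$2/scripts/code_manager_config_version.rb $1 $2` line leave `$1` and `$2` unquoted, so an environment path containing whitespace splits into several words and the test silently evaluates against the wrong path; write `if [ -e "$1/$2/.r10k-deploy.json" ]` and quote the arguments on the ruby invocation the same way. The exit status of the ruby call is not checked, so a failure there is only visible through whatever ruby prints; `|| exit 1` on that line makes the failure explicit. The rest of the `if` chain continues outside the hunk.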
diff --git a/site/profile/manifests/git_webhook.pp b/site/profile/manifests/git_webhook.pp new file mode 100644 index 0000000..a46d4ea --- /dev/null +++ b/site/profile/manifests/git_webhook.pp @@ -0,0 +1,11 @@ +class profile::git_webhook ( + $force_zack_r10k_webhook = false +) { + + if versioncmp( $::pe_server_version, '2015.2.99' ) <= 0 or $force_zack_r10k_webhook { + include profile::git_webhook::zack_r10k_webhook + } else { + include profile::git_webhook::code_manager + } + +} diff --git a/site/profile/manifests/code_manager.pp b/site/profile/manifests/git_webhook/code_manager.pp similarity index 97% rename from site/profile/manifests/code_manager.pp rename to site/profile/manifests/git_webhook/code_manager.pp index fc0eb8b..60cabf4 100644 --- a/site/profile/manifests/code_manager.pp +++ b/site/profile/manifests/git_webhook/code_manager.pp @@ -1,4 +1,4 @@ -class profile::code_manager { +class profile::git_webhook::code_manager { $authenticate_webhook = hiera('puppet_enterprise::master::code_manager::authenticate_webhook', true) @@ -51,7 +51,7 @@ class profile::code_manager { } exec { "Generate Token for ${code_manager_service_user}" : - command => epp('profile/code_manager/create_rbac_token.epp', + command => epp('profile/git_webhook/code_manager/create_rbac_token.epp', { 'code_manager_service_user' => $code_manager_service_user, 'code_manager_service_user_password' => $code_manager_service_user_password, 'classifier_hostname' => $classifier_hostname, diff --git a/site/profile/manifests/zack_r10k_webhook.pp b/site/profile/manifests/git_webhook/zack_r10k_webhook.pp similarity index 97% rename from site/profile/manifests/zack_r10k_webhook.pp rename to site/profile/manifests/git_webhook/zack_r10k_webhook.pp index 0ab4da2..ed05282 100644 --- a/site/profile/manifests/zack_r10k_webhook.pp +++ b/site/profile/manifests/git_webhook/zack_r10k_webhook.pp 
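Review bot: `$force_zack_r10k_webhook = false` is untyped even though the repo already uses Puppet 4 constructs (`epp()` in this same patch), so a Hiera value of `'false'` is a non-empty string, is truthy, and silently selects the zack/r10k webhook; declare it `Boolean $force_zack_r10k_webhook = false`. `versioncmp( $::pe_server_version, '2015.2.99' )` is evaluated with no check that the fact is present; on a node where it is absent the call will either error or compare an empty value as "older" and fall back to the r10k webhook, so a guard such as `if $::pe_server_version == undef { fail('pe_server_version fact is required') }` or at least a comment stating the fact is required would make the behaviour deliberate. A class header comment explaining the `2015.2.99` cut-off (everything up to 2015.2.z uses the r10k webhook, 2015.3 and later use Code Manager) would save the next reader a lookup.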
@@ -1,4 +1,4 @@ -class profile::zack_r10k_webhook ( +class profile::git_webhook::zack_r10k_webhook ( $use_mcollective = false, ) { diff --git a/site/profile/templates/code_manager/create_rbac_token.epp b/site/profile/templates/git_webhook/code_manager/create_rbac_token.epp similarity index 100% rename from site/profile/templates/code_manager/create_rbac_token.epp rename to site/profile/templates/git_webhook/code_manager/create_rbac_token.epp diff --git a/site/role/manifests/all_in_one_pe.pp b/site/role/manifests/all_in_one_pe.pp index a8152b1..9e93155 100644 --- a/site/role/manifests/all_in_one_pe.pp +++ b/site/role/manifests/all_in_one_pe.pp @@ -1,6 +1,6 @@ class role::all_in_one_pe { include profile::puppetmaster - include profile::code_manager + include profile::git_webhook } From ec7a8d81a65051503e9f27e142f29b187327959b Mon Sep 17 00:00:00 2001 From: Nick Walker Date: Mon, 21 Dec 2015 15:52:15 -0800 Subject: [PATCH 15/17] Add functionality to disable the zack/r10k webhook Prior to this commit, if you upgraded from a previous version of the control-repo both code manager and zack/r10k webhook would be running and ready to receive data. This can present problems if the webhook isn't disbled in the git management system is sending data to both receivers. This commit adds rudimentary ability to break the zack/r10k webhook so it can't receive data. --- site/profile/manifests/git_webhook.pp | 1 + .../git_webhook/zack_r10k_webhook_disable.pp | 14 ++++++++++++++ 2 files changed, 15 insertions(+) create mode 100644 site/profile/manifests/git_webhook/zack_r10k_webhook_disable.pp diff --git a/site/profile/manifests/git_webhook.pp b/site/profile/manifests/git_webhook.pp index a46d4ea..12ef786 100644 --- a/site/profile/manifests/git_webhook.pp +++ b/site/profile/manifests/git_webhook.pp 
@@ -6,6 +6,7 @@ class profile::git_webhook (
 include profile::git_webhook::zack_r10k_webhook
 } else {
 include profile::git_webhook::code_manager
+ include profile::git_webhook::zack_r10k_webhook_disable
 }
 
 }
diff --git a/site/profile/manifests/git_webhook/zack_r10k_webhook_disable.pp b/site/profile/manifests/git_webhook/zack_r10k_webhook_disable.pp
new file mode 100644
index 0000000..ec54fc6
--- /dev/null
+++ b/site/profile/manifests/git_webhook/zack_r10k_webhook_disable.pp
@@ -0,0 +1,14 @@
+class profile::git_webhook::zack_r10k_webhook_disable {
+
+ file { '/etc/webhook.yaml' :
+ ensure => absent,
+ notify => Exec['stop and disable webhook service'],
+ }
+
+ exec { 'stop and disable webhook service' :
+ command => '/opt/puppetlabs/puppet/bin/puppet resource service webhook ensure=stopped enable=false',
+ logoutput => true,
+ refreshonly => true,
+ }
+
+}
From ad00dd7a9a5e06d1aadbd68043979d4e060b6c04 Mon Sep 17 00:00:00 2001
From: Nick Walker
Date: Mon, 21 Dec 2015 17:47:05 -0800
Subject: [PATCH 16/17] Add an exec to create the Deploy Environments RBAC Role

Prior to this commit there was a requirement for the user of this repo to create a RBAC role in order for code manager to work. After this commit an exec statement will curl the RBAC API to create the role one time and hopefully it works otherwise the exec will not run again.
---
 README.md | 10 ++------
 .../manifests/git_webhook/code_manager.pp | 24 ++++++++++++++++++-
 2 files changed, 25 insertions(+), 9 deletions(-)
diff --git a/README.md b/README.md
index ed90d4f..9818554 100644
--- a/README.md
+++ b/README.md
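Review bot: The `stop and disable webhook service` exec is `refreshonly`, so it fires only during the single run in which `/etc/webhook.yaml` is actually removed; a webhook service that is already running with the file gone, or that is re-enabled later, stays up and keeps accepting pushes — the opposite of what this profile is for. A plain `service { 'webhook': ensure => stopped, enable => false }` is idempotent and does not shell out to `puppet resource`; if the exec was chosen because the `webhook` unit may not exist on fresh installs, say so in a comment and add an `onlyif` that checks the service is present so the stop is re-asserted every run where it matters.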
@@ -25,7 +25,7 @@ Table of Contents This control repo and the steps below are intended to be used during a new installation of PE. -This control repo has only been tested against PE2015.2.z, it's likely close to working on PE3.8.z but has not been tested. +This control repo has only been tested against PE2015.2.z and PE2015.3.z. It is likely close to working on PE3.8.z but has not been tested. If you intend to use it on an existing installation then be warned that if you've already written or downloaded modules when you start using r10k it will remove all of the existing modules and replace them with what you define in your Puppetfile. Please copy or move your existing modules to another directory to ensure you do not lose any work you've already started. @@ -144,13 +144,7 @@ So, we'll set up a deploy key in the git server that will allow a ssh-key we mak - Paste in the public key from above - `cat /etc/puppetlabs/puppetserver/code_manager.key.pub` 3. Login to the PE console -4. Select Access Control in the left hand panel -5. On the User Roles page, add a new role called `Deploy Environments` - - NOTE: Make sure to name it exactly as I have because the puppet code expects that exact name -6. After creating the role click through and select the permissions tab - - Add Puppet Environment type, Deploy Code permission, and All object - - Add Tokens type, override default expiry permission -7. Still in the PE Console, navigate to the Classification page +7. Navigate to the Classification page - Click on the PE Master group - Click the Classes tab - Add the `puppet_enterprise::profile::master` diff --git a/site/profile/manifests/git_webhook/code_manager.pp b/site/profile/manifests/git_webhook/code_manager.pp index 60cabf4..7470e1c 100644 --- a/site/profile/manifests/git_webhook/code_manager.pp +++ b/site/profile/manifests/git_webhook/code_manager.pp 
@@ -35,13 +35,35 @@ class profile::git_webhook::code_manager { unless => "/usr/bin/test \$(stat -c %U ${::settings::codedir}/environments/production) = 'pe-puppet'", } + $code_manager_role_name = 'Deploy Environments' + $create_role_creates_file = '/etc/puppetlabs/puppetserver/.puppetlabs/deploy_environments_created' + $create_role_curl = @(EOT) + /opt/puppetlabs/puppet/bin/curl -k -X POST -H 'Content-Type: application/json' \ + https://<%= $::trusted['certname'] %>:4433/rbac-api/v1/roles \ + -d '{"permissions": [{"object_type": "environment", "action": "deploy_code", "instance": "*"}, + {"object_type": "tokens", "action": "override_lifetime", "instance": "*"}],"user_ids": [], "group_ids": [], "display_name": "<%= $code_manager_role_name %>", "description": ""}' \ + --cert <%= $::settings::certdir %>/<%= $::trusted['certname'] %>.pem \ + --key <%= $::settings::privatekeydir %>/<%= $::trusted['certname'] %>.pem \ + --cacert <%= $::settings::certdir %>/ca.pem; + touch <%= $create_role_creates_file %> + | EOT + + exec { 'create deploy environments role' : + command => inline_epp( $create_role_curl ), + creates => $create_role_creates_file, + logoutput => true, + path => $::path, + require => File[$token_directory], + } + rbac_user { $code_manager_service_user : ensure => 'present', name => $code_manager_service_user, email => "${code_manager_service_user}@example.com", display_name => 'Code Manager Service Account', password => $code_manager_service_user_password, - roles => [ 'Deploy Environments' ], + roles => [ $code_manager_role_name ], + require => Exec['create deploy environments role'], } file { $token_directory : From 752f2ef87bb56895f5a63c89fd01fe0ed0c623be Mon Sep 17 00:00:00 2001 
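Review bot: The role-creation `curl` passes `-k` together with `--cert`, `--key` and `--cacert`; `-k` disables the verification that `--cacert` sets up, so drop it and let the RBAC endpoint on `:4433` be verified against `$::settings::certdir/ca.pem`. The `touch <%= $create_role_creates_file %>` is separated by `;`, so a refused connection or a 4xx/5xx from the API still writes the marker and the role is never retried, while `rbac_user` then fails on every run with a less obvious error; if that is intentional so a role created by hand (as the old README instructed) does not block the run, record that in a comment, otherwise use `curl --fail ... && touch ...` so transport and auth failures are retried. The `require => File[$token_directory]` presumably covers the `.puppetlabs` directory the marker lives in — worth stating, since `$token_directory` is defined outside this hunk. The enclosing class continues beyond the hunk.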
From: Nick Walker Date: Mon, 4 Jan 2016 20:22:06 -0800 Subject: [PATCH 17/17] Update README with info on how to upgrade from 2015.2 Mostly reorganized the README to be 2015.3 first and then have some extra info at the bottom about upgrading from 2015.2. Added a blurb about what the control-repo provides. --- README.md | 100 ++++++++++++++++++++++++++++-------------------------- 1 file changed, 51 insertions(+), 49 deletions(-) diff --git a/README.md b/README.md index 9818554..24eb30f 100644 --- a/README.md +++ b/README.md 
@@ -1,33 +1,44 @@ Table of Contents ================= - * [Before Starting:](#before-starting) - * [Setup a Trusted Fact On Your PE Master](#setup-a-trusted-fact-on-your-pe-master) - * [If You Have Not Installed PE](#if-you-have-not-installed-pe) - * [If You Have Already Installed PE](#if-you-have-already-installed-pe) - * [Copy This Repo Into Your Own Git Server](#copy-this-repo-into-your-own-git-server) - * [Gitlab](#gitlab) - * [Stash](#stash) - * [Github](#github) - * [Configure PE to Use the Control\-Repo](#configure-pe-to-use-the-control-repo) - * [Install PE](#install-pe) - * [Get the Control\-Repo Deployed On Your Master](#get-the-control-repo-deployed-on-your-master) - * [Test Code Manager](#test-code-manager) - * [Test The Zack/r10k Webhook](#test-the-zackr10k-webhook) - * [Miscellaneous](#miscellaneous) - * [If You Want to Install Pointing To This Repo on Github](#if-you-want-to-install-pointing-to-this-repo-on-github) - * [Setting Up Gitlab](#setting-up-gitlab) - * [Setting up Github](#setting-up-github) - * [Setting up Stash](#setting-up-stash) - * [TODO](#todo) +* [Before Starting](#before-starting) +* [What You Get From This control\-repo](#what-you-get-from-this-control-repo) +* [How To Set It All Up](#how-to-set-it-all-up) + * [Setup a Trusted Fact On Your PE Master](#setup-a-trusted-fact-on-your-pe-master) + * [If You Have Not Installed PE](#if-you-have-not-installed-pe) + * [If You Have Already Installed PE](#if-you-have-already-installed-pe) + * [Copy This Repo Into Your Own Git Server](#copy-this-repo-into-your-own-git-server) + * [Gitlab](#gitlab) + * [Stash](#stash) + * [Github](#github) + * [Configure PE to Use the Control\-Repo](#configure-pe-to-use-the-control-repo) + * [Install PE](#install-pe) + * [Get the Control\-Repo Deployed On Your Master](#get-the-control-repo-deployed-on-your-master) + * [Test Code Manager](#test-code-manager) +* [Updating From a Previous Version of PE](#updating-from-a-previous-version-of-pe) + * [Upgrading to 
PE2015\.3\.z from PE 2015\.2\.z](#upgrading-to-pe20153z-from-pe-20152z) +* [Appendix](#appendix) + * [Test The Zack/r10k Webhook](#test-the-zackr10k-webhook) -# Before Starting: +# Before Starting This control repo and the steps below are intended to be used during a new installation of PE. -This control repo has only been tested against PE2015.2.z and PE2015.3.z. It is likely close to working on PE3.8.z but has not been tested. +The instructions are geared towards a new installation of PE2015.3.z. However, the control-repo should work just fine on [PE2015.2.z](#upgrading-to-pe20153z-from-pe-20152z) -If you intend to use it on an existing installation then be warned that if you've already written or downloaded modules when you start using r10k it will remove all of the existing modules and replace them with what you define in your Puppetfile. Please copy or move your existing modules to another directory to ensure you do not lose any work you've already started. +If you intend to use this control-repo on an existing installation then be warned that if you've already written or downloaded modules when you start using r10k it will remove all of the existing modules and replace them with what you define in your Puppetfile. Please copy or move your existing modules to another directory to ensure you do not lose any work you've already started. + +# What You Get From This control-repo + +As a result of following the instructions below you will receive at least the beginning of a best-practices installation of PE including... + + - A git server + - The ability to push code to your git server and have it automatically deployed to your PE Master + - A config_version script to output the commit of code that your agent just applied + - Optimal tuning of PE settings for this configuration + - Working and example roles/profiles code + +# How To Set It All Up ## Setup a Trusted Fact On Your PE Master 
@@ -176,8 +187,26 @@ One of the components setup by this control-repo is that when you "push" code to - Confirm test_file is present 4. In your first terminal window review the `puppetserver.log` to see the type of logging each sync will create +---- +# Updating From a Previous Version of PE + +## Upgrading to PE2015.3.z from PE 2015.2.z + +Remove `pe_r10k` from the PE master group in the console and instead add the following two parameters to the `puppet_enterprise::profile::master` class under the PE master group. + +- `r10k_remote` = the ssh url for your internal repo +- `r10k_private_key` = `/etc/puppetlabs/puppetserver/code_manager.key` + +When upgrading the `puppet_enterprise::profile::master` class has the `file_sync_enabled` parameter set to `false`. This parameter should be removed so that code manager can configure file sync. + +Finally, you’ll need to `echo 'code_manager_mv_old_code=true' > /opt/puppetlabs/facter/facts.d/code_manager_mv_old_code.txt` so that my puppet code will redeploy all of your code with code manager. + +# Appendix + ## Test The Zack/r10k Webhook +If you are using PE2015.2.z or if you've forced the use of the zack/r10k webhook then you'll want to test that it works. + One of the components setup by this control-repo is that when you "push" code to your git server, the git server will inform the puppet master to run `r10k deploy environment -p`. 1. Edit README.md 
@@ -187,30 +216,3 @@ One of the components setup by this control-repo is that when you "push" code to 4. `git push origin production` 5. Allow the push to complete and then give it few seconds to complete - Open `/etc/puppetlabs/code/environments/production/README.md` and confirm your change is present - ----- -#Miscellaneous - -## If You Want to Install Pointing To This Repo on Github - -### Setting Up Gitlab - -1. Install Gitlab on a server by specifying the following trusted fact on the soon-to-be Gitlab server and then [install the PE agent](http://docs.puppetlabs.com/pe/latest/install_agents.html#using-the-puppet-agent-package-installation-script). - - ``` - --- - extension_requests: - #pp_role - 1.3.6.1.4.1.34380.1.1.13: 'gitlab' - ``` - -### Setting up Github - -Not yet completed. - -### Setting up Stash - -Not yet completed. - -#TODO -Flush out generating an answer file and then appending extra answers onto the end of it.