diff --git a/README.md b/README.md index ed90d4f..9818554 100644 --- a/README.md +++ b/README.md @@ -25,7 +25,7 @@ Table of Contents This control repo and the steps below are intended to be used during a new installation of PE. -This control repo has only been tested against PE2015.2.z, it's likely close to working on PE3.8.z but has not been tested. +This control repo has only been tested against PE2015.2.z and PE2015.3.z. It is likely close to working on PE3.8.z but has not been tested. If you intend to use it on an existing installation then be warned that if you've already written or downloaded modules when you start using r10k it will remove all of the existing modules and replace them with what you define in your Puppetfile. Please copy or move your existing modules to another directory to ensure you do not lose any work you've already started. @@ -144,13 +144,7 @@ So, we'll set up a deploy key in the git server that will allow a ssh-key we mak - Paste in the public key from above - `cat /etc/puppetlabs/puppetserver/code_manager.key.pub` 3. Login to the PE console -4. Select Access Control in the left hand panel -5. On the User Roles page, add a new role called `Deploy Environments` - - NOTE: Make sure to name it exactly as I have because the puppet code expects that exact name -6. After creating the role click through and select the permissions tab - - Add Puppet Environment type, Deploy Code permission, and All object - - Add Tokens type, override default expiry permission -7. Still in the PE Console, navigate to the Classification page +7. Navigate to the Classification page - Click on the PE Master group - Click the Classes tab - Add the `puppet_enterprise::profile::master` diff --git a/site/profile/manifests/git_webhook/code_manager.pp b/site/profile/manifests/git_webhook/code_manager.pp index 60cabf4..7470e1c 100644 --- a/site/profile/manifests/git_webhook/code_manager.pp +++ b/site/profile/manifests/git_webhook/code_manager.pp @@ -35,13 +35,35 @@ class profile::git_webhook::code_manager { unless => "/usr/bin/test \$(stat -c %U ${::settings::codedir}/environments/production) = 'pe-puppet'", } + $code_manager_role_name = 'Deploy Environments' + $create_role_creates_file = '/etc/puppetlabs/puppetserver/.puppetlabs/deploy_environments_created' + $create_role_curl = @(EOT) + /opt/puppetlabs/puppet/bin/curl -k -X POST -H 'Content-Type: application/json' \ + https://<%= $::trusted['certname'] %>:4433/rbac-api/v1/roles \ + -d '{"permissions": [{"object_type": "environment", "action": "deploy_code", "instance": "*"}, + {"object_type": "tokens", "action": "override_lifetime", "instance": "*"}],"user_ids": [], "group_ids": [], "display_name": "<%= $code_manager_role_name %>", "description": ""}' \ + --cert <%= $::settings::certdir %>/<%= $::trusted['certname'] %>.pem \ + --key <%= $::settings::privatekeydir %>/<%= $::trusted['certname'] %>.pem \ + --cacert <%= $::settings::certdir %>/ca.pem; + touch <%= $create_role_creates_file %> + | EOT + + exec { 'create deploy environments role' : + command => inline_epp( $create_role_curl ), + creates => $create_role_creates_file, + logoutput => true, + path => $::path, + require => File[$token_directory], + } + rbac_user { $code_manager_service_user : ensure => 'present', name => $code_manager_service_user, email => "${code_manager_service_user}@example.com", display_name => 'Code Manager Service Account', password => $code_manager_service_user_password, - roles => [ 'Deploy Environments' ], + roles => [ $code_manager_role_name ], + require => Exec['create deploy environments role'], } file { $token_directory :