From ad00dd7a9a5e06d1aadbd68043979d4e060b6c04 Mon Sep 17 00:00:00 2001 From: Nick Walker Date: Mon, 21 Dec 2015 17:47:05 -0800 Subject: [PATCH] Add an exec to create the Deploy Environments RBAC Role Prior to this commit there was a requirement for the user of this repo to create a RBAC role in order for code manager to work. After this commit an exec statement will curl the RBAC API to create the role one time and hopefully it works otherwise the exec will not run again. --- README.md | 10 ++------ .../manifests/git_webhook/code_manager.pp | 24 ++++++++++++++++++- 2 files changed, 25 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index ed90d4f..9818554 100644 --- a/README.md +++ b/README.md @@ -25,7 +25,7 @@ Table of Contents This control repo and the steps below are intended to be used during a new installation of PE. -This control repo has only been tested against PE2015.2.z, it's likely close to working on PE3.8.z but has not been tested. +This control repo has only been tested against PE2015.2.z and PE2015.3.z. It is likely close to working on PE3.8.z but has not been tested. If you intend to use it on an existing installation then be warned that if you've already written or downloaded modules when you start using r10k it will remove all of the existing modules and replace them with what you define in your Puppetfile. Please copy or move your existing modules to another directory to ensure you do not lose any work you've already started. 
@@ -144,13 +144,7 @@ So, we'll set up a deploy key in the git server that will allow a ssh-key we mak - Paste in the public key from above - `cat /etc/puppetlabs/puppetserver/code_manager.key.pub` 3. Login to the PE console -4. Select Access Control in the left hand panel -5. On the User Roles page, add a new role called `Deploy Environments` - - NOTE: Make sure to name it exactly as I have because the puppet code expects that exact name -6. After creating the role click through and select the permissions tab - - Add Puppet Environment type, Deploy Code permission, and All object - - Add Tokens type, override default expiry permission -7. Still in the PE Console, navigate to the Classification page +7. Navigate to the Classification page - Click on the PE Master group - Click the Classes tab - Add the `puppet_enterprise::profile::master` diff --git a/site/profile/manifests/git_webhook/code_manager.pp b/site/profile/manifests/git_webhook/code_manager.pp index 60cabf4..7470e1c 100644 --- a/site/profile/manifests/git_webhook/code_manager.pp +++ b/site/profile/manifests/git_webhook/code_manager.pp 
@@ -35,13 +35,35 @@ class profile::git_webhook::code_manager { unless => "/usr/bin/test \$(stat -c %U ${::settings::codedir}/environments/production) = 'pe-puppet'", } + $code_manager_role_name = 'Deploy Environments' + $create_role_creates_file = '/etc/puppetlabs/puppetserver/.puppetlabs/deploy_environments_created' + $create_role_curl = @(EOT) + /opt/puppetlabs/puppet/bin/curl -k -X POST -H 'Content-Type: application/json' \ + https://<%= $::trusted['certname'] %>:4433/rbac-api/v1/roles \ + -d '{"permissions": [{"object_type": "environment", "action": "deploy_code", "instance": "*"}, + {"object_type": "tokens", "action": "override_lifetime", "instance": "*"}],"user_ids": [], "group_ids": [], "display_name": "<%= $code_manager_role_name %>", "description": ""}' \ + --cert <%= $::settings::certdir %>/<%= $::trusted['certname'] %>.pem \ + --key <%= $::settings::privatekeydir %>/<%= $::trusted['certname'] %>.pem \ + --cacert <%= $::settings::certdir %>/ca.pem; + touch <%= $create_role_creates_file %> + | EOT + + exec { 'create deploy environments role' : + command => inline_epp( $create_role_curl ), + creates => $create_role_creates_file, + logoutput => true, + path => $::path, + require => File[$token_directory], + } + rbac_user { $code_manager_service_user : ensure => 'present', name => $code_manager_service_user, email => "${code_manager_service_user}@example.com", display_name => 'Code Manager Service Account', password => $code_manager_service_user_password, - roles => [ 'Deploy Environments' ], + roles => [ $code_manager_role_name ], + require => Exec['create deploy environments role'], } file { $token_directory :
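Review bot: The `touch <%= $create_role_creates_file %>` after the curl is joined with `;`, so the marker file is written even when the POST to /rbac-api/v1/roles fails, and because the exec is guarded by `creates`, a failed role creation is never retried while the following `rbac_user` (which now requires this exec and references the role by name) will keep failing; the commit message itself describes this as "hopefully it works". In the same heredoc `-k` switches server-certificate verification off, which makes the `--cacert <%= $::settings::certdir %>/ca.pem` argument a no-op and lets the role definition be posted to whatever answers on port 4433. I would change the curl invocation to `/opt/puppetlabs/puppet/bin/curl -sS --fail -X POST -H 'Content-Type: application/json' \` (dropping `-k`, so the CA bundle is actually used and a non-2xx status yields a non-zero exit), and join the touch with `--cacert <%= $::settings::certdir %>/ca.pem && \` so the marker is only created on success. Presumably the API returns a conflict status if the role was already created by hand following the old README, which `--fail` would then treat as a permanent error, so an `unless` that queries `GET /rbac-api/v1/roles` for the display name (or accepting a 409 explicitly) would make the exec robust for existing installs; I cannot confirm the exact status code from this hunk. The enclosing class body continues outside the hunk on both sides.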