Add an exec to create the Deploy Environments RBAC Role
Prior to this commit the user of this repo was required to create an RBAC role in order for Code Manager to work. After this commit an exec statement curls the RBAC API to create the role one time; hopefully it works, because otherwise the exec will not run again.
This commit is contained in:
parent
ec7a8d81a6
commit
ad00dd7a9a
10
README.md
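--- a/README.md
+++ b/README.md
@@ -25,7 +25,7 @@ Table of Contents
 
 This control repo and the steps below are intended to be used during a new installation of PE.
 
-This control repo has only been tested against PE2015.2.z, it's likely close to working on PE3.8.z but has not been tested.
+This control repo has only been tested against PE2015.2.z and PE2015.3.z. It is likely close to working on PE3.8.z but has not been tested.
 
 If you intend to use it on an existing installation then be warned that if you've already written or downloaded modules when you start using r10k it will remove all of the existing modules and replace them with what you define in your Puppetfile. Please copy or move your existing modules to another directory to ensure you do not lose any work you've already started.
 
@@ -144,13 +144,7 @@ So, we'll set up a deploy key in the git server that will allow a ssh-key we mak
 - Paste in the public key from above
 - `cat /etc/puppetlabs/puppetserver/code_manager.key.pub`
 3. Login to the PE console
-4. Select Access Control in the left hand panel
-5. On the User Roles page, add a new role called `Deploy Environments`
-- NOTE: Make sure to name it exactly as I have because the puppet code expects that exact name
-6. After creating the role click through and select the permissions tab
-- Add Puppet Environment type, Deploy Code permission, and All object
-- Add Tokens type, override default expiry permission
-7. Still in the PE Console, navigate to the Classification page
+7. Navigate to the Classification page
 - Click on the PE Master group
 - Click the Classes tab
 - Add the `puppet_enterprise::profile::master`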
@ -35,13 +35,35 @@ class profile::git_webhook::code_manager {
|
|||||||
unless => "/usr/bin/test \$(stat -c %U ${::settings::codedir}/environments/production) = 'pe-puppet'",
|
unless => "/usr/bin/test \$(stat -c %U ${::settings::codedir}/environments/production) = 'pe-puppet'",
|
||||||
}
|
}
|
||||||
|
|
||||||
|
$code_manager_role_name = 'Deploy Environments'
|
||||||
|
$create_role_creates_file = '/etc/puppetlabs/puppetserver/.puppetlabs/deploy_environments_created'
|
||||||
|
$create_role_curl = @(EOT)
|
||||||
|
/opt/puppetlabs/puppet/bin/curl -k -X POST -H 'Content-Type: application/json' \
|
||||||
|
https://<%= $::trusted['certname'] %>:4433/rbac-api/v1/roles \
|
||||||
|
-d '{"permissions": [{"object_type": "environment", "action": "deploy_code", "instance": "*"},
|
||||||
|
{"object_type": "tokens", "action": "override_lifetime", "instance": "*"}],"user_ids": [], "group_ids": [], "display_name": "<%= $code_manager_role_name %>", "description": ""}' \
|
||||||
|
--cert <%= $::settings::certdir %>/<%= $::trusted['certname'] %>.pem \
|
||||||
|
--key <%= $::settings::privatekeydir %>/<%= $::trusted['certname'] %>.pem \
|
||||||
|
--cacert <%= $::settings::certdir %>/ca.pem;
|
||||||
|
touch <%= $create_role_creates_file %>
|
||||||
|
| EOT
|
||||||
|
|
||||||
|
exec { 'create deploy environments role' :
|
||||||
|
command => inline_epp( $create_role_curl ),
|
||||||
|
creates => $create_role_creates_file,
|
||||||
|
logoutput => true,
|
||||||
|
path => $::path,
|
||||||
|
require => File[$token_directory],
|
||||||
|
}
|
||||||
|
|
||||||
rbac_user { $code_manager_service_user :
|
rbac_user { $code_manager_service_user :
|
||||||
ensure => 'present',
|
ensure => 'present',
|
||||||
name => $code_manager_service_user,
|
name => $code_manager_service_user,
|
||||||
email => "${code_manager_service_user}@example.com",
|
email => "${code_manager_service_user}@example.com",
|
||||||
display_name => 'Code Manager Service Account',
|
display_name => 'Code Manager Service Account',
|
||||||
password => $code_manager_service_user_password,
|
password => $code_manager_service_user_password,
|
||||||
roles => [ 'Deploy Environments' ],
|
roles => [ $code_manager_role_name ],
|
||||||
|
require => Exec['create deploy environments role'],
|
||||||
}
|
}
|
||||||
|
|
||||||
file { $token_directory :
|
file { $token_directory :
|
||||||
|
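Review bot: The `-k` in the new `$create_role_curl` heredoc disables TLS server-certificate verification, so the `--cacert <%= $::settings::certdir %>/ca.pem` that follows has no effect and the role-creation POST to the RBAC API on port 4433 will accept any certificate presented to it; since the CA bundle is already supplied, drop the flag from `/opt/puppetlabs/puppet/bin/curl -k -X POST -H 'Content-Type: application/json' \`. The marker file is also written regardless of outcome: `--cacert <%= $::settings::certdir %>/ca.pem; touch <%= $create_role_creates_file %>` runs `touch` even when curl fails, and curl exits 0 on an HTTP 4xx/5xx response unless told otherwise, so one rejected request permanently satisfies `creates` and the exec never retries — add `--fail` to the curl invocation and join the two commands with `&&` (`--cacert <%= $::settings::certdir %>/ca.pem && \`). With that change a role that already exists from the former manual README steps would presumably make the POST fail on every run; an `unless` that GETs `/rbac-api/v1/roles` and checks for `$code_manager_role_name` would keep the exec idempotent in that case. The enclosing class `profile::git_webhook::code_manager` starts outside the hunk.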