#!/bin/bash # This script automates the NC classification and environment group setup for many self-service provisioning workflows # Run this as root on your master # Note: this script does not randomize uuid for the classification group it creates, so it will create/replace the same group everytime instead of creating a new group # This script assumes it is being run on a freshly installed master that is not using code manager. # # User configuration # echo Puppet Master Setup Script echo -------------------------- echo This script expects to be run from puppet-starter_content directory. If run from a different directory, the script will fail. echo This script also assumes it is being run on a freshly installed master that is not using code manager. echo -------------------------- alternate_environment=dev autosign_example_class=autosign_example all_nodes_id='00000000-0000-4000-8000-000000000000' roles_group_id='235a97b3-949b-48e0-8e8a-000000000666' dev_env_group_id='235a97b3-949b-48e0-e8a-000000000888' autosign_group_id='235a97b3-949b-48e0-8e8a-000000000999' # # Configuration we can detect # master_hostname=$(/opt/puppetlabs/bin/puppet config print certname) key=$(/opt/puppetlabs/bin/puppet config print hostprivkey) cert=$(/opt/puppetlabs/bin/puppet config print hostcert) cacert=$(/opt/puppetlabs/bin/puppet config print localcacert) # # Do some error checking first before running the script # error_checking() { # Check to see if user running script has root privs if (( $EUID != 0 )); then echo "ERROR: This script should only be run by the root user or via sudo." exit 1 fi # Check to see if script is running from puppet-starter_content directory if [[ $PWD != *"puppet-starter_content"* ]] then echo "ERROR: You must run 'bash scripts/nc_setup.sh' inside the 'puppet-starter_content' directory."; exit 1 fi # Check to see if script is being run on a puppet master if [ ! -f /opt/puppetlabs/server/bin/puppetserver ]; then echo "ERROR: This script should only be run on the Puppet master server." exit 1 fi # # Check if code manager is being used # curl -s -X GET \ -H "Content-Type: application/json" \ --cert $cert \ --key $key \ --cacert $cacert \ "https://$master_hostname:4433/classifier-api/v1/groups" | grep -q code_manager_auto_configure if [ $? -eq 0 ]; then echo "ERROR: It appears that code manager is being used. This script cannot continue." echo "Instead, use desired modules from the Puppetfile and use in your own control-repo's Puppetfile." exit 1 fi } error_checking # # Determine the uuids for groups that are created during PE install but with randomly generated uuids # find_guid() { echo $(curl -s https://$master_hostname:4433/classifier-api/v1/groups --cert $cert --key $key --cacert $cacert | python -m json.tool |grep -C 2 "$1" | grep "id" | cut -d: -f2 | sed 's/[\", ]//g') } production_env_group_id=`find_guid "Production environment"` echo "\"Production environment\" group uuid is $production_env_group_id" agent_specified_env_group_id=`find_guid "Agent-specified environment"` echo "\"Agent-specified environment\" group uuid is $agent_specified_env_group_id" pemaster_group_id=`find_guid "PE Master"` date_string=`date +%Y-%m-%d:%H:%M:%S` echo "Backing up existing contents of /etc/puppetlabs/code to $date_string" cp -R /etc/puppetlabs/code /etc/puppetlabs/code_backup_$date_string # # Copying starter content and create an alternate puppet environment in addition to production # echo 'Copying starter content repo into /etc/puppetlabs/code/environments' mkdir -p /etc/puppetlabs/code/environments/$alternate_environment rm -rf /etc/puppetlabs/code/environments/$alternate_environment/* cp -R * /etc/puppetlabs/code/environments/$alternate_environment r10k puppetfile install --moduledir /etc/puppetlabs/code/environments/$alternate_environment/modules --verbose # Put a copy in production echo "Duplicating $alternate_environment contents into production" rm -rf /etc/puppetlabs/code/environments/production/ cp -R /etc/puppetlabs/code/environments/$alternate_environment /etc/puppetlabs/code/environments/production # # Tell the NC to refresh its cache so that the classes we just installed are available # echo "Refreshing NC class lists for production and $alternate_environment puppet environments" curl -s -X POST -H "Content-Type: application/json" \ --key $key \ --cert $cert \ --cacert $cacert \ https://$master_hostname:4433/classifier-api/v1/update-classes?environment=production [ "$?" = 0 ] && echo "Successful refresh of production environment." curl -s -X POST -H "Content-Type: application/json" \ --key $key \ --cert $cert \ --cacert $cacert \ https://$master_hostname:4433/classifier-api/v1/update-classes?environment=$alternate_environment [ "$?" = 0 ] && echo "Successful refresh of $alternate_environment environment." # # Create an "Autosign" classification group to set up autosign example # echo "Creating the Autosign group" curl -s -X PUT -H 'Content-Type: application/json' \ --key $key \ --cert $cert \ --cacert $cacert \ -d ' { "name": "Autosign", "parent": "'$all_nodes_id'", "rule": [ "and", [ "=", [ "trusted", "certname" ], "'$master_hostname'" ] ], "classes": { "'$autosign_example_class'": {} } }' \ https://$master_hostname:4433/classifier-api/v1/groups/$autosign_group_id | python -m json.tool echo # # Add 64 bit Windows agent installer to pe_repo # echo "Adding 64 bit Windows agent installer to pe_repo in PE Master group" curl -s -X POST -H 'Content-Type: application/json' \ --key $key \ --cert $cert \ --cacert $cacert \ -d ' { "classes": { "pe_repo::platform::windows_x86_64": {} } }' \ https://$master_hostname:4433/classifier-api/v1/groups/$pemaster_group_id | python -m json.tool echo # # Create a "Roles" classification group so that the integration role groups are organized more cleanly # echo "Creating the Roles group" curl -s -X PUT -H 'Content-Type: application/json' \ --key $key \ --cert $cert \ --cacert $cacert \ -d ' { "name": "Roles", "parent": "'$all_nodes_id'", "classes": {} }' \ https://$master_hostname:4433/classifier-api/v1/groups/$roles_group_id | python -m json.tool echo # # Create an environment group for an alternative puppet environment, e.g. dev puppet environment # for file in /etc/puppetlabs/code/environments/$alternate_environment/site/role/manifests/*; do basefilename=$(basename "$file") role_class="role::${basefilename%.*}" echo "Creating the \"$role_class\" classification group" curl -s -X POST -H "Content-Type: application/json" \ --key $key \ --cert $cert \ --cacert $cacert \ -d ' { "name": "'$role_class'", "parent": "'$roles_group_id'", "environment": "'$alternate_environment'", "rule": [ "and", [ "=", [ "trusted", "extensions", "pp_role" ], "'$role_class'" ] ], "classes": { "'$role_class'": {} } }' \ https://$master_hostname:4433/classifier-api/v1/groups done echo # # Create alternate_environment environment group # echo "Creating the \"$alternate_environment\" environment group" curl -s -X PUT -H "Content-Type: application/json" \ --key $key \ --cert $cert \ --cacert $cacert \ -d ' { "name": "'$alternate_environment' environment", "parent": "'$production_env_group_id'", "environment_trumps": true, "environment": "'$alternate_environment'", "rule": [ "and", [ "=", [ "trusted", "extensions", "pp_environment" ], "'$alternate_environment'" ] ], "classes": {} }' \ https://$master_hostname:4433/classifier-api/v1/groups/$dev_env_group_id | python -m json.tool # # Update the "Agent-specified environment" group so that pp_environment=agent-specified works as expected # echo "Updating \"Agent-specified environment\" group to use pp_environment in its matching rules" curl -s -X PUT -H "Content-type: application/json" \ --key $key \ --cert $cert \ --cacert $cacert \ -d ' { "name": "Agent-specified environment", "parent": "'$production_env_group_id'", "environment_trumps": true, "rule": [ "and", [ "=", [ "trusted", "extensions", "pp_environment" ], "agent-specified" ] ], "environment": "agent-specified", "classes": {} }' \ https://$master_hostname:4433/classifier-api/v1/groups/$agent_specified_env_group_id | python -m json.tool echo