#!/bin/bash
# This script automates the NC classification and environment group setup for many self-service provisioning workflows
# Run this as root on your master
# Note: this script does not randomize uuid for the classification group it creates, so it will create/replace the same group everytime instead of creating a new group
# This script assumes it is being run on a freshly installed master that is not using code manager.
#
# User configuration
#
echo Puppet Master Setup Script
echo --------------------------
echo This script expects to be run from puppet-starter_content directory. If run from a different directory, the script will fail.
echo This script also assumes it is being run on a freshly installed master that is not using code manager.
echo --------------------------
alternate_environment=dev
autosign_example_class=autosign_example
all_nodes_id='00000000-0000-4000-8000-000000000000'
roles_group_id='235a97b3-949b-48e0-8e8a-000000000666'
dev_env_group_id='235a97b3-949b-48e0-e8a-000000000888'
autosign_group_id='235a97b3-949b-48e0-8e8a-000000000999'
#
# Configuration we can detect
#
master_hostname=$(/opt/puppetlabs/bin/puppet config print certname)
key=$(/opt/puppetlabs/bin/puppet config print hostprivkey)
cert=$(/opt/puppetlabs/bin/puppet config print hostcert)
cacert=$(/opt/puppetlabs/bin/puppet config print localcacert)
#
# Do some error checking first before running the script
#
error_checking()
{
# Check to see if user running script has root privs
if (( $EUID != 0 )); then
echo "ERROR: This script should only be run by the root user or via sudo."
exit 1
fi
# Check to see if script is running from puppet-starter_content directory
if [[ $PWD != *"puppet-starter_content"* ]]
then
echo "ERROR: You must run 'bash scripts/nc_setup.sh' inside the 'puppet-starter_content' directory.";
exit 1
fi
# Check to see if script is being run on a puppet master
if [ ! -f /opt/puppetlabs/server/bin/puppetserver ]; then
echo "ERROR: This script should only be run on the Puppet master server."
exit 1
fi
#
# Check if code manager is being used
#
curl -s -X GET \ -H "Content-Type: application/json" \
--cert $cert \
--key $key \
--cacert $cacert \
"https://$master_hostname:4433/classifier-api/v1/groups" | grep -q code_manager_auto_configure
if [ $? -eq 0 ]; then
echo "ERROR: It appears that code manager is being used. This script cannot continue."
echo "Instead, use desired modules from the Puppetfile and use in your own control-repo's Puppetfile."
exit 1
fi
}
error_checking
#
# Determine the uuids for groups that are created during PE install but with randomly generated uuids
#
find_guid()
{
echo $(curl -s https://$master_hostname:4433/classifier-api/v1/groups --cert $cert --key $key --cacert $cacert | python -m json.tool |grep -C 2 "$1" | grep "id" | cut -d: -f2 | sed 's/[\", ]//g')
}
production_env_group_id=`find_guid "Production environment"`
echo "\"Production environment\" group uuid is $production_env_group_id"
agent_specified_env_group_id=`find_guid "Agent-specified environment"`
echo "\"Agent-specified environment\" group uuid is $agent_specified_env_group_id"
pemaster_group_id=`find_guid "PE Master"`
date_string=`date +%Y-%m-%d:%H:%M:%S`
echo "Backing up existing contents of /etc/puppetlabs/code to $date_string"
cp -R /etc/puppetlabs/code /etc/puppetlabs/code_backup_$date_string
#
# Copying starter content and create an alternate puppet environment in addition to production
#
echo 'Copying starter content repo into /etc/puppetlabs/code/environments'
mkdir -p /etc/puppetlabs/code/environments/$alternate_environment
rm -rf /etc/puppetlabs/code/environments/$alternate_environment/*
cp -R * /etc/puppetlabs/code/environments/$alternate_environment
r10k puppetfile install --moduledir /etc/puppetlabs/code/environments/$alternate_environment/modules --verbose
# Put a copy in production
echo "Duplicating $alternate_environment contents into production"
rm -rf /etc/puppetlabs/code/environments/production/
cp -R /etc/puppetlabs/code/environments/$alternate_environment /etc/puppetlabs/code/environments/production
#
# Tell the NC to refresh its cache so that the classes we just installed are available
#
echo "Refreshing NC class lists for production and $alternate_environment puppet environments"
curl -s -X POST -H "Content-Type: application/json" \
--key $key \
--cert $cert \
--cacert $cacert \
https://$master_hostname:4433/classifier-api/v1/update-classes?environment=production
[ "$?" = 0 ] && echo "Successful refresh of production environment."
curl -s -X POST -H "Content-Type: application/json" \
--key $key \
--cert $cert \
--cacert $cacert \
https://$master_hostname:4433/classifier-api/v1/update-classes?environment=$alternate_environment
[ "$?" = 0 ] && echo "Successful refresh of $alternate_environment environment."
#
# Create an "Autosign" classification group to set up autosign example
#
echo "Creating the Autosign group"
curl -s -X PUT -H 'Content-Type: application/json' \
--key $key \
--cert $cert \
--cacert $cacert \
-d '
{
"name": "Autosign",
"parent": "'$all_nodes_id'",
"rule":
[ "and",
[ "=",
[ "trusted", "certname" ],
"'$master_hostname'"
]
],
"classes": { "'$autosign_example_class'": {} }
}' \
https://$master_hostname:4433/classifier-api/v1/groups/$autosign_group_id | python -m json.tool
echo
#
# Add 64 bit Windows agent installer to pe_repo
#
echo "Adding 64 bit Windows agent installer to pe_repo in PE Master group"
curl -s -X POST -H 'Content-Type: application/json' \
--key $key \
--cert $cert \
--cacert $cacert \
-d '
{
"classes": { "pe_repo::platform::windows_x86_64": {} }
}' \
https://$master_hostname:4433/classifier-api/v1/groups/$pemaster_group_id | python -m json.tool
echo
#
# Create a "Roles" classification group so that the integration role groups are organized more cleanly
#
echo "Creating the Roles group"
curl -s -X PUT -H 'Content-Type: application/json' \
--key $key \
--cert $cert \
--cacert $cacert \
-d '
{
"name": "Roles",
"parent": "'$all_nodes_id'",
"classes": {}
}' \
https://$master_hostname:4433/classifier-api/v1/groups/$roles_group_id | python -m json.tool
echo
#
# Create an environment group for an alternative puppet environment, e.g. dev puppet environment
#
for file in /etc/puppetlabs/code/environments/$alternate_environment/site/role/manifests/*; do
basefilename=$(basename "$file")
role_class="role::${basefilename%.*}"
echo "Creating the \"$role_class\" classification group"
curl -s -X POST -H "Content-Type: application/json" \
--key $key \
--cert $cert \
--cacert $cacert \
-d '
{
"name": "'$role_class'",
"parent": "'$roles_group_id'",
"environment": "'$alternate_environment'",
"rule":
[ "and",
[ "=",
[ "trusted", "extensions", "pp_role" ],
"'$role_class'"
]
],
"classes": { "'$role_class'": {} }
}' \
https://$master_hostname:4433/classifier-api/v1/groups
done
echo
#
# Create alternate_environment environment group
#
echo "Creating the \"$alternate_environment\" environment group"
curl -s -X PUT -H "Content-Type: application/json" \
--key $key \
--cert $cert \
--cacert $cacert \
-d '
{
"name": "'$alternate_environment' environment",
"parent": "'$production_env_group_id'",
"environment_trumps": true,
"environment": "'$alternate_environment'",
"rule":
[ "and",
[ "=",
[ "trusted", "extensions", "pp_environment" ],
"'$alternate_environment'"
]
],
"classes": {}
}' \
https://$master_hostname:4433/classifier-api/v1/groups/$dev_env_group_id | python -m json.tool
#
# Update the "Agent-specified environment" group so that pp_environment=agent-specified works as expected
#
echo "Updating \"Agent-specified environment\" group to use pp_environment in its matching rules"
curl -s -X PUT -H "Content-type: application/json" \
--key $key \
--cert $cert \
--cacert $cacert \
-d '
{
"name": "Agent-specified environment",
"parent": "'$production_env_group_id'",
"environment_trumps": true,
"rule":
[ "and",
[ "=",
[ "trusted", "extensions", "pp_environment" ],
"agent-specified"
]
],
"environment": "agent-specified",
"classes": {}
}' \
https://$master_hostname:4433/classifier-api/v1/groups/$agent_specified_env_group_id | python -m json.tool
echo