ad00dd7a9a
Prior to this commit there was a requirement for the user of this repo to create a RBAC role in order for code manager to work. After this commit an exec statement will curl the RBAC API to create the role one time and hopefully it works otherwise the exec will not run again.
151 lines
6.8 KiB
Puppet
151 lines
6.8 KiB
Puppet
class profile::git_webhook::code_manager {
|
|
|
|
$authenticate_webhook = hiera('puppet_enterprise::master::code_manager::authenticate_webhook', true)
|
|
|
|
$code_manager_service_user = 'code_manager_service_user'
|
|
$code_manager_service_user_password = fqdn_rand_string(40, '', "${code_manager_service_user}_password")
|
|
|
|
#puppet_master_classifier_settings is a custom function
|
|
$classifier_settings = puppet_master_classifer_settings()
|
|
$classifier_hostname = $classifier_settings['server']
|
|
$classifier_port = $classifier_settings['port']
|
|
|
|
$token_directory = '/etc/puppetlabs/puppetserver/.puppetlabs'
|
|
$token_filename = "${token_directory}/${code_manager_service_user}_token"
|
|
|
|
$gms_api_token = hiera('gms_api_token', undef)
|
|
$git_management_system = hiera('git_management_system', undef)
|
|
|
|
$code_manager_ssh_key_file = '/etc/puppetlabs/puppetserver/code_manager.key'
|
|
exec { 'create code manager ssh key' :
|
|
command => "/usr/bin/ssh-keygen -t rsa -b 2048 -C 'code_manager' -f ${code_manager_ssh_key_file} -q -N ''",
|
|
creates => $code_manager_ssh_key_file,
|
|
}
|
|
|
|
file { $code_manager_ssh_key_file :
|
|
ensure => file,
|
|
owner => 'pe-puppet',
|
|
group => 'pe-puppet',
|
|
require => Exec['create code manager ssh key'],
|
|
}
|
|
|
|
#If files exist in the codedir code manager can't manage them unless pe-puppet can read them
|
|
exec { 'chown all environments to pe-puppet' :
|
|
command => "/bin/chown -R pe-puppet:pe-puppet ${::settings::codedir}",
|
|
unless => "/usr/bin/test \$(stat -c %U ${::settings::codedir}/environments/production) = 'pe-puppet'",
|
|
}
|
|
|
|
$code_manager_role_name = 'Deploy Environments'
|
|
$create_role_creates_file = '/etc/puppetlabs/puppetserver/.puppetlabs/deploy_environments_created'
|
|
$create_role_curl = @(EOT)
|
|
/opt/puppetlabs/puppet/bin/curl -k -X POST -H 'Content-Type: application/json' \
|
|
https://<%= $::trusted['certname'] %>:4433/rbac-api/v1/roles \
|
|
-d '{"permissions": [{"object_type": "environment", "action": "deploy_code", "instance": "*"},
|
|
{"object_type": "tokens", "action": "override_lifetime", "instance": "*"}],"user_ids": [], "group_ids": [], "display_name": "<%= $code_manager_role_name %>", "description": ""}' \
|
|
--cert <%= $::settings::certdir %>/<%= $::trusted['certname'] %>.pem \
|
|
--key <%= $::settings::privatekeydir %>/<%= $::trusted['certname'] %>.pem \
|
|
--cacert <%= $::settings::certdir %>/ca.pem;
|
|
touch <%= $create_role_creates_file %>
|
|
| EOT
|
|
|
|
exec { 'create deploy environments role' :
|
|
command => inline_epp( $create_role_curl ),
|
|
creates => $create_role_creates_file,
|
|
logoutput => true,
|
|
path => $::path,
|
|
require => File[$token_directory],
|
|
}
|
|
|
|
rbac_user { $code_manager_service_user :
|
|
ensure => 'present',
|
|
name => $code_manager_service_user,
|
|
email => "${code_manager_service_user}@example.com",
|
|
display_name => 'Code Manager Service Account',
|
|
password => $code_manager_service_user_password,
|
|
roles => [ $code_manager_role_name ],
|
|
require => Exec['create deploy environments role'],
|
|
}
|
|
|
|
file { $token_directory :
|
|
ensure => directory,
|
|
owner => 'pe-puppet',
|
|
group => 'pe-puppet',
|
|
}
|
|
|
|
exec { "Generate Token for ${code_manager_service_user}" :
|
|
command => epp('profile/git_webhook/code_manager/create_rbac_token.epp',
|
|
{ 'code_manager_service_user' => $code_manager_service_user,
|
|
'code_manager_service_user_password' => $code_manager_service_user_password,
|
|
'classifier_hostname' => $classifier_hostname,
|
|
'classifier_port' => $classifier_port,
|
|
'token_filename' => $token_filename
|
|
}),
|
|
creates => $token_filename,
|
|
require => [ Rbac_user[$code_manager_service_user], File[$token_directory] ],
|
|
}
|
|
|
|
#this file cannont be read until the next run after the above exec
|
|
#because the file function runs on the master not on the agent
|
|
#so the file doesn't exist at the time the function is run
|
|
$rbac_token_file_contents = no_fail_file($token_filename)
|
|
|
|
#Only mv code if this is at least the 2nd run of puppet
|
|
#Code manager needs to be enabled and puppet server restarted
|
|
#before this exec can complete. Gating on the token file
|
|
#ensures at least one run has completed
|
|
if $::code_manager_mv_old_code and !empty($rbac_token_file_contents) {
|
|
|
|
$timestamp = chomp(generate('/bin/date', '+%Y%d%m_%H:%M:%S'))
|
|
|
|
exec { 'mv files out of $environmentpath' :
|
|
command => "mkdir /etc/puppetlabs/env_back_${timestamp};
|
|
mv ${::settings::codedir}/environments/* /etc/puppetlabs/env_back_${timestamp}/;
|
|
rm /opt/puppetlabs/facter/facts.d/code_manager_mv_old_code.txt;
|
|
TOKEN=`/opt/puppetlabs/puppet/bin/ruby -e \"require 'json'; puts JSON.parse(File.read('${token_filename}'))['token']\"`;
|
|
/opt/puppetlabs/puppet/bin/curl -k -X POST -H 'Content-Type: application/json' \"https://${::trusted['certname']}:8170/code-manager/v1/deploys?token=\$TOKEN\" -d '{\"environments\": [\"${::environment}\"], \"wait\": true}';
|
|
/opt/puppetlabs/puppet/bin/curl -k -X POST -H 'Content-Type: application/json' \"https://${::trusted['certname']}:8170/code-manager/v1/deploys?token=\$TOKEN\" -d '{\"deploy-all\": true, \"wait\": true}';
|
|
sleep 15",
|
|
path => $::path,
|
|
logoutput => true,
|
|
require => Exec["Generate Token for ${code_manager_service_user}"],
|
|
}
|
|
}
|
|
|
|
if !empty($gms_api_token) {
|
|
if $authenticate_webhook and !empty($rbac_token_file_contents) {
|
|
|
|
$rbac_token = parsejson($rbac_token_file_contents)['token']
|
|
|
|
$token_info = "&token=${rbac_token}"
|
|
}
|
|
else {
|
|
$token_info = ''
|
|
}
|
|
|
|
$code_manager_webhook_type = $git_management_system ? {
|
|
'gitlab' => 'github',
|
|
default => $git_management_system,
|
|
}
|
|
|
|
git_deploy_key { "add_deploy_key_to_puppet_control-${::fqdn}":
|
|
ensure => present,
|
|
name => $::fqdn,
|
|
path => "${code_manager_ssh_key_file}.pub",
|
|
token => $gms_api_token,
|
|
project_name => 'puppet/control-repo',
|
|
server_url => hiera('gms_server_url'),
|
|
provider => $git_management_system,
|
|
}
|
|
|
|
git_webhook { "code_manager_post_receive_webhook-${::fqdn}" :
|
|
ensure => present,
|
|
webhook_url => "https://${::fqdn}:8170/code-manager/v1/webhook?type=${code_manager_webhook_type}${token_info}",
|
|
token => $gms_api_token,
|
|
project_name => 'puppet/control-repo',
|
|
server_url => hiera('gms_server_url'),
|
|
provider => $git_management_system,
|
|
disable_ssl_verify => true,
|
|
}
|
|
}
|
|
}
|