Adding webhook and eyaml management

Puppetfile

@@ -32,3 +32,7 @@ mod 'stahnma/epel', '0.0.6'
 # <https://github.com/torrancew/puppet-account/pull/18>
 mod 'account', :git => 'git://github.com/jenkins-infra/puppet-account.git',
                :ref => '03280b8'
+
+mod 'jenkins_keys', 
+  :git => 'git@github.com:rtyler/jenkins-keys.git'
+

dist/profile/files/hiera.yaml

@@ -1,6 +1,7 @@
 ---
 :backends:
   - yaml
+  - eyaml
 
 :hierarchy:
   - "clients/%{clientcert}"
@@ -14,3 +15,6 @@
 # When specifying a datadir, make sure the directory exists.
   :datadir: "/etc/puppetlabs/puppet/environments/%{environment}/hieradata"
 
+:eyaml:
+  :datadir: "/etc/puppetlabs/puppet/environments/%{environment}/hieradata"
+  :extension: 'yaml'

dist/profile/manifests/puppetmaster.pp

@@ -12,23 +12,6 @@ class profile::puppetmaster {
     notify => Service['pe-httpd'],
   }
 
-  class { 'r10k':
-    remote            => 'https://github.com/jenkins-infra/jenkins-infra.git',
-    version           => '1.2.1',
-    modulepath        => '/etc/puppetlabs/puppet/environments/$environment/dist:/etc/puppetlabs/puppet/environments/$environment/modules:/opt/puppet/share/puppet/modules',
-    manage_modulepath => true,
-    mcollective       => true,
-  }
-
-  ini_setting { 'Update manifest in puppet.conf':
-    ensure  => present,
-    path    => '/etc/puppetlabs/puppet/puppet.conf',
-    section => 'main',
-    setting => 'manifest',
-    value   => '/etc/puppetlabs/puppet/environments/$environment/manifests/site.pp',
-  }
-
-
   ## Ensure we're setting the right SMTP server
   yaml_setting { 'console smtp server':
     target => '/etc/puppetlabs/console-auth/config.yml',
@@ -36,4 +19,7 @@ class profile::puppetmaster {
     value  => 'smtp.osuosl.org',
     notify => Service['pe-httpd'],
   }
+
+  # pull in all our secret stuff, and install eyaml
+  include ::jenkins_keys
 }

dist/profile/manifests/r10k.pp

@@ -0,0 +1,74 @@
+class profile::r10k {
+
+  # Here we get our config for r10k from hiera.
+  # currently this hash is only used by the templates below
+  $r10k_options = hiera('r10k_options')
+
+  class { '::r10k':
+    remote            => 'https://github.com/jenkins-infra/jenkins-infra.git',
+    version           => '1.2.1',
+    modulepath        => '/etc/puppetlabs/puppet/environments/$environment/dist:/etc/puppetlabs/puppet/environments/$environment/modules:/opt/puppet/share/puppet/modules',
+    manage_modulepath => true,
+    mcollective       => true,
+  }
+
+  ini_setting { 'Update manifest in puppet.conf':
+    ensure  => present,
+    path    => '/etc/puppetlabs/puppet/puppet.conf',
+    section => 'main',
+    setting => 'manifest',
+    value   => '/etc/puppetlabs/puppet/environments/$environment/manifests/site.pp',
+  }
+
+  case $::osfamily {
+    'redhat': {
+      file { '/etc/init.d/r10k_deployhook.init':
+        ensure  => file,
+        owner   => root,
+        group   => root,
+        mode    => '0755',
+        content => template("${module_name}/r10k_deployhook.init.erb"),
+        alias   => 'deployhook',
+      }
+    }
+
+    'debian': {
+      file { '/etc/init/r10k_deployhook.conf':
+        ensure  => file,
+        owner   => root,
+        group   => root,
+        mode    => '0755',
+        content => template("${module_name}/r10k_deployhook.upstart.erb"),
+        alias   => 'deployhook_init',
+      }
+    }
+
+    default: { fail("${module_name} is not supported on ${::osfamily}") }
+  }
+
+  package { 'sinatra':
+    ensure   => present,
+    provider => pe_gem,
+  }
+
+  package { 'webrick':
+    ensure   => present,
+    provider => pe_gem,
+  }
+
+
+  file { '/usr/local/bin/r10k_deployhook':
+    ensure  => file,
+    owner   => root,
+    group   => root,
+    mode    => '0755',
+    content => template("${module_name}/r10k_deployhook.erb"),
+    require => [ Package['sinatra'], Package['webrick'] ],
+  }
+
+  service { 'r10k_deployhook':
+    ensure    => running,
+    enable    => true,
+    subscribe => [File['deployhook'], File['deployhook_init']],
+  }
+}

dist/profile/templates/r10k_deployhook.erb

@@ -0,0 +1,80 @@
+#!/opt/puppet/bin/ruby
+# This mini-webserver is meant to be run as the peadmin user
+# so that it can call mcollective from a puppetmaster
+
+require 'rubygems'
+
+require 'sinatra/base'
+require 'webrick'
+require 'webrick/https'
+require 'openssl'
+
+require 'resolv'
+require 'json'
+
+DEPLOYCMD = '/opt/puppet/bin/mco r10k deploy_all --np >> <%= @r10k_options['r10k_deployhooks_logdir'] %>/mco 2>&1'
+LOGFILE   = '<%= @r10k_options['deployhooks_logdir'] %>/deployhooks'
+USER      = '<%= @r10k_options['deployhooks_user'] %>'
+PASS      = '<%= @r10k_options['deployhooks_pass'] %>'
+PORT      = '<%= @r10k_options['deployhooks_port'] %>'
+CERT_PATH = '/opt/puppet/share/puppet-dashboard/certs'
+CERT_NAME = 'pe-internal-dashboard'
+
+ENV['HOME'] = '/var/lib/peadmin'
+ENV['PATH'] = '/sbin:/usr/sbin:/bin:/usr/bin:/opt/puppet/bin'
+
+opts = {
+        :Port               => PORT,
+        :Logger             => WEBrick::Log::new(LOGFILE, WEBrick::Log::DEBUG),
+        :ServerType         => WEBrick::Daemon,
+        :SSLEnable          => true,
+        :SSLVerifyClient    => OpenSSL::SSL::VERIFY_NONE,
+        :SSLCertificate     => OpenSSL::X509::Certificate.new(  File.open(File.join(CERT_PATH, "#{CERT_NAME}.crt")).read),
+        :SSLPrivateKey      => OpenSSL::PKey::RSA.new(          File.open(File.join(CERT_PATH, "#{CERT_NAME}.key")).read),
+        :SSLCertName        => [ [ "CN",WEBrick::Utils::getservername ] ]
+}
+
+class Server  < Sinatra::Base
+  set :static, false
+
+  get '/' do
+    raise Sinatra::NotFound
+  end
+
+  post '/deploy' do
+    protected!
+    deploy()
+  end
+
+  not_found do
+    halt 404, 'You shall not pass! (page not found)'
+  end
+
+  helpers do
+    def deploy()
+      begin
+        Process.detach(fork{ exec "#{DEPLOYCMD} &"})
+        {:status => :success, :message => "Deploying environments."}.to_json
+      rescue
+        {:status => :fail, :message => "Deploy failed.", :trace => e.message}.to_json
+      end
+    end  #end deploy()
+
+    def protected!
+      unless authorized?
+        response['WWW-Authenticate'] = %(Basic realm="Restricted Area")
+        throw(:halt, [401, "Not authorized\n"])
+      end
+    end  #end protected!
+
+    def authorized?
+      @auth ||=  Rack::Auth::Basic::Request.new(request.env)
+      @auth.provided? && @auth.basic? && @auth.credentials && 
+      @auth.credentials == [USER, PASS]
+    end  #end authorized?
+  end  #end helpers
+end
+
+Rack::Handler::WEBrick.run(Server, opts) do |server|
+  [:INT, :TERM].each { |sig| trap(sig) { server.stop } }
+end

dist/profile/templates/r10k_deployhook.init.erb

@@ -0,0 +1,104 @@
+#!/bin/bash
+#
+# r10k_deployhook Manage the r10k deploy hook
+#
+# chkconfig: - 55 25
+# description: Stupidsimple webhooks implementation.
+#
+# pidfile: /var/run/r10k_deployhook.pid
+
+### BEGIN INIT INFO
+# Provides: r10k_deployhook
+# Required-Start: $local_fs $network
+# Required-Stop: $local_fs $network
+# Should-Start:
+# Should-Stop:
+# Default-Start:
+# Default-Stop:
+# Short-Description: start and stop r10k_deployhook daemon
+# Description: Simple deployhook receiver for starting r10k runs
+### END INIT INFO
+
+# source function library
+. /etc/init.d/functions
+
+PATH=$PATH:/opt/puppet/bin
+
+OPTIONS=""
+if [ -e /etc/sysconfig/r10k_deployhook ]; then
+ . /etc/sysconfig/r10k_deployhook
+fi
+
+RETVAL=0
+prog="r10k_deployhook"
+binary=/usr/local/bin/r10k_deployhook
+pidfile=/var/run/r10k_deployhook.pid
+user="peadmin"
+
+start() {
+	[ -x $binary ] || exit 5
+	echo -n $"Starting $prog: "
+
+	if [ $UID -ne 0 ]; then
+		RETVAL=1
+		failure
+	else
+		daemon --user=$user --pidfile=$pidfile $binary $OPTIONS
+		RETVAL=$?
+		[ $RETVAL -eq 0 ] && 
+			touch /var/lock/subsys/r10k_deployhook &&
+			pgrep -f -u $user $binary > $pidfile
+	fi;
+	echo
+	return $RETVAL
+}
+
+stop() {
+	echo -n $"Stopping $prog: "
+	if [ $UID -ne 0 ]; then
+		RETVAL=1
+		failure
+	else
+		killproc -p $pidfile $binary
+		RETVAL=$?
+		[ $RETVAL -eq 0 ] && 
+			rm -f /var/lock/subsys/r10k_deployhook &&
+			rm -f $pidfile
+	fi;
+	echo
+	return $RETVAL
+}
+
+restart(){
+	stop
+	start
+}
+
+condrestart(){
+	[ -e /var/lock/subsys/r10k_deployhook ] && restart
+	return 0
+}
+
+case "$1" in
+	start)
+		start
+		RETVAL=$?
+		;;
+	stop)
+		stop
+		RETVAL=$?
+		;;
+	restart)
+		restart
+		RETVAL=$?
+		;;
+	status)
+		status -p $pidfile r10k_deployhook
+		RETVAL=$?
+		;;
+	*)
+		echo $"Usage: $0 {start|stop|restart|status}"
+		RETVAL=2
+esac
+
+exit $RETVAL

dist/profile/templates/r10k_deployhook.upstart.erb

@@ -0,0 +1,14 @@
+description "Deployhook for r10k"
+author "Adam Crews <adam@puppetlabs.com>"
+
+start on filesystem or runlevel [2345]
+stop on runlevel [!2345]
+
+respawn
+umask 022
+
+setuid 'peadmin'
+setgid 'peadmin'
+
+console log
+exec /usr/local/bin/r10k_deployhook

dist/role/manifests/puppetmaster.pp

@@ -3,4 +3,5 @@
 class role::puppetmaster {
   include profile::account
   include profile::puppetmaster
+  include profile::r10k
 }

hieradata/common.yaml

@@ -23,4 +23,10 @@ accounts:
     groups:
       - sudo
 
-# vim: ft=yaml ts=2 sw=2 et
+r10k_options:
+  deployhooks_logdir: /var/log
+  deployhooks_user: ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAMgXgW7v2mcAlhyW4BCGaKqywOv2wA67aiiplA0iisxD5fGNY7dgjUMq6tGEFsSAKJl25BYo7AspCk3ZQMae15NwVne8CztljTYZU6pf9rHCpqnhA1UFUo0oo44OpJUocmTbBP/MwLMTCi9kJGAYsPIt/l4BeeYmPAj+ZsPUCHQ2Me45uqWmSfI363kOKXb42t5/VQAPsQXncCD/rlXD0djyYYbNb1KAMKA2owOBqgDRV/9eElm3oj8UKfZORyhecfD4U30GzpsuXawhyCKH25AEv14faEWEwHW/n78VcOuItS2rXLKC+zSZKmfmIPzRCjyxo/MSE1hjSxLQ7Tkig9DA8BgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAI+hpqZ+yO1u4CDCGodxGygBA3l8ovLuqjFypUL0SPKeUL]
+  deployhooks_pass: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAy3DB+0f5EW1aY5ZeesQN/t/dUqKGgvI4JczSKXHIgRwm6NUL4+PAdYKtIeZR+leBhMFA0a0/7RdOwfxM0Y76LOcxbLGaaQD7s8H5CYIozXukE73g8nsnKKamGM54LUWKnmzhcq/zgoaLRa1fqQ1ibG/5TNFYn77n2AsHJu0lsuExeM62nja6Vg0b6GDrQLqKOEXEXy9jeN9e0zBMbenrGTy8nnbO0SVg8V9xDDzWHNUlmhJ0cXl8MTbLVtREGLzF/5RMAutnb6esM+7l8OonEp09vunJPgRM0jgsr77zBKb73ptSGPVnsE204+uTKv2oTUxn0pHbmjo2VcaOVRnnSDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCz+AkCvq0Wu+yjDdos5TvYgDCRaM7GhWQ+mtk+x+Z9uHSkRUSa4ELu689pwkYnd2gl5Mv7U/o+pEpuUhe71sG4Lu0=]
+  deployhooks_port: 9013
+
+# vim: ft=yaml ts=2 sw=2 nowrap et