Adding webhook and eyaml management
parent
a8dcc8ab06
commit
dafcf8e0ba
|
@ -32,3 +32,7 @@ mod 'stahnma/epel', '0.0.6'
|
|||
# <https://github.com/torrancew/puppet-account/pull/18>
|
||||
mod 'account', :git => 'git://github.com/jenkins-infra/puppet-account.git',
|
||||
:ref => '03280b8'
|
||||
|
||||
mod 'jenkins_keys',
|
||||
:git => 'git@github.com:rtyler/jenkins-keys.git'
|
||||
|
||||
|
|
|
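Review bot: `mod 'jenkins_keys'` is added without a `:ref`, so every r10k deploy takes whatever the default branch of `rtyler/jenkins-keys.git` holds at that moment, while the `account` module just above is pinned to `03280b8`. Judging by its name and the manifest comment about secret material later in this commit, an unreviewed push to that repository would change what the master applies on its next deploy. I would pin it the same way, `:ref => '<reviewed-commit-sha>'` (placeholder value), and move the ref forward deliberately.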
@ -1,6 +1,7 @@
|
|||
---
|
||||
:backends:
|
||||
- yaml
|
||||
- eyaml
|
||||
|
||||
:hierarchy:
|
||||
- "clients/%{clientcert}"
|
||||
|
@ -14,3 +15,6 @@
|
|||
# When specifying a datadir, make sure the directory exists.
|
||||
:datadir: "/etc/puppetlabs/puppet/environments/%{environment}/hieradata"
|
||||
|
||||
:eyaml:
|
||||
:datadir: "/etc/puppetlabs/puppet/environments/%{environment}/hieradata"
|
||||
:extension: 'yaml'
|
||||
|
|
|
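Review bot: With `- yaml` listed before `- eyaml`, and the new `:eyaml:` block using the same `:datadir:` with `:extension: 'yaml'`, both backends read the same files. As far as I know Hiera asks backends in the listed order and takes the first answer for a priority lookup. The plain yaml backend would then return the literal `ENC[PKCS7,...]` text for an encrypted key, so consumers would get ciphertext that is readable in the repository instead of the decrypted value. Listing `- eyaml` first, or using it alone since it also reads unencrypted values, avoids that. The `:eyaml:` block also names no key paths, so a comment stating where the decryption keys are installed would help the next reader.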
@ -12,23 +12,6 @@ class profile::puppetmaster {
|
|||
notify => Service['pe-httpd'],
|
||||
}
|
||||
|
||||
class { 'r10k':
|
||||
remote => 'https://github.com/jenkins-infra/jenkins-infra.git',
|
||||
version => '1.2.1',
|
||||
modulepath => '/etc/puppetlabs/puppet/environments/$environment/dist:/etc/puppetlabs/puppet/environments/$environment/modules:/opt/puppet/share/puppet/modules',
|
||||
manage_modulepath => true,
|
||||
mcollective => true,
|
||||
}
|
||||
|
||||
ini_setting { 'Update manifest in puppet.conf':
|
||||
ensure => present,
|
||||
path => '/etc/puppetlabs/puppet/puppet.conf',
|
||||
section => 'main',
|
||||
setting => 'manifest',
|
||||
value => '/etc/puppetlabs/puppet/environments/$environment/manifests/site.pp',
|
||||
}
|
||||
|
||||
|
||||
## Ensure we're setting the right SMTP server
|
||||
yaml_setting { 'console smtp server':
|
||||
target => '/etc/puppetlabs/console-auth/config.yml',
|
||||
|
@ -36,4 +19,7 @@ class profile::puppetmaster {
|
|||
value => 'smtp.osuosl.org',
|
||||
notify => Service['pe-httpd'],
|
||||
}
|
||||
|
||||
# pull in all our secret stuff, and install eyaml
|
||||
include ::jenkins_keys
|
||||
}
|
||||
|
|
|
@ -0,0 +1,74 @@
|
|||
class profile::r10k {
|
||||
|
||||
# Here we get our config for r10k from hiera.
|
||||
# currently this hash is only used by the templates below
|
||||
$r10k_options = hiera('r10k_options')
|
||||
|
||||
class { '::r10k':
|
||||
remote => 'https://github.com/jenkins-infra/jenkins-infra.git',
|
||||
version => '1.2.1',
|
||||
modulepath => '/etc/puppetlabs/puppet/environments/$environment/dist:/etc/puppetlabs/puppet/environments/$environment/modules:/opt/puppet/share/puppet/modules',
|
||||
manage_modulepath => true,
|
||||
mcollective => true,
|
||||
}
|
||||
|
||||
ini_setting { 'Update manifest in puppet.conf':
|
||||
ensure => present,
|
||||
path => '/etc/puppetlabs/puppet/puppet.conf',
|
||||
section => 'main',
|
||||
setting => 'manifest',
|
||||
value => '/etc/puppetlabs/puppet/environments/$environment/manifests/site.pp',
|
||||
}
|
||||
|
||||
case $::osfamily {
|
||||
'redhat': {
|
||||
file { '/etc/init.d/r10k_deployhook.init':
|
||||
ensure => file,
|
||||
owner => root,
|
||||
group => root,
|
||||
mode => '0755',
|
||||
content => template("${module_name}/r10k_deployhook.init.erb"),
|
||||
alias => 'deployhook',
|
||||
}
|
||||
}
|
||||
|
||||
'debian': {
|
||||
file { '/etc/init/r10k_deployhook.conf':
|
||||
ensure => file,
|
||||
owner => root,
|
||||
group => root,
|
||||
mode => '0755',
|
||||
content => template("${module_name}/r10k_deployhook.upstart.erb"),
|
||||
alias => 'deployhook_init',
|
||||
}
|
||||
}
|
||||
|
||||
default: { fail("${module_name} is not supported on ${::osfamily}") }
|
||||
}
|
||||
|
||||
package { 'sinatra':
|
||||
ensure => present,
|
||||
provider => pe_gem,
|
||||
}
|
||||
|
||||
package { 'webrick':
|
||||
ensure => present,
|
||||
provider => pe_gem,
|
||||
}
|
||||
|
||||
|
||||
file { '/usr/local/bin/r10k_deployhook':
|
||||
ensure => file,
|
||||
owner => root,
|
||||
group => root,
|
||||
mode => '0755',
|
||||
content => template("${module_name}/r10k_deployhook.erb"),
|
||||
require => [ Package['sinatra'], Package['webrick'] ],
|
||||
}
|
||||
|
||||
service { 'r10k_deployhook':
|
||||
ensure => running,
|
||||
enable => true,
|
||||
subscribe => [File['deployhook'], File['deployhook_init']],
|
||||
}
|
||||
}
|
|
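Review bot: `/usr/local/bin/r10k_deployhook` is written as `root:root` with `mode => '0755'`, but the template it renders embeds the webhook user and password as string constants, so every local account on the master can read them. Since the service runs as `peadmin`, `group => 'peadmin'` with `mode => '0750'` would keep the file readable by the service only (this assumes the `peadmin` group referenced by the upstart job exists). Separately, `subscribe => [File['deployhook'], File['deployhook_init']]` names both aliases although each `case` branch declares only one, so the catalog would likely fail to resolve the other on either OS family. Giving both init files the same alias and using `subscribe => [File['deployhook'], File['/usr/local/bin/r10k_deployhook']]` would also restart the service when the script or its credentials change.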
@ -0,0 +1,80 @@
|
|||
#!/opt/puppet/bin/ruby
|
||||
# This mini-webserver is meant to be run as the peadmin user
|
||||
# so that it can call mcollective from a puppetmaster
|
||||
|
||||
require 'rubygems'
|
||||
|
||||
require 'sinatra/base'
|
||||
require 'webrick'
|
||||
require 'webrick/https'
|
||||
require 'openssl'
|
||||
|
||||
require 'resolv'
|
||||
require 'json'
|
||||
|
||||
DEPLOYCMD = '/opt/puppet/bin/mco r10k deploy_all --np >> <%= @r10k_options['r10k_deployhooks_logdir'] %>/mco 2>&1'
|
||||
LOGFILE = '<%= @r10k_options['deployhooks_logdir'] %>/deployhooks'
|
||||
USER = '<%= @r10k_options['deployhooks_user'] %>'
|
||||
PASS = '<%= @r10k_options['deployhooks_pass'] %>'
|
||||
PORT = '<%= @r10k_options['deployhooks_port'] %>'
|
||||
CERT_PATH = '/opt/puppet/share/puppet-dashboard/certs'
|
||||
CERT_NAME = 'pe-internal-dashboard'
|
||||
|
||||
ENV['HOME'] = '/var/lib/peadmin'
|
||||
ENV['PATH'] = '/sbin:/usr/sbin:/bin:/usr/bin:/opt/puppet/bin'
|
||||
|
||||
opts = {
|
||||
:Port => PORT,
|
||||
:Logger => WEBrick::Log::new(LOGFILE, WEBrick::Log::DEBUG),
|
||||
:ServerType => WEBrick::Daemon,
|
||||
:SSLEnable => true,
|
||||
:SSLVerifyClient => OpenSSL::SSL::VERIFY_NONE,
|
||||
:SSLCertificate => OpenSSL::X509::Certificate.new( File.open(File.join(CERT_PATH, "#{CERT_NAME}.crt")).read),
|
||||
:SSLPrivateKey => OpenSSL::PKey::RSA.new( File.open(File.join(CERT_PATH, "#{CERT_NAME}.key")).read),
|
||||
:SSLCertName => [ [ "CN",WEBrick::Utils::getservername ] ]
|
||||
}
|
||||
|
||||
class Server < Sinatra::Base
|
||||
set :static, false
|
||||
|
||||
get '/' do
|
||||
raise Sinatra::NotFound
|
||||
end
|
||||
|
||||
post '/deploy' do
|
||||
protected!
|
||||
deploy()
|
||||
end
|
||||
|
||||
not_found do
|
||||
halt 404, 'You shall not pass! (page not found)'
|
||||
end
|
||||
|
||||
helpers do
|
||||
def deploy()
|
||||
begin
|
||||
Process.detach(fork{ exec "#{DEPLOYCMD} &"})
|
||||
{:status => :success, :message => "Deploying environments."}.to_json
|
||||
rescue
|
||||
{:status => :fail, :message => "Deploy failed.", :trace => e.message}.to_json
|
||||
end
|
||||
end #end deploy()
|
||||
|
||||
def protected!
|
||||
unless authorized?
|
||||
response['WWW-Authenticate'] = %(Basic realm="Restricted Area")
|
||||
throw(:halt, [401, "Not authorized\n"])
|
||||
end
|
||||
end #end protected!
|
||||
|
||||
def authorized?
|
||||
@auth ||= Rack::Auth::Basic::Request.new(request.env)
|
||||
@auth.provided? && @auth.basic? && @auth.credentials &&
|
||||
@auth.credentials == [USER, PASS]
|
||||
end #end authorized?
|
||||
end #end helpers
|
||||
end
|
||||
|
||||
Rack::Handler::WEBrick.run(Server, opts) do |server|
|
||||
[:INT, :TERM].each { |sig| trap(sig) { server.stop } }
|
||||
end
|
|
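Review bot: `DEPLOYCMD` reads `@r10k_options['r10k_deployhooks_logdir']` while `LOGFILE` reads `deployhooks_logdir`, and the hieradata added in this commit defines only the latter, so the redirect would render as `>> /mco` and the shell would most likely fail to open it as `peadmin` while `/deploy` still answers success. Using the same key, `>> <%= @r10k_options['deployhooks_logdir'] %>/mco 2>&1`, fixes that. In `deploy`, the bare `rescue` never binds `e`, so the failure branch raises `NameError` on `e.message`; it should read `rescue => e`. In `authorized?`, `@auth.credentials == [USER, PASS]` is an ordinary string comparison; comparing each field with `Rack::Utils.secure_compare` would make the check constant-time.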
@ -0,0 +1,104 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# r10k_deployhook Manage the r10k deploy hook
|
||||
#
|
||||
# chkconfig: - 55 25
|
||||
# description: Stupidsimple webhooks implementation.
|
||||
#
|
||||
# pidfile: /var/run/r10k_deployhook.pid
|
||||
|
||||
### BEGIN INIT INFO
|
||||
# Provides: r10k_deployhook
|
||||
# Required-Start: $local_fs $network
|
||||
# Required-Stop: $local_fs $network
|
||||
# Should-Start:
|
||||
# Should-Stop:
|
||||
# Default-Start:
|
||||
# Default-Stop:
|
||||
# Short-Description: start and stop r10k_deployhook daemon
|
||||
# Description: Simple deployhook receiver for starting r10k runs
|
||||
### END INIT INFO
|
||||
|
||||
# source function library
|
||||
. /etc/init.d/functions
|
||||
|
||||
PATH=$PATH:/opt/puppet/bin
|
||||
|
||||
OPTIONS=""
|
||||
if [ -e /etc/sysconfig/r10k_deployhook ]; then
|
||||
. /etc/sysconfig/r10k_deployhook
|
||||
fi
|
||||
|
||||
RETVAL=0
|
||||
prog="r10k_deployhook"
|
||||
binary=/usr/local/bin/r10k_deployhook
|
||||
pidfile=/var/run/r10k_deployhook.pid
|
||||
user="peadmin"
|
||||
|
||||
start() {
|
||||
[ -x $binary ] || exit 5
|
||||
echo -n $"Starting $prog: "
|
||||
|
||||
if [ $UID -ne 0 ]; then
|
||||
RETVAL=1
|
||||
failure
|
||||
else
|
||||
daemon --user=$user --pidfile=$pidfile $binary $OPTIONS
|
||||
RETVAL=$?
|
||||
[ $RETVAL -eq 0 ] &&
|
||||
touch /var/lock/subsys/r10k_deployhook &&
|
||||
pgrep -f -u $user $binary > $pidfile
|
||||
fi;
|
||||
echo
|
||||
return $RETVAL
|
||||
}
|
||||
|
||||
stop() {
|
||||
echo -n $"Stopping $prog: "
|
||||
if [ $UID -ne 0 ]; then
|
||||
RETVAL=1
|
||||
failure
|
||||
else
|
||||
killproc -p $pidfile $binary
|
||||
RETVAL=$?
|
||||
[ $RETVAL -eq 0 ] &&
|
||||
rm -f /var/lock/subsys/r10k_deployhook &&
|
||||
rm -f $pidfile
|
||||
fi;
|
||||
echo
|
||||
return $RETVAL
|
||||
}
|
||||
|
||||
restart(){
|
||||
stop
|
||||
start
|
||||
}
|
||||
|
||||
condrestart(){
|
||||
[ -e /var/lock/subsys/r10k_deployhook ] && restart
|
||||
return 0
|
||||
}
|
||||
|
||||
case "$1" in
|
||||
start)
|
||||
start
|
||||
RETVAL=$?
|
||||
;;
|
||||
stop)
|
||||
stop
|
||||
RETVAL=$?
|
||||
;;
|
||||
restart)
|
||||
restart
|
||||
RETVAL=$?
|
||||
;;
|
||||
status)
|
||||
status -p $pidfile r10k_deployhook
|
||||
RETVAL=$?
|
||||
;;
|
||||
*)
|
||||
echo $"Usage: $0 {start|stop|restart|status}"
|
||||
RETVAL=2
|
||||
esac
|
||||
|
||||
exit $RETVAL
|
|
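Review bot: In `start()`, `pgrep -f -u $user $binary > $pidfile` matches any process of that user whose command line contains the binary path, so the pidfile can end up holding several PIDs or none, and the result of that `&&` chain is never copied back into `RETVAL`. `stop` and `status` then act on whatever was written. I would have the daemon write its own PID, or at least restrict the match to one process and quote the variables, `pgrep -o -f -u "$user" "$binary" > "$pidfile"`. `condrestart()` is defined but the `case "$1"` dispatch has no branch for it, so it cannot be reached.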
@ -0,0 +1,14 @@
|
|||
description "Deployhook for r10k"
|
||||
author "Adam Crews <adam@puppetlabs.com>"
|
||||
|
||||
start on filesystem or runlevel [2345]
|
||||
stop on runlevel [!2345]
|
||||
|
||||
respawn
|
||||
umask 022
|
||||
|
||||
setuid 'peadmin'
|
||||
setgid 'peadmin'
|
||||
|
||||
console log
|
||||
exec /usr/local/bin/r10k_deployhook
|
|
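Review bot: `respawn` is combined with `exec /usr/local/bin/r10k_deployhook`, but the script in this commit starts WEBrick with `:ServerType => WEBrick::Daemon`, which as far as I know forks twice and lets the original process exit. Without an `expect` stanza upstart would track the process that exits, consider the job dead and respawn it, while the detached server keeps the port. Adding `expect daemon` after `respawn`, or running the server in the foreground under upstart, keeps the tracked PID and the real server the same process.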
@ -3,4 +3,5 @@
|
|||
class role::puppetmaster {
|
||||
include profile::account
|
||||
include profile::puppetmaster
|
||||
include profile::r10k
|
||||
}
|
||||
|
|
|
@ -23,4 +23,10 @@ accounts:
|
|||
groups:
|
||||
- sudo
|
||||
|
||||
# vim: ft=yaml ts=2 sw=2 et
|
||||
r10k_options:
|
||||
deployhooks_logdir: /var/log
|
||||
deployhooks_user: ENC[PKCS7,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]
|
||||
deployhooks_pass: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAy3DB+0f5EW1aY5ZeesQN/t/dUqKGgvI4JczSKXHIgRwm6NUL4+PAdYKtIeZR+leBhMFA0a0/7RdOwfxM0Y76LOcxbLGaaQD7s8H5CYIozXukE73g8nsnKKamGM54LUWKnmzhcq/zgoaLRa1fqQ1ibG/5TNFYn77n2AsHJu0lsuExeM62nja6Vg0b6GDrQLqKOEXEXy9jeN9e0zBMbenrGTy8nnbO0SVg8V9xDDzWHNUlmhJ0cXl8MTbLVtREGLzF/5RMAutnb6esM+7l8OonEp09vunJPgRM0jgsr77zBKb73ptSGPVnsE204+uTKv2oTUxn0pHbmjo2VcaOVRnnSDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCz+AkCvq0Wu+yjDdos5TvYgDCRaM7GhWQ+mtk+x+Z9uHSkRUSa4ELu689pwkYnd2gl5Mv7U/o+pEpuUhe71sG4Lu0=]
|
||||
deployhooks_port: 9013
|
||||
|
||||
# vim: ft=yaml ts=2 sw=2 nowrap et
|
||||
|
|
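Review bot: `deployhooks_logdir: /var/log` makes the hook, which the init script and the upstart job both run as `peadmin`, open `/var/log/deployhooks` for writing, and nothing in this commit creates that file or gives that user access to it. On a typical system `/var/log` is writable only by root, so the server would probably fail when it opens its log. A dedicated directory, for example `deployhooks_logdir: /var/log/r10k_deployhook` (constructed path), created by a `file` resource owned by `peadmin`, avoids this. It also keeps the deploy output out of a shared log directory.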