Adding webhook and eyaml management
parent
a8dcc8ab06
commit
dafcf8e0ba
|
@ -32,3 +32,7 @@ mod 'stahnma/epel', '0.0.6'
|
||||||
# <https://github.com/torrancew/puppet-account/pull/18>
|
# <https://github.com/torrancew/puppet-account/pull/18>
|
||||||
mod 'account', :git => 'git://github.com/jenkins-infra/puppet-account.git',
|
mod 'account', :git => 'git://github.com/jenkins-infra/puppet-account.git',
|
||||||
:ref => '03280b8'
|
:ref => '03280b8'
|
||||||
|
|
||||||
|
mod 'jenkins_keys',
|
||||||
|
:git => 'git@github.com:rtyler/jenkins-keys.git'
|
||||||
|
|
||||||
|
|
|
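Review bot: The new `mod 'jenkins_keys'` entry has no `:ref`, so r10k will deploy whatever that repository's default branch holds at each run, while the `account` module just above is pinned to `03280b8`. The puppetmaster profile in this commit describes this module as pulling in secrets, so an unreviewed upstream push would land directly on the master; pin it the same way, e.g. `:ref => '<reviewed-commit-sha>'` (placeholder). The `git@github.com:` URL also implies the master needs an SSH key with read access to that repository, which nothing visible in this commit provisions.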
@ -1,6 +1,7 @@
|
||||||
---
|
---
|
||||||
:backends:
|
:backends:
|
||||||
- yaml
|
- yaml
|
||||||
|
- eyaml
|
||||||
|
|
||||||
:hierarchy:
|
:hierarchy:
|
||||||
- "clients/%{clientcert}"
|
- "clients/%{clientcert}"
|
||||||
|
@ -14,3 +15,6 @@
|
||||||
# When specifying a datadir, make sure the directory exists.
|
# When specifying a datadir, make sure the directory exists.
|
||||||
:datadir: "/etc/puppetlabs/puppet/environments/%{environment}/hieradata"
|
:datadir: "/etc/puppetlabs/puppet/environments/%{environment}/hieradata"
|
||||||
|
|
||||||
|
:eyaml:
|
||||||
|
:datadir: "/etc/puppetlabs/puppet/environments/%{environment}/hieradata"
|
||||||
|
:extension: 'yaml'
|
||||||
|
|
|
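Review bot: `- eyaml` is listed after `- yaml` in `:backends:`, and the new `:eyaml:` block uses the same `:datadir:` with `:extension: 'yaml'`, so both backends read the same files; with Hiera's first-match priority lookup the plain yaml backend will most likely answer first and hand back the literal `ENC[PKCS7,...]` strings undecrypted. If so, the deploy hook's basic-auth user and password become the ciphertext text that is committed in hieradata rather than the secret it encrypts. Listing `- eyaml` before `- yaml`, or keeping encrypted values in files with a separate extension, avoids that. The block also sets no `:pkcs7_private_key:` / `:pkcs7_public_key:` paths, so key lookup falls back to hiera-eyaml's defaults; set them explicitly unless the jenkins_keys module is known to place the keys there.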
@ -12,23 +12,6 @@ class profile::puppetmaster {
|
||||||
notify => Service['pe-httpd'],
|
notify => Service['pe-httpd'],
|
||||||
}
|
}
|
||||||
|
|
||||||
class { 'r10k':
|
|
||||||
remote => 'https://github.com/jenkins-infra/jenkins-infra.git',
|
|
||||||
version => '1.2.1',
|
|
||||||
modulepath => '/etc/puppetlabs/puppet/environments/$environment/dist:/etc/puppetlabs/puppet/environments/$environment/modules:/opt/puppet/share/puppet/modules',
|
|
||||||
manage_modulepath => true,
|
|
||||||
mcollective => true,
|
|
||||||
}
|
|
||||||
|
|
||||||
ini_setting { 'Update manifest in puppet.conf':
|
|
||||||
ensure => present,
|
|
||||||
path => '/etc/puppetlabs/puppet/puppet.conf',
|
|
||||||
section => 'main',
|
|
||||||
setting => 'manifest',
|
|
||||||
value => '/etc/puppetlabs/puppet/environments/$environment/manifests/site.pp',
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
## Ensure we're setting the right SMTP server
|
## Ensure we're setting the right SMTP server
|
||||||
yaml_setting { 'console smtp server':
|
yaml_setting { 'console smtp server':
|
||||||
target => '/etc/puppetlabs/console-auth/config.yml',
|
target => '/etc/puppetlabs/console-auth/config.yml',
|
||||||
|
@ -36,4 +19,7 @@ class profile::puppetmaster {
|
||||||
value => 'smtp.osuosl.org',
|
value => 'smtp.osuosl.org',
|
||||||
notify => Service['pe-httpd'],
|
notify => Service['pe-httpd'],
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# pull in all our secret stuff, and install eyaml
|
||||||
|
include ::jenkins_keys
|
||||||
}
|
}
|
||||||
|
|
|
@ -0,0 +1,74 @@
|
||||||
|
class profile::r10k {
|
||||||
|
|
||||||
|
# Here we get our config for r10k from hiera.
|
||||||
|
# currently this hash is only used by the templates below
|
||||||
|
$r10k_options = hiera('r10k_options')
|
||||||
|
|
||||||
|
class { '::r10k':
|
||||||
|
remote => 'https://github.com/jenkins-infra/jenkins-infra.git',
|
||||||
|
version => '1.2.1',
|
||||||
|
modulepath => '/etc/puppetlabs/puppet/environments/$environment/dist:/etc/puppetlabs/puppet/environments/$environment/modules:/opt/puppet/share/puppet/modules',
|
||||||
|
manage_modulepath => true,
|
||||||
|
mcollective => true,
|
||||||
|
}
|
||||||
|
|
||||||
|
ini_setting { 'Update manifest in puppet.conf':
|
||||||
|
ensure => present,
|
||||||
|
path => '/etc/puppetlabs/puppet/puppet.conf',
|
||||||
|
section => 'main',
|
||||||
|
setting => 'manifest',
|
||||||
|
value => '/etc/puppetlabs/puppet/environments/$environment/manifests/site.pp',
|
||||||
|
}
|
||||||
|
|
||||||
|
case $::osfamily {
|
||||||
|
'redhat': {
|
||||||
|
file { '/etc/init.d/r10k_deployhook.init':
|
||||||
|
ensure => file,
|
||||||
|
owner => root,
|
||||||
|
group => root,
|
||||||
|
mode => '0755',
|
||||||
|
content => template("${module_name}/r10k_deployhook.init.erb"),
|
||||||
|
alias => 'deployhook',
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
'debian': {
|
||||||
|
file { '/etc/init/r10k_deployhook.conf':
|
||||||
|
ensure => file,
|
||||||
|
owner => root,
|
||||||
|
group => root,
|
||||||
|
mode => '0755',
|
||||||
|
content => template("${module_name}/r10k_deployhook.upstart.erb"),
|
||||||
|
alias => 'deployhook_init',
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
default: { fail("${module_name} is not supported on ${::osfamily}") }
|
||||||
|
}
|
||||||
|
|
||||||
|
package { 'sinatra':
|
||||||
|
ensure => present,
|
||||||
|
provider => pe_gem,
|
||||||
|
}
|
||||||
|
|
||||||
|
package { 'webrick':
|
||||||
|
ensure => present,
|
||||||
|
provider => pe_gem,
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
file { '/usr/local/bin/r10k_deployhook':
|
||||||
|
ensure => file,
|
||||||
|
owner => root,
|
||||||
|
group => root,
|
||||||
|
mode => '0755',
|
||||||
|
content => template("${module_name}/r10k_deployhook.erb"),
|
||||||
|
require => [ Package['sinatra'], Package['webrick'] ],
|
||||||
|
}
|
||||||
|
|
||||||
|
service { 'r10k_deployhook':
|
||||||
|
ensure => running,
|
||||||
|
enable => true,
|
||||||
|
subscribe => [File['deployhook'], File['deployhook_init']],
|
||||||
|
}
|
||||||
|
}
|
|
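Review bot: `/usr/local/bin/r10k_deployhook` is rendered from a template that embeds the hook's basic-auth user and password as string constants, yet the `file` resource installs it with `owner => root`, `group => root`, `mode => '0755'`, leaving those credentials readable by every local account. Restricting it to the service account, e.g. `group => 'peadmin',` with `mode => '0750',`, keeps it runnable by the daemon only. Separately, `service { 'r10k_deployhook': }` subscribes to both `File['deployhook']` and `File['deployhook_init']`, but each `case` branch declares only one of those aliases, so the other reference looks unresolvable on either OS family. The service also does not subscribe to the script file itself, so a changed password would not restart the running daemon.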
@ -0,0 +1,80 @@
|
||||||
|
#!/opt/puppet/bin/ruby
|
||||||
|
# This mini-webserver is meant to be run as the peadmin user
|
||||||
|
# so that it can call mcollective from a puppetmaster
|
||||||
|
|
||||||
|
require 'rubygems'
|
||||||
|
|
||||||
|
require 'sinatra/base'
|
||||||
|
require 'webrick'
|
||||||
|
require 'webrick/https'
|
||||||
|
require 'openssl'
|
||||||
|
|
||||||
|
require 'resolv'
|
||||||
|
require 'json'
|
||||||
|
|
||||||
|
DEPLOYCMD = '/opt/puppet/bin/mco r10k deploy_all --np >> <%= @r10k_options['r10k_deployhooks_logdir'] %>/mco 2>&1'
|
||||||
|
LOGFILE = '<%= @r10k_options['deployhooks_logdir'] %>/deployhooks'
|
||||||
|
USER = '<%= @r10k_options['deployhooks_user'] %>'
|
||||||
|
PASS = '<%= @r10k_options['deployhooks_pass'] %>'
|
||||||
|
PORT = '<%= @r10k_options['deployhooks_port'] %>'
|
||||||
|
CERT_PATH = '/opt/puppet/share/puppet-dashboard/certs'
|
||||||
|
CERT_NAME = 'pe-internal-dashboard'
|
||||||
|
|
||||||
|
ENV['HOME'] = '/var/lib/peadmin'
|
||||||
|
ENV['PATH'] = '/sbin:/usr/sbin:/bin:/usr/bin:/opt/puppet/bin'
|
||||||
|
|
||||||
|
opts = {
|
||||||
|
:Port => PORT,
|
||||||
|
:Logger => WEBrick::Log::new(LOGFILE, WEBrick::Log::DEBUG),
|
||||||
|
:ServerType => WEBrick::Daemon,
|
||||||
|
:SSLEnable => true,
|
||||||
|
:SSLVerifyClient => OpenSSL::SSL::VERIFY_NONE,
|
||||||
|
:SSLCertificate => OpenSSL::X509::Certificate.new( File.open(File.join(CERT_PATH, "#{CERT_NAME}.crt")).read),
|
||||||
|
:SSLPrivateKey => OpenSSL::PKey::RSA.new( File.open(File.join(CERT_PATH, "#{CERT_NAME}.key")).read),
|
||||||
|
:SSLCertName => [ [ "CN",WEBrick::Utils::getservername ] ]
|
||||||
|
}
|
||||||
|
|
||||||
|
class Server < Sinatra::Base
|
||||||
|
set :static, false
|
||||||
|
|
||||||
|
get '/' do
|
||||||
|
raise Sinatra::NotFound
|
||||||
|
end
|
||||||
|
|
||||||
|
post '/deploy' do
|
||||||
|
protected!
|
||||||
|
deploy()
|
||||||
|
end
|
||||||
|
|
||||||
|
not_found do
|
||||||
|
halt 404, 'You shall not pass! (page not found)'
|
||||||
|
end
|
||||||
|
|
||||||
|
helpers do
|
||||||
|
def deploy()
|
||||||
|
begin
|
||||||
|
Process.detach(fork{ exec "#{DEPLOYCMD} &"})
|
||||||
|
{:status => :success, :message => "Deploying environments."}.to_json
|
||||||
|
rescue
|
||||||
|
{:status => :fail, :message => "Deploy failed.", :trace => e.message}.to_json
|
||||||
|
end
|
||||||
|
end #end deploy()
|
||||||
|
|
||||||
|
def protected!
|
||||||
|
unless authorized?
|
||||||
|
response['WWW-Authenticate'] = %(Basic realm="Restricted Area")
|
||||||
|
throw(:halt, [401, "Not authorized\n"])
|
||||||
|
end
|
||||||
|
end #end protected!
|
||||||
|
|
||||||
|
def authorized?
|
||||||
|
@auth ||= Rack::Auth::Basic::Request.new(request.env)
|
||||||
|
@auth.provided? && @auth.basic? && @auth.credentials &&
|
||||||
|
@auth.credentials == [USER, PASS]
|
||||||
|
end #end authorized?
|
||||||
|
end #end helpers
|
||||||
|
end
|
||||||
|
|
||||||
|
Rack::Handler::WEBrick.run(Server, opts) do |server|
|
||||||
|
[:INT, :TERM].each { |sig| trap(sig) { server.stop } }
|
||||||
|
end
|
|
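Review bot: `authorized?` checks the supplied credentials with `@auth.credentials == [USER, PASS]`, an ordinary equality that is not constant-time; for a network-facing endpoint that triggers deployments, comparing each field with `Rack::Utils.secure_compare` is the safer check. In `deploy`, the bare `rescue` never binds the exception, so `e.message` raises `NameError` and the failure branch cannot return its JSON; it should read `rescue => e`. Returning `e.message` in the response also hands internal error text to the caller, so logging it and returning only the status would be enough. The rewritten lines are below.

```ruby
# … unchanged: requires, constants, WEBrick opts, routes …
      rescue => e
        {:status => :fail, :message => "Deploy failed.", :trace => e.message}.to_json
# … unchanged: protected! …
    def authorized?
      @auth ||= Rack::Auth::Basic::Request.new(request.env)
      return false unless @auth.provided? && @auth.basic? && @auth.credentials

      user, pass = @auth.credentials
      # Evaluate both comparisons so timing does not reveal which field failed.
      user_ok = Rack::Utils.secure_compare(USER, user.to_s)
      pass_ok = Rack::Utils.secure_compare(PASS, pass.to_s)
      user_ok & pass_ok
    end
```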
@ -0,0 +1,104 @@
|
||||||
|
#!/bin/bash
|
||||||
|
#
|
||||||
|
# r10k_deployhook Manage the r10k deploy hook
|
||||||
|
#
|
||||||
|
# chkconfig: - 55 25
|
||||||
|
# description: Stupidsimple webhooks implementation.
|
||||||
|
#
|
||||||
|
# pidfile: /var/run/r10k_deployhook.pid
|
||||||
|
|
||||||
|
### BEGIN INIT INFO
|
||||||
|
# Provides: r10k_deployhook
|
||||||
|
# Required-Start: $local_fs $network
|
||||||
|
# Required-Stop: $local_fs $network
|
||||||
|
# Should-Start:
|
||||||
|
# Should-Stop:
|
||||||
|
# Default-Start:
|
||||||
|
# Default-Stop:
|
||||||
|
# Short-Description: start and stop r10k_deployhook daemon
|
||||||
|
# Description: Simple deployhook receiver for starting r10k runs
|
||||||
|
### END INIT INFO
|
||||||
|
|
||||||
|
# source function library
|
||||||
|
. /etc/init.d/functions
|
||||||
|
|
||||||
|
PATH=$PATH:/opt/puppet/bin
|
||||||
|
|
||||||
|
OPTIONS=""
|
||||||
|
if [ -e /etc/sysconfig/r10k_deployhook ]; then
|
||||||
|
. /etc/sysconfig/r10k_deployhook
|
||||||
|
fi
|
||||||
|
|
||||||
|
RETVAL=0
|
||||||
|
prog="r10k_deployhook"
|
||||||
|
binary=/usr/local/bin/r10k_deployhook
|
||||||
|
pidfile=/var/run/r10k_deployhook.pid
|
||||||
|
user="peadmin"
|
||||||
|
|
||||||
|
start() {
|
||||||
|
[ -x $binary ] || exit 5
|
||||||
|
echo -n $"Starting $prog: "
|
||||||
|
|
||||||
|
if [ $UID -ne 0 ]; then
|
||||||
|
RETVAL=1
|
||||||
|
failure
|
||||||
|
else
|
||||||
|
daemon --user=$user --pidfile=$pidfile $binary $OPTIONS
|
||||||
|
RETVAL=$?
|
||||||
|
[ $RETVAL -eq 0 ] &&
|
||||||
|
touch /var/lock/subsys/r10k_deployhook &&
|
||||||
|
pgrep -f -u $user $binary > $pidfile
|
||||||
|
fi;
|
||||||
|
echo
|
||||||
|
return $RETVAL
|
||||||
|
}
|
||||||
|
|
||||||
|
stop() {
|
||||||
|
echo -n $"Stopping $prog: "
|
||||||
|
if [ $UID -ne 0 ]; then
|
||||||
|
RETVAL=1
|
||||||
|
failure
|
||||||
|
else
|
||||||
|
killproc -p $pidfile $binary
|
||||||
|
RETVAL=$?
|
||||||
|
[ $RETVAL -eq 0 ] &&
|
||||||
|
rm -f /var/lock/subsys/r10k_deployhook &&
|
||||||
|
rm -f $pidfile
|
||||||
|
fi;
|
||||||
|
echo
|
||||||
|
return $RETVAL
|
||||||
|
}
|
||||||
|
|
||||||
|
restart(){
|
||||||
|
stop
|
||||||
|
start
|
||||||
|
}
|
||||||
|
|
||||||
|
condrestart(){
|
||||||
|
[ -e /var/lock/subsys/r10k_deployhook ] && restart
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
|
||||||
|
case "$1" in
|
||||||
|
start)
|
||||||
|
start
|
||||||
|
RETVAL=$?
|
||||||
|
;;
|
||||||
|
stop)
|
||||||
|
stop
|
||||||
|
RETVAL=$?
|
||||||
|
;;
|
||||||
|
restart)
|
||||||
|
restart
|
||||||
|
RETVAL=$?
|
||||||
|
;;
|
||||||
|
status)
|
||||||
|
status -p $pidfile r10k_deployhook
|
||||||
|
RETVAL=$?
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
echo $"Usage: $0 {start|stop|restart|status}"
|
||||||
|
RETVAL=2
|
||||||
|
esac
|
||||||
|
|
||||||
|
exit $RETVAL
|
|
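Review bot: `condrestart()` is defined but the `case "$1"` dispatch has no `condrestart)` branch, so the function can never be reached and the usage string does not list it; either add `condrestart) condrestart; RETVAL=$? ;;` or drop the function. In `start()`, the pidfile is filled by `pgrep -f -u $user $binary > $pidfile`, which records every matching process and runs as soon as `daemon` returns, so it can write several PIDs or none; having the daemon write its own pidfile would be more reliable for `killproc -p` and `status -p`. The `&&` chain after `RETVAL=$?` does not feed back into `RETVAL`, so a failed `touch` or `pgrep` still reports success.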
@ -0,0 +1,14 @@
|
||||||
|
description "Deployhook for r10k"
|
||||||
|
author "Adam Crews <adam@puppetlabs.com>"
|
||||||
|
|
||||||
|
start on filesystem or runlevel [2345]
|
||||||
|
stop on runlevel [!2345]
|
||||||
|
|
||||||
|
respawn
|
||||||
|
umask 022
|
||||||
|
|
||||||
|
setuid 'peadmin'
|
||||||
|
setgid 'peadmin'
|
||||||
|
|
||||||
|
console log
|
||||||
|
exec /usr/local/bin/r10k_deployhook
|
|
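Review bot: The job combines `respawn` with a plain `exec /usr/local/bin/r10k_deployhook` and no `expect` stanza, but the script it starts sets `:ServerType => WEBrick::Daemon`, which detaches from the launching process. Upstart would then track the short-lived parent, see it exit, and presumably respawn it while the real server runs unsupervised. Either add `expect daemon` here or have the script stay in the foreground when started by Upstart.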
@ -3,4 +3,5 @@
|
||||||
class role::puppetmaster {
|
class role::puppetmaster {
|
||||||
include profile::account
|
include profile::account
|
||||||
include profile::puppetmaster
|
include profile::puppetmaster
|
||||||
|
include profile::r10k
|
||||||
}
|
}
|
||||||
|
|
|
@ -23,4 +23,10 @@ accounts:
|
||||||
groups:
|
groups:
|
||||||
- sudo
|
- sudo
|
||||||
|
|
||||||
# vim: ft=yaml ts=2 sw=2 et
|
r10k_options:
|
||||||
|
deployhooks_logdir: /var/log
|
||||||
|
deployhooks_user: ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAMgXgW7v2mcAlhyW4BCGaKqywOv2wA67aiiplA0iisxD5fGNY7dgjUMq6tGEFsSAKJl25BYo7AspCk3ZQMae15NwVne8CztljTYZU6pf9rHCpqnhA1UFUo0oo44OpJUocmTbBP/MwLMTCi9kJGAYsPIt/l4BeeYmPAj+ZsPUCHQ2Me45uqWmSfI363kOKXb42t5/VQAPsQXncCD/rlXD0djyYYbNb1KAMKA2owOBqgDRV/9eElm3oj8UKfZORyhecfD4U30GzpsuXawhyCKH25AEv14faEWEwHW/n78VcOuItS2rXLKC+zSZKmfmIPzRCjyxo/MSE1hjSxLQ7Tkig9DA8BgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAI+hpqZ+yO1u4CDCGodxGygBA3l8ovLuqjFypUL0SPKeUL]
|
||||||
|
deployhooks_pass: ENC[PKCS7,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]
|
||||||
|
deployhooks_port: 9013
|
||||||
|
|
||||||
|
# vim: ft=yaml ts=2 sw=2 nowrap et
|
||||||
|
|
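Review bot: The hash defines `deployhooks_logdir`, but the script template's `DEPLOYCMD` reads `@r10k_options['r10k_deployhooks_logdir']`, a key that is not set here, so the rendered redirect would point at `/mco` and the shell would most likely fail to open it as `peadmin`. Either add that key or change the template to use `deployhooks_logdir`, as `LOGFILE` does. `deployhooks_logdir: /var/log` also assumes the `peadmin` account may create files directly in `/var/log`, which is not usually the case; a dedicated directory owned by that account would be safer. A short comment above the `ENC[...]` values naming the key pair that encrypts them would help whoever rotates these credentials.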