From 884e828be586b7e845c0e1eb54d868048fec8899 Mon Sep 17 00:00:00 2001 From: Joris29 Date: Mon, 13 Nov 2023 15:02:59 +0100 Subject: [PATCH 01/82] Remove params.pp prep --- data/common.yaml | 2 ++ data/os/RedHat.yaml | 2 ++ hiera.yaml | 11 ++++++++ manifests/init.pp | 16 +++++------ manifests/params.pp | 52 ------------------------------------ templates/jaas-auth.conf.erb | 17 ------------ 6 files changed, 23 insertions(+), 77 deletions(-) create mode 100644 data/common.yaml create mode 100644 data/os/RedHat.yaml create mode 100644 hiera.yaml delete mode 100644 templates/jaas-auth.conf.erb diff --git a/data/common.yaml b/data/common.yaml new file mode 100644 index 000000000..e6b1b18f7 --- /dev/null +++ b/data/common.yaml @@ -0,0 +1,2 @@ +--- +rundeck::acl_policies: diff --git a/data/os/RedHat.yaml b/data/os/RedHat.yaml new file mode 100644 index 000000000..b227da0d2 --- /dev/null +++ b/data/os/RedHat.yaml @@ -0,0 +1,2 @@ +--- +prometheus::env_file_path: '/etc/sysconfig' diff --git a/hiera.yaml b/hiera.yaml new file mode 100644 index 000000000..149fe6a0c --- /dev/null +++ b/hiera.yaml @@ -0,0 +1,11 @@ +--- +version: 5 +defaults: + datadir: 'data' + data_hash: 'yaml_data' +hierarchy: + - name: 'OS family' + path: 'os/%{facts.os.family}.yaml' + + - name: 'common' + path: 'common.yaml' \ No newline at end of file diff --git a/manifests/init.pp b/manifests/init.pp index 456deaadf..9a7ad8a95 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
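Review bot: The new `data/os/RedHat.yaml` sets `prometheus::env_file_path`, a key that belongs to a different module, so nothing in this module binds to it and the RedHat override directory is left unset by this patch. Judging by `$overrides_dir = $rundeck::overrides_dir` in `manifests/config.pp`, the intended key is `rundeck::overrides_dir: '/etc/sysconfig'`. Hiera silently ignores keys that match no parameter, so this would not surface as a compile error.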
@@ -155,16 +155,16 @@ # https://docs.rundeck.com/docs/administration/configuration/plugins/configuring.html#storage-converter-plugins # class rundeck ( - Array[Hash] $acl_policies = $rundeck::params::acl_policies, - String $acl_template = $rundeck::params::acl_template, - Array[Hash] $api_policies = $rundeck::params::api_policies, - String $api_template = $rundeck::params::api_template, + Array[Hash] $acl_policies, + String $acl_template = 'rundeck/aclpolicy.erb', + Array[Hash] $api_policies = {}, + String $api_template = 'rundeck/aclpolicy.erb', Hash $auth_config = $rundeck::params::auth_config, - String $auth_template = $rundeck::params::auth_template, - Array $auth_types = $rundeck::params::auth_types, + String $auth_template = 'rundeck/jaas-auth.conf.epp', + Array $auth_types = ['file'], Boolean $clustermode_enabled = $rundeck::params::clustermode_enabled, Hash $database_config = $rundeck::params::database_config, - Optional[Enum['active', 'passive']] $execution_mode = undef, + Enum['active', 'passive'] $execution_mode = 'active', Stdlib::Absolutepath $file_keystorage_dir = $rundeck::params::file_keystorage_dir, Hash $file_keystorage_keys = $rundeck::params::file_keystorage_keys, Hash $framework_config = $rundeck::params::framework_config, @@ -231,7 +231,7 @@ Boolean $security_roles_array_enabled = $rundeck::params::security_roles_array_enabled, Array $security_roles_array = $rundeck::params::security_roles_array, Hash[String,String] $storage_encrypt_config = {}, -) inherits rundeck::params { +) { validate_rd_policy($acl_policies) contain rundeck::install diff --git a/manifests/params.pp b/manifests/params.pp index e26a72e65..ef51ae245 100644 --- a/manifests/params.pp +++ b/manifests/params.pp 
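Review bot: `Array[Hash] $api_policies = {}` gives an `Array[Hash]` parameter a Hash literal as default, so any catalog that relies on the default fails the type check; it should read `Array[Hash] $api_policies = [],`. This also changes the default from the API-token policy that granted `api_token_group` job create/delete and `*` on the `keys` storage path to no API policy at all, which is a sensible least-privilege default but belongs in the parameter doc and changelog. Several defaults in this hunk still reference `$rundeck::params::*` (`auth_config`, `clustermode_enabled`, `database_config`, `file_keystorage_dir`, …) while the same patch drops `inherits rundeck::params`, so those variables resolve to undef and then fail their `Hash`/`Boolean` type checks unless something else evaluates that class. The parameter list continues outside the hunk.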
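Review bot: `validate_rd_policy($acl_policies)` still checks only the admin policies; now that the API policy default is gone, whatever an operator supplies in `api_policies` is rendered into `apitoken.aclpolicy` unchecked, so add `validate_rd_policy($api_policies)` beside it. The class body continues past the end of the hunk.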
@@ -61,13 +61,9 @@ $auth_types = ['file'] $auth_users = {} - $auth_template = 'rundeck/jaas-auth.conf.epp' $log_properties_template = 'rundeck/log4j.properties.erb' - $acl_template = 'rundeck/aclpolicy.erb' - $api_template = 'rundeck/aclpolicy.erb' - $acl_policies = [ { 'description' => 'Admin, all access', @@ -114,54 +110,6 @@ } ] - $api_policies = [ - { - 'description' => 'API project level access control', - 'context' => { - 'project' => '.*', - }, - 'for' => { - 'resource' => [ - { 'equals' => { 'kind' => 'job' }, 'allow' => ['create','delete'] }, - { 'equals' => { 'kind' => 'node' }, 'allow' => ['read','create','update','refresh'] }, - { 'equals' => { 'kind' => 'event' }, 'allow' => ['read','create'] } - ], - 'adhoc' => [ - { 'allow' => ['read','run','kill'] } - ], - 'job' => [ - { 'allow' => ['create','read','update','delete','run','kill'] } - ], - 'node' => [ - { 'allow' => ['read','run'] } - ], - }, - 'by' => [{ - 'group' => ['api_token_group'] - }] - }, - { - 'description' => 'API Application level access control', - 'context' => { - 'application' => 'rundeck', - }, - 'for' => { - 'resource' => [ - { 'equals' => { 'kind' => 'system' }, 'allow' => ['read'] } - ], - 'project' => [ - { 'match' => { 'name' => '.*' }, 'allow' => ['read'] } - ], - 'storage' => [ - { 'match' => { 'path' => '(keys|keys/.*)' }, 'allow' => '*' }, - ], - }, - 'by' => [{ - 'group' => ['api_token_group'] - }] - } - ] - $auth_config = { 'file' => { 'admin_user' => $framework_config['framework.server.username'], diff --git a/templates/jaas-auth.conf.erb b/templates/jaas-auth.conf.erb deleted file mode 100644 index 3e21a53e4..000000000 --- a/templates/jaas-auth.conf.erb +++ /dev/null 
@@ -1,17 +0,0 @@ -authentication { - - <%- @auth_types.each do |type| - case type - when 'ldap', 'ldap_shared' -%> - <%= scope.function_template(['rundeck/_auth_ldap.erb']) %> - <%- when 'active_directory', 'active_directory_shared' -%> - <%= scope.function_template(['rundeck/_auth_ad.erb']) %> - <%- when 'pam' -%> - <%= scope.function_template(['rundeck/_auth_pam.erb']) %> - <%- when 'file' -%> - <%= scope.function_template(['rundeck/_auth_file.erb']) %> - <%- else - end - end - -%> -}; From 4ca22d39c9b567eb891996130bbccc9bf16c9783 Mon Sep 17 00:00:00 2001 From: Joris29 Date: Mon, 13 Nov 2023 16:19:04 +0100 Subject: [PATCH 02/82] Update params --- README.md | 32 +-- REFERENCE.md | 292 +++++++++++++++------- data/common.yaml | 137 ++++++++++ data/os/Debian.yaml | 2 + data/os/RedHat.yaml | 2 +- manifests/config.pp | 71 +----- manifests/config/global/rundeck_config.pp | 1 - manifests/config/global/web.pp | 9 +- manifests/config/securityroles.pp | 6 +- manifests/init.pp | 139 +++++----- manifests/params.pp | 281 --------------------- templates/rundeck-config.epp | 1 - 12 files changed, 433 insertions(+), 540 deletions(-) create mode 100644 data/os/Debian.yaml delete mode 100644 manifests/params.pp diff --git a/README.md b/README.md index 4d102d282..54c465899 100644 --- a/README.md +++ b/README.md 
@@ -25,34 +25,9 @@ The rundeck puppet module for installing and managing [Rundeck](http://rundeck.o | Rundeck Version | Rundeck Puppet module versions | | ---------------- | -------------------------------| -| 2.x - 3.0.X | v5.4.0 and older | -| 3.1 - up | v6.0.0 and newer | - -Since [Rundeck v3.1](https://docs.rundeck.com/docs/upgrading/upgrade-to-rundeck-3.1.html), -it is not required the installtion of `rundeck-config` package for RHEL based distributions anymore. - -Rundeck Team decided to mark this package _obsolete_, making it difficult to maintain -backwards compatibility with releases older than 3.1. - -Trying to install any version prior to 3.1.0 will throw the following error message: - -```console -Resolving Dependencies ---> Running transaction check ----> Package rundeck.noarch 0:2.11.5-1.56.GA will be installed ---> Processing Dependency: rundeck-config for package: rundeck-2.11.5-1.56.GA.noarch -Package rundeck-config is obsoleted by rundeck, but obsoleting package does not provide for requirements -... -``` - -If you need to downgrade and/or install a specific version of Rundeck older than 3.1.0, you can still use this module -to do it (v5.4.0 and prior), although you would need to [manually install the packages](https://github.com/rundeck/rundeck/issues/5168) disabling yum's obsoletes processing logic when performing updates. - -```console -yum reinstall --setopt=obsoletes=0 rundeck-config-3.0.24.20190719-1.201907192053 rundeck-3.0.24.20190719-1.201907192053 -``` - -The latest version of this puppet module only supports Rundeck 3.1 and up. +| 2.x - 3.0.X | v5.4.0 and older | +| 3.1.x - 3.3.x | v8.0.1 until v6.0.0 | +| 3.4.x - up | v9.0.0 and newer | ## Module Description @@ -93,7 +68,6 @@ class { 'rundeck': 'path' => '/', }, ], - projects_storage_type => 'db', database_config => { 'type' => 'mysql', 'url' => $db_url, diff --git a/REFERENCE.md b/REFERENCE.md index 596a0bbd1..724ed6d28 100644 --- a/REFERENCE.md +++ b/REFERENCE.md 
@@ -10,7 +10,6 @@ * [`rundeck`](#rundeck): Class to manage installation and configuration of Rundeck. * [`rundeck::config::global::web`](#rundeck--config--global--web): This class will manage the application's web.xml. -* [`rundeck::params`](#rundeck--params): == Class rundeck::params This class is meant to be called from `rundeck` It sets variables according to platform #### Private Classes @@ -69,13 +68,13 @@ The following parameters are available in the `rundeck` class: * [`java_home`](#-rundeck--java_home) * [`jvm_args`](#-rundeck--jvm_args) * [`kerberos_realms`](#-rundeck--kerberos_realms) -* [`key_password`](#-rundeck--key_password) * [`key_storage_config`](#-rundeck--key_storage_config) * [`keystore`](#-rundeck--keystore) * [`keystore_password`](#-rundeck--keystore_password) * [`log_properties_template`](#-rundeck--log_properties_template) * [`mail_config`](#-rundeck--mail_config) * [`sshkey_manage`](#-rundeck--sshkey_manage) +* [`key_password`](#-rundeck--key_password) * [`ssl_keyfile`](#-rundeck--ssl_keyfile) * [`ssl_certfile`](#-rundeck--ssl_certfile) * [`manage_default_admin_policy`](#-rundeck--manage_default_admin_policy) 
@@ -127,6 +126,19 @@ The following parameters are available in the `rundeck` class: * [`security_roles_array_enabled`](#-rundeck--security_roles_array_enabled) * [`security_roles_array`](#-rundeck--security_roles_array) * [`storage_encrypt_config`](#-rundeck--storage_encrypt_config) +* [`file_copier_provider`](#-rundeck--file_copier_provider) +* [`node_executor_provider`](#-rundeck--node_executor_provider) +* [`resource_sources`](#-rundeck--resource_sources) +* [`resource_format`](#-rundeck--resource_format) +* [`include_server_node`](#-rundeck--include_server_node) +* [`default_source_type`](#-rundeck--default_source_type) +* [`default_resource_dir`](#-rundeck--default_resource_dir) +* [`default_http_proxy_port`](#-rundeck--default_http_proxy_port) +* [`default_refresh_interval`](#-rundeck--default_refresh_interval) +* [`url_cache`](#-rundeck--url_cache) +* [`url_timeout`](#-rundeck--url_timeout) +* [`script_args_quoted`](#-rundeck--script_args_quoted) +* [`script_interpreter`](#-rundeck--script_interpreter) ##### `acl_policies` @@ -134,15 +146,13 @@ Data type: `Array[Hash]` Admin acl policies. -Default value: `$rundeck::params::acl_policies` - ##### `acl_template` Data type: `String` The template used for admin acl policy. Default is rundeck/aclpolicy.erb. -Default value: `$rundeck::params::acl_template` +Default value: `'rundeck/aclpolicy.erb'` ##### `api_policies` @@ -150,7 +160,7 @@ Data type: `Array[Hash]` apitoken acl policies. -Default value: `$rundeck::params::api_policies` +Default value: `[]` ##### `api_template` @@ -158,7 +168,7 @@ Data type: `String` The template used for apitoken acl policy. Default is rundeck/aclpolicy.erb. -Default value: `$rundeck::params::api_template` +Default value: `'rundeck/aclpolicy.erb'` ##### `auth_config` 
@@ -166,15 +176,13 @@ Data type: `Hash` Authentication configuration. -Default value: `$rundeck::params::auth_config` - ##### `auth_template` Data type: `String` The template used for authentication config. Default is rundeck/jaas-auth.conf.epp. -Default value: `$rundeck::params::auth_template` +Default value: `'rundeck/jaas-auth.conf.epp'` ##### `auth_types` @@ -182,7 +190,7 @@ Data type: `Array` The method used to authenticate to rundeck. Default is file. -Default value: `$rundeck::params::auth_types` +Default value: `['file']` ##### `clustermode_enabled` @@ -190,7 +198,7 @@ Data type: `Boolean` Boolean value if set to true enables cluster mode -Default value: `$rundeck::params::clustermode_enabled` +Default value: `false` ##### `database_config` @@ -198,15 +206,13 @@ Data type: `Hash` Hash of properties for configuring the [Rundeck Database](https://docs.rundeck.com/docs/administration/configuration/database) -Default value: `$rundeck::params::database_config` - ##### `execution_mode` -Data type: `Optional[Enum['active', 'passive']]` +Data type: `Enum['active', 'passive']` If set, allows setting the execution mode to 'active' or 'passive'. -Default value: `undef` +Default value: `'active'` ##### `file_keystorage_dir` @@ -214,15 +220,13 @@ Data type: `Stdlib::Absolutepath` Path to dir where the keystorage should be located. -Default value: `$rundeck::params::file_keystorage_dir` - ##### `file_keystorage_keys` Data type: `Hash` Add keys to file keystorage. -Default value: `$rundeck::params::file_keystorage_keys` +Default value: `{}` ##### `framework_config` 
@@ -230,15 +234,13 @@ Data type: `Hash` Hash of properties for configuring the [Rundeck Framework](https://docs.rundeck.com/docs/administration/configuration/config-file-reference.html#framework-properties) -Default value: `$rundeck::params::framework_config` - ##### `grails_server_url` Data type: `Stdlib::HTTPUrl` Sets `grails.serverURL` so that Rundeck knows its external address. -Default value: `$rundeck::params::grails_server_url` +Default value: `"http://${facts['networking']['fqdn']}:4440"` ##### `gui_config` @@ -246,7 +248,7 @@ Data type: `Hash` Hash of properties for customizing the [Rundeck GUI](https://docs.rundeck.com/docs/administration/configuration/gui-customization.html) -Default value: `$rundeck::params::gui_config` +Default value: `{}` ##### `java_home` @@ -262,7 +264,7 @@ Data type: `String` Extra arguments for the JVM. -Default value: `$rundeck::params::jvm_args` +Default value: `'-Xmx1024m -Xms256m -server'` ##### `kerberos_realms` @@ -270,15 +272,7 @@ Data type: `Hash` A hash of mappings between Kerberos domain DNS names and realm names -Default value: `$rundeck::params::kerberos_realms` - -##### `key_password` - -Data type: `String` - -The default key password. - -Default value: `$rundeck::params::key_password` +Default value: `{}` ##### `key_storage_config` @@ -286,15 +280,13 @@ Data type: `Array[Hash]` An array with hashes of properties for customizing the [Rundeck Key Storage](https://docs.rundeck.com/docs/manual/key-storage/key-storage.html) -Default value: `$rundeck::params::key_storage_config` - ##### `keystore` Data type: `Stdlib::Absolutepath` Full path to the java keystore to be used by Rundeck. -Default value: `$rundeck::params::keystore` +Default value: `'/etc/rundeck/ssl/keystore'` ##### `keystore_password` 
@@ -302,15 +294,13 @@ Data type: `String` The password for the given keystore. -Default value: `$rundeck::params::keystore_password` - ##### `log_properties_template` Data type: `String` The template used for log properties. Default is rundeck/log4j.properties.erb. -Default value: `$rundeck::params::log_properties_template` +Default value: `'rundeck/log4j.properties.erb'` ##### `mail_config` @@ -318,7 +308,7 @@ Data type: `Hash` A hash of the notification email configuraton. -Default value: `$rundeck::params::mail_config` +Default value: `{}` ##### `sshkey_manage` @@ -326,7 +316,15 @@ Data type: `Boolean` Should this module manage the sshkey used by rundeck at all. -Default value: `$rundeck::params::sshkey_manage` +Default value: `true` + +##### `key_password` + +Data type: `Optional[String]` + +The ssl key password. + +Default value: `undef` ##### `ssl_keyfile` @@ -334,7 +332,7 @@ Data type: `Stdlib::Absolutepath` Full path to the SSL private key to be used by Rundeck. -Default value: `$rundeck::params::ssl_keyfile` +Default value: `'/etc/rundeck/ssl/rundeck.key'` ##### `ssl_certfile` @@ -342,7 +340,7 @@ Data type: `Stdlib::Absolutepath` Full path to the SSL public key to be used by Rundeck. -Default value: `$rundeck::params::ssl_certfile` +Default value: `'/etc/rundeck/ssl/rundeck.crt'` ##### `manage_default_admin_policy` @@ -350,7 +348,7 @@ Data type: `Boolean` Boolean value if set to true enables default admin policy management -Default value: `$rundeck::params::manage_default_admin_policy` +Default value: `true` ##### `manage_default_api_policy` @@ -358,7 +356,7 @@ Data type: `Boolean` Boolean value if set to true enables default api policy management -Default value: `$rundeck::params::manage_default_api_policy` +Default value: `true` ##### `manage_repo` @@ -366,7 +364,7 @@ Data type: `Boolean` Whether to manage the package repository. Defaults to true. -Default value: `$rundeck::params::manage_repo` +Default value: `true` ##### `package_ensure` 
@@ -374,7 +372,7 @@ Data type: `String` Ensure the state of the rundeck package, either present, absent or a specific version -Default value: `$rundeck::params::package_ensure` +Default value: `'installed'` ##### `preauthenticated_config` @@ -382,15 +380,13 @@ Data type: `Hash` A hash of the rundeck preauthenticated config mode -Default value: `$rundeck::params::preauthenticated_config` - ##### `projects` Data type: `Hash` The hash of projects in your instance. -Default value: `$rundeck::params::projects` +Default value: `{}` ##### `projects_description` @@ -398,7 +394,7 @@ Data type: `String` The description that will be set by default for any projects. -Default value: `$rundeck::params::projects_default_desc` +Default value: `''` ##### `projects_organization` @@ -406,7 +402,7 @@ Data type: `String` The organization value that will be set by default for any projects. -Default value: `$rundeck::params::projects_default_org` +Default value: `''` ##### `projects_storage_type` @@ -414,7 +410,7 @@ Data type: `Enum['db', 'filesystem']` The storage type for any projects. Must be 'filesystem' or 'db' -Default value: `$rundeck::params::projects_storage_type` +Default value: `'filesystem'` ##### `quartz_job_threadcount` @@ -422,7 +418,7 @@ Data type: `Integer` The maximum number of threads used by Rundeck for concurrent jobs by default is set to 10. -Default value: `$rundeck::params::quartz_job_threadcount` +Default value: `10` ##### `rd_loglevel` @@ -430,7 +426,7 @@ Data type: `Rundeck::Loglevel` The log4j logging level to be set for the Rundeck application. -Default value: `$rundeck::params::loglevel` +Default value: `'INFO'` ##### `rd_auditlevel` @@ -438,7 +434,7 @@ Data type: `Rundeck::Loglevel` The log4j logging level to be set for the Rundeck application. -Default value: `$rundeck::params::loglevel` +Default value: `'INFO'` ##### `rdeck_config_template` 
@@ -446,7 +442,7 @@ Data type: `String` Allows you to override the rundeck-config template. -Default value: `$rundeck::params::rdeck_config_template` +Default value: `'rundeck/rundeck-config.epp'` ##### `rdeck_home` @@ -454,7 +450,7 @@ Data type: `Stdlib::Absolutepath` Directory under which the projects directories live. -Default value: `$rundeck::params::rdeck_home` +Default value: `'/var/lib/rundeck'` ##### `manage_home` @@ -462,7 +458,7 @@ Data type: `Boolean` Whether to manage rundeck home dir. Defaults to true. -Default value: `$rundeck::params::manage_home` +Default value: `true` ##### `rdeck_profile_template` @@ -486,7 +482,7 @@ Data type: `String` Allows you to use your own override template instead of the default from the package maintainer -Default value: `$rundeck::params::realm_template` +Default value: `'rundeck/realm.properties.erb'` ##### `repo_yum_source` @@ -494,7 +490,7 @@ Data type: `Stdlib::HTTPUrl` Baseurl for the yum repo -Default value: `$rundeck::params::repo_yum_source` +Default value: `'https://packagecloud.io/pagerduty/rundeck/rpm_any/rpm_any/$basearch'` ##### `repo_yum_gpgkey` @@ -502,7 +498,7 @@ Data type: `String` URL or path for the GPG key for the rpm -Default value: `$rundeck::params::repo_yum_gpgkey` +Default value: `'https://packagecloud.io/pagerduty/rundeck/gpgkey'` ##### `repo_apt_source` @@ -510,7 +506,7 @@ Data type: `Stdlib::HTTPUrl` Baseurl for the apt repo -Default value: `$rundeck::params::repo_apt_source` +Default value: `'https://packagecloud.io/pagerduty/rundeck/any'` ##### `repo_apt_key_id` @@ -518,7 +514,7 @@ Data type: `String` Key ID for the GPG key for the Debian package -Default value: `$rundeck::params::repo_apt_key_id` +Default value: `'0DDD2FA79B15D736ECEA32B89B5206167C5C34C0'` ##### `repo_apt_gpgkey` 
@@ -526,7 +522,7 @@ Data type: `Stdlib::Httpsurl` Location where the GPG key can be found -Default value: `$rundeck::params::repo_apt_gpgkey` +Default value: `'https://packagecloud.io/pagerduty/rundeck/gpgkey'` ##### `repo_apt_keyserver` @@ -534,7 +530,7 @@ Data type: `String` Keysever for the GPG key for the Debian package -Default value: `$rundeck::params::repo_apt_keyserver` +Default value: `'keyserver.ubuntu.com'` ##### `rss_enabled` @@ -542,7 +538,7 @@ Data type: `Boolean` Boolean value if set to true enables RSS feeds that are public (non-authenticated) -Default value: `$rundeck::params::rss_enabled` +Default value: `false` ##### `security_config` @@ -550,15 +546,13 @@ Data type: `Hash` A hash of the rundeck security configuration. -Default value: `$rundeck::params::security_config` - ##### `security_role` Data type: `String` Name of the role that is required for all users to be allowed access. -Default value: `$rundeck::params::security_role` +Default value: `'user'` ##### `server_web_context` @@ -582,7 +576,7 @@ Data type: `Stdlib::Absolutepath` The path to the directory to store logs. -Default value: `$rundeck::params::service_logs_dir` +Default value: `'/var/log/rundeck'` ##### `service_name` @@ -590,7 +584,7 @@ Data type: `String` The name of the rundeck service. -Default value: `$rundeck::params::service_name` +Default value: `'rundeckd'` ##### `service_restart` @@ -614,7 +608,7 @@ Data type: `Enum['stopped', 'running']` State of the rundeck service (defaults to 'running') -Default value: `$rundeck::params::service_ensure` +Default value: `'running'` ##### `session_timeout` @@ -622,7 +616,7 @@ Data type: `Integer` Session timeout is an expired time limit for a logged in Rundeck GUI user which as been inactive for a period of time. -Default value: `$rundeck::params::session_timeout` +Default value: `30` ##### `ssl_enabled` 
@@ -630,7 +624,7 @@ Data type: `Boolean` Enable ssl for the rundeck web application. -Default value: `$rundeck::params::ssl_enabled` +Default value: `false` ##### `ssl_port` @@ -638,7 +632,7 @@ Data type: `Stdlib::Port` Ssl port of the rundeck web application (default to '4443'). -Default value: `$rundeck::params::ssl_port` +Default value: `4443` ##### `truststore` @@ -646,7 +640,7 @@ Data type: `Stdlib::Absolutepath` The full path to the java truststore to be used by Rundeck. -Default value: `$rundeck::params::truststore` +Default value: `'/etc/rundeck/ssl/truststore'` ##### `truststore_password` @@ -654,15 +648,13 @@ Data type: `String` The password for the given truststore. -Default value: `$rundeck::params::truststore_password` - ##### `user` Data type: `String` The user that rundeck is installed as. -Default value: `$rundeck::params::user` +Default value: `'rundeck'` ##### `group` @@ -670,7 +662,7 @@ Data type: `String` The group permission that rundeck is installed as. -Default value: `$rundeck::params::group` +Default value: `'rundeck'` ##### `manage_user` @@ -678,7 +670,7 @@ Data type: `Boolean` Whether to manage `user` (and enforce `user_id` if set). Defaults to false. -Default value: `$rundeck::params::manage_user` +Default value: `false` ##### `manage_group` @@ -686,7 +678,7 @@ Data type: `Boolean` Whether to manage `group` (and enforce `group_id` if set). Defaults to false. -Default value: `$rundeck::params::manage_group` +Default value: `false` ##### `user_id` @@ -710,7 +702,7 @@ Data type: `String` Default file mode for managed files. Default to 0640 -Default value: `$rundeck::params::file_default_mode` +Default value: `'0640'` ##### `security_roles_array_enabled` @@ -718,7 +710,7 @@ Data type: `Boolean` Boolean value if you need more roles. false or true (default is false). -Default value: `$rundeck::params::security_roles_array_enabled` +Default value: `false` ##### `security_roles_array` 
@@ -726,7 +718,7 @@ Data type: `Array` Array value if you need more roles and you set true the "security_roles_array_enabled" value. -Default value: `$rundeck::params::security_roles_array` +Default value: `[]` ##### `storage_encrypt_config` @@ -737,6 +729,110 @@ https://docs.rundeck.com/docs/administration/configuration/plugins/configuring.h Default value: `{}` +##### `file_copier_provider` + +Data type: `String` + + + +Default value: `'jsch-scp'` + +##### `node_executor_provider` + +Data type: `String` + + + +Default value: `'jsch-ssh'` + +##### `resource_sources` + +Data type: `Hash` + + + +Default value: `{}` + +##### `resource_format` + +Data type: `Enum['xml', 'yaml']` + + + +Default value: `'xml'` + +##### `include_server_node` + +Data type: `Boolean` + + + +Default value: `false` + +##### `default_source_type` + +Data type: `Enum['file']` + + + +Default value: `'file'` + +##### `default_resource_dir` + +Data type: `Stdlib::Absolutepath` + + + +Default value: `'/'` + +##### `default_http_proxy_port` + +Data type: `Stdlib::Port` + + + +Default value: `80` + +##### `default_refresh_interval` + +Data type: `Integer` + + + +Default value: `30` + +##### `url_cache` + +Data type: `Boolean` + + + +Default value: `true` + +##### `url_timeout` + +Data type: `Integer` + + + +Default value: `30` + +##### `script_args_quoted` + +Data type: `Boolean` + + + +Default value: `true` + +##### `script_interpreter` + +Data type: `Stdlib::Absolutepath` + + + +Default value: `'/bin/bash'` + ### `rundeck::config::global::web` Currently only manages the required for any user to login and session timout: 
@@ -751,6 +847,7 @@ The following parameters are available in the `rundeck::config::global::web` cla * [`session_timeout`](#-rundeck--config--global--web--session_timeout) * [`security_roles_array_enabled`](#-rundeck--config--global--web--security_roles_array_enabled) * [`security_roles_array`](#-rundeck--config--global--web--security_roles_array) +* [`web_xml`](#-rundeck--config--global--web--web_xml) ##### `security_role` @@ -784,12 +881,13 @@ Array value if you set the value 'security_roles_array_enabled' to true. Default value: `$rundeck::params::security_roles_array` -### `rundeck::params` +##### `web_xml` -== Class rundeck::params +Data type: `Stdlib::Absolutepath` -This class is meant to be called from `rundeck` -It sets variables according to platform + + +Default value: `"${rundeck::rdeck_home}/exp/webapp/WEB-INF/web.xml"` ## Defined types @@ -1486,6 +1584,20 @@ Default value: `undef` Author: Zoltan Lanyi Date : 03.06.2016 +#### Parameters + +The following parameters are available in the `rundeck::config::securityroles` defined type: + +* [`web_xml`](#-rundeck--config--securityroles--web_xml) + +##### `web_xml` + +Data type: `Stdlib::Absolutepath` + + + +Default value: `"${rundeck::rdeck_home}/exp/webapp/WEB-INF/web.xml"` + ## Functions ### `validate_rd_policy` diff --git a/data/common.yaml b/data/common.yaml index e6b1b18f7..9aaa978e5 100644 --- a/data/common.yaml +++ b/data/common.yaml 
@@ -1,2 +1,139 @@ --- rundeck::acl_policies: + - description: 'Admin, all access' + context: + project: '.*' + for: + resource: + - allow: '*' + adhoc: + - allow: '*' + job: + - allow: '*' + node: + - allow: '*' + by: + - group: + - 'admin' + + - description: 'Admin, all access' + context: + application: 'rundeck' + for: + resource: + - allow: '*' + project: + - allow: '*' + storage: + - allow: '*' + by: + - group: + - 'admin' + +rundeck::framework_config: + framework.server.name: "%{facts.networking.fqdn}" + framework.server.hostname: "%{facts.networking.hostname}" + framework.server.port: '4440' + framework.server.url: "http://%{facts.networking.fqdn}:4440" + framework.server.username: 'admin' + framework.server.password: 'admin' + rdeck.base: '/var/lib/rundeck' + framework.projects.dir: '/var/lib/rundeck/projects' + framework.etc.dir: '/etc/rundeck' + framework.var.dir: '/var/lib/rundeck/var' + framework.tmp.dir: '/var/lib/rundeck/var/tmp' + framework.logs.dir: '/var/lib/rundeck/logs' + framework.libext.dir: '/var/lib/rundeck/libext' + framework.ssh.keypath: '/var/lib/rundeck/.ssh/id_rsa' + framework.ssh.user: 'rundeck' + framework.ssh.timeout: '0' + rundeck.server.uuid: "fqdn_uuid(%{facts.networking.fqdn})" + +rundeck::file_keystorage_dir: "%{lookup('rundeck::framework_config.framework.var.dir')}/storage" + +rundeck::auth_config: + file: + admin_user: "%{lookup('rundeck::framework_config.framework.server.username')}" + admin_password: "%{lookup('rundeck::framework_config.framework.server.password')}" + auth_users: {} + file: '/etc/rundeck/realm.properties' + pam: + service: 'sshd' + supplemental_roles: + - 'user' + store_pass: true + clear_pass: null + try_first_pass: null + use_first_pass: null + use_unix_groups: null + ldap: + server: null + port: '389' + force_binding: false + force_binding_use_root: false + bind_dn: null + bind_password: null + user_base_dn: null + user_rdn_attribute: 'uid' + user_id_attribute: 'uid' + user_password_attribute: 
'userPassword' + user_object_class: 'user' + role_base_dn: null + role_name_attribute: 'cn' + role_member_attribute: 'memberUid' + role_object_class: 'group' + role_prefix: null + nested_groups: true + active_directory: + server: null + port: '389' + force_binding: true + force_binding_use_root: true + bind_dn: null + bind_password: null + user_base_dn: null + user_rdn_attribute: 'sAMAccountName' + user_id_attribute: 'sAMAccountName' + user_password_attribute: 'unicodePwd' + user_object_class: 'user' + role_base_dn: null + role_name_attribute: 'cn' + role_member_attribute: 'member' + role_object_class: 'group' + role_prefix: null + supplemental_roles: + - 'user' + nested_groups: true + +rundeck::security_config: + useHMacRequestTokens: true + apiCookieAccess: true + +rundeck::database_config: + type: 'h2' + dbCreate: 'update' + url: 'jdbc:h2:file:/var/lib/rundeck/data/rundeckdb' + driverClassName: '' + username: '' + password: '' + dialect: '' + enable_h2_logs: 'on' + +rundeck::key_storage_config: + - type: 'file' + path: '/' + config: + baseDir: "%{lookup('file_keystorage_dir')}" + +rundeck::preauthenticated_config: + enabled: false + attributeName: 'REMOTE_USER_GROUPS' + delimiter: ':' + userNameHeader: 'X-Forwarded-Uuid' + userRolesHeader: 'X-Forwarded-Roles' + redirectLogout: false + redirectUrl: '/oauth2/sign_in' + +rundeck::keystore_password: 'adminadmin' +rundeck::truststore_password: 'adminadmin' +rundeck::rdeck_base: '/var/lib/rundeck' diff --git a/data/os/Debian.yaml b/data/os/Debian.yaml new file mode 100644 index 000000000..c7acc3258 --- /dev/null +++ b/data/os/Debian.yaml @@ -0,0 +1,2 @@ +--- +rundeck::overrides_dir: '/etc/default' diff --git a/data/os/RedHat.yaml b/data/os/RedHat.yaml index b227da0d2..8b95becda 100644 --- a/data/os/RedHat.yaml +++ b/data/os/RedHat.yaml @@ -1,2 +1,2 @@ --- -prometheus::env_file_path: '/etc/sysconfig' +rundeck::overrides_dir: '/etc/sysconfig' 
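Review bot: The dotted interpolations such as `%{lookup('rundeck::framework_config.framework.server.password')}` cannot resolve as written: Hiera treats unquoted dots as subkey navigation (`rundeck::framework_config` → `framework` → `server` → …) whereas the actual hash key is the literal string `framework.server.password`, so the segment has to be quoted, `%{lookup('rundeck::framework_config."framework.server.password"')}`, and likewise for `framework.server.username` and `framework.var.dir`; as written the file realm's `admin_user`/`admin_password` and `rundeck::file_keystorage_dir` come out empty, and `baseDir: "%{lookup('file_keystorage_dir')}"` looks up a key that does not exist (it is `rundeck::file_keystorage_dir`), so the key-storage base directory is empty too. `rundeck.server.uuid: "fqdn_uuid(%{facts.networking.fqdn})"` is a plain string, not a function call — Hiera interpolation only supports `lookup`, `alias`, `literal`, `scope` and `hiera` — so the server UUID becomes the text `fqdn_uuid(host.example.com)` rather than a UUID; compute it in the manifest instead. Separately, `framework.server.password: 'admin'`, `rundeck::keystore_password: 'adminadmin'` and `rundeck::truststore_password: 'adminadmin'` are now shipped as module-wide defaults, and the admin password is also what the `file` realm writes to `realm.properties`; these should carry no default (forcing the operator to set them) or at least be documented as placeholders that must be overridden, ideally typed `Sensitive`.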
diff --git a/manifests/config.pp b/manifests/config.pp
index 5d08d042e..ed5a9a9ad 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -3,73 +3,10 @@ # @summary This private class is called from `rundeck` to manage the configuration. # class rundeck::config { - assert_private() - - $acl_policies = $rundeck::acl_policies - $acl_template = $rundeck::acl_template - $api_policies = $rundeck::api_policies - $api_template = $rundeck::api_template - $auth_template = $rundeck::auth_template - $auth_types = $rundeck::auth_types - $clustermode_enabled = $rundeck::clustermode_enabled - $database_config = $rundeck::database_config - $execution_mode = $rundeck::execution_mode - $file_default_mode = $rundeck::file_default_mode - $file_keystorage_dir = $rundeck::file_keystorage_dir - $file_keystorage_keys = $rundeck::file_keystorage_keys - $grails_server_url = $rundeck::grails_server_url - $group = $rundeck::group - $gui_config = $rundeck::gui_config - $java_home = $rundeck::java_home - $jvm_args = $rundeck::jvm_args - $kerberos_realms = $rundeck::kerberos_realms - $key_password = $rundeck::key_password - $key_storage_config = $rundeck::key_storage_config - $keystore = $rundeck::keystore - $keystore_password = $rundeck::keystore_password - $log_properties_template = $rundeck::log_properties_template - $mail_config = $rundeck::mail_config - $manage_default_admin_policy = $rundeck::manage_default_admin_policy - $manage_default_api_policy = $rundeck::manage_default_api_policy - $overrides_dir = $rundeck::overrides_dir - $package_ensure = $rundeck::package_ensure - $preauthenticated_config = $rundeck::preauthenticated_config - $projects = $rundeck::projects - $projects_description = $rundeck::projects_description - $projects_organization = $rundeck::projects_organization - $projects_storage_type = $rundeck::projects_storage_type - $quartz_job_threadcount = $rundeck::quartz_job_threadcount - $rd_loglevel = $rundeck::rd_loglevel - $rd_auditlevel = $rundeck::rd_auditlevel - $rdeck_config_template = $rundeck::rdeck_config_template - $rdeck_home = $rundeck::rdeck_home - $manage_home = $rundeck::manage_home - 
$rdeck_profile_template = $rundeck::rdeck_profile_template - $rdeck_override_template = $rundeck::rdeck_override_template - $realm_template = $rundeck::realm_template - $rss_enabled = $rundeck::rss_enabled - $security_config = $rundeck::security_config - $security_role = $rundeck::security_role - $server_web_context = $rundeck::server_web_context - $service_logs_dir = $rundeck::service_logs_dir - $service_name = $rundeck::service_name - $service_restart = $rundeck::service_restart - $session_timeout = $rundeck::session_timeout - $ssl_enabled = $rundeck::ssl_enabled - $ssl_port = $rundeck::ssl_port - $ssl_keyfile = $rundeck::ssl_keyfile - $ssl_certfile = $rundeck::ssl_certfile - $storage_encrypt_config = $rundeck::storage_encrypt_config - $truststore = $rundeck::truststore - $truststore_password = $rundeck::truststore_password - $user = $rundeck::user - $security_roles_array_enabled = $rundeck::security_roles_array_enabled - $security_roles_array = $rundeck::security_roles_array - File { - owner => $user, - group => $group, - mode => $file_default_mode, + owner => $rundeck::user, + group => $rundeck::group, + mode => $rundeck::file_default_mode, } $framework_config = deep_merge($rundeck::params::framework_config, $rundeck::framework_config) @@ -81,7 +18,7 @@ $properties_dir = $framework_config['framework.etc.dir'] $plugin_dir = $framework_config['framework.libext.dir'] - File[$rdeck_home] ~> File[$framework_config['framework.ssh.keypath']] + File[$rundeck::rdeck_home] ~> File[$rundeck::framework_config['framework.ssh.keypath']] if $manage_home { file { $rdeck_home: diff --git a/manifests/config/global/rundeck_config.pp b/manifests/config/global/rundeck_config.pp index 107cf6e03..401725820 100644 --- a/manifests/config/global/rundeck_config.pp +++ b/manifests/config/global/rundeck_config.pp 
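Review bot: `assert_private()` is dropped from `rundeck::config` while the summary above still calls it a private class, so the guard that rejected a direct `include rundeck::config` from outside `rundeck` is gone and the class can now be evaluated without the `$rundeck::...` values it reads having been set. Keep the guard as the first statement of the body: `assert_private()`. The trailing context also still reads `$rundeck::params::framework_config` in the `deep_merge` call, and this same patch deletes manifests/params.pp, so that merge with module defaults needs a new source (the hiera defaults, or `$rundeck::framework_config` alone).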
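Review bot: The rewritten chain now uses `$rundeck::rdeck_home`, but the context lines right after it, `if $manage_home { file { $rdeck_home:`, still use the bare locals that the first hunk of this file removed, so the home-directory resource is either a compile error under `strict_variables` or silently skipped because `if undef` is false. Change those lines to `if $rundeck::manage_home {` and `file { $rundeck::rdeck_home:` to match the chain. The enclosing `if` body continues past the end of the hunk.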
@@ -14,7 +14,6 @@ $key_storage_config = $rundeck::config::key_storage_config $mail_config = $rundeck::config::mail_config $preauthenticated_config = $rundeck::config::preauthenticated_config - $projects_storage_type = $rundeck::config::projects_storage_type $properties_dir = $rundeck::config::properties_dir $quartz_job_threadcount = $rundeck::config::quartz_job_threadcount $rd_loglevel = $rundeck::config::rd_loglevel diff --git a/manifests/config/global/web.pp b/manifests/config/global/web.pp index 328e9e392..1b4aa7d8e 100644 --- a/manifests/config/global/web.pp +++ b/manifests/config/global/web.pp @@ -14,10 +14,11 @@ # Array value if you set the value 'security_roles_array_enabled' to true. # class rundeck::config::global::web ( - String[1] $security_role = $rundeck::params::security_role, - Integer[0] $session_timeout = $rundeck::params::session_timeout, - Boolean $security_roles_array_enabled = $rundeck::params::security_roles_array_enabled, - Array $security_roles_array = $rundeck::params::security_roles_array, + String[1] $security_role = $rundeck::params::security_role, + Integer[0] $session_timeout = $rundeck::params::session_timeout, + Boolean $security_roles_array_enabled = $rundeck::params::security_roles_array_enabled, + Array $security_roles_array = $rundeck::params::security_roles_array, + Stdlib::Absolutepath $web_xml = "${rundeck::rdeck_home}/exp/webapp/WEB-INF/web.xml" ) inherits rundeck::params { if $security_roles_array_enabled { rundeck::config::securityroles { $security_roles_array: } diff --git a/manifests/config/securityroles.pp b/manifests/config/securityroles.pp index 820bc07c0..d6c8ef42f 100644 --- a/manifests/config/securityroles.pp +++ b/manifests/config/securityroles.pp 
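Review bot: The new `$web_xml` parameter on `rundeck::config::global::web` is never passed to the `rundeck::config::securityroles { $security_roles_array: }` declaration below it, so overriding it on the class has no effect and the define falls back to its own default path. Pass it through explicitly: `rundeck::config::securityroles { $security_roles_array: web_xml => $web_xml }`. The class also still carries `inherits rundeck::params` and `$rundeck::params::*` defaults while this patch deletes manifests/params.pp, so it cannot compile until those defaults are moved to literals or hiera the way the `rundeck` class was.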
@@ -2,10 +2,12 @@ # Author: Zoltan Lanyi # Date : 03.06.2016 # -define rundeck::config::securityroles { +define rundeck::config::securityroles ( + Stdlib::Absolutepath $web_xml = "${rundeck::rdeck_home}/exp/webapp/WEB-INF/web.xml" +) { augeas { "rundeck/web.xml/security-role/role-name/${name}": lens => 'Xml.lns', - incl => $rundeck::params::web_xml, + incl => $web_xml, onlyif => "match web-app/security-role/role-name[#text = '${name}'] size == 0", changes => ["set web-app/security-role/#text[last()] '\t\t'", "set web-app/security-role/role-name[last()+1]/#text '${name}'", "set web-app/security-role/#text[last()+1] '\t'"], } diff --git a/manifests/init.pp b/manifests/init.pp index 9a7ad8a95..a33f5415c 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -36,8 +36,6 @@ # Extra arguments for the JVM. # @param kerberos_realms # A hash of mappings between Kerberos domain DNS names and realm names -# @param key_password -# The default key password. # @param key_storage_config # An array with hashes of properties for customizing the [Rundeck Key Storage](https://docs.rundeck.com/docs/manual/key-storage/key-storage.html) # @param keystore @@ -50,6 +48,8 @@ # A hash of the notification email configuraton. # @param sshkey_manage # Should this module manage the sshkey used by rundeck at all. +# @param key_password +# The ssl key password. # @param ssl_keyfile # Full path to the SSL private key to be used by Rundeck. # @param ssl_certfile @@ -70,8 +70,6 @@ # The description that will be set by default for any projects. # @param projects_organization # The organization value that will be set by default for any projects. -# @param projects_storage_type -# The storage type for any projects. Must be 'filesystem' or 'db' # @param quartz_job_threadcount # The maximum number of threads used by Rundeck for concurrent jobs by default is set to 10. # @param rd_loglevel 
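Review bot: The title `${name}` is interpolated unescaped into the augeas path expressions in `onlyif` and `changes`, and the new signature adds a typed `$web_xml` but still places no constraint on the title, so a role name containing a single quote or other path-expression metacharacters produces a malformed expression at apply time instead of a clear compile error. Add an assertion at the top of the body, e.g. `assert_type(Pattern[/\A[\w.-]+\z/], $name)`, so the title can only ever be a plain identifier and the resource fails fast with a readable message.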
@@ -156,83 +154,96 @@ # class rundeck ( Array[Hash] $acl_policies, + Hash $framework_config, + Hash $auth_config, + Hash $database_config, + Array[Hash] $key_storage_config, + Hash $security_config, + Hash $preauthenticated_config, + String $keystore_password, + String $truststore_password, + Stdlib::Absolutepath $file_keystorage_dir, String $acl_template = 'rundeck/aclpolicy.erb', - Array[Hash] $api_policies = {}, + Array[Hash] $api_policies = [], String $api_template = 'rundeck/aclpolicy.erb', - Hash $auth_config = $rundeck::params::auth_config, String $auth_template = 'rundeck/jaas-auth.conf.epp', Array $auth_types = ['file'], - Boolean $clustermode_enabled = $rundeck::params::clustermode_enabled, - Hash $database_config = $rundeck::params::database_config, + Boolean $clustermode_enabled = false, Enum['active', 'passive'] $execution_mode = 'active', - Stdlib::Absolutepath $file_keystorage_dir = $rundeck::params::file_keystorage_dir, - Hash $file_keystorage_keys = $rundeck::params::file_keystorage_keys, - Hash $framework_config = $rundeck::params::framework_config, - Stdlib::HTTPUrl $grails_server_url = $rundeck::params::grails_server_url, - Hash $gui_config = $rundeck::params::gui_config, + Hash $file_keystorage_keys = {}, + Stdlib::HTTPUrl $grails_server_url = "http://${facts['networking']['fqdn']}:4440", + Hash $gui_config = {}, Optional[Stdlib::Absolutepath] $java_home = undef, - String $jvm_args = $rundeck::params::jvm_args, - Hash $kerberos_realms = $rundeck::params::kerberos_realms, - String $key_password = $rundeck::params::key_password, - Array[Hash] $key_storage_config = $rundeck::params::key_storage_config, - Stdlib::Absolutepath $keystore = $rundeck::params::keystore, - String $keystore_password = $rundeck::params::keystore_password, - String $log_properties_template = $rundeck::params::log_properties_template, - Hash $mail_config = $rundeck::params::mail_config, - Boolean $sshkey_manage = $rundeck::params::sshkey_manage, - Stdlib::Absolutepath 
$ssl_keyfile = $rundeck::params::ssl_keyfile, - Stdlib::Absolutepath $ssl_certfile = $rundeck::params::ssl_certfile, - Boolean $manage_default_admin_policy = $rundeck::params::manage_default_admin_policy, - Boolean $manage_default_api_policy = $rundeck::params::manage_default_api_policy, - Boolean $manage_repo = $rundeck::params::manage_repo, - String $package_ensure = $rundeck::params::package_ensure, - Hash $preauthenticated_config = $rundeck::params::preauthenticated_config, - Hash $projects = $rundeck::params::projects, - String $projects_description = $rundeck::params::projects_default_desc, - String $projects_organization = $rundeck::params::projects_default_org, - Enum['db', 'filesystem'] $projects_storage_type = $rundeck::params::projects_storage_type, - Integer $quartz_job_threadcount = $rundeck::params::quartz_job_threadcount, - Rundeck::Loglevel $rd_loglevel = $rundeck::params::loglevel, - Rundeck::Loglevel $rd_auditlevel = $rundeck::params::loglevel, - String $rdeck_config_template = $rundeck::params::rdeck_config_template, - Stdlib::Absolutepath $rdeck_home = $rundeck::params::rdeck_home, - Boolean $manage_home = $rundeck::params::manage_home, + String $jvm_args = '-Xmx1024m -Xms256m -server', + Hash $kerberos_realms = {}, + Stdlib::Absolutepath $keystore = '/etc/rundeck/ssl/keystore', + String $log_properties_template = 'rundeck/log4j.properties.erb', + Hash $mail_config = {}, + Boolean $sshkey_manage = true, + Boolean $manage_default_admin_policy = true, + Boolean $manage_default_api_policy = true, + Boolean $manage_repo = true, + String $package_ensure = 'installed', + Hash $projects = {}, + String $projects_description = '', + String $projects_organization = '', + Integer $quartz_job_threadcount = 10, + Rundeck::Loglevel $rd_loglevel = 'INFO', + Rundeck::Loglevel $rd_auditlevel = 'INFO', + String $rdeck_config_template = 'rundeck/rundeck-config.epp', + Stdlib::Absolutepath $rdeck_home = '/var/lib/rundeck', + Boolean $manage_home = true, 
Optional[String] $rdeck_profile_template = undef, String $rdeck_override_template = 'rundeck/profile_overrides.erb', - String $realm_template = $rundeck::params::realm_template, - Stdlib::HTTPUrl $repo_yum_source = $rundeck::params::repo_yum_source, - String $repo_yum_gpgkey = $rundeck::params::repo_yum_gpgkey, - Stdlib::HTTPUrl $repo_apt_source = $rundeck::params::repo_apt_source, - String $repo_apt_key_id = $rundeck::params::repo_apt_key_id, - Stdlib::Httpsurl $repo_apt_gpgkey = $rundeck::params::repo_apt_gpgkey, - String $repo_apt_keyserver = $rundeck::params::repo_apt_keyserver, - Boolean $rss_enabled = $rundeck::params::rss_enabled, - Hash $security_config = $rundeck::params::security_config, - String $security_role = $rundeck::params::security_role, + String $realm_template = 'rundeck/realm.properties.erb', + Stdlib::HTTPUrl $repo_yum_source = 'https://packagecloud.io/pagerduty/rundeck/rpm_any/rpm_any/$basearch', + String $repo_yum_gpgkey = 'https://packagecloud.io/pagerduty/rundeck/gpgkey', + Stdlib::HTTPUrl $repo_apt_source = 'https://packagecloud.io/pagerduty/rundeck/any', + String $repo_apt_key_id = '0DDD2FA79B15D736ECEA32B89B5206167C5C34C0', + Stdlib::Httpsurl $repo_apt_gpgkey = 'https://packagecloud.io/pagerduty/rundeck/gpgkey', + String $repo_apt_keyserver = 'keyserver.ubuntu.com', + Boolean $rss_enabled = false, + String $security_role = 'user', Optional[String] $server_web_context = undef, Optional[String] $service_config = undef, - Stdlib::Absolutepath $service_logs_dir = $rundeck::params::service_logs_dir, - String $service_name = $rundeck::params::service_name, + Stdlib::Absolutepath $service_logs_dir = '/var/log/rundeck', + String $service_name = 'rundeckd', Boolean $service_restart = true, Optional[String] $service_script = undef, - Enum['stopped', 'running'] $service_ensure = $rundeck::params::service_ensure, - Integer $session_timeout = $rundeck::params::session_timeout, - Boolean $ssl_enabled = $rundeck::params::ssl_enabled, - Stdlib::Port 
$ssl_port = $rundeck::params::ssl_port, - Stdlib::Absolutepath $truststore = $rundeck::params::truststore, - String $truststore_password = $rundeck::params::truststore_password, - String $user = $rundeck::params::user, - String $group = $rundeck::params::group, - Boolean $manage_user = $rundeck::params::manage_user, - Boolean $manage_group = $rundeck::params::manage_group, + Enum['stopped', 'running'] $service_ensure = 'running', + Integer $session_timeout = 30, + Boolean $ssl_enabled = false, + Stdlib::Port $ssl_port = 4443, + Optional[String] $key_password = undef, + Stdlib::Absolutepath $ssl_keyfile = '/etc/rundeck/ssl/rundeck.key', + Stdlib::Absolutepath $ssl_certfile = '/etc/rundeck/ssl/rundeck.crt', + Stdlib::Absolutepath $truststore = '/etc/rundeck/ssl/truststore', + String $user = 'rundeck', + String $group = 'rundeck', + Boolean $manage_user = false, + Boolean $manage_group = false, Optional[Integer] $user_id = undef, Optional[Integer] $group_id = undef, - String $file_default_mode = $rundeck::params::file_default_mode, - Boolean $security_roles_array_enabled = $rundeck::params::security_roles_array_enabled, - Array $security_roles_array = $rundeck::params::security_roles_array, + String $file_default_mode = '0640', + Boolean $security_roles_array_enabled = false, + Array $security_roles_array = [], Hash[String,String] $storage_encrypt_config = {}, + String $file_copier_provider = 'jsch-scp', + String $node_executor_provider = 'jsch-ssh', + Hash $resource_sources = {}, + Enum['xml', 'yaml'] $resource_format = 'xml', + Boolean $include_server_node = false, + Enum['file'] $default_source_type = 'file', + Stdlib::Absolutepath $default_resource_dir = '/', + Stdlib::Port $default_http_proxy_port = 80, + Integer $default_refresh_interval = 30, + Boolean $url_cache = true, + Integer $url_timeout = 30, + Boolean $script_args_quoted = true, + Stdlib::Absolutepath $script_interpreter = '/bin/bash', ) { validate_rd_policy($acl_policies) + 
validate_rd_policy($api_policies) contain rundeck::install contain rundeck::config diff --git a/manifests/params.pp b/manifests/params.pp deleted file mode 100644 index ef51ae245..000000000 --- a/manifests/params.pp +++ /dev/null 
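Review bot: `$keystore_password`, `$truststore_password` and `$key_password` are declared as plain `String`, and the hiera defaults this patch introduces for the first two are `'adminadmin'`, so these secrets travel unredacted in the compiled catalog, in reports and in agent debug output; the deleted params.pp at least wrapped the database password in `Sensitive('')`, which the YAML replacement cannot express. Widen the types backward-compatibly, e.g. `Variant[String, Sensitive[String]] $keystore_password,` and `Variant[String, Sensitive[String]] $truststore_password,`, and unwrap only inside the templates that render them. Making them mandatory is a good step, but a module-level default of `adminadmin` means a deployment that forgets to override still gets a well-known password without any warning — say so in the `@param` text, or ship these two without a default entirely.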
@@ -1,281 +0,0 @@ -# Author:: Liam Bennett (mailto:lbennett@opentable.com) -# Copyright:: Copyright (c) 2013 OpenTable Inc -# License:: MIT - -# == Class rundeck::params -# -# This class is meant to be called from `rundeck` -# It sets variables according to platform -# -class rundeck::params { - $package_name = 'rundeck' - $package_ensure = 'installed' - $service_name = 'rundeckd' - $manage_repo = true - $repo_yum_source = 'https://packagecloud.io/pagerduty/rundeck/rpm_any/rpm_any/$basearch' - $repo_yum_gpgkey = 'https://packagecloud.io/pagerduty/rundeck/gpgkey' - $repo_apt_source = 'https://packagecloud.io/pagerduty/rundeck/any' - $repo_apt_key_id = '0DDD2FA79B15D736ECEA32B89B5206167C5C34C0' - $repo_apt_gpgkey = 'https://packagecloud.io/pagerduty/rundeck/gpgkey' - $repo_apt_keyserver = 'keyserver.ubuntu.com' - - case $facts['os']['family'] { - 'Debian': { - $overrides_dir = '/etc/default' - } - 'RedHat', 'Amazon': { - $overrides_dir = '/etc/sysconfig' - } - default: { - fail("${facts['os']['name']} not supported") - } - } - - $service_manage = false - $service_ensure = 'running' - - $rdeck_base = '/var/lib/rundeck' - $rdeck_home = '/var/lib/rundeck' - $manage_home = true - $service_logs_dir = '/var/log/rundeck' - - $framework_config = { - 'framework.server.name' => $facts['networking']['fqdn'], - 'framework.server.hostname' => $facts['networking']['fqdn'], - 'framework.server.port' => '4440', - 'framework.server.url' => "http://${facts['networking']['fqdn']}:4440", - 'framework.server.username' => 'admin', - 'framework.server.password' => 'admin', - 'rdeck.base' => '/var/lib/rundeck', - 'framework.projects.dir' => '/var/lib/rundeck/projects', - 'framework.etc.dir' => '/etc/rundeck', - 'framework.var.dir' => '/var/lib/rundeck/var', - 'framework.tmp.dir' => '/var/lib/rundeck/var/tmp', - 'framework.logs.dir' => '/var/lib/rundeck/logs', - 'framework.libext.dir' => '/var/lib/rundeck/libext', - 'framework.ssh.keypath' => '/var/lib/rundeck/.ssh/id_rsa', - 
'framework.ssh.user' => 'rundeck', - 'framework.ssh.timeout' => '0', - 'rundeck.server.uuid' => fqdn_uuid($facts['networking']['fqdn']), - } - - $auth_types = ['file'] - $auth_users = {} - - $log_properties_template = 'rundeck/log4j.properties.erb' - - $acl_policies = [ - { - 'description' => 'Admin, all access', - 'context' => { - 'project' => '.*', - }, - 'for' => { - 'resource' => [ - { 'allow' => '*' }, - ], - 'adhoc' => [ - { 'allow' => '*' }, - ], - 'job' => [ - { 'allow' => '*' }, - ], - 'node' => [ - { 'allow' => '*' }, - ], - }, - 'by' => [{ - 'group' => ['admin'] - }] - }, - { - 'description' => 'Admin, all access', - 'context' => { - 'application' => 'rundeck', - }, - 'for' => { - 'resource' => [ - { 'allow' => '*' }, - ], - 'project' => [ - { 'allow' => '*' }, - ], - 'storage' => [ - { 'allow' => '*' }, - ], - }, - 'by' => [{ - 'group' => ['admin'] - }] - } - ] - - $auth_config = { - 'file' => { - 'admin_user' => $framework_config['framework.server.username'], - 'admin_password' => $framework_config['framework.server.password'], - 'auth_users' => {}, - 'file' => '/etc/rundeck/realm.properties', - }, - 'pam' => { - 'service' => 'sshd', - 'supplemental_roles' => ['user'], - 'store_pass' => true, - 'clear_pass' => undef, - 'try_first_pass' => undef, - 'use_first_pass' => undef, - 'use_unix_groups' => undef, - }, - 'ldap' => { - 'server' => undef, - 'port' => '389', - 'force_binding' => false, - 'force_binding_use_root' => false, - 'bind_dn' => undef, - 'bind_password' => undef, - 'user_base_dn' => undef, - 'user_rdn_attribute' => 'uid', - 'user_id_attribute' => 'uid', - 'user_password_attribute' => 'userPassword', - 'user_object_class' => 'user', - 'role_base_dn' => undef, - 'role_name_attribute' => 'cn', - 'role_member_attribute' => 'memberUid', - 'role_object_class' => 'group', - 'role_prefix' => undef, - 'nested_groups' => true, - }, - 'active_directory' => { - 'server' => undef, - 'port' => '389', - 'force_binding' => true, - 'force_binding_use_root' 
=> true, - 'bind_dn' => undef, - 'bind_password' => undef, - 'user_base_dn' => undef, - 'user_rdn_attribute' => 'sAMAccountName', - 'user_id_attribute' => 'sAMAccountName', - 'user_password_attribute' => 'unicodePwd', - 'user_object_class' => 'user', - 'role_base_dn' => undef, - 'role_name_attribute' => 'cn', - 'role_member_attribute' => 'member', - 'role_object_class' => 'group', - 'role_prefix' => undef, - 'supplemental_roles' => 'user', - 'nested_groups' => true, - }, - } - - $realm_template = 'rundeck/realm.properties.erb' - - $mail_config = {} - - $security_config = { - 'useHMacRequestTokens' => true, - 'apiCookieAccess' => true, - } - - $projects = {} - $projects_default_org = '' - $projects_default_desc = '' - - $file_copier_provider = 'jsch-scp' - $node_executor_provider = 'jsch-ssh' - - $url_cache = true - $url_timeout = 30 - - $resource_format = 'resourcexml' - $include_server_node = false - $default_source_type = 'file' - $default_resource_dir = '/' - $default_http_proxy_port = 80 - $default_refresh_interval = 30 - - $script_args_quoted = true - $script_interpreter = '/bin/bash' - - $manage_user = false - $manage_group = false - - $user = 'rundeck' - $group = 'rundeck' - $file_default_mode = '0640' - - $loglevel = 'INFO' - $rss_enabled = false - - $clustermode_enabled = false - - $grails_server_url = "http://${facts['networking']['fqdn']}:4440" - - $database_config = { - 'type' => 'h2', - 'dbCreate' => 'update', - 'url' => 'jdbc:h2:file:/var/lib/rundeck/data/rundeckdb', - 'driverClassName' => '', - 'username' => '', - 'password' => Sensitive(''), - 'dialect' => '', - 'enable_h2_logs' => 'on', - } - - $kerberos_realms = {} - - $file_keystorage_keys = {} - $file_keystorage_dir = "${framework_config['framework.var.dir']}/storage" - - $keystore = '/etc/rundeck/ssl/keystore' - $key_storage_config = [ - { - 'type' => 'file', - 'path' => '/', - 'config' => { - 'baseDir' => $file_keystorage_dir, - }, - }, - ] - $projects_storage_type = 'filesystem' - 
$keystore_password = 'adminadmin' - $key_password = 'adminadmin' - $truststore = '/etc/rundeck/ssl/truststore' - $truststore_password = 'adminadmin' - - $resource_sources = {} - $gui_config = {} - - $preauthenticated_config = { - 'enabled' => false, - 'attributeName' => 'REMOTE_USER_GROUPS', - 'delimiter' => ':', - 'userNameHeader' => 'X-Forwarded-Uuid', - 'userRolesHeader' => 'X-Forwarded-Roles', - 'redirectLogout' => false, - 'redirectUrl' => '/oauth2/sign_in', - } - - $quartz_job_threadcount = 10 - - $jvm_args = '-Xmx1024m -Xms256m -server' - - $sshkey_manage = true - - $ssl_enabled = false - $ssl_port = 4443 - - $ssl_keyfile = '/etc/rundeck/ssl/rundeck.key' - $ssl_certfile = '/etc/rundeck/ssl/rundeck.crt' - - $web_xml = "${rdeck_base}/exp/webapp/WEB-INF/web.xml" - $security_role = 'user' - $session_timeout = 30 - - $rdeck_config_template = 'rundeck/rundeck-config.epp' - - $manage_default_admin_policy = true - $manage_default_api_policy = true - - $security_roles_array_enabled = false - $security_roles_array = [] -} diff --git a/templates/rundeck-config.epp b/templates/rundeck-config.epp index c769053cd..d0628f03e 100644 --- a/templates/rundeck-config.epp +++ b/templates/rundeck-config.epp @@ -66,7 +66,6 @@ rundeck.clusterMode.enabled = "<%= $rundeck::config::global::rundeck_config::clu rundeck.executionMode = "<%= $rundeck::config::global::rundeck_config::execution_mode %>" <%- } -%> -rundeck.projectsStorageType = "<%= $rundeck::config::global::rundeck_config::projects_storage_type %>" quartz.threadPool.threadCount = "<%= $rundeck::config::global::rundeck_config::quartz_job_threadcount %>" <%- $rundeck::config::global::rundeck_config::key_storage_config.each |$i, $cfg| { -%> From fd0b39df6caae36b7223c58e33827bf2c2b1fa10 Mon Sep 17 00:00:00 2001 
From: Joris29 Date: Tue, 14 Nov 2023 10:39:09 +0100 Subject: [PATCH 03/82] Update config.pp --- manifests/config.pp | 61 +++++++++++++++++++++++++++++++++++++++++++++ manifests/init.pp | 10 ++++---- 2 files changed, 66 insertions(+), 5 deletions(-) diff --git a/manifests/config.pp b/manifests/config.pp index ed5a9a9ad..6232607b0 100644 --- a/manifests/config.pp +++ b/manifests/config.pp 
@@ -3,6 +3,67 @@ # @summary This private class is called from `rundeck` to manage the configuration. # class rundeck::config { + $acl_policies = $rundeck::acl_policies + $acl_template = $rundeck::acl_template + $api_policies = $rundeck::api_policies + $api_template = $rundeck::api_template + $auth_template = $rundeck::auth_template + $auth_types = $rundeck::auth_types + $clustermode_enabled = $rundeck::clustermode_enabled + $database_config = $rundeck::database_config + $execution_mode = $rundeck::execution_mode + $file_default_mode = $rundeck::file_default_mode + $file_keystorage_dir = $rundeck::file_keystorage_dir + $file_keystorage_keys = $rundeck::file_keystorage_keys + $grails_server_url = $rundeck::grails_server_url + $group = $rundeck::group + $gui_config = $rundeck::gui_config + $java_home = $rundeck::java_home + $jvm_args = $rundeck::jvm_args + $kerberos_realms = $rundeck::kerberos_realms + $key_password = $rundeck::key_password + $key_storage_config = $rundeck::key_storage_config + $keystore = $rundeck::keystore + $keystore_password = $rundeck::keystore_password + $log_properties_template = $rundeck::log_properties_template + $mail_config = $rundeck::mail_config + $manage_default_admin_policy = $rundeck::manage_default_admin_policy + $manage_default_api_policy = $rundeck::manage_default_api_policy + $overrides_dir = $rundeck::overrides_dir + $package_ensure = $rundeck::package_ensure + $preauthenticated_config = $rundeck::preauthenticated_config + $projects = $rundeck::projects + $projects_description = $rundeck::projects_description + $projects_organization = $rundeck::projects_organization + $projects_storage_type = $rundeck::projects_storage_type + $quartz_job_threadcount = $rundeck::quartz_job_threadcount + $rd_loglevel = $rundeck::rd_loglevel + $rd_auditlevel = $rundeck::rd_auditlevel + $rdeck_config_template = $rundeck::rdeck_config_template + $rdeck_home = $rundeck::rdeck_home + $manage_home = $rundeck::manage_home + $rdeck_profile_template = 
$rundeck::rdeck_profile_template + $rdeck_override_template = $rundeck::rdeck_override_template + $realm_template = $rundeck::realm_template + $rss_enabled = $rundeck::rss_enabled + $security_config = $rundeck::security_config + $security_role = $rundeck::security_role + $server_web_context = $rundeck::server_web_context + $service_logs_dir = $rundeck::service_logs_dir + $service_name = $rundeck::service_name + $service_restart = $rundeck::service_restart + $session_timeout = $rundeck::session_timeout + $ssl_enabled = $rundeck::ssl_enabled + $ssl_port = $rundeck::ssl_port + $ssl_keyfile = $rundeck::ssl_keyfile + $ssl_certfile = $rundeck::ssl_certfile + $storage_encrypt_config = $rundeck::storage_encrypt_config + $truststore = $rundeck::truststore + $truststore_password = $rundeck::truststore_password + $user = $rundeck::user + $security_roles_array_enabled = $rundeck::security_roles_array_enabled + $security_roles_array = $rundeck::security_roles_array + File { owner => $rundeck::user, group => $rundeck::group, diff --git a/manifests/init.pp b/manifests/init.pp index a33f5415c..f7b4a368f 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -246,10 +246,10 @@ validate_rd_policy($api_policies) contain rundeck::install - contain rundeck::config - contain rundeck::service + # contain rundeck::config + # contain rundeck::service - Class['rundeck::install'] - -> Class['rundeck::config'] - ~> Class['rundeck::service'] + # Class['rundeck::install'] + # -> Class['rundeck::config'] + # ~> Class['rundeck::service'] } From df419956474a10afe76bed314a99d60482677462 Mon Sep 17 00:00:00 2001 From: Joris29 Date: Tue, 14 Nov 2023 10:52:47 +0100 Subject: [PATCH 04/82] list params in a more sensible way --- manifests/init.pp | 2 +- manifests/install.pp | 18 ++++++++---------- 2 files changed, 9 insertions(+), 11 deletions(-) diff --git a/manifests/init.pp b/manifests/init.pp index f7b4a368f..53cd7c8a2 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
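Review bot: `$projects_storage_type = $rundeck::projects_storage_type` re-introduces a lookup of a parameter that the previous patch removed from the `rundeck` class (together with its use in rundeck_config.pp and the template), so this line fails under `strict_variables` and otherwise only yields `undef` with a warning; drop it. The restored block also still omits the `assert_private()` that was removed from this class earlier in the series, so the private-class guard remains missing.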
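Review bot: With `contain rundeck::config` and the ordering chain commented out, this class still installs the package and validates `$acl_policies`/`$api_policies` but, as far as this module is concerned, no longer writes any of that configuration, so a node built from this revision runs whatever configuration the package ships. If this is scaffolding while config.pp is reworked, mark it as such next to the commented lines, `# TODO: re-enable once rundeck::config no longer depends on rundeck::params`, so it is not mistaken for a deliberate change and is easy to find when the series is squashed.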
@@ -247,7 +247,7 @@ contain rundeck::install # contain rundeck::config - # contain rundeck::service + contain rundeck::service # Class['rundeck::install'] # -> Class['rundeck::config'] diff --git a/manifests/install.pp b/manifests/install.pp index 55ded96ce..d4829997a 100644 --- a/manifests/install.pp +++ b/manifests/install.pp @@ -1,23 +1,21 @@ -# @api private -# -# @summary This private class installs the rundeck package and its dependencies. +# @summary This class is called from rundeck for install. # class rundeck::install { assert_private() - $manage_repo = $rundeck::manage_repo - $package_ensure = $rundeck::package_ensure - $repo_yum_source = $rundeck::repo_yum_source - $repo_yum_gpgkey = $rundeck::repo_yum_gpgkey - $repo_apt_source = $rundeck::repo_apt_source - $repo_apt_key_id = $rundeck::repo_apt_key_id - $repo_apt_keyserver = $rundeck::repo_apt_keyserver $user = $rundeck::user $group = $rundeck::group $manage_user = $rundeck::manage_user $manage_group = $rundeck::manage_group $user_id = $rundeck::user_id $group_id = $rundeck::group_id + $package_ensure = $rundeck::package_ensure + $manage_repo = $rundeck::manage_repo + $repo_yum_source = $rundeck::repo_yum_source + $repo_yum_gpgkey = $rundeck::repo_yum_gpgkey + $repo_apt_source = $rundeck::repo_apt_source + $repo_apt_key_id = $rundeck::repo_apt_key_id + $repo_apt_keyserver = $rundeck::repo_apt_keyserver if $manage_group { group { $group: From ff672b64f59345b6f605cfeab1fbbcee867a4f97 Mon Sep 17 00:00:00 2001 From: Joris29 Date: Tue, 14 Nov 2023 10:55:43 +0100 Subject: [PATCH 05/82] Add proper summary --- manifests/service.pp | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/manifests/service.pp b/manifests/service.pp index 3669987b2..acd3fbb57 100644 --- a/manifests/service.pp +++ b/manifests/service.pp 
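Review bot: `contain rundeck::service` is restored but the `Class['rundeck::install'] -> Class['rundeck::config'] ~> Class['rundeck::service']` chain stays commented out, so the service resource now has no ordering against the package resource and no subscription to configuration changes; nothing else in the hunk establishes that order. Restore at least `Class['rundeck::install'] -> Class['rundeck::service']` next to this line until `rundeck::config` is back in the chain.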
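Review bot: The `# @api private` tag is removed while `assert_private()` is kept, so the generated reference will advertise `rundeck::install` as a public class although declaring it directly still fails, and the new summary no longer says the class must only be reached through `rundeck`. Restore the tag above the summary, `# @api private`, or extend the summary to state it; the rest of the hunk is a pure reordering of the local assignments.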
@@ -1,6 +1,4 @@ -# @api private -# -# @summary This class is meant to be called from `rundeck` and ensures the service is running. +# @summary This class is called from rundeck to manage service. # class rundeck::service { assert_private() From 10fa6d948c8ae30f2305fdee6498ee634bf4963e Mon Sep 17 00:00:00 2001 From: Joris29 Date: Tue, 14 Nov 2023 13:24:45 +0100 Subject: [PATCH 06/82] Update install.pp --- README.md | 1 - REFERENCE.md | 149 +++++++----------------- data/{common.yaml => defaults.yaml} | 54 +-------- data/os/Debian.yaml | 12 ++ data/os/RedHat.yaml | 10 ++ hiera.yaml | 4 +- manifests/config.pp | 8 +- manifests/init.pp | 82 +++++-------- manifests/install.pp | 80 +++---------- manifests/service.pp | 17 +-- spec/classes/config/global/auth_spec.rb | 6 - spec/classes/rundeck_spec.rb | 2 - templates/jaas-auth.conf.epp | 2 +- templates/realm.properties.erb | 44 ------- 14 files changed, 128 insertions(+), 343 deletions(-) rename data/{common.yaml => defaults.yaml} (59%) delete mode 100644 templates/realm.properties.erb diff --git a/README.md b/README.md index 54c465899..c00983349 100644 --- a/README.md +++ b/README.md @@ -140,7 +140,6 @@ To perform LDAP authentication and file authorization following code can be used ```puppet class { 'rundeck': - auth_types => ['ldap_shared'], auth_config => { 'file' => { 'auth_users' => [ diff --git a/REFERENCE.md b/REFERENCE.md index 724ed6d28..d21d1e2bf 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -10,6 +10,8 @@ * [`rundeck`](#rundeck): Class to manage installation and configuration of Rundeck. * [`rundeck::config::global::web`](#rundeck--config--global--web): This class will manage the application's web.xml. +* [`rundeck::install`](#rundeck--install): This class is called from rundeck for install. +* [`rundeck::service`](#rundeck--service): This class is called from rundeck to manage service. #### Private Classes 
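Review bot: Same mismatch as in install.pp: `# @api private` is dropped but `assert_private()` on the next line still rejects any direct declaration, and the regenerated REFERENCE.md later in this series lists `rundeck::service` among the public classes as a result. Either restore `# @api private` above the summary or remove the guard deliberately and explain why in the commit message; the documentation and the enforcement should agree.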
@@ -19,8 +21,6 @@ * `rundeck::config::global::project`: This private class is called from rundeck::config used to manage the default project properties. * `rundeck::config::global::rundeck_config`: This private class is called from rundeck::config used to manage the rundeck-config properties. * `rundeck::config::global::ssl`: This private class is called from rundeck::config used to manage the ssl properties if ssl is enabled. -* `rundeck::install`: This private class installs the rundeck package and its dependencies. -* `rundeck::service`: This class is meant to be called from `rundeck` and ensures the service is running. ### Defined types @@ -53,7 +53,6 @@ The following parameters are available in the `rundeck` class: * [`acl_policies`](#-rundeck--acl_policies) * [`acl_template`](#-rundeck--acl_template) * [`api_policies`](#-rundeck--api_policies) -* [`api_template`](#-rundeck--api_template) * [`auth_config`](#-rundeck--auth_config) * [`auth_template`](#-rundeck--auth_template) * [`auth_types`](#-rundeck--auth_types) @@ -79,13 +78,13 @@ The following parameters are available in the `rundeck` class: * [`ssl_certfile`](#-rundeck--ssl_certfile) * [`manage_default_admin_policy`](#-rundeck--manage_default_admin_policy) * [`manage_default_api_policy`](#-rundeck--manage_default_api_policy) +* [`repo_config`](#-rundeck--repo_config) * [`manage_repo`](#-rundeck--manage_repo) * [`package_ensure`](#-rundeck--package_ensure) * [`preauthenticated_config`](#-rundeck--preauthenticated_config) * [`projects`](#-rundeck--projects) * [`projects_description`](#-rundeck--projects_description) * [`projects_organization`](#-rundeck--projects_organization) -* [`projects_storage_type`](#-rundeck--projects_storage_type) * [`quartz_job_threadcount`](#-rundeck--quartz_job_threadcount) * [`rd_loglevel`](#-rundeck--rd_loglevel) * [`rd_auditlevel`](#-rundeck--rd_auditlevel) 
@@ -95,22 +94,16 @@ The following parameters are available in the `rundeck` class: * [`rdeck_profile_template`](#-rundeck--rdeck_profile_template) * [`rdeck_override_template`](#-rundeck--rdeck_override_template) * [`realm_template`](#-rundeck--realm_template) -* [`repo_yum_source`](#-rundeck--repo_yum_source) -* [`repo_yum_gpgkey`](#-rundeck--repo_yum_gpgkey) -* [`repo_apt_source`](#-rundeck--repo_apt_source) -* [`repo_apt_key_id`](#-rundeck--repo_apt_key_id) -* [`repo_apt_gpgkey`](#-rundeck--repo_apt_gpgkey) -* [`repo_apt_keyserver`](#-rundeck--repo_apt_keyserver) * [`rss_enabled`](#-rundeck--rss_enabled) * [`security_config`](#-rundeck--security_config) * [`security_role`](#-rundeck--security_role) * [`server_web_context`](#-rundeck--server_web_context) -* [`service_config`](#-rundeck--service_config) -* [`service_logs_dir`](#-rundeck--service_logs_dir) * [`service_name`](#-rundeck--service_name) +* [`service_ensure`](#-rundeck--service_ensure) * [`service_restart`](#-rundeck--service_restart) +* [`service_logs_dir`](#-rundeck--service_logs_dir) +* [`service_config`](#-rundeck--service_config) * [`service_script`](#-rundeck--service_script) -* [`service_ensure`](#-rundeck--service_ensure) * [`session_timeout`](#-rundeck--session_timeout) * [`ssl_enabled`](#-rundeck--ssl_enabled) * [`ssl_port`](#-rundeck--ssl_port) @@ -122,7 +115,6 @@ The following parameters are available in the `rundeck` class: * [`manage_group`](#-rundeck--manage_group) * [`user_id`](#-rundeck--user_id) * [`group_id`](#-rundeck--group_id) -* [`file_default_mode`](#-rundeck--file_default_mode) * [`security_roles_array_enabled`](#-rundeck--security_roles_array_enabled) * [`security_roles_array`](#-rundeck--security_roles_array) * [`storage_encrypt_config`](#-rundeck--storage_encrypt_config) 
@@ -162,14 +154,6 @@ apitoken acl policies. Default value: `[]` -##### `api_template` - -Data type: `String` - -The template used for apitoken acl policy. Default is rundeck/aclpolicy.erb. - -Default value: `'rundeck/aclpolicy.erb'` - ##### `auth_config` Data type: `Hash` @@ -358,6 +342,13 @@ Boolean value if set to true enables default api policy management Default value: `true` +##### `repo_config` + +Data type: `Hash` + +A hash of repository types and attributes for configuring the rundeck package repositories. +Examples/defaults for yumrepo can be found at data/os/RedHat.yaml, and for apt at data/os/Debian.yaml + ##### `manage_repo` Data type: `Boolean` @@ -404,14 +395,6 @@ The organization value that will be set by default for any projects. Default value: `''` -##### `projects_storage_type` - -Data type: `Enum['db', 'filesystem']` - -The storage type for any projects. Must be 'filesystem' or 'db' - -Default value: `'filesystem'` - ##### `quartz_job_threadcount` Data type: `Integer` 
@@ -484,54 +467,6 @@ Allows you to use your own override template instead of the default from the pac Default value: `'rundeck/realm.properties.erb'` -##### `repo_yum_source` - -Data type: `Stdlib::HTTPUrl` - -Baseurl for the yum repo - -Default value: `'https://packagecloud.io/pagerduty/rundeck/rpm_any/rpm_any/$basearch'` - -##### `repo_yum_gpgkey` - -Data type: `String` - -URL or path for the GPG key for the rpm - -Default value: `'https://packagecloud.io/pagerduty/rundeck/gpgkey'` - -##### `repo_apt_source` - -Data type: `Stdlib::HTTPUrl` - -Baseurl for the apt repo - -Default value: `'https://packagecloud.io/pagerduty/rundeck/any'` - -##### `repo_apt_key_id` - -Data type: `String` - -Key ID for the GPG key for the Debian package - -Default value: `'0DDD2FA79B15D736ECEA32B89B5206167C5C34C0'` - -##### `repo_apt_gpgkey` - -Data type: `Stdlib::Httpsurl` - -Location where the GPG key can be found - -Default value: `'https://packagecloud.io/pagerduty/rundeck/gpgkey'` - -##### `repo_apt_keyserver` - -Data type: `String` - -Keysever for the GPG key for the Debian package - -Default value: `'keyserver.ubuntu.com'` - ##### `rss_enabled` Data type: `Boolean` @@ -562,29 +497,21 @@ Web context path to use, such as "/rundeck". http://host.domain:port/server_web_ Default value: `undef` -##### `service_config` +##### `service_name` -Data type: `Optional[String]` +Data type: `String` The name of the rundeck service. -Default value: `undef` - -##### `service_logs_dir` - -Data type: `Stdlib::Absolutepath` - -The path to the directory to store logs. - -Default value: `'/var/log/rundeck'` +Default value: `'rundeckd'` -##### `service_name` +##### `service_ensure` -Data type: `String` +Data type: `Enum['stopped', 'running']` -The name of the rundeck service. +State of the rundeck service (defaults to 'running') -Default value: `'rundeckd'` +Default value: `'running'` ##### `service_restart` 
@@ -594,21 +521,29 @@ The restart of the rundeck service (default to true) Default value: `true` -##### `service_script` +##### `service_logs_dir` + +Data type: `Stdlib::Absolutepath` + +The path to the directory to store logs. + +Default value: `'/var/log/rundeck'` + +##### `service_config` Data type: `Optional[String]` -Allows you to use your own override template instead of the default from the package maintainer for rundeckd init script. +Allows you to use your own override template instead to config rundeckd init script. Default value: `undef` -##### `service_ensure` +##### `service_script` -Data type: `Enum['stopped', 'running']` +Data type: `Optional[String]` -State of the rundeck service (defaults to 'running') +Allows you to use your own override template instead of the default from the package maintainer for rundeckd init script. -Default value: `'running'` +Default value: `undef` ##### `session_timeout` @@ -696,14 +631,6 @@ If you want to have always the same group id. Eg. because of the NFS share. Default value: `undef` -##### `file_default_mode` - -Data type: `String` - -Default file mode for managed files. Default to 0640 - -Default value: `'0640'` - ##### `security_roles_array_enabled` Data type: `Boolean` @@ -889,6 +816,14 @@ Data type: `Stdlib::Absolutepath` Default value: `"${rundeck::rdeck_home}/exp/webapp/WEB-INF/web.xml"` +### `rundeck::install` + +This class is called from rundeck for install. + +### `rundeck::service` + +This class is called from rundeck to manage service. + ## Defined types ### `rundeck::config::aclpolicyfile` diff --git a/data/common.yaml b/data/defaults.yaml similarity index 59% rename from data/common.yaml rename to data/defaults.yaml index 9aaa978e5..21efc3fc4 100644 --- a/data/common.yaml +++ b/data/defaults.yaml 
@@ -35,8 +35,6 @@ rundeck::framework_config: framework.server.hostname: "%{facts.networking.hostname}" framework.server.port: '4440' framework.server.url: "http://%{facts.networking.fqdn}:4440" - framework.server.username: 'admin' - framework.server.password: 'admin' rdeck.base: '/var/lib/rundeck' framework.projects.dir: '/var/lib/rundeck/projects' framework.etc.dir: '/etc/rundeck' @@ -53,57 +51,9 @@ rundeck::file_keystorage_dir: "%{lookup('rundeck::framework_config.framework.var rundeck::auth_config: file: - admin_user: "%{lookup('rundeck::framework_config.framework.server.username')}" - admin_password: "%{lookup('rundeck::framework_config.framework.server.password')}" + admin_user: 'admin' + admin_password: 'admin' auth_users: {} - file: '/etc/rundeck/realm.properties' - pam: - service: 'sshd' - supplemental_roles: - - 'user' - store_pass: true - clear_pass: null - try_first_pass: null - use_first_pass: null - use_unix_groups: null - ldap: - server: null - port: '389' - force_binding: false - force_binding_use_root: false - bind_dn: null - bind_password: null - user_base_dn: null - user_rdn_attribute: 'uid' - user_id_attribute: 'uid' - user_password_attribute: 'userPassword' - user_object_class: 'user' - role_base_dn: null - role_name_attribute: 'cn' - role_member_attribute: 'memberUid' - role_object_class: 'group' - role_prefix: null - nested_groups: true - active_directory: - server: null - port: '389' - force_binding: true - force_binding_use_root: true - bind_dn: null - bind_password: null - user_base_dn: null - user_rdn_attribute: 'sAMAccountName' - user_id_attribute: 'sAMAccountName' - user_password_attribute: 'unicodePwd' - user_object_class: 'user' - role_base_dn: null - role_name_attribute: 'cn' - role_member_attribute: 'member' - role_object_class: 'group' - role_prefix: null - supplemental_roles: - - 'user' - nested_groups: true rundeck::security_config: useHMacRequestTokens: true 
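Review bot: The new `admin_user: 'admin'` / `admin_password: 'admin'` lines bake a well-known default credential into module data, and because the value is no longer derived from `framework.server.password` a user who only overrides the framework password no longer changes the admin login, which is a silent behaviour change for existing users. Consider shipping `admin_password` with no default so the catalog fails to compile until an operator sets it, or at minimum add a comment next to the key, `# must be overridden; shipped value is a placeholder`. The same literal pair returns, in list form, in the data/defaults.yaml hunk of PATCH 07.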
diff --git a/data/os/Debian.yaml b/data/os/Debian.yaml index c7acc3258..3aa208af0 100644 --- a/data/os/Debian.yaml +++ b/data/os/Debian.yaml @@ -1,2 +1,14 @@ --- rundeck::overrides_dir: '/etc/default' + +rundeck::repoconfig: + 'apt::source': + 'rundeck': + location: 'https://packagecloud.io/pagerduty/rundeck/any' + release: 'any' + repos: 'main' + comment: 'Official repository for Rundeck' + key: + id: '0DDD2FA79B15D736ECEA32B89B5206167C5C34C0' + source: 'https://packagecloud.io/pagerduty/rundeck/gpgkey' + server: 'keyserver.ubuntu.com' diff --git a/data/os/RedHat.yaml b/data/os/RedHat.yaml index 8b95becda..6d690d569 100644 --- a/data/os/RedHat.yaml +++ b/data/os/RedHat.yaml @@ -1,2 +1,12 @@ --- rundeck::overrides_dir: '/etc/sysconfig' + +rundeck::repo_config: + 'yumrepo': + 'rundeck': + baseurl: 'https://packagecloud.io/pagerduty/rundeck/rpm_any/rpm_any/$basearch' + descr: 'Rundeck repository' + enabled: 1 + gpgcheck: 1 + gpgkey: 'https://packagecloud.io/pagerduty/rundeck/gpgkey' + repo_gpgcheck: 1 diff --git a/hiera.yaml b/hiera.yaml index 149fe6a0c..be2f64947 100644 --- a/hiera.yaml +++ b/hiera.yaml @@ -7,5 +7,5 @@ hierarchy: - name: 'OS family' path: 'os/%{facts.os.family}.yaml' - - name: 'common' - path: 'common.yaml' \ No newline at end of file + - name: 'defaults' + path: 'defaults.yaml' \ No newline at end of file diff --git a/manifests/config.pp b/manifests/config.pp index 6232607b0..3951f2c15 100644 --- a/manifests/config.pp +++ b/manifests/config.pp @@ -1,6 +1,4 @@ -# @api private -# -# @summary This private class is called from `rundeck` to manage the configuration. +# @summary This class is called from rundeck to manage the configuration. # class rundeck::config { $acl_policies = $rundeck::acl_policies 
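Review bot: The key added in data/os/Debian.yaml is `rundeck::repoconfig`, but the class parameter introduced in manifests/init.pp in this patch is `$repo_config` and data/os/RedHat.yaml uses `rundeck::repo_config`, so on Debian the required parameter gets no Hiera value and the catalog fails to compile. Rename the key to `rundeck::repo_config:`. The RedHat hunk's `gpgcheck: 1` / `repo_gpgcheck: 1` is an improvement over the removed yumrepo's `gpgcheck => '0'`; it would be worth keeping that explicit if the data is later overridden.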
@@ -8,11 +6,9 @@ $api_policies = $rundeck::api_policies $api_template = $rundeck::api_template $auth_template = $rundeck::auth_template - $auth_types = $rundeck::auth_types $clustermode_enabled = $rundeck::clustermode_enabled $database_config = $rundeck::database_config $execution_mode = $rundeck::execution_mode - $file_default_mode = $rundeck::file_default_mode $file_keystorage_dir = $rundeck::file_keystorage_dir $file_keystorage_keys = $rundeck::file_keystorage_keys $grails_server_url = $rundeck::grails_server_url @@ -67,7 +63,7 @@ File { owner => $rundeck::user, group => $rundeck::group, - mode => $rundeck::file_default_mode, + mode => '0640', } $framework_config = deep_merge($rundeck::params::framework_config, $rundeck::framework_config) diff --git a/manifests/init.pp b/manifests/init.pp index 53cd7c8a2..ba622e04a 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -6,14 +6,10 @@ # The template used for admin acl policy. Default is rundeck/aclpolicy.erb. # @param api_policies # apitoken acl policies. -# @param api_template -# The template used for apitoken acl policy. Default is rundeck/aclpolicy.erb. # @param auth_config # Authentication configuration. # @param auth_template # The template used for authentication config. Default is rundeck/jaas-auth.conf.epp. -# @param auth_types -# The method used to authenticate to rundeck. Default is file. # @param clustermode_enabled # Boolean value if set to true enables cluster mode # @param database_config 
@@ -58,6 +54,9 @@ # Boolean value if set to true enables default admin policy management # @param manage_default_api_policy # Boolean value if set to true enables default api policy management +# @param repo_config +# A hash of repository types and attributes for configuring the rundeck package repositories. +# Examples/defaults for yumrepo can be found at data/os/RedHat.yaml, and for apt at data/os/Debian.yaml # @param manage_repo # Whether to manage the package repository. Defaults to true. # @param package_ensure @@ -88,18 +87,6 @@ # Allows you to use your own override template instead of the default from the package maintainer # @param realm_template # Allows you to use your own override template instead of the default from the package maintainer -# @param repo_yum_source -# Baseurl for the yum repo -# @param repo_yum_gpgkey -# URL or path for the GPG key for the rpm -# @param repo_apt_source -# Baseurl for the apt repo -# @param repo_apt_key_id -# Key ID for the GPG key for the Debian package -# @param repo_apt_gpgkey -# Location where the GPG key can be found -# @param repo_apt_keyserver -# Keysever for the GPG key for the Debian package # @param rss_enabled # Boolean value if set to true enables RSS feeds that are public (non-authenticated) # @param security_config 
@@ -108,18 +95,18 @@ # Name of the role that is required for all users to be allowed access. # @param server_web_context # Web context path to use, such as "/rundeck". http://host.domain:port/server_web_context -# @param service_config -# The name of the rundeck service. -# @param service_logs_dir -# The path to the directory to store logs. # @param service_name # The name of the rundeck service. +# @param service_ensure +# State of the rundeck service (defaults to 'running') # @param service_restart # The restart of the rundeck service (default to true) +# @param service_logs_dir +# The path to the directory to store logs. +# @param service_config +# Allows you to use your own override template instead to config rundeckd init script. # @param service_script # Allows you to use your own override template instead of the default from the package maintainer for rundeckd init script. -# @param service_ensure -# State of the rundeck service (defaults to 'running') # @param session_timeout # Session timeout is an expired time limit for a logged in Rundeck GUI user which as been inactive for a period of time. # @param ssl_enabled @@ -142,8 +129,6 @@ # If you want to have always the same user id. Eg. because of the NFS share. # @param group_id # If you want to have always the same group id. Eg. because of the NFS share. -# @param file_default_mode -# Default file mode for managed files. Default to 0640 # @param security_roles_array_enabled # Boolean value if you need more roles. false or true (default is false). # @param security_roles_array @@ -155,7 +140,7 @@ class rundeck ( Array[Hash] $acl_policies, Hash $framework_config, - Hash $auth_config, + Array[Hash] $auth_config, Hash $database_config, Array[Hash] $key_storage_config, Hash $security_config, 
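Review bot: `Array[Hash] $auth_config` in the `@@ -155,7 +140,7 @@` hunk no longer matches data/defaults.yaml in this same patch, where `rundeck::auth_config` is still a hash keyed by `file`, so the default binding fails type checking. The consumers also still assume hash semantics: manifests/config.pp passes the value to `deep_merge` (visible as a removed line in PATCH 07) and templates/jaas-auth.conf.epp tests `'ldap' in $type`. Either keep `Hash $auth_config,` here or convert the data and every consumer in the same change; PATCH 07 converts the data but, as far as the visible hunks show, not the merge.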
@@ -163,11 +148,12 @@ String $keystore_password, String $truststore_password, Stdlib::Absolutepath $file_keystorage_dir, + Hash $repo_config, + Boolean $manage_repo = true, + String $package_ensure = 'installed', String $acl_template = 'rundeck/aclpolicy.erb', Array[Hash] $api_policies = [], - String $api_template = 'rundeck/aclpolicy.erb', String $auth_template = 'rundeck/jaas-auth.conf.epp', - Array $auth_types = ['file'], Boolean $clustermode_enabled = false, Enum['active', 'passive'] $execution_mode = 'active', Hash $file_keystorage_keys = {}, @@ -182,12 +168,7 @@ Boolean $sshkey_manage = true, Boolean $manage_default_admin_policy = true, Boolean $manage_default_api_policy = true, - Boolean $manage_repo = true, - String $package_ensure = 'installed', - Hash $projects = {}, - String $projects_description = '', - String $projects_organization = '', - Integer $quartz_job_threadcount = 10, + Rundeck::Loglevel $rd_loglevel = 'INFO', Rundeck::Loglevel $rd_auditlevel = 'INFO', String $rdeck_config_template = 'rundeck/rundeck-config.epp', 
@@ -195,22 +176,11 @@ Boolean $manage_home = true, Optional[String] $rdeck_profile_template = undef, String $rdeck_override_template = 'rundeck/profile_overrides.erb', - String $realm_template = 'rundeck/realm.properties.erb', - Stdlib::HTTPUrl $repo_yum_source = 'https://packagecloud.io/pagerduty/rundeck/rpm_any/rpm_any/$basearch', - String $repo_yum_gpgkey = 'https://packagecloud.io/pagerduty/rundeck/gpgkey', - Stdlib::HTTPUrl $repo_apt_source = 'https://packagecloud.io/pagerduty/rundeck/any', - String $repo_apt_key_id = '0DDD2FA79B15D736ECEA32B89B5206167C5C34C0', - Stdlib::Httpsurl $repo_apt_gpgkey = 'https://packagecloud.io/pagerduty/rundeck/gpgkey', - String $repo_apt_keyserver = 'keyserver.ubuntu.com', + String $realm_template = 'rundeck/realm.properties.epp', + Boolean $rss_enabled = false, String $security_role = 'user', Optional[String] $server_web_context = undef, - Optional[String] $service_config = undef, - Stdlib::Absolutepath $service_logs_dir = '/var/log/rundeck', - String $service_name = 'rundeckd', - Boolean $service_restart = true, - Optional[String] $service_script = undef, - Enum['stopped', 'running'] $service_ensure = 'running', Integer $session_timeout = 30, Boolean $ssl_enabled = false, Stdlib::Port $ssl_port = 4443, 
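Review bot: The new default `String $realm_template = 'rundeck/realm.properties.epp',` points at a file this patch does not add — the diffstat only deletes templates/realm.properties.erb — so whatever renders `$realm_template` will fail until the .epp exists. If that code still calls `template()` rather than `epp()` it needs changing as well; it is outside this hunk, so I cannot confirm. Until the template lands, keeping the `.erb` default (and the file) avoids shipping a dangling reference.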
@@ -218,16 +188,28 @@ Stdlib::Absolutepath $ssl_keyfile = '/etc/rundeck/ssl/rundeck.key', Stdlib::Absolutepath $ssl_certfile = '/etc/rundeck/ssl/rundeck.crt', Stdlib::Absolutepath $truststore = '/etc/rundeck/ssl/truststore', + Boolean $security_roles_array_enabled = false, + Array $security_roles_array = [], + Hash[String,String] $storage_encrypt_config = {}, + # User config String $user = 'rundeck', String $group = 'rundeck', Boolean $manage_user = false, Boolean $manage_group = false, Optional[Integer] $user_id = undef, Optional[Integer] $group_id = undef, - String $file_default_mode = '0640', - Boolean $security_roles_array_enabled = false, - Array $security_roles_array = [], - Hash[String,String] $storage_encrypt_config = {}, + # Service config + String $service_name = 'rundeckd', + Enum['stopped', 'running'] $service_ensure = 'running', + Boolean $service_restart = true, + Stdlib::Absolutepath $service_logs_dir = '/var/log/rundeck', + Optional[String] $service_config = undef, + Optional[String] $service_script = undef, + # Project management + Hash $projects = {}, + String $projects_description = '', + String $projects_organization = '', + Integer $quartz_job_threadcount = 10, String $file_copier_provider = 'jsch-scp', String $node_executor_provider = 'jsch-ssh', Hash $resource_sources = {}, diff --git a/manifests/install.pp b/manifests/install.pp index d4829997a..b8e0210da 100644 --- a/manifests/install.pp +++ b/manifests/install.pp 
@@ -3,95 +3,53 @@ class rundeck::install { assert_private() - $user = $rundeck::user - $group = $rundeck::group - $manage_user = $rundeck::manage_user - $manage_group = $rundeck::manage_group - $user_id = $rundeck::user_id - $group_id = $rundeck::group_id - $package_ensure = $rundeck::package_ensure - $manage_repo = $rundeck::manage_repo - $repo_yum_source = $rundeck::repo_yum_source - $repo_yum_gpgkey = $rundeck::repo_yum_gpgkey - $repo_apt_source = $rundeck::repo_apt_source - $repo_apt_key_id = $rundeck::repo_apt_key_id - $repo_apt_keyserver = $rundeck::repo_apt_keyserver - - if $manage_group { - group { $group: + if $rundeck::manage_group { + group { $rundeck::group: ensure => present, - gid => $group_id, + gid => $rundeck::group_id, system => true, } - if $group != 'rundeck' { + if $rundeck::group != 'rundeck' { group { 'rundeck': ensure => absent, } } } - if $manage_user { - user { $user: + if $rundeck::manage_user { + user { $rundeck::user: ensure => present, - groups => [$group], - uid => $user_id, - gid => $group_id, + groups => [$rundeck::group], + uid => $rundeck::user_id, + gid => $rundeck::group_id, system => true, before => File['/var/rundeck'], } - if $user != 'rundeck' { + if $rundeck::user != 'rundeck' { user { 'rundeck': ensure => absent, } } } - case $facts['os']['family'] { - 'RedHat': { - if $manage_repo { - yumrepo { 'rundeck': - baseurl => $repo_yum_source, - descr => 'rundeck repo', - enabled => '1', - gpgcheck => '0', - gpgkey => $repo_yum_gpgkey, - repo_gpgcheck => '1', - priority => '1', - before => Package['rundeck'], - } - } - - ensure_packages(['rundeck'], { 'ensure' => $package_ensure, notify => Class['rundeck::service'] }) - } - 'Debian': { - if $manage_repo { - include apt - apt::source { 'rundeck': - location => $repo_apt_source, - release => 'any', - repos => 'main', - key => { - id => $repo_apt_key_id, - source => $rundeck::repo_apt_gpgkey, - server => $repo_apt_keyserver, - }, - before => Package['rundeck'], - } + if 
$rundeck::manage_repo { + $rundeck::repo_config.each() | String $_resource_type, Hash $_resources | { + if downcase($_resource_type) == 'apt::source' { + Class['Apt::Update'] -> Package['rundeck'] } - ensure_packages(['rundeck'], { 'ensure' => $package_ensure, notify => Class['rundeck::service'], require => Class['apt::update'] }) - } - default: { - err("The osfamily: ${facts['os']['family']} is not supported") + create_resources($_resource_type, $_resources, { 'before' => Package['rundeck'] }) } } + ensure_packages(['rundeck'], { 'ensure' => $rundeck::package_ensure, notify => Class['rundeck::service'] }) + # Leave this one here, to avoid notifying service when permissions change file { '/var/rundeck': ensure => directory, - owner => $user, - group => $group, + owner => $rundeck::user, + group => $rundeck::group, mode => '0640', recurse => true, require => Package['rundeck'], diff --git a/manifests/service.pp b/manifests/service.pp index acd3fbb57..1f159105c 100644 --- a/manifests/service.pp +++ b/manifests/service.pp @@ -3,29 +3,24 @@ class rundeck::service { assert_private() - $service_config = $rundeck::service_config - $service_name = $rundeck::service_name - $service_script = $rundeck::service_script - $service_ensure = $rundeck::service_ensure - - if $service_config { + if $rundeck::service_config { file { '/etc/init/rundeckd.conf': ensure => file, mode => '0644', - content => template($service_config), + content => template($rundeck::service_config), } } - if $service_script { + if $rundeck::service_script { file { '/etc/init.d/rundeckd': ensure => file, mode => '0755', - content => template($service_script), + content => template($rundeck::service_script), } } - service { $service_name: - ensure => $service_ensure, + service { $rundeck::service_name: + ensure => $rundeck::service_ensure, enable => true, hasstatus => true, hasrestart => true, 
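Review bot: The `apt::source` branch no longer declares the `apt` class (the removed `include apt`), yet the new `Class['Apt::Update'] -> Package['rundeck']` relationship only resolves if that class is in the catalog; recent puppetlabs-apt releases include it from `apt::source`, but the ordering now depends on that internal detail. An explicit `include apt` inside the `if downcase($_resource_type) == 'apt::source' {` block keeps it independent. Note also that `create_resources($_resource_type, $_resources, ...)` will declare any resource type named in `repo_config`, not only repositories — acceptable for operator-controlled data, but worth a sentence on the parameter — and that with the `default:` / `err(...)` branch gone an unsupported os family now surfaces only as a missing required `repo_config` value.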
diff --git a/spec/classes/config/global/auth_spec.rb b/spec/classes/config/global/auth_spec.rb index b463f4e28..6dcd81349 100644 --- a/spec/classes/config/global/auth_spec.rb +++ b/spec/classes/config/global/auth_spec.rb @@ -87,7 +87,6 @@ describe 'with multiauth ldap and file auth users array' do let(:params) do { - auth_types: %w[ldap file], auth_config: { 'file' => { 'auth_users' => [ @@ -138,7 +137,6 @@ describe 'with ldap using ldap_sync' do let(:params) do { - auth_types: %w[ldap], auth_config: { 'ldap' => { 'debug' => 'true', @@ -180,7 +178,6 @@ describe 'with multiauth active_directory and file auth users array' do let(:params) do { - auth_types: %w[active_directory file], auth_config: { 'file' => { 'auth_users' => [ @@ -231,7 +228,6 @@ describe 'with active_directory using ldap_sync' do let(:params) do { - auth_types: %w[active_directory], auth_config: { 'active_directory' => { 'debug' => 'true', @@ -328,7 +324,6 @@ describe 'ldap with rolePrefix' do let(:params) do { - auth_types: %w[ldap], auth_config: { 'ldap' => { 'url' => 'localhost:389', @@ -347,7 +342,6 @@ describe 'active_directory with rolePrefix' do let(:params) do { - auth_types: %w[active_directory], auth_config: { 'active_directory' => { 'url' => 'localhost:389', diff --git a/spec/classes/rundeck_spec.rb b/spec/classes/rundeck_spec.rb index db7674c0a..f00901a14 100644 --- a/spec/classes/rundeck_spec.rb +++ b/spec/classes/rundeck_spec.rb @@ -25,7 +25,6 @@ describe 'setting auth_config ldap roleUsernameMemberAttribute' do let(:params) do { - auth_types: ['ldap'], auth_config: { 'ldap' => { 'role_username_member_attribute' => 'memberUid' @@ -46,7 +45,6 @@ describe 'setting auth_config ldap url' do let(:params) do { - auth_types: ['ldap'], auth_config: { 'ldap' => { 'url' => 'ldaps://myrealldap.example.com', diff --git a/templates/jaas-auth.conf.epp b/templates/jaas-auth.conf.epp index e96054b93..15cbf47c0 100644 --- a/templates/jaas-auth.conf.epp +++ b/templates/jaas-auth.conf.epp 
@@ -1,5 +1,5 @@
 authentication {
-<%- $rundeck::config::auth_types.each |$type| { -%>
+<%- $rundeck::config::auth_config.each |$_type| { -%>
 <%- if 'ldap' in $type or 'ldap_shared' in $type { -%>
 <%= epp('rundeck/_auth_ldap.epp') %>
 <%- } elsif 'active_directory' in $type or 'active_directory_shared' in $type { -%>
diff --git a/templates/realm.properties.erb b/templates/realm.properties.erb
deleted file mode 100644
index 4d00061b8..000000000
--- a/templates/realm.properties.erb
+++ /dev/null
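Review bot: The block variable is renamed to `$_type`, but the context lines that follow still test `'ldap' in $type` and `'active_directory' in $type`, so `$type` is unbound and the EPP fails to evaluate under strict variables; either keep `|$type|` or rename the uses. Each element of `auth_config` is now a whole hash rather than a type name, so `'ldap' in $_type` would only match a key literally named `ldap`; with the `type:` / `config:` shape PATCH 07 introduces the check presumably needs to become something like `$_type['type'] == 'ldap'`. The rest of the template is outside the hunk.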
@@ -1,44 +0,0 @@ -# -# This file defines users passwords and roles for a HashUserRealm -# -# The format is -# : [, ...] -# -# Passwords may be clear text, obfuscated or checksummed. The class -# org.mortbay.util.Password should be used to generate obfuscated -# passwords or password checksums -# -# If DIGEST Authentication is used, the password must be in a recoverable -# format, either plain text or OBF:. -# -#jetty: MD5:164c88b302622e17050af52c89945d44,user -#admin: CRYPT:ad1ks..kc.1Ug,server-administrator,content-administrator,admin -#other: OBF:1xmk1w261u9r1w1c1xmq -#plain: plain -#user: password -# This entry is for digest auth. The credential is a MD5 hash of username:realmname:password -#digest: MD5:6e120743ad67abfbc385bc2bb754e297 - -# -# This sets the default user accounts for the Rundeck app -# -<%= @auth_config['file']['admin_user'] %>:<%= @auth_config['file']['admin_password'] %>,user,admin,architect,deploy,build -<%- if @auth_config['file']['auth_users'] -%> - <%- if @auth_config['file']['auth_users'].kind_of?(Array) -%> - <%- @auth_config['file']['auth_users'].each do |x| -%> - <%- if x['username'] and x['password'] -%> - <%= x['username'] -%>:<%= x.fetch('password', '-') -%> - <%- if x['roles'] -%> - <%- x['roles'].each do |v| -%>,<%= v -%><%- end %> - <%- end -%> - <%- end -%> - <%- end -%> - <%- else -%> - <%- if @auth_config['file']['auth_users']['username'] and @auth_config['file']['auth_users']['password'] -%> - <%= @auth_config['file']['auth_users']['username'] -%>:<%= @auth_config['file']['auth_users']['password'] -%> - <%- if @auth_config['file']['auth_users']['roles'] -%> - <%- @auth_config['file']['auth_users']['roles'].each do |v| -%>,<%= v -%><%- end %> - <%- end -%> - <%- end -%> - <%- end -%> -<%- end %> From 8406158885436c1539d8eb4d5bb2b3981bc2aeca Mon Sep 17 00:00:00 2001 
From: Joris29 Date: Tue, 14 Nov 2023 16:52:36 +0100 Subject: [PATCH 07/82] Update more params and refs --- REFERENCE.md | 37 +++++------ data/defaults.yaml | 13 ++-- manifests/config.pp | 107 ++++++++++++++++-------------- manifests/config/aclpolicyfile.pp | 2 +- manifests/config/global/web.pp | 2 +- manifests/config/securityroles.pp | 2 +- manifests/init.pp | 21 +++--- templates/jaas-auth.conf.epp | 8 +-- 8 files changed, 97 insertions(+), 95 deletions(-) diff --git a/REFERENCE.md b/REFERENCE.md index d21d1e2bf..6adf73e9a 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -9,13 +9,13 @@ #### Public Classes * [`rundeck`](#rundeck): Class to manage installation and configuration of Rundeck. +* [`rundeck::config`](#rundeck--config): This class is called from rundeck to manage the configuration. * [`rundeck::config::global::web`](#rundeck--config--global--web): This class will manage the application's web.xml. * [`rundeck::install`](#rundeck--install): This class is called from rundeck for install. * [`rundeck::service`](#rundeck--service): This class is called from rundeck to manage service. #### Private Classes -* `rundeck::config`: This private class is called from `rundeck` to manage the configuration. * `rundeck::config::global::file_keystore`: This private class is used to manage the keys of the Rundeck key storage facility if a file-based backend is used. * `rundeck::config::global::framework`: This private class is called from rundeck::config used to manage the framework properties of rundeck. * `rundeck::config::global::project`: This private class is called from rundeck::config used to manage the default project properties. 
@@ -50,12 +50,11 @@ Class to manage installation and configuration of Rundeck. The following parameters are available in the `rundeck` class: -* [`acl_policies`](#-rundeck--acl_policies) +* [`admin_policies`](#-rundeck--admin_policies) * [`acl_template`](#-rundeck--acl_template) * [`api_policies`](#-rundeck--api_policies) * [`auth_config`](#-rundeck--auth_config) * [`auth_template`](#-rundeck--auth_template) -* [`auth_types`](#-rundeck--auth_types) * [`clustermode_enabled`](#-rundeck--clustermode_enabled) * [`database_config`](#-rundeck--database_config) * [`execution_mode`](#-rundeck--execution_mode) @@ -89,7 +88,7 @@ The following parameters are available in the `rundeck` class: * [`rd_loglevel`](#-rundeck--rd_loglevel) * [`rd_auditlevel`](#-rundeck--rd_auditlevel) * [`rdeck_config_template`](#-rundeck--rdeck_config_template) -* [`rdeck_home`](#-rundeck--rdeck_home) +* [`home_dir`](#-rundeck--home_dir) * [`manage_home`](#-rundeck--manage_home) * [`rdeck_profile_template`](#-rundeck--rdeck_profile_template) * [`rdeck_override_template`](#-rundeck--rdeck_override_template) @@ -132,7 +131,7 @@ The following parameters are available in the `rundeck` class: * [`script_args_quoted`](#-rundeck--script_args_quoted) * [`script_interpreter`](#-rundeck--script_interpreter) -##### `acl_policies` +##### `admin_policies` Data type: `Array[Hash]` @@ -150,13 +149,13 @@ Default value: `'rundeck/aclpolicy.erb'` Data type: `Array[Hash]` -apitoken acl policies. +Apitoken acl policies. Default value: `[]` ##### `auth_config` -Data type: `Hash` +Data type: `Array[Hash]` Authentication configuration. @@ -168,14 +167,6 @@ The template used for authentication config. Default is rundeck/jaas-auth.conf.e Default value: `'rundeck/jaas-auth.conf.epp'` -##### `auth_types` - -Data type: `Array` - -The method used to authenticate to rundeck. Default is file. - -Default value: `['file']` - ##### `clustermode_enabled` Data type: `Boolean` 
@@ -427,11 +418,11 @@ Allows you to override the rundeck-config template. Default value: `'rundeck/rundeck-config.epp'` -##### `rdeck_home` +##### `home_dir` Data type: `Stdlib::Absolutepath` -Directory under which the projects directories live. +Home/base directory under which rundeck is installed. Default value: `'/var/lib/rundeck'` @@ -465,7 +456,7 @@ Data type: `String` Allows you to use your own override template instead of the default from the package maintainer -Default value: `'rundeck/realm.properties.erb'` +Default value: `'rundeck/realm.properties.epp'` ##### `rss_enabled` @@ -760,6 +751,10 @@ Data type: `Stdlib::Absolutepath` Default value: `'/bin/bash'` +### `rundeck::config` + +This class is called from rundeck to manage the configuration. + ### `rundeck::config::global::web` Currently only manages the required for any user to login and session timout: @@ -814,7 +809,7 @@ Data type: `Stdlib::Absolutepath` -Default value: `"${rundeck::rdeck_home}/exp/webapp/WEB-INF/web.xml"` +Default value: `"${rundeck::home_dir}/exp/webapp/WEB-INF/web.xml"` ### `rundeck::install` @@ -886,7 +881,7 @@ The following parameters are available in the `rundeck::config::aclpolicyfile` d ##### `acl_policies` -Data type: `Array` +Data type: `Array[Hash]` An array of hashes containing acl policies. See example. @@ -1531,7 +1526,7 @@ Data type: `Stdlib::Absolutepath` -Default value: `"${rundeck::rdeck_home}/exp/webapp/WEB-INF/web.xml"` +Default value: `"${rundeck::home_dir}/exp/webapp/WEB-INF/web.xml"` ## Functions diff --git a/data/defaults.yaml b/data/defaults.yaml index 21efc3fc4..851b8d708 100644 --- a/data/defaults.yaml +++ b/data/defaults.yaml @@ -1,5 +1,5 @@ --- -rundeck::acl_policies: +rundeck::admin_policies: - description: 'Admin, all access' context: project: '.*' 
@@ -35,7 +35,6 @@ rundeck::framework_config: framework.server.hostname: "%{facts.networking.hostname}" framework.server.port: '4440' framework.server.url: "http://%{facts.networking.fqdn}:4440" - rdeck.base: '/var/lib/rundeck' framework.projects.dir: '/var/lib/rundeck/projects' framework.etc.dir: '/etc/rundeck' framework.var.dir: '/var/lib/rundeck/var' @@ -45,15 +44,17 @@ rundeck::framework_config: framework.ssh.keypath: '/var/lib/rundeck/.ssh/id_rsa' framework.ssh.user: 'rundeck' framework.ssh.timeout: '0' + rdeck.base: '/var/lib/rundeck' rundeck.server.uuid: "fqdn_uuid(%{facts.networking.fqdn})" rundeck::file_keystorage_dir: "%{lookup('rundeck::framework_config.framework.var.dir')}/storage" rundeck::auth_config: - file: - admin_user: 'admin' - admin_password: 'admin' - auth_users: {} + - type: 'file' + config: + admin_user: 'admin' + admin_password: 'admin' + auth_users: {} rundeck::security_config: useHMacRequestTokens: true diff --git a/manifests/config.pp b/manifests/config.pp index 3951f2c15..414a4b90a 100644 --- a/manifests/config.pp +++ b/manifests/config.pp @@ -1,7 +1,7 @@ # @summary This class is called from rundeck to manage the configuration. # class rundeck::config { - $acl_policies = $rundeck::acl_policies + $admin_policies = $rundeck::admin_policies $acl_template = $rundeck::acl_template $api_policies = $rundeck::api_policies $api_template = $rundeck::api_template @@ -36,7 +36,7 @@ $rd_loglevel = $rundeck::rd_loglevel $rd_auditlevel = $rundeck::rd_auditlevel $rdeck_config_template = $rundeck::rdeck_config_template - $rdeck_home = $rundeck::rdeck_home + $home_dir = $rundeck::home_dir $manage_home = $rundeck::manage_home $rdeck_profile_template = $rundeck::rdeck_profile_template $rdeck_override_template = $rundeck::rdeck_override_template 
@@ -63,41 +63,46 @@ File { owner => $rundeck::user, group => $rundeck::group, - mode => '0640', + mode => '0644', } - $framework_config = deep_merge($rundeck::params::framework_config, $rundeck::framework_config) - $auth_config = deep_merge($rundeck::params::auth_config, $rundeck::auth_config) + $framework_config = deep_merge(lookup('rundeck::framework_config'), $rundeck::framework_config) + $auth_config = deep_merge(lookup('rundeck::auth_config'), $rundeck::auth_config) $logs_dir = $framework_config['framework.logs.dir'] - $rdeck_base = $framework_config['rdeck.base'] $projects_dir = $framework_config['framework.projects.dir'] $properties_dir = $framework_config['framework.etc.dir'] $plugin_dir = $framework_config['framework.libext.dir'] - File[$rundeck::rdeck_home] ~> File[$rundeck::framework_config['framework.ssh.keypath']] + File[$rundeck::home_dir] ~> File[$rundeck::framework_config['framework.ssh.keypath']] if $manage_home { - file { $rdeck_home: - ensure => directory, + file { $home_dir: + ensure => directory, + mode => '0755', } - } elsif ! defined_with_params(File[$rdeck_home], { 'ensure' => 'directory' }) { - fail('when rundeck::manage_home = false a file definition for the home directory must be included outside of this module.') } if $rundeck::sshkey_manage { file { $framework_config['framework.ssh.keypath']: - mode => '0600', + mode => '0600', } } file { $rundeck::service_logs_dir: - ensure => directory, + ensure => directory, + mode => '0755', } ensure_resource(file, $projects_dir, { 'ensure' => 'directory' }) ensure_resource(file, $plugin_dir, { 'ensure' => 'directory' }) + $auth_types = $auth_config.map |$_config| { $_config['type'] } + + notify { 'auth_types_array': + message => $auth_types, + } + # Checking if we need to deploy realm file # ugly, I know. Fix it if you know better way to do that # 
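Review bot: Widening the class-wide `File { mode => '0644' }` default makes every file rundeck::config writes without its own `mode` world-readable, and as far as this series shows the realm.properties and jaas-auth.conf resources lower in the class (outside this hunk) set no mode of their own while carrying credentials. Keep `mode => '0640',` as the default and give directories an explicit `mode => '0755'`, as the hunk already does for `$home_dir` and `$rundeck::service_logs_dir`. The `notify { 'auth_types_array': message => $auth_types }` resource is debugging scaffolding that will show up in every agent report and should be dropped before merge. Removing the `fail(...)` for `manage_home = false` also silently drops the guarantee that something else declares `File[$home_dir]`, which the `File[$rundeck::home_dir] ~> File[...]` relationship kept just above still needs.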
@@ -152,7 +157,7 @@ if $manage_default_admin_policy { rundeck::config::aclpolicyfile { 'admin': - acl_policies => $acl_policies, + acl_policies => $admin_policies, owner => $user, group => $group, properties_dir => $properties_dir, 
@@ -183,41 +188,41 @@ } } - contain rundeck::config::global::framework - contain rundeck::config::global::project - contain rundeck::config::global::rundeck_config - contain rundeck::config::global::file_keystore - - Class['rundeck::config::global::framework'] - -> Class['rundeck::config::global::project'] - -> Class['rundeck::config::global::rundeck_config'] - -> Class['rundeck::config::global::file_keystore'] - - if $ssl_enabled { - contain rundeck::config::global::ssl - Class['rundeck::config::global::rundeck_config'] - -> Class['rundeck::config::global::ssl'] - } - - create_resources(rundeck::config::project, $projects) - - if versioncmp( $package_ensure, '3.0.0' ) < 0 { - class { 'rundeck::config::global::web': - security_role => $security_role, - session_timeout => $session_timeout, - security_roles_array_enabled => $security_roles_array_enabled, - security_roles_array => $security_roles_array, - require => Class['rundeck::install'], - } - } - - if !empty($kerberos_realms) { - file { "${properties_dir}/krb5.conf": - owner => $user, - group => $group, - mode => '0640', - content => template('rundeck/krb5.conf.erb'), - require => File[$properties_dir], - } - } + # contain rundeck::config::global::framework + # contain rundeck::config::global::project + # contain rundeck::config::global::rundeck_config + # contain rundeck::config::global::file_keystore + + # Class['rundeck::config::global::framework'] + # -> Class['rundeck::config::global::project'] + # -> Class['rundeck::config::global::rundeck_config'] + # -> Class['rundeck::config::global::file_keystore'] + + # if $ssl_enabled { + # contain rundeck::config::global::ssl + # Class['rundeck::config::global::rundeck_config'] + # -> Class['rundeck::config::global::ssl'] + # } + + # create_resources(rundeck::config::project, $projects) + + # if versioncmp( $package_ensure, '3.0.0' ) < 0 { + # class { 'rundeck::config::global::web': + # security_role => $security_role, + # session_timeout => $session_timeout, + # 
security_roles_array_enabled => $security_roles_array_enabled, + # security_roles_array => $security_roles_array, + # require => Class['rundeck::install'], + # } + # } + + # if !empty($kerberos_realms) { + # file { "${properties_dir}/krb5.conf": + # owner => $user, + # group => $group, + # mode => '0640', + # content => template('rundeck/krb5.conf.erb'), + # require => File[$properties_dir], + # } + # } } diff --git a/manifests/config/aclpolicyfile.pp b/manifests/config/aclpolicyfile.pp index ccf15882e..e933b0558 100644 --- a/manifests/config/aclpolicyfile.pp +++ b/manifests/config/aclpolicyfile.pp @@ -51,7 +51,7 @@ # The template used for acl policy. Default is rundeck/aclpolicy.erb # define rundeck::config::aclpolicyfile ( - Array $acl_policies, + Array[Hash] $acl_policies, String $group = 'rundeck', String $owner = 'rundeck', Stdlib::Absolutepath $properties_dir = '/etc/rundeck', diff --git a/manifests/config/global/web.pp b/manifests/config/global/web.pp index 1b4aa7d8e..8577cabb0 100644 --- a/manifests/config/global/web.pp +++ b/manifests/config/global/web.pp @@ -18,7 +18,7 @@ Integer[0] $session_timeout = $rundeck::params::session_timeout, Boolean $security_roles_array_enabled = $rundeck::params::security_roles_array_enabled, Array $security_roles_array = $rundeck::params::security_roles_array, - Stdlib::Absolutepath $web_xml = "${rundeck::rdeck_home}/exp/webapp/WEB-INF/web.xml" + Stdlib::Absolutepath $web_xml = "${rundeck::home_dir}/exp/webapp/WEB-INF/web.xml" ) inherits rundeck::params { if $security_roles_array_enabled { rundeck::config::securityroles { $security_roles_array: } diff --git a/manifests/config/securityroles.pp b/manifests/config/securityroles.pp index d6c8ef42f..b27dd15de 100644 --- a/manifests/config/securityroles.pp +++ b/manifests/config/securityroles.pp 
@@ -3,7 +3,7 @@ # Date : 03.06.2016 # define rundeck::config::securityroles ( - Stdlib::Absolutepath $web_xml = "${rundeck::rdeck_home}/exp/webapp/WEB-INF/web.xml" + Stdlib::Absolutepath $web_xml = "${rundeck::home_dir}/exp/webapp/WEB-INF/web.xml" ) { augeas { "rundeck/web.xml/security-role/role-name/${name}": lens => 'Xml.lns', diff --git a/manifests/init.pp b/manifests/init.pp index ba622e04a..f36beb772 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -1,11 +1,11 @@ # @summary Class to manage installation and configuration of Rundeck. # -# @param acl_policies +# @param admin_policies # Admin acl policies. # @param acl_template # The template used for admin acl policy. Default is rundeck/aclpolicy.erb. # @param api_policies -# apitoken acl policies. +# Apitoken acl policies. # @param auth_config # Authentication configuration. # @param auth_template @@ -77,8 +77,8 @@ # The log4j logging level to be set for the Rundeck application. # @param rdeck_config_template # Allows you to override the rundeck-config template. -# @param rdeck_home -# Directory under which the projects directories live. +# @param home_dir +# Home/base directory under which rundeck is installed. # @param manage_home # Whether to manage rundeck home dir. Defaults to true. # @param rdeck_profile_template @@ -138,7 +138,7 @@ # https://docs.rundeck.com/docs/administration/configuration/plugins/configuring.html#storage-converter-plugins # class rundeck ( - Array[Hash] $acl_policies, + Array[Hash] $admin_policies, Hash $framework_config, Array[Hash] $auth_config, Hash $database_config, 
@@ -172,8 +172,6 @@ Rundeck::Loglevel $rd_loglevel = 'INFO', Rundeck::Loglevel $rd_auditlevel = 'INFO', String $rdeck_config_template = 'rundeck/rundeck-config.epp', - Stdlib::Absolutepath $rdeck_home = '/var/lib/rundeck', - Boolean $manage_home = true, Optional[String] $rdeck_profile_template = undef, String $rdeck_override_template = 'rundeck/profile_overrides.erb', String $realm_template = 'rundeck/realm.properties.epp', @@ -205,7 +203,7 @@ Stdlib::Absolutepath $service_logs_dir = '/var/log/rundeck', Optional[String] $service_config = undef, Optional[String] $service_script = undef, - # Project management + # Project config Hash $projects = {}, String $projects_description = '', String $projects_organization = '', @@ -223,12 +221,15 @@ Integer $url_timeout = 30, Boolean $script_args_quoted = true, Stdlib::Absolutepath $script_interpreter = '/bin/bash', + # Home config + Stdlib::Absolutepath $home_dir = '/var/lib/rundeck', + Boolean $manage_home = true, ) { - validate_rd_policy($acl_policies) + validate_rd_policy($admin_policies) validate_rd_policy($api_policies) contain rundeck::install - # contain rundeck::config + contain rundeck::config contain rundeck::service # Class['rundeck::install'] diff --git a/templates/jaas-auth.conf.epp b/templates/jaas-auth.conf.epp index 15cbf47c0..5fc63ead1 100644 --- a/templates/jaas-auth.conf.epp +++ b/templates/jaas-auth.conf.epp 
@@ -1,12 +1,12 @@ authentication { <%- $rundeck::config::auth_config.each |$_type| { -%> - <%- if 'ldap' in $type or 'ldap_shared' in $type { -%> + <%- if $_type in ['ldap', 'ldap_shared'] { -%> <%= epp('rundeck/_auth_ldap.epp') %> - <%- } elsif 'active_directory' in $type or 'active_directory_shared' in $type { -%> + <%- } elsif ['active_directory', 'active_directory_shared'] { -%> <%= epp('rundeck/_auth_ad.epp') %> - <%- } elsif 'pam' in $type { -%> + <%- } elsif $_type == 'pam' { -%> <%= epp('rundeck/_auth_pam.epp') %> - <%- } elsif 'file' in $type { -%> + <%- } elsif $_type == 'file' { -%> <%= epp('rundeck/_auth_file.epp') %> <%- } -%> <%- } -%> From 424d4524183e41221df657a79f0416bd9a501599 Mon Sep 17 00:00:00 2001 From: Joris29 Date: Thu, 16 Nov 2023 07:48:55 +0100 Subject: [PATCH 08/82] Add defaults --- manifests/init.pp | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/manifests/init.pp b/manifests/init.pp index f36beb772..8c6f08659 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -7,7 +7,7 @@ # @param api_policies # Apitoken acl policies. # @param auth_config -# Authentication configuration. +# Authentication configuration. Default value is located in data/defaults.yaml. # @param auth_template # The template used for authentication config. Default is rundeck/jaas-auth.conf.epp. # @param clustermode_enabled @@ -22,6 +22,7 @@ # Add keys to file keystorage. # @param framework_config # Hash of properties for configuring the [Rundeck Framework](https://docs.rundeck.com/docs/administration/configuration/config-file-reference.html#framework-properties) +# Default value is located in data/defaults.yaml. # @param grails_server_url # Sets `grails.serverURL` so that Rundeck knows its external address. # @param gui_config @@ -139,8 +140,6 @@ # class rundeck ( Array[Hash] $admin_policies, - Hash $framework_config, - Array[Hash] $auth_config, Hash $database_config, Array[Hash] $key_storage_config, Hash $security_config, 
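Review bot: `<%- } elsif ['active_directory', 'active_directory_shared'] { -%>` tests a non-empty array literal, which is always true in Puppet, so every type that is not ldap/ldap_shared — including pam and file — renders the AD login module and never reaches its own branch; it should read `<%- } elsif $_type in ['active_directory', 'active_directory_shared'] { -%>`. The loop variable also needs attention: in this series `auth_config` is an array of `{type =>, config =>}` hashes (see the data/defaults.yaml hunk earlier), so `$_type in ['ldap', 'ldap_shared']` compares a whole hash against strings and never matches; iterate `$_entry['type']` instead. Because the result is the JAAS configuration, rendering the wrong module is an authentication fault rather than a cosmetic one, and a template unit test that renders each type and asserts the module name would catch both problems.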
@@ -153,7 +152,12 @@ String $package_ensure = 'installed', String $acl_template = 'rundeck/aclpolicy.erb', Array[Hash] $api_policies = [], + + Hash $framework_config = {}, + + Array[Hash] $auth_config = [], String $auth_template = 'rundeck/jaas-auth.conf.epp', + Boolean $clustermode_enabled = false, Enum['active', 'passive'] $execution_mode = 'active', Hash $file_keystorage_keys = {}, From c734e6c5269256ac4206eb28def9a41065b4dc2c Mon Sep 17 00:00:00 2001 From: Joris29 Date: Thu, 16 Nov 2023 09:29:59 +0100 Subject: [PATCH 09/82] Refactor config --- data/{defaults.yaml => common.yaml} | 14 +- hiera.yaml | 8 +- manifests/config.pp | 214 +++++++++------------------- manifests/init.pp | 8 +- manifests/install.pp | 32 ++--- manifests/service.pp | 2 + templates/jaas-auth.conf.epp | 2 +- templates/realm.properties.epp | 19 ++- 8 files changed, 109 insertions(+), 190 deletions(-) rename data/{defaults.yaml => common.yaml} (94%) diff --git a/data/defaults.yaml b/data/common.yaml similarity index 94% rename from data/defaults.yaml rename to data/common.yaml index 851b8d708..6b03b8764 100644 --- a/data/defaults.yaml +++ b/data/common.yaml @@ -30,6 +30,13 @@ rundeck::admin_policies: - group: - 'admin' +rundeck::auth_config: + file: + admin_user: 'admin' + admin_password: 'admin' + auth_users: {} + realm_file: '/etc/rundeck/realm.properties' + rundeck::framework_config: framework.server.name: "%{facts.networking.fqdn}" framework.server.hostname: "%{facts.networking.hostname}" @@ -49,13 +56,6 @@ rundeck::framework_config: rundeck::file_keystorage_dir: "%{lookup('rundeck::framework_config.framework.var.dir')}/storage" -rundeck::auth_config: - - type: 'file' - config: - admin_user: 'admin' - admin_password: 'admin' - auth_users: {} - rundeck::security_config: useHMacRequestTokens: true apiCookieAccess: true diff --git a/hiera.yaml b/hiera.yaml index be2f64947..d3634ee26 100644 --- a/hiera.yaml +++ b/hiera.yaml 
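Review bot: `rundeck::auth_config` in data/common.yaml now ships a working `admin_user: 'admin'` / `admin_password: 'admin'` pair that, per the realm template in this series, is written verbatim into realm.properties, so a node that applies the module without a Hiera override ends up with a well-known administrator login. Prefer no password default at all — drop `admin_password` from the shipped data and have rundeck::config `fail('rundeck::auth_config.file.admin_password must be set')` when `file` auth is enabled without one — or at minimum document on the `auth_config` parameter that the value must be overridden and should be a Jetty `OBF:`/`MD5:`/`CRYPT:` form rather than clear text. `realm_file: '/etc/rundeck/realm.properties'` is added here but nothing visible in this patch reads it; the realm resource in rundeck::config still builds its path from `framework.etc.dir`, so either wire this key in or leave it out until it is used.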
@@ -1,11 +1,13 @@ --- version: 5 + defaults: datadir: 'data' data_hash: 'yaml_data' + hierarchy: - - name: 'OS family' + - name: 'Operating System Family' path: 'os/%{facts.os.family}.yaml' - - name: 'defaults' - path: 'defaults.yaml' \ No newline at end of file + - name: 'common' + path: 'common.yaml' \ No newline at end of file diff --git a/manifests/config.pp b/manifests/config.pp index 414a4b90a..69dec51e3 100644 --- a/manifests/config.pp +++ b/manifests/config.pp 
@@ -1,64 +1,12 @@ +# @api private +# # @summary This class is called from rundeck to manage the configuration. # class rundeck::config { - $admin_policies = $rundeck::admin_policies - $acl_template = $rundeck::acl_template - $api_policies = $rundeck::api_policies - $api_template = $rundeck::api_template - $auth_template = $rundeck::auth_template - $clustermode_enabled = $rundeck::clustermode_enabled - $database_config = $rundeck::database_config - $execution_mode = $rundeck::execution_mode - $file_keystorage_dir = $rundeck::file_keystorage_dir - $file_keystorage_keys = $rundeck::file_keystorage_keys - $grails_server_url = $rundeck::grails_server_url - $group = $rundeck::group - $gui_config = $rundeck::gui_config - $java_home = $rundeck::java_home - $jvm_args = $rundeck::jvm_args - $kerberos_realms = $rundeck::kerberos_realms - $key_password = $rundeck::key_password - $key_storage_config = $rundeck::key_storage_config - $keystore = $rundeck::keystore - $keystore_password = $rundeck::keystore_password - $log_properties_template = $rundeck::log_properties_template - $mail_config = $rundeck::mail_config - $manage_default_admin_policy = $rundeck::manage_default_admin_policy - $manage_default_api_policy = $rundeck::manage_default_api_policy - $overrides_dir = $rundeck::overrides_dir - $package_ensure = $rundeck::package_ensure - $preauthenticated_config = $rundeck::preauthenticated_config - $projects = $rundeck::projects - $projects_description = $rundeck::projects_description - $projects_organization = $rundeck::projects_organization - $projects_storage_type = $rundeck::projects_storage_type - $quartz_job_threadcount = $rundeck::quartz_job_threadcount - $rd_loglevel = $rundeck::rd_loglevel - $rd_auditlevel = $rundeck::rd_auditlevel - $rdeck_config_template = $rundeck::rdeck_config_template - $home_dir = $rundeck::home_dir - $manage_home = $rundeck::manage_home - $rdeck_profile_template = $rundeck::rdeck_profile_template - $rdeck_override_template = 
$rundeck::rdeck_override_template - $realm_template = $rundeck::realm_template - $rss_enabled = $rundeck::rss_enabled - $security_config = $rundeck::security_config - $security_role = $rundeck::security_role - $server_web_context = $rundeck::server_web_context - $service_logs_dir = $rundeck::service_logs_dir - $service_name = $rundeck::service_name - $service_restart = $rundeck::service_restart - $session_timeout = $rundeck::session_timeout - $ssl_enabled = $rundeck::ssl_enabled - $ssl_port = $rundeck::ssl_port - $ssl_keyfile = $rundeck::ssl_keyfile - $ssl_certfile = $rundeck::ssl_certfile - $storage_encrypt_config = $rundeck::storage_encrypt_config - $truststore = $rundeck::truststore - $truststore_password = $rundeck::truststore_password - $user = $rundeck::user - $security_roles_array_enabled = $rundeck::security_roles_array_enabled - $security_roles_array = $rundeck::security_roles_array + assert_private() + + $auth_types = $rundeck::auth_config.keys.unique + $properties_dir = $rundeck::framework_config['framework.etc.dir'] File { owner => $rundeck::user, 
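Review bot: `$properties_dir = $rundeck::framework_config['framework.etc.dir']` assumes the key is present, but `framework_config` is a plain `Hash` whose module default lives in data/common.yaml, and a site-level Hiera value replaces that hash wholesale unless a deep merge is declared; a partial override leaves `$properties_dir` undef and the file paths built from it below collapse to `/realm.properties` and `/jaas-auth.conf`. Either declare `lookup_options: { rundeck::framework_config: { merge: deep } }` in data/common.yaml, or guard here with `unless 'framework.etc.dir' in $rundeck::framework_config { fail('rundeck::framework_config must set framework.etc.dir') }`. `$auth_types = $rundeck::auth_config.keys.unique` has the same shape of risk in the other direction: every top-level key becomes an enabled login module, so a mistyped key silently enables nothing and a stray key enables a module the operator did not intend, which is worth an explicit check until the parameter type restricts the keys. The enclosing class continues past this hunk.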
@@ -66,127 +14,101 @@ mode => '0644', } - $framework_config = deep_merge(lookup('rundeck::framework_config'), $rundeck::framework_config) - $auth_config = deep_merge(lookup('rundeck::auth_config'), $rundeck::auth_config) - - $logs_dir = $framework_config['framework.logs.dir'] - $projects_dir = $framework_config['framework.projects.dir'] - $properties_dir = $framework_config['framework.etc.dir'] - $plugin_dir = $framework_config['framework.libext.dir'] - - File[$rundeck::home_dir] ~> File[$rundeck::framework_config['framework.ssh.keypath']] - - if $manage_home { - file { $home_dir: + if $rundeck::manage_home { + file { $rundeck::home_dir: ensure => directory, mode => '0755', } } - if $rundeck::sshkey_manage { - file { $framework_config['framework.ssh.keypath']: - mode => '0600', + [$rundeck::service_logs_dir, $properties_dir].each |$_path| { + file { $_path: + ensure => directory, + mode => '0755', } } - file { $rundeck::service_logs_dir: - ensure => directory, - mode => '0755', - } - - ensure_resource(file, $projects_dir, { 'ensure' => 'directory' }) - ensure_resource(file, $plugin_dir, { 'ensure' => 'directory' }) - - $auth_types = $auth_config.map |$_config| { $_config['type'] } - - notify { 'auth_types_array': - message => $auth_types, - } - - # Checking if we need to deploy realm file - # ugly, I know. 
Fix it if you know better way to do that - # - if 'file' in $auth_types or 'ldap_shared' in $auth_types or 'active_directory_shared' in $auth_types { - $_deploy_realm = true - } else { - $_deploy_realm = false - } - - if $_deploy_realm { + if any(['file', 'ldap_shared', 'active_directory_shared']) |$_type| { + $_type in $auth_types + } { file { "${properties_dir}/realm.properties": - content => template($realm_template), + content => Sensitive(epp($rundeck::realm_template, { auth_config => $rundeck::auth_config })), require => File[$properties_dir], } + } else { + file { "${properties_dir}/realm.properties": + ensure => absent, + } } - if 'file' in $auth_types { - $active_directory_auth_flag = 'sufficient' - $ldap_auth_flag = 'sufficient' - } else { - if 'active_directory' in $auth_types { + case $auth_types { + 'file': { + $active_directory_auth_flag = 'sufficient' + $ldap_auth_flag = 'sufficient' + } + 'active_directory': { $active_directory_auth_flag = 'required' $ldap_auth_flag = 'sufficient' + $ldap_login_module = 'JettyCachingLdapLoginModule' } - elsif 'active_directory_shared' in $auth_types { + 'active_directory_shared': { $active_directory_auth_flag = 'requisite' $ldap_auth_flag = 'sufficient' + $ldap_login_module = 'JettyCombinedLdapLoginModule' } - elsif 'ldap_shared' in $auth_types { + 'ldap_shared': { $ldap_auth_flag = 'requisite' + $ldap_login_module = 'JettyCombinedLdapLoginModule' } - elsif 'ldap' in $auth_types { + 'ldap': { $ldap_auth_flag = 'required' + $ldap_login_module = 'JettyCachingLdapLoginModule' } + default: {} } - if 'active_directory' in $auth_types or 'ldap' in $auth_types { - $ldap_login_module = 'JettyCachingLdapLoginModule' - } - elsif 'active_directory_shared' in $auth_types or 'ldap_shared' in $auth_types { - $ldap_login_module = 'JettyCombinedLdapLoginModule' - } file { "${properties_dir}/jaas-auth.conf": - content => epp($auth_template), + content => epp($rundeck::auth_template, { auth_config => $rundeck::auth_config }), require 
=> File[$properties_dir], } - file { "${properties_dir}/log4j.properties": - content => template($log_properties_template), - require => File[$properties_dir], - } + # file { "${properties_dir}/log4j.properties": + # content => template($rundeck::log_properties_template), + # require => File[$properties_dir], + # } - if $manage_default_admin_policy { - rundeck::config::aclpolicyfile { 'admin': - acl_policies => $admin_policies, - owner => $user, - group => $group, - properties_dir => $properties_dir, - template_file => $acl_template, - } - } + # if $rundeck::manage_default_admin_policy { + # rundeck::config::aclpolicyfile { 'admin': + # acl_policies => $rundeck::admin_policies, + # owner => $rundeck::user, + # group => $rundeck::group, + # properties_dir => $properties_dir, + # template_file => $rundeck::acl_template, + # } + # } - if $manage_default_api_policy { - rundeck::config::aclpolicyfile { 'apitoken': - acl_policies => $api_policies, - owner => $user, - group => $group, - properties_dir => $properties_dir, - template_file => $api_template, - } - } + # if $rundeck::manage_default_api_policy { + # rundeck::config::aclpolicyfile { 'apitoken': + # acl_policies => $rundeck::api_policies, + # owner => $rundeck::user, + # group => $rundeck::group, + # properties_dir => $properties_dir, + # template_file => $rundeck::acl_template, + # } + # } - if ($rdeck_profile_template) { - file { "${properties_dir}/profile": - content => template($rdeck_profile_template), - require => File[$properties_dir], - } - } + # if ($rundeck::rdeck_profile_template) { + # file { "${properties_dir}/profile": + # content => template($rundeck::rdeck_profile_template), + # require => File[$properties_dir], + # } + # } - if ($rdeck_override_template) { - file { "${overrides_dir}/${service_name}": - content => template($rdeck_override_template), - } - } + # if ($rundeck::rdeck_override_template) { + # file { "${rundeck::overrides_dir}/${rundeck::service_name}": + # content => 
template($rundeck::rdeck_override_template), + # } + # } # contain rundeck::config::global::framework # contain rundeck::config::global::project diff --git a/manifests/init.pp b/manifests/init.pp index 8c6f08659..b28c799b5 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -7,7 +7,7 @@ # @param api_policies # Apitoken acl policies. # @param auth_config -# Authentication configuration. Default value is located in data/defaults.yaml. +# Authentication configuration. Default value is located in data/common.yaml. # @param auth_template # The template used for authentication config. Default is rundeck/jaas-auth.conf.epp. # @param clustermode_enabled @@ -22,7 +22,6 @@ # Add keys to file keystorage. # @param framework_config # Hash of properties for configuring the [Rundeck Framework](https://docs.rundeck.com/docs/administration/configuration/config-file-reference.html#framework-properties) -# Default value is located in data/defaults.yaml. # @param grails_server_url # Sets `grails.serverURL` so that Rundeck knows its external address. # @param gui_config @@ -43,8 +42,6 @@ # The template used for log properties. Default is rundeck/log4j.properties.erb. # @param mail_config # A hash of the notification email configuraton. -# @param sshkey_manage -# Should this module manage the sshkey used by rundeck at all. # @param key_password # The ssl key password. # @param ssl_keyfile @@ -140,6 +137,7 @@ # class rundeck ( Array[Hash] $admin_policies, + Hash $auth_config, Hash $database_config, Array[Hash] $key_storage_config, Hash $security_config, @@ -155,7 +153,6 @@ Hash $framework_config = {}, - Array[Hash] $auth_config = [], String $auth_template = 'rundeck/jaas-auth.conf.epp', Boolean $clustermode_enabled = false, 
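Review bot: The realm.properties and jaas-auth.conf resources in this hunk set no `mode`, so they inherit the class default `mode => '0644'` shown as context at the top of the hunk and become world-readable even though realm.properties is wrapped in `Sensitive(...)`; Sensitive keeps the content out of the catalog and reports, not off disk. Add `mode => '0640',` to both file resources, and wrap the jaas-auth.conf content in `Sensitive(epp(...))` too, since an LDAP or AD entry in `auth_config` would carry a bind password (the ldap/ad partial templates are not in this diff, so confirm). `case $auth_types { 'file': ... }` compares the whole array against string literals, so no branch matches and `$ldap_auth_flag`/`$ldap_login_module` are never set; it needs per-element checks such as `if 'file' in $auth_types`, which is what the code it replaces did. Dropping the `file { $framework_config['framework.ssh.keypath']: mode => '0600' }` resource together with `sshkey_manage` also means the module no longer enforces permissions on the rundeck SSH private key.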
@@ -169,7 +166,6 @@ Stdlib::Absolutepath $keystore = '/etc/rundeck/ssl/keystore', String $log_properties_template = 'rundeck/log4j.properties.erb', Hash $mail_config = {}, - Boolean $sshkey_manage = true, Boolean $manage_default_admin_policy = true, Boolean $manage_default_api_policy = true, diff --git a/manifests/install.pp b/manifests/install.pp index b8e0210da..2fce99f77 100644 --- a/manifests/install.pp +++ b/manifests/install.pp @@ -1,3 +1,5 @@ +# @api private +# # @summary This class is called from rundeck for install. # class rundeck::install { @@ -34,24 +36,20 @@ } } - if $rundeck::manage_repo { - $rundeck::repo_config.each() | String $_resource_type, Hash $_resources | { - if downcase($_resource_type) == 'apt::source' { - Class['Apt::Update'] -> Package['rundeck'] + case $facts['os']['family'] { + /RedHat|Debian/: { + if $rundeck::manage_repo { + $rundeck::repo_config.each() | String $_resource_type, Hash $_resources | { + if downcase($_resource_type) == 'apt::source' { + Class['Apt::Update'] -> Package['rundeck'] + } + create_resources($_resource_type, $_resources, { 'before' => Package['rundeck'] }) + } } - create_resources($_resource_type, $_resources, { 'before' => Package['rundeck'] }) + ensure_packages(['rundeck'], { 'ensure' => $rundeck::package_ensure, notify => Class['rundeck::service'] }) + } + default: { + err("The osfamily: ${facts['os']['family']} is not supported") } - } - - ensure_packages(['rundeck'], { 'ensure' => $rundeck::package_ensure, notify => Class['rundeck::service'] }) - - # Leave this one here, to avoid notifying service when permissions change - file { '/var/rundeck': - ensure => directory, - owner => $rundeck::user, - group => $rundeck::group, - mode => '0640', - recurse => true, - require => Package['rundeck'], } } diff --git a/manifests/service.pp b/manifests/service.pp index 1f159105c..1cd40b847 100644 --- a/manifests/service.pp +++ b/manifests/service.pp 
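Review bot: `err("The osfamily: ${facts['os']['family']} is not supported")` only logs a message, so on an unsupported OS family the catalog still compiles without `Package['rundeck']` while rundeck::config and rundeck::service (both contained from init.pp) go on to write configuration for, and act on, a package that was never installed; use `fail("The osfamily: ${facts['os']['family']} is not supported")` so compilation stops there. With the `/var/rundeck` resource gone, nothing in this class asserts ownership or mode on that directory any more; if the package does not create it with the intended permissions, a follow-up should manage it explicitly rather than rely on the package default.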
@@ -1,3 +1,5 @@ +# @api private +# # @summary This class is called from rundeck to manage service. # class rundeck::service { diff --git a/templates/jaas-auth.conf.epp b/templates/jaas-auth.conf.epp index 5fc63ead1..4b04d985c 100644 --- a/templates/jaas-auth.conf.epp +++ b/templates/jaas-auth.conf.epp @@ -1,5 +1,5 @@ authentication { -<%- $rundeck::config::auth_config.each |$_type| { -%> +<%- $auth_config.each |$_type| { -%> <%- if $_type in ['ldap', 'ldap_shared'] { -%> <%= epp('rundeck/_auth_ldap.epp') %> <%- } elsif ['active_directory', 'active_directory_shared'] { -%> diff --git a/templates/realm.properties.epp b/templates/realm.properties.epp index ed42cac84..160d37c27 100644 --- a/templates/realm.properties.epp +++ b/templates/realm.properties.epp @@ -4,7 +4,7 @@ # The format is # : [, ...] # -# Passwords may be clear text, obfuscated or checksummed. The class +# Passwords may be clear text, obfuscated or checksummed. The class # org.mortbay.util.Password should be used to generate obfuscated # passwords or password checksums # 
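Review bot: `$auth_config.each |$_type| { ... }` now iterates a Hash (the parameter became `Hash $auth_config` in this patch), so a one-parameter lambda receives a `[key, value]` pair and `$_type in ['ldap', 'ldap_shared']` can never match; iterate the keys with `<%- $auth_config.keys.each |$_type| { -%>` or destructure with `|$_type, $_cfg|`. The always-true `elsif ['active_directory', 'active_directory_shared']` context line remains and still needs `$_type in` in front of the list. Since the template now depends on a caller-supplied variable, declaring it at the top with `<%- | Hash $auth_config | -%>` makes the contract explicit and lets Puppet reject a missing or mistyped argument at render time.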
@@ -18,14 +18,13 @@ #user: password # This entry is for digest auth. The credential is a MD5 hash of username:realmname:password #digest: MD5:6e120743ad67abfbc385bc2bb754e297 -#.fetch('password', '-') -%> #['password'] -%> #lookup($x['password'],'-') # # This sets the default user accounts for the Rundeck app # -<%= $rundeck::config::auth_config['file']['admin_user'] %>:<%= $rundeck::config::auth_config['file']['admin_password'] %>,user,admin,architect,deploy,build -<%- if $rundeck::config::auth_config['file']['auth_users'] { -%> - <%- if is_array($rundeck::config::auth_config['file']['auth_users']) { -%> - <%- $rundeck::config::auth_config['file']['auth_users'].each |$x| { -%> +<%= $auth_config['file']['admin_user'] %>:<%= $auth_config['file']['admin_password'] %>,user,admin,architect,deploy,build +<%- if $auth_config['file']['auth_users'] { -%> + <%- if is_array($auth_config['file']['auth_users']) { -%> + <%- $auth_config['file']['auth_users'].each |$x| { -%> <%- if $x['username'] { -%> <%= $x['username'] -%>:<%= get('x.password', '-') -%> <%- if $x['roles'] {-%> 
@@ -34,10 +33,10 @@ <%- } -%> <%- } -%> <%- } else { -%> - <%- if $rundeck::config::auth_config['file']['auth_users']['username'] and $rundeck::config::auth_config['file']['auth_users']['password'] { -%> - <%= $rundeck::config::auth_config['file']['auth_users']['username'] -%>:<%= $rundeck::config::auth_config['file']['auth_users']['password'] -%> - <%- if $rundeck::config::auth_config['file']['auth_users']['roles'] { -%> - <%- $rundeck::config::auth_config['file']['auth_users']['roles'].each |$v| {-%>,<%=$v -%><%- } %> + <%- if $auth_config['file']['auth_users']['username'] and $auth_config['file']['auth_users']['password'] { -%> + <%= $auth_config['file']['auth_users']['username'] -%>:<%= $auth_config['file']['auth_users']['password'] -%> + <%- if $auth_config['file']['auth_users']['roles'] { -%> + <%- $auth_config['file']['auth_users']['roles'].each |$v| {-%>,<%=$v -%><%- } %> <%- } -%> <%- } -%> <%- } -%> From fa17e12ab03ada627db723fe1e424bb510e684e9 Mon Sep 17 00:00:00 2001 From: Joris29 Date: Fri, 17 Nov 2023 08:03:36 +0100 Subject: [PATCH 10/82] Add authconfig type --- manifests/init.pp | 2 +- types/authconfig.pp | 6 ++++++ 2 files changed, 7 insertions(+), 1 deletion(-) create mode 100644 types/authconfig.pp diff --git a/manifests/init.pp b/manifests/init.pp index b28c799b5..942c8ae4d 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -137,7 +137,7 @@ # class rundeck ( Array[Hash] $admin_policies, - Hash $auth_config, + Rundeck::Authconfig $auth_config, Hash $database_config, Array[Hash] $key_storage_config, Hash $security_config, diff --git a/types/authconfig.pp b/types/authconfig.pp new file mode 100644 index 000000000..ad61301bc --- /dev/null +++ b/types/authconfig.pp @@ -0,0 +1,6 @@ +# Rundeck log level type. +type Rundeck::Authconfig = Struct[{ + Optional['file'] => Hash[String, Data], + Optional['ldap'] => Hash[String, Data], + Optional['active_directory'] => Hash[String, Data], +}] 
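Review bot: `<%= $auth_config['file']['admin_user'] %>:<%= $auth_config['file']['admin_password'] %>` and the per-user lines emit whatever value sits in Hiera verbatim, so passwords land in clear text in realm.properties; the file's own header says Jetty accepts `OBF:`, `MD5:` and `CRYPT:` forms, so the `auth_config` parameter documentation (and the example data) should state that `admin_password` and each `password` are expected to be pre-hashed rather than plain. `<%= get('x.password', '-') -%>` looks up a variable named `x` by string, which relies on the lambda parameter being reachable by name and reads differently from the neighbouring `$x['username']`; `<%= pick($x['password'], '-') -%>` says the same thing directly. This template is rendered inside `Sensitive(...)` in rundeck::config, which protects the catalog but not the on-disk file, so the resource that writes it should carry `mode => '0640'`.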
From 15b04fce1fe5906503214b239a5289b3a301034d Mon Sep 17 00:00:00 2001 From: Joris29 Date: Fri, 17 Nov 2023 08:21:34 +0100 Subject: [PATCH 11/82] Add beter comment for type --- types/authconfig.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/types/authconfig.pp b/types/authconfig.pp index ad61301bc..12cc834bb 100644 --- a/types/authconfig.pp +++ b/types/authconfig.pp @@ -1,4 +1,4 @@ -# Rundeck log level type. +# Rundeck authentication config type. type Rundeck::Authconfig = Struct[{ Optional['file'] => Hash[String, Data], Optional['ldap'] => Hash[String, Data], From 650c46a78b0b003a8a973ebe7bb6c92640ab0470 Mon Sep 17 00:00:00 2001 From: Joris29 Date: Fri, 17 Nov 2023 08:29:14 +0100 Subject: [PATCH 12/82] Update documentation --- manifests/init.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/manifests/init.pp b/manifests/init.pp index 942c8ae4d..58d154315 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -7,7 +7,8 @@ # @param api_policies # Apitoken acl policies. # @param auth_config -# Authentication configuration. Default value is located in data/common.yaml. +# Hash of properties for configuring [Rundeck JAAS Authentication](https://docs.rundeck.com/docs/administration/security/authentication.html#jetty-and-jaas-authentication) +# Default value is located in data/common.yaml. # @param auth_template # The template used for authentication config. Default is rundeck/jaas-auth.conf.epp. # @param clustermode_enabled From e4f9056c7dd12dca20836c523a0868038c68a006 Mon Sep 17 00:00:00 2001 From: Joris29 Date: Fri, 17 Nov 2023 08:49:36 +0100 Subject: [PATCH 13/82] Update file auth --- data/common.yaml | 4 ++ manifests/config.pp | 81 +++++++++++++++++++++++------------- templates/_auth_ad.epp | 54 ++++++++++++------------ templates/_auth_file.epp | 2 +- templates/jaas-auth.conf.epp | 8 ++-- types/authconfig.pp | 3 +- 6 files changed, 89 insertions(+), 63 deletions(-) 
diff --git a/data/common.yaml b/data/common.yaml index 6b03b8764..96551da2a 100644 --- a/data/common.yaml +++ b/data/common.yaml @@ -36,6 +36,10 @@ rundeck::auth_config: admin_password: 'admin' auth_users: {} realm_file: '/etc/rundeck/realm.properties' + active_directory: + debug: true + pam: + debug: true rundeck::framework_config: framework.server.name: "%{facts.networking.fqdn}" diff --git a/manifests/config.pp b/manifests/config.pp index 69dec51e3..4f108a7f7 100644 --- a/manifests/config.pp +++ b/manifests/config.pp @@ -28,9 +28,7 @@ } } - if any(['file', 'ldap_shared', 'active_directory_shared']) |$_type| { - $_type in $auth_types - } { + if 'file' in $auth_types { file { "${properties_dir}/realm.properties": content => Sensitive(epp($rundeck::realm_template, { auth_config => $rundeck::auth_config })), require => File[$properties_dir], 
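Review bot: Adding `active_directory:` and `pam:` keys to `rundeck::auth_config` in data/common.yaml enables those login modules on every default install, because rundeck::config derives the enabled types from `$rundeck::auth_config.keys`; a fresh node would then get AD and PAM entries in its JAAS configuration with no server or service configured. The `debug: true` under each is also a shipped production default — if it maps to the JAAS module's `debug` option (the AD/PAM partial templates are not in this diff), it turns on verbose authentication logging on every node. Keep only `file` in the module data and let operators opt in to AD/PAM, and omit `debug` or default it to false. The `Rundeck::Authconfig` Struct introduced two patches earlier lists no `pam` key, so this data would fail the parameter type check unless the types/authconfig.pp change in this patch's diffstat adds it.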
@@ -41,36 +39,59 @@ } } - case $auth_types { - 'file': { - $active_directory_auth_flag = 'sufficient' - $ldap_auth_flag = 'sufficient' + $auth_types.each |$_type| { + if $_type == 'file' { + notify { 'file': + message => 'file enabled', + } + } elsif $_type == 'ldap' { + notify { 'ldap': + message => 'ldap enabled', + } + } elsif $_type == 'active_directory' { + notify { 'active_directory': + message => 'active_directory enabled', + } + } elsif $_type == 'pam' { + notify { 'pam': + message => 'pam enabled', + } + } else { + fail('Wrong auth type provided. Valid types are file, active_directory, ldap or pam') } - 'active_directory': { - $active_directory_auth_flag = 'required' - $ldap_auth_flag = 'sufficient' - $ldap_login_module = 'JettyCachingLdapLoginModule' - } - 'active_directory_shared': { - $active_directory_auth_flag = 'requisite' - $ldap_auth_flag = 'sufficient' - $ldap_login_module = 'JettyCombinedLdapLoginModule' - } - 'ldap_shared': { - $ldap_auth_flag = 'requisite' - $ldap_login_module = 'JettyCombinedLdapLoginModule' - } - 'ldap': { - $ldap_auth_flag = 'required' - $ldap_login_module = 'JettyCachingLdapLoginModule' - } - default: {} } - file { "${properties_dir}/jaas-auth.conf": - content => epp($rundeck::auth_template, { auth_config => $rundeck::auth_config }), - require => File[$properties_dir], - } + # if 'file' in $auth_types { + # $active_directory_auth_flag = 'sufficient' + # $ldap_auth_flag = 'sufficient' + # } else { + # if 'active_directory' in $auth_types { + # $active_directory_auth_flag = 'required' + # $ldap_auth_flag = 'sufficient' + # } + # elsif 'active_directory_shared' in $auth_types { + # $active_directory_auth_flag = 'requisite' + # $ldap_auth_flag = 'sufficient' + # } + # elsif 'ldap_shared' in $auth_types { + # $ldap_auth_flag = 'requisite' + # } + # elsif 'ldap' in $auth_types { + # $ldap_auth_flag = 'required' + # } + # } + + # if 'active_directory' in $auth_types or 'ldap' in $auth_types { + # $ldap_login_module = 
'JettyCachingLdapLoginModule' + # } + # elsif 'active_directory_shared' in $auth_types or 'ldap_shared' in $auth_types { + # $ldap_login_module = 'JettyCombinedLdapLoginModule' + # } + + # file { "${properties_dir}/jaas-auth.conf": + # content => epp($rundeck::auth_template, { auth_config => $rundeck::auth_config }), + # require => File[$properties_dir], + # } # file { "${properties_dir}/log4j.properties": # content => template($rundeck::log_properties_template), diff --git a/templates/_auth_ad.epp b/templates/_auth_ad.epp index e66bb68f9..9f3a56df9 100644 --- a/templates/_auth_ad.epp +++ b/templates/_auth_ad.epp 
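Review bot: The `file { "${properties_dir}/jaas-auth.conf": ... }` resource is commented out, so after this commit the JAAS configuration is no longer managed at all, while the `case` that set `$ldap_login_module`, `$ldap_auth_flag` and `$active_directory_auth_flag` is removed in the same hunk; templates/_auth_ad.epp in this commit still opens with `com.dtolabs.rundeck.jetty.jaas.<%= $rundeck::config::ldap_login_module %> <%= $rundeck::config::active_directory_auth_flag -%>`, so re-enabling the resource will fail under strict variables (or render an empty module name) until those variables are set again. The `notify` resources in the new `each` loop emit a message on every agent run and read as debugging scaffolding; the membership check they wrap belongs in the `Rundeck::Authconfig` type rather than in a loop ending in `fail()`. The enclosing class continues outside the hunk.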
@@ -1,40 +1,40 @@ com.dtolabs.rundeck.jetty.jaas.<%= $rundeck::config::ldap_login_module %> <%= $rundeck::config::active_directory_auth_flag -%> debug="true" contextFactory="com.sun.jndi.ldap.LdapCtxFactory" -<%- if $rundeck::config::auth_config['active_directory']['url'] {-%> - providerUrl="<%= $rundeck::config::auth_config['active_directory']['url'] %>" +<%- if $auth_config['active_directory']['url'] {-%> + providerUrl="<%= $auth_config['active_directory']['url'] %>" <%-} else {-%> - providerUrl="ldap://<%= $rundeck::config::auth_config['active_directory']['server'] %>:<%= $rundeck::config::auth_config['active_directory']['port'] %>" + providerUrl="ldap://<%= $auth_config['active_directory']['server'] %>:<%= $auth_config['active_directory']['port'] %>" <%-}-%> authenticationMethod="simple" - forceBindingLogin="<%= $rundeck::config::auth_config['active_directory']['force_binding'] %>" - <%- if $rundeck::config::auth_config['active_directory']['bind_dn'] { -%> - forceBindingLoginUseRootContextForRoles="<%= $rundeck::config::auth_config['active_directory']['force_binding_use_root'] %>" - bindDn="<%= $rundeck::config::auth_config['active_directory']['bind_dn']%>" + forceBindingLogin="<%= $auth_config['active_directory']['force_binding'] %>" + <%- if $auth_config['active_directory']['bind_dn'] { -%> + forceBindingLoginUseRootContextForRoles="<%= $auth_config['active_directory']['force_binding_use_root'] %>" + bindDn="<%= $auth_config['active_directory']['bind_dn']%>" <%- } -%> - <%- if $rundeck::config::auth_config['active_directory']['bind_password'] { -%> - bindPassword="<%= $rundeck::config::auth_config['active_directory']['bind_password']%>" + <%- if $auth_config['active_directory']['bind_password'] { -%> + bindPassword="<%= $auth_config['active_directory']['bind_password']%>" <%- } -%> - userBaseDn="<%= $rundeck::config::auth_config['active_directory']['user_base_dn'] %>" - userRdnAttribute="<%= 
$rundeck::config::auth_config['active_directory']['user_rdn_attribute'] %>" - userIdAttribute="<%= $rundeck::config::auth_config['active_directory']['user_id_attribute'] %>" - userPasswordAttribute="<%= $rundeck::config::auth_config['active_directory']['user_password_attribute'] %>" + userBaseDn="<%= $auth_config['active_directory']['user_base_dn'] %>" + userRdnAttribute="<%= $auth_config['active_directory']['user_rdn_attribute'] %>" + userIdAttribute="<%= $auth_config['active_directory']['user_id_attribute'] %>" + userPasswordAttribute="<%= $auth_config['active_directory']['user_password_attribute'] %>" <%- if $rundeck::config::security_config['syncLdapUser'] == true {-%> - userFirstNameAttribute="<%= $rundeck::config::auth_config['active_directory']['sync_first_name_attribute'] %>" - userLastNameAttribute="<%= $rundeck::config::auth_config['active_directory']['sync_last_name_attribute'] %>" - userEmailAttribute="<%= $rundeck::config::auth_config['active_directory']['sync_email_attribute'] %>" + userFirstNameAttribute="<%= $auth_config['active_directory']['sync_first_name_attribute'] %>" + userLastNameAttribute="<%= $auth_config['active_directory']['sync_last_name_attribute'] %>" + userEmailAttribute="<%= $auth_config['active_directory']['sync_email_attribute'] %>" <%- } -%> - userObjectClass="<%= $rundeck::config::auth_config['active_directory']['user_object_class'] %>" - roleBaseDn="<%= $rundeck::config::auth_config['active_directory']['role_base_dn'] %>" - roleNameAttribute="<%= $rundeck::config::auth_config['active_directory']['role_name_attribute'] %>" - roleMemberAttribute="<%= $rundeck::config::auth_config['active_directory']['role_member_attribute'] %>" - roleObjectClass="<%= $rundeck::config::auth_config['active_directory']['role_object_class'] %>" - <%- if $rundeck::config::auth_config['active_directory']['role_prefix'] { -%> - rolePrefix="<%= $rundeck::config::auth_config['active_directory']['role_prefix'] %>" + userObjectClass="<%= 
$auth_config['active_directory']['user_object_class'] %>" + roleBaseDn="<%= $auth_config['active_directory']['role_base_dn'] %>" + roleNameAttribute="<%= $auth_config['active_directory']['role_name_attribute'] %>" + roleMemberAttribute="<%= $auth_config['active_directory']['role_member_attribute'] %>" + roleObjectClass="<%= $auth_config['active_directory']['role_object_class'] %>" + <%- if $auth_config['active_directory']['role_prefix'] { -%> + rolePrefix="<%= $auth_config['active_directory']['role_prefix'] %>" <%- } -%> - <%- if $rundeck::config::auth_config['active_directory']['supplemental_roles'] { -%> - supplementalRoles="<%= $rundeck::config::auth_config['active_directory']['supplemental_roles'] %>" + <%- if $auth_config['active_directory']['supplemental_roles'] { -%> + supplementalRoles="<%= $auth_config['active_directory']['supplemental_roles'] %>" <%- } -%> cacheDurationMillis="300000" reportStatistics="true" @@ -45,11 +45,11 @@ com.dtolabs.rundeck.jetty.jaas.<%= $rundeck::config::ldap_login_module %> <%= $r useFirstPass="false" tryFirstPass="false" <%- } -%> - nestedGroups="<%= $rundeck::config::auth_config['active_directory']['nested_groups'] %>"; + nestedGroups="<%= $auth_config['active_directory']['nested_groups'] %>"; <%- if $rundeck::config::ldap_login_module == 'JettyCombinedLdapLoginModule' { -%> org.rundeck.jaas.jetty.JettyRolePropertyFileLoginModule required debug="true" useFirstPass="true" - file="<%= $rundeck::config::auth_config['file']['file'] %>"; + file="<%= $auth_config['file']['realm_file'] %>"; <%- } -%> diff --git a/templates/_auth_file.epp b/templates/_auth_file.epp index dfdeaea90..1de36dc88 100644 --- a/templates/_auth_file.epp +++ b/templates/_auth_file.epp @@ -1,3 +1,3 @@ org.eclipse.jetty.jaas.spi.PropertyFileLoginModule sufficient debug="true" - file="<%= $rundeck::config::auth_config['file']['file'] %>"; + file="<%= $rundeck::config::auth_config['file']['realm_file'] %>"; 
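Review bot: `_auth_file.epp` and the Combined branch of `_auth_ad.epp` now read `$auth_config['file']['realm_file']`, but templates/_auth_ldap.epp is not touched by this commit and still renders `file="<%= $rundeck::config::auth_config['file']['file'] %>";` for the same `JettyRolePropertyFileLoginModule`, so an ldap+file setup would emit an empty `file=""`. The realm path should be read from a single key in all three templates; the next commit renames it again to `jaas_config: file:` in data/common.yaml, which would leave the `realm_file` lookup in `_auth_ad.epp` stale as well. The first `_auth_ad.epp` hunk begins on an earlier line; its header is not visible here.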
diff --git a/templates/jaas-auth.conf.epp b/templates/jaas-auth.conf.epp
index 4b04d985c..baeaf4d87 100644
--- a/templates/jaas-auth.conf.epp
+++ b/templates/jaas-auth.conf.epp
@@ -1,13 +1,13 @@
authentication {
<%- $auth_config.each |$_type| { -%>
<%- if $_type in ['ldap', 'ldap_shared'] { -%>
- <%= epp('rundeck/_auth_ldap.epp') %>
+ <%= epp('rundeck/_auth_ldap.epp', { auth_config => $auth_config }) %>
<%- } elsif ['active_directory', 'active_directory_shared'] { -%>
- <%= epp('rundeck/_auth_ad.epp') %>
+ <%= epp('rundeck/_auth_ad.epp', { auth_config => $auth_config }) %>
<%- } elsif $_type == 'pam' { -%>
- <%= epp('rundeck/_auth_pam.epp') %>
+ <%= epp('rundeck/_auth_pam.epp', { auth_config => $auth_config }) %>
<%- } elsif $_type == 'file' { -%>
- <%= epp('rundeck/_auth_file.epp') %>
+ <%= epp('rundeck/_auth_file.epp', { auth_config => $auth_config }) %>
<%- } -%>
<%- } -%>
};
diff --git a/types/authconfig.pp b/types/authconfig.pp
index 12cc834bb..36e09e465 100644
--- a/types/authconfig.pp
+++ b/types/authconfig.pp
@@ -1,6 +1,7 @@
# Rundeck authentication config type.
type Rundeck::Authconfig = Struct[{
+ Optional['active_directory'] => Hash[String, Data],
Optional['file'] => Hash[String, Data],
Optional['ldap'] => Hash[String, Data],
- Optional['active_directory'] => Hash[String, Data],
+ Optional['pam'] => Hash[String, Data],
}]
From 7f76cae5d1db84afc0bea04b1287c6ba982a786a Mon Sep 17 00:00:00 2001
From: Joris29
Date: Fri, 17 Nov 2023 12:35:27 +0100
Subject: [PATCH 14/82] Update templates and auth_config
---
data/common.yaml | 16 ++++-----
manifests/config.pp | 59 +++++----------------------------
templates/_auth_file.epp | 11 +++++--
templates/jaas-auth.conf.epp | 9 +++---
templates/realm.properties.epp | 18 +++++------
types/authconfig.pp | 1 -
6 files changed, 37 insertions(+), 77 deletions(-)
diff --git a/data/common.yaml b/data/common.yaml
index 96551da2a..501816a3b 100644
--- a/data/common.yaml
+++ b/data/common.yaml
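Review bot: `$auth_config.each |$_type|` iterates a Hash with a single block parameter, so `$_type` is a `[key, value]` pair and neither `$_type in ['ldap', 'ldap_shared']` nor the `$_type == 'pam'` / `'file'` comparisons can ever match; the second branch, `<%- } elsif ['active_directory', 'active_directory_shared'] { -%>`, is a bare array literal that is always true, so every configured backend renders `_auth_ad.epp`. The loop should be `<%- $auth_config.keys.each |$_type| { -%>` and the branch `<%- } elsif $_type in ['active_directory', 'active_directory_shared'] { -%>`. The same single-parameter loop survives in the next commit's hunk of this template ("Update templates and auth_config"), where the added `type = "<%= $_type -%>"` line would additionally print the pair into the JAAS file.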
@@ -32,14 +32,14 @@ rundeck::admin_policies:
rundeck::auth_config:
file:
- admin_user: 'admin'
- admin_password: 'admin'
- auth_users: {}
- realm_file: '/etc/rundeck/realm.properties'
- active_directory:
- debug: true
- pam:
- debug: true
+ auth_flag: 'required'
+ jaas_config:
+ debug: true
+ file: '/etc/rundeck/realm.properties'
+ realm_config:
+ admin_user: 'admin'
+ admin_password: 'admin'
+ auth_users: {}
rundeck::framework_config:
framework.server.name: "%{facts.networking.fqdn}"
diff --git a/manifests/config.pp b/manifests/config.pp
index 4f108a7f7..0ead2b11b 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -39,59 +39,16 @@
}
}
- $auth_types.each |$_type| {
- if $_type == 'file' {
- notify { 'file':
- message => 'file enabled',
- }
- } elsif $_type == 'ldap' {
- notify { 'ldap':
- message => 'ldap enabled',
- }
- } elsif $_type == 'active_directory' {
- notify { 'active_directory':
- message => 'active_directory enabled',
- }
- } elsif $_type == 'pam' {
- notify { 'pam':
- message => 'pam enabled',
- }
- } else {
- fail('Wrong auth type provided. Valid types are file, active_directory, ldap or pam')
- }
+ if 'file' in $auth_types and 'ldap' in $auth_types {
+ $ldap_login_module = 'JettyCombinedLdapLoginModule'
+ } else {
+ $ldap_login_module = 'JettyCachingLdapLoginModule'
}
- # if 'file' in $auth_types {
- # $active_directory_auth_flag = 'sufficient'
- # $ldap_auth_flag = 'sufficient'
- # } else {
- # if 'active_directory' in $auth_types {
- # $active_directory_auth_flag = 'required'
- # $ldap_auth_flag = 'sufficient'
- # }
- # elsif 'active_directory_shared' in $auth_types {
- # $active_directory_auth_flag = 'requisite'
- # $ldap_auth_flag = 'sufficient'
- # }
- # elsif 'ldap_shared' in $auth_types {
- # $ldap_auth_flag = 'requisite'
- # }
- # elsif 'ldap' in $auth_types {
- # $ldap_auth_flag = 'required'
- # }
- # }
-
- # if 'active_directory' in $auth_types or 'ldap' in $auth_types {
- # $ldap_login_module = 'JettyCachingLdapLoginModule'
- # }
- # elsif 'active_directory_shared' in $auth_types or 'ldap_shared' in $auth_types {
- # $ldap_login_module = 'JettyCombinedLdapLoginModule'
- # }
-
- # file { "${properties_dir}/jaas-auth.conf":
- # content => epp($rundeck::auth_template, { auth_config => $rundeck::auth_config }),
- # require => File[$properties_dir],
- # }
+ file { "${properties_dir}/jaas-auth.conf":
+ content => epp($rundeck::auth_template, { auth_config => $rundeck::auth_config }),
+ require => File[$properties_dir],
+ }
# file { "${properties_dir}/log4j.properties":
# content => template($rundeck::log_properties_template),
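Review bot: The restored `jaas-auth.conf` resource writes plain `epp(...)` output with no `mode`, so it inherits the class-wide `mode => '0644'` default (visible as a removed line in the next commit's hunk of this file), although the LDAP/AD templates it renders interpolate `bind_password`; the realm.properties resource in this same class already wraps its content in `Sensitive(...)`, and this resource should match it, `content => Sensitive(epp($rundeck::auth_template, { auth_config => $rundeck::auth_config })),` with `mode => '0600',`. The new `$ldap_login_module` selection also needs a why-comment, since the Combined module is what makes `_auth_ad.epp` append a `JettyRolePropertyFileLoginModule` reading the realm file: `# Combined module chains LDAP auth with the realm file (presumably for extra roles); needs the 'file' backend`. The enclosing class continues outside the hunk.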
diff --git a/templates/_auth_file.epp b/templates/_auth_file.epp
index 1de36dc88..aac7f5215 100644
--- a/templates/_auth_file.epp
+++ b/templates/_auth_file.epp
@@ -1,3 +1,8 @@
-org.eclipse.jetty.jaas.spi.PropertyFileLoginModule sufficient
- debug="true"
- file="<%= $rundeck::config::auth_config['file']['realm_file'] %>";
+<%- if $auth_config['file']['auth_flag'] {-%>
+org.eclipse.jetty.jaas.spi.PropertyFileLoginModule <%= $auth_config['file']['auth_flag'] %>
+<%-} else {-%>
+org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required
+<%-}-%>
+<%- $auth_config['file']['jaas_config'].each |$_key, $_value| {-%>
+<%= $_key -%>="<%= $_value -%>"
+<%-}-%>;
diff --git a/templates/jaas-auth.conf.epp b/templates/jaas-auth.conf.epp
index baeaf4d87..a9a85a340 100644
--- a/templates/jaas-auth.conf.epp
+++ b/templates/jaas-auth.conf.epp
@@ -1,10 +1,9 @@
authentication {
-<%- $auth_config.each |$_type| { -%>
- <%- if $_type in ['ldap', 'ldap_shared'] { -%>
+<%- $auth_config.each |$_type| { -%>
+type = "<%= $_type -%>"
+ <%- if $_type == 'ldap' { -%>
<%= epp('rundeck/_auth_ldap.epp', { auth_config => $auth_config }) %>
- <%- } elsif ['active_directory', 'active_directory_shared'] { -%>
- <%= epp('rundeck/_auth_ad.epp', { auth_config => $auth_config }) %>
- <%- } elsif $_type == 'pam' { -%>
+ <%- } elsif $_type == 'pam' { -%>
<%= epp('rundeck/_auth_pam.epp', { auth_config => $auth_config }) %>
<%- } elsif $_type == 'file' { -%>
<%= epp('rundeck/_auth_file.epp', { auth_config => $auth_config }) %>
diff --git a/templates/realm.properties.epp b/templates/realm.properties.epp
index 160d37c27..90b01343d 100644
--- a/templates/realm.properties.epp
+++ b/templates/realm.properties.epp
@@ -21,22 +21,22 @@ # # This sets the default user accounts for the Rundeck app # -<%= $auth_config['file']['admin_user'] %>:<%= $auth_config['file']['admin_password'] %>,user,admin,architect,deploy,build -<%- if $auth_config['file']['auth_users'] { -%> - <%- if is_array($auth_config['file']['auth_users']) { -%> - <%- $auth_config['file']['auth_users'].each |$x| { -%> +<%= $auth_config['file']['realm_config']['admin_user'] %>:<%= $auth_config['file']['realm_config']['admin_password'] %>,user,admin,architect,deploy,build +<%- if $auth_config['file']['realm_config']['auth_users'] { -%> + <%- if is_array($auth_config['file']['realm_config']['auth_users']) { -%> + <%- $auth_config['file']['realm_config']['auth_users'].each |$x| { -%> <%- if $x['username'] { -%> - <%= $x['username'] -%>:<%= get('x.password', '-') -%> + <%= $x['username'] -%>:<%= $x['password'] -%> <%- if $x['roles'] {-%> <%- $x['roles'].each |$v| {-%>,<%= $v -%><%- } %> <%- } -%> <%- } -%> <%- } -%> <%- } else { -%> - <%- if $auth_config['file']['auth_users']['username'] and $auth_config['file']['auth_users']['password'] { -%> - <%= $auth_config['file']['auth_users']['username'] -%>:<%= $auth_config['file']['auth_users']['password'] -%> - <%- if $auth_config['file']['auth_users']['roles'] { -%> - <%- $auth_config['file']['auth_users']['roles'].each |$v| {-%>,<%=$v -%><%- } %> + <%- if $auth_config['file']['realm_config']['auth_users']['username'] and $auth_config['file']['realm_config']['auth_users']['password'] { -%> + <%= $auth_config['file']['realm_config']['auth_users']['username'] -%>:<%= $auth_config['file']['realm_config']['auth_users']['password'] -%> + <%- if $auth_config['file']['realm_config']['auth_users']['roles'] { -%> + <%- $auth_config['file']['realm_config']['auth_users']['roles'].each |$v| {-%>,<%=$v -%><%- } %> <%- } -%> <%- } -%> <%- } -%> diff --git a/types/authconfig.pp b/types/authconfig.pp index 36e09e465..915040998 100644 --- a/types/authconfig.pp +++ b/types/authconfig.pp 
@@ -1,6 +1,5 @@
# Rundeck authentication config type.
type Rundeck::Authconfig = Struct[{
- Optional['active_directory'] => Hash[String, Data],
Optional['file'] => Hash[String, Data],
Optional['ldap'] => Hash[String, Data],
Optional['pam'] => Hash[String, Data],
From dfaa629b01db0b4efa3671d8d88e9013dfa40476 Mon Sep 17 00:00:00 2001
From: Joris29
Date: Fri, 17 Nov 2023 14:14:43 +0100
Subject: [PATCH 15/82] Update auth conf template
---
manifests/config.pp | 9 +++++----
templates/_auth_file.epp | 8 ++++----
templates/jaas-auth.conf.epp | 17 ++++++++---------
3 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/manifests/config.pp b/manifests/config.pp
index 0ead2b11b..a80fcf06f 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -9,9 +9,8 @@
$properties_dir = $rundeck::framework_config['framework.etc.dir']
File {
- owner => $rundeck::user,
- group => $rundeck::group,
- mode => '0644',
+ owner => $rundeck::user,
+ group => $rundeck::group,
}
if $rundeck::manage_home {
@@ -31,6 +30,7 @@
if 'file' in $auth_types {
file { "${properties_dir}/realm.properties":
content => Sensitive(epp($rundeck::realm_template, { auth_config => $rundeck::auth_config })),
+ mode => '0600',
require => File[$properties_dir],
}
} else {
@@ -46,7 +46,8 @@
}
file { "${properties_dir}/jaas-auth.conf":
- content => epp($rundeck::auth_template, { auth_config => $rundeck::auth_config }),
+ content => Sensitive(epp($rundeck::auth_template, { auth_config => $rundeck::auth_config })),
+ mode => '0600',
require => File[$properties_dir],
}
diff --git a/templates/_auth_file.epp b/templates/_auth_file.epp
index aac7f5215..f0f21c3c2 100644
--- a/templates/_auth_file.epp
+++ b/templates/_auth_file.epp
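Review bot: Dropping `mode => '0644'` from the `File` resource default in the first config.pp hunk means every other file resource in this class that does not set `mode` itself stops managing permissions entirely (Puppet then leaves whatever mode the file already has), a silent behaviour change for files this commit does not touch; only realm.properties and jaas-auth.conf receive an explicit `mode => '0600'` in the second and third hunks. If the goal is to keep 0644 for non-secret files, keep the default and let the two secret-bearing resources override it, which the added lines already do. The rest of the class lies outside these hunks, so which resources relied on the default cannot be seen here.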
@@ -1,8 +1,8 @@
<%- if $auth_config['file']['auth_flag'] {-%>
-org.eclipse.jetty.jaas.spi.PropertyFileLoginModule <%= $auth_config['file']['auth_flag'] %>
+ org.eclipse.jetty.jaas.spi.PropertyFileLoginModule <%= $auth_config['file']['auth_flag'] %>
<%-} else {-%>
-org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required
+ org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required
<%-}-%>
<%- $auth_config['file']['jaas_config'].each |$_key, $_value| {-%>
-<%= $_key -%>="<%= $_value -%>"
-<%-}-%>;
+ <%= $_key -%>="<%= $_value %>"
+<%} %>;
diff --git a/templates/jaas-auth.conf.epp b/templates/jaas-auth.conf.epp
index a9a85a340..fd81e130a 100644
--- a/templates/jaas-auth.conf.epp
+++ b/templates/jaas-auth.conf.epp
@@ -1,12 +1,11 @@
authentication {
-<%- $auth_config.each |$_type| { -%>
-type = "<%= $_type -%>"
- <%- if $_type == 'ldap' { -%>
- <%= epp('rundeck/_auth_ldap.epp', { auth_config => $auth_config }) %>
- <%- } elsif $_type == 'pam' { -%>
- <%= epp('rundeck/_auth_pam.epp', { auth_config => $auth_config }) %>
- <%- } elsif $_type == 'file' { -%>
- <%= epp('rundeck/_auth_file.epp', { auth_config => $auth_config }) %>
- <%- } -%>
+<%- $auth_config.keys.each |$_type| { -%>
+<%- if $_type == 'ldap' { -%>
+<%= epp('rundeck/_auth_ldap.epp', { auth_config => $auth_config }) %>
+<%- } elsif $_type == 'pam' { -%>
+<%= epp('rundeck/_auth_pam.epp', { auth_config => $auth_config }) %>
+<%- } elsif $_type == 'file' { -%>
+<%= epp('rundeck/_auth_file.epp', { auth_config => $auth_config }) %>
+<%- } -%>
<%- } -%>
};
From 1cfc25ba31a5a33cfcca324c0afcd79edc1901cb Mon Sep 17 00:00:00 2001
From: Joris29
Date: Fri, 17 Nov 2023 15:02:44 +0100
Subject: [PATCH 16/82] Update auth config template
---
data/common.yaml | 8 ++++-
manifests/config.pp | 6 ++--
templates/_auth_ad.epp | 55 ----------------------------
templates/_auth_file.epp | 8 -----
templates/_auth_ldap.epp | 65 ----------------------------------
templates/_auth_pam.epp | 17 ---------
templates/jaas-auth.conf.epp | 36 +++++++++++++++----
templates/realm.properties.epp | 16 ++++-----
types/authconfig.pp | 6 ++--
9 files changed, 50 insertions(+), 167 deletions(-)
delete mode 100644 templates/_auth_ad.epp
delete mode 100644 templates/_auth_file.epp
delete mode 100644 templates/_auth_ldap.epp
delete mode 100644 templates/_auth_pam.epp
diff --git a/data/common.yaml b/data/common.yaml
index 501816a3b..4b5806217 100644
--- a/data/common.yaml
+++ b/data/common.yaml
@@ -34,12 +34,18 @@ rundeck::auth_config:
file:
auth_flag: 'required'
jaas_config:
- debug: true
file: '/etc/rundeck/realm.properties'
realm_config:
admin_user: 'admin'
admin_password: 'admin'
auth_users: {}
+ ldap:
+ jaas_config:
+ blabla: 'dgdfg'
+ pam:
+ auth_flag: 'sufficient'
+ jaas_config:
+ service_account: 'ewrwer'
rundeck::framework_config:
framework.server.name: "%{facts.networking.fqdn}"
diff --git a/manifests/config.pp b/manifests/config.pp
index a80fcf06f..5a206aa63 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -5,7 +5,7 @@
class rundeck::config {
assert_private()
- $auth_types = $rundeck::auth_config.keys.unique
+ $auth_types = $rundeck::auth_config.keys
$properties_dir = $rundeck::framework_config['framework.etc.dir']
File {
@@ -29,7 +29,7 @@
if 'file' in $auth_types {
file { "${properties_dir}/realm.properties":
- content => Sensitive(epp($rundeck::realm_template, { auth_config => $rundeck::auth_config })),
+ content => Sensitive(epp($rundeck::realm_template)),
mode => '0600',
require => File[$properties_dir],
}
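Review bot: The `ldap` and `pam` sections added to the shipped defaults in data/common.yaml hold placeholder values (`blabla: 'dgdfg'`, `service_account: 'ewrwer'`), and with `$auth_types = $rundeck::auth_config.keys` in the config.pp hunk of this same commit every default deployment now renders an LDAP and a PAM login module from them; the LDAP entry has no `auth_flag`, so jaas-auth.conf.epp gives it `required`, leaving a stock install with a JAAS chain that cannot succeed. The defaults should contain only the `file` backend, with ldap/pam shown as opt-in examples in the `@param auth_config` documentation rather than in Hiera data. `framework.server.name` and the rest of the data file continue outside the hunk.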
@@ -46,7 +46,7 @@
}
file { "${properties_dir}/jaas-auth.conf":
- content => Sensitive(epp($rundeck::auth_template, { auth_config => $rundeck::auth_config })),
+ content => Sensitive(epp($rundeck::auth_template)),
mode => '0600',
require => File[$properties_dir],
}
diff --git a/templates/_auth_ad.epp b/templates/_auth_ad.epp
deleted file mode 100644
index 9f3a56df9..000000000
--- a/templates/_auth_ad.epp
+++ /dev/null
@@ -1,55 +0,0 @@ -com.dtolabs.rundeck.jetty.jaas.<%= $rundeck::config::ldap_login_module %> <%= $rundeck::config::active_directory_auth_flag -%> - debug="true" - contextFactory="com.sun.jndi.ldap.LdapCtxFactory" -<%- if $auth_config['active_directory']['url'] {-%> - providerUrl="<%= $auth_config['active_directory']['url'] %>" -<%-} else {-%> - providerUrl="ldap://<%= $auth_config['active_directory']['server'] %>:<%= $auth_config['active_directory']['port'] %>" -<%-}-%> - authenticationMethod="simple" - forceBindingLogin="<%= $auth_config['active_directory']['force_binding'] %>" - <%- if $auth_config['active_directory']['bind_dn'] { -%> - forceBindingLoginUseRootContextForRoles="<%= $auth_config['active_directory']['force_binding_use_root'] %>" - bindDn="<%= $auth_config['active_directory']['bind_dn']%>" - <%- } -%> - <%- if $auth_config['active_directory']['bind_password'] { -%> - bindPassword="<%= $auth_config['active_directory']['bind_password']%>" - <%- } -%> - userBaseDn="<%= $auth_config['active_directory']['user_base_dn'] %>" - userRdnAttribute="<%= $auth_config['active_directory']['user_rdn_attribute'] %>" - userIdAttribute="<%= $auth_config['active_directory']['user_id_attribute'] %>" - userPasswordAttribute="<%= $auth_config['active_directory']['user_password_attribute'] %>" - <%- if $rundeck::config::security_config['syncLdapUser'] == true {-%> - userFirstNameAttribute="<%= $auth_config['active_directory']['sync_first_name_attribute'] %>" - userLastNameAttribute="<%= $auth_config['active_directory']['sync_last_name_attribute'] %>" - userEmailAttribute="<%= $auth_config['active_directory']['sync_email_attribute'] %>" - <%- } -%> - - userObjectClass="<%= $auth_config['active_directory']['user_object_class'] %>" - roleBaseDn="<%= $auth_config['active_directory']['role_base_dn'] %>" - roleNameAttribute="<%= $auth_config['active_directory']['role_name_attribute'] %>" - roleMemberAttribute="<%= $auth_config['active_directory']['role_member_attribute'] %>" - 
roleObjectClass="<%= $auth_config['active_directory']['role_object_class'] %>" - <%- if $auth_config['active_directory']['role_prefix'] { -%> - rolePrefix="<%= $auth_config['active_directory']['role_prefix'] %>" - <%- } -%> - <%- if $auth_config['active_directory']['supplemental_roles'] { -%> - supplementalRoles="<%= $auth_config['active_directory']['supplemental_roles'] %>" - <%- } -%> - cacheDurationMillis="300000" - reportStatistics="true" -<%- if $rundeck::config::ldap_login_module == 'JettyCombinedLdapLoginModule' { -%> - ignoreRoles="true" - storePass="true" - clearPass="true" - useFirstPass="false" - tryFirstPass="false" -<%- } -%> - nestedGroups="<%= $auth_config['active_directory']['nested_groups'] %>"; - -<%- if $rundeck::config::ldap_login_module == 'JettyCombinedLdapLoginModule' { -%> -org.rundeck.jaas.jetty.JettyRolePropertyFileLoginModule required - debug="true" - useFirstPass="true" - file="<%= $auth_config['file']['realm_file'] %>"; -<%- } -%> diff --git a/templates/_auth_file.epp b/templates/_auth_file.epp deleted file mode 100644 index f0f21c3c2..000000000 --- a/templates/_auth_file.epp +++ /dev/null @@ -1,8 +0,0 @@ -<%- if $auth_config['file']['auth_flag'] {-%> - org.eclipse.jetty.jaas.spi.PropertyFileLoginModule <%= $auth_config['file']['auth_flag'] %> -<%-} else {-%> - org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required -<%-}-%> -<%- $auth_config['file']['jaas_config'].each |$_key, $_value| {-%> - <%= $_key -%>="<%= $_value %>" -<%} %>; diff --git a/templates/_auth_ldap.epp b/templates/_auth_ldap.epp deleted file mode 100644 index 489448fb8..000000000 --- a/templates/_auth_ldap.epp +++ /dev/null 
@@ -1,65 +0,0 @@ -com.dtolabs.rundeck.jetty.jaas.<%= $rundeck::config::ldap_login_module %> <%= $rundeck::config::ldap_auth_flag -%> - debug="true" - contextFactory="com.sun.jndi.ldap.LdapCtxFactory" -<%- if $rundeck::config::auth_config['ldap']['url'] {-%> - providerUrl="<%= $rundeck::config::auth_config['ldap']['url'] %>" -<%-} else {-%> - providerUrl="ldap://<%= $rundeck::config::auth_config['ldap']['server'] %>:<%= $rundeck::config::auth_config['ldap']['port'] %>" -<%-}-%> - authenticationMethod="simple" - forceBindingLogin="<%= $rundeck::config::auth_config['ldap']['force_binding'] %>" -<%- if $rundeck::config::auth_config['ldap']['force_binding_use_root'] {-%> - forceBindingLoginUseRootContextForRoles="<%= $rundeck::config::auth_config['ldap']['force_binding_use_root'] %>" -<%- } -%> -<%- if $rundeck::config::auth_config['ldap']['bind_dn'] {-%> - bindDn="<%= $rundeck::config::auth_config['ldap']['bind_dn']%>" -<%- } -%> -<%- if $rundeck::config::auth_config['ldap']['bind_password'] {-%> - bindPassword="<%= $rundeck::config::auth_config['ldap']['bind_password']%>" -<%- } -%> - userBaseDn="<%= $rundeck::config::auth_config['ldap']['user_base_dn'] %>" - userRdnAttribute="<%= $rundeck::config::auth_config['ldap']['user_rdn_attribute'] %>" - userIdAttribute="<%= $rundeck::config::auth_config['ldap']['user_id_attribute'] %>" - userPasswordAttribute="<%= $rundeck::config::auth_config['ldap']['user_password_attribute'] %>" -<%- if $rundeck::config::security_config['syncLdapUser'] == true {-%> - userFirstNameAttribute="<%= $rundeck::config::auth_config['ldap']['sync_first_name_attribute'] %>" - userLastNameAttribute="<%= $rundeck::config::auth_config['ldap']['sync_last_name_attribute'] %>" - userEmailAttribute="<%= $rundeck::config::auth_config['ldap']['sync_email_attribute'] %>" -<%- } -%> - userObjectClass="<%= $rundeck::config::auth_config['ldap']['user_object_class'] %>" -<%- if $rundeck::config::auth_config['ldap']['role_prefix'] {-%> - rolePrefix="<%= 
$rundeck::config::auth_config['ldap']['role_prefix'] %>" -<%- } -%> - roleBaseDn="<%= $rundeck::config::auth_config['ldap']['role_base_dn'] %>" - roleNameAttribute="<%= $rundeck::config::auth_config['ldap']['role_name_attribute'] %>" -<%- if $rundeck::config::auth_config['ldap']['role_username_member_attribute'] {-%> - roleUsernameMemberAttribute="<%= $rundeck::config::auth_config['ldap']['role_username_member_attribute'] %>" -<%-} elsif $rundeck::config::auth_config['ldap']['role_member_attribute'] {-%> - roleMemberAttribute="<%= $rundeck::config::auth_config['ldap']['role_member_attribute'] %>" -<%- } -%> - roleObjectClass="<%= $rundeck::config::auth_config['ldap']['role_object_class'] %>" -<%- if $rundeck::config::auth_config['ldap']['supplemental_roles'] {-%> - supplementalRoles="<%= $rundeck::config::auth_config['ldap']['supplemental_roles'] %>" -<%- } -%> -<%- if $rundeck::config::auth_config['ldap']['cache_duration_millis'] {-%> - cacheDurationMillis="<%= $rundeck::config::auth_config['ldap']['cache_duration_millis'] %>" -<%- } else { -%> - cacheDurationMillis="300000" -<%- }-%> - cacheDurationMillis="<%= cache_duration_ms %>" - reportStatistics="true" -<%- if $rundeck::config::ldap_login_module == 'JettyCombinedLdapLoginModule' {-%> - ignoreRoles="true" - storePass="true" - clearPass="true" - useFirstPass="false" - tryFirstPass="false" -<%- } -%> - nestedGroups="<%= $rundeck::config::auth_config['ldap']['nested_groups'] %>"; - -<%- if $rundeck::config::ldap_login_module == 'JettyCombinedLdapLoginModule' {-%> -org.rundeck.jaas.jetty.JettyRolePropertyFileLoginModule required - debug="true" - useFirstPass="true" - file="<%= $rundeck::config::auth_config['file']['file'] %>"; -<%- } -%> diff --git a/templates/_auth_pam.epp b/templates/_auth_pam.epp deleted file mode 100644 index cfa9e0eb9..000000000 --- a/templates/_auth_pam.epp +++ /dev/null 
@@ -1,17 +0,0 @@ -org.rundeck.jaas.jetty.JettyPamLoginModule requisite - debug="true" - service="<%= $rundeck::config::auth_config['pam']['service'] %>" - supplementalRoles="<%= $rundeck::config::auth_config['pam']['supplemental_roles'].join(',') %>" -<%- if $rundeck::config::auth_config['pam']['clear_pass'] { -%> - clearPass="<%= $rundeck::config::auth_config['pam']['clear_pass'] %>" -<%- } -%> -<%- if $rundeck::config::auth_config['pam']['try_first_pass'] { -%> - tryFirstPass="<%= $rundeck::config::auth_config['pam']['try_first_pass'] %>" -<%- } -%> -<%- if $rundeck::config::auth_config['pam']['use_first_pass'] { -%> - useFirstPass="<%= $rundeck::config::auth_config['pam']['use_first_pass'] %>" -<%- } -%> -<%- if $rundeck::config::auth_config['pam']['use_unix_groups'] { -%> - useUnixGroups="<%= $rundeck::config::auth_config['pam']['use_unix_groups'] %>" -<%- } -%> - storePass="<%= $rundeck::config::auth_config['pam']['store_pass'] %>"; diff --git a/templates/jaas-auth.conf.epp b/templates/jaas-auth.conf.epp index fd81e130a..5f9c20d16 100644 --- a/templates/jaas-auth.conf.epp +++ b/templates/jaas-auth.conf.epp 
@@ -1,11 +1,33 @@
authentication {
-<%- $auth_config.keys.each |$_type| { -%>
-<%- if $_type == 'ldap' { -%>
-<%= epp('rundeck/_auth_ldap.epp', { auth_config => $auth_config }) %>
-<%- } elsif $_type == 'pam' { -%>
-<%= epp('rundeck/_auth_pam.epp', { auth_config => $auth_config }) %>
-<%- } elsif $_type == 'file' { -%>
-<%= epp('rundeck/_auth_file.epp', { auth_config => $auth_config }) %>
+<%- $rundeck::config::auth_types.each |$_type| { -%>
+<%- if $_type == 'file' { -%>
+<%- if $rundeck::auth_config['file']['auth_flag'] {-%>
+ org.eclipse.jetty.jaas.spi.PropertyFileLoginModule <%= $rundeck::auth_config['file']['auth_flag'] %>
+<%-} else {-%>
+ org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required
+<%-}-%>
+<%- $rundeck::auth_config['file']['jaas_config'].each |$_key, $_value| {-%>
+ <%= $_key -%>="<%= $_value -%>"
+<%-}-%>;
+<%- } elsif $_type == 'ldap' { -%>
+<%- if $rundeck::auth_config['ldap']['auth_flag'] {-%>
+ com.dtolabs.rundeck.jetty.jaas.<%= $rundeck::config::ldap_login_module %> <%= $rundeck::auth_config['ldap']['auth_flag'] %>
+<%-} else {-%>
+ com.dtolabs.rundeck.jetty.jaas.<%= $rundeck::config::ldap_login_module %> required
+<%-}-%>
+ contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
+<%- $rundeck::auth_config['ldap']['jaas_config'].each |$_key, $_value| {-%>
+ <%= $_key -%>="<%= $_value -%>"
+<%-}-%>;
+<%- } elsif $_type == 'pam' { -%>
+<%- if $rundeck::auth_config['pam']['auth_flag'] {-%>
+ org.rundeck.jaas.jetty.JettyPamLoginModule <%= $rundeck::auth_config['pam']['auth_flag'] %>
+<%-} else {-%>
+ org.rundeck.jaas.jetty.JettyPamLoginModule required
+<%-}-%>
+<%- $rundeck::auth_config['pam']['jaas_config'].each |$_key, $_value| {-%>
+ <%= $_key -%>="<%= $_value -%>"
+<%-}-%>;
<%- } -%>
<%- } -%>
};
diff --git a/templates/realm.properties.epp b/templates/realm.properties.epp
index 90b01343d..058729015 100644
--- a/templates/realm.properties.epp
+++ b/templates/realm.properties.epp
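Review bot: `auth_flag` and every `jaas_config` key/value are interpolated into jaas-auth.conf unvalidated and unescaped: a misspelt flag or a value containing `"` yields a JAAS file Rundeck cannot parse, and the unconditional `.each` on a backend without `jaas_config` fails at catalog compile time. Since `Rundeck::Authconfig` only constrains each backend to `Hash[String, Data]`, tightening it per backend would surface this early, e.g. `Optional['auth_flag'] => Enum['required', 'requisite', 'sufficient', 'optional'],` and `'jaas_config' => Hash[String, Data],` inside a `Struct` for each of `file`, `ldap` and `pam`. Module order in the rendered file follows the key order of `$rundeck::auth_config`, which matters for the flag semantics and deserves a comment at the top of the template. The template also reads `$rundeck::config::auth_types` and `$rundeck::config::ldap_login_module` directly, which anyone overriding `auth_template` has to know about; the `@param auth_template` doc in init.pp should say so.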
@@ -21,10 +21,10 @@ # # This sets the default user accounts for the Rundeck app # -<%= $auth_config['file']['realm_config']['admin_user'] %>:<%= $auth_config['file']['realm_config']['admin_password'] %>,user,admin,architect,deploy,build -<%- if $auth_config['file']['realm_config']['auth_users'] { -%> - <%- if is_array($auth_config['file']['realm_config']['auth_users']) { -%> - <%- $auth_config['file']['realm_config']['auth_users'].each |$x| { -%> +<%= $rundeck::auth_config['file']['realm_config']['admin_user'] %>:<%= $rundeck::auth_config['file']['realm_config']['admin_password'] %>,user,admin,architect,deploy,build +<%- if $rundeck::auth_config['file']['realm_config']['auth_users'] { -%> + <%- if is_array($rundeck::auth_config['file']['realm_config']['auth_users']) { -%> + <%- $rundeck::auth_config['file']['realm_config']['auth_users'].each |$x| { -%> <%- if $x['username'] { -%> <%= $x['username'] -%>:<%= $x['password'] -%> <%- if $x['roles'] {-%> 
@@ -33,10 +33,10 @@ <%- } -%> <%- } -%> <%- } else { -%> - <%- if $auth_config['file']['realm_config']['auth_users']['username'] and $auth_config['file']['realm_config']['auth_users']['password'] { -%> - <%= $auth_config['file']['realm_config']['auth_users']['username'] -%>:<%= $auth_config['file']['realm_config']['auth_users']['password'] -%> - <%- if $auth_config['file']['realm_config']['auth_users']['roles'] { -%> - <%- $auth_config['file']['realm_config']['auth_users']['roles'].each |$v| {-%>,<%=$v -%><%- } %> + <%- if $rundeck::auth_config['file']['realm_config']['auth_users']['username'] and $rundeck::auth_config['file']['realm_config']['auth_users']['password'] { -%> + <%= $rundeck::auth_config['file']['realm_config']['auth_users']['username'] -%>:<%= $rundeck::auth_config['file']['realm_config']['auth_users']['password'] -%> + <%- if $rundeck::auth_config['file']['realm_config']['auth_users']['roles'] { -%> + <%- $rundeck::auth_config['file']['realm_config']['auth_users']['roles'].each |$v| {-%>,<%=$v -%><%- } %> <%- } -%> <%- } -%> <%- } -%> diff --git a/types/authconfig.pp b/types/authconfig.pp index 915040998..ab53a3ba4 100644 --- a/types/authconfig.pp +++ b/types/authconfig.pp @@ -1,6 +1,6 @@ # Rundeck authentication config type. type Rundeck::Authconfig = Struct[{ - Optional['file'] => Hash[String, Data], - Optional['ldap'] => Hash[String, Data], - Optional['pam'] => Hash[String, Data], + Optional['file'] => Hash[String, Data], + Optional['ldap'] => Hash[String, Data], + Optional['pam'] => Hash[String, Data], }] From b53833a1649a20d938a388fa1bd981b00a6c8861 Mon Sep 17 00:00:00 2001 
From: Joris29 Date: Fri, 17 Nov 2023 16:49:32 +0100 Subject: [PATCH 17/82] Update log4j properties --- REFERENCE.md | 69 +++--- manifests/config.pp | 44 ++-- manifests/config/global/rundeck_config.pp | 2 +- manifests/init.pp | 14 +- templates/log4j.properties.erb | 158 ------------- templates/log4j2.properties.epp | 264 ++++++++++++++++++++++ templates/rundeck-config.epp | 2 +- types/loglevel.pp | 2 +- 8 files changed, 329 insertions(+), 226 deletions(-) delete mode 100644 templates/log4j.properties.erb create mode 100644 templates/log4j2.properties.epp diff --git a/REFERENCE.md b/REFERENCE.md index 6adf73e9a..4b2395751 100644 --- a/REFERENCE.md +++ b/REFERENCE.md 
@@ -9,18 +9,18 @@ #### Public Classes * [`rundeck`](#rundeck): Class to manage installation and configuration of Rundeck. -* [`rundeck::config`](#rundeck--config): This class is called from rundeck to manage the configuration. * [`rundeck::config::global::web`](#rundeck--config--global--web): This class will manage the application's web.xml. -* [`rundeck::install`](#rundeck--install): This class is called from rundeck for install. -* [`rundeck::service`](#rundeck--service): This class is called from rundeck to manage service. #### Private Classes +* `rundeck::config`: This class is called from rundeck to manage the configuration. * `rundeck::config::global::file_keystore`: This private class is used to manage the keys of the Rundeck key storage facility if a file-based backend is used. * `rundeck::config::global::framework`: This private class is called from rundeck::config used to manage the framework properties of rundeck. * `rundeck::config::global::project`: This private class is called from rundeck::config used to manage the default project properties. * `rundeck::config::global::rundeck_config`: This private class is called from rundeck::config used to manage the rundeck-config properties. * `rundeck::config::global::ssl`: This private class is called from rundeck::config used to manage the ssl properties if ssl is enabled. +* `rundeck::install`: This class is called from rundeck for install. +* `rundeck::service`: This class is called from rundeck to manage service. ### Defined types @@ -37,6 +37,7 @@ ### Data types +* [`Rundeck::Authconfig`](#Rundeck--Authconfig): Rundeck authentication config type. * [`Rundeck::Loglevel`](#Rundeck--Loglevel): Rundeck log level type. * [`Rundeck::Sourcetype`](#Rundeck--Sourcetype): Rundeck sourcetype type. 
@@ -71,7 +72,6 @@ The following parameters are available in the `rundeck` class: * [`keystore_password`](#-rundeck--keystore_password) * [`log_properties_template`](#-rundeck--log_properties_template) * [`mail_config`](#-rundeck--mail_config) -* [`sshkey_manage`](#-rundeck--sshkey_manage) * [`key_password`](#-rundeck--key_password) * [`ssl_keyfile`](#-rundeck--ssl_keyfile) * [`ssl_certfile`](#-rundeck--ssl_certfile) @@ -85,8 +85,8 @@ The following parameters are available in the `rundeck` class: * [`projects_description`](#-rundeck--projects_description) * [`projects_organization`](#-rundeck--projects_organization) * [`quartz_job_threadcount`](#-rundeck--quartz_job_threadcount) -* [`rd_loglevel`](#-rundeck--rd_loglevel) -* [`rd_auditlevel`](#-rundeck--rd_auditlevel) +* [`app_log_level`](#-rundeck--app_log_level) +* [`audit_log_level`](#-rundeck--audit_log_level) * [`rdeck_config_template`](#-rundeck--rdeck_config_template) * [`home_dir`](#-rundeck--home_dir) * [`manage_home`](#-rundeck--manage_home) @@ -155,9 +155,10 @@ Default value: `[]` ##### `auth_config` -Data type: `Array[Hash]` +Data type: `Rundeck::Authconfig` -Authentication configuration. +Hash of properties for configuring [Rundeck JAAS Authentication](https://docs.rundeck.com/docs/administration/security/authentication.html#jetty-and-jaas-authentication) +Default value is located in data/common.yaml. ##### `auth_template` @@ -209,6 +210,8 @@ Data type: `Hash` Hash of properties for configuring the [Rundeck Framework](https://docs.rundeck.com/docs/administration/configuration/config-file-reference.html#framework-properties) +Default value: `{}` + ##### `grails_server_url` Data type: `Stdlib::HTTPUrl` @@ -275,7 +278,7 @@ Data type: `String` The template used for log properties. Default is rundeck/log4j.properties.erb. -Default value: `'rundeck/log4j.properties.erb'` +Default value: `'rundeck/log4j2.properties.epp'` ##### `mail_config` 
@@ -285,14 +288,6 @@ A hash of the notification email configuraton. Default value: `{}` -##### `sshkey_manage` - -Data type: `Boolean` - -Should this module manage the sshkey used by rundeck at all. - -Default value: `true` - ##### `key_password` Data type: `Optional[String]` @@ -394,21 +389,21 @@ The maximum number of threads used by Rundeck for concurrent jobs by default is Default value: `10` -##### `rd_loglevel` +##### `app_log_level` Data type: `Rundeck::Loglevel` The log4j logging level to be set for the Rundeck application. -Default value: `'INFO'` +Default value: `'info'` -##### `rd_auditlevel` +##### `audit_log_level` Data type: `Rundeck::Loglevel` -The log4j logging level to be set for the Rundeck application. +The log4j logging level to be set for the Rundeck autorization. -Default value: `'INFO'` +Default value: `'info'` ##### `rdeck_config_template` @@ -516,7 +511,7 @@ Default value: `true` Data type: `Stdlib::Absolutepath` -The path to the directory to store logs. +The path to the directory to store service related logs. Default value: `'/var/log/rundeck'` @@ -751,10 +746,6 @@ Data type: `Stdlib::Absolutepath` Default value: `'/bin/bash'` -### `rundeck::config` - -This class is called from rundeck to manage the configuration. - ### `rundeck::config::global::web` Currently only manages the required for any user to login and session timout: @@ -811,14 +802,6 @@ Data type: `Stdlib::Absolutepath` Default value: `"${rundeck::home_dir}/exp/webapp/WEB-INF/web.xml"` -### `rundeck::install` - -This class is called from rundeck for install. - -### `rundeck::service` - -This class is called from rundeck to manage service. - ## Defined types ### `rundeck::config::aclpolicyfile` 
@@ -1544,11 +1527,25 @@ Returns: `Any` ## Data types +### `Rundeck::Authconfig` + +Rundeck authentication config type. + +Alias of + +```puppet +Struct[{ + Optional['file'] => Hash[String, Data], + Optional['ldap'] => Hash[String, Data], + Optional['pam'] => Hash[String, Data], +}] +``` + ### `Rundeck::Loglevel` Rundeck log level type. -Alias of `Enum['ALL', 'DEBUG', 'ERROR', 'FATAL', 'INFO', 'OFF', 'TRACE', 'WARN']` +Alias of `Enum['all', 'debug', 'error', 'fatal', 'info', 'off', 'trace', 'warn']` ### `Rundeck::Sourcetype` diff --git a/manifests/config.pp b/manifests/config.pp index 5a206aa63..47b75cf97 100644 --- a/manifests/config.pp +++ b/manifests/config.pp 
@@ -51,30 +51,30 @@ require => File[$properties_dir], } - # file { "${properties_dir}/log4j.properties": - # content => template($rundeck::log_properties_template), - # require => File[$properties_dir], - # } + file { "${properties_dir}/log4j2.properties": + content => epp($rundeck::log_properties_template), + require => File[$properties_dir], + } - # if $rundeck::manage_default_admin_policy { - # rundeck::config::aclpolicyfile { 'admin': - # acl_policies => $rundeck::admin_policies, - # owner => $rundeck::user, - # group => $rundeck::group, - # properties_dir => $properties_dir, - # template_file => $rundeck::acl_template, - # } - # } + if $rundeck::manage_default_admin_policy { + rundeck::config::aclpolicyfile { 'admin': + acl_policies => $rundeck::admin_policies, + owner => $rundeck::user, + group => $rundeck::group, + properties_dir => $properties_dir, + template_file => $rundeck::acl_template, + } + } - # if $rundeck::manage_default_api_policy { - # rundeck::config::aclpolicyfile { 'apitoken': - # acl_policies => $rundeck::api_policies, - # owner => $rundeck::user, - # group => $rundeck::group, - # properties_dir => $properties_dir, - # template_file => $rundeck::acl_template, - # } - # } + if $rundeck::manage_default_api_policy { + rundeck::config::aclpolicyfile { 'apitoken': + acl_policies => $rundeck::api_policies, + owner => $rundeck::user, + group => $rundeck::group, + properties_dir => $properties_dir, + template_file => $rundeck::acl_template, + } + } # if ($rundeck::rdeck_profile_template) { # file { "${properties_dir}/profile": diff --git a/manifests/config/global/rundeck_config.pp b/manifests/config/global/rundeck_config.pp index 401725820..47c2d1e38 100644 --- a/manifests/config/global/rundeck_config.pp +++ b/manifests/config/global/rundeck_config.pp 
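Review bot: The module now writes `${properties_dir}/log4j2.properties`, but `templates/rundeck-config.epp` (its hunk is later in this same patch) still sets `rundeck.log4j.config.file` to `<properties_dir>/log4j.properties`, so Rundeck is pointed at a file the module no longer manages; that line should follow the rename, `rundeck.log4j.config.file = "<%= $rundeck::config::global::rundeck_config::properties_dir %>/log4j2.properties"`. The new `file` resource sets no `owner`, `group` or `mode`, unlike the two `rundeck::config::aclpolicyfile` resources below it which pass `$rundeck::user`/`$rundeck::group`; unless a resource default outside this hunk supplies them, the file is created with the agent's defaults, which is worth confirming is intended. Both `aclpolicyfile` resources pass `template_file => $rundeck::acl_template`; if the class keeps a separate API policy template parameter, the `apitoken` resource should use that one rather than the admin template.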
@@ -16,7 +16,7 @@ $preauthenticated_config = $rundeck::config::preauthenticated_config $properties_dir = $rundeck::config::properties_dir $quartz_job_threadcount = $rundeck::config::quartz_job_threadcount - $rd_loglevel = $rundeck::config::rd_loglevel + $app_log_level = $rundeck::config::app_log_level $rdeck_base = $rundeck::config::rdeck_base $rdeck_config_template = $rundeck::config::rdeck_config_template $rss_enabled = $rundeck::config::rss_enabled diff --git a/manifests/init.pp b/manifests/init.pp index 58d154315..583655b2c 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -70,10 +70,10 @@ # The organization value that will be set by default for any projects. # @param quartz_job_threadcount # The maximum number of threads used by Rundeck for concurrent jobs by default is set to 10. -# @param rd_loglevel -# The log4j logging level to be set for the Rundeck application. -# @param rd_auditlevel +# @param app_log_level # The log4j logging level to be set for the Rundeck application. +# @param audit_log_level +# The log4j logging level to be set for the Rundeck autorization. # @param rdeck_config_template # Allows you to override the rundeck-config template. # @param home_dir @@ -101,7 +101,7 @@ # @param service_restart # The restart of the rundeck service (default to true) # @param service_logs_dir -# The path to the directory to store logs. +# The path to the directory to store service related logs. # @param service_config # Allows you to use your own override template instead to config rundeckd init script. # @param service_script 
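Review bot: `$app_log_level = $rundeck::config::app_log_level` in `rundeck::config::global::rundeck_config` looks like dead code after this patch: the only consumer visible in the series, `templates/rundeck-config.epp`, now reads `$rundeck::app_log_level` directly instead of this class's variable, so the assignment can go unless something outside the hunk still reads it. In the `init.pp` doc hunk on the same line, the `@param audit_log_level` text reads `The log4j logging level to be set for the Rundeck autorization.`; `autorization` should be `authorization`, and since `REFERENCE.md` is generated from these comments the typo propagates there too.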
@@ -165,13 +165,13 @@ String $jvm_args = '-Xmx1024m -Xms256m -server', Hash $kerberos_realms = {}, Stdlib::Absolutepath $keystore = '/etc/rundeck/ssl/keystore', - String $log_properties_template = 'rundeck/log4j.properties.erb', + String $log_properties_template = 'rundeck/log4j2.properties.epp', Hash $mail_config = {}, Boolean $manage_default_admin_policy = true, Boolean $manage_default_api_policy = true, - Rundeck::Loglevel $rd_loglevel = 'INFO', - Rundeck::Loglevel $rd_auditlevel = 'INFO', + Rundeck::Loglevel $app_log_level = 'info', + Rundeck::Loglevel $audit_log_level = 'info', String $rdeck_config_template = 'rundeck/rundeck-config.epp', Optional[String] $rdeck_profile_template = undef, String $rdeck_override_template = 'rundeck/profile_overrides.erb', diff --git a/templates/log4j.properties.erb b/templates/log4j.properties.erb deleted file mode 100644 index bbbc9f9c8..000000000 --- a/templates/log4j.properties.erb +++ /dev/null 
@@ -1,158 +0,0 @@ -#################################################################################################### -# -# Log Levels -# -#################################################################################################### - -# Enable logging for everything. Rarely useful -log4j.rootLogger=warn, stdout, server-logger - -log4j.com.dtolabs.rundeck.core=INFO, cmd-logger - -#log4j.logger.org.codehaus.groovy.grails.plugins.quartz=debug,stdout -#log4j.additivity.org.codehaus.groovy.grails.plugins.quartz=false - -# Enable audit logging -log4j.logger.com.dtolabs.rundeck.core.authorization=<%= @rd_auditlevel %>, audit -log4j.additivity.com.dtolabs.rundeck.core.authorization=false - -# Enable options remote URL logging -log4j.logger.com.dtolabs.rundeck.remoteservice.http.options=INFO, options -log4j.additivity.com.dtolabs.rundeck.remoteservice.http.options=false - -# Enable Job changes logging -log4j.logger.com.dtolabs.rundeck.data.jobs.changes=INFO, jobchanges -log4j.additivity.com.dtolabs.rundeck.data.jobs.changes=false - -# Enable API request logging -log4j.logger.org.rundeck.api.requests=INFO,apirequests -log4j.additivity.org.rundeck.api.requests=false - -# Enable Web access logging -log4j.logger.org.rundeck.web.requests=INFO,access -log4j.additivity.org.rundeck.web.requests=false - - -# Enable this logger to log Hibernate output -# handy to see its database interaction activity -#log4j.logger.org.hibernate=debug,stdout -#log4j.additivity.org.hibernate=false - -# Enable this logger to see what Spring does, occasionally useful -#log4j.logger.org.springframework=info,stdout -#log4j.additivity.org.springframework=false - -# This logger covers all of Grails' internals -# Enable to see whats going on underneath. -log4j.logger.org.codehaus.groovy.grails=warn,stdout, server-logger -log4j.additivity.org.codehaus.groovy.grails=false - -# This logger is useful if you just want to see what Grails -# configures with Spring at runtime. 
Setting to debug will show -# each bean that is configured -log4j.logger.org.codehaus.groovy.grails.commons.spring=warn,stdout, server-logger -log4j.additivity.org.codehaus.groovy.grails.commons.spring=false - -# Interesting Logger to see what some of the Grails factory beans are doing -log4j.logger.org.codehaus.groovy.grails.beans.factory=warn,stdout, server-logger -log4j.additivity.org.codehaus.groovy.grails.beans.factory=false - -# This logger is for Grails' public APIs within the grails. package -log4j.logger.grails=info,stdout, server-logger -log4j.additivity.grails=false - -# Disable h2database logger if desired (value = on|off) -log4j.logger.h2database=<%= @database_config['enable_h2_logs'] %> - - -#################################################################################################### -# -# Appender Configuration (unlikely a change needs to be made, unless you have unique logging reqs.) -# -#################################################################################################### - -# -# stdout - ConsoleAppender -# -log4j.appender.stdout=org.apache.log4j.ConsoleAppender -log4j.appender.stdout.layout=org.apache.log4j.PatternLayout -log4j.appender.stdout.layout.ConversionPattern=%-5p %c{1}: %m%n - -# -# cmd-logger - DailyRollingFileAppender -# -# Output of the RunDeck command line utilities -# -log4j.appender.cmd-logger=org.apache.log4j.DailyRollingFileAppender -log4j.appender.cmd-logger.file=<%= @service_logs_dir %>/command.log -log4j.appender.cmd-logger.datePattern='.'yyyy-MM-dd -log4j.appender.cmd-logger.append=true -log4j.appender.cmd-logger.layout=org.apache.log4j.PatternLayout -log4j.appender.cmd-logger.layout.ConversionPattern=%d{ISO8601} [%t] %-5p %c - %m%n - -# -# server-logger - DailyRollingFileAppender -# -# Captures all output from the rundeckd server. 
-# -log4j.appender.server-logger=org.apache.log4j.DailyRollingFileAppender -log4j.appender.server-logger.file=<%= @service_logs_dir %>/rundeck.log -log4j.appender.server-logger.datePattern='.'yyyy-MM-dd -log4j.appender.server-logger.append=true -log4j.appender.server-logger.layout=org.apache.log4j.PatternLayout -log4j.appender.server-logger.layout.ConversionPattern=%d{ISO8601} [%t] %-5p %c - %m%n - -# -# audit -# -# Captures all audit events. -# -log4j.appender.audit=org.apache.log4j.DailyRollingFileAppender -log4j.appender.audit.file=<%= @service_logs_dir %>/rundeck.audit.log -log4j.appender.audit.append=true -log4j.appender.audit.layout=org.apache.log4j.PatternLayout -log4j.appender.audit.layout.ConversionPattern=%d{ISO8601} - %m%n - -# -# options log -# -# Logs remote HTTP requests for Options JSON data -# -log4j.appender.options=org.apache.log4j.DailyRollingFileAppender -log4j.appender.options.file=<%= @service_logs_dir %>/rundeck.options.log -log4j.appender.options.append=true -log4j.appender.options.layout=org.apache.log4j.PatternLayout -log4j.appender.options.layout.ConversionPattern=[%d{ISO8601}] %X{httpStatusCode} %X{contentLength}B %X{durationTime}ms %X{lastModifiedDateTime} [%X{jobName}] %X{url} %X{contentSHA1}%n - -# -# job changes log -# -# Logs all Job definition changes -# -log4j.appender.jobchanges=org.apache.log4j.DailyRollingFileAppender -log4j.appender.jobchanges.file=<%= @service_logs_dir %>/rundeck.jobs.log -log4j.appender.jobchanges.append=true -log4j.appender.jobchanges.layout=org.apache.log4j.PatternLayout -log4j.appender.jobchanges.layout.ConversionPattern=[%d{ISO8601}] %X{user} %X{change} [%X{id}] %X{project} "%X{groupPath}/%X{jobName}" (%X{method})%n - -# -# api request log -# -# Logs all API requests -# -log4j.appender.apirequests=org.apache.log4j.DailyRollingFileAppender -log4j.appender.apirequests.file=<%= @service_logs_dir %>/rundeck.api.log -log4j.appender.apirequests.append=true 
-log4j.appender.apirequests.layout=org.apache.log4j.PatternLayout -log4j.appender.apirequests.layout.ConversionPattern=[%d{ISO8601}] %X{remoteHost} %X{secure} %X{remoteUser} %X{authToken} %X{duration} %X{project} "%X{method} %X{uri}" (%X{userAgent})%n - -# -# Web access log -# -# Logs all Web requests -# -log4j.appender.access=org.apache.log4j.DailyRollingFileAppender -log4j.appender.access.file=<%= @service_logs_dir %>/rundeck.access.log -log4j.appender.access.append=true -log4j.appender.access.layout=org.apache.log4j.PatternLayout -log4j.appender.access.layout.ConversionPattern=[%d{ISO8601}] "%X{method} %X{uri}" %X{remoteHost} %X{secure} %X{remoteUser} %X{authToken} %X{duration} %X{project} [%X{contentType}] (%X{userAgent})%n diff --git a/templates/log4j2.properties.epp b/templates/log4j2.properties.epp new file mode 100644 index 000000000..70ec09232 --- /dev/null +++ b/templates/log4j2.properties.epp 
@@ -0,0 +1,264 @@
+
+name = Rundeck Logging Configuration
+
+property.baseDir = <%= $rundeck::service_logs_dir %>
+property.classLength = 2
+property.noConsoleNoAnsi = true
+property.prefix = [%style{%d{ISO8601}}{dim, noConsoleNoAnsi=${noConsoleNoAnsi}}] %highlight{%-5p}{noConsoleNoAnsi=${noConsoleNoAnsi}} %style{%c{${classLength}}}{cyan,noConsoleNoAnsi=${noConsoleNoAnsi}}
+
+appender.console.type = Console
+appender.console.name = STDOUT
+appender.console.layout.type = PatternLayout
+appender.console.layout.pattern = ${prefix} - %m%n
+
+appender.rundeck.type = RollingFile
+appender.rundeck.name = rundeck
+appender.rundeck.fileName = ${baseDir}/rundeck.log
+appender.rundeck.append = true
+appender.rundeck.bufferedIO = true
+appender.rundeck.filePattern = ${baseDir}/rundeck.log.%d{yyyy-MM-dd}.gz
+appender.rundeck.layout.type = PatternLayout
+appender.rundeck.layout.pattern = ${prefix} [%t] - %m%n
+appender.rundeck.policies.type = Policies
+appender.rundeck.policies.time.type = TimeBasedTriggeringPolicy
+appender.rundeck.policies.time.interval = 1
+
+appender.audit.type = RollingFile
+appender.audit.name = audit
+appender.audit.fileName = ${baseDir}/rundeck.audit.log
+appender.audit.append = true
+appender.audit.bufferedIO = true
+appender.audit.filePattern = ${baseDir}/rundeck.audit.log.%d{yyyy-MM-dd}.gz
+appender.audit.layout.type = PatternLayout
+appender.audit.layout.pattern = ${prefix} - %m%n
+appender.audit.policies.type = Policies
+appender.audit.policies.time.type = TimeBasedTriggeringPolicy
+appender.audit.policies.time.interval = 1
+
+appender.options.type = RollingFile
+appender.options.name = options
+appender.options.fileName = ${baseDir}/rundeck.options.log
+appender.options.append = true
+appender.options.bufferedIO = true
+appender.options.filePattern = ${baseDir}/rundeck.options.log.%d{yyyy-MM-dd}.gz
+appender.options.layout.type = PatternLayout
+appender.options.layout.pattern = ${prefix} %X{httpStatusCode} %X{contentLength}B %X{durationTime}ms 
%X{lastModifiedDateTime} [%X{jobName}] %X{url} %X{contentSHA1}%n
+appender.options.policies.type = Policies
+appender.options.policies.time.type = TimeBasedTriggeringPolicy
+appender.options.policies.time.interval = 1
+
+appender.storage.type = RollingFile
+appender.storage.name = storage
+appender.storage.fileName = ${baseDir}/rundeck.storage.log
+appender.storage.append = true
+appender.storage.bufferedIO = true
+appender.storage.filePattern = ${baseDir}/rundeck.storage.log.%d{yyyy-MM-dd}.gz
+appender.storage.layout.type = PatternLayout
+appender.storage.layout.pattern = ${prefix} %X{action} %X{type} %X{path} %X{status} %X{metadata}%n
+appender.storage.policies.type = Policies
+appender.storage.policies.time.type = TimeBasedTriggeringPolicy
+appender.storage.policies.time.interval = 1
+
+appender.jobchanges.type = RollingFile
+appender.jobchanges.name = jobchanges
+appender.jobchanges.fileName = ${baseDir}/rundeck.jobs.log
+appender.jobchanges.append = true
+appender.jobchanges.bufferedIO = true
+appender.jobchanges.filePattern = ${baseDir}/rundeck.jobs.log.%d{yyyy-MM-dd}.gz
+appender.jobchanges.layout.type = PatternLayout
+appender.jobchanges.layout.pattern = ${prefix} %X{user} %X{change} [%X{id}] %X{project} "%X{groupPath}/%X{jobName}" (%X{method})%X{extraInfo}%n
+appender.jobchanges.policies.type = Policies
+appender.jobchanges.policies.time.type = TimeBasedTriggeringPolicy
+appender.jobchanges.policies.time.interval = 1
+
+appender.execevents.type = RollingFile
+appender.execevents.name = execevents
+appender.execevents.fileName = ${baseDir}/rundeck.executions.log
+appender.execevents.append = true
+appender.execevents.bufferedIO = true
+appender.execevents.filePattern = ${baseDir}/rundeck.executions.log.%d{yyyy-MM-dd}.gz
+appender.execevents.layout.type = PatternLayout
+appender.execevents.layout.pattern = ${prefix} %X{eventUser} %X{event} [%X{id}:%X{state}] %X{project} %X{user}/%X{abortedby} "%X{groupPath}/%X{jobName}" %X{argString} [%X{uuid}]%n 
+appender.execevents.policies.type = Policies
+appender.execevents.policies.time.type = TimeBasedTriggeringPolicy
+appender.execevents.policies.time.interval = 1
+
+appender.apirequests.type = RollingFile
+appender.apirequests.name = apirequests
+appender.apirequests.fileName = ${baseDir}/rundeck.api.log
+appender.apirequests.append = true
+appender.apirequests.bufferedIO = true
+appender.apirequests.filePattern = ${baseDir}/rundeck.api.log.%d{yyyy-MM-dd}.gz
+appender.apirequests.layout.type = PatternLayout
+appender.apirequests.layout.pattern = ${prefix} "%X{method} %X{uri}" %X{remoteHost} %X{secure} %X{remoteUser} %X{authToken} %X{duration} %X{project} (%X{userAgent})%n
+appender.apirequests.policies.type = Policies
+appender.apirequests.policies.time.type = TimeBasedTriggeringPolicy
+appender.apirequests.policies.time.interval = 1
+
+appender.access.type = RollingFile
+appender.access.name = access
+appender.access.fileName = ${baseDir}/rundeck.access.log
+appender.access.append = true
+appender.access.bufferedIO = true
+appender.access.filePattern = ${baseDir}/rundeck.access.log.%d{yyyy-MM-dd}.gz
+appender.access.layout.type = PatternLayout
+appender.access.layout.pattern = ${prefix} "%X{method} %X{uri}" %X{remoteHost} %X{secure} %X{remoteUser} %X{authToken} %X{duration} %X{project} [%X{contentType}] (%X{userAgent})%n
+appender.access.policies.type = Policies
+appender.access.policies.time.type = TimeBasedTriggeringPolicy
+appender.access.policies.time.interval = 1
+
+appender.project.type = RollingFile
+appender.project.name = project
+appender.project.fileName = ${baseDir}/rundeck.project.log
+appender.project.append = true
+appender.project.bufferedIO = true
+appender.project.filePattern = ${baseDir}/rundeck.project.log.%d{yyyy-MM-dd}.gz
+appender.project.layout.type = PatternLayout
+appender.project.layout.pattern = ${prefix} - %m%n
+appender.project.policies.type = Policies
+appender.project.policies.time.type = TimeBasedTriggeringPolicy 
+appender.project.policies.time.interval = 1
+
+appender.cleanup.type = RollingFile
+appender.cleanup.name = cleanup
+appender.cleanup.fileName = ${baseDir}/rundeck.cleanup.log
+appender.cleanup.append = true
+appender.cleanup.bufferedIO = true
+appender.cleanup.filePattern = ${baseDir}/rundeck.cleanup.log.%d{yyyy-MM-dd}.gz
+appender.cleanup.layout.type = PatternLayout
+appender.cleanup.layout.pattern = ${prefix} - %m%n
+appender.cleanup.policies.type = Policies
+appender.cleanup.policies.time.type = TimeBasedTriggeringPolicy
+appender.cleanup.policies.time.interval = 1
+
+appender.webhooks.type = RollingFile
+appender.webhooks.name = webhooks
+appender.webhooks.fileName = ${baseDir}/rundeck.webhooks.log
+appender.webhooks.append = true
+appender.webhooks.bufferedIO = true
+appender.webhooks.filePattern = ${baseDir}/rundeck.webhooks.log.%d{yyyy-MM-dd}.gz
+appender.webhooks.layout.type = PatternLayout
+appender.webhooks.layout.pattern = ${prefix} - %m%n
+appender.webhooks.policies.type = Policies
+appender.webhooks.policies.time.type = TimeBasedTriggeringPolicy
+appender.webhooks.policies.time.interval = 1
+
+rootLogger.level = warn
+rootLogger.appenderRef.stdout.ref = STDOUT
+rootLogger.appenderRef.rundeck.ref = rundeck
+
+logger.interceptors.name = rundeck.interceptors
+logger.interceptors.level = info
+logger.interceptors.additivity = false
+logger.interceptors.appenderRef.stdout.ref = STDOUT
+
+logger.rundeckapp.name = rundeckapp
+logger.rundeckapp.level = <%= $rundeck::app_log_level %>
+logger.rundeckapp.additivity = false
+logger.rundeckapp.appenderRef.stdout.ref = STDOUT
+
+logger.bootstrap.name = rundeckapp.BootStrap
+logger.bootstrap.level = info
+logger.bootstrap.additivity = false
+logger.bootstrap.appenderRef.stdout.ref = STDOUT
+
+logger.grails.name = grails
+logger.grails.level = warn
+logger.grails.additivity = false
+logger.grails.appenderRef.stdout.ref = STDOUT
+
+logger.grails_env.name = grails.util.Environment
+logger.grails_env.level = error 
+logger.grails_env.additivity = false
+logger.grails_env.appenderRef.stdout.ref = STDOUT
+
+logger.prjmanager.name = grails.app.services.rundeck.services.ProjectManagerService
+logger.prjmanager.level = info
+logger.prjmanager.additivity = false
+logger.prjmanager.appenderRef.stdout.ref = STDOUT
+
+logger.authorization.name = com.dtolabs.rundeck.core.authorization
+logger.authorization.level = <%= $rundeck::audit_log_level %>
+logger.authorization.additivity = false
+logger.authorization.appenderRef.stdout.ref = audit
+
+logger.options.name = com.dtolabs.rundeck.remoteservice.http.options
+logger.options.level = info
+logger.options.additivity = false
+logger.options.appenderRef.stdout.ref = options
+
+logger.jobchanges.name = com.dtolabs.rundeck.data.jobs.changes
+logger.jobchanges.level = info
+logger.jobchanges.additivity = false
+logger.jobchanges.appenderRef.stdout.ref = jobchanges
+
+logger.execevents.name = org.rundeck.execution.status
+logger.execevents.level = info
+logger.execevents.additivity = false
+logger.execevents.appenderRef.stdout.ref = execevents
+
+logger.apirequests.name = org.rundeck.api.requests
+logger.apirequests.level = info
+logger.apirequests.additivity = false
+logger.apirequests.appenderRef.stdout.ref = apirequests
+
+logger.access.name = org.rundeck.web.requests
+logger.access.level = info
+logger.access.additivity = false
+logger.access.appenderRef.access.ref = access
+
+logger.project.name = org.rundeck.project.events
+logger.project.level = info
+logger.project.additivity = false
+logger.project.appenderRef.stdout.ref = project
+
+logger.storage.name = org.rundeck.storage.events
+logger.storage.level = info
+logger.storage.additivity = false
+logger.storage.appenderRef.storage.ref = storage
+
+logger.webhook_events.name = org.rundeck.webhook.events
+logger.webhook_events.level = info
+logger.webhook_events.additivity = false
+logger.webhook_events.appenderRef.webhooks.ref = webhooks
+
+logger.webhook_plugins.name = 
org.rundeck.plugin.webhook
+logger.webhook_plugins.level = debug
+logger.webhook_plugins.additivity = false
+logger.webhook_plugins.appenderRef.webhooks.ref = webhooks
+
+logger.cleanup.name = rundeck.quartzjobs.ExecutionsCleanUp
+logger.cleanup.level = debug
+logger.cleanup.additivity = false
+logger.cleanup.appenderRef.cleanup.ref = cleanup
+
+logger.jetty.name = org.mortbay.log
+logger.jetty.level = warn
+logger.jetty.additivity = false
+logger.jetty.appenderRef.stdout.ref = STDOUT
+
+logger.hibernate.name = org.hibernate.orm.deprecation
+logger.hibernate.level = error
+logger.hibernate.additivity = false
+logger.hibernate.appenderRef.stdout.ref = STDOUT
+
+logger.rundeck_jaas.name = com.dtolabs.rundeck.jetty.jaas
+logger.rundeck_jaas.level = debug
+logger.rundeck_jaas.additivity = false
+logger.rundeck_jaas.appenderRef.stdout.ref = STDOUT
+
+logger.spring_security.name = grails.plugin.springsecurity.web.authentication.GrailsUsernamePasswordAuthenticationFilter
+logger.spring_security.level = debug
+logger.spring_security.additivity = false
+logger.spring_security.appenderRef.stdout.ref = STDOUT
+
+logger.jaas.name = org.rundeck.jaas
+logger.jaas.level = debug
+logger.jaas.additivity = false
+logger.jaas.appenderRef.stdout.ref = STDOUT
+
+#Quell a noisy WARN from this class
+logger.springBeanPropertyDescriptor.name = org.springframework.beans.GenericTypeAwarePropertyDescriptor
+logger.springBeanPropertyDescriptor.level = error
+logger.springBeanPropertyDescriptor.additivity = false
+logger.springBeanPropertyDescriptor.appenderRef.stdout.ref = STDOUT
diff --git a/templates/rundeck-config.epp b/templates/rundeck-config.epp
index d0628f03e..cac5cbd6b 100644
--- a/templates/rundeck-config.epp
+++ b/templates/rundeck-config.epp
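Review bot: `logger.rundeck_jaas`, `logger.spring_security` and `logger.jaas` are pinned to `debug` regardless of `$rundeck::app_log_level`, so every deployment emits debug-level output from the JAAS login modules and the username/password authentication filter to the console appender (wherever the service's stdout is collected), which is where login attempts and their failure details surface. Those lines should follow the configured level, `logger.rundeck_jaas.level = <%= $rundeck::app_log_level %>`, `logger.spring_security.level = <%= $rundeck::app_log_level %>`, `logger.jaas.level = <%= $rundeck::app_log_level %>`, and the same applies to the `webhook_plugins` and `cleanup` loggers. The deleted template consumed `@database_config['enable_h2_logs']` for an `h2database` logger and this file has no counterpart, so that key is silently ignored after the change; either add an H2 logger driven by it or drop the key from the documentation. `%X{authToken}` in the `apirequests` and `access` patterns is carried over from the old file; it is worth confirming that Rundeck puts an authentication-mode marker rather than the token value into that MDC key before it lands in two rotated log files. Naming the file-appender references `stdout` (`logger.authorization.appenderRef.stdout.ref = audit` and the options/jobchanges/execevents/apirequests/project loggers) is misleading; the `access`, `storage` and `webhooks` loggers already name the ref after the appender, which is the clearer convention.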
@@ -1,4 +1,4 @@ -loglevel.default = "<%= $rundeck::config::global::rundeck_config::rd_loglevel %>" +loglevel.default = "<%= $rundeck::app_log_level %>" rdeck.base = "<%= $rundeck::config::global::rundeck_config::rdeck_base %>" rss.enabled = "<%= $rundeck::config::global::rundeck_config::rss_enabled %>" rundeck.log4j.config.file = "<%= $rundeck::config::global::rundeck_config::properties_dir %>/log4j.properties" diff --git a/types/loglevel.pp b/types/loglevel.pp index e0e1de698..edfa9085c 100644 --- a/types/loglevel.pp +++ b/types/loglevel.pp @@ -1,2 +1,2 @@ # Rundeck log level type. -type Rundeck::Loglevel = Enum['ALL', 'DEBUG', 'ERROR', 'FATAL', 'INFO', 'OFF', 'TRACE', 'WARN'] +type Rundeck::Loglevel = Enum['all', 'debug', 'error', 'fatal', 'info', 'off', 'trace', 'warn'] From 918a30c68b273c5bd1eabb1a44f1af6a46108d19 Mon Sep 17 00:00:00 2001 From: Joris29 Date: Fri, 17 Nov 2023 17:09:39 +0100 Subject: [PATCH 18/82] Update params --- REFERENCE.md | 39 ++++++++++++++++++--------------------- data/common.yaml | 31 +++++++++++++++++++++++++++++++ manifests/init.pp | 20 ++++++++++---------- 3 files changed, 59 insertions(+), 31 deletions(-) diff --git a/REFERENCE.md b/REFERENCE.md index 4b2395751..3991e9191 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -51,11 +51,11 @@ Class to manage installation and configuration of Rundeck. The following parameters are available in the `rundeck` class: -* [`admin_policies`](#-rundeck--admin_policies) * [`acl_template`](#-rundeck--acl_template) +* [`admin_policies`](#-rundeck--admin_policies) * [`api_policies`](#-rundeck--api_policies) -* [`auth_config`](#-rundeck--auth_config) * [`auth_template`](#-rundeck--auth_template) +* [`auth_config`](#-rundeck--auth_config) * [`clustermode_enabled`](#-rundeck--clustermode_enabled) * [`database_config`](#-rundeck--database_config) * [`execution_mode`](#-rundeck--execution_mode) 
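Review bot: `loglevel.default` now reads `$rundeck::app_log_level` while the three lines that follow still resolve through `$rundeck::config::global::rundeck_config::*`, so this template depends on two different class layouts at once; later commits in this series show `contain rundeck::config::global::rundeck_config` commented out in `rundeck::config`, and if that class is not declared when the template renders, `rdeck.base`, `rss.enabled` and `rundeck.log4j.config.file` come out empty. The unchanged `rundeck.log4j.config.file = ".../log4j.properties"` also looks stale next to the log4j2 template this commit introduces — if the module now writes `log4j2.properties`, Rundeck is pointed at a file nobody manages. Until the rest is migrated, a comment on line 1 would record the state: `# TODO: remaining keys still read rundeck::config::global::rundeck_config; migrate with app_log_level`.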
@@ -131,43 +131,41 @@ The following parameters are available in the `rundeck` class: * [`script_args_quoted`](#-rundeck--script_args_quoted) * [`script_interpreter`](#-rundeck--script_interpreter) -##### `admin_policies` - -Data type: `Array[Hash]` - -Admin acl policies. - ##### `acl_template` Data type: `String` -The template used for admin acl policy. Default is rundeck/aclpolicy.erb. +The template used for acl policy. Needs to be in epp format. Default value: `'rundeck/aclpolicy.erb'` -##### `api_policies` +##### `admin_policies` Data type: `Array[Hash]` -Apitoken acl policies. +Admin acl policies. Default value is located in data/common.yaml. -Default value: `[]` - -##### `auth_config` +##### `api_policies` -Data type: `Rundeck::Authconfig` +Data type: `Array[Hash]` -Hash of properties for configuring [Rundeck JAAS Authentication](https://docs.rundeck.com/docs/administration/security/authentication.html#jetty-and-jaas-authentication) -Default value is located in data/common.yaml. +Apitoken acl policies. Default value is located in data/common.yaml. ##### `auth_template` Data type: `String` -The template used for authentication config. Default is rundeck/jaas-auth.conf.epp. +The template used for authentication config. Needs to be in epp format. Default value: `'rundeck/jaas-auth.conf.epp'` +##### `auth_config` + +Data type: `Rundeck::Authconfig` + +Hash of properties for configuring [Rundeck JAAS Authentication](https://docs.rundeck.com/docs/administration/security/authentication.html#jetty-and-jaas-authentication) +Default value is located in data/common.yaml. + ##### `clustermode_enabled` Data type: `Boolean` @@ -209,8 +207,7 @@ Default value: `{}` Data type: `Hash` Hash of properties for configuring the [Rundeck Framework](https://docs.rundeck.com/docs/administration/configuration/config-file-reference.html#framework-properties) - -Default value: `{}` +Default value is located in data/common.yaml. ##### `grails_server_url` 
@@ -276,7 +273,7 @@ The password for the given keystore. Data type: `String` -The template used for log properties. Default is rundeck/log4j.properties.erb. +The template used for log properties. Needs to be in epp format. Default value: `'rundeck/log4j2.properties.epp'` diff --git a/data/common.yaml b/data/common.yaml index 4b5806217..611a9b5d1 100644 --- a/data/common.yaml +++ b/data/common.yaml @@ -30,6 +30,37 @@ rundeck::admin_policies: - group: - 'admin' +rundeck::api_policies: + - description: 'Admin, all access' + context: + project: '.*' + for: + resource: + - allow: '*' + adhoc: + - allow: '*' + job: + - allow: '*' + node: + - allow: '*' + by: + - group: + - 'admin' + + - description: 'Admin, all access' + context: + application: 'rundeck' + for: + resource: + - allow: '*' + project: + - allow: '*' + storage: + - allow: '*' + by: + - group: + - 'admin' + rundeck::auth_config: file: auth_flag: 'required' diff --git a/manifests/init.pp b/manifests/init.pp index 583655b2c..10e5184d9 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
@@ -1,16 +1,16 @@ # @summary Class to manage installation and configuration of Rundeck. # -# @param admin_policies -# Admin acl policies. # @param acl_template -# The template used for admin acl policy. Default is rundeck/aclpolicy.erb. +# The template used for acl policy. Needs to be in epp format. +# @param admin_policies +# Admin acl policies. Default value is located in data/common.yaml. # @param api_policies -# Apitoken acl policies. +# Apitoken acl policies. Default value is located in data/common.yaml. +# @param auth_template +# The template used for authentication config. Needs to be in epp format. # @param auth_config # Hash of properties for configuring [Rundeck JAAS Authentication](https://docs.rundeck.com/docs/administration/security/authentication.html#jetty-and-jaas-authentication) # Default value is located in data/common.yaml. -# @param auth_template -# The template used for authentication config. Default is rundeck/jaas-auth.conf.epp. # @param clustermode_enabled # Boolean value if set to true enables cluster mode # @param database_config @@ -23,6 +23,7 @@ # Add keys to file keystorage. # @param framework_config # Hash of properties for configuring the [Rundeck Framework](https://docs.rundeck.com/docs/administration/configuration/config-file-reference.html#framework-properties) +# Default value is located in data/common.yaml. # @param grails_server_url # Sets `grails.serverURL` so that Rundeck knows its external address. # @param gui_config @@ -40,7 +41,7 @@ # @param keystore_password # The password for the given keystore. # @param log_properties_template -# The template used for log properties. Default is rundeck/log4j.properties.erb. +# The template used for log properties. Needs to be in epp format. # @param mail_config # A hash of the notification email configuraton. # @param key_password 
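Review bot: The rewritten `acl_template` doc in the first hunk says the template "Needs to be in epp format", but the parameter's default stays `'rundeck/aclpolicy.erb'` (visible as context in the next hunk of this file) and the `aclpolicyfile` define still documents an erb default, so the documentation promises a format the code does not use yet. Either keep the sentence factual until the template is converted, `# The template used for acl policy. Default is rundeck/aclpolicy.erb.`, or convert the template in the same commit. The same wording was copied into REFERENCE.md and would need the same correction.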
@@ -138,7 +139,9 @@ # class rundeck ( Array[Hash] $admin_policies, + Array[Hash] $api_policies, Rundeck::Authconfig $auth_config, + Hash $framework_config, Hash $database_config, Array[Hash] $key_storage_config, Hash $security_config, @@ -150,9 +153,6 @@ Boolean $manage_repo = true, String $package_ensure = 'installed', String $acl_template = 'rundeck/aclpolicy.erb', - Array[Hash] $api_policies = [], - - Hash $framework_config = {}, String $auth_template = 'rundeck/jaas-auth.conf.epp', From 8c2ebbfcefad73c6ee8a079f46ad7a878d6d5679 Mon Sep 17 00:00:00 2001 From: Joris29 Date: Mon, 20 Nov 2023 07:48:48 +0100 Subject: [PATCH 19/82] Update default api policies --- data/common.yaml | 57 ++++++++++++++++++++++++++++++++++++++---------- 1 file changed, 46 insertions(+), 11 deletions(-) diff --git a/data/common.yaml b/data/common.yaml index 611a9b5d1..1842e003b 100644 --- a/data/common.yaml +++ b/data/common.yaml 
@@ -31,35 +31,70 @@ rundeck::admin_policies: - 'admin' rundeck::api_policies: - - description: 'Admin, all access' + - description: 'API project level access control' context: project: '.*' for: resource: - - allow: '*' + - equals: + kind: 'job' + allow: + - 'create' + - 'delete' + - equals: + kind: 'node' + allow: + - 'read' + - 'create' + - 'update' + - 'refresh' + - equals: + kind: 'event' + allow: + - 'read' + - 'create' adhoc: - - allow: '*' + - allow: + - 'read' + - 'run' + - 'kill' job: - - allow: '*' + - allow: + - 'create' + - 'read' + - 'update' + - 'delete' + - 'run' + - 'kill' node: - - allow: '*' + - allow: + - 'read' + - 'run' by: - group: - - 'admin' + - 'api_token_group' - - description: 'Admin, all access' + - description: 'API Application level access control' context: application: 'rundeck' for: resource: - - allow: '*' + - equals: + kind: 'system' + allow: + - 'read' project: - - allow: '*' + - match: + name: '.*' + allow: + - 'read' storage: - - allow: '*' + - match: + path: '(keys|keys/.*)' + allow: '*' by: - group: - - 'admin' + - 'api_token_group' rundeck::auth_config: file: From f6d671b255f7d88a774dad76a4047d916f580e90 Mon Sep 17 00:00:00 2001 From: Joris29 Date: Mon, 20 Nov 2023 07:56:51 +0100 Subject: [PATCH 20/82] Update init.pp --- manifests/init.pp | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/manifests/init.pp b/manifests/init.pp index 10e5184d9..376862b37 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -152,9 +152,6 @@ Hash $repo_config, Boolean $manage_repo = true, String $package_ensure = 'installed', - String $acl_template = 'rundeck/aclpolicy.erb', - - String $auth_template = 'rundeck/jaas-auth.conf.epp', Boolean $clustermode_enabled = false, Enum['active', 'passive'] $execution_mode = 'active', 
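Review bot: The application-level `storage` rule in the new `rundeck::api_policies` keeps `allow: '*'` on `path: '(keys|keys/.*)'` for `api_token_group`, which is the only wildcard left in these defaults and means any API token in that group can create, update and delete every entry in key storage rather than just read it. The sibling `system` and `project` rules in the same policy were narrowed to `read`, so if parity was the intent, `allow: - 'read'` is the least-privilege default; if write access to keys is deliberate, a YAML comment on that rule saying why would help, since module data becomes the default for every consumer. Narrowing here is cheaper than each deployment overriding the whole list.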
@@ -165,17 +162,20 @@ String $jvm_args = '-Xmx1024m -Xms256m -server', Hash $kerberos_realms = {}, Stdlib::Absolutepath $keystore = '/etc/rundeck/ssl/keystore', - String $log_properties_template = 'rundeck/log4j2.properties.epp', Hash $mail_config = {}, Boolean $manage_default_admin_policy = true, Boolean $manage_default_api_policy = true, - + # Log config Rundeck::Loglevel $app_log_level = 'info', Rundeck::Loglevel $audit_log_level = 'info', - String $rdeck_config_template = 'rundeck/rundeck-config.epp', - Optional[String] $rdeck_profile_template = undef, - String $rdeck_override_template = 'rundeck/profile_overrides.erb', + # Template config + String $config_template = 'rundeck/rundeck-config.epp', + Optional[String] $profile_template = undef, + String $override_template = 'rundeck/profile_overrides.erb', String $realm_template = 'rundeck/realm.properties.epp', + String $acl_template = 'rundeck/aclpolicy.erb', + String $auth_template = 'rundeck/jaas-auth.conf.epp', + String $log_properties_template = 'rundeck/log4j2.properties.epp', Boolean $rss_enabled = false, String $security_role = 'user', From ccecd7bf195fbb08309bec69f7488cf736c1ee9b Mon Sep 17 00:00:00 2001 From: Joris29 Date: Mon, 20 Nov 2023 08:25:56 +0100 Subject: [PATCH 21/82] Update profile overrides --- data/os/Debian.yaml | 2 +- data/os/RedHat.yaml | 2 +- manifests/config.pp | 17 +++++------------ manifests/init.pp | 14 ++++++-------- templates/profile_overrides.epp | 24 ++++++++++++++++++++++++ templates/profile_overrides.erb | 24 ------------------------ 6 files changed, 37 insertions(+), 46 deletions(-) create mode 100644 templates/profile_overrides.epp delete mode 100644 templates/profile_overrides.erb diff --git a/data/os/Debian.yaml b/data/os/Debian.yaml index 3aa208af0..ff12a6521 100644 --- a/data/os/Debian.yaml +++ b/data/os/Debian.yaml @@ -1,5 +1,5 @@ --- -rundeck::overrides_dir: '/etc/default' +rundeck::override_dir: '/etc/default' rundeck::repoconfig: 'apt::source': 
diff --git a/data/os/RedHat.yaml b/data/os/RedHat.yaml index 6d690d569..32c4a76e9 100644 --- a/data/os/RedHat.yaml +++ b/data/os/RedHat.yaml @@ -1,5 +1,5 @@ --- -rundeck::overrides_dir: '/etc/sysconfig' +rundeck::override_dir: '/etc/sysconfig' rundeck::repo_config: 'yumrepo': diff --git a/manifests/config.pp b/manifests/config.pp index 47b75cf97..d800be89d 100644 --- a/manifests/config.pp +++ b/manifests/config.pp @@ -76,18 +76,11 @@ } } - # if ($rundeck::rdeck_profile_template) { - # file { "${properties_dir}/profile": - # content => template($rundeck::rdeck_profile_template), - # require => File[$properties_dir], - # } - # } - - # if ($rundeck::rdeck_override_template) { - # file { "${rundeck::overrides_dir}/${rundeck::service_name}": - # content => template($rundeck::rdeck_override_template), - # } - # } + if ($rundeck::override_template) { + file { "${rundeck::override_dir}/${rundeck::service_name}": + content => epp($rundeck::override_template), + } + } # contain rundeck::config::global::framework # contain rundeck::config::global::project diff --git a/manifests/init.pp b/manifests/init.pp index 376862b37..032f5944b 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
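Review bot: The new `file { "${rundeck::override_dir}/${rundeck::service_name}": ... }` sets only `content`; this file is sourced by the service start-up and (per the template added in this commit) sets `JAVA_CMD` and `RDECK_JVM_SETTINGS`, so whoever can write it controls what the service executes, and its ownership and mode should be pinned here rather than inherited from the `File { }` defaults at the top of this class, which are outside the hunk and may well name the service user. I would add `owner => 'root', group => 'root', mode => '0644',` to the resource. The guard `if ($rundeck::override_template)` is also always true, since the parameter is a non-optional `String` with a default in this same commit; either drop the conditional or make the parameter `Optional[String]` so the intent is clear.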
@@ -81,12 +81,10 @@ # Home/base directory under which rundeck is installed. # @param manage_home # Whether to manage rundeck home dir. Defaults to true. -# @param rdeck_profile_template -# Allows you to use your own profile template instead of the default from the package maintainer -# @param rdeck_override_template -# Allows you to use your own override template instead of the default from the package maintainer +# @param override_template +# Allows you to use your own override template for rundeck profile instead of the default from the package maintainer # @param realm_template -# Allows you to use your own override template instead of the default from the package maintainer +# Allows you to use your own override template for realm properties instead of the default from the package maintainer # @param rss_enabled # Boolean value if set to true enables RSS feeds that are public (non-authenticated) # @param security_config @@ -149,6 +147,7 @@ String $keystore_password, String $truststore_password, Stdlib::Absolutepath $file_keystorage_dir, + Stdlib::Absolutepath $override_dir, Hash $repo_config, Boolean $manage_repo = true, String $package_ensure = 'installed', @@ -160,7 +159,7 @@ Hash $gui_config = {}, Optional[Stdlib::Absolutepath] $java_home = undef, String $jvm_args = '-Xmx1024m -Xms256m -server', - Hash $kerberos_realms = {}, + Optional[Hash] $kerberos_realms = undef, Stdlib::Absolutepath $keystore = '/etc/rundeck/ssl/keystore', Hash $mail_config = {}, Boolean $manage_default_admin_policy = true, @@ -170,8 +169,7 @@ Rundeck::Loglevel $audit_log_level = 'info', # Template config String $config_template = 'rundeck/rundeck-config.epp', - Optional[String] $profile_template = undef, - String $override_template = 'rundeck/profile_overrides.erb', + String $override_template = 'rundeck/profile_overrides.epp', String $realm_template = 'rundeck/realm.properties.epp', String $acl_template = 'rundeck/aclpolicy.erb', String $auth_template = 'rundeck/jaas-auth.conf.epp', 
diff --git a/templates/profile_overrides.epp b/templates/profile_overrides.epp new file mode 100644 index 000000000..7479ec09c --- /dev/null +++ b/templates/profile_overrides.epp @@ -0,0 +1,24 @@ +RDECK_BASE=<%= $rdeck_base %> +RDECK_CONFIG=<%= $properties_dir %> +RDECK_CONFIG_FILE="<%= $properties_dir %>/rundeck-config.groovy" +RDECK_INSTALL=<%= $rdeck_base %> +JAAS_CONF=$RDECK_CONFIG/jaas-auth.conf +LOGIN_MODULE=authentication +JAVA_CMD=java +RDECK_JVM_SETTINGS="<%= $jvm_args %>" + +<% if $server_web_context { -%> +RDECK_JVM_SETTINGS="$RDECK_JVM_SETTINGS -Dserver.web.context=<%= $server_web_context %>" +<% } -%> + +<% if $kerberos_realms { -%> +RDECK_JVM_SETTINGS="$RDECK_JVM_SETTINGS -Djava.security.krb5.conf=$RDECK_CONFIG/krb5.conf" +<% } -%> + +<% if $java_home { %> +JAVA_HOME=<%= $java_home %> +<% } %> + +<% if $ssl_enabled { -%> +RUNDECK_WITH_SSL=true +<% } -%> diff --git a/templates/profile_overrides.erb b/templates/profile_overrides.erb deleted file mode 100644 index 939e68d89..000000000 --- a/templates/profile_overrides.erb +++ /dev/null @@ -1,24 +0,0 @@ -RDECK_BASE=<%= @rdeck_base %> -RDECK_CONFIG=<%= @properties_dir %> -RDECK_CONFIG_FILE=<%= @properties_dir %>/rundeck-config.groovy -RDECK_INSTALL=<%= @rdeck_base %> -JAAS_CONF=$RDECK_CONFIG/jaas-auth.conf -LOGIN_MODULE=authentication -JAVA_CMD=java -RDECK_JVM_SETTINGS="<%= @jvm_args %>" - -<%- if @server_web_context -%> -RDECK_JVM_SETTINGS="$RDECK_JVM_SETTINGS -Dserver.web.context=<%= @server_web_context %>" -<%- end -%> - -<%- if !(@kerberos_realms.empty?) -%> -RDECK_JVM_SETTINGS="$RDECK_JVM_SETTINGS -Djava.security.krb5.conf=$RDECK_CONFIG/krb5.conf" -<%- end -%> - -<% if @java_home %> -JAVA_HOME=<%= @java_home %> -<% end %> - -<%- if @ssl_enabled -%> -RUNDECK_WITH_SSL=true -<%- end -%> From 08dfff7abb8a9753beb8f898d5c2bf6142a1bf72 Mon Sep 17 00:00:00 2001 
From: Joris29 Date: Mon, 20 Nov 2023 08:37:04 +0100 Subject: [PATCH 22/82] Update profiles template --- templates/profile_overrides.epp | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/templates/profile_overrides.epp b/templates/profile_overrides.epp index 7479ec09c..d7302da47 100644 --- a/templates/profile_overrides.epp +++ b/templates/profile_overrides.epp @@ -1,24 +1,24 @@ -RDECK_BASE=<%= $rdeck_base %> -RDECK_CONFIG=<%= $properties_dir %> -RDECK_CONFIG_FILE="<%= $properties_dir %>/rundeck-config.groovy" -RDECK_INSTALL=<%= $rdeck_base %> +RDECK_BASE=<%= $rundeck::home_dir %> +RDECK_CONFIG=<%= $rundeck::config::properties_dir %> +RDECK_CONFIG_FILE="<%= $rundeck::config::properties_dir %>/rundeck-config.groovy" +RDECK_INSTALL=<%= $rundeck::home_dir %> JAAS_CONF=$RDECK_CONFIG/jaas-auth.conf LOGIN_MODULE=authentication JAVA_CMD=java -RDECK_JVM_SETTINGS="<%= $jvm_args %>" +RDECK_JVM_SETTINGS="<%= $rundeck::jvm_args %>" -<% if $server_web_context { -%> -RDECK_JVM_SETTINGS="$RDECK_JVM_SETTINGS -Dserver.web.context=<%= $server_web_context %>" +<% if $rundeck::server_web_context { -%> +RDECK_JVM_SETTINGS="$RDECK_JVM_SETTINGS -Dserver.web.context=<%= $rundeck::server_web_context %>" <% } -%> -<% if $kerberos_realms { -%> +<% if $rundeck::kerberos_realms { -%> RDECK_JVM_SETTINGS="$RDECK_JVM_SETTINGS -Djava.security.krb5.conf=$RDECK_CONFIG/krb5.conf" <% } -%> -<% if $java_home { %> -JAVA_HOME=<%= $java_home %> +<% if $rundeck::java_home { %> +JAVA_HOME=<%= $rundeck::java_home %> <% } %> -<% if $ssl_enabled { -%> +<% if $rundeck::ssl_enabled { -%> RUNDECK_WITH_SSL=true <% } -%> From 23b0a0326dbb4cb40bd9b422dabee471f1c1e6b2 Mon Sep 17 00:00:00 2001 
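Review bot: The values rendered into `RDECK_JVM_SETTINGS="<%= $rundeck::jvm_args %>"` and `-Dserver.web.context=<%= $rundeck::server_web_context %>` land inside a double-quoted shell string that the service start-up sources, so a value containing `"`, `$(...)` or a backtick is executed rather than passed through; the data is operator-supplied, so the exposure is a typo or an over-broad Hiera layer rather than external input, but the file is shell and is worth treating as such. stdlib's `shell_escape` yields a shell-safe token, e.g. `RDECK_JVM_SETTINGS=<%= shell_escape($rundeck::jvm_args) %>` for line 8, and the concatenating lines below can stay as they are. A one-line comment at the top of the template noting that it renders a sourced shell file, not a properties file, would help the next editor.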
From: Joris29 Date: Mon, 20 Nov 2023 09:25:05 +0100 Subject: [PATCH 23/82] Update config structure --- manifests/config.pp | 32 ++------------ manifests/config/framework.pp | 24 ++++++++++ manifests/config/global/framework.pp | 44 ------------------- manifests/config/jaas_auth.pp | 31 +++++++++++++ .../config/{ => resource}/aclpolicyfile.pp | 4 +- .../config/{ => resource}/file_keystore.pp | 4 +- manifests/config/{ => resource}/plugin.pp | 4 +- manifests/config/{ => resource}/project.pp | 4 +- .../config/{ => resource}/resource_source.pp | 4 +- .../config/{ => resource}/securityroles.pp | 2 +- 10 files changed, 70 insertions(+), 83 deletions(-) create mode 100644 manifests/config/framework.pp delete mode 100644 manifests/config/global/framework.pp create mode 100644 manifests/config/jaas_auth.pp rename manifests/config/{ => resource}/aclpolicyfile.pp (95%) rename manifests/config/{ => resource}/file_keystore.pp (96%) rename manifests/config/{ => resource}/plugin.pp (91%) rename manifests/config/{ => resource}/project.pp (98%) rename manifests/config/{ => resource}/resource_source.pp (99%) rename manifests/config/{ => resource}/securityroles.pp (91%) diff --git a/manifests/config.pp b/manifests/config.pp index d800be89d..c2903478d 100644 --- a/manifests/config.pp +++ b/manifests/config.pp @@ -5,7 +5,6 @@ class rundeck::config { assert_private() - $auth_types = $rundeck::auth_config.keys $properties_dir = $rundeck::framework_config['framework.etc.dir'] File { 
@@ -27,37 +26,13 @@ } } - if 'file' in $auth_types { - file { "${properties_dir}/realm.properties": - content => Sensitive(epp($rundeck::realm_template)), - mode => '0600', - require => File[$properties_dir], - } - } else { - file { "${properties_dir}/realm.properties": - ensure => absent, - } - } - - if 'file' in $auth_types and 'ldap' in $auth_types { - $ldap_login_module = 'JettyCombinedLdapLoginModule' - } else { - $ldap_login_module = 'JettyCachingLdapLoginModule' - } - - file { "${properties_dir}/jaas-auth.conf": - content => Sensitive(epp($rundeck::auth_template)), - mode => '0600', - require => File[$properties_dir], - } - file { "${properties_dir}/log4j2.properties": content => epp($rundeck::log_properties_template), require => File[$properties_dir], } if $rundeck::manage_default_admin_policy { - rundeck::config::aclpolicyfile { 'admin': + rundeck::config::resource::aclpolicyfile { 'admin': acl_policies => $rundeck::admin_policies, owner => $rundeck::user, group => $rundeck::group, @@ -67,7 +42,7 @@ } if $rundeck::manage_default_api_policy { - rundeck::config::aclpolicyfile { 'apitoken': + rundeck::config::resource::aclpolicyfile { 'apitoken': acl_policies => $rundeck::api_policies, owner => $rundeck::user, group => $rundeck::group, @@ -82,7 +57,8 @@ } } - # contain rundeck::config::global::framework + contain rundeck::config::jaas_auth + contain rundeck::config::framework # contain rundeck::config::global::project # contain rundeck::config::global::rundeck_config # contain rundeck::config::global::file_keystore diff --git a/manifests/config/framework.pp b/manifests/config/framework.pp new file mode 100644 index 000000000..e3b32bfb1 --- /dev/null +++ b/manifests/config/framework.pp 
@@ -0,0 +1,24 @@
+# @api private
+#
+# @summary This private class is called from rundeck::config used to manage the framework properties of rundeck.
+#
+class rundeck::config::framework {
+ if $rundeck::ssl_enabled {
+ $_ssl_conig = {
+ 'framework.server.port' => $rundeck::ssl_port,
+ 'framework.server.url' => "https://${rundeck::framework_config['framework.server.name']}:${rundeck::ssl_port}",
+ }
+ } else {
+ $_ssl_config = {}
+ }
+
+ $_framework_config = merge($rundeck::framework_config, $_ssl_config)
+
+ file { "${rundeck::properties_dir}/framework.properties":
+ ensure => file,
+ content => epp('rundeck/framework.properties.epp'),
+ owner => $rundeck::user,
+ group => $rundeck::group,
+ require => File[$rundeck::properties_dir],
+ }
+}
diff --git a/manifests/config/global/framework.pp b/manifests/config/global/framework.pp
deleted file mode 100644
index 26d819718..000000000
--- a/manifests/config/global/framework.pp
+++ /dev/null
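Review bot: `$_ssl_conig = {` in the `if $rundeck::ssl_enabled` branch is a typo for `$_ssl_config`, so with SSL enabled `merge($rundeck::framework_config, $_ssl_config)` receives an unset variable — the catalog fails under `strict_variables`, and otherwise the `framework.server.port`/`framework.server.url` overrides are silently dropped and the server URL stays on the plain-HTTP port. The later hunk of this file in patch 24 (starting at the `merge(...)` line) does not touch it. The deleted `rundeck::config::global::framework` also set `mode => '0640'` on `framework.properties`; the new resource has no `mode`, so the file's permissions now depend on the `File { }` defaults in `rundeck::config` — add `mode => '0640',` next to `group` to keep the previous restriction.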
@@ -1,44 +0,0 @@
-# @api private
-#
-# @summary This private class is called from rundeck::config used to manage the framework properties of rundeck.
-#
-class rundeck::config::global::framework {
- $group = $rundeck::config::group
- $properties_dir = $rundeck::config::properties_dir
- $user = $rundeck::config::user
- $ssl_enabled = $rundeck::config::ssl_enabled
- $ssl_port = $rundeck::config::ssl_port
-
- $_framework_config = merge($rundeck::params::framework_config, $rundeck::framework_config)
-
- # Make sure that we use framework.server.hostname when using non-standard
- # port, rather than hard-coding to fqdn
- $rundeck_hostname = $_framework_config['framework.server.hostname']
- $rundeck_port = $_framework_config['framework.server.port']
-
- if $ssl_enabled {
- $framework_config_port = { 'framework.server.port' => $ssl_port }
- $framework_config_url = { 'framework.server.url' => "https://${rundeck_hostname}:${ssl_port}" }
- } elsif $rundeck_hostname != $rundeck::params::framework_config['framework.server.hostname'] {
- $framework_config_port = undef
- $framework_config_url = { 'framework.server.url' => "http://${rundeck_hostname}:${rundeck_port}" }
- } else {
- $framework_config_port = undef
- $framework_config_url = undef
- }
-
- $properties_file = "${properties_dir}/framework.properties"
-
- ensure_resource('file', $properties_dir, { 'ensure' => 'directory', 'owner' => $user, 'group' => $group })
-
- $framework_config = merge($_framework_config, $framework_config_url, $framework_config_port)
-
- file { $properties_file:
- ensure => file,
- content => epp('rundeck/framework.properties.epp'),
- owner => $user,
- group => $group,
- mode => '0640',
- require => File[$properties_dir],
- }
-}
diff --git a/manifests/config/jaas_auth.pp b/manifests/config/jaas_auth.pp
new file mode 100644
index 000000000..adf82f9e9
--- /dev/null
+++ b/manifests/config/jaas_auth.pp
@@ -0,0 +1,31 @@ +# @api private +# +# @summary This private class is called from rundeck::config used to manage jaas authentication for rundeck. +# +class rundeck::config::jaas_auth { + $auth_types = $rundeck::auth_config.keys + + if 'file' in $auth_types { + file { "${rundeck::config::properties_dir}/realm.properties": + content => Sensitive(epp($rundeck::realm_template)), + mode => '0600', + require => File[$rundeck::config::properties_dir], + } + } else { + file { "${rundeck::config::properties_dir}/realm.properties": + ensure => absent, + } + } + + if 'file' in $auth_types and 'ldap' in $auth_types { + $ldap_login_module = 'JettyCombinedLdapLoginModule' + } else { + $ldap_login_module = 'JettyCachingLdapLoginModule' + } + + file { "${rundeck::config::properties_dir}/jaas-auth.conf": + content => Sensitive(epp($rundeck::auth_template)), + mode => '0600', + require => File[$rundeck::config::properties_dir], + } +} diff --git a/manifests/config/aclpolicyfile.pp b/manifests/config/resource/aclpolicyfile.pp similarity index 95% rename from manifests/config/aclpolicyfile.pp rename to manifests/config/resource/aclpolicyfile.pp index e933b0558..08174c986 100644 --- a/manifests/config/aclpolicyfile.pp +++ b/manifests/config/resource/aclpolicyfile.pp @@ -1,7 +1,7 @@ # @summary This define will create a custom acl policy file. # # @example Admin access. -# rundeck::config::aclpolicyfile { 'myPolicyFile': +# rundeck::config::resource::aclpolicyfile { 'myPolicyFile': # acl_policies => [ # { # 'description' => 'Admin, all access', @@ -50,7 +50,7 @@ # @param template_file # The template used for acl policy. Default is rundeck/aclpolicy.erb # -define rundeck::config::aclpolicyfile ( +define rundeck::config::resource::aclpolicyfile ( Array[Hash] $acl_policies, String $group = 'rundeck', String $owner = 'rundeck', 
diff --git a/manifests/config/file_keystore.pp b/manifests/config/resource/file_keystore.pp similarity index 96% rename from manifests/config/file_keystore.pp rename to manifests/config/resource/file_keystore.pp index 80a656e56..ca68673da 100644 --- a/manifests/config/file_keystore.pp +++ b/manifests/config/resource/file_keystore.pp @@ -5,7 +5,7 @@ # without the proper security policies for the private key data in place. # # @example Basic usage. -# rundeck::config::file_keystore { 'mypassword': +# rundeck::config::resource::file_keystore { 'mypassword': # path => 'myproject/mypassword', # value => 'secret', # content_type => 'application/x-rundeck-data-password', @@ -39,7 +39,7 @@ # @param user # Default system user for the Rundeck framework # -define rundeck::config::file_keystore ( +define rundeck::config::resource::file_keystore ( Enum[ 'application/x-rundeck-data-password', 'application/pgp-keys', diff --git a/manifests/config/plugin.pp b/manifests/config/resource/plugin.pp similarity index 91% rename from manifests/config/plugin.pp rename to manifests/config/resource/plugin.pp index 9b25539cb..78ee31651 100644 --- a/manifests/config/plugin.pp +++ b/manifests/config/resource/plugin.pp @@ -1,7 +1,7 @@ # @summary This define will install a rundeck plugin. # # @example Basic usage. -# rundeck::config::plugin { 'rundeck-hipchat-plugin-1.0.0.jar': +# rundeck::config::resource::plugin { 'rundeck-hipchat-plugin-1.0.0.jar': # source => 'http://search.maven.org/remotecontent?filepath=com/hbakkum/rundeck/plugins/rundeck-hipchat-plugin/1.0.0/rundeck-hipchat-plugin-1.0.0.jar', # } # @@ -10,7 +10,7 @@ # @param source # The http source or local path from which to get the plugin. # -define rundeck::config::plugin ( +define rundeck::config::resource::plugin ( String $source, Enum['present', 'absent'] $ensure = 'present', ) { 
diff --git a/manifests/config/project.pp b/manifests/config/resource/project.pp similarity index 98% rename from manifests/config/project.pp rename to manifests/config/resource/project.pp index c852bbb1e..cc51fb513 100644 --- a/manifests/config/project.pp +++ b/manifests/config/resource/project.pp @@ -1,7 +1,7 @@ # @summary This define can be used to configure rundeck projects. # # @example Basic usage. -# rundeck::config::project { 'test project': +# rundeck::config::resource::project { 'test project': # ssh_keypath => '/var/lib/rundeck/.ssh/id_rsa', # file_copier_provider => 'jsch-scp', # node_executor_provider => 'jsch-ssh', @@ -32,7 +32,7 @@ # @param ssh_keypath # The path to the ssh key that will be used by the ssh/scp providers # -define rundeck::config::project ( +define rundeck::config::resource::project ( String $file_copier_provider = $rundeck::file_copier_provider, Hash $framework_config = $rundeck::framework_config, String $group = $rundeck::group, diff --git a/manifests/config/resource_source.pp b/manifests/config/resource/resource_source.pp similarity index 99% rename from manifests/config/resource_source.pp rename to manifests/config/resource/resource_source.pp index 90f5f4b49..77b0d82a4 100644 --- a/manifests/config/resource_source.pp +++ b/manifests/config/resource/resource_source.pp @@ -1,7 +1,7 @@ # @summary This define will create a resource source that gathers node information. # # @example Basic usage. -# rundeck::config::resource_source { 'myresource': +# rundeck::config::resource::resource_source { 'myresource': # project_name => 'myproject', # number => '1', # source_type => 'file', 
@@ -71,7 +71,7 @@ # @param puppet_enterprise_tag_source # The Puppet Enterprise tag source. # -define rundeck::config::resource_source ( +define rundeck::config::resource::resource_source ( Stdlib::Absolutepath $directory = $rundeck::params::default_resource_dir, Boolean $include_server_node = $rundeck::params::include_server_node, String $mapping_params = '', # lint:ignore:params_empty_string_assignment diff --git a/manifests/config/securityroles.pp b/manifests/config/resource/securityroles.pp similarity index 91% rename from manifests/config/securityroles.pp rename to manifests/config/resource/securityroles.pp index b27dd15de..7d774bf8e 100644 --- a/manifests/config/securityroles.pp +++ b/manifests/config/resource/securityroles.pp @@ -2,7 +2,7 @@ # Author: Zoltan Lanyi # Date : 03.06.2016 # -define rundeck::config::securityroles ( +define rundeck::config::resource::securityroles ( Stdlib::Absolutepath $web_xml = "${rundeck::home_dir}/exp/webapp/WEB-INF/web.xml" ) { augeas { "rundeck/web.xml/security-role/role-name/${name}": From 5d23b5cde9448de193f679baf25a780085ba616f Mon Sep 17 00:00:00 2001 From: Joris29 Date: Mon, 20 Nov 2023 09:43:31 +0100 Subject: [PATCH 24/82] Fix jaas auth template --- data/common.yaml | 2 +- manifests/config/framework.pp | 6 +++--- manifests/config/jaas_auth.pp | 13 +++++++------ templates/framework.properties.epp | 4 ++-- templates/jaas-auth.conf.epp | 6 +++--- 5 files changed, 16 insertions(+), 15 deletions(-) diff --git a/data/common.yaml b/data/common.yaml index 1842e003b..5fcdb8371 100644 --- a/data/common.yaml +++ b/data/common.yaml @@ -128,7 +128,7 @@ rundeck::framework_config: framework.ssh.user: 'rundeck' framework.ssh.timeout: '0' rdeck.base: '/var/lib/rundeck' - rundeck.server.uuid: "fqdn_uuid(%{facts.networking.fqdn})" + rundeck.server.uuid: "%{fqdn_uuid(facts.networking.fqdn)}" # Fix function rundeck::file_keystorage_dir: "%{lookup('rundeck::framework_config.framework.var.dir')}/storage" 
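Review bot: `"%{fqdn_uuid(facts.networking.fqdn)}"` is not a valid Hiera interpolation — Hiera 5 only knows `lookup`, `hiera`, `alias`, `literal` and `scope` — so, as far as I can tell, any lookup of `rundeck::framework_config` now fails with an unknown-interpolation-method error instead of yielding a UUID (the `# Fix function` comment on the following line suggests this is known). `fqdn_uuid` is a Puppet-side stdlib function; compute the value in the manifest, e.g. `'rundeck.server.uuid' => fqdn_uuid($facts['networking']['fqdn'])` merged into the framework hash in `rundeck::config::framework`, and drop the key from the YAML.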
diff --git a/manifests/config/framework.pp b/manifests/config/framework.pp index e3b32bfb1..3fe7bd3dd 100644 --- a/manifests/config/framework.pp +++ b/manifests/config/framework.pp @@ -14,11 +14,11 @@ $_framework_config = merge($rundeck::framework_config, $_ssl_config) - file { "${rundeck::properties_dir}/framework.properties": + file { "${rundeck::config::properties_dir}/framework.properties": ensure => file, - content => epp('rundeck/framework.properties.epp'), + content => epp('rundeck/framework.properties.epp', { framework_config => $_framework_config }), owner => $rundeck::user, group => $rundeck::group, - require => File[$rundeck::properties_dir], + require => File[$rundeck::config::properties_dir], } } diff --git a/manifests/config/jaas_auth.pp b/manifests/config/jaas_auth.pp index adf82f9e9..d4792f408 100644 --- a/manifests/config/jaas_auth.pp +++ b/manifests/config/jaas_auth.pp @@ -3,9 +3,10 @@ # @summary This private class is called from rundeck::config used to manage jaas authentication for rundeck. # class rundeck::config::jaas_auth { - $auth_types = $rundeck::auth_config.keys + $_auth_config = deep_merge(lookup('rundeck::auth_config'), $rundeck::auth_config) + $_auth_types = $_auth_config.keys - if 'file' in $auth_types { + if 'file' in $_auth_types { file { "${rundeck::config::properties_dir}/realm.properties": content => Sensitive(epp($rundeck::realm_template)), mode => '0600', 
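Review bot: `deep_merge(lookup('rundeck::auth_config'), $rundeck::auth_config)` merges a value with itself: `lookup` without a merge strategy is first-found, and the class parameter was bound from that same lookup, so an environment-level `rundeck::auth_config` shadows the module's `data/common.yaml` defaults in both operands and nothing from the module layer is merged in. If the intent is defaults-plus-overrides, express it as data — `lookup_options: { rundeck::auth_config: { merge: deep } }` in `data/common.yaml` — and use `$rundeck::auth_config` directly here, which makes `$_auth_config` unnecessary. That intent is inferred; if something else was meant, a comment on this line would help the next reader.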
@@ -17,14 +18,14 @@
 }
 }
- if 'file' in $auth_types and 'ldap' in $auth_types {
- $ldap_login_module = 'JettyCombinedLdapLoginModule'
+ if 'file' in $_auth_types and 'ldap' in $_auth_types {
+ $_ldap_login_module = 'JettyCombinedLdapLoginModule'
 } else {
- $ldap_login_module = 'JettyCachingLdapLoginModule'
+ $_ldap_login_module = 'JettyCachingLdapLoginModule'
 }
 file { "${rundeck::config::properties_dir}/jaas-auth.conf":
- content => Sensitive(epp($rundeck::auth_template)),
+ content => Sensitive(epp($rundeck::auth_template, { auth_config => $_auth_config, ldap_login_module => $_ldap_login_module })),
 mode => '0600',
 require => File[$rundeck::config::properties_dir],
 }
diff --git a/templates/framework.properties.epp b/templates/framework.properties.epp
index 08dccdfd1..b327ddcb6 100644
--- a/templates/framework.properties.epp
+++ b/templates/framework.properties.epp
@@ -1,3 +1,3 @@
-<%- $rundeck::config::global::framework::framework_config.keys.sort.each |$k| { -%>
-<%= $k %> = <%= $rundeck::config::global::framework::framework_config[$k] %>
+<%- $framework_config.keys.unique.sort.each |$k| { -%>
+<%= $k %> = <%= $framework_config[$k] %>
 <%- } -%>
diff --git a/templates/jaas-auth.conf.epp b/templates/jaas-auth.conf.epp
index 5f9c20d16..04e0a4bb9 100644
--- a/templates/jaas-auth.conf.epp
+++ b/templates/jaas-auth.conf.epp
@@ -1,5 +1,5 @@
 authentication {
-<%- $rundeck::config::auth_types.each |$_type| { -%>
+<%- $auth_config.keys.each |$_type| { -%>
 <%- if $_type == 'file' { -%>
 <%- if $rundeck::auth_config['file']['auth_flag'] {-%>
 org.eclipse.jetty.jaas.spi.PropertyFileLoginModule <%= $rundeck::auth_config['file']['auth_flag'] %>
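Review bot: `$framework_config.keys.unique.sort` in the new loop header of framework.properties.epp — hash keys are unique by construction, so `.unique` is a no-op and reads as if duplicate keys were expected; `<%- $framework_config.keys.sort.each |$k| { -%>` yields the same output. Declaring the template's input at the top with `<%- | Hash $framework_config | -%>` would additionally make the `epp()` call in framework.pp fail with a clear message when the hash is not passed, instead of rendering an empty file.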
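Review bot: The new loop header `<%- $auth_config.keys.each |$_type| { -%>` iterates the merged hash passed in as `auth_config`, but the body on the following context lines — and the `+` lines of this file's second hunk (`@@ -11,9 +11,9 @@`) in the ldap branch — still read `$rundeck::auth_config['file'][...]` and `$rundeck::auth_config['ldap'][...]`, i.e. the raw class parameter. For a type present only in the merged hash the subscript lands on undef, which is a compilation error in Puppet, and where both hashes contain the type the `auth_flag` and `jaas_config` values are taken from a different hash than the one that selected the module, so a realm could be emitted with flags the operator did not set. Unless a later patch in this series already does so, replace every `$rundeck::auth_config` in the template with `$auth_config` and declare the inputs at the top with `<%- | Hash $auth_config, String $ldap_login_module | -%>` so a missing key fails at compile time rather than producing a half-written JAAS configuration.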
@@ -11,9 +11,9 @@ authentication {
 <%-}-%>;
 <%- } elsif $_type == 'ldap' { -%>
 <%- if $rundeck::auth_config['ldap']['auth_flag'] {-%>
- com.dtolabs.rundeck.jetty.jaas.<%= $rundeck::config::ldap_login_module %> <%= $rundeck::auth_config['ldap']['auth_flag'] %>
+ com.dtolabs.rundeck.jetty.jaas.<%= $ldap_login_module %> <%= $rundeck::auth_config['ldap']['auth_flag'] %>
 <%-} else {-%>
- com.dtolabs.rundeck.jetty.jaas.<%= $rundeck::config::ldap_login_module %> required
+ com.dtolabs.rundeck.jetty.jaas.<%= $ldap_login_module %> required
 <%-}-%>
 contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
 <%- $rundeck::auth_config['ldap']['jaas_config'].each |$_key, $_value| {-%>
From 798dd72230248e82915629b3339af351d5271c2f Mon Sep 17 00:00:00 2001
From: Joris29
Date: Mon, 20 Nov 2023 12:19:38 +0100
Subject: [PATCH 25/82] Update jaas auth template
---
 REFERENCE.md | 353 ++++++++++++++--------------
 manifests/config.pp | 6 +-
 manifests/config/framework.pp | 6 +-
 manifests/config/jaas_auth.pp | 2 +-
 manifests/init.pp | 10 +-
 templates/framework.properties.epp | 4 +-
 templates/jaas-auth.conf.epp | 22 +-
 templates/profile_overrides.epp | 4 +-
 8 files changed, 192 insertions(+), 215 deletions(-)
diff --git a/REFERENCE.md b/REFERENCE.md
index 3991e9191..b391a7047 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -14,22 +14,23 @@ #### Private Classes * `rundeck::config`: This class is called from rundeck to manage the configuration. +* `rundeck::config::framework`: This private class is called from rundeck::config used to manage the framework properties of rundeck. * `rundeck::config::global::file_keystore`: This private class is used to manage the keys of the Rundeck key storage facility if a file-based backend is used. -* `rundeck::config::global::framework`: This private class is called from rundeck::config used to manage the framework properties of rundeck. * `rundeck::config::global::project`: This private class is called from rundeck::config used to manage the default project properties. * `rundeck::config::global::rundeck_config`: This private class is called from rundeck::config used to manage the rundeck-config properties. * `rundeck::config::global::ssl`: This private class is called from rundeck::config used to manage the ssl properties if ssl is enabled. +* `rundeck::config::jaas_auth`: This private class is called from rundeck::config used to manage jaas authentication for rundeck. * `rundeck::install`: This class is called from rundeck for install. * `rundeck::service`: This class is called from rundeck to manage service. ### Defined types -* [`rundeck::config::aclpolicyfile`](#rundeck--config--aclpolicyfile): This define will create a custom acl policy file. -* [`rundeck::config::file_keystore`](#rundeck--config--file_keystore): This define will create the 'content' and 'meta' components for the key to be stored. -* [`rundeck::config::plugin`](#rundeck--config--plugin): This define will install a rundeck plugin. -* [`rundeck::config::project`](#rundeck--config--project): This define can be used to configure rundeck projects. -* [`rundeck::config::resource_source`](#rundeck--config--resource_source): This define will create a resource source that gathers node information. 
-* [`rundeck::config::securityroles`](#rundeck--config--securityroles): Author: Zoltan Lanyi Date : 03.06.2016 +* [`rundeck::config::resource::aclpolicyfile`](#rundeck--config--resource--aclpolicyfile): This define will create a custom acl policy file. +* [`rundeck::config::resource::file_keystore`](#rundeck--config--resource--file_keystore): This define will create the 'content' and 'meta' components for the key to be stored. +* [`rundeck::config::resource::plugin`](#rundeck--config--resource--plugin): This define will install a rundeck plugin. +* [`rundeck::config::resource::project`](#rundeck--config--resource--project): This define can be used to configure rundeck projects. +* [`rundeck::config::resource::resource_source`](#rundeck--config--resource--resource_source): This define will create a resource source that gathers node information. +* [`rundeck::config::resource::securityroles`](#rundeck--config--resource--securityroles): Author: Zoltan Lanyi Date : 03.06.2016 ### Functions @@ -54,7 +55,6 @@ The following parameters are available in the `rundeck` class: * [`acl_template`](#-rundeck--acl_template) * [`admin_policies`](#-rundeck--admin_policies) * [`api_policies`](#-rundeck--api_policies) -* [`auth_template`](#-rundeck--auth_template) * [`auth_config`](#-rundeck--auth_config) * [`clustermode_enabled`](#-rundeck--clustermode_enabled) * [`database_config`](#-rundeck--database_config) 
@@ -87,11 +87,9 @@ The following parameters are available in the `rundeck` class: * [`quartz_job_threadcount`](#-rundeck--quartz_job_threadcount) * [`app_log_level`](#-rundeck--app_log_level) * [`audit_log_level`](#-rundeck--audit_log_level) -* [`rdeck_config_template`](#-rundeck--rdeck_config_template) -* [`home_dir`](#-rundeck--home_dir) +* [`config_template`](#-rundeck--config_template) * [`manage_home`](#-rundeck--manage_home) -* [`rdeck_profile_template`](#-rundeck--rdeck_profile_template) -* [`rdeck_override_template`](#-rundeck--rdeck_override_template) +* [`override_template`](#-rundeck--override_template) * [`realm_template`](#-rundeck--realm_template) * [`rss_enabled`](#-rundeck--rss_enabled) * [`security_config`](#-rundeck--security_config) @@ -117,6 +115,7 @@ The following parameters are available in the `rundeck` class: * [`security_roles_array_enabled`](#-rundeck--security_roles_array_enabled) * [`security_roles_array`](#-rundeck--security_roles_array) * [`storage_encrypt_config`](#-rundeck--storage_encrypt_config) +* [`override_dir`](#-rundeck--override_dir) * [`file_copier_provider`](#-rundeck--file_copier_provider) * [`node_executor_provider`](#-rundeck--node_executor_provider) * [`resource_sources`](#-rundeck--resource_sources) @@ -151,14 +150,6 @@ Data type: `Array[Hash]` Apitoken acl policies. Default value is located in data/common.yaml. -##### `auth_template` - -Data type: `String` - -The template used for authentication config. Needs to be in epp format. - -Default value: `'rundeck/jaas-auth.conf.epp'` - ##### `auth_config` Data type: `Rundeck::Authconfig` @@ -243,11 +234,11 @@ Default value: `'-Xmx1024m -Xms256m -server'` ##### `kerberos_realms` -Data type: `Hash` +Data type: `Optional[Hash]` A hash of mappings between Kerberos domain DNS names and realm names -Default value: `{}` +Default value: `undef` ##### `key_storage_config` 
@@ -402,7 +393,7 @@ The log4j logging level to be set for the Rundeck autorization. Default value: `'info'` -##### `rdeck_config_template` +##### `config_template` Data type: `String` @@ -410,14 +401,6 @@ Allows you to override the rundeck-config template. Default value: `'rundeck/rundeck-config.epp'` -##### `home_dir` - -Data type: `Stdlib::Absolutepath` - -Home/base directory under which rundeck is installed. - -Default value: `'/var/lib/rundeck'` - ##### `manage_home` Data type: `Boolean` @@ -426,27 +409,19 @@ Whether to manage rundeck home dir. Defaults to true. Default value: `true` -##### `rdeck_profile_template` - -Data type: `Optional[String]` - -Allows you to use your own profile template instead of the default from the package maintainer - -Default value: `undef` - -##### `rdeck_override_template` +##### `override_template` Data type: `String` -Allows you to use your own override template instead of the default from the package maintainer +Allows you to use your own override template for rundeck profile instead of the default from the package maintainer -Default value: `'rundeck/profile_overrides.erb'` +Default value: `'rundeck/profile_overrides.epp'` ##### `realm_template` Data type: `String` -Allows you to use your own override template instead of the default from the package maintainer +Allows you to use your own override template for realm properties instead of the default from the package maintainer Default value: `'rundeck/realm.properties.epp'` @@ -639,6 +614,12 @@ https://docs.rundeck.com/docs/administration/configuration/plugins/configuring.h Default value: `{}` +##### `override_dir` + +Data type: `Stdlib::Absolutepath` + + + ##### `file_copier_provider` Data type: `String` @@ -801,7 +782,7 @@ Default value: `"${rundeck::home_dir}/exp/webapp/WEB-INF/web.xml"` ## Defined types -### `rundeck::config::aclpolicyfile` +### `rundeck::config::resource::aclpolicyfile` This define will create a custom acl policy file. 
@@ -810,7 +791,7 @@ This define will create a custom acl policy file. ##### Admin access. ```puppet -rundeck::config::aclpolicyfile { 'myPolicyFile': +rundeck::config::resource::aclpolicyfile { 'myPolicyFile': acl_policies => [ { 'description' => 'Admin, all access', @@ -851,21 +832,21 @@ rundeck::config::aclpolicyfile { 'myPolicyFile': #### Parameters -The following parameters are available in the `rundeck::config::aclpolicyfile` defined type: +The following parameters are available in the `rundeck::config::resource::aclpolicyfile` defined type: -* [`acl_policies`](#-rundeck--config--aclpolicyfile--acl_policies) -* [`group`](#-rundeck--config--aclpolicyfile--group) -* [`owner`](#-rundeck--config--aclpolicyfile--owner) -* [`properties_dir`](#-rundeck--config--aclpolicyfile--properties_dir) -* [`template_file`](#-rundeck--config--aclpolicyfile--template_file) +* [`acl_policies`](#-rundeck--config--resource--aclpolicyfile--acl_policies) +* [`group`](#-rundeck--config--resource--aclpolicyfile--group) +* [`owner`](#-rundeck--config--resource--aclpolicyfile--owner) +* [`properties_dir`](#-rundeck--config--resource--aclpolicyfile--properties_dir) +* [`template_file`](#-rundeck--config--resource--aclpolicyfile--template_file) -##### `acl_policies` +##### `acl_policies` Data type: `Array[Hash]` An array of hashes containing acl policies. See example. -##### `group` +##### `group` Data type: `String` @@ -873,7 +854,7 @@ The group permission that rundeck is installed as. Default value: `'rundeck'` -##### `owner` +##### `owner` Data type: `String` @@ -881,7 +862,7 @@ The user that rundeck is installed as. Default value: `'rundeck'` -##### `properties_dir` +##### `properties_dir` Data type: `Stdlib::Absolutepath` @@ -889,7 +870,7 @@ The rundeck configuration directory. Default value: `'/etc/rundeck'` -##### `template_file` +##### `template_file` Data type: `String` 
@@ -897,7 +878,7 @@ The template used for acl policy. Default is rundeck/aclpolicy.erb Default value: `"${module_name}/aclpolicy.erb"` -### `rundeck::config::file_keystore` +### `rundeck::config::resource::file_keystore` Currently supports password-based public keys. Private keys are also supported, but not recommended to be privisioned via this mechanism @@ -908,7 +889,7 @@ without the proper security policies for the private key data in place. ##### Basic usage. ```puppet -rundeck::config::file_keystore { 'mypassword': +rundeck::config::resource::file_keystore { 'mypassword': path => 'myproject/mypassword', value => 'secret', content_type => 'application/x-rundeck-data-password', 
@@ -918,23 +899,23 @@ rundeck::config::file_keystore { 'mypassword': #### Parameters -The following parameters are available in the `rundeck::config::file_keystore` defined type: +The following parameters are available in the `rundeck::config::resource::file_keystore` defined type: -* [`content_type`](#-rundeck--config--file_keystore--content_type) -* [`data_type`](#-rundeck--config--file_keystore--data_type) -* [`path`](#-rundeck--config--file_keystore--path) -* [`value`](#-rundeck--config--file_keystore--value) -* [`auth_created_username`](#-rundeck--config--file_keystore--auth_created_username) -* [`auth_modified_username`](#-rundeck--config--file_keystore--auth_modified_username) -* [`content_creation_time`](#-rundeck--config--file_keystore--content_creation_time) -* [`content_mask`](#-rundeck--config--file_keystore--content_mask) -* [`content_modify_time`](#-rundeck--config--file_keystore--content_modify_time) -* [`content_size`](#-rundeck--config--file_keystore--content_size) -* [`file_keystorage_dir`](#-rundeck--config--file_keystore--file_keystorage_dir) -* [`group`](#-rundeck--config--file_keystore--group) -* [`user`](#-rundeck--config--file_keystore--user) +* [`content_type`](#-rundeck--config--resource--file_keystore--content_type) +* [`data_type`](#-rundeck--config--resource--file_keystore--data_type) +* [`path`](#-rundeck--config--resource--file_keystore--path) +* [`value`](#-rundeck--config--resource--file_keystore--value) +* [`auth_created_username`](#-rundeck--config--resource--file_keystore--auth_created_username) +* [`auth_modified_username`](#-rundeck--config--resource--file_keystore--auth_modified_username) +* [`content_creation_time`](#-rundeck--config--resource--file_keystore--content_creation_time) +* [`content_mask`](#-rundeck--config--resource--file_keystore--content_mask) +* [`content_modify_time`](#-rundeck--config--resource--file_keystore--content_modify_time) +* [`content_size`](#-rundeck--config--resource--file_keystore--content_size) 
+* [`file_keystorage_dir`](#-rundeck--config--resource--file_keystore--file_keystorage_dir) +* [`group`](#-rundeck--config--resource--file_keystore--group) +* [`user`](#-rundeck--config--resource--file_keystore--user) -##### `content_type` +##### `content_type` Data type: @@ -948,25 +929,25 @@ Enum[ MIME type of the content -##### `data_type` +##### `data_type` Data type: `Enum['password', 'public', 'private']` Data type (password, public-key or private-key) -##### `path` +##### `path` Data type: `String` The path of the named key -##### `value` +##### `value` Data type: `String` The actual value (password) of the named key -##### `auth_created_username` +##### `auth_created_username` Data type: `String` @@ -974,7 +955,7 @@ User who created the key Default value: `$rundeck::framework_config['framework.ssh.user']` -##### `auth_modified_username` +##### `auth_modified_username` Data type: `String` @@ -982,7 +963,7 @@ User who last modified the key Default value: `$rundeck::framework_config['framework.ssh.user']` -##### `content_creation_time` +##### `content_creation_time` Data type: `String` @@ -990,7 +971,7 @@ When the key was first created Default value: `chomp(generate('/bin/date', '+%Y-%m-%dT%H:%M:%SZ'))` -##### `content_mask` +##### `content_mask` Data type: `String` @@ -998,7 +979,7 @@ Content mask (default is 'content') Default value: `'content'` -##### `content_modify_time` +##### `content_modify_time` Data type: `String` @@ -1006,7 +987,7 @@ When the key was modified Default value: `chomp(generate('/bin/date', '+%Y-%m-%dT%H:%M:%SZ'))` -##### `content_size` +##### `content_size` Data type: `Optional[Integer]` @@ -1014,7 +995,7 @@ Size of the content string in bytes Default value: `undef` -##### `file_keystorage_dir` +##### `file_keystorage_dir` Data type: `Stdlib::Absolutepath` 
@@ -1022,7 +1003,7 @@ Base directory for file-based key storage (defaulted to /var/lib/rundeck/var/sto Default value: `$rundeck::file_keystorage_dir` -##### `group` +##### `group` Data type: `String` @@ -1030,7 +1011,7 @@ Default system group for the Rundeck framework Default value: `$rundeck::config::group` -##### `user` +##### `user` Data type: `String` @@ -1038,7 +1019,7 @@ Default system user for the Rundeck framework Default value: `$rundeck::config::user` -### `rundeck::config::plugin` +### `rundeck::config::resource::plugin` This define will install a rundeck plugin. @@ -1047,19 +1028,19 @@ This define will install a rundeck plugin. ##### Basic usage. ```puppet -rundeck::config::plugin { 'rundeck-hipchat-plugin-1.0.0.jar': +rundeck::config::resource::plugin { 'rundeck-hipchat-plugin-1.0.0.jar': source => 'http://search.maven.org/remotecontent?filepath=com/hbakkum/rundeck/plugins/rundeck-hipchat-plugin/1.0.0/rundeck-hipchat-plugin-1.0.0.jar', } ``` #### Parameters -The following parameters are available in the `rundeck::config::plugin` defined type: +The following parameters are available in the `rundeck::config::resource::plugin` defined type: -* [`ensure`](#-rundeck--config--plugin--ensure) -* [`source`](#-rundeck--config--plugin--source) +* [`ensure`](#-rundeck--config--resource--plugin--ensure) +* [`source`](#-rundeck--config--resource--plugin--source) -##### `ensure` +##### `ensure` Data type: `Enum['present', 'absent']` @@ -1067,13 +1048,13 @@ Set present or absent to add or remove the plugin Default value: `'present'` -##### `source` +##### `source` Data type: `String` The http source or local path from which to get the plugin. -### `rundeck::config::project` +### `rundeck::config::resource::project` This define can be used to configure rundeck projects. 
@@ -1082,7 +1063,7 @@ This define can be used to configure rundeck projects. ##### Basic usage. ```puppet -rundeck::config::project { 'test project': +rundeck::config::resource::project { 'test project': ssh_keypath => '/var/lib/rundeck/.ssh/id_rsa', file_copier_provider => 'jsch-scp', node_executor_provider => 'jsch-ssh', 
@@ -1093,21 +1074,21 @@ rundeck::config::project { 'test project': #### Parameters -The following parameters are available in the `rundeck::config::project` defined type: +The following parameters are available in the `rundeck::config::resource::project` defined type: -* [`file_copier_provider`](#-rundeck--config--project--file_copier_provider) -* [`framework_config`](#-rundeck--config--project--framework_config) -* [`group`](#-rundeck--config--project--group) -* [`user`](#-rundeck--config--project--user) -* [`node_executor_provider`](#-rundeck--config--project--node_executor_provider) -* [`node_executor_settings`](#-rundeck--config--project--node_executor_settings) -* [`projects_dir`](#-rundeck--config--project--projects_dir) -* [`resource_sources`](#-rundeck--config--project--resource_sources) -* [`scm_import_properties`](#-rundeck--config--project--scm_import_properties) -* [`scm_export_properties`](#-rundeck--config--project--scm_export_properties) -* [`ssh_keypath`](#-rundeck--config--project--ssh_keypath) +* [`file_copier_provider`](#-rundeck--config--resource--project--file_copier_provider) +* [`framework_config`](#-rundeck--config--resource--project--framework_config) +* [`group`](#-rundeck--config--resource--project--group) +* [`user`](#-rundeck--config--resource--project--user) +* [`node_executor_provider`](#-rundeck--config--resource--project--node_executor_provider) +* [`node_executor_settings`](#-rundeck--config--resource--project--node_executor_settings) +* [`projects_dir`](#-rundeck--config--resource--project--projects_dir) +* [`resource_sources`](#-rundeck--config--resource--project--resource_sources) +* [`scm_import_properties`](#-rundeck--config--resource--project--scm_import_properties) +* [`scm_export_properties`](#-rundeck--config--resource--project--scm_export_properties) +* [`ssh_keypath`](#-rundeck--config--resource--project--ssh_keypath) -##### `file_copier_provider` +##### `file_copier_provider` Data type: `String` 
@@ -1115,7 +1096,7 @@ The type of proivder that will be used for copying files to each of the nodes Default value: `$rundeck::file_copier_provider` -##### `framework_config` +##### `framework_config` Data type: `Hash` @@ -1123,7 +1104,7 @@ Rundeck framework config Default value: `$rundeck::framework_config` -##### `group` +##### `group` Data type: `String` @@ -1131,7 +1112,7 @@ Rundeck group Default value: `$rundeck::group` -##### `user` +##### `user` Data type: `String` @@ -1139,7 +1120,7 @@ Rundeck user Default value: `$rundeck::user` -##### `node_executor_provider` +##### `node_executor_provider` Data type: `String` @@ -1147,7 +1128,7 @@ The type of provider that will be used to gather node resources Default value: `$rundeck::node_executor_provider` -##### `node_executor_settings` +##### `node_executor_settings` Data type: `Hash` @@ -1155,7 +1136,7 @@ Node executor settings Default value: `{}` -##### `projects_dir` +##### `projects_dir` Data type: `Optional[Stdlib::Absolutepath]` @@ -1163,7 +1144,7 @@ The directory where rundeck is configured to store project information Default value: `undef` -##### `resource_sources` +##### `resource_sources` Data type: `Hash` @@ -1171,7 +1152,7 @@ A hash of rundeck::config::resource_source that will be used to specify the node Default value: `$rundeck::resource_sources` -##### `scm_import_properties` +##### `scm_import_properties` Data type: `Hash` @@ -1179,7 +1160,7 @@ A hash of name value pairs representing properties for the scm-import.properties Default value: `{}` -##### `scm_export_properties` +##### `scm_export_properties` Data type: `Hash` @@ -1187,7 +1168,7 @@ A hash of name value pairs representing properties for the scm-export.properties Default value: `{}` -##### `ssh_keypath` +##### `ssh_keypath` Data type: `Optional[Stdlib::Absolutepath]` 
@@ -1195,7 +1176,7 @@ The path to the ssh key that will be used by the ssh/scp providers Default value: `undef` -### `rundeck::config::resource_source` +### `rundeck::config::resource::resource_source` This define will create a resource source that gathers node information. @@ -1204,7 +1185,7 @@ This define will create a resource source that gathers node information. ##### Basic usage. ```puppet -rundeck::config::resource_source { 'myresource': +rundeck::config::resource::resource_source { 'myresource': project_name => 'myproject', number => '1', source_type => 'file', 
@@ -1215,40 +1196,40 @@ rundeck::config::resource_source { 'myresource': #### Parameters -The following parameters are available in the `rundeck::config::resource_source` defined type: - -* [`directory`](#-rundeck--config--resource_source--directory) -* [`include_server_node`](#-rundeck--config--resource_source--include_server_node) -* [`mapping_params`](#-rundeck--config--resource_source--mapping_params) -* [`number`](#-rundeck--config--resource_source--number) -* [`project_name`](#-rundeck--config--resource_source--project_name) -* [`resource_format`](#-rundeck--config--resource_source--resource_format) -* [`running_only`](#-rundeck--config--resource_source--running_only) -* [`script_args`](#-rundeck--config--resource_source--script_args) -* [`script_args_quoted`](#-rundeck--config--resource_source--script_args_quoted) -* [`script_file`](#-rundeck--config--resource_source--script_file) -* [`script_interpreter`](#-rundeck--config--resource_source--script_interpreter) -* [`source_type`](#-rundeck--config--resource_source--source_type) -* [`url`](#-rundeck--config--resource_source--url) -* [`url_cache`](#-rundeck--config--resource_source--url_cache) -* [`url_timeout`](#-rundeck--config--resource_source--url_timeout) -* [`use_default_mapping`](#-rundeck--config--resource_source--use_default_mapping) -* [`endpoint_url`](#-rundeck--config--resource_source--endpoint_url) -* [`assume_role_arn`](#-rundeck--config--resource_source--assume_role_arn) -* [`filter_tag`](#-rundeck--config--resource_source--filter_tag) -* [`http_proxy_port`](#-rundeck--config--resource_source--http_proxy_port) -* [`refresh_interval`](#-rundeck--config--resource_source--refresh_interval) -* [`puppet_enterprise_host`](#-rundeck--config--resource_source--puppet_enterprise_host) -* [`puppet_enterprise_port`](#-rundeck--config--resource_source--puppet_enterprise_port) -* [`puppet_enterprise_ssl_dir`](#-rundeck--config--resource_source--puppet_enterprise_ssl_dir) -* 
[`puppet_enterprise_certificate_name`](#-rundeck--config--resource_source--puppet_enterprise_certificate_name) -* [`puppet_enterprise_mapping_file`](#-rundeck--config--resource_source--puppet_enterprise_mapping_file) -* [`puppet_enterprise_metrics_interval`](#-rundeck--config--resource_source--puppet_enterprise_metrics_interval) -* [`puppet_enterprise_node_query`](#-rundeck--config--resource_source--puppet_enterprise_node_query) -* [`puppet_enterprise_default_node_tag`](#-rundeck--config--resource_source--puppet_enterprise_default_node_tag) -* [`puppet_enterprise_tag_source`](#-rundeck--config--resource_source--puppet_enterprise_tag_source) - -##### `directory` +The following parameters are available in the `rundeck::config::resource::resource_source` defined type: + +* [`directory`](#-rundeck--config--resource--resource_source--directory) +* [`include_server_node`](#-rundeck--config--resource--resource_source--include_server_node) +* [`mapping_params`](#-rundeck--config--resource--resource_source--mapping_params) +* [`number`](#-rundeck--config--resource--resource_source--number) +* [`project_name`](#-rundeck--config--resource--resource_source--project_name) +* [`resource_format`](#-rundeck--config--resource--resource_source--resource_format) +* [`running_only`](#-rundeck--config--resource--resource_source--running_only) +* [`script_args`](#-rundeck--config--resource--resource_source--script_args) +* [`script_args_quoted`](#-rundeck--config--resource--resource_source--script_args_quoted) +* [`script_file`](#-rundeck--config--resource--resource_source--script_file) +* [`script_interpreter`](#-rundeck--config--resource--resource_source--script_interpreter) +* [`source_type`](#-rundeck--config--resource--resource_source--source_type) +* [`url`](#-rundeck--config--resource--resource_source--url) +* [`url_cache`](#-rundeck--config--resource--resource_source--url_cache) +* [`url_timeout`](#-rundeck--config--resource--resource_source--url_timeout) +* 
[`use_default_mapping`](#-rundeck--config--resource--resource_source--use_default_mapping) +* [`endpoint_url`](#-rundeck--config--resource--resource_source--endpoint_url) +* [`assume_role_arn`](#-rundeck--config--resource--resource_source--assume_role_arn) +* [`filter_tag`](#-rundeck--config--resource--resource_source--filter_tag) +* [`http_proxy_port`](#-rundeck--config--resource--resource_source--http_proxy_port) +* [`refresh_interval`](#-rundeck--config--resource--resource_source--refresh_interval) +* [`puppet_enterprise_host`](#-rundeck--config--resource--resource_source--puppet_enterprise_host) +* [`puppet_enterprise_port`](#-rundeck--config--resource--resource_source--puppet_enterprise_port) +* [`puppet_enterprise_ssl_dir`](#-rundeck--config--resource--resource_source--puppet_enterprise_ssl_dir) +* [`puppet_enterprise_certificate_name`](#-rundeck--config--resource--resource_source--puppet_enterprise_certificate_name) +* [`puppet_enterprise_mapping_file`](#-rundeck--config--resource--resource_source--puppet_enterprise_mapping_file) +* [`puppet_enterprise_metrics_interval`](#-rundeck--config--resource--resource_source--puppet_enterprise_metrics_interval) +* [`puppet_enterprise_node_query`](#-rundeck--config--resource--resource_source--puppet_enterprise_node_query) +* [`puppet_enterprise_default_node_tag`](#-rundeck--config--resource--resource_source--puppet_enterprise_default_node_tag) +* [`puppet_enterprise_tag_source`](#-rundeck--config--resource--resource_source--puppet_enterprise_tag_source) + +##### `directory` Data type: `Stdlib::Absolutepath` @@ -1256,7 +1237,7 @@ When the directory source_type is specified this is the path to that directory. Default value: `$rundeck::params::default_resource_dir` -##### `include_server_node` +##### `include_server_node` Data type: `Boolean` 
@@ -1264,7 +1245,7 @@ Boolean value to decide whether or not to include the server node in your list o Default value: `$rundeck::params::include_server_node` -##### `mapping_params` +##### `mapping_params` Data type: `String` @@ -1273,7 +1254,7 @@ and what their values will be set to using a "selector" on properties of the EC2 Default value: `''` -##### `number` +##### `number` Data type: `Integer` @@ -1281,7 +1262,7 @@ The sequential number of the resource within the project. Default value: `1` -##### `project_name` +##### `project_name` Data type: `Optional[String]` @@ -1289,7 +1270,7 @@ The name of the project for which this resource in intended to be a part. Default value: `undef` -##### `resource_format` +##### `resource_format` Data type: `Enum['resourcexml', 'resourceyaml']` @@ -1297,7 +1278,7 @@ The format of the resource that will procesed, either resourcexml or resourceyam Default value: `$rundeck::params::resource_format` -##### `running_only` +##### `running_only` Data type: `Boolean` @@ -1305,7 +1286,7 @@ Boolean to retrieve only running AWS EC2 instances. Default value: `true` -##### `script_args` +##### `script_args` Data type: `String` @@ -1313,7 +1294,7 @@ A string of the full arguments to pass the the specified script. Default value: `''` -##### `script_args_quoted` +##### `script_args_quoted` Data type: `Boolean` @@ -1321,7 +1302,7 @@ Boolean value. Quote the arguments of the script. Default value: `$rundeck::params::script_args_quoted` -##### `script_file` +##### `script_file` Data type: `Optional[Stdlib::Absolutepath]` @@ -1329,7 +1310,7 @@ When the script source_type is specified this is the path that that script. Default value: `undef` -##### `script_interpreter` +##### `script_interpreter` Data type: `String` @@ -1337,7 +1318,7 @@ The interpreter to use in executing the script. Defaults to: '/bin/bash' Default value: `$rundeck::params::script_interpreter` -##### `source_type` +##### `source_type` Data type: `Rundeck::Sourcetype` 
@@ -1345,7 +1326,7 @@ The source type where resources will come from: file, directory, url or script. Default value: `$rundeck::params::default_source_type` -##### `url` +##### `url` Data type: `String` @@ -1353,7 +1334,7 @@ When the url source_type is specified this is the path to that url. Default value: `''` -##### `url_cache` +##### `url_cache` Data type: `Boolean` @@ -1361,7 +1342,7 @@ Boolean value. Keep a local cache of the resources pulled from the url. Default value: `$rundeck::params::url_cache` -##### `url_timeout` +##### `url_timeout` Data type: `Integer` @@ -1369,7 +1350,7 @@ An integer value in seconds that rundeck will wait for resources from the url be Default value: `$rundeck::params::url_timeout` -##### `use_default_mapping` +##### `use_default_mapping` Data type: `Boolean` @@ -1377,7 +1358,7 @@ When using the aws-ec2 source_type,this specifies wheter to use the default mapp Default value: `true` -##### `endpoint_url` +##### `endpoint_url` Data type: `Optional[String]` @@ -1385,7 +1366,7 @@ The API AWS endpoint. Default value: `undef` -##### `assume_role_arn` +##### `assume_role_arn` Data type: `Optional[String[1]]` @@ -1393,7 +1374,7 @@ When using the aws-ec2 source_type, this specifies the assume role ARN parameter Default value: `undef` -##### `filter_tag` +##### `filter_tag` Data type: `String` @@ -1401,7 +1382,7 @@ String value for using tags. Default value: `''` -##### `http_proxy_port` +##### `http_proxy_port` Data type: `Stdlib::Port` @@ -1409,7 +1390,7 @@ An integer value that defines the http proxy port. Default value: `$rundeck::params::default_http_proxy_port` -##### `refresh_interval` +##### `refresh_interval` Data type: `Integer` @@ -1417,7 +1398,7 @@ How often the data will be updated. Default value: `$rundeck::params::default_refresh_interval` -##### `puppet_enterprise_host` +##### `puppet_enterprise_host` Data type: `Optional[String]` 
@@ -1425,7 +1406,7 @@ The Puppet Enterprise host. Default value: `undef` -##### `puppet_enterprise_port` +##### `puppet_enterprise_port` Data type: `Optional[Stdlib::Port]` @@ -1433,7 +1414,7 @@ The Puppet Enterprise port. Default value: `undef` -##### `puppet_enterprise_ssl_dir` +##### `puppet_enterprise_ssl_dir` Data type: `Optional[Stdlib::Absolutepath]` @@ -1441,7 +1422,7 @@ The Puppet Enterprise ssl directory. Default value: `undef` -##### `puppet_enterprise_certificate_name` +##### `puppet_enterprise_certificate_name` Data type: `Optional[String]` @@ -1449,7 +1430,7 @@ The Puppet Enterprise certificate name. Default value: `undef` -##### `puppet_enterprise_mapping_file` +##### `puppet_enterprise_mapping_file` Data type: `Optional[Stdlib::Absolutepath]` @@ -1457,7 +1438,7 @@ The Puppet Enterprise mapping file. Default value: `undef` -##### `puppet_enterprise_metrics_interval` +##### `puppet_enterprise_metrics_interval` Data type: `Optional[Integer]` @@ -1465,7 +1446,7 @@ The Puppet Enterprise metrics interval. Default value: `undef` -##### `puppet_enterprise_node_query` +##### `puppet_enterprise_node_query` Data type: `Optional[String]` @@ -1473,7 +1454,7 @@ The Puppet Enterprise node query. Default value: `undef` -##### `puppet_enterprise_default_node_tag` +##### `puppet_enterprise_default_node_tag` Data type: `Optional[String]` @@ -1481,7 +1462,7 @@ The Puppet Enterprise default node tag. Default value: `undef` -##### `puppet_enterprise_tag_source` +##### `puppet_enterprise_tag_source` Data type: `Optional[String]` 
@@ -1489,18 +1470,18 @@ The Puppet Enterprise tag source. Default value: `undef` -### `rundeck::config::securityroles` +### `rundeck::config::resource::securityroles` Author: Zoltan Lanyi Date : 03.06.2016 #### Parameters -The following parameters are available in the `rundeck::config::securityroles` defined type: +The following parameters are available in the `rundeck::config::resource::securityroles` defined type: -* [`web_xml`](#-rundeck--config--securityroles--web_xml) +* [`web_xml`](#-rundeck--config--resource--securityroles--web_xml) -##### `web_xml` +##### `web_xml` Data type: `Stdlib::Absolutepath` diff --git a/manifests/config.pp b/manifests/config.pp index c2903478d..2787f23c8 100644 --- a/manifests/config.pp +++ b/manifests/config.pp @@ -5,7 +5,9 @@ class rundeck::config { assert_private() - $properties_dir = $rundeck::framework_config['framework.etc.dir'] + $framework_config = deep_merge(lookup('rundeck::framework_config'), $rundeck::framework_config) + $properties_dir = $framework_config['framework.etc.dir'] + $base_dir = $framework_config['rdeck.base'] File { owner => $rundeck::user, @@ -13,7 +15,7 @@ } if $rundeck::manage_home { - file { $rundeck::home_dir: + file { $base_dir: ensure => directory, mode => '0755', } diff --git a/manifests/config/framework.pp b/manifests/config/framework.pp index 3fe7bd3dd..fa07db995 100644 --- a/manifests/config/framework.pp +++ b/manifests/config/framework.pp 
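Review bot: The new `$framework_config = deep_merge(lookup('rundeck::framework_config'), $rundeck::framework_config)` in the config.pp hunk needs a comment explaining why the class parameter is merged over a fresh lookup of the same key: with automatic parameter lookup both sides are normally identical, and the merge only matters when the class is declared with an explicit hash, in which case data-layer defaults can be added to but never removed. Suggested comment above the line: `# Merge caller-supplied framework_config over the data-layer defaults; default keys cannot be unset this way.` A bare `lookup()` with no default also fails compilation when the key is absent from the data layer, so `lookup('rundeck::framework_config', Hash, 'deep', {})` is the safer form. The class body continues outside the hunk.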
@@ -6,17 +6,17 @@ if $rundeck::ssl_enabled { $_ssl_conig = { 'framework.server.port' => $rundeck::ssl_port, - 'framework.server.url' => "https://${rundeck::framework_config['framework.server.name']}:${rundeck::ssl_port}", + 'framework.server.url' => "https://${rundeck::config::framework_config['framework.server.name']}:${rundeck::ssl_port}", } } else { $_ssl_config = {} } - $_framework_config = merge($rundeck::framework_config, $_ssl_config) + $_framework_config = deep_merge($rundeck::config::framework_config, $_ssl_config) file { "${rundeck::config::properties_dir}/framework.properties": ensure => file, - content => epp('rundeck/framework.properties.epp', { framework_config => $_framework_config }), + content => epp('rundeck/framework.properties.epp', { _framework_config => $_framework_config }), owner => $rundeck::user, group => $rundeck::group, require => File[$rundeck::config::properties_dir], diff --git a/manifests/config/jaas_auth.pp b/manifests/config/jaas_auth.pp index d4792f408..1feb36bcb 100644 --- a/manifests/config/jaas_auth.pp +++ b/manifests/config/jaas_auth.pp @@ -25,7 +25,7 @@ } file { "${rundeck::config::properties_dir}/jaas-auth.conf": - content => Sensitive(epp($rundeck::auth_template, { auth_config => $_auth_config, ldap_login_module => $_ldap_login_module })), + content => Sensitive(epp('rundeck/jaas-auth.conf.epp', { _auth_config => $_auth_config, _ldap_login_module => $_ldap_login_module })), mode => '0600', require => File[$rundeck::config::properties_dir], } diff --git a/manifests/init.pp b/manifests/init.pp index 032f5944b..4853fa9ea 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
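Review bot: The new `$_framework_config = deep_merge($rundeck::config::framework_config, $_ssl_config)` reads `$_ssl_config`, but the `if $rundeck::ssl_enabled` branch shown in the context lines assigns `$_ssl_conig` (typo), so with SSL enabled the port and URL overrides are never merged and, under strict variables, the merge line fails with an unknown-variable error. Change the assignment in that branch to `$_ssl_config = {`. The hunk also renames the EPP parameter to `_framework_config`; that only works because the template hunk later on this page renames it too, so both should stay in the same commit. The class header is outside the hunk.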
@@ -6,8 +6,6 @@ # Admin acl policies. Default value is located in data/common.yaml. # @param api_policies # Apitoken acl policies. Default value is located in data/common.yaml. -# @param auth_template -# The template used for authentication config. Needs to be in epp format. # @param auth_config # Hash of properties for configuring [Rundeck JAAS Authentication](https://docs.rundeck.com/docs/administration/security/authentication.html#jetty-and-jaas-authentication) # Default value is located in data/common.yaml. @@ -75,10 +73,8 @@ # The log4j logging level to be set for the Rundeck application. # @param audit_log_level # The log4j logging level to be set for the Rundeck autorization. -# @param rdeck_config_template +# @param config_template # Allows you to override the rundeck-config template. -# @param home_dir -# Home/base directory under which rundeck is installed. # @param manage_home # Whether to manage rundeck home dir. Defaults to true. # @param override_template @@ -172,7 +168,6 @@ String $override_template = 'rundeck/profile_overrides.epp', String $realm_template = 'rundeck/realm.properties.epp', String $acl_template = 'rundeck/aclpolicy.erb', - String $auth_template = 'rundeck/jaas-auth.conf.epp', String $log_properties_template = 'rundeck/log4j2.properties.epp', Boolean $rss_enabled = false, @@ -220,8 +215,7 @@ Integer $url_timeout = 30, Boolean $script_args_quoted = true, Stdlib::Absolutepath $script_interpreter = '/bin/bash', - # Home config - Stdlib::Absolutepath $home_dir = '/var/lib/rundeck', + Boolean $manage_home = true, ) { validate_rd_policy($admin_policies) diff --git a/templates/framework.properties.epp b/templates/framework.properties.epp index b327ddcb6..188aa4caa 100644 --- a/templates/framework.properties.epp +++ b/templates/framework.properties.epp 
@@ -1,3 +1,3 @@
-<%- $framework_config.keys.unique.sort.each |$k| { -%>
-<%= $k %> = <%= $framework_config[$k] %>
+<%- $_framework_config.keys.unique.sort.each |$k| { -%>
+<%= $k %> = <%= $_framework_config[$k] %>
 <%- } -%>
diff --git a/templates/jaas-auth.conf.epp b/templates/jaas-auth.conf.epp
index 04e0a4bb9..4d71665db 100644
--- a/templates/jaas-auth.conf.epp
+++ b/templates/jaas-auth.conf.epp
@@ -1,31 +1,31 @@ authentication { -<%- $auth_config.keys.each |$_type| { -%> +<%- $_auth_config.keys.each |$_type| { -%> <%- if $_type == 'file' { -%> -<%- if $rundeck::auth_config['file']['auth_flag'] {-%> - org.eclipse.jetty.jaas.spi.PropertyFileLoginModule <%= $rundeck::auth_config['file']['auth_flag'] %> +<%- if $_auth_config['file']['auth_flag'] {-%> + org.eclipse.jetty.jaas.spi.PropertyFileLoginModule <%= $_auth_config['file']['auth_flag'] %> <%-} else {-%> org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required <%-}-%> -<%- $rundeck::auth_config['file']['jaas_config'].each |$_key, $_value| {-%> +<%- $_auth_config['file']['jaas_config'].each |$_key, $_value| {-%> <%= $_key -%>="<%= $_value -%>" <%-}-%>; <%- } elsif $_type == 'ldap' { -%> -<%- if $rundeck::auth_config['ldap']['auth_flag'] {-%> - com.dtolabs.rundeck.jetty.jaas.<%= $ldap_login_module %> <%= $rundeck::auth_config['ldap']['auth_flag'] %> +<%- if $_auth_config['ldap']['auth_flag'] {-%> + com.dtolabs.rundeck.jetty.jaas.<%= $_ldap_login_module %> <%= $_auth_config['ldap']['auth_flag'] %> <%-} else {-%> - com.dtolabs.rundeck.jetty.jaas.<%= $ldap_login_module %> required + com.dtolabs.rundeck.jetty.jaas.<%= $_ldap_login_module %> required <%-}-%> contextFactory="com.sun.jndi.ldap.LdapCtxFactory" -<%- $rundeck::auth_config['ldap']['jaas_config'].each |$_key, $_value| {-%> +<%- $_auth_config['ldap']['jaas_config'].each |$_key, $_value| {-%> <%= $_key -%>="<%= $_value -%>" <%-}-%>; <%- } elsif $_type == 'pam' { -%> -<%- if $rundeck::auth_config['pam']['auth_flag'] {-%> - org.rundeck.jaas.jetty.JettyPamLoginModule <%= $rundeck::auth_config['pam']['auth_flag'] %> +<%- if $_auth_config['pam']['auth_flag'] {-%> + org.rundeck.jaas.jetty.JettyPamLoginModule <%= $_auth_config['pam']['auth_flag'] %> <%-} else {-%> org.rundeck.jaas.jetty.JettyPamLoginModule required <%-}-%> -<%- $rundeck::auth_config['pam']['jaas_config'].each |$_key, $_value| {-%> +<%- $_auth_config['pam']['jaas_config'].each |$_key, 
$_value| {-%> <%= $_key -%>="<%= $_value -%>" <%-}-%>; <%- } -%> diff --git a/templates/profile_overrides.epp b/templates/profile_overrides.epp index d7302da47..42cd0fec9 100644 --- a/templates/profile_overrides.epp +++ b/templates/profile_overrides.epp @@ -1,7 +1,7 @@ -RDECK_BASE=<%= $rundeck::home_dir %> +RDECK_BASE=<%= $rundeck::config::base_dir %> RDECK_CONFIG=<%= $rundeck::config::properties_dir %> RDECK_CONFIG_FILE="<%= $rundeck::config::properties_dir %>/rundeck-config.groovy" -RDECK_INSTALL=<%= $rundeck::home_dir %> +RDECK_INSTALL=<%= $rundeck::config::base_dir %> JAAS_CONF=$RDECK_CONFIG/jaas-auth.conf LOGIN_MODULE=authentication JAVA_CMD=java From 126629536f47acf99f35d8403df9b48ca26831b9 Mon Sep 17 00:00:00 2001 From: Joris29 Date: Tue, 21 Nov 2023 07:27:33 +0100 Subject: [PATCH 26/82] Allow empty auth config --- data/common.yaml | 7 ------- 1 file changed, 7 deletions(-) diff --git a/data/common.yaml b/data/common.yaml index 5fcdb8371..f804f2c51 100644 --- a/data/common.yaml +++ b/data/common.yaml @@ -105,13 +105,6 @@ rundeck::auth_config: admin_user: 'admin' admin_password: 'admin' auth_users: {} - ldap: - jaas_config: - blabla: 'dgdfg' - pam: - auth_flag: 'sufficient' - jaas_config: - service_account: 'ewrwer' rundeck::framework_config: framework.server.name: "%{facts.networking.fqdn}" From 7ee7b02fe33a1d1f10133663183279769319de61 Mon Sep 17 00:00:00 2001 From: Joris29 Date: Tue, 21 Nov 2023 07:41:24 +0100 Subject: [PATCH 27/82] Update jaas auth config --- data/{common.yaml => defaults.yaml} | 6 ++- hiera.yaml | 4 +- manifests/config.pp | 2 +- manifests/config/framework.pp | 6 +-- manifests/config/global/project.pp | 66 +++-------------------------- manifests/config/jaas_auth.pp | 4 +- manifests/init.pp | 4 +- templates/project.properties.epp | 3 ++ templates/realm.properties.epp | 16 +++---- 9 files changed, 32 insertions(+), 79 deletions(-) rename data/{common.yaml => defaults.yaml} (91%) create mode 100644 templates/project.properties.epp 
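Review bot: The per-type loops `$_auth_config['file']['jaas_config'].each`, `$_auth_config['ldap']['jaas_config'].each` and `$_auth_config['pam']['jaas_config'].each` call `.each` on whatever the hash holds, and the `Rundeck::Authconfig` type only constrains each entry to `Hash[String, Data]`, so an auth type declared without a `jaas_config` key aborts the template with an undef-is-not-iterable error instead of emitting the module line with no options. Guard each loop, e.g. `<%- if $_auth_config[$_type]['jaas_config'] { -%>`; since `$_type` is already in scope, the three near-identical blocks could also share one lookup. Values are written as `="<%= $_value -%>"` with no escaping, so a value containing `"` or a newline corrupts the JAAS file; a template comment stating that values must not contain double quotes would at least make the constraint visible.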
diff --git a/data/common.yaml b/data/defaults.yaml similarity index 91% rename from data/common.yaml rename to data/defaults.yaml index f804f2c51..16d9be44c 100644 --- a/data/common.yaml +++ b/data/defaults.yaml @@ -121,7 +121,11 @@ rundeck::framework_config: framework.ssh.user: 'rundeck' framework.ssh.timeout: '0' rdeck.base: '/var/lib/rundeck' - rundeck.server.uuid: "%{fqdn_uuid(facts.networking.fqdn)}" # Fix function + +rundeck::project_config: + project.dir: "%{lookup('rundeck::framework_config.framework.projects.dir')}/${project.name}" + project.etc.dir: "%{lookup('rundeck::framework_config.framework.projects.dir')}/${project.name}/etc" + project.resources.file: "%{lookup('rundeck::framework_config.framework.projects.dir')}/${project.name}/etc/resources.xml" rundeck::file_keystorage_dir: "%{lookup('rundeck::framework_config.framework.var.dir')}/storage" diff --git a/hiera.yaml b/hiera.yaml index d3634ee26..08842e39c 100644 --- a/hiera.yaml +++ b/hiera.yaml @@ -9,5 +9,5 @@ hierarchy: - name: 'Operating System Family' path: 'os/%{facts.os.family}.yaml' - - name: 'common' - path: 'common.yaml' \ No newline at end of file + - name: 'Rundeck defaults' + path: 'defaults.yaml' diff --git a/manifests/config.pp b/manifests/config.pp index 2787f23c8..e2fe332e7 100644 --- a/manifests/config.pp +++ b/manifests/config.pp @@ -61,7 +61,7 @@ contain rundeck::config::jaas_auth contain rundeck::config::framework - # contain rundeck::config::global::project + contain rundeck::config::project # contain rundeck::config::global::rundeck_config # contain rundeck::config::global::file_keystore diff --git a/manifests/config/framework.pp b/manifests/config/framework.pp index fa07db995..3290bcae5 100644 --- a/manifests/config/framework.pp +++ b/manifests/config/framework.pp 
@@ -12,13 +12,13 @@ $_ssl_config = {} } - $_framework_config = deep_merge($rundeck::config::framework_config, $_ssl_config) + $_server_uuid = { 'rundeck.server.uuid' => fqdn_uuid($facts['networking']['fqdn']) } + + $_framework_config = deep_merge($rundeck::config::framework_config, $_server_uuid, $_ssl_config) file { "${rundeck::config::properties_dir}/framework.properties": ensure => file, content => epp('rundeck/framework.properties.epp', { _framework_config => $_framework_config }), - owner => $rundeck::user, - group => $rundeck::group, require => File[$rundeck::config::properties_dir], } } diff --git a/manifests/config/global/project.pp b/manifests/config/global/project.pp index 2c8e8a280..9d55ab188 100644 --- a/manifests/config/global/project.pp +++ b/manifests/config/global/project.pp 
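Review bot: `deep_merge($rundeck::config::framework_config, $_server_uuid, $_ssl_config)` places the computed `rundeck.server.uuid` after the user's framework_config, so a `rundeck.server.uuid` set explicitly in data or at declaration is silently replaced by `fqdn_uuid($facts['networking']['fqdn'])`. If that override is intentional, say so in a comment next to `$_server_uuid`; otherwise swap the first two arguments so explicit configuration wins. Dropping `owner`/`group` from the file resource now relies on the `File { owner => ... }` defaults set in `rundeck::config`, which is worth a one-line comment at the resource. The class header is outside the hunk.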
@@ -2,70 +2,14 @@ # # @summary This private class is called from rundeck::config used to manage the default project properties. # -class rundeck::config::global::project { +class rundeck::config::project { assert_private() - $group = $rundeck::config::group - $projects_description = $rundeck::config::projects_description - $projects_dir = $rundeck::config::projects_dir - $projects_organization = $rundeck::config::projects_organization - $properties_dir = $rundeck::config::properties_dir - $user = $rundeck::config::user + $_project_config = deep_merge(lookup('rundeck::project_config'), $rundeck::project_config) - $properties_file = "${properties_dir}/project.properties" - - ensure_resource('file', $properties_dir, { 'ensure' => 'directory', 'owner' => $user, 'group' => $group }) - - file { $properties_file: + file { "${rundeck::config::properties_dir}/project.properties": ensure => file, - owner => $user, - group => $group, - mode => '0640', - require => File[$properties_dir], - } - - ini_setting { 'project.dir': - ensure => present, - path => $properties_file, - section => '', - setting => 'project.dir', - value => "${projects_dir}/\${project.name}", - require => File[$properties_file], - } - - ini_setting { 'project.etc.dir': - ensure => present, - path => $properties_file, - section => '', - setting => 'project.etc.dir', - value => "${projects_dir}/\${project.name}/etc", - require => File[$properties_file], - } - - ini_setting { 'project.resources.file': - ensure => present, - path => $properties_file, - section => '', - setting => 'project.resources.file', - value => "${projects_dir}/\${project.name}/etc/resources.xml", - require => File[$properties_file], - } - - ini_setting { 'project.description': - ensure => present, - path => $properties_file, - section => '', - setting => 'project.description', - value => $projects_description, - require => File[$properties_file], - } - - ini_setting { 'project.organization': - ensure => present, - path => 
$properties_file, - section => '', - setting => 'project.organization', - value => $projects_organization, - require => File[$properties_file], + content => epp('rundeck/project.properties.epp', { _project_config => $_project_config }), + require => File[$rundeck::config::properties_dir], } } diff --git a/manifests/config/jaas_auth.pp b/manifests/config/jaas_auth.pp index 1feb36bcb..660d097e0 100644 --- a/manifests/config/jaas_auth.pp +++ b/manifests/config/jaas_auth.pp @@ -3,12 +3,14 @@ # @summary This private class is called from rundeck::config used to manage jaas authentication for rundeck. # class rundeck::config::jaas_auth { + assert_private() + $_auth_config = deep_merge(lookup('rundeck::auth_config'), $rundeck::auth_config) $_auth_types = $_auth_config.keys if 'file' in $_auth_types { file { "${rundeck::config::properties_dir}/realm.properties": - content => Sensitive(epp($rundeck::realm_template)), + content => Sensitive(epp($rundeck::realm_template, { _auth_config => $_auth_config })), mode => '0600', require => File[$rundeck::config::properties_dir], } diff --git a/manifests/init.pp b/manifests/init.pp index 4853fa9ea..8f30ca74b 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -136,6 +136,7 @@ Array[Hash] $api_policies, Rundeck::Authconfig $auth_config, Hash $framework_config, + Hash $project_config, Hash $database_config, Array[Hash] $key_storage_config, Hash $security_config, @@ -199,8 +200,7 @@ Optional[String] $service_script = undef, # Project config Hash $projects = {}, - String $projects_description = '', - String $projects_organization = '', + Integer $quartz_job_threadcount = 10, String $file_copier_provider = 'jsch-scp', String $node_executor_provider = 'jsch-ssh', diff --git a/templates/project.properties.epp b/templates/project.properties.epp new file mode 100644 index 000000000..80a811700 --- /dev/null +++ b/templates/project.properties.epp 
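Review bot: The rewritten `file { "${rundeck::config::properties_dir}/project.properties":` drops the previous `mode => '0640'` along with owner/group, so the file now receives whatever the `File` defaults in `rundeck::config` provide; add `mode => '0640',` if the tighter permission was deliberate. The `ini_setting` resources for `project.description` and `project.organization` are removed without replacement while the `projects_description`/`projects_organization` parameters are deleted from `rundeck` in the same commit, so those two properties vanish from project.properties unless users add them to `project_config`; that needs a changelog entry and a sentence in the `@param project_config` doc. The class is renamed to `rundeck::config::project` while the file still lives under `manifests/config/global/`, which the autoloader will not resolve until the file is moved (a later commit on this page does so).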
@@ -0,0 +1,3 @@ +<%- $_project_config.keys.unique.sort.each |$k| { -%> +<%= $k %> = <%= $_project_config[$k] %> +<%- } -%> diff --git a/templates/realm.properties.epp b/templates/realm.properties.epp index 058729015..0500e1f6a 100644 --- a/templates/realm.properties.epp +++ b/templates/realm.properties.epp @@ -21,10 +21,10 @@ # # This sets the default user accounts for the Rundeck app # -<%= $rundeck::auth_config['file']['realm_config']['admin_user'] %>:<%= $rundeck::auth_config['file']['realm_config']['admin_password'] %>,user,admin,architect,deploy,build -<%- if $rundeck::auth_config['file']['realm_config']['auth_users'] { -%> - <%- if is_array($rundeck::auth_config['file']['realm_config']['auth_users']) { -%> - <%- $rundeck::auth_config['file']['realm_config']['auth_users'].each |$x| { -%> +<%= $_auth_config['file']['realm_config']['admin_user'] %>:<%= $_auth_config['file']['realm_config']['admin_password'] %>,user,admin,architect,deploy,build +<%- if $_auth_config['file']['realm_config']['auth_users'] { -%> + <%- if is_array($_auth_config['file']['realm_config']['auth_users']) { -%> + <%- $_auth_config['file']['realm_config']['auth_users'].each |$x| { -%> <%- if $x['username'] { -%> <%= $x['username'] -%>:<%= $x['password'] -%> <%- if $x['roles'] {-%> 
@@ -33,10 +33,10 @@ <%- } -%> <%- } -%> <%- } else { -%> - <%- if $rundeck::auth_config['file']['realm_config']['auth_users']['username'] and $rundeck::auth_config['file']['realm_config']['auth_users']['password'] { -%> - <%= $rundeck::auth_config['file']['realm_config']['auth_users']['username'] -%>:<%= $rundeck::auth_config['file']['realm_config']['auth_users']['password'] -%> - <%- if $rundeck::auth_config['file']['realm_config']['auth_users']['roles'] { -%> - <%- $rundeck::auth_config['file']['realm_config']['auth_users']['roles'].each |$v| {-%>,<%=$v -%><%- } %> + <%- if $_auth_config['file']['realm_config']['auth_users']['username'] and $_auth_config['file']['realm_config']['auth_users']['password'] { -%> + <%= $_auth_config['file']['realm_config']['auth_users']['username'] -%>:<%= $_auth_config['file']['realm_config']['auth_users']['password'] -%> + <%- if $_auth_config['file']['realm_config']['auth_users']['roles'] { -%> + <%- $_auth_config['file']['realm_config']['auth_users']['roles'].each |$v| {-%>,<%=$v -%><%- } %> <%- } -%> <%- } -%> <%- } -%> From 5b93390ca0813a2f4693cc53ae075e1f22af03f7 Mon Sep 17 00:00:00 2001 From: Joris29 Date: Tue, 21 Nov 2023 08:36:20 +0100 Subject: [PATCH 28/82] Move global project config --- data/defaults.yaml | 6 +++--- manifests/config.pp | 22 +++++++++++++++------- manifests/config/{global => }/project.pp | 0 3 files changed, 18 insertions(+), 10 deletions(-) rename manifests/config/{global => }/project.pp (100%) diff --git a/data/defaults.yaml b/data/defaults.yaml index 16d9be44c..2b2334600 100644 --- a/data/defaults.yaml +++ b/data/defaults.yaml 
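Review bot: The renamed line `<%- if is_array($_auth_config['file']['realm_config']['auth_users']) { -%>` keeps `is_array`, a puppetlabs-stdlib function deprecated in favour of the type system; since the line is being rewritten anyway, `<%- if $_auth_config['file']['realm_config']['auth_users'] =~ Array { -%>` removes the dependency on that legacy function. The path `$_auth_config['file']['realm_config']` is repeated on most lines of both hunks (the second, `@@ -33,10 +33,10 @@`, has the same pattern), so binding it once at the top, `<%- $_realm = $_auth_config['file']['realm_config'] -%>`, would make the template readable. The template necessarily writes `admin_password` and every user password in clear text, so the `Sensitive(...)`/`mode => '0600'` handling in jaas_auth.pp remains the control that must not be loosened.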
@@ -123,9 +123,9 @@ rundeck::framework_config: rdeck.base: '/var/lib/rundeck' rundeck::project_config: - project.dir: "%{lookup('rundeck::framework_config.framework.projects.dir')}/${project.name}" - project.etc.dir: "%{lookup('rundeck::framework_config.framework.projects.dir')}/${project.name}/etc" - project.resources.file: "%{lookup('rundeck::framework_config.framework.projects.dir')}/${project.name}/etc/resources.xml" + project.dir: "%{lookup('rundeck::framework_config.\"framework.projects.dir\"')}/${project.name}" + project.etc.dir: "%{lookup('rundeck::framework_config.\"framework.projects.dir\"')}/${project.name}/etc" + project.resources.file: "%{lookup('rundeck::framework_config.\"framework.projects.dir\"')}/${project.name}/etc/resources.xml" rundeck::file_keystorage_dir: "%{lookup('rundeck::framework_config.framework.var.dir')}/storage" diff --git a/manifests/config.pp b/manifests/config.pp index e2fe332e7..fa4ada2ab 100644 --- a/manifests/config.pp +++ b/manifests/config.pp @@ -21,16 +21,24 @@ } } - [$rundeck::service_logs_dir, $properties_dir].each |$_path| { - file { $_path: - ensure => directory, - mode => '0755', + $framework_config.each |$_key, $_value| { + if $_key =~ '.dir' { + file { $_value: + ensure => directory, + mode => '0755', + } } } - file { "${properties_dir}/log4j2.properties": - content => epp($rundeck::log_properties_template), - require => File[$properties_dir], + file { + $rundeck::service_logs_dir: + ensure => directory, + mode => '0755', + ; + "${properties_dir}/log4j2.properties": + content => epp($rundeck::log_properties_template), + require => File[$properties_dir, $rundeck::service_logs_dir], + ; } if $rundeck::manage_default_admin_policy { diff --git a/manifests/config/global/project.pp b/manifests/config/project.pp similarity index 100% rename from manifests/config/global/project.pp rename to manifests/config/project.pp From d7ab47007f7abfbf19bfc700619d31a184121a20 Mon Sep 17 00:00:00 2001 
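Review bot: `if $_key =~ '.dir'` matches a string used as an unanchored regex, so `.` matches any character and a key whose name merely contains `dir` (hypothetically one ending in `.directory`) would have its value declared as a directory with `mode => '0755'`; anchor it as `$_key =~ /\.dir$/`. Two keys resolving to the same path, which is possible now that framework_config is user-merged, would also produce a duplicate `File` declaration, so deduplicate the values before declaring. Because these directories are created from unvalidated hash values, the `@param framework_config` doc should state that every `*.dir` entry must be an absolute path. The class body continues outside the hunk.
```puppet
  # Every framework_config key ending in ".dir" names a directory rundeck needs;
  # dedupe first so two keys pointing at the same path do not declare File twice.
  $_dirs = $framework_config.filter |$_key, $_value| { $_key =~ /\.dir$/ }.values.unique

  file { $_dirs:
    ensure => directory,
    mode   => '0755',
  }
  # … unchanged: service_logs_dir and log4j2.properties resources …
```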
From: Joris29 Date: Tue, 21 Nov 2023 12:01:12 +0100 Subject: [PATCH 29/82] Update config --- data/defaults.yaml | 27 ++----- manifests/config/global/rundeck_config.pp | 50 ------------ manifests/config/rundeck.pp | 19 +++++ manifests/init.pp | 13 ++- templates/rundeck-config.epp | 97 ----------------------- templates/rundeck-config.properties.epp | 49 ++++++++++++ types/{authconfig.pp => auth_config.pp} | 2 +- types/db_config.pp | 9 +++ types/mail_config.pp | 11 +++ 9 files changed, 102 insertions(+), 175 deletions(-) delete mode 100644 manifests/config/global/rundeck_config.pp create mode 100644 manifests/config/rundeck.pp delete mode 100644 templates/rundeck-config.epp create mode 100644 templates/rundeck-config.properties.epp rename types/{authconfig.pp => auth_config.pp} (82%) create mode 100644 types/db_config.pp create mode 100644 types/mail_config.pp diff --git a/data/defaults.yaml b/data/defaults.yaml index 2b2334600..b4ebdd5df 100644 --- a/data/defaults.yaml +++ b/data/defaults.yaml 
@@ -123,31 +123,18 @@ rundeck::framework_config: rdeck.base: '/var/lib/rundeck' rundeck::project_config: - project.dir: "%{lookup('rundeck::framework_config.\"framework.projects.dir\"')}/${project.name}" - project.etc.dir: "%{lookup('rundeck::framework_config.\"framework.projects.dir\"')}/${project.name}/etc" - project.resources.file: "%{lookup('rundeck::framework_config.\"framework.projects.dir\"')}/${project.name}/etc/resources.xml" + project.dir: '/var/lib/rundeck/projects/${project.name}' + project.etc.dir: '/var/lib/rundeck/projects/${project.name}/etc' + project.resources.file: '/var/lib/rundeck/projects/${project.name}/etc/resources.xml' -rundeck::file_keystorage_dir: "%{lookup('rundeck::framework_config.framework.var.dir')}/storage" - -rundeck::security_config: - useHMacRequestTokens: true - apiCookieAccess: true +rundeck::file_keystorage_dir: '/var/lib/rundeck/var/storage' rundeck::database_config: - type: 'h2' - dbCreate: 'update' - url: 'jdbc:h2:file:/var/lib/rundeck/data/rundeckdb' - driverClassName: '' - username: '' - password: '' - dialect: '' - enable_h2_logs: 'on' + url: "jdbc:h2:file:/var/lib/rundeck/data/rundeckdb;MVCC=true" rundeck::key_storage_config: - - type: 'file' - path: '/' - config: - baseDir: "%{lookup('file_keystorage_dir')}" + - type: 'db' + path: 'keys' rundeck::preauthenticated_config: enabled: false diff --git a/manifests/config/global/rundeck_config.pp b/manifests/config/global/rundeck_config.pp deleted file mode 100644 index 47c2d1e38..000000000 --- a/manifests/config/global/rundeck_config.pp +++ /dev/null 
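Review bot: The hunk deletes the whole `rundeck::security_config` key (`useHMacRequestTokens: true`, `apiCookieAccess: true`), but `rundeck` still declares `Hash $security_config` with no default, so unless the key is supplied elsewhere in the data layer every catalog now fails with a missing-parameter error; keep at least `rundeck::security_config: {}`, and preferably restore the two entries since both are hardening settings that were previously on by default. Switching `rundeck::key_storage_config` from the `file` provider to `type: 'db'` moves stored keys and passwords into the database; if no storage converter is configured, that key material presumably lands there unencrypted, which should be stated next to the new default. `rundeck::file_keystorage_dir` is now a literal path instead of being derived from `framework.var.dir`, so the two can drift when a user changes only the latter.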
@@ -1,50 +0,0 @@ -# @api private -# -# @summary This private class is called from rundeck::config used to manage the rundeck-config properties. -# -class rundeck::config::global::rundeck_config { - assert_private() - - $clustermode_enabled = $rundeck::config::clustermode_enabled - $execution_mode = $rundeck::config::execution_mode - $file_keystorage_dir = $rundeck::config::file_keystorage_dir - $grails_server_url = $rundeck::config::grails_server_url - $group = $rundeck::config::group - $gui_config = $rundeck::config::gui_config - $key_storage_config = $rundeck::config::key_storage_config - $mail_config = $rundeck::config::mail_config - $preauthenticated_config = $rundeck::config::preauthenticated_config - $properties_dir = $rundeck::config::properties_dir - $quartz_job_threadcount = $rundeck::config::quartz_job_threadcount - $app_log_level = $rundeck::config::app_log_level - $rdeck_base = $rundeck::config::rdeck_base - $rdeck_config_template = $rundeck::config::rdeck_config_template - $rss_enabled = $rundeck::config::rss_enabled - $security_config = $rundeck::config::security_config - $storage_encrypt_config = $rundeck::config::storage_encrypt_config - $user = $rundeck::config::user - - $properties_file = "${properties_dir}/rundeck-config.groovy" - - ensure_resource('file', $properties_dir, { 'ensure' => 'directory', 'owner' => $user, 'group' => $group }) - - $database_config = merge($rundeck::params::database_config, $rundeck::config::database_config) - - file { "${properties_dir}/rundeck-config.properties": - ensure => absent, - } - - $_service_notify = $rundeck::config::service_restart ? { - false => undef, - default => Service[$rundeck::config::service_name] - } - file { $properties_file: - ensure => file, - content => epp($rdeck_config_template), - owner => $user, - group => $group, - mode => '0640', - require => File[$properties_dir], - notify => $_service_notify, - } -} 
diff --git a/manifests/config/rundeck.pp b/manifests/config/rundeck.pp
new file mode 100644
index 000000000..9a5d611c7
--- /dev/null
+++ b/manifests/config/rundeck.pp
@@ -0,0 +1,19 @@
+# @api private
+#
+# @summary This private class is called from rundeck::config used to manage the rundeck-config properties.
+#
+class rundeck::config::rundeck {
+ assert_private()
+
+ $_service_notify = $rundeck::service_notify ? {
+ false => undef,
+ default => Service[$rundeck::service_name]
+ }
+
+ file { "${rundeck::config::properties_dir}/rundeck-config.properties":
+ ensure => file,
+ content => epp($rundeck::config_template),
+ require => File[$rundeck::config::properties_dir],
+ notify => $_service_notify,
+ }
+}
diff --git a/manifests/init.pp b/manifests/init.pp
index 8f30ca74b..4d7d9e88c 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -134,13 +134,13 @@
 class rundeck (
 Array[Hash] $admin_policies,
 Array[Hash] $api_policies,
- Rundeck::Authconfig $auth_config,
+ Rundeck::Auth_config $auth_config,
+ Rundeck::Db_config $database_config,
 Hash $framework_config,
+ Array[Hash] $key_storage_config, # Create type?
+ Hash $preauthenticated_config,
 Hash $project_config,
- Hash $database_config,
- Array[Hash] $key_storage_config,
 Hash $security_config,
- Hash $preauthenticated_config,
 String $keystore_password,
 String $truststore_password,
 Stdlib::Absolutepath $file_keystorage_dir,
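Review bot: The new `file { "${rundeck::config::properties_dir}/rundeck-config.properties":` sets no `mode` and does not wrap `content` in `Sensitive`, while the template it renders writes every key of `database_config` and `mail_config`, `password` included, into that file; the class it replaces used `mode => '0640'`, and the sibling `jaas_auth` class uses `Sensitive(epp(...))` with `mode => '0600'`. Use `content => Sensitive(epp($rundeck::config_template)),` and `mode => '0600',` so the credentials are neither readable by other local users nor echoed in agent diffs and reports. A one-line class comment noting that this file carries secrets would keep the next maintainer from relaxing it.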
@@ -152,13 +152,12 @@ Boolean $clustermode_enabled = false, Enum['active', 'passive'] $execution_mode = 'active', Hash $file_keystorage_keys = {}, - Stdlib::HTTPUrl $grails_server_url = "http://${facts['networking']['fqdn']}:4440", Hash $gui_config = {}, Optional[Stdlib::Absolutepath] $java_home = undef, String $jvm_args = '-Xmx1024m -Xms256m -server', Optional[Hash] $kerberos_realms = undef, Stdlib::Absolutepath $keystore = '/etc/rundeck/ssl/keystore', - Hash $mail_config = {}, + Rundeck::Mail_config $mail_config = {}, Boolean $manage_default_admin_policy = true, Boolean $manage_default_api_policy = true, # Log config @@ -194,7 +193,7 @@ # Service config String $service_name = 'rundeckd', Enum['stopped', 'running'] $service_ensure = 'running', - Boolean $service_restart = true, + Boolean $service_notify = true, Stdlib::Absolutepath $service_logs_dir = '/var/log/rundeck', Optional[String] $service_config = undef, Optional[String] $service_script = undef, diff --git a/templates/rundeck-config.epp b/templates/rundeck-config.epp deleted file mode 100644 index cac5cbd6b..000000000 --- a/templates/rundeck-config.epp +++ /dev/null 
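Review bot: `Boolean $service_restart` is renamed to `Boolean $service_notify` and `Stdlib::HTTPUrl $grails_server_url` is removed outright, so any caller or Hiera data still setting `rundeck::service_restart` or `rundeck::grails_server_url` now fails with an unknown-parameter error and no deprecation path; if this is a major-version break, record both in the changelog and the `@param` block, otherwise keep `$service_restart` as a deprecated alias for one release. `Rundeck::Mail_config $mail_config = {}` only type-checks because every key of that Struct is Optional; a short comment on the parameter saying so would protect it from a later change to the type. The parameter list continues outside the hunks.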
@@ -1,97 +0,0 @@ -loglevel.default = "<%= $rundeck::app_log_level %>" -rdeck.base = "<%= $rundeck::config::global::rundeck_config::rdeck_base %>" -rss.enabled = "<%= $rundeck::config::global::rundeck_config::rss_enabled %>" -rundeck.log4j.config.file = "<%= $rundeck::config::global::rundeck_config::properties_dir %>/log4j.properties" - -<%- if 'useHMacRequestTokens' in $rundeck::config::global::rundeck_config::security_config.keys { -%> -rundeck.security.useHMacRequestTokens = <%= $rundeck::config::global::rundeck_config::security_config['useHMacRequestTokens'] %> -<%- } -%> -<%- if 'apiCookieAccess' in $rundeck::config::global::rundeck_config::security_config.keys { -%> -rundeck.security.apiCookieAccess.enabled = <%= $rundeck::config::global::rundeck_config::security_config['apiCookieAccess'] %> -<%- } -%> -<%- if 'apiTokensDuration' in $rundeck::config::global::rundeck_config::security_config.keys { -%> -rundeck.api.tokens.duration.max = "<%= $rundeck::config::global::rundeck_config::security_config['apiTokensDuration'] %>" -<%- } -%> -<%- if 'csrfRefererFilterMethod' in $rundeck::config::global::rundeck_config::security_config.keys { -%> -rundeck.security.csrf.referer.filterMethod = <%= $rundeck::config::global::rundeck_config::security_config['csrfRefererFilterMethod'] %> -<%- } -%> -<%- if 'csrfRefererAllowApi' in $rundeck::config::global::rundeck_config::security_config.keys { -%> -rundeck.security.csrf.referer.allowApi = <%= $rundeck::config::global::rundeck_config::security_config['csrfRefererAllowApi'] %> -<%- } -%> -<%- if 'csrfRefererRequireHttps' in $rundeck::config::global::rundeck_config::security_config.keys { -%> -rundeck.security.csrf.referer.requireHttps = <%= $rundeck::config::global::rundeck_config::security_config['csrfRefererRequireHttps'] %> -<%- } -%> -<%- if $rundeck::config::global::rundeck_config::security_config['syncLdapUser'] { -%> -rundeck.security.syncLdapUser = <%= 
$rundeck::config::global::rundeck_config::security_config['syncLdapUser'] %> -<%- } -%> - -dataSource { - dbCreate = "<%= $rundeck::config::global::rundeck_config::database_config['dbCreate'] %>" - url = "<%= $rundeck::config::global::rundeck_config::database_config['url'] %>" - <%- if $rundeck::config::global::rundeck_config::database_config['type'] != 'h2' { -%> - driverClassName = "<%= $rundeck::config::global::rundeck_config::database_config['driverClassName'] %>" - username = "<%= $rundeck::config::global::rundeck_config::database_config['username'] %>" - password = "<%= $rundeck::config::global::rundeck_config::database_config['password'] %>" - dialect = "<%= $rundeck::config::global::rundeck_config::database_config['dialect'] %>" - <%- } -%> -} - -<%- if !$rundeck::config::global::rundeck_config::mail_config.empty and $rundeck::config::global::rundeck_config::mail_config.keys != ['defaults.from'] { %> -grails { - mail { - <%- if $rundeck::config::global::rundeck_config::mail_config['host'] { -%> - host = "<%= $rundeck::config::global::rundeck_config::mail_config['host'] %>" - <%- } -%> - <%- if $rundeck::config::global::rundeck_config::mail_config['username'] { -%> - username = "<%= $rundeck::config::global::rundeck_config::mail_config['username'] %>" - <%- } -%> - <%- if $rundeck::config::global::rundeck_config::mail_config['port'] { -%> - port = <%= $rundeck::config::global::rundeck_config::mail_config['port'] %> - <%- } -%> - <%- if $rundeck::config::global::rundeck_config::mail_config['password'] { -%> - password = "<%= $rundeck::config::global::rundeck_config::mail_config['password'] %>" - <%- } -%> - <%- if $rundeck::config::global::rundeck_config::mail_config['props'] { -%> - props = [<% $rundeck::config::global::rundeck_config::mail_config['props'].each |$k,$v| {-%>"<%= $k %>":"<%= $v %>",<%} %>] - <%- } -%> - } -} -<%- } -%> -<%- if $rundeck::config::global::rundeck_config::mail_config['defaults.from'] { -%> -grails.mail.default.from = "<%= 
$rundeck::config::global::rundeck_config::mail_config['defaults.from'] %>" -<%- } -%> -grails.serverURL = "<%= $rundeck::config::global::rundeck_config::grails_server_url %>" -rundeck.clusterMode.enabled = "<%= $rundeck::config::global::rundeck_config::clustermode_enabled %>" -<%- if $rundeck::config::global::rundeck_config::execution_mode { -%> -rundeck.executionMode = "<%= $rundeck::config::global::rundeck_config::execution_mode %>" -<%- } -%> - -quartz.threadPool.threadCount = "<%= $rundeck::config::global::rundeck_config::quartz_job_threadcount %>" - -<%- $rundeck::config::global::rundeck_config::key_storage_config.each |$i, $cfg| { -%> -rundeck.storage.provider."<%= $i+1 %>".type = "<%= $cfg['type'] %>" -rundeck.storage.provider."<%= $i+1 %>".path = "<%= $cfg['path'] %>" -<%- if $cfg['removePathPrefix'] { -%> -rundeck.storage.provider."<%= $i+1 %>".removePathPrefix = <%= $cfg['removePathPrefix'] %> -<%- } -%> -<%- if $cfg['config'] { -%> -<%- $cfg['config'].each |$k, $v| { -%> -rundeck.storage.provider."<%= $i+1 %>".config.<%= $k %> = "<%= $v %>" -<%- } -%> -<%- } -%> -<%- } -%> - -<%- if !$rundeck::config::global::rundeck_config::storage_encrypt_config.empty { -%> - - <%- $rundeck::config::global::rundeck_config::storage_encrypt_config.keys.sort.each |$k| { -%> -rundeck.storage.converter."1".<%= $k %> = "<%= $rundeck::config::global::rundeck_config::storage_encrypt_config[$k] %>" - <%- } -%> -<%- } -%> - -<%- $rundeck::config::global::rundeck_config::preauthenticated_config.each |$k,$v| { -%> -rundeck.security.authorization.preauthenticated.<%= $k %> = "<%= $v %>" -<%- } -%> - -<%- $rundeck::config::global::rundeck_config::gui_config.keys.sort.each |$k| {-%> -<%= $k %> = "<%= $rundeck::config::global::rundeck_config::gui_config[$k] %>" -<%- } -%> diff --git a/templates/rundeck-config.properties.epp b/templates/rundeck-config.properties.epp new file mode 100644 index 000000000..262c11e68 --- /dev/null +++ b/templates/rundeck-config.properties.epp 
@@ -0,0 +1,49 @@ +loglevel.default = "<%= $rundeck::app_log_level %>" +rdeck.base = "<%= $rundeck::config::base_dir %>" + +rss.enabled = "<%= $rundeck::rss_enabled %>" + +grails.serverURL = "<%= $rundeck::config::framework_config['framework.server.url'] %>" + +rundeck.clusterMode.enabled = "<%= $rundeck::clustermode_enabled %>" +rundeck.executionMode = "<%= $rundeck::execution_mode %>" + +quartz.threadPool.threadCount = "<%= $rundeck::quartz_job_threadcount %>" + +dataSource.dbCreate = update +<%- $rundeck::database_config.each |$_k, $_v| {-%> +dataSource.<%= $_k %> = "<%= $_v %>" +<%- } -%> + +<%- $rundeck::mail_config.each |$_k, $_v| {-%> +grails.mail.<%= $_k %> = "<%= $_v %>" +<%- } -%> + +<%- $rundeck::security_config.each |$_k, $_v| {-%> +<%= $k %> = "<%= $rundeck::security_config[$k] %>" +<%- } -%> + +<%- $rundeck::key_storage_config.each |$_i, $_cfg| { -%> +rundeck.storage.provider."<%= $_i+1 %>".type = "<%= $_cfg['type'] %>" +rundeck.storage.provider."<%= $_i+1 %>".path = "<%= $_cfg['path'] %>" +<%- if $_cfg['removePathPrefix'] { -%> +rundeck.storage.provider."<%= $_i+1 %>".removePathPrefix = <%= $_cfg['removePathPrefix'] %> +<%- } -%> +<%- if $_cfg['config'] { -%> +<%- $_cfg['config'].each |$_k, $_v| { -%> +rundeck.storage.provider."<%= $_i+1 %>".config.<%= $_k %> = "<%= $_v %>" +<%- } -%> +<%- } -%> +<%- } -%> + +<%- $rundeck::key_storage_encrypt_config.keys.each |$k| { -%> +rundeck.storage.converter."1".<%= $k %> = "<%= $rundeck::config::global::rundeck_config::storage_encrypt_config[$k] %>" +<%- } -%> + +<%- $rundeck::preauthenticated_config.each |$_k, $_v| { -%> +rundeck.security.authorization.preauthenticated.<%= $_k %> = "<%= $_v %>" +<%- } -%> + +<%- $rundeck::gui_config.each |$_k, $_v| {-%> +<%= $_k %> = "<%= $_v %>" +<%- } -%> diff --git a/types/authconfig.pp b/types/auth_config.pp similarity index 82% rename from types/authconfig.pp rename to types/auth_config.pp index ab53a3ba4..bc9f7de4a 100644 --- a/types/authconfig.pp 
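Review bot: The `security_config` loop in the new template binds `|$_k, $_v|` but its body reads `$k`, so `<%= $k %> = "<%= $rundeck::security_config[$k] %>"` references an unbound variable — a compile failure under Puppet's strict-variables setting, and an empty ` = ""` line per entry otherwise. The body should use the block parameters like the surrounding loops do: `<%= $_k %> = "<%= $_v %>"`. The `key_storage_encrypt_config` loop just below has the same shape of problem, reading `$rundeck::config::global::rundeck_config::storage_encrypt_config[$k]`, a variable of the `rundeck::config::global::rundeck_config` class this series is deleting; iterating with `each |$_k, $_v|` and emitting `<%= $_v %>` avoids the stale reference.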
+++ b/types/auth_config.pp @@ -1,5 +1,5 @@ # Rundeck authentication config type. -type Rundeck::Authconfig = Struct[{ +type Rundeck::Auth_config = Struct[{ Optional['file'] => Hash[String, Data], Optional['ldap'] => Hash[String, Data], Optional['pam'] => Hash[String, Data], diff --git a/types/db_config.pp b/types/db_config.pp new file mode 100644 index 000000000..628a5652d --- /dev/null +++ b/types/db_config.pp @@ -0,0 +1,9 @@ +# Rundeck database config type. +type Rundeck::Db_config = Struct[{ + ['url'] => String, + Optional['driverClassName'] => String, + Optional['username'] => String, + Optional['password'] => String, + Optional['dialect'] => String, + Optional['properties.validationQuery'] => String, +}] diff --git a/types/mail_config.pp b/types/mail_config.pp new file mode 100644 index 000000000..a5a6155e1 --- /dev/null +++ b/types/mail_config.pp @@ -0,0 +1,11 @@ +# Rundeck mail config type. +type Rundeck::Mail_config = Struct[{ + Optional['host'] => String, + Optional['port'] => Integer, + Optional['username'] => String, + Optional['password'] => String, + Optional['props'] => Array[Hash], + Optional['default.from'] => String, + Optional['default.to'] => String, + Optional['disabled'] => Boolean, +}] From 451935509eb8272d0a539000ba9a6535d4e0f437 Mon Sep 17 00:00:00 2001 From: Joris29 Date: Tue, 21 Nov 2023 12:46:29 +0100 Subject: [PATCH 30/82] Update defaults --- data/defaults.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data/defaults.yaml b/data/defaults.yaml index b4ebdd5df..189a3ab83 100644 --- a/data/defaults.yaml +++ b/data/defaults.yaml @@ -130,7 +130,7 @@ rundeck::project_config: rundeck::file_keystorage_dir: '/var/lib/rundeck/var/storage' rundeck::database_config: - url: "jdbc:h2:file:/var/lib/rundeck/data/rundeckdb;MVCC=true" + url: 'jdbc:h2:file:/var/lib/rundeck/data/rundeckdb' rundeck::key_storage_config: - type: 'db' From 8a5c6082cd38be6a6d788d2f509267fb2c7f9438 Mon Sep 17 00:00:00 2001 
From: Joris29 Date: Tue, 21 Nov 2023 12:49:33 +0100 Subject: [PATCH 31/82] Fix db_config type --- data/defaults.yaml | 9 --------- manifests/config/jaas_auth.pp | 2 +- manifests/init.pp | 5 +++-- types/db_config.pp | 2 +- 4 files changed, 5 insertions(+), 13 deletions(-) diff --git a/data/defaults.yaml b/data/defaults.yaml index 189a3ab83..40a9ad615 100644 --- a/data/defaults.yaml +++ b/data/defaults.yaml @@ -136,15 +136,6 @@ rundeck::key_storage_config: - type: 'db' path: 'keys' -rundeck::preauthenticated_config: - enabled: false - attributeName: 'REMOTE_USER_GROUPS' - delimiter: ':' - userNameHeader: 'X-Forwarded-Uuid' - userRolesHeader: 'X-Forwarded-Roles' - redirectLogout: false - redirectUrl: '/oauth2/sign_in' - rundeck::keystore_password: 'adminadmin' rundeck::truststore_password: 'adminadmin' rundeck::rdeck_base: '/var/lib/rundeck' diff --git a/manifests/config/jaas_auth.pp b/manifests/config/jaas_auth.pp index 660d097e0..603a74556 100644 --- a/manifests/config/jaas_auth.pp +++ b/manifests/config/jaas_auth.pp @@ -5,7 +5,7 @@ class rundeck::config::jaas_auth { assert_private() - $_auth_config = deep_merge(lookup('rundeck::auth_config'), $rundeck::auth_config) + $_auth_config = $rundeck::auth_config $_auth_types = $_auth_config.keys if 'file' in $_auth_types { diff --git a/manifests/init.pp b/manifests/init.pp index 4d7d9e88c..0d40bd0d1 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -138,9 +138,7 @@ Rundeck::Db_config $database_config, Hash $framework_config, Array[Hash] $key_storage_config, # Create type? - Hash $preauthenticated_config, Hash $project_config, - Hash $security_config, String $keystore_password, String $truststore_password, Stdlib::Absolutepath $file_keystorage_dir, 
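Review bot: Replacing `deep_merge(lookup('rundeck::auth_config'), $rundeck::auth_config)` with `$_auth_config = $rundeck::auth_config` changes merge semantics in a commit titled "Fix db_config type": a caller that sets `auth_config` now replaces the module's Hiera default (presumably the `file` realm) entirely instead of layering on top of it. That may well be intended — it stops a default file realm from silently staying active next to an LDAP or PAM configuration — but it should be stated on the parameter, e.g. `# @param auth_config` / `#   Hash of JAAS realms; this value replaces, rather than merges with, the module default.` If the merge behaviour is still wanted, keep the `deep_merge`. The enclosing `class rundeck::config::jaas_auth` continues past this hunk.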
@@ -158,6 +156,9 @@ Optional[Hash] $kerberos_realms = undef, Stdlib::Absolutepath $keystore = '/etc/rundeck/ssl/keystore', Rundeck::Mail_config $mail_config = {}, + Hash $security_config = {}, + Hash $preauthenticated_config = {}, + Boolean $manage_default_admin_policy = true, Boolean $manage_default_api_policy = true, # Log config diff --git a/types/db_config.pp b/types/db_config.pp index 628a5652d..374ac1b6c 100644 --- a/types/db_config.pp +++ b/types/db_config.pp @@ -1,6 +1,6 @@ # Rundeck database config type. type Rundeck::Db_config = Struct[{ - ['url'] => String, + 'url' => String, Optional['driverClassName'] => String, Optional['username'] => String, Optional['password'] => String, From c1786f92a9c508a2f5eacd433a015c68aa846dac Mon Sep 17 00:00:00 2001 From: Joris29 Date: Tue, 21 Nov 2023 13:05:58 +0100 Subject: [PATCH 32/82] Update jaas auth path --- manifests/config.pp | 26 +++++++++++++++++++++---- manifests/config/framework.pp | 2 +- manifests/config/jaas_auth.pp | 6 +++--- manifests/config/project.pp | 15 -------------- manifests/config/rundeck.pp | 19 ------------------ manifests/init.pp | 8 ++++---- templates/rundeck-config.properties.epp | 4 ++-- 7 files changed, 32 insertions(+), 48 deletions(-) delete mode 100644 manifests/config/project.pp delete mode 100644 manifests/config/rundeck.pp diff --git a/manifests/config.pp b/manifests/config.pp index fa4ada2ab..8d0dfd0af 100644 --- a/manifests/config.pp +++ b/manifests/config.pp 
@@ -6,8 +6,15 @@ assert_private() $framework_config = deep_merge(lookup('rundeck::framework_config'), $rundeck::framework_config) - $properties_dir = $framework_config['framework.etc.dir'] - $base_dir = $framework_config['rdeck.base'] + $project_config = deep_merge(lookup('rundeck::project_config'), $rundeck::project_config) + + $base_dir = $framework_config['rdeck.base'] + $properties_dir = $framework_config['framework.etc.dir'] + + $service_notify = $rundeck::service_notify ? { + false => undef, + default => Service[$rundeck::service_name] + } File { owner => $rundeck::user, @@ -38,6 +45,7 @@ "${properties_dir}/log4j2.properties": content => epp($rundeck::log_properties_template), require => File[$properties_dir, $rundeck::service_logs_dir], + notify => $service_notify, ; } @@ -69,8 +77,18 @@ contain rundeck::config::jaas_auth contain rundeck::config::framework - contain rundeck::config::project - # contain rundeck::config::global::rundeck_config + + file { "${properties_dir}/project.properties": + ensure => file, + content => epp('rundeck/project.properties.epp', { _project_config => $project_config }), + notify => $service_notify, + } + + file { "${properties_dir}/rundeck-config.properties": + ensure => file, + content => epp($rundeck::config_template), + notify => $service_notify, + } # contain rundeck::config::global::file_keystore # Class['rundeck::config::global::framework'] diff --git a/manifests/config/framework.pp b/manifests/config/framework.pp index 3290bcae5..4f72aecb6 100644 --- a/manifests/config/framework.pp +++ b/manifests/config/framework.pp @@ -19,6 +19,6 @@ file { "${rundeck::config::properties_dir}/framework.properties": ensure => file, content => epp('rundeck/framework.properties.epp', { _framework_config => $_framework_config }), - require => File[$rundeck::config::properties_dir], + notify => $rundeck::config::service_notify, } } diff --git a/manifests/config/jaas_auth.pp b/manifests/config/jaas_auth.pp index 603a74556..5bbf9557a 100644 
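Review bot: `rundeck-config.properties` is written with a plain `content => epp($rundeck::config_template)` and no `mode`, yet the template this series introduces emits `dataSource.password`, `grails.mail.password` and the key-storage converter settings from `database_config`, `mail_config` and the encrypt config into it in cleartext. The sibling `rundeck::config::jaas_auth` wraps `realm.properties` and the JAAS file in `Sensitive(epp(...))` with `mode => '0600'`; this resource should match it with `content => Sensitive(epp($rundeck::config_template)),` and `mode => '0600',` so the secrets are redacted from reports and diffs and the file is not group/world readable. The `File { ... }` resource defaults at the top of the class might already set a mode, but only `owner` and `group` are visible in the hunk, so that is worth confirming. `class rundeck::config` begins before this hunk.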
--- a/manifests/config/jaas_auth.pp +++ b/manifests/config/jaas_auth.pp @@ -12,7 +12,7 @@ file { "${rundeck::config::properties_dir}/realm.properties": content => Sensitive(epp($rundeck::realm_template, { _auth_config => $_auth_config })), mode => '0600', - require => File[$rundeck::config::properties_dir], + notify => $rundeck::config::service_notify, } } else { file { "${rundeck::config::properties_dir}/realm.properties": @@ -26,9 +26,9 @@ $_ldap_login_module = 'JettyCachingLdapLoginModule' } - file { "${rundeck::config::properties_dir}/jaas-auth.conf": + file { "${rundeck::config::properties_dir}/jaas-loginmodule.conf": content => Sensitive(epp('rundeck/jaas-auth.conf.epp', { _auth_config => $_auth_config, _ldap_login_module => $_ldap_login_module })), mode => '0600', - require => File[$rundeck::config::properties_dir], + notify => $rundeck::config::service_notify, } } diff --git a/manifests/config/project.pp b/manifests/config/project.pp deleted file mode 100644 index 9d55ab188..000000000 --- a/manifests/config/project.pp +++ /dev/null @@ -1,15 +0,0 @@ -# @api private -# -# @summary This private class is called from rundeck::config used to manage the default project properties. -# -class rundeck::config::project { - assert_private() - - $_project_config = deep_merge(lookup('rundeck::project_config'), $rundeck::project_config) - - file { "${rundeck::config::properties_dir}/project.properties": - ensure => file, - content => epp('rundeck/project.properties.epp', { _project_config => $_project_config }), - require => File[$rundeck::config::properties_dir], - } -} diff --git a/manifests/config/rundeck.pp b/manifests/config/rundeck.pp deleted file mode 100644 index 9a5d611c7..000000000 --- a/manifests/config/rundeck.pp +++ /dev/null 
@@ -1,19 +0,0 @@ -# @api private -# -# @summary This private class is called from rundeck::config used to manage the rundeck-config properties. -# -class rundeck::config::rundeck { - assert_private() - - $_service_notify = $rundeck::service_notify ? { - false => undef, - default => Service[$rundeck::service_name] - } - - file { "${rundeck::config::properties_dir}/rundeck-config.properties": - ensure => file, - content => epp($rundeck::config_template), - require => File[$rundeck::config::properties_dir], - notify => $_service_notify, - } -} diff --git a/manifests/init.pp b/manifests/init.pp index 0d40bd0d1..2e7e38c05 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -93,8 +93,8 @@ # The name of the rundeck service. # @param service_ensure # State of the rundeck service (defaults to 'running') -# @param service_restart -# The restart of the rundeck service (default to true) +# @param service_notify +# Wheter to restart the rundeck service if config changes (default to true) # @param service_logs_dir # The path to the directory to store service related logs. # @param service_config @@ -165,7 +165,7 @@ Rundeck::Loglevel $app_log_level = 'info', Rundeck::Loglevel $audit_log_level = 'info', # Template config - String $config_template = 'rundeck/rundeck-config.epp', + String $config_template = 'rundeck/rundeck-config.properties.epp', String $override_template = 'rundeck/profile_overrides.epp', String $realm_template = 'rundeck/realm.properties.epp', String $acl_template = 'rundeck/aclpolicy.erb', @@ -183,7 +183,7 @@ Stdlib::Absolutepath $truststore = '/etc/rundeck/ssl/truststore', Boolean $security_roles_array_enabled = false, Array $security_roles_array = [], - Hash[String,String] $storage_encrypt_config = {}, + Hash $key_storage_encrypt_config = {}, # User config String $user = 'rundeck', String $group = 'rundeck', diff --git a/templates/rundeck-config.properties.epp b/templates/rundeck-config.properties.epp index 262c11e68..73436ef45 100644 
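Review bot: Renaming the public parameter `$storage_encrypt_config` to `$key_storage_encrypt_config` is a breaking change for existing callers, and the same line loosens its type from `Hash[String,String]` to a bare `Hash`. Because the template interpolates each value directly into a `rundeck.storage.converter.1.<key> = <value>` line, the value type should stay constrained, e.g. `Hash[String, Variant[String, Integer, Boolean]] $key_storage_encrypt_config = {},`, and the rename deserves a `@param` note and a changelog entry. For an encryption converter this hash typically carries the key-storage encryption password, so it warrants the same handling as `database_config` wherever the rendered file is declared. The `class rundeck` parameter list extends beyond this hunk.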
--- a/templates/rundeck-config.properties.epp +++ b/templates/rundeck-config.properties.epp @@ -36,8 +36,8 @@ rundeck.storage.provider."<%= $_i+1 %>".config.<%= $_k %> = "<%= $_v %>" <%- } -%> <%- } -%> -<%- $rundeck::key_storage_encrypt_config.keys.each |$k| { -%> -rundeck.storage.converter."1".<%= $k %> = "<%= $rundeck::config::global::rundeck_config::storage_encrypt_config[$k] %>" +<%- $rundeck::key_storage_encrypt_config.each |$_k, $_v| { -%> +rundeck.storage.converter."1".<%= $_k %> = "<%= $_v %>" <%- } -%> <%- $rundeck::preauthenticated_config.each |$_k, $_v| { -%> From 4056fa99d26f05cab8e6425a224d551190ac5adb Mon Sep 17 00:00:00 2001 From: Joris29 Date: Tue, 21 Nov 2023 13:34:39 +0100 Subject: [PATCH 33/82] Use default jaas config --- templates/profile_overrides.epp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/profile_overrides.epp b/templates/profile_overrides.epp index 42cd0fec9..68ef98d4f 100644 --- a/templates/profile_overrides.epp +++ b/templates/profile_overrides.epp @@ -2,7 +2,7 @@ RDECK_BASE=<%= $rundeck::config::base_dir %> RDECK_CONFIG=<%= $rundeck::config::properties_dir %> RDECK_CONFIG_FILE="<%= $rundeck::config::properties_dir %>/rundeck-config.groovy" RDECK_INSTALL=<%= $rundeck::config::base_dir %> -JAAS_CONF=$RDECK_CONFIG/jaas-auth.conf +JAAS_CONF=$RDECK_CONFIG/jaas-loginmodule.conf LOGIN_MODULE=authentication JAVA_CMD=java RDECK_JVM_SETTINGS="<%= $rundeck::jvm_args %>" From 8aa1eec7884c465b673388bc7457946674cbec0c Mon Sep 17 00:00:00 2001 From: Joris29 Date: Tue, 21 Nov 2023 13:35:39 +0100 Subject: [PATCH 34/82] Use properties file --- templates/profile_overrides.epp | 2 +- templates/rundeck-config.properties.epp | 34 ++++++++++++------------- 2 files changed, 18 insertions(+), 18 deletions(-) diff --git a/templates/profile_overrides.epp b/templates/profile_overrides.epp index 68ef98d4f..52f657636 100644 --- a/templates/profile_overrides.epp +++ b/templates/profile_overrides.epp 
@@ -1,6 +1,6 @@ RDECK_BASE=<%= $rundeck::config::base_dir %> RDECK_CONFIG=<%= $rundeck::config::properties_dir %> -RDECK_CONFIG_FILE="<%= $rundeck::config::properties_dir %>/rundeck-config.groovy" +RDECK_CONFIG_FILE="<%= $rundeck::config::properties_dir %>/rundeck-config.properties" RDECK_INSTALL=<%= $rundeck::config::base_dir %> JAAS_CONF=$RDECK_CONFIG/jaas-loginmodule.conf LOGIN_MODULE=authentication diff --git a/templates/rundeck-config.properties.epp b/templates/rundeck-config.properties.epp index 73436ef45..f69faf1a3 100644 --- a/templates/rundeck-config.properties.epp +++ b/templates/rundeck-config.properties.epp 
@@ -1,49 +1,49 @@ -loglevel.default = "<%= $rundeck::app_log_level %>" -rdeck.base = "<%= $rundeck::config::base_dir %>" +loglevel.default = <%= $rundeck::app_log_level %> +rdeck.base = <%= $rundeck::config::base_dir %> -rss.enabled = "<%= $rundeck::rss_enabled %>" +rss.enabled = <%= $rundeck::rss_enabled %> -grails.serverURL = "<%= $rundeck::config::framework_config['framework.server.url'] %>" +grails.serverURL = <%= $rundeck::config::framework_config['framework.server.url'] %> -rundeck.clusterMode.enabled = "<%= $rundeck::clustermode_enabled %>" -rundeck.executionMode = "<%= $rundeck::execution_mode %>" +rundeck.clusterMode.enabled = <%= $rundeck::clustermode_enabled %> +rundeck.executionMode = <%= $rundeck::execution_mode %> -quartz.threadPool.threadCount = "<%= $rundeck::quartz_job_threadcount %>" +quartz.threadPool.threadCount = <%= $rundeck::quartz_job_threadcount %> dataSource.dbCreate = update <%- $rundeck::database_config.each |$_k, $_v| {-%> -dataSource.<%= $_k %> = "<%= $_v %>" +dataSource.<%= $_k %> = <%= $_v %> <%- } -%> <%- $rundeck::mail_config.each |$_k, $_v| {-%> -grails.mail.<%= $_k %> = "<%= $_v %>" +grails.mail.<%= $_k %> = <%= $_v %> <%- } -%> <%- $rundeck::security_config.each |$_k, $_v| {-%> -<%= $k %> = "<%= $rundeck::security_config[$k] %>" +<%= $k %> = <%= $rundeck::security_config[$k] %> <%- } -%> <%- $rundeck::key_storage_config.each |$_i, $_cfg| { -%> -rundeck.storage.provider."<%= $_i+1 %>".type = "<%= $_cfg['type'] %>" -rundeck.storage.provider."<%= $_i+1 %>".path = "<%= $_cfg['path'] %>" +rundeck.storage.provider.<%= $_i+1 %>.type = <%= $_cfg['type'] %> +rundeck.storage.provider.<%= $_i+1 %>.path = <%= $_cfg['path'] %> <%- if $_cfg['removePathPrefix'] { -%> -rundeck.storage.provider."<%= $_i+1 %>".removePathPrefix = <%= $_cfg['removePathPrefix'] %> +rundeck.storage.provider.<%= $_i+1 %>.removePathPrefix = <%= $_cfg['removePathPrefix'] %> <%- } -%> <%- if $_cfg['config'] { -%> <%- $_cfg['config'].each |$_k, $_v| { -%> 
-rundeck.storage.provider."<%= $_i+1 %>".config.<%= $_k %> = "<%= $_v %>" +rundeck.storage.provider.<%= $_i+1 %>.config.<%= $_k %> = <%= $_v %> <%- } -%> <%- } -%> <%- } -%> <%- $rundeck::key_storage_encrypt_config.each |$_k, $_v| { -%> -rundeck.storage.converter."1".<%= $_k %> = "<%= $_v %>" +rundeck.storage.converter.1.<%= $_k %> = <%= $_v %> <%- } -%> <%- $rundeck::preauthenticated_config.each |$_k, $_v| { -%> -rundeck.security.authorization.preauthenticated.<%= $_k %> = "<%= $_v %>" +rundeck.security.authorization.preauthenticated.<%= $_k %> = <%= $_v %> <%- } -%> <%- $rundeck::gui_config.each |$_k, $_v| {-%> -<%= $_k %> = "<%= $_v %>" +<%= $_k %> = <%= $_v %> <%- } -%> From 33e5b544a0085b5a10cdc3aa97dca136849919b9 Mon Sep 17 00:00:00 2001 From: Joris29 Date: Tue, 21 Nov 2023 13:44:18 +0100 Subject: [PATCH 35/82] Move config which has defaults --- templates/rundeck-config.properties.epp | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/templates/rundeck-config.properties.epp b/templates/rundeck-config.properties.epp index f69faf1a3..75eb7acce 100644 --- a/templates/rundeck-config.properties.epp +++ b/templates/rundeck-config.properties.epp @@ -15,14 +15,6 @@ dataSource.dbCreate = update dataSource.<%= $_k %> = <%= $_v %> <%- } -%> -<%- $rundeck::mail_config.each |$_k, $_v| {-%> -grails.mail.<%= $_k %> = <%= $_v %> -<%- } -%> - -<%- $rundeck::security_config.each |$_k, $_v| {-%> -<%= $k %> = <%= $rundeck::security_config[$k] %> -<%- } -%> - <%- $rundeck::key_storage_config.each |$_i, $_cfg| { -%> rundeck.storage.provider.<%= $_i+1 %>.type = <%= $_cfg['type'] %> rundeck.storage.provider.<%= $_i+1 %>.path = <%= $_cfg['path'] %> 
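Review bot: Dropping the quotes is correct for a Java `.properties` file, but `grails.mail.<%= $_k %> = <%= $_v %>` now emits whatever type each `mail_config` value has, and the `Rundeck::Mail_config` type added earlier in this series allows `props` as `Array[Hash]`, which would render as Puppet's array-to-string form rather than the per-property `grails.mail.props.<name> = <value>` lines the properties format needs. Either expand `props` explicitly in the template or restrict the type to scalar values; `dataSource.<%= $_k %> = <%= $_v %>` has the same exposure if a non-scalar ever reaches it. The `security_config` loop in this hunk also still reads the unbound `$k` instead of its `$_k`/`$_v` parameters.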
@@ -36,6 +28,14 @@ rundeck.storage.provider.<%= $_i+1 %>.config.<%= $_k %> = <%= $_v %> <%- } -%> <%- } -%> +<%- $rundeck::mail_config.each |$_k, $_v| {-%> +grails.mail.<%= $_k %> = <%= $_v %> +<%- } -%> + +<%- $rundeck::security_config.each |$_k, $_v| {-%> +<%= $k %> = <%= $rundeck::security_config[$k] %> +<%- } -%> + <%- $rundeck::key_storage_encrypt_config.each |$_k, $_v| { -%> rundeck.storage.converter.1.<%= $_k %> = <%= $_v %> <%- } -%> From 15d497a33579bf4d041242606f70c3668a217b60 Mon Sep 17 00:00:00 2001 From: Joris29 Date: Tue, 21 Nov 2023 13:50:54 +0100 Subject: [PATCH 36/82] Rename data to common and update init --- data/{defaults.yaml => common.yaml} | 6 ------ hiera.yaml | 6 +++--- manifests/init.pp | 5 +++-- 3 files changed, 6 insertions(+), 11 deletions(-) rename data/{defaults.yaml => common.yaml} (94%) diff --git a/data/defaults.yaml b/data/common.yaml similarity index 94% rename from data/defaults.yaml rename to data/common.yaml index 40a9ad615..802d36b41 100644 --- a/data/defaults.yaml +++ b/data/common.yaml @@ -127,15 +127,9 @@ rundeck::project_config: project.etc.dir: '/var/lib/rundeck/projects/${project.name}/etc' project.resources.file: '/var/lib/rundeck/projects/${project.name}/etc/resources.xml' -rundeck::file_keystorage_dir: '/var/lib/rundeck/var/storage' - rundeck::database_config: url: 'jdbc:h2:file:/var/lib/rundeck/data/rundeckdb' rundeck::key_storage_config: - type: 'db' path: 'keys' - -rundeck::keystore_password: 'adminadmin' -rundeck::truststore_password: 'adminadmin' -rundeck::rdeck_base: '/var/lib/rundeck' diff --git a/hiera.yaml b/hiera.yaml index 08842e39c..fb602a143 100644 --- a/hiera.yaml +++ b/hiera.yaml @@ -6,8 +6,8 @@ defaults: data_hash: 'yaml_data' hierarchy: - - name: 'Operating System Family' + - name: 'Rundeck Operating System Family defaults' path: 'os/%{facts.os.family}.yaml' - - name: 'Rundeck defaults' - path: 'defaults.yaml' + - name: 'Rundeck common defaults' + path: 'common.yaml' 
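Review bot: The relocated `security_config` loop still uses `$k` inside a block declared as `|$_k, $_v|`, so `<%= $k %> = <%= $rundeck::security_config[$k] %>` references an unbound variable — a compile error with strict variables, and an empty ` = ` line per key otherwise. Change the body to `<%= $_k %> = <%= $_v %>`, matching the `mail_config` loop moved alongside it.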
diff --git a/manifests/init.pp b/manifests/init.pp index 2e7e38c05..663766aa6 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -139,8 +139,6 @@ Hash $framework_config, Array[Hash] $key_storage_config, # Create type? Hash $project_config, - String $keystore_password, - String $truststore_password, Stdlib::Absolutepath $file_keystorage_dir, Stdlib::Absolutepath $override_dir, Hash $repo_config, @@ -181,6 +179,9 @@ Stdlib::Absolutepath $ssl_keyfile = '/etc/rundeck/ssl/rundeck.key', Stdlib::Absolutepath $ssl_certfile = '/etc/rundeck/ssl/rundeck.crt', Stdlib::Absolutepath $truststore = '/etc/rundeck/ssl/truststore', + String $keystore_password = 'admin', + String $truststore_password = 'admin', + Boolean $security_roles_array_enabled = false, Array $security_roles_array = [], Hash $key_storage_encrypt_config = {}, From bee6962d7b59eab52267f6e4f937629e68a7a32f Mon Sep 17 00:00:00 2001 From: Joris29 Date: Tue, 21 Nov 2023 13:56:27 +0100 Subject: [PATCH 37/82] Make param not mandatory --- manifests/init.pp | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/manifests/init.pp b/manifests/init.pp index 663766aa6..f6196b94c 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -139,11 +139,13 @@ Hash $framework_config, Array[Hash] $key_storage_config, # Create type? Hash $project_config, - Stdlib::Absolutepath $file_keystorage_dir, Stdlib::Absolutepath $override_dir, Hash $repo_config, Boolean $manage_repo = true, String $package_ensure = 'installed', + Boolean $manage_home = true, + + Stdlib::Absolutepath $file_keystorage_dir = "${framework_config['framework.var.dir']}/storage", Boolean $clustermode_enabled = false, Enum['active', 'passive'] $execution_mode = 'active', @@ -217,7 +219,6 @@ Boolean $script_args_quoted = true, Stdlib::Absolutepath $script_interpreter = '/bin/bash', - Boolean $manage_home = true, ) { validate_rd_policy($admin_policies) validate_rd_policy($api_policies) 
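Review bot: The new `String $keystore_password = 'admin'` and `String $truststore_password = 'admin'` defaults are shorter than the `'adminadmin'` values the same commit removes from the data file, and they are typed `String` rather than `Sensitive[String]`, so they appear in catalogs and reports. Java's keytool rejects keystore passwords of fewer than six characters, so if the module or an operator creates the keystore with this value, `'admin'` will fail where `'adminadmin'` worked. Suggest `Variant[String, Sensitive[String]] $keystore_password = 'adminadmin',` (and the same for the truststore), with a `@param` note that the default must be overridden in production. The `class rundeck` parameter list starts before this hunk.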
From 1c3c491a245f7782080137f510e6bbb9ea9762a2 Mon Sep 17 00:00:00 2001 From: Joris29 Date: Tue, 21 Nov 2023 14:41:14 +0100 Subject: [PATCH 38/82] Update keystorage config --- manifests/config.pp | 8 ++------ manifests/config/global/file_keystore.pp | 14 -------------- manifests/init.pp | 14 +++++++------- 3 files changed, 9 insertions(+), 27 deletions(-) delete mode 100644 manifests/config/global/file_keystore.pp diff --git a/manifests/config.pp b/manifests/config.pp index 8d0dfd0af..6ae25f4da 100644 --- a/manifests/config.pp +++ b/manifests/config.pp @@ -89,12 +89,8 @@ content => epp($rundeck::config_template), notify => $service_notify, } - # contain rundeck::config::global::file_keystore - # Class['rundeck::config::global::framework'] - # -> Class['rundeck::config::global::project'] - # -> Class['rundeck::config::global::rundeck_config'] - # -> Class['rundeck::config::global::file_keystore'] + create_resources(rundeck::config::resource::file_keystore, $rundeck::file_keystorage_keys) # if $ssl_enabled { # contain rundeck::config::global::ssl @@ -102,7 +98,7 @@ # -> Class['rundeck::config::global::ssl'] # } - # create_resources(rundeck::config::project, $projects) + # create_resources(rundeck::config::resource::project, $rundeck::projects) # if versioncmp( $package_ensure, '3.0.0' ) < 0 { # class { 'rundeck::config::global::web': diff --git a/manifests/config/global/file_keystore.pp b/manifests/config/global/file_keystore.pp deleted file mode 100644 index ab3195a6b..000000000 --- a/manifests/config/global/file_keystore.pp +++ /dev/null 
@@ -1,14 +0,0 @@ -# @api private -# -# @summary This private class is used to manage the keys of the Rundeck key storage facility if a file-based backend is used. -# -class rundeck::config::global::file_keystore { - assert_private() - - $file_keystorage_dir = $rundeck::file_keystorage_dir - $group = $rundeck::config::group - $keys = $rundeck::config::file_keystorage_keys - $user = $rundeck::config::user - - create_resources(rundeck::config::file_keystore, $keys, { 'user' => $user, 'group' => $group }) -} diff --git a/manifests/init.pp b/manifests/init.pp index f6196b94c..e1f776ef2 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -144,6 +144,13 @@ Boolean $manage_repo = true, String $package_ensure = 'installed', Boolean $manage_home = true, + # User config + String $user = 'rundeck', + String $group = 'rundeck', + Boolean $manage_user = false, + Boolean $manage_group = false, + Optional[Integer] $user_id = undef, + Optional[Integer] $group_id = undef, Stdlib::Absolutepath $file_keystorage_dir = "${framework_config['framework.var.dir']}/storage", @@ -187,13 +194,6 @@ Boolean $security_roles_array_enabled = false, Array $security_roles_array = [], Hash $key_storage_encrypt_config = {}, - # User config - String $user = 'rundeck', - String $group = 'rundeck', - Boolean $manage_user = false, - Boolean $manage_group = false, - Optional[Integer] $user_id = undef, - Optional[Integer] $group_id = undef, # Service config String $service_name = 'rundeckd', Enum['stopped', 'running'] $service_ensure = 'running', From 1622f7e42d16ea495f632baa747ff7499071d514 Mon Sep 17 00:00:00 2001 From: Joris29 Date: Tue, 21 Nov 2023 14:45:53 +0100 Subject: [PATCH 39/82] Update user and group --- manifests/config/resource/file_keystore.pp | 5 +++-- manifests/init.pp | 6 +++--- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/manifests/config/resource/file_keystore.pp b/manifests/config/resource/file_keystore.pp index ca68673da..b1dbf917d 100644 
--- a/manifests/config/resource/file_keystore.pp +++ b/manifests/config/resource/file_keystore.pp @@ -55,9 +55,10 @@ String $content_modify_time = chomp(generate('/bin/date', '+%Y-%m-%dT%H:%M:%SZ')), Optional[Integer] $content_size = undef, Stdlib::Absolutepath $file_keystorage_dir = $rundeck::file_keystorage_dir, - String $group = $rundeck::config::group, - String $user = $rundeck::config::user, + String $group = $rundeck::group, + String $user = $rundeck::user, ) { + include rundeck ensure_resource('file', [$file_keystorage_dir], { 'ensure' => 'directory' }) if !$content_size { diff --git a/manifests/init.pp b/manifests/init.pp index e1f776ef2..a34fa3588 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -227,7 +227,7 @@ contain rundeck::config contain rundeck::service - # Class['rundeck::install'] - # -> Class['rundeck::config'] - # ~> Class['rundeck::service'] + Class['rundeck::install'] + -> Class['rundeck::config'] + ~> Class['rundeck::service'] } From 3cf3b50a1404846e283fc2459695dc04e59a9c5d Mon Sep 17 00:00:00 2001 From: Joris29 Date: Tue, 21 Nov 2023 15:13:18 +0100 Subject: [PATCH 40/82] Update default value --- manifests/config.pp | 10 +--------- manifests/config/framework.pp | 1 - manifests/config/jaas_auth.pp | 2 -- manifests/config/resource/file_keystore.pp | 4 ++-- manifests/init.pp | 3 --- 5 files changed, 3 insertions(+), 17 deletions(-) diff --git a/manifests/config.pp b/manifests/config.pp index 6ae25f4da..6719c7fd7 100644 --- a/manifests/config.pp +++ b/manifests/config.pp @@ -11,11 +11,6 @@ $base_dir = $framework_config['rdeck.base'] $properties_dir = $framework_config['framework.etc.dir'] - $service_notify = $rundeck::service_notify ? { - false => undef, - default => Service[$rundeck::service_name] - } - File { owner => $rundeck::user, group => $rundeck::group, 
@@ -45,7 +40,6 @@ "${properties_dir}/log4j2.properties": content => epp($rundeck::log_properties_template), require => File[$properties_dir, $rundeck::service_logs_dir], - notify => $service_notify, ; } @@ -81,16 +75,14 @@ file { "${properties_dir}/project.properties": ensure => file, content => epp('rundeck/project.properties.epp', { _project_config => $project_config }), - notify => $service_notify, } file { "${properties_dir}/rundeck-config.properties": ensure => file, content => epp($rundeck::config_template), - notify => $service_notify, } - create_resources(rundeck::config::resource::file_keystore, $rundeck::file_keystorage_keys) + # create_resources(rundeck::config::resource::file_keystore, $rundeck::file_keystorage_keys) # if $ssl_enabled { # contain rundeck::config::global::ssl diff --git a/manifests/config/framework.pp b/manifests/config/framework.pp index 4f72aecb6..1f4b774fc 100644 --- a/manifests/config/framework.pp +++ b/manifests/config/framework.pp @@ -19,6 +19,5 @@ file { "${rundeck::config::properties_dir}/framework.properties": ensure => file, content => epp('rundeck/framework.properties.epp', { _framework_config => $_framework_config }), - notify => $rundeck::config::service_notify, } } diff --git a/manifests/config/jaas_auth.pp b/manifests/config/jaas_auth.pp index 5bbf9557a..26061f484 100644 --- a/manifests/config/jaas_auth.pp +++ b/manifests/config/jaas_auth.pp @@ -12,7 +12,6 @@ file { "${rundeck::config::properties_dir}/realm.properties": content => Sensitive(epp($rundeck::realm_template, { _auth_config => $_auth_config })), mode => '0600', - notify => $rundeck::config::service_notify, } } else { file { "${rundeck::config::properties_dir}/realm.properties": @@ -29,6 +28,5 @@ file { "${rundeck::config::properties_dir}/jaas-loginmodule.conf": content => Sensitive(epp('rundeck/jaas-auth.conf.epp', { _auth_config => $_auth_config, _ldap_login_module => $_ldap_login_module })), mode => '0600', - notify => $rundeck::config::service_notify, } } 
diff --git a/manifests/config/resource/file_keystore.pp b/manifests/config/resource/file_keystore.pp index b1dbf917d..921653aa6 100644 --- a/manifests/config/resource/file_keystore.pp +++ b/manifests/config/resource/file_keystore.pp @@ -48,8 +48,8 @@ Enum['password', 'public', 'private'] $data_type, String $path, String $value, - String $auth_created_username = $rundeck::framework_config['framework.ssh.user'], - String $auth_modified_username = $rundeck::framework_config['framework.ssh.user'], + String $auth_created_username = $rundeck::config::framework_config['framework.ssh.user'], + String $auth_modified_username = $rundeck::config::framework_config['framework.ssh.user'], String $content_creation_time = chomp(generate('/bin/date', '+%Y-%m-%dT%H:%M:%SZ')), String $content_mask = 'content', String $content_modify_time = chomp(generate('/bin/date', '+%Y-%m-%dT%H:%M:%SZ')), diff --git a/manifests/init.pp b/manifests/init.pp index a34fa3588..459c85d8e 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -93,8 +93,6 @@ # The name of the rundeck service. # @param service_ensure # State of the rundeck service (defaults to 'running') -# @param service_notify -# Wheter to restart the rundeck service if config changes (default to true) # @param service_logs_dir # The path to the directory to store service related logs. # @param service_config @@ -197,7 +195,6 @@ # Service config String $service_name = 'rundeckd', Enum['stopped', 'running'] $service_ensure = 'running', - Boolean $service_notify = true, Stdlib::Absolutepath $service_logs_dir = '/var/log/rundeck', Optional[String] $service_config = undef, Optional[String] $service_script = undef, From 7f2d23efd6d90f8b9b5a2865e34a19e8193590cb Mon Sep 17 00:00:00 2001 
From: Joris29 Date: Tue, 21 Nov 2023 15:54:38 +0100 Subject: [PATCH 41/82] Remove file_keystore from core config --- manifests/config.pp | 4 ---- manifests/config/resource/file_keystore.pp | 2 +- manifests/init.pp | 8 ++------ 3 files changed, 3 insertions(+), 11 deletions(-) diff --git a/manifests/config.pp b/manifests/config.pp index 6719c7fd7..5d4d07ddc 100644 --- a/manifests/config.pp +++ b/manifests/config.pp @@ -82,16 +82,12 @@ content => epp($rundeck::config_template), } - # create_resources(rundeck::config::resource::file_keystore, $rundeck::file_keystorage_keys) - # if $ssl_enabled { # contain rundeck::config::global::ssl # Class['rundeck::config::global::rundeck_config'] # -> Class['rundeck::config::global::ssl'] # } - # create_resources(rundeck::config::resource::project, $rundeck::projects) - # if versioncmp( $package_ensure, '3.0.0' ) < 0 { # class { 'rundeck::config::global::web': # security_role => $security_role, diff --git a/manifests/config/resource/file_keystore.pp b/manifests/config/resource/file_keystore.pp index 921653aa6..f026bbd3e 100644 --- a/manifests/config/resource/file_keystore.pp +++ b/manifests/config/resource/file_keystore.pp @@ -54,7 +54,7 @@ String $content_mask = 'content', String $content_modify_time = chomp(generate('/bin/date', '+%Y-%m-%dT%H:%M:%SZ')), Optional[Integer] $content_size = undef, - Stdlib::Absolutepath $file_keystorage_dir = $rundeck::file_keystorage_dir, + Stdlib::Absolutepath $file_keystorage_dir = "${rundeck::config::framework_config['framework.var.dir']}/storage", String $group = $rundeck::group, String $user = $rundeck::user, ) { diff --git a/manifests/init.pp b/manifests/init.pp index 459c85d8e..9285e9c44 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
@@ -15,8 +15,6 @@ # Hash of properties for configuring the [Rundeck Database](https://docs.rundeck.com/docs/administration/configuration/database) # @param execution_mode # If set, allows setting the execution mode to 'active' or 'passive'. -# @param file_keystorage_dir -# Path to dir where the keystorage should be located. # @param file_keystorage_keys # Add keys to file keystorage. # @param framework_config @@ -150,11 +148,9 @@ Optional[Integer] $user_id = undef, Optional[Integer] $group_id = undef, - Stdlib::Absolutepath $file_keystorage_dir = "${framework_config['framework.var.dir']}/storage", - Boolean $clustermode_enabled = false, Enum['active', 'passive'] $execution_mode = 'active', - Hash $file_keystorage_keys = {}, + Hash $gui_config = {}, Optional[Stdlib::Absolutepath] $java_home = undef, String $jvm_args = '-Xmx1024m -Xms256m -server', @@ -198,9 +194,9 @@ Stdlib::Absolutepath $service_logs_dir = '/var/log/rundeck', Optional[String] $service_config = undef, Optional[String] $service_script = undef, + # Project config Hash $projects = {}, - Integer $quartz_job_threadcount = 10, String $file_copier_provider = 'jsch-scp', String $node_executor_provider = 'jsch-ssh', From c31e2d0dac45d575850e72b32bb756755ab00f22 Mon Sep 17 00:00:00 2001 
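Review bot: The first hunk removes the `@param file_keystorage_dir` comment but leaves `# @param file_keystorage_keys` in place (visible as context), while the second hunk deletes the `$file_keystorage_keys` parameter itself, so the class now documents a parameter it no longer accepts and puppet-strings will warn about it; the same probably holds for `$quartz_job_threadcount`, removed in the third hunk, whose `@param` text is not visible here. Delete `# @param file_keystorage_keys` and its description line together with the parameter, and regenerate REFERENCE.md. Both removals are breaking for callers that set `rundeck::file_keystorage_keys` or `rundeck::quartz_job_threadcount` via Hiera, so they belong in the upgrade notes as well.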
From: Joris29 Date: Wed, 22 Nov 2023 08:57:30 +0100 Subject: [PATCH 42/82] Remove deprecated files --- REFERENCE.md | 268 +++-------- manifests/config/resource/file_keystore.pp | 95 ---- manifests/config/resource/project.pp | 167 ------- manifests/config/resource/resource_source.pp | 454 ------------------ manifests/init.pp | 28 +- .../config/global/file_keystore_spec.rb | 46 -- templates/file_keystorage_meta.erb | 17 - templates/scm-export.properties.erb | 3 - templates/scm-import.properties.erb | 3 - 9 files changed, 63 insertions(+), 1018 deletions(-) delete mode 100644 manifests/config/resource/file_keystore.pp delete mode 100644 manifests/config/resource/project.pp delete mode 100644 manifests/config/resource/resource_source.pp delete mode 100644 spec/classes/config/global/file_keystore_spec.rb delete mode 100644 templates/file_keystorage_meta.erb delete mode 100644 templates/scm-export.properties.erb delete mode 100644 templates/scm-import.properties.erb diff --git a/REFERENCE.md b/REFERENCE.md index b391a7047..d5020d0f7 100644 --- a/REFERENCE.md +++ b/REFERENCE.md 
@@ -15,9 +15,6 @@ * `rundeck::config`: This class is called from rundeck to manage the configuration. * `rundeck::config::framework`: This private class is called from rundeck::config used to manage the framework properties of rundeck. -* `rundeck::config::global::file_keystore`: This private class is used to manage the keys of the Rundeck key storage facility if a file-based backend is used. -* `rundeck::config::global::project`: This private class is called from rundeck::config used to manage the default project properties. -* `rundeck::config::global::rundeck_config`: This private class is called from rundeck::config used to manage the rundeck-config properties. * `rundeck::config::global::ssl`: This private class is called from rundeck::config used to manage the ssl properties if ssl is enabled. * `rundeck::config::jaas_auth`: This private class is called from rundeck::config used to manage jaas authentication for rundeck. * `rundeck::install`: This class is called from rundeck for install. @@ -26,7 +23,6 @@ ### Defined types * [`rundeck::config::resource::aclpolicyfile`](#rundeck--config--resource--aclpolicyfile): This define will create a custom acl policy file. -* [`rundeck::config::resource::file_keystore`](#rundeck--config--resource--file_keystore): This define will create the 'content' and 'meta' components for the key to be stored. * [`rundeck::config::resource::plugin`](#rundeck--config--resource--plugin): This define will install a rundeck plugin. * [`rundeck::config::resource::project`](#rundeck--config--resource--project): This define can be used to configure rundeck projects. * [`rundeck::config::resource::resource_source`](#rundeck--config--resource--resource_source): This define will create a resource source that gathers node information. 
@@ -38,8 +34,10 @@ ### Data types -* [`Rundeck::Authconfig`](#Rundeck--Authconfig): Rundeck authentication config type. +* [`Rundeck::Auth_config`](#Rundeck--Auth_config): Rundeck authentication config type. +* [`Rundeck::Db_config`](#Rundeck--Db_config): Rundeck database config type. * [`Rundeck::Loglevel`](#Rundeck--Loglevel): Rundeck log level type. +* [`Rundeck::Mail_config`](#Rundeck--Mail_config): Rundeck mail config type. * [`Rundeck::Sourcetype`](#Rundeck--Sourcetype): Rundeck sourcetype type. ## Classes @@ -59,10 +57,7 @@ The following parameters are available in the `rundeck` class: * [`clustermode_enabled`](#-rundeck--clustermode_enabled) * [`database_config`](#-rundeck--database_config) * [`execution_mode`](#-rundeck--execution_mode) -* [`file_keystorage_dir`](#-rundeck--file_keystorage_dir) -* [`file_keystorage_keys`](#-rundeck--file_keystorage_keys) * [`framework_config`](#-rundeck--framework_config) -* [`grails_server_url`](#-rundeck--grails_server_url) * [`gui_config`](#-rundeck--gui_config) * [`java_home`](#-rundeck--java_home) * [`jvm_args`](#-rundeck--jvm_args) @@ -82,8 +77,6 @@ The following parameters are available in the `rundeck` class: * [`package_ensure`](#-rundeck--package_ensure) * [`preauthenticated_config`](#-rundeck--preauthenticated_config) * [`projects`](#-rundeck--projects) -* [`projects_description`](#-rundeck--projects_description) -* [`projects_organization`](#-rundeck--projects_organization) * [`quartz_job_threadcount`](#-rundeck--quartz_job_threadcount) * [`app_log_level`](#-rundeck--app_log_level) * [`audit_log_level`](#-rundeck--audit_log_level) 
@@ -97,7 +90,6 @@ The following parameters are available in the `rundeck` class: * [`server_web_context`](#-rundeck--server_web_context) * [`service_name`](#-rundeck--service_name) * [`service_ensure`](#-rundeck--service_ensure) -* [`service_restart`](#-rundeck--service_restart) * [`service_logs_dir`](#-rundeck--service_logs_dir) * [`service_config`](#-rundeck--service_config) * [`service_script`](#-rundeck--service_script) @@ -114,7 +106,8 @@ The following parameters are available in the `rundeck` class: * [`group_id`](#-rundeck--group_id) * [`security_roles_array_enabled`](#-rundeck--security_roles_array_enabled) * [`security_roles_array`](#-rundeck--security_roles_array) -* [`storage_encrypt_config`](#-rundeck--storage_encrypt_config) +* [`key_storage_encrypt_config`](#-rundeck--key_storage_encrypt_config) +* [`project_config`](#-rundeck--project_config) * [`override_dir`](#-rundeck--override_dir) * [`file_copier_provider`](#-rundeck--file_copier_provider) * [`node_executor_provider`](#-rundeck--node_executor_provider) @@ -152,7 +145,7 @@ Apitoken acl policies. Default value is located in data/common.yaml. ##### `auth_config` -Data type: `Rundeck::Authconfig` +Data type: `Rundeck::Auth_config` Hash of properties for configuring [Rundeck JAAS Authentication](https://docs.rundeck.com/docs/administration/security/authentication.html#jetty-and-jaas-authentication) Default value is located in data/common.yaml. @@ -167,7 +160,7 @@ Default value: `false` ##### `database_config` -Data type: `Hash` +Data type: `Rundeck::Db_config` Hash of properties for configuring the [Rundeck Database](https://docs.rundeck.com/docs/administration/configuration/database) 
@@ -179,20 +172,6 @@ If set, allows setting the execution mode to 'active' or 'passive'. Default value: `'active'` -##### `file_keystorage_dir` - -Data type: `Stdlib::Absolutepath` - -Path to dir where the keystorage should be located. - -##### `file_keystorage_keys` - -Data type: `Hash` - -Add keys to file keystorage. - -Default value: `{}` - ##### `framework_config` Data type: `Hash` @@ -200,14 +179,6 @@ Data type: `Hash` Hash of properties for configuring the [Rundeck Framework](https://docs.rundeck.com/docs/administration/configuration/config-file-reference.html#framework-properties) Default value is located in data/common.yaml. -##### `grails_server_url` - -Data type: `Stdlib::HTTPUrl` - -Sets `grails.serverURL` so that Rundeck knows its external address. - -Default value: `"http://${facts['networking']['fqdn']}:4440"` - ##### `gui_config` Data type: `Hash` @@ -260,6 +231,8 @@ Data type: `String` The password for the given keystore. +Default value: `'admin'` + ##### `log_properties_template` Data type: `String` @@ -270,7 +243,7 @@ Default value: `'rundeck/log4j2.properties.epp'` ##### `mail_config` -Data type: `Hash` +Data type: `Rundeck::Mail_config` A hash of the notification email configuraton. @@ -345,6 +318,8 @@ Data type: `Hash` A hash of the rundeck preauthenticated config mode +Default value: `{}` + ##### `projects` Data type: `Hash` @@ -353,22 +328,6 @@ The hash of projects in your instance. Default value: `{}` -##### `projects_description` - -Data type: `String` - -The description that will be set by default for any projects. - -Default value: `''` - -##### `projects_organization` - -Data type: `String` - -The organization value that will be set by default for any projects. - -Default value: `''` - ##### `quartz_job_threadcount` Data type: `Integer` 
@@ -399,7 +358,7 @@ Data type: `String` Allows you to override the rundeck-config template. -Default value: `'rundeck/rundeck-config.epp'` +Default value: `'rundeck/rundeck-config.properties.epp'` ##### `manage_home` @@ -439,6 +398,8 @@ Data type: `Hash` A hash of the rundeck security configuration. +Default value: `{}` + ##### `security_role` Data type: `String` @@ -471,14 +432,6 @@ State of the rundeck service (defaults to 'running') Default value: `'running'` -##### `service_restart` - -Data type: `Boolean` - -The restart of the rundeck service (default to true) - -Default value: `true` - ##### `service_logs_dir` Data type: `Stdlib::Absolutepath` @@ -541,6 +494,8 @@ Data type: `String` The password for the given truststore. +Default value: `'admin'` + ##### `user` Data type: `String` @@ -605,15 +560,21 @@ Array value if you need more roles and you set true the "security_roles_array_en Default value: `[]` -##### `storage_encrypt_config` +##### `key_storage_encrypt_config` -Data type: `Hash[String,String]` +Data type: `Hash` Hash containing the necessary values to configure a plugin for key storage encryption. https://docs.rundeck.com/docs/administration/configuration/plugins/configuring.html#storage-converter-plugins Default value: `{}` +##### `project_config` + +Data type: `Hash` + + + ##### `override_dir` Data type: `Stdlib::Absolutepath` 
@@ -878,147 +839,6 @@ The template used for acl policy. Default is rundeck/aclpolicy.erb Default value: `"${module_name}/aclpolicy.erb"` -### `rundeck::config::resource::file_keystore` - -Currently supports password-based public keys. -Private keys are also supported, but not recommended to be privisioned via this mechanism -without the proper security policies for the private key data in place. - -#### Examples - -##### Basic usage. - -```puppet -rundeck::config::resource::file_keystore { 'mypassword': - path => 'myproject/mypassword', - value => 'secret', - content_type => 'application/x-rundeck-data-password', - data_type => 'password', -} -``` - -#### Parameters - -The following parameters are available in the `rundeck::config::resource::file_keystore` defined type: - -* [`content_type`](#-rundeck--config--resource--file_keystore--content_type) -* [`data_type`](#-rundeck--config--resource--file_keystore--data_type) -* [`path`](#-rundeck--config--resource--file_keystore--path) -* [`value`](#-rundeck--config--resource--file_keystore--value) -* [`auth_created_username`](#-rundeck--config--resource--file_keystore--auth_created_username) -* [`auth_modified_username`](#-rundeck--config--resource--file_keystore--auth_modified_username) -* [`content_creation_time`](#-rundeck--config--resource--file_keystore--content_creation_time) -* [`content_mask`](#-rundeck--config--resource--file_keystore--content_mask) -* [`content_modify_time`](#-rundeck--config--resource--file_keystore--content_modify_time) -* [`content_size`](#-rundeck--config--resource--file_keystore--content_size) -* [`file_keystorage_dir`](#-rundeck--config--resource--file_keystore--file_keystorage_dir) -* [`group`](#-rundeck--config--resource--file_keystore--group) -* [`user`](#-rundeck--config--resource--file_keystore--user) - -##### `content_type` - -Data type: - -```puppet -Enum[ - 'application/x-rundeck-data-password', - 'application/pgp-keys', - 'application/octet-stream' - ] -``` - -MIME type of the 
content - -##### `data_type` - -Data type: `Enum['password', 'public', 'private']` - -Data type (password, public-key or private-key) - -##### `path` - -Data type: `String` - -The path of the named key - -##### `value` - -Data type: `String` - -The actual value (password) of the named key - -##### `auth_created_username` - -Data type: `String` - -User who created the key - -Default value: `$rundeck::framework_config['framework.ssh.user']` - -##### `auth_modified_username` - -Data type: `String` - -User who last modified the key - -Default value: `$rundeck::framework_config['framework.ssh.user']` - -##### `content_creation_time` - -Data type: `String` - -When the key was first created - -Default value: `chomp(generate('/bin/date', '+%Y-%m-%dT%H:%M:%SZ'))` - -##### `content_mask` - -Data type: `String` - -Content mask (default is 'content') - -Default value: `'content'` - -##### `content_modify_time` - -Data type: `String` - -When the key was modified - -Default value: `chomp(generate('/bin/date', '+%Y-%m-%dT%H:%M:%SZ'))` - -##### `content_size` - -Data type: `Optional[Integer]` - -Size of the content string in bytes - -Default value: `undef` - -##### `file_keystorage_dir` - -Data type: `Stdlib::Absolutepath` - -Base directory for file-based key storage (defaulted to /var/lib/rundeck/var/storage) - -Default value: `$rundeck::file_keystorage_dir` - -##### `group` - -Data type: `String` - -Default system group for the Rundeck framework - -Default value: `$rundeck::config::group` - -##### `user` - -Data type: `String` - -Default system user for the Rundeck framework - -Default value: `$rundeck::config::user` - ### `rundeck::config::resource::plugin` This define will install a rundeck plugin. @@ -1505,7 +1325,7 @@ Returns: `Any` ## Data types -### `Rundeck::Authconfig` +### `Rundeck::Auth_config` Rundeck authentication config type. 
@@ -1519,12 +1339,48 @@ Struct[{ }] ``` +### `Rundeck::Db_config` + +Rundeck database config type. + +Alias of + +```puppet +Struct[{ + 'url' => String, + Optional['driverClassName'] => String, + Optional['username'] => String, + Optional['password'] => String, + Optional['dialect'] => String, + Optional['properties.validationQuery'] => String, +}] +``` + ### `Rundeck::Loglevel` Rundeck log level type. Alias of `Enum['all', 'debug', 'error', 'fatal', 'info', 'off', 'trace', 'warn']` +### `Rundeck::Mail_config` + +Rundeck mail config type. + +Alias of + +```puppet +Struct[{ + Optional['host'] => String, + Optional['port'] => Integer, + Optional['username'] => String, + Optional['password'] => String, + Optional['props'] => Array[Hash], + Optional['default.from'] => String, + Optional['default.to'] => String, + Optional['disabled'] => Boolean, +}] +``` + ### `Rundeck::Sourcetype` Rundeck sourcetype type. diff --git a/manifests/config/resource/file_keystore.pp b/manifests/config/resource/file_keystore.pp deleted file mode 100644 index f026bbd3e..000000000 --- a/manifests/config/resource/file_keystore.pp +++ /dev/null 
@@ -1,95 +0,0 @@ -# @summary This define will create the 'content' and 'meta' components for the key to be stored. -# -# Currently supports password-based public keys. -# Private keys are also supported, but not recommended to be privisioned via this mechanism -# without the proper security policies for the private key data in place. -# -# @example Basic usage. -# rundeck::config::resource::file_keystore { 'mypassword': -# path => 'myproject/mypassword', -# value => 'secret', -# content_type => 'application/x-rundeck-data-password', -# data_type => 'password', -# } -# -# @param content_type -# MIME type of the content -# @param data_type -# Data type (password, public-key or private-key) -# @param path -# The path of the named key -# @param value -# The actual value (password) of the named key -# @param auth_created_username -# User who created the key -# @param auth_modified_username -# User who last modified the key -# @param content_creation_time -# When the key was first created -# @param content_mask -# Content mask (default is 'content') -# @param content_modify_time -# When the key was modified -# @param content_size -# Size of the content string in bytes -# @param file_keystorage_dir -# Base directory for file-based key storage (defaulted to /var/lib/rundeck/var/storage) -# @param group -# Default system group for the Rundeck framework -# @param user -# Default system user for the Rundeck framework -# -define rundeck::config::resource::file_keystore ( - Enum[ - 'application/x-rundeck-data-password', - 'application/pgp-keys', - 'application/octet-stream' - ] $content_type, - Enum['password', 'public', 'private'] $data_type, - String $path, - String $value, - String $auth_created_username = $rundeck::config::framework_config['framework.ssh.user'], - String $auth_modified_username = $rundeck::config::framework_config['framework.ssh.user'], - String $content_creation_time = chomp(generate('/bin/date', '+%Y-%m-%dT%H:%M:%SZ')), - String $content_mask = 'content', 
- String $content_modify_time = chomp(generate('/bin/date', '+%Y-%m-%dT%H:%M:%SZ')), - Optional[Integer] $content_size = undef, - Stdlib::Absolutepath $file_keystorage_dir = "${rundeck::config::framework_config['framework.var.dir']}/storage", - String $group = $rundeck::group, - String $user = $rundeck::user, -) { - include rundeck - ensure_resource('file', [$file_keystorage_dir], { 'ensure' => 'directory' }) - - if !$content_size { - $content_size_value = size($value) - } else { - $content_size_value = $content_size - } - - $key_fqpath = "${file_keystorage_dir}/content/keys/${path}" - $key_dirtree = dirtree($key_fqpath, $file_keystorage_dir) - $meta_fqpath = "${file_keystorage_dir}/meta/keys/${path}" - $meta_dirtree = dirtree($meta_fqpath, $file_keystorage_dir) - - File { - ensure => present, - mode => '0664', - owner => $user, - group => $group, - } - - ensure_resource('file', [$meta_dirtree, $key_dirtree], { 'ensure' => 'directory' }) - - file { "${key_fqpath}/${name}.${data_type}": - content => $value, - replace => false, - require => File[$key_fqpath], - } - - file { "${meta_fqpath}/${name}.${data_type}": - content => template('rundeck/file_keystorage_meta.erb'), - replace => false, - require => File[$meta_fqpath], - } -} diff --git a/manifests/config/resource/project.pp b/manifests/config/resource/project.pp deleted file mode 100644 index cc51fb513..000000000 --- a/manifests/config/resource/project.pp +++ /dev/null 
@@ -1,167 +0,0 @@ -# @summary This define can be used to configure rundeck projects. -# -# @example Basic usage. -# rundeck::config::resource::project { 'test project': -# ssh_keypath => '/var/lib/rundeck/.ssh/id_rsa', -# file_copier_provider => 'jsch-scp', -# node_executor_provider => 'jsch-ssh', -# resource_sources => $resource_hash, -# scm_import_properties => $scm_import_properties_hash, -# } -# -# @param file_copier_provider -# The type of proivder that will be used for copying files to each of the nodes -# @param framework_config -# Rundeck framework config -# @param group -# Rundeck group -# @param user -# Rundeck user -# @param node_executor_provider -# The type of provider that will be used to gather node resources -# @param node_executor_settings -# Node executor settings -# @param projects_dir -# The directory where rundeck is configured to store project information -# @param resource_sources -# A hash of rundeck::config::resource_source that will be used to specify the node resources for this project -# @param scm_import_properties -# A hash of name value pairs representing properties for the scm-import.properties file -# @param scm_export_properties -# A hash of name value pairs representing properties for the scm-export.properties file -# @param ssh_keypath -# The path to the ssh key that will be used by the ssh/scp providers -# -define rundeck::config::resource::project ( - String $file_copier_provider = $rundeck::file_copier_provider, - Hash $framework_config = $rundeck::framework_config, - String $group = $rundeck::group, - String $user = $rundeck::user, - String $node_executor_provider = $rundeck::node_executor_provider, - Hash $node_executor_settings = {}, - Optional[Stdlib::Absolutepath] $projects_dir = undef, - Hash $resource_sources = $rundeck::resource_sources, - Hash $scm_import_properties = {}, - Hash $scm_export_properties = {}, - Optional[Stdlib::Absolutepath] $ssh_keypath = undef, -) { - include rundeck - - $framework_properties = 
deep_merge($rundeck::params::framework_config, $rundeck::framework_config, $framework_config) - - $_ssh_keypath = $ssh_keypath ? { - undef => $framework_properties['framework.ssh.keypath'], - default => $ssh_keypath, - } - - $_projects_dir = $projects_dir ? { - undef => $framework_properties['framework.projects.dir'], - default => $projects_dir, - } - - $project_dir = "${_projects_dir}/${name}" - $properties_file = "${project_dir}/etc/project.properties" - $scm_import_properties_file = "${project_dir}/etc/scm-import.properties" - $scm_export_properties_file = "${project_dir}/etc/scm-export.properties" - - file { $project_dir: - ensure => directory, - owner => $user, - group => $group, - mode => '0775', - } - - file { $properties_file: - ensure => file, - owner => $user, - group => $group, - } - - file { $scm_import_properties_file: - ensure => file, - content => template('rundeck/scm-import.properties.erb'), - owner => $user, - group => $group, - } - - file { $scm_export_properties_file: - ensure => file, - content => template('rundeck/scm-export.properties.erb'), - owner => $user, - group => $group, - require => File["${project_dir}/etc"], - } - - file { "${project_dir}/var": - ensure => directory, - owner => $user, - group => $group, - require => File[$project_dir], - } - - file { "${project_dir}/etc": - ensure => directory, - owner => $user, - group => $group, - require => File[$project_dir], - } - - ini_setting { "${name}::project.name": - ensure => present, - path => $properties_file, - section => '', - setting => 'project.name', - value => $name, - require => File[$properties_file], - } - - ini_setting { "${name}::project.ssh-authentication": - ensure => present, - path => $properties_file, - section => '', - setting => 'project.ssh-authentication', - value => 'privateKey', - require => File[$properties_file], - } - - ini_setting { "${name}::project.ssh-keypath": - ensure => present, - path => $properties_file, - section => '', - setting => 
'project.ssh-keypath', - value => $_ssh_keypath, - require => File[$properties_file], - } - - $resource_source_defaults = { - project_name => $name, - } - - create_resources(rundeck::config::resource_source, $resource_sources, $resource_source_defaults) - - #TODO: there are more settings to be added here for both filecopier and nodeexecutor - ini_setting { "${name}::service.FileCopier.default.provider": - ensure => present, - path => $properties_file, - section => '', - setting => 'service.FileCopier.default.provider', - value => $file_copier_provider, - require => File[$properties_file], - } - - ini_setting { "${name}::service.NodeExecutor.default.provider": - ensure => present, - path => $properties_file, - section => '', - setting => 'service.NodeExecutor.default.provider', - value => $node_executor_provider, - require => File[$properties_file], - } - - $node_executor_settings_defaults = { - path => $properties_file, - require => File[$properties_file], - } - - inifile::create_ini_settings($node_executor_settings, $node_executor_settings_defaults) -} diff --git a/manifests/config/resource/resource_source.pp b/manifests/config/resource/resource_source.pp deleted file mode 100644 index 77b0d82a4..000000000 --- a/manifests/config/resource/resource_source.pp +++ /dev/null 
@@ -1,454 +0,0 @@ -# @summary This define will create a resource source that gathers node information. -# -# @example Basic usage. -# rundeck::config::resource::resource_source { 'myresource': -# project_name => 'myproject', -# number => '1', -# source_type => 'file', -# include_server_node => false, -# resource_format => 'resourceyaml', -# } -# -# @param directory -# When the directory source_type is specified this is the path to that directory. -# @param include_server_node -# Boolean value to decide whether or not to include the server node in your list of avaliable nodes. -# @param mapping_params -# When using the aws-ec2 source_type,this specifies node attributes that will be set -# and what their values will be set to using a "selector" on properties of the EC2 Instance object. -# @param number -# The sequential number of the resource within the project. -# @param project_name -# The name of the project for which this resource in intended to be a part. -# @param resource_format -# The format of the resource that will procesed, either resourcexml or resourceyaml. -# @param running_only -# Boolean to retrieve only running AWS EC2 instances. -# @param script_args -# A string of the full arguments to pass the the specified script. -# @param script_args_quoted -# Boolean value. Quote the arguments of the script. -# @param script_file -# When the script source_type is specified this is the path that that script. -# @param script_interpreter -# The interpreter to use in executing the script. Defaults to: '/bin/bash' -# @param source_type -# The source type where resources will come from: file, directory, url or script. -# @param url -# When the url source_type is specified this is the path to that url. -# @param url_cache -# Boolean value. Keep a local cache of the resources pulled from the url. -# @param url_timeout -# An integer value in seconds that rundeck will wait for resources from the url before timing out. 
-# @param use_default_mapping -# When using the aws-ec2 source_type,this specifies wheter to use the default mapping or not. -# @param endpoint_url -# The API AWS endpoint. -# @param assume_role_arn -# When using the aws-ec2 source_type, this specifies the assume role ARN parameter. -# @param filter_tag -# String value for using tags. -# @param http_proxy_port -# An integer value that defines the http proxy port. -# @param refresh_interval -# How often the data will be updated. -# @param puppet_enterprise_host -# The Puppet Enterprise host. -# @param puppet_enterprise_port -# The Puppet Enterprise port. -# @param puppet_enterprise_ssl_dir -# The Puppet Enterprise ssl directory. -# @param puppet_enterprise_certificate_name -# The Puppet Enterprise certificate name. -# @param puppet_enterprise_mapping_file -# The Puppet Enterprise mapping file. -# @param puppet_enterprise_metrics_interval -# The Puppet Enterprise metrics interval. -# @param puppet_enterprise_node_query -# The Puppet Enterprise node query. -# @param puppet_enterprise_default_node_tag -# The Puppet Enterprise default node tag. -# @param puppet_enterprise_tag_source -# The Puppet Enterprise tag source. 
-# -define rundeck::config::resource::resource_source ( - Stdlib::Absolutepath $directory = $rundeck::params::default_resource_dir, - Boolean $include_server_node = $rundeck::params::include_server_node, - String $mapping_params = '', # lint:ignore:params_empty_string_assignment - Integer $number = 1, - Optional[String] $project_name = undef, - Enum['resourcexml', 'resourceyaml'] $resource_format = $rundeck::params::resource_format, - Boolean $running_only = true, - String $script_args = '', # lint:ignore:params_empty_string_assignment - Boolean $script_args_quoted = $rundeck::params::script_args_quoted, - Optional[Stdlib::Absolutepath] $script_file = undef, - String $script_interpreter = $rundeck::params::script_interpreter, - Rundeck::Sourcetype $source_type = $rundeck::params::default_source_type, - String $url = '', # lint:ignore:params_empty_string_assignment - Boolean $url_cache = $rundeck::params::url_cache, - Integer $url_timeout = $rundeck::params::url_timeout, - Boolean $use_default_mapping = true, - Optional[String] $endpoint_url = undef, - Optional[String[1]] $assume_role_arn = undef, - String $filter_tag = '', # lint:ignore:params_empty_string_assignment - Stdlib::Port $http_proxy_port = $rundeck::params::default_http_proxy_port, - Integer $refresh_interval = $rundeck::params::default_refresh_interval, - Optional[String] $puppet_enterprise_host = undef, - Optional[Stdlib::Port] $puppet_enterprise_port = undef, - Optional[Stdlib::Absolutepath] $puppet_enterprise_ssl_dir = undef, - Optional[String] $puppet_enterprise_certificate_name = undef, - Optional[Stdlib::Absolutepath] $puppet_enterprise_mapping_file = undef, - Optional[Integer] $puppet_enterprise_metrics_interval = undef, - Optional[String] $puppet_enterprise_node_query = undef, - Optional[String] $puppet_enterprise_default_node_tag = undef, - Optional[String] $puppet_enterprise_tag_source = undef, -) { - include rundeck - - $framework_properties = deep_merge($rundeck::params::framework_config, 
$rundeck::framework_config) - - $projects_dir = $framework_properties['framework.projects.dir'] - $user = $rundeck::user - $group = $rundeck::group - - if $project_name == undef { - fail('project_name must be specified') - } - - assert_type(Stdlib::Absolutepath, $projects_dir) - - ensure_resource('file', "${projects_dir}/${project_name}", { - 'ensure' => 'directory', - 'owner' => $user, - 'group' => $group - }) - ensure_resource('file', "${projects_dir}/${project_name}/etc", { - 'ensure' => 'directory', - 'owner' => $user, - 'group' => $group, - 'require' => File["${projects_dir}/${project_name}"] - }) - - $properties_dir = "${projects_dir}/${project_name}/etc" - $properties_file = "${properties_dir}/project.properties" - - ini_setting { "${name}::resources.source.${number}.type": - ensure => present, - path => $properties_file, - section => '', - setting => "resources.source.${number}.type", - value => $source_type, - require => File[$properties_file], - } - - case downcase($source_type) { - 'file': { - case $resource_format { - 'resourcexml': { - $file_extension = 'xml' - } - 'resourceyaml': { - $file_extension = 'yaml' - } - default: { - err("The rundeck resource model resource_format ${resource_format} is not supported") - } - } - - $file = "${properties_dir}/${name}.${file_extension}" - - ini_setting { "${name}::resources.source.${number}.config.requireFileExists": - ensure => present, - path => $properties_file, - section => '', - setting => "resources.source.${number}.config.requireFileExists", - value => bool2str(true), - require => File[$properties_file], - } - - ini_setting { "${name}::resources.source.${number}.config.includeServerNode": - ensure => present, - path => $properties_file, - section => '', - setting => "resources.source.${number}.config.includeServerNode", - value => bool2str($include_server_node), - require => File[$properties_file], - } - - ini_setting { "${name}::resources.source.${number}.config.generateFileAutomatically": - ensure => 
present, - path => $properties_file, - section => '', - setting => "resources.source.${number}.config.generateFileAutomatically", - value => bool2str(true), - require => File[$properties_file], - } - - ini_setting { "${name}::resources.source.${number}.config.format": - ensure => present, - path => $properties_file, - section => '', - setting => "resources.source.${number}.config.format", - value => $resource_format, - require => File[$properties_file], - } - - ini_setting { "${name}::resources.source.${number}.config.file": - ensure => present, - path => $properties_file, - section => '', - setting => "resources.source.${number}.config.file", - value => $file, - require => File[$properties_file], - } - } - 'url': { - ini_setting { "${name}::resources.source.${number}.config.url": - ensure => present, - path => $properties_file, - section => '', - setting => "resources.source.${number}.config.url", - value => $url, - require => File[$properties_file], - } - - ini_setting { "${name}::resources.source.${number}.config.timeout": - ensure => present, - path => $properties_file, - section => '', - setting => "resources.source.${number}.config.timeout", - value => $url_timeout, - require => File[$properties_file], - } - - ini_setting { "${name}::resources.source.${number}.config.cache": - ensure => present, - path => $properties_file, - section => '', - setting => "resources.source.${number}.config.cache", - value => bool2str($url_cache), - require => File[$properties_file], - } - } - 'directory': { - file { $directory: - ensure => directory, - owner => $user, - group => $group, - mode => '0740', - } - - ini_setting { "${name}::resources.source.${number}.config.directory": - ensure => present, - path => $properties_file, - section => '', - setting => "resources.source.${number}.config.directory", - value => $directory, - require => File[$properties_file], - } - } - 'script': { - ini_setting { "${name}::resources.source.${number}.config.file": - ensure => present, - path 
=> $properties_file, - section => '', - setting => "resources.source.${number}.config.file", - value => $script_file, - require => File[$properties_file], - } - - ini_setting { "${name}::resources.source.${number}.config.args": - ensure => present, - path => $properties_file, - section => '', - setting => "resources.source.${number}.config.args", - value => $script_args, - require => File[$properties_file], - } - - ini_setting { "${name}::resources.source.${number}.config.format": - ensure => present, - path => $properties_file, - section => '', - setting => "resources.source.${number}.config.format", - value => $resource_format, - require => File[$properties_file], - } - - ini_setting { "${name}::resources.source.${number}.config.interpreter": - ensure => present, - path => $properties_file, - section => '', - setting => "resources.source.${number}.config.interpreter", - value => $script_interpreter, - require => File[$properties_file], - } - - ini_setting { "${name}::resources.source.${number}.config.argsQuoted": - ensure => present, - path => $properties_file, - section => '', - setting => "resources.source.${number}.config.argsQuoted", - value => bool2str($script_args_quoted), - require => File[$properties_file], - } - } - 'aws-ec2': { - ini_setting { "${name}::resources.source.${number}.config.mappingParams": - ensure => present, - path => $properties_file, - section => '', - setting => "resources.source.${number}.config.mappingParams", - value => $mapping_params, - require => File[$properties_file], - } - ini_setting { "${name}::resources.source.${number}.config.useDefaultMapping": - ensure => present, - path => $properties_file, - section => '', - setting => "resources.source.${number}.config.useDefaultMapping", - value => bool2str($use_default_mapping), - require => File[$properties_file], - } - ini_setting { "${name}::resources.source.${number}.config.runningOnly": - ensure => present, - path => $properties_file, - section => '', - setting => 
"resources.source.${number}.config.runningOnly", - value => bool2str($running_only), - require => File[$properties_file], - } - ini_setting { "${name}::resources.source.${number}.config.endpoint": - ensure => present, - path => $properties_file, - section => '', - setting => "resources.source.${number}.config.endpoint", - value => $endpoint_url, - require => File[$properties_file], - } - ini_setting { "${name}::resources.source.${number}.config.assumeRoleArn": - ensure => present, - path => $properties_file, - section => '', - setting => "resources.source.${number}.config.assumeRoleArn", - value => $assume_role_arn, - require => File[$properties_file], - } - ini_setting { "${name}::resources.source.${number}.config.filter": - ensure => present, - path => $properties_file, - section => '', - setting => "resources.source.${number}.config.filter", - value => $filter_tag, - require => File[$properties_file], - } - ini_setting { "${name}::resources.source.${number}.config.httpProxyPort": - ensure => present, - path => $properties_file, - section => '', - setting => "resources.source.${number}.config.httpProxyPort", - value => $http_proxy_port, - require => File[$properties_file], - } - ini_setting { "${name}::resources.source.${number}.config.refreshInterval": - ensure => present, - path => $properties_file, - section => '', - setting => "resources.source.${number}.config.refreshInterval", - value => $refresh_interval, - require => File[$properties_file], - } - } - 'puppet-enterprise': { - if ( $puppet_enterprise_mapping_file ) { - ini_setting { "${name}::resources.source.${number}.config.PROPERTY_MAPPING_FILE": - ensure => present, - path => $properties_file, - section => '', - setting => "resources.source.${number}.config.PROPERTY_MAPPING_FILE", - value => $puppet_enterprise_mapping_file, - require => File[$properties_file], - } - } - ini_setting { "${name}::resources.source.${number}.config.PROPERTY_PUPPETDB_HOST": - ensure => present, - path => $properties_file, - 
section => '', - setting => "resources.source.${number}.config.PROPERTY_PUPPETDB_HOST", - value => $puppet_enterprise_host, - require => File[$properties_file], - } - if ( $puppet_enterprise_metrics_interval ) { - ini_setting { "${name}::resources.source.${number}.config.PROPERTY_METRICS_INTERVAL": - ensure => present, - path => $properties_file, - section => '', - setting => "resources.source.${number}.config.PROPERTY_METRICS_INTERVAL", - value => $puppet_enterprise_metrics_interval, - require => File[$properties_file], - } - } - ini_setting { "${name}::resources.source.${number}.config.PROPERTY_PUPPETDB_PORT": - ensure => present, - path => $properties_file, - section => '', - setting => "resources.source.${number}.config.PROPERTY_PUPPETDB_PORT", - value => $puppet_enterprise_port, - require => File[$properties_file], - } - if ( $puppet_enterprise_ssl_dir ) { - ini_setting { "${name}::resources.source.${number}.config.PROPERTY_PUPPETDB_SSL_DIR": - ensure => present, - path => $properties_file, - section => '', - setting => "resources.source.${number}.config.PROPERTY_PUPPETDB_SSL_DIR", - value => $puppet_enterprise_ssl_dir, - require => File[$properties_file], - } - } - if ( $puppet_enterprise_certificate_name ) { - ini_setting { "${name}::resources.source.${number}.config.PROPERTY_PUPPETDB_CERTIFICATE_NAME": - ensure => present, - path => $properties_file, - section => '', - setting => "resources.source.${number}.config.PROPERTY_PUPPETDB_CERTIFICATE_NAME", - value => $puppet_enterprise_certificate_name, - require => File[$properties_file], - } - } - if $puppet_enterprise_node_query { - ini_setting { "${name}::resources.source.${number}.config.PROPERTY_NODE_QUERY": - ensure => present, - path => $properties_file, - section => '', - setting => "resources.source.${number}.config.PROPERTY_NODE_QUERY", - value => $puppet_enterprise_node_query, - require => File[$properties_file], - } - } - if ( $puppet_enterprise_default_node_tag ) { - ini_setting { 
"${name}::resources.source.${number}.config.PROPERTY_DEFAULT_NODE_TAG": - ensure => present, - path => $properties_file, - section => '', - setting => "resources.source.${number}.config.PROPERTY_DEFAULT_NODE_TAG", - value => $puppet_enterprise_default_node_tag, - require => File[$properties_file], - } - } - if ( $puppet_enterprise_tag_source ) { - ini_setting { "${name}::resources.source.${number}.config.PROPERTY_TAGS_SOURCE": - ensure => present, - path => $properties_file, - section => '', - setting => "resources.source.${number}.config.PROPERTY_TAGS_SOURCE", - value => $puppet_enterprise_tag_source, - require => File[$properties_file], - } - } - } - default: { - err("The rundeck resource model source_type ${source_type} is not supported") - } - } -} diff --git a/manifests/init.pp b/manifests/init.pp index 9285e9c44..04378d71e 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -15,13 +15,9 @@ # Hash of properties for configuring the [Rundeck Database](https://docs.rundeck.com/docs/administration/configuration/database) # @param execution_mode # If set, allows setting the execution mode to 'active' or 'passive'. -# @param file_keystorage_keys -# Add keys to file keystorage. # @param framework_config # Hash of properties for configuring the [Rundeck Framework](https://docs.rundeck.com/docs/administration/configuration/config-file-reference.html#framework-properties) # Default value is located in data/common.yaml. -# @param grails_server_url -# Sets `grails.serverURL` so that Rundeck knows its external address. # @param gui_config # Hash of properties for customizing the [Rundeck GUI](https://docs.rundeck.com/docs/administration/configuration/gui-customization.html) # @param java_home 
@@ -61,10 +57,6 @@ # A hash of the rundeck preauthenticated config mode # @param projects # The hash of projects in your instance. -# @param projects_description -# The description that will be set by default for any projects. -# @param projects_organization -# The organization value that will be set by default for any projects. # @param quartz_job_threadcount # The maximum number of threads used by Rundeck for concurrent jobs by default is set to 10. # @param app_log_level @@ -123,7 +115,7 @@ # Boolean value if you need more roles. false or true (default is false). # @param security_roles_array # Array value if you need more roles and you set true the "security_roles_array_enabled" value. -# @param storage_encrypt_config +# @param key_storage_encrypt_config # Hash containing the necessary values to configure a plugin for key storage encryption. # https://docs.rundeck.com/docs/administration/configuration/plugins/configuring.html#storage-converter-plugins # @@ -194,24 +186,6 @@ Stdlib::Absolutepath $service_logs_dir = '/var/log/rundeck', Optional[String] $service_config = undef, Optional[String] $service_script = undef, - - # Project config - Hash $projects = {}, - Integer $quartz_job_threadcount = 10, - String $file_copier_provider = 'jsch-scp', - String $node_executor_provider = 'jsch-ssh', - Hash $resource_sources = {}, - Enum['xml', 'yaml'] $resource_format = 'xml', - Boolean $include_server_node = false, - Enum['file'] $default_source_type = 'file', - Stdlib::Absolutepath $default_resource_dir = '/', - Stdlib::Port $default_http_proxy_port = 80, - Integer $default_refresh_interval = 30, - Boolean $url_cache = true, - Integer $url_timeout = 30, - Boolean $script_args_quoted = true, - Stdlib::Absolutepath $script_interpreter = '/bin/bash', - ) { validate_rd_policy($admin_policies) validate_rd_policy($api_policies) 
diff --git a/spec/classes/config/global/file_keystore_spec.rb b/spec/classes/config/global/file_keystore_spec.rb deleted file mode 100644 index e6538d5cf..000000000 --- a/spec/classes/config/global/file_keystore_spec.rb +++ /dev/null 
@@ -1,46 +0,0 @@ -# frozen_string_literal: true - -require 'spec_helper' - -describe 'rundeck' do - on_supported_os.each do |os, facts| - context "on #{os}" do - let :facts do - facts - end - - describe 'add file-based key storage' do - let(:params) do - { - file_keystorage_dir: '/var/lib/rundeck/var/storage', - file_keystorage_keys: { - 'password_key' => { - 'value' => 'gobbledygook', - 'path' => 'foo/bar', - 'data_type' => 'password', - 'content_type' => 'application/x-rundeck-data-password' - }, - 'public_key' => { - 'value' => 'ssh-rsa AAAAB3rhwL1EoAIuI3hw9wZL146zjPZ6FIqgZKvO24fpZENYnNfmHn5AuOGBXYGTjeVPMzwV7o0mt3iRWk8J9Ujqvzp45IHfEAE7SO2frEIbfALdcwcNggSReQa0du4nd user@localhost', - 'path' => 'foo/bar', - 'data_type' => 'public', - 'content_type' => 'application/pgp-keys' - } - } - } - end - - # base key storage directory needs to be there first - it { is_expected.to contain_file('/var/lib/rundeck/var/storage') } - - # content and meta data for passwords - it { is_expected.to contain_file('/var/lib/rundeck/var/storage/content/keys/foo/bar/password_key.password').with_content(%r{gobbledygook}) } - it { is_expected.to contain_file('/var/lib/rundeck/var/storage/meta/keys/foo/bar/password_key.password').with_content(%r{application/x-rundeck-data-password}) } - - # content and meta data for public keys - it { is_expected.to contain_file('/var/lib/rundeck/var/storage/content/keys/foo/bar/public_key.public').with_content(%r{ssh-rsa AAAAB3rhwL1EoAIuI3hw9wZL146zjPZ6FIqgZKvO24fpZENYnNfmHn5AuOGBXYGTjeVPMzwV7o0mt3iRWk8J9Ujqvzp45IHfEAE7SO2frEIbfALdcwcNggSReQa0du4nd user@localhost}) } - it { is_expected.to contain_file('/var/lib/rundeck/var/storage/meta/keys/foo/bar/public_key.public').with_content(%r{application/pgp-keys}) } - end - end - end -end diff --git a/templates/file_keystorage_meta.erb b/templates/file_keystorage_meta.erb deleted file mode 100644 index 2262905b3..000000000 --- a/templates/file_keystorage_meta.erb +++ /dev/null 
@@ -1,17 +0,0 @@ -{ - "Rundeck-content-size":"<%= @content_size_value %>", - <%- if @data_type == "password" -%> - "Rundeck-data-type":"<%= @data_type %>", - "Rundeck-content-mask":"<%= @content_mask %>", - <%- elsif @data_type == "public" -%> - "Rundeck-key-type":"<%= @data_type %>", - <%- else -%> - "Rundeck-key-type":"<%= @data_type %>", - "Rundeck-content-mask":"<%= @content_mask %>", - <%- end -%> - "Rundeck-content-creation-time":"<%= @content_creation_time %>", - "Rundeck-auth-created-username":"<%= @auth_created_username %>", - "Rundeck-auth-modified-username":"<%= @auth_modified_username %>", - "Rundeck-content-modify-time":"<%= @content_modify_time %>", - "Rundeck-content-type":"<%= @content_type %>" -} diff --git a/templates/scm-export.properties.erb b/templates/scm-export.properties.erb deleted file mode 100644 index d01b83bef..000000000 --- a/templates/scm-export.properties.erb +++ /dev/null @@ -1,3 +0,0 @@ -<%- @scm_export_properties.sort.each do |k,v| -%> -<%= k %> = <%= v %> -<%- end -%> diff --git a/templates/scm-import.properties.erb b/templates/scm-import.properties.erb deleted file mode 100644 index 84ff261c0..000000000 --- a/templates/scm-import.properties.erb +++ /dev/null @@ -1,3 +0,0 @@ -<%- @scm_import_properties.sort.each do |k,v| -%> -<%= k %> = <%= v %> -<%- end -%> From 599555ac2c3c71fd259b4037730f117cf96db41e Mon Sep 17 00:00:00 2001 From: Joris29 Date: Wed, 22 Nov 2023 09:07:34 +0100 Subject: [PATCH 43/82] Remove project config it;s managed in DB --- data/common.yaml | 5 ----- manifests/config.pp | 14 ++++++-------- manifests/config/{global => }/ssl.pp | 20 ++++++++++---------- templates/project.properties.epp | 3 --- 4 files changed, 16 insertions(+), 26 deletions(-) rename manifests/config/{global => }/ssl.pp (81%) delete mode 100644 templates/project.properties.epp diff --git a/data/common.yaml b/data/common.yaml index 802d36b41..bcfd0cb6e 100644 --- a/data/common.yaml +++ b/data/common.yaml 
@@ -122,11 +122,6 @@ rundeck::framework_config: framework.ssh.timeout: '0' rdeck.base: '/var/lib/rundeck' -rundeck::project_config: - project.dir: '/var/lib/rundeck/projects/${project.name}' - project.etc.dir: '/var/lib/rundeck/projects/${project.name}/etc' - project.resources.file: '/var/lib/rundeck/projects/${project.name}/etc/resources.xml' - rundeck::database_config: url: 'jdbc:h2:file:/var/lib/rundeck/data/rundeckdb' diff --git a/manifests/config.pp b/manifests/config.pp index 5d4d07ddc..216cd9118 100644 --- a/manifests/config.pp +++ b/manifests/config.pp @@ -6,7 +6,6 @@ assert_private() $framework_config = deep_merge(lookup('rundeck::framework_config'), $rundeck::framework_config) - $project_config = deep_merge(lookup('rundeck::project_config'), $rundeck::project_config) $base_dir = $framework_config['rdeck.base'] $properties_dir = $framework_config['framework.etc.dir'] @@ -73,8 +72,7 @@ contain rundeck::config::framework file { "${properties_dir}/project.properties": - ensure => file, - content => epp('rundeck/project.properties.epp', { _project_config => $project_config }), + ensure => absent, } file { "${properties_dir}/rundeck-config.properties": @@ -82,11 +80,11 @@ content => epp($rundeck::config_template), } - # if $ssl_enabled { - # contain rundeck::config::global::ssl - # Class['rundeck::config::global::rundeck_config'] - # -> Class['rundeck::config::global::ssl'] - # } + if $rundeck::ssl_enabled { + contain rundeck::config::ssl + File["${properties_dir}/rundeck-config.properties"] + -> Class['rundeck::config::ssl'] + } # if versioncmp( $package_ensure, '3.0.0' ) < 0 { # class { 'rundeck::config::global::web': diff --git a/manifests/config/global/ssl.pp b/manifests/config/ssl.pp similarity index 81% rename from manifests/config/global/ssl.pp rename to manifests/config/ssl.pp index 4b431ee24..17fa0c12d 100644 --- a/manifests/config/global/ssl.pp +++ b/manifests/config/ssl.pp 
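Review bot: The `project.properties` resource in `@@ -73,8 +72,7 @@` now carries `ensure => absent` with no explanation, so a later reader cannot tell whether the deletion is deliberate cleanup or an oversight, and a node upgrading from a release that still wrote `project.dir`/`project.etc.dir` (the keys dropped from `data/common.yaml` in the first hunk) will have that file removed on its next run. Add a why-comment above the resource, e.g. `# project.properties is removed on purpose: project settings are kept in the Rundeck database`, and call the removal out in the upgrade notes so operators who still depend on the file are not surprised. The `rundeck::config` class body continues outside the hunk.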
@@ -2,20 +2,20 @@ # # @summary This private class is called from rundeck::config used to manage the ssl properties if ssl is enabled. # -class rundeck::config::global::ssl { +class rundeck::config::ssl { assert_private() - $group = $rundeck::config::group - $key_password = $rundeck::config::key_password - $ssl_keyfile = $rundeck::config::ssl_keyfile - $ssl_certfile = $rundeck::config::ssl_certfile - $keystore = $rundeck::config::keystore - $keystore_password = $rundeck::config::keystore_password + $group = $rundeck::group + $key_password = $rundeck::key_password + $ssl_keyfile = $rundeck::ssl_keyfile + $ssl_certfile = $rundeck::ssl_certfile + $keystore = $rundeck::keystore + $keystore_password = $rundeck::keystore_password $properties_dir = $rundeck::config::properties_dir $service_name = $rundeck::service_name - $truststore = $rundeck::config::truststore - $truststore_password = $rundeck::config::truststore_password - $user = $rundeck::config::user + $truststore = $rundeck::truststore + $truststore_password = $rundeck::truststore_password + $user = $rundeck::user $properties_file = "${properties_dir}/ssl/ssl.properties" diff --git a/templates/project.properties.epp b/templates/project.properties.epp deleted file mode 100644 index 80a811700..000000000 --- a/templates/project.properties.epp +++ /dev/null @@ -1,3 +0,0 @@ -<%- $_project_config.keys.unique.sort.each |$k| { -%> -<%= $k %> = <%= $_project_config[$k] %> -<%- } -%> From ecbf4c0bca70909ed3dd1d9309aa80c3d576624a Mon Sep 17 00:00:00 2001 
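Review bot: `$key_password`, `$keystore_password` and `$truststore_password` are now read straight from the `rundeck` class and feed `${properties_dir}/ssl/ssl.properties`, yet nothing in the hunk wraps them in `Sensitive`, so they may be visible in plain text in compiled catalogs, agent reports and `show_diff` output whenever the file changes. Consider typing those parameters as `Sensitive[String]` in `rundeck` (or wrapping here, `$keystore_password = Sensitive($rundeck::keystore_password)`) and unwrapping only at render time, and confirm that the `file` resource writing `$properties_file` (outside this hunk) sets owner `$user`, group `$group`, a mode no wider than `0640` and `show_diff => false`. A one-line comment such as `# ssl.properties holds keystore/truststore credentials; keep it unreadable to other users` above `$properties_file` would make the sensitivity explicit. The class body continues outside the hunk.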
From: Joris29 Date: Wed, 22 Nov 2023 09:22:20 +0100 Subject: [PATCH 44/82] Remove obsolete files and update refs --- REFERENCE.md | 562 +------------------- manifests/config.pp | 2 - manifests/config/framework.pp | 2 + manifests/init.pp | 5 - spec/classes/config/global/project_spec.rb | 37 -- spec/classes/config/global/scm_spec.rb | 76 --- spec/defines/config/project_spec.rb | 56 -- spec/defines/config/resource_source_spec.rb | 219 -------- 8 files changed, 3 insertions(+), 956 deletions(-) delete mode 100644 spec/classes/config/global/project_spec.rb delete mode 100644 spec/classes/config/global/scm_spec.rb delete mode 100644 spec/defines/config/project_spec.rb delete mode 100644 spec/defines/config/resource_source_spec.rb diff --git a/REFERENCE.md b/REFERENCE.md index d5020d0f7..95bef67c5 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -15,8 +15,8 @@ * `rundeck::config`: This class is called from rundeck to manage the configuration. * `rundeck::config::framework`: This private class is called from rundeck::config used to manage the framework properties of rundeck. -* `rundeck::config::global::ssl`: This private class is called from rundeck::config used to manage the ssl properties if ssl is enabled. * `rundeck::config::jaas_auth`: This private class is called from rundeck::config used to manage jaas authentication for rundeck. +* `rundeck::config::ssl`: This private class is called from rundeck::config used to manage the ssl properties if ssl is enabled. * `rundeck::install`: This class is called from rundeck for install. * `rundeck::service`: This class is called from rundeck to manage service. 
@@ -24,8 +24,6 @@ * [`rundeck::config::resource::aclpolicyfile`](#rundeck--config--resource--aclpolicyfile): This define will create a custom acl policy file. * [`rundeck::config::resource::plugin`](#rundeck--config--resource--plugin): This define will install a rundeck plugin. -* [`rundeck::config::resource::project`](#rundeck--config--resource--project): This define can be used to configure rundeck projects. -* [`rundeck::config::resource::resource_source`](#rundeck--config--resource--resource_source): This define will create a resource source that gathers node information. * [`rundeck::config::resource::securityroles`](#rundeck--config--resource--securityroles): Author: Zoltan Lanyi Date : 03.06.2016 ### Functions @@ -76,8 +74,6 @@ The following parameters are available in the `rundeck` class: * [`manage_repo`](#-rundeck--manage_repo) * [`package_ensure`](#-rundeck--package_ensure) * [`preauthenticated_config`](#-rundeck--preauthenticated_config) -* [`projects`](#-rundeck--projects) -* [`quartz_job_threadcount`](#-rundeck--quartz_job_threadcount) * [`app_log_level`](#-rundeck--app_log_level) * [`audit_log_level`](#-rundeck--audit_log_level) * [`config_template`](#-rundeck--config_template) 
@@ -107,21 +103,7 @@ The following parameters are available in the `rundeck` class: * [`security_roles_array_enabled`](#-rundeck--security_roles_array_enabled) * [`security_roles_array`](#-rundeck--security_roles_array) * [`key_storage_encrypt_config`](#-rundeck--key_storage_encrypt_config) -* [`project_config`](#-rundeck--project_config) * [`override_dir`](#-rundeck--override_dir) -* [`file_copier_provider`](#-rundeck--file_copier_provider) -* [`node_executor_provider`](#-rundeck--node_executor_provider) -* [`resource_sources`](#-rundeck--resource_sources) -* [`resource_format`](#-rundeck--resource_format) -* [`include_server_node`](#-rundeck--include_server_node) -* [`default_source_type`](#-rundeck--default_source_type) -* [`default_resource_dir`](#-rundeck--default_resource_dir) -* [`default_http_proxy_port`](#-rundeck--default_http_proxy_port) -* [`default_refresh_interval`](#-rundeck--default_refresh_interval) -* [`url_cache`](#-rundeck--url_cache) -* [`url_timeout`](#-rundeck--url_timeout) -* [`script_args_quoted`](#-rundeck--script_args_quoted) -* [`script_interpreter`](#-rundeck--script_interpreter) ##### `acl_template` @@ -320,22 +302,6 @@ A hash of the rundeck preauthenticated config mode Default value: `{}` -##### `projects` - -Data type: `Hash` - -The hash of projects in your instance. - -Default value: `{}` - -##### `quartz_job_threadcount` - -Data type: `Integer` - -The maximum number of threads used by Rundeck for concurrent jobs by default is set to 10. - -Default value: `10` - ##### `app_log_level` Data type: `Rundeck::Loglevel` 
@@ -569,122 +535,12 @@ https://docs.rundeck.com/docs/administration/configuration/plugins/configuring.h Default value: `{}` -##### `project_config` - -Data type: `Hash` - - - ##### `override_dir` Data type: `Stdlib::Absolutepath` -##### `file_copier_provider` - -Data type: `String` - - - -Default value: `'jsch-scp'` - -##### `node_executor_provider` - -Data type: `String` - - - -Default value: `'jsch-ssh'` - -##### `resource_sources` - -Data type: `Hash` - - - -Default value: `{}` - -##### `resource_format` - -Data type: `Enum['xml', 'yaml']` - - - -Default value: `'xml'` - -##### `include_server_node` - -Data type: `Boolean` - - - -Default value: `false` - -##### `default_source_type` - -Data type: `Enum['file']` - - - -Default value: `'file'` - -##### `default_resource_dir` - -Data type: `Stdlib::Absolutepath` - - - -Default value: `'/'` - -##### `default_http_proxy_port` - -Data type: `Stdlib::Port` - - - -Default value: `80` - -##### `default_refresh_interval` - -Data type: `Integer` - - - -Default value: `30` - -##### `url_cache` - -Data type: `Boolean` - - - -Default value: `true` - -##### `url_timeout` - -Data type: `Integer` - - - -Default value: `30` - -##### `script_args_quoted` - -Data type: `Boolean` - - - -Default value: `true` - -##### `script_interpreter` - -Data type: `Stdlib::Absolutepath` - - - -Default value: `'/bin/bash'` - ### `rundeck::config::global::web` Currently only manages the required for any user to login and session timout: 
@@ -874,422 +730,6 @@ Data type: `String` The http source or local path from which to get the plugin. -### `rundeck::config::resource::project` - -This define can be used to configure rundeck projects. - -#### Examples - -##### Basic usage. - -```puppet -rundeck::config::resource::project { 'test project': - ssh_keypath => '/var/lib/rundeck/.ssh/id_rsa', - file_copier_provider => 'jsch-scp', - node_executor_provider => 'jsch-ssh', - resource_sources => $resource_hash, - scm_import_properties => $scm_import_properties_hash, -} -``` - -#### Parameters - -The following parameters are available in the `rundeck::config::resource::project` defined type: - -* [`file_copier_provider`](#-rundeck--config--resource--project--file_copier_provider) -* [`framework_config`](#-rundeck--config--resource--project--framework_config) -* [`group`](#-rundeck--config--resource--project--group) -* [`user`](#-rundeck--config--resource--project--user) -* [`node_executor_provider`](#-rundeck--config--resource--project--node_executor_provider) -* [`node_executor_settings`](#-rundeck--config--resource--project--node_executor_settings) -* [`projects_dir`](#-rundeck--config--resource--project--projects_dir) -* [`resource_sources`](#-rundeck--config--resource--project--resource_sources) -* [`scm_import_properties`](#-rundeck--config--resource--project--scm_import_properties) -* [`scm_export_properties`](#-rundeck--config--resource--project--scm_export_properties) -* [`ssh_keypath`](#-rundeck--config--resource--project--ssh_keypath) - -##### `file_copier_provider` - -Data type: `String` - -The type of proivder that will be used for copying files to each of the nodes - -Default value: `$rundeck::file_copier_provider` - -##### `framework_config` - -Data type: `Hash` - -Rundeck framework config - -Default value: `$rundeck::framework_config` - -##### `group` - -Data type: `String` - -Rundeck group - -Default value: `$rundeck::group` - -##### `user` - -Data type: `String` - -Rundeck user - -Default 
value: `$rundeck::user` - -##### `node_executor_provider` - -Data type: `String` - -The type of provider that will be used to gather node resources - -Default value: `$rundeck::node_executor_provider` - -##### `node_executor_settings` - -Data type: `Hash` - -Node executor settings - -Default value: `{}` - -##### `projects_dir` - -Data type: `Optional[Stdlib::Absolutepath]` - -The directory where rundeck is configured to store project information - -Default value: `undef` - -##### `resource_sources` - -Data type: `Hash` - -A hash of rundeck::config::resource_source that will be used to specify the node resources for this project - -Default value: `$rundeck::resource_sources` - -##### `scm_import_properties` - -Data type: `Hash` - -A hash of name value pairs representing properties for the scm-import.properties file - -Default value: `{}` - -##### `scm_export_properties` - -Data type: `Hash` - -A hash of name value pairs representing properties for the scm-export.properties file - -Default value: `{}` - -##### `ssh_keypath` - -Data type: `Optional[Stdlib::Absolutepath]` - -The path to the ssh key that will be used by the ssh/scp providers - -Default value: `undef` - -### `rundeck::config::resource::resource_source` - -This define will create a resource source that gathers node information. - -#### Examples - -##### Basic usage. 
- -```puppet -rundeck::config::resource::resource_source { 'myresource': - project_name => 'myproject', - number => '1', - source_type => 'file', - include_server_node => false, - resource_format => 'resourceyaml', -} -``` - -#### Parameters - -The following parameters are available in the `rundeck::config::resource::resource_source` defined type: - -* [`directory`](#-rundeck--config--resource--resource_source--directory) -* [`include_server_node`](#-rundeck--config--resource--resource_source--include_server_node) -* [`mapping_params`](#-rundeck--config--resource--resource_source--mapping_params) -* [`number`](#-rundeck--config--resource--resource_source--number) -* [`project_name`](#-rundeck--config--resource--resource_source--project_name) -* [`resource_format`](#-rundeck--config--resource--resource_source--resource_format) -* [`running_only`](#-rundeck--config--resource--resource_source--running_only) -* [`script_args`](#-rundeck--config--resource--resource_source--script_args) -* [`script_args_quoted`](#-rundeck--config--resource--resource_source--script_args_quoted) -* [`script_file`](#-rundeck--config--resource--resource_source--script_file) -* [`script_interpreter`](#-rundeck--config--resource--resource_source--script_interpreter) -* [`source_type`](#-rundeck--config--resource--resource_source--source_type) -* [`url`](#-rundeck--config--resource--resource_source--url) -* [`url_cache`](#-rundeck--config--resource--resource_source--url_cache) -* [`url_timeout`](#-rundeck--config--resource--resource_source--url_timeout) -* [`use_default_mapping`](#-rundeck--config--resource--resource_source--use_default_mapping) -* [`endpoint_url`](#-rundeck--config--resource--resource_source--endpoint_url) -* [`assume_role_arn`](#-rundeck--config--resource--resource_source--assume_role_arn) -* [`filter_tag`](#-rundeck--config--resource--resource_source--filter_tag) -* [`http_proxy_port`](#-rundeck--config--resource--resource_source--http_proxy_port) -* 
[`refresh_interval`](#-rundeck--config--resource--resource_source--refresh_interval) -* [`puppet_enterprise_host`](#-rundeck--config--resource--resource_source--puppet_enterprise_host) -* [`puppet_enterprise_port`](#-rundeck--config--resource--resource_source--puppet_enterprise_port) -* [`puppet_enterprise_ssl_dir`](#-rundeck--config--resource--resource_source--puppet_enterprise_ssl_dir) -* [`puppet_enterprise_certificate_name`](#-rundeck--config--resource--resource_source--puppet_enterprise_certificate_name) -* [`puppet_enterprise_mapping_file`](#-rundeck--config--resource--resource_source--puppet_enterprise_mapping_file) -* [`puppet_enterprise_metrics_interval`](#-rundeck--config--resource--resource_source--puppet_enterprise_metrics_interval) -* [`puppet_enterprise_node_query`](#-rundeck--config--resource--resource_source--puppet_enterprise_node_query) -* [`puppet_enterprise_default_node_tag`](#-rundeck--config--resource--resource_source--puppet_enterprise_default_node_tag) -* [`puppet_enterprise_tag_source`](#-rundeck--config--resource--resource_source--puppet_enterprise_tag_source) - -##### `directory` - -Data type: `Stdlib::Absolutepath` - -When the directory source_type is specified this is the path to that directory. - -Default value: `$rundeck::params::default_resource_dir` - -##### `include_server_node` - -Data type: `Boolean` - -Boolean value to decide whether or not to include the server node in your list of avaliable nodes. - -Default value: `$rundeck::params::include_server_node` - -##### `mapping_params` - -Data type: `String` - -When using the aws-ec2 source_type,this specifies node attributes that will be set -and what their values will be set to using a "selector" on properties of the EC2 Instance object. - -Default value: `''` - -##### `number` - -Data type: `Integer` - -The sequential number of the resource within the project. 
- -Default value: `1` - -##### `project_name` - -Data type: `Optional[String]` - -The name of the project for which this resource in intended to be a part. - -Default value: `undef` - -##### `resource_format` - -Data type: `Enum['resourcexml', 'resourceyaml']` - -The format of the resource that will procesed, either resourcexml or resourceyaml. - -Default value: `$rundeck::params::resource_format` - -##### `running_only` - -Data type: `Boolean` - -Boolean to retrieve only running AWS EC2 instances. - -Default value: `true` - -##### `script_args` - -Data type: `String` - -A string of the full arguments to pass the the specified script. - -Default value: `''` - -##### `script_args_quoted` - -Data type: `Boolean` - -Boolean value. Quote the arguments of the script. - -Default value: `$rundeck::params::script_args_quoted` - -##### `script_file` - -Data type: `Optional[Stdlib::Absolutepath]` - -When the script source_type is specified this is the path that that script. - -Default value: `undef` - -##### `script_interpreter` - -Data type: `String` - -The interpreter to use in executing the script. Defaults to: '/bin/bash' - -Default value: `$rundeck::params::script_interpreter` - -##### `source_type` - -Data type: `Rundeck::Sourcetype` - -The source type where resources will come from: file, directory, url or script. - -Default value: `$rundeck::params::default_source_type` - -##### `url` - -Data type: `String` - -When the url source_type is specified this is the path to that url. - -Default value: `''` - -##### `url_cache` - -Data type: `Boolean` - -Boolean value. Keep a local cache of the resources pulled from the url. - -Default value: `$rundeck::params::url_cache` - -##### `url_timeout` - -Data type: `Integer` - -An integer value in seconds that rundeck will wait for resources from the url before timing out. 
- -Default value: `$rundeck::params::url_timeout` - -##### `use_default_mapping` - -Data type: `Boolean` - -When using the aws-ec2 source_type,this specifies wheter to use the default mapping or not. - -Default value: `true` - -##### `endpoint_url` - -Data type: `Optional[String]` - -The API AWS endpoint. - -Default value: `undef` - -##### `assume_role_arn` - -Data type: `Optional[String[1]]` - -When using the aws-ec2 source_type, this specifies the assume role ARN parameter. - -Default value: `undef` - -##### `filter_tag` - -Data type: `String` - -String value for using tags. - -Default value: `''` - -##### `http_proxy_port` - -Data type: `Stdlib::Port` - -An integer value that defines the http proxy port. - -Default value: `$rundeck::params::default_http_proxy_port` - -##### `refresh_interval` - -Data type: `Integer` - -How often the data will be updated. - -Default value: `$rundeck::params::default_refresh_interval` - -##### `puppet_enterprise_host` - -Data type: `Optional[String]` - -The Puppet Enterprise host. - -Default value: `undef` - -##### `puppet_enterprise_port` - -Data type: `Optional[Stdlib::Port]` - -The Puppet Enterprise port. - -Default value: `undef` - -##### `puppet_enterprise_ssl_dir` - -Data type: `Optional[Stdlib::Absolutepath]` - -The Puppet Enterprise ssl directory. - -Default value: `undef` - -##### `puppet_enterprise_certificate_name` - -Data type: `Optional[String]` - -The Puppet Enterprise certificate name. - -Default value: `undef` - -##### `puppet_enterprise_mapping_file` - -Data type: `Optional[Stdlib::Absolutepath]` - -The Puppet Enterprise mapping file. - -Default value: `undef` - -##### `puppet_enterprise_metrics_interval` - -Data type: `Optional[Integer]` - -The Puppet Enterprise metrics interval. - -Default value: `undef` - -##### `puppet_enterprise_node_query` - -Data type: `Optional[String]` - -The Puppet Enterprise node query. 
- -Default value: `undef` - -##### `puppet_enterprise_default_node_tag` - -Data type: `Optional[String]` - -The Puppet Enterprise default node tag. - -Default value: `undef` - -##### `puppet_enterprise_tag_source` - -Data type: `Optional[String]` - -The Puppet Enterprise tag source. - -Default value: `undef` - ### `rundeck::config::resource::securityroles` Author: Zoltan Lanyi diff --git a/manifests/config.pp b/manifests/config.pp index 216cd9118..2f511539b 100644 --- a/manifests/config.pp +++ b/manifests/config.pp @@ -82,8 +82,6 @@ if $rundeck::ssl_enabled { contain rundeck::config::ssl - File["${properties_dir}/rundeck-config.properties"] - -> Class['rundeck::config::ssl'] } # if versioncmp( $package_ensure, '3.0.0' ) < 0 { diff --git a/manifests/config/framework.pp b/manifests/config/framework.pp index 1f4b774fc..9909ddbdc 100644 --- a/manifests/config/framework.pp +++ b/manifests/config/framework.pp @@ -3,6 +3,8 @@ # @summary This private class is called from rundeck::config used to manage the framework properties of rundeck. # class rundeck::config::framework { + assert_private() + if $rundeck::ssl_enabled { $_ssl_conig = { 'framework.server.port' => $rundeck::ssl_port, diff --git a/manifests/init.pp b/manifests/init.pp index 04378d71e..636228c23 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -55,10 +55,6 @@ # Ensure the state of the rundeck package, either present, absent or a specific version # @param preauthenticated_config # A hash of the rundeck preauthenticated config mode -# @param projects -# The hash of projects in your instance. -# @param quartz_job_threadcount -# The maximum number of threads used by Rundeck for concurrent jobs by default is set to 10. # @param app_log_level # The log4j logging level to be set for the Rundeck application. # @param audit_log_level 
@@ -126,7 +122,6 @@ Rundeck::Db_config $database_config, Hash $framework_config, Array[Hash] $key_storage_config, # Create type? - Hash $project_config, Stdlib::Absolutepath $override_dir, Hash $repo_config, Boolean $manage_repo = true, diff --git a/spec/classes/config/global/project_spec.rb b/spec/classes/config/global/project_spec.rb deleted file mode 100644 index 40a89e91b..000000000 --- a/spec/classes/config/global/project_spec.rb +++ /dev/null @@ -1,37 +0,0 @@ -# frozen_string_literal: true - -require 'spec_helper' - -describe 'rundeck' do - on_supported_os.each do |os, facts| - context "on #{os}" do - let :facts do - facts - end - - describe "rundeck::config::global::project class without any parameters on #{os}" do - let(:params) { {} } - - project_details = { - 'project.dir' => '/var/lib/rundeck/projects/${project.name}', - 'project.etc.dir' => '/var/lib/rundeck/projects/${project.name}/etc', - 'project.resources.file' => '/var/lib/rundeck/projects/${project.name}/etc/resources.xml', - 'project.description' => '', - 'project.organization' => '' - } - - it { is_expected.to contain_file('/etc/rundeck/project.properties') } - - project_details.each do |key, value| - it do - is_expected.to contain_ini_setting(key).with( - 'path' => '/etc/rundeck/project.properties', - 'setting' => key, - 'value' => value - ) - end - end - end - end - end -end diff --git a/spec/classes/config/global/scm_spec.rb b/spec/classes/config/global/scm_spec.rb deleted file mode 100644 index 1a98df9b1..000000000 --- a/spec/classes/config/global/scm_spec.rb +++ /dev/null 
@@ -1,76 +0,0 @@ -# frozen_string_literal: true - -require 'spec_helper' - -describe 'rundeck' do - on_supported_os.each do |os, facts| - context "on #{os}" do - let :facts do - facts - end - - describe 'add scm properties to project' do - project_hash = { - 'project_1' => { - 'scm_import_properties' => { - 'scm.import.config.useFilePattern' => 'true', - 'scm.import.config.strictHostKeyChecking' => 'no', - 'scm.import.config.filePattern' => 'SBO/*', - 'scm.import.config.url' => 'git.repo.com/project_1.jobs.git', - 'scm.import.config.format' => 'yaml', - 'scm.import.config.dir' => '/var/lib/rundeck/projects/proect_1/scm', - 'scm.import.config.pathTemplate' => '${job.project}/${job.group}${job.name}-${job.id}.${config.format}', - 'scm.import.config.sshPrivateKeyPath' => '', - 'scm.import.config.gitPasswordPath' => '', - 'scm.import.config.branch' => 'master', - 'scm.import.enabled' => 'false', - 'scm.import.roles.0' => 'user', - 'scm.import.type' => 'git-import', - 'scm.import.username' => '', - 'scm.import.roles.count' => '3', - 'scm.import.trackedItems.count' => '0' - }, - 'scm_export_properties' => { - 'scm.export.enabled' => 'false', - 'scm.export.config.format' => 'yaml', - 'scm.export.config.dir' => '/var/lib/rundeck/projects/project_1/scm', - 'scm.export.config.url' => 'git.repo.com/project_1.jobs.git', - 'scm.export.config.branch' => 'master', - 'scm.export.config.pathTemplate' => '{job.project}/${job.group}${job.name}-${job.id}.${config.format}', - 'scm.export.config.strictHostKeyChecking' => 'no', - 'scm.export.config.gitPasswordPath' => '', - 'scm.export.config.sshPrivateKeyPath' => 'keys/${project}/users/scm/${user.login}.private', - 'scm.export.roles.count' => '2', - 'scm.export.roles.1' => 'user', - 'scm.export.type' => 'git-export', - 'scm.export.username' => '${user.username}', - 'scm.export.config.committerName' => '${user.fullName}', - 'scm.export.config.committerEmail' => '${user.email}' - } - } - } - let(:params) do - { - projects: project_hash - 
} - end - - # content and meta data for passwords - it { is_expected.to contain_file('/var/lib/rundeck/projects/project_1/etc/scm-import.properties') } - - project_hash['project_1']['scm_import_properties'].each do |key, value| - it 'generates valid content for scm-import.properties' do - content = catalogue.resource('file', '/var/lib/rundeck/projects/project_1/etc/scm-import.properties')[:content] - expect(content).to include("#{key} = #{value}") - end - end - project_hash['project_1']['scm_export_properties'].each do |key, value| - it 'generates valid content for scm-export.properties' do - content = catalogue.resource('file', '/var/lib/rundeck/projects/project_1/etc/scm-export.properties')[:content] - expect(content).to include("#{key} = #{value}") - end - end - end - end - end -end diff --git a/spec/defines/config/project_spec.rb b/spec/defines/config/project_spec.rb deleted file mode 100644 index 253262272..000000000 --- a/spec/defines/config/project_spec.rb +++ /dev/null 
@@ -1,56 +0,0 @@ -# frozen_string_literal: true - -require 'spec_helper' - -describe 'rundeck::config::project', type: :define do - on_supported_os.each do |os, facts| - context "on #{os}" do - let :facts do - facts - end - - describe "rundeck::config::project definition without any parameters on #{os}" do - projects_dir = '/var/rundeck/projects' - - let(:title) { 'test' } - let(:params) do - { - framework_config: { - 'framework.projects.dir' => projects_dir, - 'framework.ssh.keypath' => '/var/lib/rundeck/.ssh/id_rsa' - }, - file_copier_provider: 'jsch-scp', - resource_sources: {}, - node_executor_provider: 'jsch-ssh', - user: 'rundedck', - group: 'rundeck' - } - end - - it { is_expected.to contain_file("#{projects_dir}/test/var").with('ensure' => 'directory') } - - it { is_expected.to contain_file("#{projects_dir}/test/etc").with('ensure' => 'directory') } - - it { is_expected.to contain_file("#{projects_dir}/test/etc/project.properties") } - - project_details = { - 'project.name' => 'test', - 'project.ssh-authentication' => 'privateKey', - 'project.ssh-keypath' => '/var/lib/rundeck/.ssh/id_rsa', - 'service.NodeExecutor.default.provider' => 'jsch-ssh', - 'service.FileCopier.default.provider' => 'jsch-scp' - } - - project_details.each do |key, value| - it do - is_expected.to contain_ini_setting("test::#{key}").with( - 'path' => '/var/rundeck/projects/test/etc/project.properties', - 'setting' => key, - 'value' => value - ) - end - end - end - end - end -end diff --git a/spec/defines/config/resource_source_spec.rb b/spec/defines/config/resource_source_spec.rb deleted file mode 100644 index 4c82dd197..000000000 --- a/spec/defines/config/resource_source_spec.rb +++ /dev/null 
@@ -1,219 +0,0 @@ -# frozen_string_literal: true - -require 'spec_helper' - -describe 'rundeck::config::resource_source', type: :define do - on_supported_os.each do |os, facts| - context "on #{os}" do - let :facts do - facts - end - - let :pre_condition do - [ - 'include rundeck', - "rundeck::config::project { 'test': }" - ] - end - - describe "rundeck::config::resource_source definition with default parameters on #{os}" do - let(:title) { 'source one' } - let(:params) do - { - 'project_name' => 'test', - 'source_type' => 'file', - 'include_server_node' => false, - 'resource_format' => 'resourcexml', - 'url_cache' => true, - 'url_timeout' => 50, - 'directory' => '/', - 'script_args_quoted' => true, - 'script_interpreter' => '/bin/bash' - } - end - - file_details = { - 'resources.source.1.config.requireFileExists' => 'true', - 'resources.source.1.config.includeServerNode' => 'false', - 'resources.source.1.config.generateFileAutomatically' => 'true', - 'resources.source.1.config.format' => 'resourcexml', - 'resources.source.1.config.file' => '/var/lib/rundeck/projects/test/etc/source one.xml', - 'resources.source.1.type' => 'file' - } - - file_details.each do |key, value| - it do - is_expected.to contain_ini_setting("source one::#{key}").with( - 'path' => '/var/lib/rundeck/projects/test/etc/project.properties', - 'setting' => key, - 'value' => value - ) - end - end - - it do - is_expected.to contain_file('/var/lib/rundeck/projects/test').with( - 'owner' => 'rundeck', - 'group' => 'rundeck' - ) - end - end - - describe "rundeck::config::resource_source definition with url parameters on #{os}" do - let(:title) { 'source one' } - let(:params) do - { - 'project_name' => 'test', - 'source_type' => 'url', - 'url' => 'http\://localhost\:9999', - 'include_server_node' => true, - 'url_cache' => true, - 'url_timeout' => 50, - 'directory' => '/', - 'resource_format' => 'resourcexml', - 'script_args_quoted' => true, - 'script_interpreter' => '/bin/bash' - } - end - - url_details 
= { - 'resources.source.1.config.url' => 'http\://localhost\:9999', - 'resources.source.1.config.timeout' => '50', - 'resources.source.1.config.cache' => 'true', - 'resources.source.1.type' => 'url' - } - - url_details.each do |key, value| - it do - is_expected.to contain_ini_setting("source one::#{key}").with( - 'path' => '/var/lib/rundeck/projects/test/etc/project.properties', - 'setting' => key, - 'value' => value - ) - end - end - end - - describe "rundeck::config::resource definition with directory parameters on #{os}" do - let(:title) { 'source one' } - let(:params) do - { - 'project_name' => 'test', - 'source_type' => 'directory', - 'directory' => '/fubar/resources', - 'include_server_node' => true, - 'resource_format' => 'resourcexml', - 'url_cache' => true, - 'url_timeout' => 50, - 'script_args_quoted' => true, - 'script_interpreter' => '/bin/bash' - - } - end - - directory_details = { - 'resources.source.1.config.directory' => '/fubar/resources', - 'resources.source.1.type' => 'directory' - } - - directory_details.each do |key, value| - it do - is_expected.to contain_ini_setting("source one::#{key}").with( - 'path' => '/var/lib/rundeck/projects/test/etc/project.properties', - 'setting' => key, - 'value' => value - ) - end - end - end - - describe "rundeck::config::resource definition with script parameters on #{os}" do - let(:title) { 'source one' } - let(:params) do - { - 'project_name' => 'test', - 'source_type' => 'script', - 'script_file' => '/fubar/test.sh', - 'script_args' => 'fubar', - 'include_server_node' => true, - 'resource_format' => 'resourcexml', - 'script_args_quoted' => true, - 'script_interpreter' => '/bin/bash', - 'url_cache' => true, - 'url_timeout' => 30, - 'directory' => '/' - } - end - - script_details = { - 'resources.source.1.config.file' => '/fubar/test.sh', - 'resources.source.1.config.interpreter' => '/bin/bash', - 'resources.source.1.config.format' => 'resourcexml', - 'resources.source.1.config.args' => 'fubar', - 
'resources.source.1.config.argsQuoted' => true, - 'resources.source.1.type' => 'script' - } - - script_details.each do |key, value| - it do - is_expected.to contain_ini_setting("source one::#{key}").with( - 'path' => '/var/lib/rundeck/projects/test/etc/project.properties', - 'setting' => key, - 'value' => value - ) - end - end - end - - describe "rundeck::config::resource definition with Puppet Enterprise parameters on #{os}" do - let(:title) { 'source one' } - let(:params) do - { - 'project_name' => 'test', - 'include_server_node' => false, - 'resource_format' => 'resourcexml', - 'url_cache' => true, - 'url_timeout' => 50, - 'directory' => '/foo/bar/resources', - 'script_args_quoted' => true, - 'script_interpreter' => '/bin/bash', - - 'source_type' => 'puppet-enterprise', - 'puppet_enterprise_host' => 'localhost', - 'puppet_enterprise_port' => 8081, - 'puppet_enterprise_metrics_interval' => 15, - 'puppet_enterprise_mapping_file' => '/var/local/resource-mapping.json', - 'puppet_enterprise_ssl_dir' => '/opt/rundeck/puppetmaster_ssl', - 'puppet_enterprise_certificate_name' => 'localhost.localdomain', - 'puppet_enterprise_node_query' => '["=", ["fact", "osfamily"], "RedHat"]', - 'puppet_enterprise_default_node_tag' => 'default_tag', - 'puppet_enterprise_tag_source' => 'source_tag' - } - end - - puppet_enterprise_details = { - 'resources.source.1.type' => 'puppet-enterprise', - 'resources.source.1.config.PROPERTY_PUPPETDB_HOST' => 'localhost', - 'resources.source.1.config.PROPERTY_PUPPETDB_PORT' => '8081', - 'resources.source.1.config.PROPERTY_METRICS_INTERVAL' => '15', - 'resources.source.1.config.PROPERTY_MAPPING_FILE' => '/var/local/resource-mapping.json', - 'resources.source.1.config.PROPERTY_PUPPETDB_SSL_DIR' => '/opt/rundeck/puppetmaster_ssl', - 'resources.source.1.config.PROPERTY_PUPPETDB_CERTIFICATE_NAME' => 'localhost.localdomain', - 'resources.source.1.config.PROPERTY_NODE_QUERY' => '["=", ["fact", "osfamily"], "RedHat"]', - 
'resources.source.1.config.PROPERTY_DEFAULT_NODE_TAG' => 'default_tag', - 'resources.source.1.config.PROPERTY_TAGS_SOURCE' => 'source_tag' - } - - puppet_enterprise_details.each do |key, value| - it do - is_expected.to contain_ini_setting("source one::#{key}").with( - 'path' => '/var/lib/rundeck/projects/test/etc/project.properties', - 'setting' => key, - 'value' => value - ) - end - end - end - end - end -end From 8277fa61feef93696363dd1e8eb54a26d2942f5a Mon Sep 17 00:00:00 2001 From: Joris29 Date: Wed, 22 Nov 2023 09:24:01 +0100 Subject: [PATCH 45/82] Remove more obsolete files and refs --- README.md | 3 +-- manifests/init.pp | 4 ++++ spec/acceptance/rundeck_spec.rb | 21 ------------------- .../config/global/rundeck_config_spec.rb | 3 --- 4 files changed, 5 insertions(+), 26 deletions(-) diff --git a/README.md b/README.md index c00983349..7737d180a 100644 --- a/README.md +++ b/README.md @@ -31,8 +31,7 @@ The rundeck puppet module for installing and managing [Rundeck](http://rundeck.o ## Module Description -This module provides a way to manage the installation and configuration of -rundeck, its projects, jobs and plugins. +This module provides a way to manage the installation and configuration of rundeck and plugins. ## Setup diff --git a/manifests/init.pp b/manifests/init.pp index 636228c23..afda8eeb3 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -114,6 +114,8 @@ # @param key_storage_encrypt_config # Hash containing the necessary values to configure a plugin for key storage encryption. # https://docs.rundeck.com/docs/administration/configuration/plugins/configuring.html#storage-converter-plugins +# @param quartz_job_threadcount +# The maximum number of threads used by Rundeck for concurrent jobs by default is set to 10. # class rundeck ( Array[Hash] $admin_policies, 
@@ -181,6 +183,8 @@ Stdlib::Absolutepath $service_logs_dir = '/var/log/rundeck', Optional[String] $service_config = undef, Optional[String] $service_script = undef, + + Integer $quartz_job_threadcount = 10, ) { validate_rd_policy($admin_policies) validate_rd_policy($api_policies) diff --git a/spec/acceptance/rundeck_spec.rb b/spec/acceptance/rundeck_spec.rb index a6d2b67fc..f3bc91d52 100644 --- a/spec/acceptance/rundeck_spec.rb +++ b/spec/acceptance/rundeck_spec.rb @@ -31,27 +31,6 @@ class { 'rundeck': end end - context 'simple project' do - it 'applies successfully' do - pp = <<-EOS - class { 'rundeck': - projects => { - 'Wizzle' => {}, - } - } - EOS - - # Run it twice and test for idempotency - apply_manifest(pp, catch_failures: true) - apply_manifest(pp, catch_changes: true) - end - - describe file('/var/lib/rundeck/projects/Wizzle/etc/project.properties') do - it { is_expected.to be_file } - its(:content) { is_expected.to match %r{service.FileCopier.default.provider = jsch-scp} } - end - end - context 'updrade to latest version' do it 'applies successfully' do pp = <<-EOS diff --git a/spec/classes/config/global/rundeck_config_spec.rb b/spec/classes/config/global/rundeck_config_spec.rb index 0571c3ca4..966259472 100644 --- a/spec/classes/config/global/rundeck_config_spec.rb +++ b/spec/classes/config/global/rundeck_config_spec.rb @@ -94,9 +94,6 @@ grails.serverURL = "http://foo.example.com:4440" rundeck.clusterMode.enabled = "false" - rundeck.projectsStorageType = "filesystem" - quartz.threadPool.threadCount = "10" - rundeck.storage.provider."1".type = "file" rundeck.storage.provider."1".path = "/" rundeck.storage.provider."1".config.baseDir = "/var/lib/rundeck/var/storage" From a0ac890f62343d06139798b061d4f06ac3c01868 Mon Sep 17 00:00:00 2001 
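Review bot: The added `Integer $quartz_job_threadcount = 10,` is separated from the preceding parameters by a stray blank line that the rest of the `class rundeck (` parameter list does not use; drop the blank line. Quartz rejects a thread pool of zero or fewer threads, so the type can state the constraint and fail at compile time instead: `Integer[1] $quartz_job_threadcount = 10,`. The parameter list continues outside the hunk.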
From: Joris29 Date: Wed, 22 Nov 2023 10:47:47 +0100 Subject: [PATCH 46/82] Update ssl config --- REFERENCE.md | 17 +++-- manifests/config.pp | 2 + manifests/config/jaas_auth.pp | 6 +- manifests/config/ssl.pp | 120 +++++++------------------------- manifests/init.pp | 15 ++-- templates/profile_overrides.epp | 9 +-- templates/ssl.properties.epp | 5 ++ 7 files changed, 63 insertions(+), 111 deletions(-) create mode 100644 templates/ssl.properties.epp diff --git a/REFERENCE.md b/REFERENCE.md index 95bef67c5..07dcd7892 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -66,8 +66,8 @@ The following parameters are available in the `rundeck` class: * [`log_properties_template`](#-rundeck--log_properties_template) * [`mail_config`](#-rundeck--mail_config) * [`key_password`](#-rundeck--key_password) -* [`ssl_keyfile`](#-rundeck--ssl_keyfile) -* [`ssl_certfile`](#-rundeck--ssl_certfile) +* [`ssl_private_key`](#-rundeck--ssl_private_key) +* [`ssl_certificate`](#-rundeck--ssl_certificate) * [`manage_default_admin_policy`](#-rundeck--manage_default_admin_policy) * [`manage_default_api_policy`](#-rundeck--manage_default_api_policy) * [`repo_config`](#-rundeck--repo_config) @@ -103,6 +103,7 @@ The following parameters are available in the `rundeck` class: * [`security_roles_array_enabled`](#-rundeck--security_roles_array_enabled) * [`security_roles_array`](#-rundeck--security_roles_array) * [`key_storage_encrypt_config`](#-rundeck--key_storage_encrypt_config) +* [`quartz_job_threadcount`](#-rundeck--quartz_job_threadcount) * [`override_dir`](#-rundeck--override_dir) ##### `acl_template` @@ -239,7 +240,7 @@ The ssl key password. Default value: `undef` -##### `ssl_keyfile` +##### `ssl_private_key` Data type: `Stdlib::Absolutepath` @@ -247,7 +248,7 @@ Full path to the SSL private key to be used by Rundeck. Default value: `'/etc/rundeck/ssl/rundeck.key'` -##### `ssl_certfile` +##### `ssl_certificate` Data type: `Stdlib::Absolutepath` 
@@ -535,6 +536,14 @@ https://docs.rundeck.com/docs/administration/configuration/plugins/configuring.h Default value: `{}` +##### `quartz_job_threadcount` + +Data type: `Integer` + +The maximum number of threads used by Rundeck for concurrent jobs by default is set to 10. + +Default value: `10` + ##### `override_dir` Data type: `Stdlib::Absolutepath` diff --git a/manifests/config.pp b/manifests/config.pp index 2f511539b..0e558666b 100644 --- a/manifests/config.pp +++ b/manifests/config.pp @@ -37,6 +37,7 @@ mode => '0755', ; "${properties_dir}/log4j2.properties": + ensure => file, content => epp($rundeck::log_properties_template), require => File[$properties_dir, $rundeck::service_logs_dir], ; @@ -64,6 +65,7 @@ if ($rundeck::override_template) { file { "${rundeck::override_dir}/${rundeck::service_name}": + ensure => file, content => epp($rundeck::override_template), } } diff --git a/manifests/config/jaas_auth.pp b/manifests/config/jaas_auth.pp index 26061f484..667be732b 100644 --- a/manifests/config/jaas_auth.pp +++ b/manifests/config/jaas_auth.pp @@ -10,8 +10,9 @@ if 'file' in $_auth_types { file { "${rundeck::config::properties_dir}/realm.properties": + ensure => file, content => Sensitive(epp($rundeck::realm_template, { _auth_config => $_auth_config })), - mode => '0600', + mode => '0400', } } else { file { "${rundeck::config::properties_dir}/realm.properties": @@ -26,7 +27,8 @@ } file { "${rundeck::config::properties_dir}/jaas-loginmodule.conf": + ensure => file, content => Sensitive(epp('rundeck/jaas-auth.conf.epp', { _auth_config => $_auth_config, _ldap_login_module => $_ldap_login_module })), - mode => '0600', + mode => '0400', } } diff --git a/manifests/config/ssl.pp b/manifests/config/ssl.pp index 17fa0c12d..fa917be69 100644 --- a/manifests/config/ssl.pp +++ b/manifests/config/ssl.pp 
@@ -5,99 +5,31 @@ class rundeck::config::ssl { assert_private() - $group = $rundeck::group - $key_password = $rundeck::key_password - $ssl_keyfile = $rundeck::ssl_keyfile - $ssl_certfile = $rundeck::ssl_certfile - $keystore = $rundeck::keystore - $keystore_password = $rundeck::keystore_password - $properties_dir = $rundeck::config::properties_dir - $service_name = $rundeck::service_name - $truststore = $rundeck::truststore - $truststore_password = $rundeck::truststore_password - $user = $rundeck::user - - $properties_file = "${properties_dir}/ssl/ssl.properties" - - ensure_resource('file', $properties_dir, { - 'ensure' => 'directory', - 'owner' => $user, - 'group' => $group - }) - ensure_resource('file', "${properties_dir}/ssl", { - 'ensure' => 'directory', - 'owner' => $user, - 'group' => $group, - 'require' => File[$properties_dir] - }) - - java_ks { "rundeck:${properties_dir}/ssl/keystore": - ensure => present, - private_key => $ssl_keyfile, - certificate => $ssl_certfile, - password => $keystore_password, - destkeypass => $key_password, - trustcacerts => true, - } - -> java_ks { "rundeck:${properties_dir}/ssl/truststore": - ensure => present, - private_key => $ssl_keyfile, - certificate => $ssl_certfile, - password => $truststore_password, - destkeypass => $key_password, - trustcacerts => true, - } - - file { $properties_file: - ensure => file, - owner => $user, - group => $group, - mode => '0640', - require => File[$properties_dir], - } - - ini_setting { 'keystore': - ensure => present, - path => $properties_file, - section => '', - setting => 'keystore', - value => $keystore, - require => File[$properties_file], - } - - ini_setting { 'keystore.password': - ensure => present, - path => $properties_file, - section => '', - setting => 'keystore.password', - value => $keystore_password, - require => File[$properties_file], - } - - ini_setting { 'key.password': - ensure => present, - path => $properties_file, - section => '', - setting => 'key.password', - value 
=> $key_password, - require => File[$properties_file], - } - - ini_setting { 'truststore': - ensure => present, - path => $properties_file, - section => '', - setting => 'truststore', - value => $truststore, - require => File[$properties_file], - } - - ini_setting { 'truststore.password': - ensure => present, - path => $properties_file, - section => '', - setting => 'truststore.password', - value => $truststore_password, - require => File[$properties_file], + file { + "${rundeck::config::properties_dir}/ssl": + ensure => directory, + mode => '0755', + ; + "${rundeck::config::properties_dir}/ssl/ssl.properties": + ensure => file, + content => Sensitive(epp('rundeck/ssl.properties.epp')), + mode => '0400', + ; + } + + java_ks { + default: + ensure => present, + private_key => $rundeck::ssl_private_key, + certificate => $rundeck::ssl_certificate, + destkeypass => $rundeck::key_password, + trustcacerts => true, + ; + "${rundeck::config::properties_dir}/ssl/keystore": + password => $rundeck::keystore_password, + ; + "${rundeck::config::properties_dir}/ssl/truststore": + password => $rundeck::truststore_password, + ; } } diff --git a/manifests/init.pp b/manifests/init.pp index afda8eeb3..25f7f1f32 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -38,9 +38,9 @@ # A hash of the notification email configuraton. # @param key_password # The ssl key password. -# @param ssl_keyfile +# @param ssl_private_key # Full path to the SSL private key to be used by Rundeck. -# @param ssl_certfile +# @param ssl_certificate # Full path to the SSL public key to be used by Rundeck. # @param manage_default_admin_policy # Boolean value if set to true enables default admin policy management @@ -129,7 +129,6 @@ Boolean $manage_repo = true, String $package_ensure = 'installed', Boolean $manage_home = true, - # User config String $user = 'rundeck', String $group = 'rundeck', Boolean $manage_user = false, 
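Review bot: The rewritten `file` resources for `.../ssl` and `.../ssl/ssl.properties` drop the `owner => $user, group => $group` that the removed block set while tightening the properties file to `mode => '0400'`; unless a `File` resource default in rundeck::config supplies owner and group, an agent running as root leaves a root-owned 0400 file holding the keystore and truststore passwords that the Rundeck service account cannot read. Adding `default: owner => $rundeck::user, group => $rundeck::group;` as the first entry of the `file` block restores the previous ownership with the new mode. The same question applies to `realm.properties` and `jaas-loginmodule.conf` in the two jaas_auth.pp hunks above, which also set `mode => '0400'` with no owner. Keeping the rendered content wrapped in `Sensitive` is right, since the file carries the store passwords.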
@@ -144,7 +143,7 @@ Optional[Stdlib::Absolutepath] $java_home = undef, String $jvm_args = '-Xmx1024m -Xms256m -server', Optional[Hash] $kerberos_realms = undef, - Stdlib::Absolutepath $keystore = '/etc/rundeck/ssl/keystore', + Rundeck::Mail_config $mail_config = {}, Hash $security_config = {}, Hash $preauthenticated_config = {}, @@ -165,13 +164,15 @@ String $security_role = 'user', Optional[String] $server_web_context = undef, Integer $session_timeout = 30, + Boolean $ssl_enabled = false, Stdlib::Port $ssl_port = 4443, + Stdlib::Absolutepath $ssl_certificate = '/etc/rundeck/ssl/rundeck.crt', + Stdlib::Absolutepath $ssl_private_key = '/etc/rundeck/ssl/rundeck.key', Optional[String] $key_password = undef, - Stdlib::Absolutepath $ssl_keyfile = '/etc/rundeck/ssl/rundeck.key', - Stdlib::Absolutepath $ssl_certfile = '/etc/rundeck/ssl/rundeck.crt', - Stdlib::Absolutepath $truststore = '/etc/rundeck/ssl/truststore', + Stdlib::Absolutepath $keystore = '/etc/rundeck/ssl/keystore', String $keystore_password = 'admin', + Stdlib::Absolutepath $truststore = '/etc/rundeck/ssl/truststore', String $truststore_password = 'admin', Boolean $security_roles_array_enabled = false, diff --git a/templates/profile_overrides.epp b/templates/profile_overrides.epp index 52f657636..a2ee36c6a 100644 --- a/templates/profile_overrides.epp +++ b/templates/profile_overrides.epp @@ -7,6 +7,11 @@ LOGIN_MODULE=authentication JAVA_CMD=java RDECK_JVM_SETTINGS="<%= $rundeck::jvm_args %>" +<% if $rundeck::ssl_enabled { -%> +RUNDECK_WITH_SSL=true +RDECK_HTTPS_PORT=<%= $rundeck::ssl_port %> +<% } -%> + <% if $rundeck::server_web_context { -%> RDECK_JVM_SETTINGS="$RDECK_JVM_SETTINGS -Dserver.web.context=<%= $rundeck::server_web_context %>" <% } -%> @@ -18,7 +23,3 @@ RDECK_JVM_SETTINGS="$RDECK_JVM_SETTINGS -Djava.security.krb5.conf=$RDECK_CONFIG/ <% if $rundeck::java_home { %> JAVA_HOME=<%= $rundeck::java_home %> <% } %> - -<% if $rundeck::ssl_enabled { -%> -RUNDECK_WITH_SSL=true -<% } -%> 
diff --git a/templates/ssl.properties.epp b/templates/ssl.properties.epp new file mode 100644 index 000000000..1078b0056 --- /dev/null +++ b/templates/ssl.properties.epp @@ -0,0 +1,5 @@ +keystore=<%= $rundeck::keystore %> +keystore.password=<%= $rundeck::keystore_password %> +key.password=<%= $rundeck::key_password %> +truststore=<%= $rundeck::truststore %> +truststore.password=<%= $rundeck::truststore_password %> From 2f1b9b59a496d185bf66f25575df0a23831720b4 Mon Sep 17 00:00:00 2001 From: Joris29 Date: Wed, 22 Nov 2023 11:41:25 +0100 Subject: [PATCH 47/82] Use valid pass for java_ks --- manifests/config/ssl.pp | 8 +++++--- manifests/init.pp | 6 +++--- 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/manifests/config/ssl.pp b/manifests/config/ssl.pp index fa917be69..0d8e55241 100644 --- a/manifests/config/ssl.pp +++ b/manifests/config/ssl.pp @@ -20,16 +20,18 @@ java_ks { default: ensure => present, - private_key => $rundeck::ssl_private_key, certificate => $rundeck::ssl_certificate, + private_key => $rundeck::ssl_private_key, destkeypass => $rundeck::key_password, trustcacerts => true, ; - "${rundeck::config::properties_dir}/ssl/keystore": + 'keystore': password => $rundeck::keystore_password, + target => "${rundeck::config::properties_dir}/ssl/keystore", ; - "${rundeck::config::properties_dir}/ssl/truststore": + 'truststore': password => $rundeck::truststore_password, + target => "${rundeck::config::properties_dir}/ssl/truststore", ; } } diff --git a/manifests/init.pp b/manifests/init.pp index 25f7f1f32..939a96cc5 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -37,7 +37,7 @@ # @param mail_config # A hash of the notification email configuraton. # @param key_password -# The ssl key password. +# The password used to protect the key in keystore. # @param ssl_private_key # Full path to the SSL private key to be used by Rundeck. # @param ssl_certificate 
@@ -171,9 +171,9 @@ Stdlib::Absolutepath $ssl_private_key = '/etc/rundeck/ssl/rundeck.key', Optional[String] $key_password = undef, Stdlib::Absolutepath $keystore = '/etc/rundeck/ssl/keystore', - String $keystore_password = 'admin', + String $keystore_password = 'adminadmin', Stdlib::Absolutepath $truststore = '/etc/rundeck/ssl/truststore', - String $truststore_password = 'admin', + String $truststore_password = 'adminadmin', Boolean $security_roles_array_enabled = false, Array $security_roles_array = [], From 44c95c5b16212c9e05b8affb3f9c99d43beea962 Mon Sep 17 00:00:00 2001 From: Joris29 Date: Wed, 22 Nov 2023 12:57:34 +0100 Subject: [PATCH 48/82] Update ssl template --- manifests/config.pp | 25 ++++++++++++++++--------- templates/ssl.properties.epp | 4 +++- 2 files changed, 19 insertions(+), 10 deletions(-) diff --git a/manifests/config.pp b/manifests/config.pp index 0e558666b..80577384a 100644 --- a/manifests/config.pp +++ b/manifests/config.pp @@ -86,15 +86,22 @@ contain rundeck::config::ssl } - # if versioncmp( $package_ensure, '3.0.0' ) < 0 { - # class { 'rundeck::config::global::web': - # security_role => $security_role, - # session_timeout => $session_timeout, - # security_roles_array_enabled => $security_roles_array_enabled, - # security_roles_array => $security_roles_array, - # require => Class['rundeck::install'], - # } - # } + if versioncmp( $rundeck::package_ensure, '3.0.0' ) < 0 { + notify { 'test': + message => 'Add web', + } + # class { 'rundeck::config::global::web': + # security_role => $security_role, + # session_timeout => $session_timeout, + # security_roles_array_enabled => $security_roles_array_enabled, + # security_roles_array => $security_roles_array, + # require => Class['rundeck::install'], + # } + } else { + notify { 'test': + message => 'Dont add web', + } + } # if !empty($kerberos_realms) { # file { "${properties_dir}/krb5.conf": diff --git a/templates/ssl.properties.epp b/templates/ssl.properties.epp index 1078b0056..262218fca 100644 
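Review bot: `keystore_password` and `truststore_password` stay typed as plain `String` with the well-known default `'adminadmin'`, so the values appear in clear text in the compiled catalog and agent reports even though ssl.pp wraps the rendered ssl.properties in `Sensitive`. If the lengthening is for the JKS six-character minimum, as the commit title suggests, encode it in the type so a too-short override fails at compile time rather than inside java_ks: `String[6] $keystore_password = 'adminadmin',` and `String[6] $truststore_password = 'adminadmin',`. Accepting `Sensitive[String[6]]` as well would keep overrides out of reports, but the template and java_ks call would then need to `unwrap` the value, which is worth checking against the java_ks version in use. The parameter docs should also say the shipped defaults are placeholders to be overridden.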
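Review bot: The two `notify { 'test': ... }` resources are debugging scaffolding — they emit 'Add web' / 'Dont add web' on every agent run and land as events in every report — and should not be merged, while the commented-out `class { 'rundeck::config::global::web': ... }` block under them is still dead code. The `versioncmp($rundeck::package_ensure, '3.0.0') < 0` guard is also fed the non-version values `installed`, `present` or `latest` that `package_ensure` takes (`String $package_ensure = 'installed'` in init.pp); versioncmp's lexical fallback appears to make those compare greater than `'3.0.0'`, but that is incidental and worth guarding explicitly, e.g. `if $rundeck::package_ensure =~ /^\d/ and versioncmp($rundeck::package_ensure, '3.0.0') < 0 {`. The enclosing class body continues outside the hunk.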
--- a/templates/ssl.properties.epp +++ b/templates/ssl.properties.epp @@ -1,5 +1,7 @@ keystore=<%= $rundeck::keystore %> keystore.password=<%= $rundeck::keystore_password %> -key.password=<%= $rundeck::key_password %> truststore=<%= $rundeck::truststore %> truststore.password=<%= $rundeck::truststore_password %> +<%- if $rundeck::key_password { -%> +key.password=<%= $rundeck::key_password %> +<%- } -%> From 32660400e5d82bed5dd6eebb2236a39042ea2115 Mon Sep 17 00:00:00 2001 From: Joris29 Date: Wed, 22 Nov 2023 13:15:06 +0100 Subject: [PATCH 49/82] Remove obsolete files --- REFERENCE.md | 128 +-------------------- manifests/config.pp | 27 ----- manifests/config/global/web.pp | 55 --------- manifests/config/resource/securityroles.pp | 14 --- manifests/init.pp | 15 --- spec/defines/config/securityroles_spec.rb | 34 ------ spec/fixtures/files/override.template | 1 - spec/fixtures/files/profile.template | 1 - templates/krb5.conf.erb | 11 -- templates/profile_overrides.epp | 4 - 10 files changed, 3 insertions(+), 287 deletions(-) delete mode 100644 manifests/config/global/web.pp delete mode 100644 manifests/config/resource/securityroles.pp delete mode 100644 spec/defines/config/securityroles_spec.rb delete mode 100644 spec/fixtures/files/override.template delete mode 100644 spec/fixtures/files/profile.template delete mode 100644 templates/krb5.conf.erb diff --git a/REFERENCE.md b/REFERENCE.md index 07dcd7892..395948caf 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -9,7 +9,6 @@ #### Public Classes * [`rundeck`](#rundeck): Class to manage installation and configuration of Rundeck. -* [`rundeck::config::global::web`](#rundeck--config--global--web): This class will manage the application's web.xml. #### Private Classes 
@@ -24,7 +23,6 @@ * [`rundeck::config::resource::aclpolicyfile`](#rundeck--config--resource--aclpolicyfile): This define will create a custom acl policy file. * [`rundeck::config::resource::plugin`](#rundeck--config--resource--plugin): This define will install a rundeck plugin. -* [`rundeck::config::resource::securityroles`](#rundeck--config--resource--securityroles): Author: Zoltan Lanyi Date : 03.06.2016 ### Functions @@ -59,7 +57,6 @@ The following parameters are available in the `rundeck` class: * [`gui_config`](#-rundeck--gui_config) * [`java_home`](#-rundeck--java_home) * [`jvm_args`](#-rundeck--jvm_args) -* [`kerberos_realms`](#-rundeck--kerberos_realms) * [`key_storage_config`](#-rundeck--key_storage_config) * [`keystore`](#-rundeck--keystore) * [`keystore_password`](#-rundeck--keystore_password) @@ -82,14 +79,12 @@ The following parameters are available in the `rundeck` class: * [`realm_template`](#-rundeck--realm_template) * [`rss_enabled`](#-rundeck--rss_enabled) * [`security_config`](#-rundeck--security_config) -* [`security_role`](#-rundeck--security_role) * [`server_web_context`](#-rundeck--server_web_context) * [`service_name`](#-rundeck--service_name) * [`service_ensure`](#-rundeck--service_ensure) * [`service_logs_dir`](#-rundeck--service_logs_dir) * [`service_config`](#-rundeck--service_config) * [`service_script`](#-rundeck--service_script) -* [`session_timeout`](#-rundeck--session_timeout) * [`ssl_enabled`](#-rundeck--ssl_enabled) * [`ssl_port`](#-rundeck--ssl_port) * [`truststore`](#-rundeck--truststore) 
@@ -100,8 +95,6 @@ The following parameters are available in the `rundeck` class: * [`manage_group`](#-rundeck--manage_group) * [`user_id`](#-rundeck--user_id) * [`group_id`](#-rundeck--group_id) -* [`security_roles_array_enabled`](#-rundeck--security_roles_array_enabled) -* [`security_roles_array`](#-rundeck--security_roles_array) * [`key_storage_encrypt_config`](#-rundeck--key_storage_encrypt_config) * [`quartz_job_threadcount`](#-rundeck--quartz_job_threadcount) * [`override_dir`](#-rundeck--override_dir) @@ -186,14 +179,6 @@ Extra arguments for the JVM. Default value: `'-Xmx1024m -Xms256m -server'` -##### `kerberos_realms` - -Data type: `Optional[Hash]` - -A hash of mappings between Kerberos domain DNS names and realm names - -Default value: `undef` - ##### `key_storage_config` Data type: `Array[Hash]` @@ -214,7 +199,7 @@ Data type: `String` The password for the given keystore. -Default value: `'admin'` +Default value: `'adminadmin'` ##### `log_properties_template` @@ -236,7 +221,7 @@ Default value: `{}` Data type: `Optional[String]` -The ssl key password. +The password used to protect the key in keystore. Default value: `undef` @@ -367,14 +352,6 @@ A hash of the rundeck security configuration. Default value: `{}` -##### `security_role` - -Data type: `String` - -Name of the role that is required for all users to be allowed access. - -Default value: `'user'` - ##### `server_web_context` Data type: `Optional[String]` @@ -423,14 +400,6 @@ Allows you to use your own override template instead of the default from the pac Default value: `undef` -##### `session_timeout` - -Data type: `Integer` - -Session timeout is an expired time limit for a logged in Rundeck GUI user which as been inactive for a period of time. - -Default value: `30` - ##### `ssl_enabled` Data type: `Boolean` @@ -461,7 +430,7 @@ Data type: `String` The password for the given truststore. -Default value: `'admin'` +Default value: `'adminadmin'` ##### `user` 
@@ -511,22 +480,6 @@ If you want to have always the same group id. Eg. because of the NFS share. Default value: `undef` -##### `security_roles_array_enabled` - -Data type: `Boolean` - -Boolean value if you need more roles. false or true (default is false). - -Default value: `false` - -##### `security_roles_array` - -Data type: `Array` - -Array value if you need more roles and you set true the "security_roles_array_enabled" value. - -Default value: `[]` - ##### `key_storage_encrypt_config` Data type: `Hash` 
@@ -550,62 +503,6 @@ Data type: `Stdlib::Absolutepath` -### `rundeck::config::global::web` - -Currently only manages the required for any user to login and session timout: -http://rundeck.org/docs/administration/authenticating-users.html#security-role -http://rundeck.org/docs/administration/configuration-file-reference.html#session-timeout - -#### Parameters - -The following parameters are available in the `rundeck::config::global::web` class: - -* [`security_role`](#-rundeck--config--global--web--security_role) -* [`session_timeout`](#-rundeck--config--global--web--session_timeout) -* [`security_roles_array_enabled`](#-rundeck--config--global--web--security_roles_array_enabled) -* [`security_roles_array`](#-rundeck--config--global--web--security_roles_array) -* [`web_xml`](#-rundeck--config--global--web--web_xml) - -##### `security_role` - -Data type: `String[1]` - -Name of role that is required for all users to be allowed access. - -Default value: `$rundeck::params::security_role` - -##### `session_timeout` - -Data type: `Integer[0]` - -Session timeout is an expired time limit for a logged in Rundeck GUI user which as been inactive for a period of time. - -Default value: `$rundeck::params::session_timeout` - -##### `security_roles_array_enabled` - -Data type: `Boolean` - -Boolen value if you want to have more roles in web.xml - -Default value: `$rundeck::params::security_roles_array_enabled` - -##### `security_roles_array` - -Data type: `Array` - -Array value if you set the value 'security_roles_array_enabled' to true. - -Default value: `$rundeck::params::security_roles_array` - -##### `web_xml` - -Data type: `Stdlib::Absolutepath` - - - -Default value: `"${rundeck::home_dir}/exp/webapp/WEB-INF/web.xml"` - ## Defined types ### `rundeck::config::resource::aclpolicyfile` 
@@ -739,25 +636,6 @@ Data type: `String` The http source or local path from which to get the plugin. -### `rundeck::config::resource::securityroles` - -Author: Zoltan Lanyi -Date : 03.06.2016 - -#### Parameters - -The following parameters are available in the `rundeck::config::resource::securityroles` defined type: - -* [`web_xml`](#-rundeck--config--resource--securityroles--web_xml) - -##### `web_xml` - -Data type: `Stdlib::Absolutepath` - - - -Default value: `"${rundeck::home_dir}/exp/webapp/WEB-INF/web.xml"` - ## Functions ### `validate_rd_policy` diff --git a/manifests/config.pp b/manifests/config.pp index 80577384a..c8bc2e9a9 100644 --- a/manifests/config.pp +++ b/manifests/config.pp @@ -85,31 +85,4 @@ if $rundeck::ssl_enabled { contain rundeck::config::ssl } - - if versioncmp( $rundeck::package_ensure, '3.0.0' ) < 0 { - notify { 'test': - message => 'Add web', - } - # class { 'rundeck::config::global::web': - # security_role => $security_role, - # session_timeout => $session_timeout, - # security_roles_array_enabled => $security_roles_array_enabled, - # security_roles_array => $security_roles_array, - # require => Class['rundeck::install'], - # } - } else { - notify { 'test': - message => 'Dont add web', - } - } - - # if !empty($kerberos_realms) { - # file { "${properties_dir}/krb5.conf": - # owner => $user, - # group => $group, - # mode => '0640', - # content => template('rundeck/krb5.conf.erb'), - # require => File[$properties_dir], - # } - # } } diff --git a/manifests/config/global/web.pp b/manifests/config/global/web.pp deleted file mode 100644 index 8577cabb0..000000000 --- a/manifests/config/global/web.pp +++ /dev/null 
@@ -1,55 +0,0 @@ -# @summary This class will manage the application's web.xml. -# -# Currently only manages the required for any user to login and session timout: -# http://rundeck.org/docs/administration/authenticating-users.html#security-role -# http://rundeck.org/docs/administration/configuration-file-reference.html#session-timeout -# -# @param security_role -# Name of role that is required for all users to be allowed access. -# @param session_timeout -# Session timeout is an expired time limit for a logged in Rundeck GUI user which as been inactive for a period of time. -# @param security_roles_array_enabled -# Boolen value if you want to have more roles in web.xml -# @param security_roles_array -# Array value if you set the value 'security_roles_array_enabled' to true. -# -class rundeck::config::global::web ( - String[1] $security_role = $rundeck::params::security_role, - Integer[0] $session_timeout = $rundeck::params::session_timeout, - Boolean $security_roles_array_enabled = $rundeck::params::security_roles_array_enabled, - Array $security_roles_array = $rundeck::params::security_roles_array, - Stdlib::Absolutepath $web_xml = "${rundeck::home_dir}/exp/webapp/WEB-INF/web.xml" -) inherits rundeck::params { - if $security_roles_array_enabled { - rundeck::config::securityroles { $security_roles_array: } - } - else { - augeas { 'rundeck/web.xml/security-role/role-name': - lens => 'Xml.lns', - incl => $rundeck::params::web_xml, - changes => ["set web-app/security-role/role-name/#text '${security_role}'"], - } - } - - augeas { 'rundeck/web.xml/session-config/session-timeout': - lens => 'Xml.lns', - incl => $rundeck::params::web_xml, - changes => ["set web-app/session-config/session-timeout/#text '${session_timeout}'"], - } - - if $rundeck::preauthenticated_config['enabled'] { - augeas { 'rundeck/web.xml/security-constraint/auth-constraint': - lens => 'Xml.lns', - incl => $rundeck::params::web_xml, - changes => ['rm web-app/security-constraint/auth-constraint'], - } 
- } - else { - augeas { 'rundeck/web.xml/security-constraint/auth-constraint/role-name': - lens => 'Xml.lns', - incl => $rundeck::params::web_xml, - changes => ["set web-app/security-constraint[last()+1]/auth-constraint/role-name/#text '*'"], - onlyif => 'match web-app/security-constraint/auth-constraint/role-name size == 0', - } - } -} diff --git a/manifests/config/resource/securityroles.pp b/manifests/config/resource/securityroles.pp deleted file mode 100644 index 7d774bf8e..000000000 --- a/manifests/config/resource/securityroles.pp +++ /dev/null @@ -1,14 +0,0 @@ -# -# Author: Zoltan Lanyi -# Date : 03.06.2016 -# -define rundeck::config::resource::securityroles ( - Stdlib::Absolutepath $web_xml = "${rundeck::home_dir}/exp/webapp/WEB-INF/web.xml" -) { - augeas { "rundeck/web.xml/security-role/role-name/${name}": - lens => 'Xml.lns', - incl => $web_xml, - onlyif => "match web-app/security-role/role-name[#text = '${name}'] size == 0", - changes => ["set web-app/security-role/#text[last()] '\t\t'", "set web-app/security-role/role-name[last()+1]/#text '${name}'", "set web-app/security-role/#text[last()+1] '\t'"], - } -} diff --git a/manifests/init.pp b/manifests/init.pp index 939a96cc5..baf4c0da0 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -24,8 +24,6 @@ # Set the home directory of java. # @param jvm_args # Extra arguments for the JVM. -# @param kerberos_realms -# A hash of mappings between Kerberos domain DNS names and realm names # @param key_storage_config # An array with hashes of properties for customizing the [Rundeck Key Storage](https://docs.rundeck.com/docs/manual/key-storage/key-storage.html) # @param keystore 
@@ -71,8 +69,6 @@ # Boolean value if set to true enables RSS feeds that are public (non-authenticated) # @param security_config # A hash of the rundeck security configuration. -# @param security_role -# Name of the role that is required for all users to be allowed access. # @param server_web_context # Web context path to use, such as "/rundeck". http://host.domain:port/server_web_context # @param service_name @@ -85,8 +81,6 @@ # Allows you to use your own override template instead to config rundeckd init script. # @param service_script # Allows you to use your own override template instead of the default from the package maintainer for rundeckd init script. -# @param session_timeout -# Session timeout is an expired time limit for a logged in Rundeck GUI user which as been inactive for a period of time. # @param ssl_enabled # Enable ssl for the rundeck web application. # @param ssl_port @@ -107,10 +101,6 @@ # If you want to have always the same user id. Eg. because of the NFS share. # @param group_id # If you want to have always the same group id. Eg. because of the NFS share. -# @param security_roles_array_enabled -# Boolean value if you need more roles. false or true (default is false). -# @param security_roles_array -# Array value if you need more roles and you set true the "security_roles_array_enabled" value. # @param key_storage_encrypt_config # Hash containing the necessary values to configure a plugin for key storage encryption. # https://docs.rundeck.com/docs/administration/configuration/plugins/configuring.html#storage-converter-plugins @@ -142,7 +132,6 @@ Hash $gui_config = {}, Optional[Stdlib::Absolutepath] $java_home = undef, String $jvm_args = '-Xmx1024m -Xms256m -server', - Optional[Hash] $kerberos_realms = undef, Rundeck::Mail_config $mail_config = {}, Hash $security_config = {}, 
@@ -161,9 +150,7 @@ String $log_properties_template = 'rundeck/log4j2.properties.epp', Boolean $rss_enabled = false, - String $security_role = 'user', Optional[String] $server_web_context = undef, - Integer $session_timeout = 30, Boolean $ssl_enabled = false, Stdlib::Port $ssl_port = 4443, @@ -175,8 +162,6 @@ Stdlib::Absolutepath $truststore = '/etc/rundeck/ssl/truststore', String $truststore_password = 'adminadmin', - Boolean $security_roles_array_enabled = false, - Array $security_roles_array = [], Hash $key_storage_encrypt_config = {}, # Service config String $service_name = 'rundeckd', diff --git a/spec/defines/config/securityroles_spec.rb b/spec/defines/config/securityroles_spec.rb deleted file mode 100644 index 8f13104b4..000000000 --- a/spec/defines/config/securityroles_spec.rb +++ /dev/null @@ -1,34 +0,0 @@ -# frozen_string_literal: true - -require 'spec_helper' - -describe 'rundeck::config::securityroles', type: :define do - on_supported_os.each do |os, os_facts| - context "on #{os}" do - let(:facts) do - os_facts.merge( - serialnumber: 0, - rundeck_version: '' - ) - end - - describe 'with array parameters' do - let(:title) { 'source one' } - let(:params) do - { - 'package_ensure' => 'latest', - 'security_roles_array_enabled' => true - } - end - - security_roles_array = %w[devops roots] - - security_roles_array.each do |roles| - it "augeas with param: #{roles}" do - contain_augeas('rundeck/web.xml/security-role/role-name').with_changes(["set web-app/security-role/role-name/#text '#{roles}'"]) - end - end - end - end - end -end diff --git a/spec/fixtures/files/override.template b/spec/fixtures/files/override.template deleted file mode 100644 index d0f8a935b..000000000 --- a/spec/fixtures/files/override.template +++ /dev/null @@ -1 +0,0 @@ -test override template diff --git a/spec/fixtures/files/profile.template b/spec/fixtures/files/profile.template deleted file mode 100644 index 0e90314fb..000000000 --- a/spec/fixtures/files/profile.template +++ /dev/null 
@@ -1 +0,0 @@ -test template diff --git a/templates/krb5.conf.erb b/templates/krb5.conf.erb deleted file mode 100644 index 677f97ac7..000000000 --- a/templates/krb5.conf.erb +++ /dev/null @@ -1,11 +0,0 @@ -[realms] -<%- @kerberos_realms.each do |domain, realm| -%> - <%= realm %> = { - kdc = <%= domain %> - } -<%- end -%> - -[domain_realm] -<%- @kerberos_realms.each do |domain, realm| -%> - <%= domain %> = <%= realm %> -<%- end -%> \ No newline at end of file diff --git a/templates/profile_overrides.epp b/templates/profile_overrides.epp index a2ee36c6a..31eb16aa6 100644 --- a/templates/profile_overrides.epp +++ b/templates/profile_overrides.epp @@ -16,10 +16,6 @@ RDECK_HTTPS_PORT=<%= $rundeck::ssl_port %> RDECK_JVM_SETTINGS="$RDECK_JVM_SETTINGS -Dserver.web.context=<%= $rundeck::server_web_context %>" <% } -%> -<% if $rundeck::kerberos_realms { -%> -RDECK_JVM_SETTINGS="$RDECK_JVM_SETTINGS -Djava.security.krb5.conf=$RDECK_CONFIG/krb5.conf" -<% } -%> - <% if $rundeck::java_home { %> JAVA_HOME=<%= $rundeck::java_home %> <% } %> From 7a59f4656b7a7e5674803daeddd5d4c732bd8eab Mon Sep 17 00:00:00 2001 From: Joris29 Date: Wed, 22 Nov 2023 13:43:37 +0100 Subject: [PATCH 50/82] Update init.pp --- manifests/init.pp | 114 +++++++++++++++++++++------------------------- 1 file changed, 52 insertions(+), 62 deletions(-) diff --git a/manifests/init.pp b/manifests/init.pp index baf4c0da0..d1c87e598 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
@@ -108,69 +108,59 @@ # The maximum number of threads used by Rundeck for concurrent jobs by default is set to 10. # class rundeck ( - Array[Hash] $admin_policies, - Array[Hash] $api_policies, - Rundeck::Auth_config $auth_config, - Rundeck::Db_config $database_config, - Hash $framework_config, - Array[Hash] $key_storage_config, # Create type? - Stdlib::Absolutepath $override_dir, - Hash $repo_config, - Boolean $manage_repo = true, - String $package_ensure = 'installed', - Boolean $manage_home = true, - String $user = 'rundeck', - String $group = 'rundeck', - Boolean $manage_user = false, - Boolean $manage_group = false, - Optional[Integer] $user_id = undef, - Optional[Integer] $group_id = undef, + Array[Hash] $admin_policies, + Array[Hash] $api_policies, + Rundeck::Auth_config $auth_config, + Rundeck::Db_config $database_config, + Hash $framework_config, + Array[Hash] $key_storage_config, + Stdlib::Absolutepath $override_dir, + Hash $repo_config, + Boolean $manage_repo = true, + String $package_ensure = 'installed', + Boolean $manage_home = true, + String $user = 'rundeck', + String $group = 'rundeck', + Boolean $manage_user = false, + Boolean $manage_group = false, + Optional[Integer] $user_id = undef, + Optional[Integer] $group_id = undef, + Boolean $clustermode_enabled = false, + Enum['active', 'passive'] $execution_mode = 'active', + Optional[Stdlib::Absolutepath] $java_home = undef, + String $jvm_args = '-Xmx1024m -Xms256m -server', + Integer $quartz_job_threadcount = 10, + Hash $gui_config = {}, + Rundeck::Mail_config $mail_config = {}, + Hash $security_config = {}, + Hash $preauthenticated_config = {}, + Hash $key_storage_encrypt_config = {}, + Boolean $manage_default_admin_policy = true, + Boolean $manage_default_api_policy = true, + Rundeck::Loglevel $app_log_level = 'info', + Rundeck::Loglevel $audit_log_level = 'info', + String $config_template = 'rundeck/rundeck-config.properties.epp', + String $override_template = 'rundeck/profile_overrides.epp', + 
String $realm_template = 'rundeck/realm.properties.epp', + String $acl_template = 'rundeck/aclpolicy.erb', + String $log_properties_template = 'rundeck/log4j2.properties.epp', + Boolean $rss_enabled = false, + Optional[String] $server_web_context = undef, + Boolean $ssl_enabled = false, + Stdlib::Port $ssl_port = 4443, + Stdlib::Absolutepath $ssl_certificate = '/etc/rundeck/ssl/rundeck.crt', + Stdlib::Absolutepath $ssl_private_key = '/etc/rundeck/ssl/rundeck.key', + Optional[String] $key_password = undef, + Stdlib::Absolutepath $keystore = '/etc/rundeck/ssl/keystore', + String $keystore_password = 'adminadmin', + Stdlib::Absolutepath $truststore = '/etc/rundeck/ssl/truststore', + String $truststore_password = 'adminadmin', + String $service_name = 'rundeckd', + Enum['stopped', 'running'] $service_ensure = 'running', + Stdlib::Absolutepath $service_logs_dir = '/var/log/rundeck', + Optional[String] $service_config = undef, + Optional[String] $service_script = undef, - Boolean $clustermode_enabled = false, - Enum['active', 'passive'] $execution_mode = 'active', - - Hash $gui_config = {}, - Optional[Stdlib::Absolutepath] $java_home = undef, - String $jvm_args = '-Xmx1024m -Xms256m -server', - - Rundeck::Mail_config $mail_config = {}, - Hash $security_config = {}, - Hash $preauthenticated_config = {}, - - Boolean $manage_default_admin_policy = true, - Boolean $manage_default_api_policy = true, - # Log config - Rundeck::Loglevel $app_log_level = 'info', - Rundeck::Loglevel $audit_log_level = 'info', - # Template config - String $config_template = 'rundeck/rundeck-config.properties.epp', - String $override_template = 'rundeck/profile_overrides.epp', - String $realm_template = 'rundeck/realm.properties.epp', - String $acl_template = 'rundeck/aclpolicy.erb', - String $log_properties_template = 'rundeck/log4j2.properties.epp', - - Boolean $rss_enabled = false, - Optional[String] $server_web_context = undef, - - Boolean $ssl_enabled = false, - Stdlib::Port $ssl_port = 4443, - 
Stdlib::Absolutepath $ssl_certificate = '/etc/rundeck/ssl/rundeck.crt', - Stdlib::Absolutepath $ssl_private_key = '/etc/rundeck/ssl/rundeck.key', - Optional[String] $key_password = undef, - Stdlib::Absolutepath $keystore = '/etc/rundeck/ssl/keystore', - String $keystore_password = 'adminadmin', - Stdlib::Absolutepath $truststore = '/etc/rundeck/ssl/truststore', - String $truststore_password = 'adminadmin', - - Hash $key_storage_encrypt_config = {}, - # Service config - String $service_name = 'rundeckd', - Enum['stopped', 'running'] $service_ensure = 'running', - Stdlib::Absolutepath $service_logs_dir = '/var/log/rundeck', - Optional[String] $service_config = undef, - Optional[String] $service_script = undef, - - Integer $quartz_job_threadcount = 10, ) { validate_rd_policy($admin_policies) validate_rd_policy($api_policies) From b6147a90e0a779fbc5a9680887da5b53f89770c8 Mon Sep 17 00:00:00 2001 From: Joris29 Date: Wed, 22 Nov 2023 13:46:03 +0100 Subject: [PATCH 51/82] Move resources and update ref --- REFERENCE.md | 44 +++++++++---------- manifests/config.pp | 4 +- .../config/{resource => }/aclpolicyfile.pp | 4 +- manifests/config/framework.pp | 5 ++- manifests/config/{resource => }/plugin.pp | 4 +- 5 files changed, 31 insertions(+), 30 deletions(-) rename manifests/config/{resource => }/aclpolicyfile.pp (95%) rename manifests/config/{resource => }/plugin.pp (91%) diff --git a/REFERENCE.md b/REFERENCE.md index 395948caf..0edeb7e98 100644 --- a/REFERENCE.md +++ b/REFERENCE.md 
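Review bot: `$key_password`, `$keystore_password` and `$truststore_password` stay typed as plain `String`/`Optional[String]` with the literal default `'adminadmin'`, so the values appear verbatim in the compiled catalog and in anything that echoes class parameters; consider `Variant[String, Sensitive[String]]` for the three (the templates interpolating them would then call `unwrap`). Independently of the type, the `@param` entries (outside this hunk) should state that `'adminadmin'` is a placeholder to be overridden - I cannot tell from here whether it matches the keystore shipped with the Rundeck package. The reorder also drops the `# Log config` / `# Template config` / `# Service config` group comments, which were the only structure in a sixty-line parameter list. The class body continues past the end of this hunk.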
@@ -21,8 +21,8 @@ ### Defined types -* [`rundeck::config::resource::aclpolicyfile`](#rundeck--config--resource--aclpolicyfile): This define will create a custom acl policy file. -* [`rundeck::config::resource::plugin`](#rundeck--config--resource--plugin): This define will install a rundeck plugin. +* [`rundeck::config::aclpolicyfile`](#rundeck--config--aclpolicyfile): This define will create a custom acl policy file. +* [`rundeck::config::plugin`](#rundeck--config--plugin): This define will install a rundeck plugin. ### Functions @@ -505,7 +505,7 @@ Data type: `Stdlib::Absolutepath` ## Defined types -### `rundeck::config::resource::aclpolicyfile` +### `rundeck::config::aclpolicyfile` This define will create a custom acl policy file. @@ -514,7 +514,7 @@ This define will create a custom acl policy file. ##### Admin access. ```puppet -rundeck::config::resource::aclpolicyfile { 'myPolicyFile': +rundeck::config::aclpolicyfile { 'myPolicyFile': acl_policies => [ { 'description' => 'Admin, all access', 
@@ -555,21 +555,21 @@ rundeck::config::resource::aclpolicyfile { 'myPolicyFile': #### Parameters -The following parameters are available in the `rundeck::config::resource::aclpolicyfile` defined type: +The following parameters are available in the `rundeck::config::aclpolicyfile` defined type: -* [`acl_policies`](#-rundeck--config--resource--aclpolicyfile--acl_policies) -* [`group`](#-rundeck--config--resource--aclpolicyfile--group) -* [`owner`](#-rundeck--config--resource--aclpolicyfile--owner) -* [`properties_dir`](#-rundeck--config--resource--aclpolicyfile--properties_dir) -* [`template_file`](#-rundeck--config--resource--aclpolicyfile--template_file) +* [`acl_policies`](#-rundeck--config--aclpolicyfile--acl_policies) +* [`group`](#-rundeck--config--aclpolicyfile--group) +* [`owner`](#-rundeck--config--aclpolicyfile--owner) +* [`properties_dir`](#-rundeck--config--aclpolicyfile--properties_dir) +* [`template_file`](#-rundeck--config--aclpolicyfile--template_file) -##### `acl_policies` +##### `acl_policies` Data type: `Array[Hash]` An array of hashes containing acl policies. See example. -##### `group` +##### `group` Data type: `String` @@ -577,7 +577,7 @@ The group permission that rundeck is installed as. Default value: `'rundeck'` -##### `owner` +##### `owner` Data type: `String` @@ -585,7 +585,7 @@ The user that rundeck is installed as. Default value: `'rundeck'` -##### `properties_dir` +##### `properties_dir` Data type: `Stdlib::Absolutepath` @@ -593,7 +593,7 @@ The rundeck configuration directory. Default value: `'/etc/rundeck'` -##### `template_file` +##### `template_file` Data type: `String` @@ -601,7 +601,7 @@ The template used for acl policy. Default is rundeck/aclpolicy.erb Default value: `"${module_name}/aclpolicy.erb"` -### `rundeck::config::resource::plugin` +### `rundeck::config::plugin` This define will install a rundeck plugin. 
@@ -610,19 +610,19 @@ This define will install a rundeck plugin. ##### Basic usage. ```puppet -rundeck::config::resource::plugin { 'rundeck-hipchat-plugin-1.0.0.jar': +rundeck::config::plugin { 'rundeck-hipchat-plugin-1.0.0.jar': source => 'http://search.maven.org/remotecontent?filepath=com/hbakkum/rundeck/plugins/rundeck-hipchat-plugin/1.0.0/rundeck-hipchat-plugin-1.0.0.jar', } ``` #### Parameters -The following parameters are available in the `rundeck::config::resource::plugin` defined type: +The following parameters are available in the `rundeck::config::plugin` defined type: -* [`ensure`](#-rundeck--config--resource--plugin--ensure) -* [`source`](#-rundeck--config--resource--plugin--source) +* [`ensure`](#-rundeck--config--plugin--ensure) +* [`source`](#-rundeck--config--plugin--source) -##### `ensure` +##### `ensure` Data type: `Enum['present', 'absent']` @@ -630,7 +630,7 @@ Set present or absent to add or remove the plugin Default value: `'present'` -##### `source` +##### `source` Data type: `String` diff --git a/manifests/config.pp b/manifests/config.pp index c8bc2e9a9..748ce906b 100644 --- a/manifests/config.pp +++ b/manifests/config.pp @@ -44,7 +44,7 @@ } if $rundeck::manage_default_admin_policy { - rundeck::config::resource::aclpolicyfile { 'admin': + rundeck::config::aclpolicyfile { 'admin': acl_policies => $rundeck::admin_policies, owner => $rundeck::user, group => $rundeck::group, @@ -54,7 +54,7 @@ } if $rundeck::manage_default_api_policy { - rundeck::config::resource::aclpolicyfile { 'apitoken': + rundeck::config::aclpolicyfile { 'apitoken': acl_policies => $rundeck::api_policies, owner => $rundeck::user, group => $rundeck::group, diff --git a/manifests/config/resource/aclpolicyfile.pp b/manifests/config/aclpolicyfile.pp similarity index 95% rename from manifests/config/resource/aclpolicyfile.pp rename to manifests/config/aclpolicyfile.pp index 08174c986..e933b0558 100644 --- a/manifests/config/resource/aclpolicyfile.pp 
+++ b/manifests/config/aclpolicyfile.pp @@ -1,7 +1,7 @@ # @summary This define will create a custom acl policy file. # # @example Admin access. -# rundeck::config::resource::aclpolicyfile { 'myPolicyFile': +# rundeck::config::aclpolicyfile { 'myPolicyFile': # acl_policies => [ # { # 'description' => 'Admin, all access', @@ -50,7 +50,7 @@ # @param template_file # The template used for acl policy. Default is rundeck/aclpolicy.erb # -define rundeck::config::resource::aclpolicyfile ( +define rundeck::config::aclpolicyfile ( Array[Hash] $acl_policies, String $group = 'rundeck', String $owner = 'rundeck', diff --git a/manifests/config/framework.pp b/manifests/config/framework.pp index 9909ddbdc..6a216917b 100644 --- a/manifests/config/framework.pp +++ b/manifests/config/framework.pp @@ -16,10 +16,11 @@ $_server_uuid = { 'rundeck.server.uuid' => fqdn_uuid($facts['networking']['fqdn']) } - $_framework_config = deep_merge($rundeck::config::framework_config, $_server_uuid, $_ssl_config) + $_framework_config = deep_merge($rundeck::config::framework_config, $_server_uuid) + $_final_framework_config = deep_merge($_ssl_config, $_framework_config, { 'strategy' => 'first' }) # TODO: Test ssl_config merge file { "${rundeck::config::properties_dir}/framework.properties": ensure => file, - content => epp('rundeck/framework.properties.epp', { _framework_config => $_framework_config }), + content => epp('rundeck/framework.properties.epp', { _framework_config => $_final_framework_config }), } } diff --git a/manifests/config/resource/plugin.pp b/manifests/config/plugin.pp similarity index 91% rename from manifests/config/resource/plugin.pp rename to manifests/config/plugin.pp index 78ee31651..9b25539cb 100644 --- a/manifests/config/resource/plugin.pp +++ b/manifests/config/plugin.pp 
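Review bot: `deep_merge($_ssl_config, $_framework_config, { 'strategy' => 'first' })` in framework.pp hands the options hash to `deep_merge` as a third hash to merge, so as far as I know stdlib will simply add a `strategy=first` key to the rendered framework.properties instead of changing precedence; the `TODO` on that line suggests this was not yet verified. If the intent is that user-supplied `framework_config` wins over the derived SSL values, argument order alone does that: `$_framework_config = deep_merge($_ssl_config, $rundeck::config::framework_config, $_server_uuid)`. The assignment of `$_ssl_config` is outside this hunk, so whether it is defined on the non-SSL path cannot be checked here.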
@@ -1,7 +1,7 @@ # @summary This define will install a rundeck plugin. # # @example Basic usage. -# rundeck::config::resource::plugin { 'rundeck-hipchat-plugin-1.0.0.jar': +# rundeck::config::plugin { 'rundeck-hipchat-plugin-1.0.0.jar': # source => 'http://search.maven.org/remotecontent?filepath=com/hbakkum/rundeck/plugins/rundeck-hipchat-plugin/1.0.0/rundeck-hipchat-plugin-1.0.0.jar', # } # @@ -10,7 +10,7 @@ # @param source # The http source or local path from which to get the plugin. # -define rundeck::config::resource::plugin ( +define rundeck::config::plugin ( String $source, Enum['present', 'absent'] $ensure = 'present', ) { From 0502f1970c34111e87ae47b6bc093411cb22efcd Mon Sep 17 00:00:00 2001 From: Joris29 Date: Thu, 23 Nov 2023 08:30:13 +0100 Subject: [PATCH 52/82] Fix ssl framework options --- REFERENCE.md | 9 --------- manifests/config/framework.pp | 9 ++++----- manifests/init.pp | 4 +++- templates/profile_overrides.epp | 1 - templates/rundeck-config.properties.epp | 2 +- 5 files changed, 8 insertions(+), 17 deletions(-) diff --git a/REFERENCE.md b/REFERENCE.md index 0edeb7e98..025af2855 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -86,7 +86,6 @@ The following parameters are available in the `rundeck` class: * [`service_config`](#-rundeck--service_config) * [`service_script`](#-rundeck--service_script) * [`ssl_enabled`](#-rundeck--ssl_enabled) -* [`ssl_port`](#-rundeck--ssl_port) * [`truststore`](#-rundeck--truststore) * [`truststore_password`](#-rundeck--truststore_password) * [`user`](#-rundeck--user) @@ -408,14 +407,6 @@ Enable ssl for the rundeck web application. Default value: `false` -##### `ssl_port` - -Data type: `Stdlib::Port` - -Ssl port of the rundeck web application (default to '4443'). - -Default value: `4443` - ##### `truststore` Data type: `Stdlib::Absolutepath` diff --git a/manifests/config/framework.pp b/manifests/config/framework.pp index 6a216917b..27d965f75 100644 --- a/manifests/config/framework.pp 
+++ b/manifests/config/framework.pp @@ -6,21 +6,20 @@ assert_private() if $rundeck::ssl_enabled { - $_ssl_conig = { + $_framework_ssl_config = { 'framework.server.port' => $rundeck::ssl_port, 'framework.server.url' => "https://${rundeck::config::framework_config['framework.server.name']}:${rundeck::ssl_port}", } } else { - $_ssl_config = {} + $_framework_ssl_config = {} } $_server_uuid = { 'rundeck.server.uuid' => fqdn_uuid($facts['networking']['fqdn']) } - $_framework_config = deep_merge($rundeck::config::framework_config, $_server_uuid) - $_final_framework_config = deep_merge($_ssl_config, $_framework_config, { 'strategy' => 'first' }) # TODO: Test ssl_config merge + $_framework_config = deep_merge($rundeck::config::framework_config, $_server_uuid, $_framework_ssl_config) file { "${rundeck::config::properties_dir}/framework.properties": ensure => file, - content => epp('rundeck/framework.properties.epp', { _framework_config => $_final_framework_config }), + content => epp('rundeck/framework.properties.epp', { _framework_config => $_framework_config }), } } diff --git a/manifests/init.pp b/manifests/init.pp index d1c87e598..0cb5efc11 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -81,6 +81,8 @@ # Allows you to use your own override template instead to config rundeckd init script. # @param service_script # Allows you to use your own override template instead of the default from the package maintainer for rundeckd init script. +# @param grails_server_url +# Sets `grails.serverURL` so that Rundeck knows its external address. # @param ssl_enabled # Enable ssl for the rundeck web application. # @param ssl_port @@ -125,6 +127,7 @@ Boolean $manage_group = false, Optional[Integer] $user_id = undef, Optional[Integer] $group_id = undef, + Stdlib::HTTPUrl $grails_server_url = "http://${facts['networking']['fqdn']}:4440", Boolean $clustermode_enabled = false, Enum['active', 'passive'] $execution_mode = 'active', Optional[Stdlib::Absolutepath] $java_home = undef, 
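Review bot: Merging `$_framework_ssl_config` last in `deep_merge($rundeck::config::framework_config, $_server_uuid, $_framework_ssl_config)` means the derived `framework.server.port` and `framework.server.url` silently override any value a user put in `framework_config` whenever `ssl_enabled` is true; that precedence is not documented anywhere visible. Suggest a comment on the merge line: `# SSL-derived port/url intentionally win over framework_config when ssl_enabled is true`. The url is built from `$rundeck::config::framework_config['framework.server.name']`, so a `framework_config` without that key would presumably render `https://:<port>`; the only place the key is seen to be provided is the Hiera default, so a guard or a note is worthwhile.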
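Review bot: `Stdlib::HTTPUrl $grails_server_url = "http://${facts['networking']['fqdn']}:4440"` is plain http on 4440 regardless of `$ssl_enabled` and `$ssl_port`, and the rundeck-config.properties.epp hunk later in this commit now writes it verbatim to `grails.serverURL`; with SSL enabled and the default left alone Rundeck would presumably advertise an http address for its own links and redirects. Since `$ssl_enabled` and `$ssl_port` are declared after this parameter, the default cannot reference them directly; either derive the effective value in the class body or state it in the `@param` doc: `#   When ssl_enabled is true this must be set to the https address; the default is always plain http on port 4440.`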
@@ -160,7 +163,6 @@ Stdlib::Absolutepath $service_logs_dir = '/var/log/rundeck', Optional[String] $service_config = undef, Optional[String] $service_script = undef, - ) { validate_rd_policy($admin_policies) validate_rd_policy($api_policies) diff --git a/templates/profile_overrides.epp b/templates/profile_overrides.epp index 31eb16aa6..994bbe9a6 100644 --- a/templates/profile_overrides.epp +++ b/templates/profile_overrides.epp @@ -9,7 +9,6 @@ RDECK_JVM_SETTINGS="<%= $rundeck::jvm_args %>" <% if $rundeck::ssl_enabled { -%> RUNDECK_WITH_SSL=true -RDECK_HTTPS_PORT=<%= $rundeck::ssl_port %> <% } -%> <% if $rundeck::server_web_context { -%> diff --git a/templates/rundeck-config.properties.epp b/templates/rundeck-config.properties.epp index 75eb7acce..71b99b6c2 100644 --- a/templates/rundeck-config.properties.epp +++ b/templates/rundeck-config.properties.epp @@ -3,7 +3,7 @@ rdeck.base = <%= $rundeck::config::base_dir %> rss.enabled = <%= $rundeck::rss_enabled %> -grails.serverURL = <%= $rundeck::config::framework_config['framework.server.url'] %> +grails.serverURL = <%= $rundeck::grails_server_url %> rundeck.clusterMode.enabled = <%= $rundeck::clustermode_enabled %> rundeck.executionMode = <%= $rundeck::execution_mode %> From dabc014c1ad56666c029f8b6d2d32b189005a232 Mon Sep 17 00:00:00 2001 From: Joris29 Date: Thu, 23 Nov 2023 09:27:48 +0100 Subject: [PATCH 53/82] Add ssl port --- templates/profile_overrides.epp | 1 + 1 file changed, 1 insertion(+) diff --git a/templates/profile_overrides.epp b/templates/profile_overrides.epp index 994bbe9a6..31eb16aa6 100644 --- a/templates/profile_overrides.epp +++ b/templates/profile_overrides.epp @@ -9,6 +9,7 @@ RDECK_JVM_SETTINGS="<%= $rundeck::jvm_args %>" <% if $rundeck::ssl_enabled { -%> RUNDECK_WITH_SSL=true +RDECK_HTTPS_PORT=<%= $rundeck::ssl_port %> <% } -%> <% if $rundeck::server_web_context { -%> From 1b7425ab77921c0636cdee845581b2a692f5146e Mon Sep 17 00:00:00 2001 
From: Joris29 Date: Thu, 23 Nov 2023 10:10:37 +0100 Subject: [PATCH 54/82] Use http port instead of https --- templates/profile_overrides.epp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/profile_overrides.epp b/templates/profile_overrides.epp index 31eb16aa6..dff93c24b 100644 --- a/templates/profile_overrides.epp +++ b/templates/profile_overrides.epp @@ -9,7 +9,7 @@ RDECK_JVM_SETTINGS="<%= $rundeck::jvm_args %>" <% if $rundeck::ssl_enabled { -%> RUNDECK_WITH_SSL=true -RDECK_HTTPS_PORT=<%= $rundeck::ssl_port %> +RDECK_HTTP_PORT=<%= $rundeck::ssl_port %> <% } -%> <% if $rundeck::server_web_context { -%> From 2192c3de9db498dcd6219c402087bcfdededf03b Mon Sep 17 00:00:00 2001 From: Joris29 Date: Thu, 23 Nov 2023 10:59:02 +0100 Subject: [PATCH 55/82] Update profile overrides --- data/common.yaml | 6 +----- spec/classes/config/global/framework_spec.rb | 4 ---- templates/profile_overrides.epp | 15 ++++++++------- 3 files changed, 9 insertions(+), 16 deletions(-) diff --git a/data/common.yaml b/data/common.yaml index bcfd0cb6e..a7d12fd70 100644 --- a/data/common.yaml +++ b/data/common.yaml @@ -107,15 +107,11 @@ rundeck::auth_config: auth_users: {} rundeck::framework_config: - framework.server.name: "%{facts.networking.fqdn}" framework.server.hostname: "%{facts.networking.hostname}" + framework.server.name: "%{facts.networking.fqdn}" framework.server.port: '4440' framework.server.url: "http://%{facts.networking.fqdn}:4440" - framework.projects.dir: '/var/lib/rundeck/projects' framework.etc.dir: '/etc/rundeck' - framework.var.dir: '/var/lib/rundeck/var' - framework.tmp.dir: '/var/lib/rundeck/var/tmp' - framework.logs.dir: '/var/lib/rundeck/logs' framework.libext.dir: '/var/lib/rundeck/libext' framework.ssh.keypath: '/var/lib/rundeck/.ssh/id_rsa' framework.ssh.user: 'rundeck' diff --git a/spec/classes/config/global/framework_spec.rb b/spec/classes/config/global/framework_spec.rb index ab0385c6e..c95831ec1 100644 
--- a/spec/classes/config/global/framework_spec.rb +++ b/spec/classes/config/global/framework_spec.rb @@ -19,11 +19,7 @@ 'framework.server.url' => 'http://foo.example.com:4440', 'framework.server.username' => 'admin', 'framework.server.password' => 'admin', - 'framework.projects.dir' => '/var/lib/rundeck/projects', 'framework.etc.dir' => '/etc/rundeck', - 'framework.var.dir' => '/var/lib/rundeck/var', - 'framework.tmp.dir' => '/var/lib/rundeck/var/tmp', - 'framework.logs.dir' => '/var/lib/rundeck/logs', 'framework.libext.dir' => '/var/lib/rundeck/libext', 'framework.ssh.keypath' => '/var/lib/rundeck/.ssh/id_rsa', 'framework.ssh.user' => 'rundeck', diff --git a/templates/profile_overrides.epp b/templates/profile_overrides.epp index dff93c24b..ac6e4569a 100644 --- a/templates/profile_overrides.epp +++ b/templates/profile_overrides.epp 
@@ -1,19 +1,20 @@ -RDECK_BASE=<%= $rundeck::config::base_dir %> -RDECK_CONFIG=<%= $rundeck::config::properties_dir %> -RDECK_CONFIG_FILE="<%= $rundeck::config::properties_dir %>/rundeck-config.properties" -RDECK_INSTALL=<%= $rundeck::config::base_dir %> -JAAS_CONF=$RDECK_CONFIG/jaas-loginmodule.conf +RDECK_BASE="<%= $rundeck::config::base_dir %>" +RDECK_CONFIG="<%= $rundeck::config::properties_dir %>" +RDECK_CONFIG_FILE="${RDECK_CONFIG}/rundeck-config.properties" +RDECK_INSTALL="${RDECK_BASE}" LOGIN_MODULE=authentication JAVA_CMD=java RDECK_JVM_SETTINGS="<%= $rundeck::jvm_args %>" <% if $rundeck::ssl_enabled { -%> -RUNDECK_WITH_SSL=true RDECK_HTTP_PORT=<%= $rundeck::ssl_port %> +RDECK_JVM_SETTINGS="$RDECK_JVM_SETTINGS -Drundeck.ssl.config=${RDECK_CONFIG}/ssl/ssl.properties" +<% } else { -%> +RDECK_HTTP_PORT=<%= $rundeck::config::framework_config['framework.server.port'] %> <% } -%> <% if $rundeck::server_web_context { -%> -RDECK_JVM_SETTINGS="$RDECK_JVM_SETTINGS -Dserver.web.context=<%= $rundeck::server_web_context %>" +RDECK_JVM_SETTINGS="$RDECK_JVM_SETTINGS -Dserver.servlet.context-path=<%= $rundeck::server_web_context %>" <% } -%> <% if $rundeck::java_home { %> From 7e98ad79b378fb499848aeda49a7d48b506f14a9 Mon Sep 17 00:00:00 2001 From: Joris29 Date: Thu, 23 Nov 2023 11:50:39 +0100 Subject: [PATCH 56/82] Update plugin code --- REFERENCE.md | 36 ++++++++++++++++++++++ data/common.yaml | 2 +- manifests/config/plugin.pp | 40 ++++++++++--------------- templates/rundeck-config.properties.epp | 17 ++++++++--- 4 files changed, 66 insertions(+), 29 deletions(-) diff --git a/REFERENCE.md b/REFERENCE.md index 025af2855..858b19088 100644 --- a/REFERENCE.md +++ b/REFERENCE.md 
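Review bot: `RDECK_JVM_SETTINGS="$RDECK_JVM_SETTINGS -Dserver.servlet.context-path=<%= $rundeck::server_web_context %>"` splices the parameter unquoted and unvalidated into a double-quoted assignment in a file that is evidently sourced as shell (the `$RDECK_JVM_SETTINGS` expansion on the same line), so a value containing `"`, `$`, backticks or whitespace changes the sourced script rather than the context path; the first `RDECK_JVM_SETTINGS="<%= $rundeck::jvm_args %>"` line has the same exposure. The web context is a URL path, so the cleanest guard is at the parameter: `Optional[Pattern[/\A\/[A-Za-z0-9_\-\/]*\z/]] $server_web_context = undef` in init.pp keeps anything but path characters out of this template (`jvm_args` is deliberately free-form and can stay as it is). A header comment such as `# Sourced by the rundeckd profile as shell: every interpolated value must be shell-safe` would make the constraint visible to the next editor. The `JAAS_CONF` line is removed with nothing replacing it, so this presumably relies on the launcher's own default path — worth confirming it matches the file the module writes from `jaas-auth.conf.epp`.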
@@ -85,7 +85,9 @@ The following parameters are available in the `rundeck` class: * [`service_logs_dir`](#-rundeck--service_logs_dir) * [`service_config`](#-rundeck--service_config) * [`service_script`](#-rundeck--service_script) +* [`grails_server_url`](#-rundeck--grails_server_url) * [`ssl_enabled`](#-rundeck--ssl_enabled) +* [`ssl_port`](#-rundeck--ssl_port) * [`truststore`](#-rundeck--truststore) * [`truststore_password`](#-rundeck--truststore_password) * [`user`](#-rundeck--user) @@ -399,6 +401,14 @@ Allows you to use your own override template instead of the default from the pac Default value: `undef` +##### `grails_server_url` + +Data type: `Stdlib::HTTPUrl` + +Sets `grails.serverURL` so that Rundeck knows its external address. + +Default value: `"http://${facts['networking']['fqdn']}:4440"` + ##### `ssl_enabled` Data type: `Boolean` @@ -407,6 +417,14 @@ Enable ssl for the rundeck web application. Default value: `false` +##### `ssl_port` + +Data type: `Stdlib::Port` + +Ssl port of the rundeck web application (default to '4443'). + +Default value: `4443` + ##### `truststore` Data type: `Stdlib::Absolutepath` @@ -612,6 +630,8 @@ The following parameters are available in the `rundeck::config::plugin` defined * [`ensure`](#-rundeck--config--plugin--ensure) * [`source`](#-rundeck--config--plugin--source) +* [`plugins_dir`](#-rundeck--config--plugin--plugins_dir) +* [`proxy_server`](#-rundeck--config--plugin--proxy_server) ##### `ensure` @@ -627,6 +647,22 @@ Data type: `String` The http source or local path from which to get the plugin. +##### `plugins_dir` + +Data type: `Stdlib::Absolutepath` + +Dir where plugins will be installed. + +Default value: `'/var/lib/rundeck/libext'` + +##### `proxy_server` + +Data type: `Optional[Stdlib::HTTPUrl]` + +Get the plugin trough a proxy server. + +Default value: `undef` + ## Functions ### `validate_rd_policy` diff --git a/data/common.yaml b/data/common.yaml index a7d12fd70..e4705fc23 100644 --- a/data/common.yaml 
+++ b/data/common.yaml @@ -107,6 +107,7 @@ rundeck::auth_config: auth_users: {} rundeck::framework_config: + rdeck.base: '/var/lib/rundeck' framework.server.hostname: "%{facts.networking.hostname}" framework.server.name: "%{facts.networking.fqdn}" framework.server.port: '4440' @@ -116,7 +117,6 @@ rundeck::framework_config: framework.ssh.keypath: '/var/lib/rundeck/.ssh/id_rsa' framework.ssh.user: 'rundeck' framework.ssh.timeout: '0' - rdeck.base: '/var/lib/rundeck' rundeck::database_config: url: 'jdbc:h2:file:/var/lib/rundeck/data/rundeckdb' diff --git a/manifests/config/plugin.pp b/manifests/config/plugin.pp index 9b25539cb..b3f87f53e 100644 --- a/manifests/config/plugin.pp +++ b/manifests/config/plugin.pp 
@@ -9,38 +9,30 @@ # Set present or absent to add or remove the plugin # @param source # The http source or local path from which to get the plugin. +# @param plugins_dir +# Directory where plugins will be installed. +# @param proxy_server +# Get the plugin trough a proxy server. # define rundeck::config::plugin ( String $source, - Enum['present', 'absent'] $ensure = 'present', + Enum['present', 'absent'] $ensure = 'present', + Stdlib::Absolutepath $plugins_dir = '/var/lib/rundeck/libext', + Optional[Stdlib::HTTPUrl] $proxy_server = undef, ) { - include rundeck - include archive - - $framework_config = deep_merge($rundeck::params::framework_config, $rundeck::framework_config) - - $user = $rundeck::user - $group = $rundeck::group - $plugin_dir = $framework_config['framework.libext.dir'] + ensure_resource('file', $plugins_dir, { 'ensure' => 'directory', 'mode' => '0755' }) if $ensure == 'present' { archive { "download plugin ${name}": - ensure => present, - source => $source, - path => "${plugin_dir}/${name}", - require => File[$plugin_dir], - before => File["${plugin_dir}/${name}"], - } - - file { "${plugin_dir}/${name}": - mode => '0644', - owner => $user, - group => $group, + ensure => present, + source => $source, + path => "${plugins_dir}/${name}", + proxy_server => $proxy_server, } } - elsif $ensure == 'absent' { - file { "${plugin_dir}/${name}": - ensure => 'absent', - } + + file { "${plugins_dir}/${name}": + ensure => $ensure, + mode => '0644', } } diff --git a/templates/rundeck-config.properties.epp b/templates/rundeck-config.properties.epp index 71b99b6c2..651f56230 100644 --- a/templates/rundeck-config.properties.epp +++ b/templates/rundeck-config.properties.epp 
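Review bot: The `archive` resource downloads `$source` straight into `${plugins_dir}/${name}` with no integrity check, and the define's own example uses a plain `http://` Maven URL; a plugin jar is code loaded into the Rundeck JVM, so a tampered download ends up running under the service account. puppet-archive already supports `checksum` and `checksum_type`, so expose them as optional parameters of the define and pass them through, documenting them with `@param checksum` / `@param checksum_type` next to the existing `@param` lines. Separately, the previous `file` resource set `owner`/`group` to the rundeck user and the new one leaves both unmanaged; root-owned read-only plugins are arguably the better default, but the change is silent and deserves a comment like `# ownership intentionally left to root so the service account cannot replace plugins`.
```puppet
define rundeck::config::plugin (
  # … unchanged: source, ensure, plugins_dir, proxy_server …
  Optional[String] $checksum      = undef,
  Optional[String] $checksum_type = undef,
) {
  # … unchanged: ensure_resource for $plugins_dir …
  if $ensure == 'present' {
    archive { "download plugin ${name}":
      # … unchanged: ensure, source, path, proxy_server …
      checksum      => $checksum,
      checksum_type => $checksum_type,
    }
  }
  # … unchanged: file resource for "${plugins_dir}/${name}" …
```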
@@ -28,6 +28,19 @@ rundeck.storage.provider.<%= $_i+1 %>.config.<%= $_k %> = <%= $_v %> <%- } -%> <%- } -%> +<%- $rundeck::key_storage_encrypt_config.each |$_i, $_cfg| { -%> +rundeck.storage.converter.<%= $_i+1 %>.type = <%= $_cfg['type'] %> +rundeck.storage.converter.<%= $_i+1 %>.path = <%= $_cfg['path'] %> +<%- if $_cfg['resourceSelector'] { -%> +rundeck.storage.converter.<%= $_i+1 %>.resourceSelector = <%= $_cfg['resourceSelector'] %> +<%- } -%> +<%- if $_cfg['config'] { -%> +<%- $_cfg['config'].each |$_k, $_v| { -%> +rundeck.storage.converter.<%= $_i+1 %>.config.<%= $_k %> = <%= $_v %> +<%- } -%> +<%- } -%> +<%- } -%> + <%- $rundeck::mail_config.each |$_k, $_v| {-%> grails.mail.<%= $_k %> = <%= $_v %> <%- } -%> @@ -36,10 +49,6 @@ grails.mail.<%= $_k %> = <%= $_v %> <%= $k %> = <%= $rundeck::security_config[$k] %> <%- } -%> -<%- $rundeck::key_storage_encrypt_config.each |$_k, $_v| { -%> -rundeck.storage.converter.1.<%= $_k %> = <%= $_v %> -<%- } -%> - <%- $rundeck::preauthenticated_config.each |$_k, $_v| { -%> rundeck.security.authorization.preauthenticated.<%= $_k %> = <%= $_v %> <%- } -%> From e8e9ec0a71963dbdcbfc246d10557f5dd02fa520 Mon Sep 17 00:00:00 2001 From: Joris29 Date: Thu, 23 Nov 2023 13:41:43 +0100 Subject: [PATCH 57/82] Update doc --- REFERENCE.md | 30 +++++---------------- manifests/config.pp | 2 -- manifests/config/aclpolicyfile.pp | 11 ++++---- manifests/config/plugin.pp | 1 + manifests/init.pp | 3 --- templates/aclpolicy.epp | 43 +++++++++++++++++++++++++++++++ 6 files changed, 55 insertions(+), 35 deletions(-) create mode 100644 templates/aclpolicy.epp diff --git a/REFERENCE.md b/REFERENCE.md index 858b19088..5d2d609dc 100644 --- a/REFERENCE.md +++ b/REFERENCE.md 
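Review bot: The new converter loop in `@@ -28,6 +28,19 @@` computes `$_i+1` and reads `$_cfg['type']`, which only works if `key_storage_encrypt_config` is an Array of hashes, whereas the loop it replaces in the second hunk iterated the same parameter as `|$_k, $_v|` and emitted `rundeck.storage.converter.1.<key> = <value>`, i.e. a flat Hash; this commit's diffstat does not touch `manifests/init.pp`, so unless the parameter type was already changed elsewhere, a non-empty hash now fails at catalog compilation on `String + Integer`, and existing Hiera data in the old shape is invalid either way. Change the parameter type in the same commit (or accept both shapes in the template) and describe the new shape in the parameter's `@param` text, e.g. `# Array of converter hashes with keys type, path, optional resourceSelector and config`. Since the `config` sub-hash is typically where a converter's encryption secret lives, the rendered properties file must keep a restrictive mode — worth confirming on the `file` resource that writes it, which is not visible here.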
@@ -46,7 +46,6 @@ Class to manage installation and configuration of Rundeck. The following parameters are available in the `rundeck` class: -* [`acl_template`](#-rundeck--acl_template) * [`admin_policies`](#-rundeck--admin_policies) * [`api_policies`](#-rundeck--api_policies) * [`auth_config`](#-rundeck--auth_config) @@ -100,14 +99,6 @@ The following parameters are available in the `rundeck` class: * [`quartz_job_threadcount`](#-rundeck--quartz_job_threadcount) * [`override_dir`](#-rundeck--override_dir) -##### `acl_template` - -Data type: `String` - -The template used for acl policy. Needs to be in epp format. - -Default value: `'rundeck/aclpolicy.erb'` - ##### `admin_policies` Data type: `Array[Hash]` @@ -567,10 +558,9 @@ rundeck::config::aclpolicyfile { 'myPolicyFile': The following parameters are available in the `rundeck::config::aclpolicyfile` defined type: * [`acl_policies`](#-rundeck--config--aclpolicyfile--acl_policies) -* [`group`](#-rundeck--config--aclpolicyfile--group) * [`owner`](#-rundeck--config--aclpolicyfile--owner) +* [`group`](#-rundeck--config--aclpolicyfile--group) * [`properties_dir`](#-rundeck--config--aclpolicyfile--properties_dir) -* [`template_file`](#-rundeck--config--aclpolicyfile--template_file) ##### `acl_policies` @@ -578,19 +568,19 @@ Data type: `Array[Hash]` An array of hashes containing acl policies. See example. -##### `group` +##### `owner` Data type: `String` -The group permission that rundeck is installed as. +The user that rundeck is installed as. Default value: `'rundeck'` -##### `owner` +##### `group` Data type: `String` -The user that rundeck is installed as. +The group permission that rundeck is installed as. Default value: `'rundeck'` 
@@ -602,14 +592,6 @@ The rundeck configuration directory. Default value: `'/etc/rundeck'` -##### `template_file` - -Data type: `String` - -The template used for acl policy. Default is rundeck/aclpolicy.erb - -Default value: `"${module_name}/aclpolicy.erb"` - ### `rundeck::config::plugin` This define will install a rundeck plugin. @@ -651,7 +633,7 @@ The http source or local path from which to get the plugin. Data type: `Stdlib::Absolutepath` -Dir where plugins will be installed. +Directory where plugins will be installed. Default value: `'/var/lib/rundeck/libext'` diff --git a/manifests/config.pp b/manifests/config.pp index 748ce906b..aeabcd345 100644 --- a/manifests/config.pp +++ b/manifests/config.pp @@ -49,7 +49,6 @@ owner => $rundeck::user, group => $rundeck::group, properties_dir => $properties_dir, - template_file => $rundeck::acl_template, } } @@ -59,7 +58,6 @@ owner => $rundeck::user, group => $rundeck::group, properties_dir => $properties_dir, - template_file => $rundeck::acl_template, } } diff --git a/manifests/config/aclpolicyfile.pp b/manifests/config/aclpolicyfile.pp index e933b0558..26b83f676 100644 --- a/manifests/config/aclpolicyfile.pp +++ b/manifests/config/aclpolicyfile.pp 
@@ -41,26 +41,25 @@ # # @param acl_policies # An array of hashes containing acl policies. See example. -# @param group -# The group permission that rundeck is installed as. # @param owner # The user that rundeck is installed as. +# @param group +# The group permission that rundeck is installed as. # @param properties_dir # The rundeck configuration directory. -# @param template_file -# The template used for acl policy. Default is rundeck/aclpolicy.erb # define rundeck::config::aclpolicyfile ( Array[Hash] $acl_policies, String $group = 'rundeck', String $owner = 'rundeck', Stdlib::Absolutepath $properties_dir = '/etc/rundeck', - String $template_file = "${module_name}/aclpolicy.erb", ) { + ensure_resource('file', $properties_dir, { 'ensure' => 'directory', 'mode' => '0755' }) + file { "${properties_dir}/${name}.aclpolicy": owner => $owner, group => $group, mode => '0640', - content => template($template_file), + content => epp('rundeck/aclpolicy.epp'), } } diff --git a/manifests/config/plugin.pp b/manifests/config/plugin.pp index b3f87f53e..9da4f6024 100644 --- a/manifests/config/plugin.pp +++ b/manifests/config/plugin.pp @@ -28,6 +28,7 @@ source => $source, path => "${plugins_dir}/${name}", proxy_server => $proxy_server, + before => File["${plugins_dir}/${name}"], } } diff --git a/manifests/init.pp b/manifests/init.pp index 0cb5efc11..a3ccef56e 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -1,7 +1,5 @@ # @summary Class to manage installation and configuration of Rundeck. # -# @param acl_template -# The template used for acl policy. Needs to be in epp format. # @param admin_policies # Admin acl policies. Default value is located in data/common.yaml. # @param api_policies 
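Review bot: `content => epp('rundeck/aclpolicy.epp')` calls the template with no parameter hash, and the new `templates/aclpolicy.epp` (next hunk, `@@ -0,0 +1,43 @@`) is ERB in an .epp file — `@acl_policies.each_with_index`, `.is_a? String`, `.nil?`, `:undef`, `elsif` and `<% end -%>` are Ruby, not Puppet — so the EPP parser rejects it and every `rundeck::config::aclpolicyfile` declaration, including the ones in config.pp, fails to compile. Either keep `template('rundeck/aclpolicy.erb')` until the template is actually ported, or port it and pass the data explicitly: `content => epp('rundeck/aclpolicy.epp', { 'acl_policies' => $acl_policies })` with a matching `<%- | Array[Hash] $acl_policies | -%>` header. When porting, note that values are dropped into single-quoted YAML scalars (`description: '<%= $policy['description'] %>'`, `- '<%= $group %>'`) without escaping, so a `'` in a description or group name produces an unparseable policy file that Rundeck presumably will not enforce; emitting the structure through a YAML serializer function rather than hand-quoting avoids that class of problem.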
@@ -145,7 +143,6 @@ String $config_template = 'rundeck/rundeck-config.properties.epp', String $override_template = 'rundeck/profile_overrides.epp', String $realm_template = 'rundeck/realm.properties.epp', - String $acl_template = 'rundeck/aclpolicy.erb', String $log_properties_template = 'rundeck/log4j2.properties.epp', Boolean $rss_enabled = false, Optional[String] $server_web_context = undef, diff --git a/templates/aclpolicy.epp b/templates/aclpolicy.epp new file mode 100644 index 000000000..7274971dc --- /dev/null +++ b/templates/aclpolicy.epp @@ -0,0 +1,43 @@ +<% @acl_policies.each_with_index |$policy, $index| { -%> +description: '<%= $policy['description'] %>' +context: + <%= $policy['context'].keys[0] %>: '<%= $policy['context'].values[0] %>' +for: +<% $policy['for'].each |$resource, $kind| { -%> + <%= $resource %>: + <%- $kind.each |$rules| { -%> + <% $first_key = true -%> + <% $rules.each |$type, $action| { -%> + <% if ["allow", "deny"].include?($type) -%> + <% if $first_key -%>-<%- else %> <% end -%> <%= $type %>: <% if $action.is_a? String -%>'<%= $action %>'<%-else-%><%= $action %><%-end%> + <% elsif ["match", "equals", "contains", "subset"].include?($type) -%> + <% if $first_key -%>-<%- else %> <% end -%> <%= $type %>: + <% $action.each |$k, $v| { -%> + <%= $k %>: <% if $v.is_a? String -%>'<%= $v %>'<%-else-%><%= $v %><%-end%> + <% } -%> + <% end -%> + <% $first_key = false -%> + <% } -%> + <% } -%> +<% } -%> +by: +<% $policy['by'].each |$by| { -%> +<% if !$by['group'].nil? && $by['group'] != :undef -%> + group: + <% $by['group'].each |$group| { -%> + - '<%= $group %>' + <% } -%> +<% end -%> +<% if !$by['username'].nil? && $by['username'] != :undef -%> + username: + <% $by['username'].each |$username| { -%> + - '<%= $username %>' + <% } -%> +<% end -%> +<% } -%> +<% if $index != (@acl_policies.length-1) -%> + +--- + +<% end -%> +<% } -%> From b718731f7add6e96531bd295c0b4deb36495ac3e Mon Sep 17 00:00:00 2001 
From: Joris29 Date: Thu, 23 Nov 2023 13:59:35 +0100 Subject: [PATCH 58/82] Change policy template to epp --- manifests/config/aclpolicyfile.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/config/aclpolicyfile.pp b/manifests/config/aclpolicyfile.pp index 26b83f676..2d3767350 100644 --- a/manifests/config/aclpolicyfile.pp +++ b/manifests/config/aclpolicyfile.pp @@ -60,6 +60,6 @@ owner => $owner, group => $group, mode => '0640', - content => epp('rundeck/aclpolicy.epp'), + content => template('rundeck/aclpolicy.erb'), } } From c4835834b33ad5c86afdc6d2642bebb028181dbc Mon Sep 17 00:00:00 2001 
From: Joris29 Date: Thu, 23 Nov 2023 14:12:30 +0100 Subject: [PATCH 59/82] Update defines --- REFERENCE.md | 615 +++++++++++------- data/{os => }/Debian.yaml | 0 data/{os => }/RedHat.yaml | 0 data/common.yaml | 126 ---- hiera.yaml | 5 +- manifests/config/aclpolicyfile.pp | 64 +- manifests/config/framework.pp | 4 +- manifests/config/plugin.pp | 14 +- manifests/init.pp | 328 ++++++---- .../config/{global => }/aclpolicyfile_spec.rb | 0 .../config/{global => }/framework_spec.rb | 0 spec/classes/config/global/gui_config_spec.rb | 30 - .../config/global/rundeck_config_spec.rb | 143 ---- .../config/global/service_restart_spec.rb | 31 - .../auth_spec.rb => jaas_auth_spec.rb} | 0 spec/classes/config/{global => }/ssl_spec.rb | 0 spec/classes/config_spec.rb | 80 +-- templates/aclpolicy.epp | 71 +- templates/aclpolicy.erb | 43 -- templates/jaas-auth.conf.epp | 26 +- templates/profile_overrides.epp | 6 +- types/key_storage_config.pp | 8 + types/sourcetype.pp | 2 - 23 files changed, 708 insertions(+), 888 deletions(-) rename data/{os => }/Debian.yaml (100%) rename data/{os => }/RedHat.yaml (100%) delete mode 100644 data/common.yaml rename spec/classes/config/{global => }/aclpolicyfile_spec.rb (100%) rename spec/classes/config/{global => }/framework_spec.rb (100%) delete mode 100644 spec/classes/config/global/gui_config_spec.rb delete mode 100644 spec/classes/config/global/rundeck_config_spec.rb delete mode 100644 spec/classes/config/global/service_restart_spec.rb rename spec/classes/config/{global/auth_spec.rb => jaas_auth_spec.rb} (100%) rename spec/classes/config/{global => }/ssl_spec.rb (100%) delete mode 100644 templates/aclpolicy.erb create mode 100644 types/key_storage_config.pp delete mode 100644 types/sourcetype.pp diff --git a/REFERENCE.md b/REFERENCE.md index 5d2d609dc..4b44d0513 100644 --- a/REFERENCE.md +++ b/REFERENCE.md 
@@ -32,9 +32,9 @@ * [`Rundeck::Auth_config`](#Rundeck--Auth_config): Rundeck authentication config type. * [`Rundeck::Db_config`](#Rundeck--Db_config): Rundeck database config type. +* [`Rundeck::Key_storage_config`](#Rundeck--Key_storage_config): Rundeck key storage config type. * [`Rundeck::Loglevel`](#Rundeck--Loglevel): Rundeck log level type. * [`Rundeck::Mail_config`](#Rundeck--Mail_config): Rundeck mail config type. -* [`Rundeck::Sourcetype`](#Rundeck--Sourcetype): Rundeck sourcetype type. ## Classes 
@@ -46,240 +46,379 @@ Class to manage installation and configuration of Rundeck. The following parameters are available in the `rundeck` class: +* [`manage_repo`](#-rundeck--manage_repo) +* [`repo_config`](#-rundeck--repo_config) +* [`package_ensure`](#-rundeck--package_ensure) +* [`manage_home`](#-rundeck--manage_home) +* [`user`](#-rundeck--user) +* [`group`](#-rundeck--group) +* [`manage_user`](#-rundeck--manage_user) +* [`manage_group`](#-rundeck--manage_group) +* [`user_id`](#-rundeck--user_id) +* [`group_id`](#-rundeck--group_id) * [`admin_policies`](#-rundeck--admin_policies) * [`api_policies`](#-rundeck--api_policies) -* [`auth_config`](#-rundeck--auth_config) +* [`manage_default_admin_policy`](#-rundeck--manage_default_admin_policy) +* [`manage_default_api_policy`](#-rundeck--manage_default_api_policy) +* [`grails_server_url`](#-rundeck--grails_server_url) * [`clustermode_enabled`](#-rundeck--clustermode_enabled) -* [`database_config`](#-rundeck--database_config) * [`execution_mode`](#-rundeck--execution_mode) -* [`framework_config`](#-rundeck--framework_config) -* [`gui_config`](#-rundeck--gui_config) * [`java_home`](#-rundeck--java_home) * [`jvm_args`](#-rundeck--jvm_args) -* [`key_storage_config`](#-rundeck--key_storage_config) -* [`keystore`](#-rundeck--keystore) -* [`keystore_password`](#-rundeck--keystore_password) -* [`log_properties_template`](#-rundeck--log_properties_template) +* [`quartz_job_threadcount`](#-rundeck--quartz_job_threadcount) +* [`auth_config`](#-rundeck--auth_config) +* [`database_config`](#-rundeck--database_config) +* [`framework_config`](#-rundeck--framework_config) +* [`gui_config`](#-rundeck--gui_config) * [`mail_config`](#-rundeck--mail_config) -* [`key_password`](#-rundeck--key_password) -* [`ssl_private_key`](#-rundeck--ssl_private_key) -* [`ssl_certificate`](#-rundeck--ssl_certificate) -* [`manage_default_admin_policy`](#-rundeck--manage_default_admin_policy) -* 
[`manage_default_api_policy`](#-rundeck--manage_default_api_policy) -* [`repo_config`](#-rundeck--repo_config) -* [`manage_repo`](#-rundeck--manage_repo) -* [`package_ensure`](#-rundeck--package_ensure) +* [`security_config`](#-rundeck--security_config) * [`preauthenticated_config`](#-rundeck--preauthenticated_config) +* [`key_storage_config`](#-rundeck--key_storage_config) +* [`key_storage_encrypt_config`](#-rundeck--key_storage_encrypt_config) * [`app_log_level`](#-rundeck--app_log_level) * [`audit_log_level`](#-rundeck--audit_log_level) * [`config_template`](#-rundeck--config_template) -* [`manage_home`](#-rundeck--manage_home) * [`override_template`](#-rundeck--override_template) * [`realm_template`](#-rundeck--realm_template) +* [`log_properties_template`](#-rundeck--log_properties_template) * [`rss_enabled`](#-rundeck--rss_enabled) -* [`security_config`](#-rundeck--security_config) * [`server_web_context`](#-rundeck--server_web_context) +* [`ssl_enabled`](#-rundeck--ssl_enabled) +* [`ssl_port`](#-rundeck--ssl_port) +* [`ssl_certificate`](#-rundeck--ssl_certificate) +* [`ssl_private_key`](#-rundeck--ssl_private_key) +* [`key_password`](#-rundeck--key_password) +* [`keystore`](#-rundeck--keystore) +* [`keystore_password`](#-rundeck--keystore_password) +* [`truststore`](#-rundeck--truststore) +* [`truststore_password`](#-rundeck--truststore_password) * [`service_name`](#-rundeck--service_name) * [`service_ensure`](#-rundeck--service_ensure) * [`service_logs_dir`](#-rundeck--service_logs_dir) +* [`service_notify`](#-rundeck--service_notify) * [`service_config`](#-rundeck--service_config) * [`service_script`](#-rundeck--service_script) -* [`grails_server_url`](#-rundeck--grails_server_url) -* [`ssl_enabled`](#-rundeck--ssl_enabled) -* [`ssl_port`](#-rundeck--ssl_port) -* [`truststore`](#-rundeck--truststore) -* [`truststore_password`](#-rundeck--truststore_password) -* [`user`](#-rundeck--user) -* [`group`](#-rundeck--group) -* 
[`manage_user`](#-rundeck--manage_user) -* [`manage_group`](#-rundeck--manage_group) -* [`user_id`](#-rundeck--user_id) -* [`group_id`](#-rundeck--group_id) -* [`key_storage_encrypt_config`](#-rundeck--key_storage_encrypt_config) -* [`quartz_job_threadcount`](#-rundeck--quartz_job_threadcount) * [`override_dir`](#-rundeck--override_dir) -##### `admin_policies` +##### `manage_repo` -Data type: `Array[Hash]` +Data type: `Boolean` -Admin acl policies. Default value is located in data/common.yaml. +Whether to manage the package repository. -##### `api_policies` +Default value: `true` -Data type: `Array[Hash]` +##### `repo_config` -Apitoken acl policies. Default value is located in data/common.yaml. +Data type: `Hash` -##### `auth_config` +A hash of repository types and attributes for configuring the rundeck package repositories. +Examples/defaults for yumrepo can be found at RedHat.yaml, and for apt at Debian.yaml -Data type: `Rundeck::Auth_config` +##### `package_ensure` -Hash of properties for configuring [Rundeck JAAS Authentication](https://docs.rundeck.com/docs/administration/security/authentication.html#jetty-and-jaas-authentication) -Default value is located in data/common.yaml. +Data type: `String` -##### `clustermode_enabled` +Ensure the state of the rundeck package, either present, absent or a specific version. + +Default value: `'installed'` + +##### `manage_home` Data type: `Boolean` -Boolean value if set to true enables cluster mode +Whether to manage rundeck home dir. -Default value: `false` +Default value: `true` -##### `database_config` +##### `user` -Data type: `Rundeck::Db_config` +Data type: `String` -Hash of properties for configuring the [Rundeck Database](https://docs.rundeck.com/docs/administration/configuration/database) +The user that rundeck is installed as. -##### `execution_mode` +Default value: `'rundeck'` -Data type: `Enum['active', 'passive']` +##### `group` -If set, allows setting the execution mode to 'active' or 'passive'. 
+Data type: `String` -Default value: `'active'` +The group permission that rundeck is installed as. -##### `framework_config` +Default value: `'rundeck'` -Data type: `Hash` +##### `manage_user` -Hash of properties for configuring the [Rundeck Framework](https://docs.rundeck.com/docs/administration/configuration/config-file-reference.html#framework-properties) -Default value is located in data/common.yaml. +Data type: `Boolean` -##### `gui_config` +Whether to manage `user` (and enforce `user_id` if set). -Data type: `Hash` +Default value: `false` -Hash of properties for customizing the [Rundeck GUI](https://docs.rundeck.com/docs/administration/configuration/gui-customization.html) +##### `manage_group` -Default value: `{}` +Data type: `Boolean` -##### `java_home` +Whether to manage `group` (and enforce `group_id` if set). -Data type: `Optional[Stdlib::Absolutepath]` +Default value: `false` -Set the home directory of java. +##### `user_id` + +Data type: `Optional[Integer]` + +If you want to have always the same user id. Eg. because of a NFS share. Default value: `undef` -##### `jvm_args` +##### `group_id` -Data type: `String` +Data type: `Optional[Integer]` -Extra arguments for the JVM. +If you want to have always the same group id. Eg. because of a NFS share. -Default value: `'-Xmx1024m -Xms256m -server'` +Default value: `undef` -##### `key_storage_config` +##### `admin_policies` Data type: `Array[Hash]` -An array with hashes of properties for customizing the [Rundeck Key Storage](https://docs.rundeck.com/docs/manual/key-storage/key-storage.html) +Admin acl policies. 
-##### `keystore` +Default value: -Data type: `Stdlib::Absolutepath` +```puppet +[ + { + 'description' => 'Admin, all access', + 'context' => { 'project' => '.*' }, + 'for' => { + 'resource' => [{ 'allow' => '*' }], + 'adhoc' => [{ 'allow' => '*' }], + 'job' => [{ 'allow' => '*' }], + 'node' => [{ 'allow' => '*' }], + }, + 'by' => [{ 'group' => ['admin'] }], + }, + { + 'description' => 'Admin, all access', + 'context' => { 'application' => 'rundeck' }, + 'for' => { + 'project' => [{ 'allow' => '*' }], + 'resource' => [{ 'allow' => '*' }], + 'storage' => [{ 'allow' => '*' }], + }, + 'by' => [{ 'group' => ['admin'] }], + }, + ] +``` -Full path to the java keystore to be used by Rundeck. +##### `api_policies` -Default value: `'/etc/rundeck/ssl/keystore'` +Data type: `Array[Hash]` -##### `keystore_password` +Apitoken acl policies. -Data type: `String` +Default value: -The password for the given keystore. +```puppet +[ + { + 'description' => 'API project level access control', + 'context' => { 'project' => '.*' }, + 'for' => { + 'resource' => [ + { 'equals' => { 'kind' => 'job' }, 'allow' => ['create', 'delete'] }, + { 'equals' => { 'kind' => 'node' }, 'allow' => ['read', 'create', 'update', 'refresh'] }, + { 'equals' => { 'kind' => 'event' }, 'allow' => ['read', 'create'] }, + ], + 'adhoc' => [{ 'allow' => ['read', 'run', 'kill'] }], + 'job' => [{ 'allow' => ['read', 'create', 'update', 'delete', 'run', 'kill'] }], + 'node' => [{ 'allow' => ['read', 'run'] }], + }, + 'by' => [{ 'group' => ['api_token_group'] }], + }, + { + 'description' => 'API Application level access control', + 'context' => { 'application' => 'rundeck' }, + 'for' => { + 'project' => [{ 'match' => { 'name' => '.*' }, 'allow' => ['read'] }], + 'resource' => [{ 'equals' => { 'kind' => 'system' }, 'allow' => ['read'] }], + 'storage' => [{ 'match' => { 'path' => '(keys|keys/.*)' }, 'allow' => '*' }], + }, + 'by' => [{ 'group' => ['api_token_group'] }], + }, + ] +``` -Default value: `'adminadmin'` +##### 
`manage_default_admin_policy` -##### `log_properties_template` +Data type: `Boolean` -Data type: `String` +Whether to manage the default admin policy. -The template used for log properties. Needs to be in epp format. +Default value: `true` -Default value: `'rundeck/log4j2.properties.epp'` +##### `manage_default_api_policy` -##### `mail_config` +Data type: `Boolean` -Data type: `Rundeck::Mail_config` +Whether to manage default api policy. -A hash of the notification email configuraton. +Default value: `true` -Default value: `{}` +##### `grails_server_url` -##### `key_password` +Data type: `Stdlib::HTTPUrl` -Data type: `Optional[String]` +Sets `grails.serverURL` so that Rundeck knows its external address. -The password used to protect the key in keystore. +Default value: `"http://${facts['networking']['fqdn']}:4440"` + +##### `clustermode_enabled` + +Data type: `Boolean` + +Wheter to enable cluster mode. + +Default value: `false` + +##### `execution_mode` + +Data type: `Enum['active', 'passive']` + +Set the execution mode to 'active' or 'passive'. + +Default value: `'active'` + +##### `java_home` + +Data type: `Optional[Stdlib::Absolutepath]` + +Set the home directory of java. Default value: `undef` -##### `ssl_private_key` +##### `jvm_args` -Data type: `Stdlib::Absolutepath` +Data type: `String` -Full path to the SSL private key to be used by Rundeck. +Extra arguments for the JVM. -Default value: `'/etc/rundeck/ssl/rundeck.key'` +Default value: `'-Xmx1024m -Xms256m -server'` -##### `ssl_certificate` +##### `quartz_job_threadcount` -Data type: `Stdlib::Absolutepath` +Data type: `Integer` -Full path to the SSL public key to be used by Rundeck. +The maximum number of threads used by Rundeck for concurrent jobs. 
-Default value: `'/etc/rundeck/ssl/rundeck.crt'` +Default value: `10` -##### `manage_default_admin_policy` +##### `auth_config` -Data type: `Boolean` +Data type: `Rundeck::Auth_config` -Boolean value if set to true enables default admin policy management +Hash of properties for configuring [Rundeck JAAS Authentication](https://docs.rundeck.com/docs/administration/security/authentication.html#jetty-and-jaas-authentication) -Default value: `true` +Default value: -##### `manage_default_api_policy` +```puppet +{ + 'file' => { + 'auth_flag' => 'required', + 'jaas_config' => { + 'file' => '/etc/rundeck/realm.properties', + }, + 'realm_config' => { + 'admin_user' => 'admin', + 'admin_password' => 'admin', + 'auth_users' => {}, + }, + }, + } +``` -Data type: `Boolean` +##### `database_config` -Boolean value if set to true enables default api policy management +Data type: `Rundeck::Db_config` -Default value: `true` +Hash of properties for configuring the [Rundeck Database](https://docs.rundeck.com/docs/administration/configuration/database) -##### `repo_config` +Default value: `{ 'url' => 'jdbc:h2:file:/var/lib/rundeck/data/rundeckdb' }` + +##### `framework_config` Data type: `Hash` -A hash of repository types and attributes for configuring the rundeck package repositories. 
-Examples/defaults for yumrepo can be found at data/os/RedHat.yaml, and for apt at data/os/Debian.yaml +Hash of properties for configuring the [Rundeck Framework](https://docs.rundeck.com/docs/administration/configuration/config-file-reference.html#framework-properties) -##### `manage_repo` +Default value: -Data type: `Boolean` +```puppet +{ + 'rdeck.base' => '/var/lib/rundeck', + 'framework.server.hostname' => $facts['networking']['hostname'], + 'framework.server.name' => $facts['networking']['fqdn'], + 'framework.server.port' => '4440', + 'framework.server.url' => "http://${facts['networking']['fqdn']}:4440", + 'framework.etc.dir' => '/etc/rundeck', + 'framework.libext.dir' => '/var/lib/rundeck/libext', + 'framework.ssh.keypath' => '/var/lib/rundeck/.ssh/id_rsa', + 'framework.ssh.user' => 'rundeck', + 'framework.ssh.timeout' => '0', + 'rundeck.server.uuid' => fqdn_uuid($facts['networking']['fqdn']), + } +``` -Whether to manage the package repository. Defaults to true. +##### `gui_config` -Default value: `true` +Data type: `Hash` -##### `package_ensure` +Hash of properties for customizing the [Rundeck GUI](https://docs.rundeck.com/docs/administration/configuration/gui-customization.html) -Data type: `String` +Default value: `{}` -Ensure the state of the rundeck package, either present, absent or a specific version +##### `mail_config` -Default value: `'installed'` +Data type: `Rundeck::Mail_config` + +A hash of the notification email configuraton. + +Default value: `{}` + +##### `security_config` + +Data type: `Hash` + +A hash of the rundeck security configuration. + +Default value: `{}` ##### `preauthenticated_config` Data type: `Hash` -A hash of the rundeck preauthenticated config mode +A hash of the rundeck preauthenticated configuration. 
Default value: `{}` +##### `key_storage_config` + +Data type: `Rundeck::Key_storage_config` + +An array with hashes of properties for customizing the [Rundeck Key Storage](https://docs.rundeck.com/docs/manual/key-storage/key-storage.html) + +Default value: `[{ 'type' => 'db', 'path' => 'keys' }]` + +##### `key_storage_encrypt_config` + +Data type: `Array[Hash]` + +An array with hashes of properties for customizing the [Rundeck Key Storage converter](https://docs.rundeck.com/docs/administration/configuration/plugins/configuring.html#storage-converter-plugins) + +Default value: `[{}]` + ##### `app_log_level` Data type: `Rundeck::Loglevel` @@ -300,23 +439,15 @@ Default value: `'info'` Data type: `String` -Allows you to override the rundeck-config template. +The template used for rundeck-config properties. Needs to be in epp format. Default value: `'rundeck/rundeck-config.properties.epp'` -##### `manage_home` - -Data type: `Boolean` - -Whether to manage rundeck home dir. Defaults to true. - -Default value: `true` - ##### `override_template` Data type: `String` -Allows you to use your own override template for rundeck profile instead of the default from the package maintainer +The template used for rundeck profile overrides. Needs to be in epp format. Default value: `'rundeck/profile_overrides.epp'` 
@@ -324,25 +455,25 @@ Default value: `'rundeck/profile_overrides.epp'` Data type: `String` -Allows you to use your own override template for realm properties instead of the default from the package maintainer +The template used for jaas realm properties. Needs to be in epp format. Default value: `'rundeck/realm.properties.epp'` -##### `rss_enabled` +##### `log_properties_template` -Data type: `Boolean` +Data type: `String` -Boolean value if set to true enables RSS feeds that are public (non-authenticated) +The template used for log properties. Needs to be in epp format. -Default value: `false` +Default value: `'rundeck/log4j2.properties.epp'` -##### `security_config` +##### `rss_enabled` -Data type: `Hash` +Data type: `Boolean` -A hash of the rundeck security configuration. +Boolean value if set to true enables RSS feeds that are public (non-authenticated) -Default value: `{}` +Default value: `false` ##### `server_web_context` 
@@ -352,69 +483,61 @@ Web context path to use, such as "/rundeck". http://host.domain:port/server_web_ Default value: `undef` -##### `service_name` +##### `ssl_enabled` -Data type: `String` +Data type: `Boolean` -The name of the rundeck service. +Enable ssl for the rundeck web application. -Default value: `'rundeckd'` +Default value: `false` -##### `service_ensure` +##### `ssl_port` -Data type: `Enum['stopped', 'running']` +Data type: `Stdlib::Port` -State of the rundeck service (defaults to 'running') +Ssl port of the rundeck web application. -Default value: `'running'` +Default value: `4443` -##### `service_logs_dir` +##### `ssl_certificate` Data type: `Stdlib::Absolutepath` -The path to the directory to store service related logs. +Full path to the SSL public key to be used by Rundeck. -Default value: `'/var/log/rundeck'` +Default value: `'/etc/rundeck/ssl/rundeck.crt'` -##### `service_config` +##### `ssl_private_key` -Data type: `Optional[String]` +Data type: `Stdlib::Absolutepath` -Allows you to use your own override template instead to config rundeckd init script. +Full path to the SSL private key to be used by Rundeck. -Default value: `undef` +Default value: `'/etc/rundeck/ssl/rundeck.key'` -##### `service_script` +##### `key_password` Data type: `Optional[String]` -Allows you to use your own override template instead of the default from the package maintainer for rundeckd init script. +The password used to protect the key in keystore. Default value: `undef` -##### `grails_server_url` - -Data type: `Stdlib::HTTPUrl` - -Sets `grails.serverURL` so that Rundeck knows its external address. - -Default value: `"http://${facts['networking']['fqdn']}:4440"` - -##### `ssl_enabled` +##### `keystore` -Data type: `Boolean` +Data type: `Stdlib::Absolutepath` -Enable ssl for the rundeck web application. +Full path to the java keystore to be used by Rundeck. 
-Default value: `false` +Default value: `'/etc/rundeck/ssl/keystore'` -##### `ssl_port` +##### `keystore_password` -Data type: `Stdlib::Port` +Data type: `String` -Ssl port of the rundeck web application (default to '4443'). +The password for the given keystore. -Default value: `4443` +Default value: `'adminadmin'` ##### `truststore` 
@@ -432,71 +555,54 @@ The password for the given truststore. Default value: `'adminadmin'` -##### `user` +##### `service_name` Data type: `String` -The user that rundeck is installed as. +The name of the rundeck service. -Default value: `'rundeck'` +Default value: `'rundeckd'` -##### `group` +##### `service_ensure` -Data type: `String` +Data type: `Enum['stopped', 'running']` -The group permission that rundeck is installed as. +State of the rundeck service. -Default value: `'rundeck'` +Default value: `'running'` -##### `manage_user` +##### `service_logs_dir` -Data type: `Boolean` +Data type: `Stdlib::Absolutepath` -Whether to manage `user` (and enforce `user_id` if set). Defaults to false. +The path to the directory to store service related logs. -Default value: `false` +Default value: `'/var/log/rundeck'` -##### `manage_group` +##### `service_notify` Data type: `Boolean` -Whether to manage `group` (and enforce `group_id` if set). Defaults to false. +Wheter to notify and restart the rundeck service if config changes. -Default value: `false` +Default value: `true` -##### `user_id` +##### `service_config` -Data type: `Optional[Integer]` +Data type: `Optional[String]` -If you want to have always the same user id. Eg. because of the NFS share. +Allows you to use your own override template instead to config rundeckd init script. Default value: `undef` -##### `group_id` +##### `service_script` -Data type: `Optional[Integer]` +Data type: `Optional[String]` -If you want to have always the same group id. Eg. because of the NFS share. +Allows you to use your own override template instead of the default from the package maintainer for rundeckd init script. Default value: `undef` -##### `key_storage_encrypt_config` - -Data type: `Hash` - -Hash containing the necessary values to configure a plugin for key storage encryption. 
-https://docs.rundeck.com/docs/administration/configuration/plugins/configuring.html#storage-converter-plugins - -Default value: `{}` - -##### `quartz_job_threadcount` - -Data type: `Integer` - -The maximum number of threads used by Rundeck for concurrent jobs by default is set to 10. - -Default value: `10` - ##### `override_dir` Data type: `Stdlib::Absolutepath` @@ -517,38 +623,26 @@ This define will create a custom acl policy file. rundeck::config::aclpolicyfile { 'myPolicyFile': acl_policies => [ { - 'description' => 'Admin, all access', - 'context' => { - 'type' => 'project', - 'rule' => '.*', + 'description' => 'Admin, all access', + 'context' => { 'project' => '.*' }, + 'for' => { + 'resource' => [{ 'allow' => '*' }], + 'adhoc' => [{ 'allow' => '*' }], + 'job' => [{ 'allow' => '*' }], + 'node' => [{ 'allow' => '*' }], }, - 'resource_types' => [ - { 'type' => 'resource', 'rules' => [{ 'name' => 'allow','rule' => '*' }] }, - { 'type' => 'adhoc', 'rules' => [{ 'name' => 'allow','rule' => '*' }] }, - { 'type' => 'job', 'rules' => [{ 'name' => 'allow','rule' => '*' }] }, - { 'type' => 'node', 'rules' => [{ 'name' => 'allow','rule' => '*' }] } - ], - 'by' => { - 'group' => ['admin'], - 'username' => undef, - } + 'by' => [{ 'group' => ['admin'] }], }, { - 'description' => 'Admin, all access', - 'context' => { - 'type' => 'application', - 'rule' => 'rundeck', + 'description' => 'Admin, all access', + 'context' => { 'application' => 'rundeck' }, + 'for' => { + 'project' => [{ 'allow' => '*' }], + 'resource' => [{ 'allow' => '*' }], + 'storage' => [{ 'allow' => '*' }], }, - 'resource_types' => [ - { 'type' => 'resource', 'rules' => [{ 'name' => 'allow','rule' => '*' }] }, - { 'type' => 'project', 'rules' => [{ 'name' => 'allow','rule' => '*' }] }, - { 'type' => 'storage', 'rules' => [{ 'name' => 'allow','rule' => '*' }] }, - ], - 'by' => { - 'group' => ['admin'], - 'username' => undef, - } - } + 'by' => [{ 'group' => ['admin'] }], + }, ], } ``` 
@@ -558,6 +652,7 @@ rundeck::config::aclpolicyfile { 'myPolicyFile': The following parameters are available in the `rundeck::config::aclpolicyfile` defined type: * [`acl_policies`](#-rundeck--config--aclpolicyfile--acl_policies) +* [`ensure`](#-rundeck--config--aclpolicyfile--ensure) * [`owner`](#-rundeck--config--aclpolicyfile--owner) * [`group`](#-rundeck--config--aclpolicyfile--group) * [`properties_dir`](#-rundeck--config--aclpolicyfile--properties_dir) @@ -568,6 +663,14 @@ Data type: `Array[Hash]` An array of hashes containing acl policies. See example. +##### `ensure` + +Data type: `Enum['present', 'absent']` + +Set present or absent to add or remove the acl policy file. + +Default value: `'present'` + ##### `owner` Data type: `String` @@ -610,24 +713,42 @@ rundeck::config::plugin { 'rundeck-hipchat-plugin-1.0.0.jar': The following parameters are available in the `rundeck::config::plugin` defined type: -* [`ensure`](#-rundeck--config--plugin--ensure) * [`source`](#-rundeck--config--plugin--source) +* [`ensure`](#-rundeck--config--plugin--ensure) +* [`owner`](#-rundeck--config--plugin--owner) +* [`group`](#-rundeck--config--plugin--group) * [`plugins_dir`](#-rundeck--config--plugin--plugins_dir) * [`proxy_server`](#-rundeck--config--plugin--proxy_server) +##### `source` + +Data type: `String` + +The http source or local path from which to get the plugin. + ##### `ensure` Data type: `Enum['present', 'absent']` -Set present or absent to add or remove the plugin +Set present or absent to add or remove the plugin. Default value: `'present'` -##### `source` +##### `owner` Data type: `String` -The http source or local path from which to get the plugin. +The user that rundeck is installed as. + +Default value: `'rundeck'` + +##### `group` + +Data type: `String` + +The group permission that rundeck is installed as. + +Default value: `'rundeck'` ##### `plugins_dir` 
@@ -692,6 +813,20 @@ Struct[{ }] ``` +### `Rundeck::Key_storage_config` + +Rundeck key storage config type. + +Alias of + +```puppet +Array[Struct[{ + 'type' => String, + 'path' => String, + Optional['config'] => Hash, + }]] +``` + ### `Rundeck::Loglevel` Rundeck log level type. @@ -717,9 +852,3 @@ Struct[{ }] ``` -### `Rundeck::Sourcetype` - -Rundeck sourcetype type. - -Alias of `Enum['file', 'directory', 'url', 'script', 'aws-ec2', 'puppet-enterprise']` - diff --git a/data/os/Debian.yaml b/data/Debian.yaml similarity index 100% rename from data/os/Debian.yaml rename to data/Debian.yaml diff --git a/data/os/RedHat.yaml b/data/RedHat.yaml similarity index 100% rename from data/os/RedHat.yaml rename to data/RedHat.yaml diff --git a/data/common.yaml b/data/common.yaml deleted file mode 100644 index e4705fc23..000000000 --- a/data/common.yaml +++ /dev/null 
@@ -1,126 +0,0 @@ ---- -rundeck::admin_policies: - - description: 'Admin, all access' - context: - project: '.*' - for: - resource: - - allow: '*' - adhoc: - - allow: '*' - job: - - allow: '*' - node: - - allow: '*' - by: - - group: - - 'admin' - - - description: 'Admin, all access' - context: - application: 'rundeck' - for: - resource: - - allow: '*' - project: - - allow: '*' - storage: - - allow: '*' - by: - - group: - - 'admin' - -rundeck::api_policies: - - description: 'API project level access control' - context: - project: '.*' - for: - resource: - - equals: - kind: 'job' - allow: - - 'create' - - 'delete' - - equals: - kind: 'node' - allow: - - 'read' - - 'create' - - 'update' - - 'refresh' - - equals: - kind: 'event' - allow: - - 'read' - - 'create' - adhoc: - - allow: - - 'read' - - 'run' - - 'kill' - job: - - allow: - - 'create' - - 'read' - - 'update' - - 'delete' - - 'run' - - 'kill' - node: - - allow: - - 'read' - - 'run' - by: - - group: - - 'api_token_group' - - - description: 'API Application level access control' - context: - application: 'rundeck' - for: - resource: - - equals: - kind: 'system' - allow: - - 'read' - project: - - match: - name: '.*' - allow: - - 'read' - storage: - - match: - path: '(keys|keys/.*)' - allow: '*' - by: - - group: - - 'api_token_group' - -rundeck::auth_config: - file: - auth_flag: 'required' - jaas_config: - file: '/etc/rundeck/realm.properties' - realm_config: - admin_user: 'admin' - admin_password: 'admin' - auth_users: {} - -rundeck::framework_config: - rdeck.base: '/var/lib/rundeck' - framework.server.hostname: "%{facts.networking.hostname}" - framework.server.name: "%{facts.networking.fqdn}" - framework.server.port: '4440' - framework.server.url: "http://%{facts.networking.fqdn}:4440" - framework.etc.dir: '/etc/rundeck' - framework.libext.dir: '/var/lib/rundeck/libext' - framework.ssh.keypath: '/var/lib/rundeck/.ssh/id_rsa' - framework.ssh.user: 'rundeck' - framework.ssh.timeout: '0' - -rundeck::database_config: 
- url: 'jdbc:h2:file:/var/lib/rundeck/data/rundeckdb' - -rundeck::key_storage_config: - - type: 'db' - path: 'keys' diff --git a/hiera.yaml b/hiera.yaml index fb602a143..89cf4fb83 100644 --- a/hiera.yaml +++ b/hiera.yaml @@ -7,7 +7,4 @@ defaults: hierarchy: - name: 'Rundeck Operating System Family defaults' - path: 'os/%{facts.os.family}.yaml' - - - name: 'Rundeck common defaults' - path: 'common.yaml' + path: '%{facts.os.family}.yaml' diff --git a/manifests/config/aclpolicyfile.pp b/manifests/config/aclpolicyfile.pp index 2d3767350..2da260cd1 100644 --- a/manifests/config/aclpolicyfile.pp +++ b/manifests/config/aclpolicyfile.pp 
@@ -4,43 +4,33 @@ # rundeck::config::aclpolicyfile { 'myPolicyFile': # acl_policies => [ # { -# 'description' => 'Admin, all access', -# 'context' => { -# 'type' => 'project', -# 'rule' => '.*', +# 'description' => 'Admin, all access', +# 'context' => { 'project' => '.*' }, +# 'for' => { +# 'resource' => [{ 'allow' => '*' }], +# 'adhoc' => [{ 'allow' => '*' }], +# 'job' => [{ 'allow' => '*' }], +# 'node' => [{ 'allow' => '*' }], # }, -# 'resource_types' => [ -# { 'type' => 'resource', 'rules' => [{ 'name' => 'allow','rule' => '*' }] }, -# { 'type' => 'adhoc', 'rules' => [{ 'name' => 'allow','rule' => '*' }] }, -# { 'type' => 'job', 'rules' => [{ 'name' => 'allow','rule' => '*' }] }, -# { 'type' => 'node', 'rules' => [{ 'name' => 'allow','rule' => '*' }] } -# ], -# 'by' => { -# 'group' => ['admin'], -# 'username' => undef, -# } +# 'by' => [{ 'group' => ['admin'] }], # }, # { -# 'description' => 'Admin, all access', -# 'context' => { -# 'type' => 'application', -# 'rule' => 'rundeck', +# 'description' => 'Admin, all access', +# 'context' => { 'application' => 'rundeck' }, +# 'for' => { +# 'project' => [{ 'allow' => '*' }], +# 'resource' => [{ 'allow' => '*' }], +# 'storage' => [{ 'allow' => '*' }], # }, -# 'resource_types' => [ -# { 'type' => 'resource', 'rules' => [{ 'name' => 'allow','rule' => '*' }] }, -# { 'type' => 'project', 'rules' => [{ 'name' => 'allow','rule' => '*' }] }, -# { 'type' => 'storage', 'rules' => [{ 'name' => 'allow','rule' => '*' }] }, -# ], -# 'by' => { -# 'group' => ['admin'], -# 'username' => undef, -# } -# } +# 'by' => [{ 'group' => ['admin'] }], +# }, # ], # } # # @param acl_policies # An array of hashes containing acl policies. See example. +# @param ensure +# Set present or absent to add or remove the acl policy file. # @param owner # The user that rundeck is installed as. # @param group 
@@ -49,17 +39,21 @@
 # The rundeck configuration directory.
 #
 define rundeck::config::aclpolicyfile (
- Array[Hash] $acl_policies,
- String $group = 'rundeck',
- String $owner = 'rundeck',
- Stdlib::Absolutepath $properties_dir = '/etc/rundeck',
+ Array[Hash] $acl_policies,
+ Enum['present', 'absent'] $ensure = 'present',
+ String $owner = 'rundeck',
+ String $group = 'rundeck',
+ Stdlib::Absolutepath $properties_dir = '/etc/rundeck',
 ) {
- ensure_resource('file', $properties_dir, { 'ensure' => 'directory', 'mode' => '0755' })
+ validate_rd_policy($acl_policies)
+
+ ensure_resource('file', $properties_dir, { 'ensure' => 'directory', 'owner' => $owner, 'group' => $group, 'mode' => '0755' })
 
 file { "${properties_dir}/${name}.aclpolicy":
+ ensure => $ensure,
 owner => $owner,
 group => $group,
- mode => '0640',
- content => template('rundeck/aclpolicy.erb'),
+ mode => '0644',
+ content => epp('rundeck/aclpolicy.epp', { _acl_policies => $acl_policies }),
 }
 }
diff --git a/manifests/config/framework.pp b/manifests/config/framework.pp
index 27d965f75..b3820f800 100644
--- a/manifests/config/framework.pp
+++ b/manifests/config/framework.pp
@@ -14,9 +14,7 @@
 $_framework_ssl_config = {}
 }
 
- $_server_uuid = { 'rundeck.server.uuid' => fqdn_uuid($facts['networking']['fqdn']) }
-
- $_framework_config = deep_merge($rundeck::config::framework_config, $_server_uuid, $_framework_ssl_config)
+ $_framework_config = deep_merge($rundeck::config::framework_config, $_framework_ssl_config)
 
 file { "${rundeck::config::properties_dir}/framework.properties":
 ensure => file,
diff --git a/manifests/config/plugin.pp b/manifests/config/plugin.pp
index 9da4f6024..8320a2bda 100644
--- a/manifests/config/plugin.pp
+++ b/manifests/config/plugin.pp
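Review bot: The ACL policy file mode is loosened from `0640` to `0644` in the `file { "${properties_dir}/${name}.aclpolicy" }` resource, which makes the authorization rules (group names, project patterns, and what each group may do) readable by every local account, while Rundeck only needs to read them as `$owner`, whose ownership the define now manages anyway. Unless the upstream package ships these files world-readable, keep `mode => '0640',` and mention the reason in a comment. A second consequence of the new `ensure_resource` call: it now pins `owner`/`group` on `$properties_dir` (`/etc/rundeck` by default) from a per-file define, so two `rundeck::config::aclpolicyfile` instances declared with different owner or group would produce a duplicate-declaration error for the directory rather than a clean catalog; either drop ownership from that call or document that all instances must agree.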
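Review bot: Removing the `$_server_uuid` merge means `rundeck.server.uuid` is written only when the caller's `framework_config` contains it; the new default hash in `init.pp` does, but `framework_config` is a plain `Hash` parameter, so anyone overriding it to tune other framework properties (without hiera deep-merge configured) silently loses the UUID, which Rundeck appears to use to tell servers apart and which matters most with `clustermode_enabled`. Keep the generated value as a lowest-priority fallback so an override cannot drop it: `$_framework_config = deep_merge({ 'rundeck.server.uuid' => fqdn_uuid($facts['networking']['fqdn']) }, $rundeck::config::framework_config, $_framework_ssl_config)`. The surrounding class body continues outside this hunk.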
@@ -5,10 +5,14 @@ # source => 'http://search.maven.org/remotecontent?filepath=com/hbakkum/rundeck/plugins/rundeck-hipchat-plugin/1.0.0/rundeck-hipchat-plugin-1.0.0.jar', # } # -# @param ensure -# Set present or absent to add or remove the plugin # @param source # The http source or local path from which to get the plugin. +# @param ensure +# Set present or absent to add or remove the plugin. +# @param owner +# The user that rundeck is installed as. +# @param group +# The group permission that rundeck is installed as. # @param plugins_dir # Directory where plugins will be installed. # @param proxy_server @@ -17,10 +21,12 @@ define rundeck::config::plugin ( String $source, Enum['present', 'absent'] $ensure = 'present', + String $owner = 'rundeck', + String $group = 'rundeck', Stdlib::Absolutepath $plugins_dir = '/var/lib/rundeck/libext', Optional[Stdlib::HTTPUrl] $proxy_server = undef, ) { - ensure_resource('file', $plugins_dir, { 'ensure' => 'directory', 'mode' => '0755' }) + ensure_resource('file', $plugins_dir, { 'ensure' => 'directory', 'owner' => $owner, 'group' => $group, 'mode' => '0755' }) if $ensure == 'present' { archive { "download plugin ${name}": @@ -34,6 +40,8 @@ file { "${plugins_dir}/${name}": ensure => $ensure, + owner => $owner, + group => $group, mode => '0644', } } diff --git a/manifests/init.pp b/manifests/init.pp index a3ccef56e..e7ce8f78d 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
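Review bot: Handing `$plugins_dir` (default `/var/lib/rundeck/libext`) to `$owner`/`$group` (default `rundeck`) in the `ensure_resource` call, together with the jar ownership added in the last hunk, means the account Rundeck runs as can add or replace the plugin jars Rundeck loads as code, so a compromise of the service can persist itself through the plugin directory. If the upstream package already gives libext to the rundeck user so plugins can be installed from the UI, this is consistent, but it deserves a comment such as `# libext is owned by the service account so Rundeck can manage plugins itself; root-own it if that is not needed`. Separately, the `archive { "download plugin ${name}": }` resource that fetches `$source` starts at the end of the second hunk with its body outside it; nothing visible pins a checksum, and the example in the header uses plain `http://`, so a hedged note under `@param source` recommending an https source and a checksum for remote jars would help readers.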
@@ -1,165 +1,237 @@ # @summary Class to manage installation and configuration of Rundeck. # +# @param manage_repo +# Whether to manage the package repository. +# @param repo_config +# A hash of repository types and attributes for configuring the rundeck package repositories. +# Examples/defaults for yumrepo can be found at RedHat.yaml, and for apt at Debian.yaml +# @param package_ensure +# Ensure the state of the rundeck package, either present, absent or a specific version. +# @param manage_home +# Whether to manage rundeck home dir. +# @param user +# The user that rundeck is installed as. +# @param group +# The group permission that rundeck is installed as. +# @param manage_user +# Whether to manage `user` (and enforce `user_id` if set). +# @param manage_group +# Whether to manage `group` (and enforce `group_id` if set). +# @param user_id +# If you want to have always the same user id. Eg. because of a NFS share. +# @param group_id +# If you want to have always the same group id. Eg. because of a NFS share. # @param admin_policies -# Admin acl policies. Default value is located in data/common.yaml. +# Admin acl policies. # @param api_policies -# Apitoken acl policies. Default value is located in data/common.yaml. +# Apitoken acl policies. +# @param manage_default_admin_policy +# Whether to manage the default admin policy. +# @param manage_default_api_policy +# Whether to manage default api policy. +# @param grails_server_url +# Sets `grails.serverURL` so that Rundeck knows its external address. +# @param clustermode_enabled +# Wheter to enable cluster mode. +# @param execution_mode +# Set the execution mode to 'active' or 'passive'. +# @param java_home +# Set the home directory of java. +# @param jvm_args +# Extra arguments for the JVM. +# @param quartz_job_threadcount +# The maximum number of threads used by Rundeck for concurrent jobs. 
# @param auth_config # Hash of properties for configuring [Rundeck JAAS Authentication](https://docs.rundeck.com/docs/administration/security/authentication.html#jetty-and-jaas-authentication) -# Default value is located in data/common.yaml. -# @param clustermode_enabled -# Boolean value if set to true enables cluster mode # @param database_config # Hash of properties for configuring the [Rundeck Database](https://docs.rundeck.com/docs/administration/configuration/database) -# @param execution_mode -# If set, allows setting the execution mode to 'active' or 'passive'. # @param framework_config # Hash of properties for configuring the [Rundeck Framework](https://docs.rundeck.com/docs/administration/configuration/config-file-reference.html#framework-properties) -# Default value is located in data/common.yaml. # @param gui_config # Hash of properties for customizing the [Rundeck GUI](https://docs.rundeck.com/docs/administration/configuration/gui-customization.html) -# @param java_home -# Set the home directory of java. -# @param jvm_args -# Extra arguments for the JVM. -# @param key_storage_config -# An array with hashes of properties for customizing the [Rundeck Key Storage](https://docs.rundeck.com/docs/manual/key-storage/key-storage.html) -# @param keystore -# Full path to the java keystore to be used by Rundeck. -# @param keystore_password -# The password for the given keystore. -# @param log_properties_template -# The template used for log properties. Needs to be in epp format. # @param mail_config # A hash of the notification email configuraton. -# @param key_password -# The password used to protect the key in keystore. -# @param ssl_private_key -# Full path to the SSL private key to be used by Rundeck. -# @param ssl_certificate -# Full path to the SSL public key to be used by Rundeck. 
-# @param manage_default_admin_policy -# Boolean value if set to true enables default admin policy management -# @param manage_default_api_policy -# Boolean value if set to true enables default api policy management -# @param repo_config -# A hash of repository types and attributes for configuring the rundeck package repositories. -# Examples/defaults for yumrepo can be found at data/os/RedHat.yaml, and for apt at data/os/Debian.yaml -# @param manage_repo -# Whether to manage the package repository. Defaults to true. -# @param package_ensure -# Ensure the state of the rundeck package, either present, absent or a specific version +# @param security_config +# A hash of the rundeck security configuration. # @param preauthenticated_config -# A hash of the rundeck preauthenticated config mode +# A hash of the rundeck preauthenticated configuration. +# @param key_storage_config +# An array with hashes of properties for customizing the [Rundeck Key Storage](https://docs.rundeck.com/docs/manual/key-storage/key-storage.html) +# @param key_storage_encrypt_config +# An array with hashes of properties for customizing the [Rundeck Key Storage converter](https://docs.rundeck.com/docs/administration/configuration/plugins/configuring.html#storage-converter-plugins) # @param app_log_level # The log4j logging level to be set for the Rundeck application. # @param audit_log_level # The log4j logging level to be set for the Rundeck autorization. # @param config_template -# Allows you to override the rundeck-config template. -# @param manage_home -# Whether to manage rundeck home dir. Defaults to true. +# The template used for rundeck-config properties. Needs to be in epp format. # @param override_template -# Allows you to use your own override template for rundeck profile instead of the default from the package maintainer +# The template used for rundeck profile overrides. Needs to be in epp format. 
# @param realm_template -# Allows you to use your own override template for realm properties instead of the default from the package maintainer +# The template used for jaas realm properties. Needs to be in epp format. +# @param log_properties_template +# The template used for log properties. Needs to be in epp format. # @param rss_enabled # Boolean value if set to true enables RSS feeds that are public (non-authenticated) -# @param security_config -# A hash of the rundeck security configuration. # @param server_web_context # Web context path to use, such as "/rundeck". http://host.domain:port/server_web_context +# @param ssl_enabled +# Enable ssl for the rundeck web application. +# @param ssl_port +# Ssl port of the rundeck web application. +# @param ssl_certificate +# Full path to the SSL public key to be used by Rundeck. +# @param ssl_private_key +# Full path to the SSL private key to be used by Rundeck. +# @param key_password +# The password used to protect the key in keystore. +# @param keystore +# Full path to the java keystore to be used by Rundeck. +# @param keystore_password +# The password for the given keystore. +# @param truststore +# The full path to the java truststore to be used by Rundeck. +# @param truststore_password +# The password for the given truststore. # @param service_name # The name of the rundeck service. # @param service_ensure -# State of the rundeck service (defaults to 'running') +# State of the rundeck service. # @param service_logs_dir # The path to the directory to store service related logs. +# @param service_notify +# Wheter to notify and restart the rundeck service if config changes. # @param service_config # Allows you to use your own override template instead to config rundeckd init script. # @param service_script # Allows you to use your own override template instead of the default from the package maintainer for rundeckd init script. 
-# @param grails_server_url -# Sets `grails.serverURL` so that Rundeck knows its external address. -# @param ssl_enabled -# Enable ssl for the rundeck web application. -# @param ssl_port -# Ssl port of the rundeck web application (default to '4443'). -# @param truststore -# The full path to the java truststore to be used by Rundeck. -# @param truststore_password -# The password for the given truststore. -# @param user -# The user that rundeck is installed as. -# @param group -# The group permission that rundeck is installed as. -# @param manage_user -# Whether to manage `user` (and enforce `user_id` if set). Defaults to false. -# @param manage_group -# Whether to manage `group` (and enforce `group_id` if set). Defaults to false. -# @param user_id -# If you want to have always the same user id. Eg. because of the NFS share. -# @param group_id -# If you want to have always the same group id. Eg. because of the NFS share. -# @param key_storage_encrypt_config -# Hash containing the necessary values to configure a plugin for key storage encryption. -# https://docs.rundeck.com/docs/administration/configuration/plugins/configuring.html#storage-converter-plugins -# @param quartz_job_threadcount -# The maximum number of threads used by Rundeck for concurrent jobs by default is set to 10. 
# class rundeck ( - Array[Hash] $admin_policies, - Array[Hash] $api_policies, - Rundeck::Auth_config $auth_config, - Rundeck::Db_config $database_config, - Hash $framework_config, - Array[Hash] $key_storage_config, Stdlib::Absolutepath $override_dir, Hash $repo_config, - Boolean $manage_repo = true, - String $package_ensure = 'installed', - Boolean $manage_home = true, - String $user = 'rundeck', - String $group = 'rundeck', - Boolean $manage_user = false, - Boolean $manage_group = false, - Optional[Integer] $user_id = undef, - Optional[Integer] $group_id = undef, - Stdlib::HTTPUrl $grails_server_url = "http://${facts['networking']['fqdn']}:4440", - Boolean $clustermode_enabled = false, - Enum['active', 'passive'] $execution_mode = 'active', - Optional[Stdlib::Absolutepath] $java_home = undef, - String $jvm_args = '-Xmx1024m -Xms256m -server', - Integer $quartz_job_threadcount = 10, - Hash $gui_config = {}, - Rundeck::Mail_config $mail_config = {}, - Hash $security_config = {}, - Hash $preauthenticated_config = {}, - Hash $key_storage_encrypt_config = {}, + Boolean $manage_repo = true, + String $package_ensure = 'installed', + Boolean $manage_home = true, + String $user = 'rundeck', + String $group = 'rundeck', + Boolean $manage_user = false, + Boolean $manage_group = false, + Optional[Integer] $user_id = undef, + Optional[Integer] $group_id = undef, + Array[Hash] $admin_policies = [ + { + 'description' => 'Admin, all access', + 'context' => { 'project' => '.*' }, + 'for' => { + 'resource' => [{ 'allow' => '*' }], + 'adhoc' => [{ 'allow' => '*' }], + 'job' => [{ 'allow' => '*' }], + 'node' => [{ 'allow' => '*' }], + }, + 'by' => [{ 'group' => ['admin'] }], + }, + { + 'description' => 'Admin, all access', + 'context' => { 'application' => 'rundeck' }, + 'for' => { + 'project' => [{ 'allow' => '*' }], + 'resource' => [{ 'allow' => '*' }], + 'storage' => [{ 'allow' => '*' }], + }, + 'by' => [{ 'group' => ['admin'] }], + }, + ], + Array[Hash] $api_policies = [ + { + 
'description' => 'API project level access control', + 'context' => { 'project' => '.*' }, + 'for' => { + 'resource' => [ + { 'equals' => { 'kind' => 'job' }, 'allow' => ['create', 'delete'] }, + { 'equals' => { 'kind' => 'node' }, 'allow' => ['read', 'create', 'update', 'refresh'] }, + { 'equals' => { 'kind' => 'event' }, 'allow' => ['read', 'create'] }, + ], + 'adhoc' => [{ 'allow' => ['read', 'run', 'kill'] }], + 'job' => [{ 'allow' => ['read', 'create', 'update', 'delete', 'run', 'kill'] }], + 'node' => [{ 'allow' => ['read', 'run'] }], + }, + 'by' => [{ 'group' => ['api_token_group'] }], + }, + { + 'description' => 'API Application level access control', + 'context' => { 'application' => 'rundeck' }, + 'for' => { + 'project' => [{ 'match' => { 'name' => '.*' }, 'allow' => ['read'] }], + 'resource' => [{ 'equals' => { 'kind' => 'system' }, 'allow' => ['read'] }], + 'storage' => [{ 'match' => { 'path' => '(keys|keys/.*)' }, 'allow' => '*' }], + }, + 'by' => [{ 'group' => ['api_token_group'] }], + }, + ], Boolean $manage_default_admin_policy = true, - Boolean $manage_default_api_policy = true, - Rundeck::Loglevel $app_log_level = 'info', - Rundeck::Loglevel $audit_log_level = 'info', - String $config_template = 'rundeck/rundeck-config.properties.epp', - String $override_template = 'rundeck/profile_overrides.epp', - String $realm_template = 'rundeck/realm.properties.epp', - String $log_properties_template = 'rundeck/log4j2.properties.epp', - Boolean $rss_enabled = false, - Optional[String] $server_web_context = undef, - Boolean $ssl_enabled = false, - Stdlib::Port $ssl_port = 4443, - Stdlib::Absolutepath $ssl_certificate = '/etc/rundeck/ssl/rundeck.crt', - Stdlib::Absolutepath $ssl_private_key = '/etc/rundeck/ssl/rundeck.key', - Optional[String] $key_password = undef, - Stdlib::Absolutepath $keystore = '/etc/rundeck/ssl/keystore', - String $keystore_password = 'adminadmin', - Stdlib::Absolutepath $truststore = '/etc/rundeck/ssl/truststore', - String 
$truststore_password = 'adminadmin', - String $service_name = 'rundeckd', - Enum['stopped', 'running'] $service_ensure = 'running', - Stdlib::Absolutepath $service_logs_dir = '/var/log/rundeck', - Optional[String] $service_config = undef, - Optional[String] $service_script = undef, + Boolean $manage_default_api_policy = true, + Stdlib::HTTPUrl $grails_server_url = "http://${facts['networking']['fqdn']}:4440", + Boolean $clustermode_enabled = false, + Enum['active', 'passive'] $execution_mode = 'active', + Optional[Stdlib::Absolutepath] $java_home = undef, + String $jvm_args = '-Xmx1024m -Xms256m -server', + Integer $quartz_job_threadcount = 10, + Rundeck::Auth_config $auth_config = { + 'file' => { + 'auth_flag' => 'required', + 'jaas_config' => { + 'file' => '/etc/rundeck/realm.properties', + }, + 'realm_config' => { + 'admin_user' => 'admin', + 'admin_password' => 'admin', + 'auth_users' => {}, + }, + }, + }, + Rundeck::Db_config $database_config = { 'url' => 'jdbc:h2:file:/var/lib/rundeck/data/rundeckdb' }, + Hash $framework_config = { + 'rdeck.base' => '/var/lib/rundeck', + 'framework.server.hostname' => $facts['networking']['hostname'], + 'framework.server.name' => $facts['networking']['fqdn'], + 'framework.server.port' => '4440', + 'framework.server.url' => "http://${facts['networking']['fqdn']}:4440", + 'framework.etc.dir' => '/etc/rundeck', + 'framework.libext.dir' => '/var/lib/rundeck/libext', + 'framework.ssh.keypath' => '/var/lib/rundeck/.ssh/id_rsa', + 'framework.ssh.user' => 'rundeck', + 'framework.ssh.timeout' => '0', + 'rundeck.server.uuid' => fqdn_uuid($facts['networking']['fqdn']), + }, + Hash $gui_config = {}, + Rundeck::Mail_config $mail_config = {}, + Hash $security_config = {}, + Hash $preauthenticated_config = {}, + Rundeck::Key_storage_config $key_storage_config = [{ 'type' => 'db', 'path' => 'keys' }], + Array[Hash] $key_storage_encrypt_config = [{}], + Rundeck::Loglevel $app_log_level = 'info', + Rundeck::Loglevel $audit_log_level = 'info', 
+ String $config_template = 'rundeck/rundeck-config.properties.epp', + String $override_template = 'rundeck/profile_overrides.epp', + String $realm_template = 'rundeck/realm.properties.epp', + String $log_properties_template = 'rundeck/log4j2.properties.epp', + Boolean $rss_enabled = false, + Optional[String] $server_web_context = undef, + Boolean $ssl_enabled = false, + Stdlib::Port $ssl_port = 4443, + Stdlib::Absolutepath $ssl_certificate = '/etc/rundeck/ssl/rundeck.crt', + Stdlib::Absolutepath $ssl_private_key = '/etc/rundeck/ssl/rundeck.key', + Optional[String] $key_password = undef, + Stdlib::Absolutepath $keystore = '/etc/rundeck/ssl/keystore', + String $keystore_password = 'adminadmin', + Stdlib::Absolutepath $truststore = '/etc/rundeck/ssl/truststore', + String $truststore_password = 'adminadmin', + String $service_name = 'rundeckd', + Enum['stopped', 'running'] $service_ensure = 'running', + Stdlib::Absolutepath $service_logs_dir = '/var/log/rundeck', + Boolean $service_notify = true, + Optional[String] $service_config = undef, + Optional[String] $service_script = undef, ) { validate_rd_policy($admin_policies) validate_rd_policy($api_policies) @@ -168,7 +240,13 @@ contain rundeck::config contain rundeck::service - Class['rundeck::install'] - -> Class['rundeck::config'] - ~> Class['rundeck::service'] + if $service_notify { + Class['rundeck::install'] + -> Class['rundeck::config'] + ~> Class['rundeck::service'] + } else { + Class['rundeck::install'] + -> Class['rundeck::config'] + -> Class['rundeck::service'] + } } diff --git a/spec/classes/config/global/aclpolicyfile_spec.rb b/spec/classes/config/aclpolicyfile_spec.rb similarity index 100% rename from spec/classes/config/global/aclpolicyfile_spec.rb rename to spec/classes/config/aclpolicyfile_spec.rb 
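Review bot: In the `else` branch the plain `->` chain means that with `service_notify => false` the files written by `rundeck::config` (per the specs in this series: the JAAS login-module config, ACL policy files, rundeck-config.properties) are updated but rundeckd is never restarted, so a rotated admin password or a tightened ACL stays inactive until someone restarts the service by hand. That is a legitimate opt-out, but it needs an explicit caveat on the parameter; the `@param service_notify` entry lives in the class header outside this hunk and should say something like `#   When false, changes to auth (realm/JAAS) and ACL files are not applied until rundeckd is restarted manually.` The duplicated chain can also be collapsed: keep `Class['rundeck::install'] -> Class['rundeck::config'] -> Class['rundeck::service']` unconditionally and add `if $service_notify { Class['rundeck::config'] ~> Class['rundeck::service'] }`.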
diff --git a/spec/classes/config/global/framework_spec.rb b/spec/classes/config/framework_spec.rb similarity index 100% rename from spec/classes/config/global/framework_spec.rb rename to spec/classes/config/framework_spec.rb diff --git a/spec/classes/config/global/gui_config_spec.rb b/spec/classes/config/global/gui_config_spec.rb deleted file mode 100644 index 5d1cbbc72..000000000 --- a/spec/classes/config/global/gui_config_spec.rb +++ /dev/null @@ -1,30 +0,0 @@ -# frozen_string_literal: true - -require 'spec_helper' - -describe 'rundeck' do - on_supported_os.each do |os, os_facts| - context "on #{os}" do - let(:facts) { os_facts } - let(:params) do - { - gui_config: { - 'rundeck.gui.title' => 'Test title', - 'rundeck.gui.brand.html' => 'App', - 'rundeck.gui.logo' => 'test-logo.png', - 'rundeck.gui.login.welcome' => 'Weclome to Rundeck' - } - } - end - - # content and meta data for passwords - it 'generates gui_config content for rundeck-config.groovy' do - is_expected.to contain_file('/etc/rundeck/rundeck-config.groovy'). - with_content(%r{rundeck.gui.title = "Test title"}). - with_content(%r{rundeck.gui.brand.html = "App"}). - with_content(%r{rundeck.gui.logo = "test-logo.png"}). - with_content(%r{rundeck.gui.login.welcome = "Weclome to Rundeck"}) - end - end - end -end diff --git a/spec/classes/config/global/rundeck_config_spec.rb b/spec/classes/config/global/rundeck_config_spec.rb deleted file mode 100644 index 966259472..000000000 --- a/spec/classes/config/global/rundeck_config_spec.rb +++ /dev/null 
@@ -1,143 +0,0 @@ -# frozen_string_literal: true - -require 'spec_helper' - -describe 'rundeck' do - on_supported_os.each do |os, facts| - context "on #{os}" do - let :facts do - facts - end - - describe "rundeck::config::global::rundeck_config class with use hmac request tokens parameter on #{os}" do - value = true - security_hash = { - 'useHMacRequestTokens' => value - } - let(:params) { { security_config: security_hash } } - - it { is_expected.to contain_file('/etc/rundeck/rundeck-config.groovy').with_content(%r{rundeck\.security\.useHMacRequestTokens = #{value}}) } - end - - describe "rundeck::config::global::rundeck_config class with use api cookie access parameter on #{os}" do - value = true - security_hash = { - 'apiCookieAccess' => value - } - let(:params) { { security_config: security_hash } } - - it { is_expected.to contain_file('/etc/rundeck/rundeck-config.groovy').with_content(%r{rundeck\.security\.apiCookieAccess\.enabled = #{value}}) } - end - - describe "rundeck::config::global::rundeck_config class with api tokens duration parameter on #{os}" do - duration = '0' - security_hash = { - 'apiTokensDuration' => duration - } - let(:params) { { security_config: security_hash } } - - it { is_expected.to contain_file('/etc/rundeck/rundeck-config.groovy').with_content(%r{rundeck\.api\.tokens\.duration\.max = "#{duration}"}) } - end - - describe "rundeck::config::global::rundeck_config class with csrf referrer filter method parameter on #{os}" do - value = 'NONE' - security_hash = { - 'csrfRefererFilterMethod' => value - } - let(:params) { { security_config: security_hash } } - - it { is_expected.to contain_file('/etc/rundeck/rundeck-config.groovy').with_content(%r{rundeck\.security\.csrf\.referer\.filterMethod = #{value}}) } - end - - describe "rundeck::config::global::rundeck_config class with csrf referrer require https parameter on #{os}" do - value = true - security_hash = { - 'csrfRefererRequireHttps' => value - } - let(:params) { { security_config: 
security_hash } } - - it { is_expected.to contain_file('/etc/rundeck/rundeck-config.groovy').with_content(%r{rundeck\.security\.csrf\.referer\.requireHttps = #{value}}) } - end - - describe "rundeck::config::global::rundeck_config class with no security parameters on #{os}" do - bool_value = true - filter_method_parameter = 'NONE' - duration = '0' - security_hash = {} - let(:params) { { security_config: security_hash } } - - it { is_expected.not_to contain_file('/etc/rundeck/rundeck-config.groovy').with_content(%r{rundeck\.security\.useHMacRequestTokens = #{bool_value}}) } - it { is_expected.not_to contain_file('/etc/rundeck/rundeck-config.groovy').with_content(%r{rundeck\.security\.apiCookieAccess\.enabled = #{bool_value}}) } - it { is_expected.not_to contain_file('/etc/rundeck/rundeck-config.groovy').with_content(%r{rundeck\.api\.tokens\.duration\.max = "#{duration}"}) } - it { is_expected.not_to contain_file('/etc/rundeck/rundeck-config.groovy').with_content(%r{rundeck\.security\.csrf\.referer\.filterMethod = #{filter_method_parameter}}) } - it { is_expected.not_to contain_file('/etc/rundeck/rundeck-config.groovy').with_content(%r{rundeck\.security\.csrf\.referer\.allowApi = #{bool_value}}) } - it { is_expected.not_to contain_file('/etc/rundeck/rundeck-config.groovy').with_content(%r{rundeck\.security\.csrf\.referer\.requireHttps = #{bool_value}}) } - end - - describe "rundeck::config::global::rundeck_config class without any parameters on #{os}" do - let(:params) { {} } - - default_config = <<-CONFIG.gsub(%r{[^\S\n]{10}}, '') - loglevel.default = "INFO" - rdeck.base = "/var/lib/rundeck" - rss.enabled = "false" - rundeck.log4j.config.file = "/etc/rundeck/log4j.properties" - - rundeck.security.useHMacRequestTokens = true - rundeck.security.apiCookieAccess.enabled = true - - dataSource { - dbCreate = "update" - url = "jdbc:h2:file:/var/lib/rundeck/data/rundeckdb" - } - - grails.serverURL = "http://foo.example.com:4440" - rundeck.clusterMode.enabled = "false" - - 
rundeck.storage.provider."1".type = "file" - rundeck.storage.provider."1".path = "/" - rundeck.storage.provider."1".config.baseDir = "/var/lib/rundeck/var/storage" - - - rundeck.security.authorization.preauthenticated.enabled = "false" - rundeck.security.authorization.preauthenticated.attributeName = "REMOTE_USER_GROUPS" - rundeck.security.authorization.preauthenticated.delimiter = ":" - rundeck.security.authorization.preauthenticated.userNameHeader = "X-Forwarded-Uuid" - rundeck.security.authorization.preauthenticated.userRolesHeader = "X-Forwarded-Roles" - rundeck.security.authorization.preauthenticated.redirectLogout = "false" - rundeck.security.authorization.preauthenticated.redirectUrl = "/oauth2/sign_in" - - CONFIG - - it { is_expected.to contain_file('/etc/rundeck/rundeck-config.groovy').with('content' => default_config) } - end - - describe "rundeck::config::global::rundeck_config class with execution mode parameter 'active' on #{os}" do - let(:params) { { execution_mode: 'active' } } - - it { is_expected.to contain_file('/etc/rundeck/rundeck-config.groovy').with_content(%r{rundeck\.executionMode = "active"}) } - end - - describe "rundeck::config::global::rundeck_config class with execution mode parameter 'passive' on #{os}" do - let(:params) { { execution_mode: 'passive' } } - - it { is_expected.to contain_file('/etc/rundeck/rundeck-config.groovy').with_content(%r{rundeck\.executionMode = "passive"}) } - end - - describe "rundeck::config::global::rundeck_config class with key storage encryption on #{os}" do - storage_encrypt_config_hash = { - 'type' => 'thetype', - 'path' => '/storagepath', - 'config.encryptionType' => 'basic', - 'config.password' => 'verysecure' - } - let(:params) { { storage_encrypt_config: storage_encrypt_config_hash } } - - it { is_expected.to contain_file('/etc/rundeck/rundeck-config.groovy').with_content(%r{rundeck\.storage\.converter\."1"\.type = "thetype"}) } - it { is_expected.to 
contain_file('/etc/rundeck/rundeck-config.groovy').with_content(%r{rundeck\.storage\.converter\."1"\.path = "/storagepath"}) } - it { is_expected.to contain_file('/etc/rundeck/rundeck-config.groovy').with_content(%r{rundeck\.storage\.converter\."1"\.config\.encryptionType = "basic"}) } - it { is_expected.to contain_file('/etc/rundeck/rundeck-config.groovy').with_content(%r{rundeck\.storage\.converter\."1"\.config\.password = "verysecure"}) } - end - end - end -end diff --git a/spec/classes/config/global/service_restart_spec.rb b/spec/classes/config/global/service_restart_spec.rb deleted file mode 100644 index 10164217d..000000000 --- a/spec/classes/config/global/service_restart_spec.rb +++ /dev/null @@ -1,31 +0,0 @@ -# frozen_string_literal: true - -require 'spec_helper' - -describe 'rundeck' do - on_supported_os.each do |os, facts| - context "on #{os}" do - let :facts do - facts - end - - describe 'with empty params' do - let(:params) do - {} - end - - it { is_expected.to contain_file('/etc/rundeck/rundeck-config.groovy').that_notifies('Service[rundeckd]') } - end - - describe 'with service_restart false' do - let(:params) do - { - service_restart: false - } - end - - it { is_expected.to contain_file('/etc/rundeck/rundeck-config.groovy').without_notify } - end - end - end -end diff --git a/spec/classes/config/global/auth_spec.rb b/spec/classes/config/jaas_auth_spec.rb similarity index 100% rename from spec/classes/config/global/auth_spec.rb rename to spec/classes/config/jaas_auth_spec.rb diff --git a/spec/classes/config/global/ssl_spec.rb b/spec/classes/config/ssl_spec.rb similarity index 100% rename from spec/classes/config/global/ssl_spec.rb rename to spec/classes/config/ssl_spec.rb diff --git a/spec/classes/config_spec.rb b/spec/classes/config_spec.rb index a613ac5fa..7f3ed976f 100644 --- a/spec/classes/config_spec.rb +++ b/spec/classes/config_spec.rb 
@@ -6,7 +6,7 @@ on_supported_os.each do |os, facts| context "on #{os}" do overrides = '/etc/default/rundeckd' - overrides = '/etc/sysconfig/rundeckd' if %w[RedHat Amazon].include? facts[:os]['family'] + overrides = '/etc/sysconfig/rundeckd' if %w[RedHat].include? facts[:os]['family'] let :facts do facts 
@@ -15,61 +15,54 @@ describe "rundeck::config class without any parameters on #{os}" do it { is_expected.to contain_file('/var/lib/rundeck').with('ensure' => 'directory') } it { is_expected.to contain_file('/var/lib/rundeck/libext').with('ensure' => 'directory') } - it { is_expected.to contain_class('rundeck::config::global::framework') } - it { is_expected.to contain_class('rundeck::config::global::project') } - it { is_expected.to contain_class('rundeck::config::global::rundeck_config') } - it { is_expected.to contain_file('/etc/rundeck').with('ensure' => 'directory') } - it { is_expected.to contain_file('/etc/rundeck/jaas-auth.conf') } + it { is_expected.to contain_file('/etc/rundeck/log4j2.properties') } - it 'generates valid content for jaas-auth.conf' do - content = catalogue.resource('file', '/etc/rundeck/jaas-auth.conf')[:content] - expect(content).to include('PropertyFileLoginModule') - expect(content).to include('/etc/rundeck/realm.properties') + it 'generates valid content for log4j2.propertiess' do + content = catalogue.resource('file', '/etc/rundeck/log4j2.properties')[:content] + expect(content).to include('property.baseDir = /var/log/rundeck') end - it { is_expected.to contain_file('/etc/rundeck/realm.properties') } - - it 'generates valid content for realm.properties' do - content = catalogue.resource('file', '/etc/rundeck/realm.properties')[:content] - expect(content).to include('admin:admin,user,admin,architect,deploy,build') - end - - it { is_expected.to contain_file('/etc/rundeck/log4j.properties') } - - it 'generates valid content for log4j.propertiess' do - content = catalogue.resource('file', '/etc/rundeck/log4j.properties')[:content] - expect(content).to include('log4j.appender.server-logger.file=/var/log/rundeck/rundeck.log') - end + it { is_expected.to contain_rundeck__config__aclpolicyfile('admin') } + it { is_expected.to contain_rundeck__config__aclpolicyfile('apitoken') } - it { is_expected.not_to contain_file('/etc/rundeck/profile') } 
it { is_expected.to contain_file(overrides) } it 'generates valid content for the profile overrides file' do content = catalogue.resource('file', overrides)[:content] expect(content).to include('RDECK_BASE=/var/lib/rundeck') expect(content).to include('RDECK_CONFIG=/etc/rundeck') - expect(content).to include('RDECK_INSTALL=/var/lib/rundeck') - expect(content).to include('JAAS_CONF=$RDECK_CONFIG/jaas-auth.conf') + expect(content).to include('RDECK_CONFIG_FILE=$RDECK_CONFIG/rundeck-config.properties') + expect(content).to include('RDECK_INSTALL=$RDECK_BASE') expect(content).to include('LOGIN_MODULE=authentication') expect(content).to include('RDECK_JVM_SETTINGS="-Xmx1024m -Xms256m -server"') + expect(content).to include('RDECK_HTTP_PORT=4440') end - it { is_expected.to contain_rundeck__config__aclpolicyfile('admin') } - it { is_expected.to contain_rundeck__config__aclpolicyfile('apitoken') } - end - - describe 'rundeck::config with rdeck_profile_template set' do - template = 'rundeck/../spec/fixtures/files/profile.template' - let(:params) { { rdeck_profile_template: template } } - - it { is_expected.to contain_file('/etc/rundeck/profile') } + it { is_expected.to contain_class('rundeck::config::jaas_auth') } + it { is_expected.to contain_class('rundeck::config::framework') } + + it { is_expected.to contain_file('/etc/project.properties').with('ensure' => 'absent') } + it { is_expected.to contain_file('/etc/rundeck-config.properties').with('ensure' => 'file') } + + it 'generates valid content for rundeck-config.properties' do + content = catalogue.resource('file', '/etc/rundeck/rundeck-config.properties')[:content] + expect(content).to include('loglevel.default = info') + expect(content).to include('rdeck.base = /var/lib/rundeck') + expect(content).to include('rss.enabled = false') + expect(content).to include('rundeck.clusterMode.enabled = false') + expect(content).to include('rundeck.executionMode = active') + expect(content).to include('quartz.threadPool.threadCount 
= 10') + expect(content).to include('dataSource.url = jdbc:h2:file:/var/lib/rundeck/data/rundeckdb') + expect(content).to include('rundeck.storage.provider.1.type = db') + expect(content).to include('rundeck.storage.provider.1.path = keys') + end end - describe 'rundeck::config with rdeck_override_template set' do + describe 'rundeck::config with override_template set' do template = 'rundeck/../spec/fixtures/files/override.template' - let(:params) { { rdeck_override_template: template } } + let(:params) { { override_template: template } } it { is_expected.to contain_file(overrides) } @@ -90,19 +83,6 @@ expect(content).to include("RDECK_JVM_SETTINGS=\"#{jvm_args}\"") end end - - describe 'rundeck::config with manage_home=false with external homedir file resource' do - let(:pre_condition) { 'File{"/var/lib/rundeck": ensure => directory }' } - let(:params) { { manage_home: false } } - - it { is_expected.to contain_file('/var/lib/rundeck').that_comes_before('File[/var/lib/rundeck/.ssh/id_rsa]') } - end - - describe 'rundeck::config with manage_home=false but no external homedir file resource' do - let(:params) { { manage_home: false } } - - it { is_expected.to raise_error(Puppet::PreformattedError, %r{when rundeck::manage_home = false a file definition for the home directory must be included outside of this module.}) } - end end end end diff --git a/templates/aclpolicy.epp b/templates/aclpolicy.epp index 7274971dc..0563c3f91 100644 --- a/templates/aclpolicy.epp +++ b/templates/aclpolicy.epp 
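Review bot: The two new file expectations use `'/etc/project.properties'` and `'/etc/rundeck-config.properties'`, while the content check a few lines later reads `'/etc/rundeck/rundeck-config.properties'`; the first two appear to have lost the `rundeck/` directory component and will only pass if the module really manages files directly under `/etc`, which nothing else in this spec suggests. They should read `it { is_expected.to contain_file('/etc/rundeck/project.properties').with('ensure' => 'absent') }` and `it { is_expected.to contain_file('/etc/rundeck/rundeck-config.properties').with('ensure' => 'file') }`. Note also that the old assertion on realm.properties content (`admin:admin,...`) was dropped here without a replacement in this file, so the default admin credential line is, as far as this spec goes, no longer pinned; if jaas_auth_spec.rb does not cover it, a check belongs there.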
@@ -1,43 +1,46 @@ -<% @acl_policies.each_with_index |$policy, $index| { -%> -description: '<%= $policy['description'] %>' +<%- $_acl_policies.each |$_index, $_policy| { -%> +description: <%= $_policy['description'] %> context: - <%= $policy['context'].keys[0] %>: '<%= $policy['context'].values[0] %>' + <%= $_policy['context'].keys[0] %>: "<%= $_policy['context'].values[0] %>" for: -<% $policy['for'].each |$resource, $kind| { -%> - <%= $resource %>: - <%- $kind.each |$rules| { -%> - <% $first_key = true -%> - <% $rules.each |$type, $action| { -%> - <% if ["allow", "deny"].include?($type) -%> - <% if $first_key -%>-<%- else %> <% end -%> <%= $type %>: <% if $action.is_a? String -%>'<%= $action %>'<%-else-%><%= $action %><%-end%> - <% elsif ["match", "equals", "contains", "subset"].include?($type) -%> - <% if $first_key -%>-<%- else %> <% end -%> <%= $type %>: - <% $action.each |$k, $v| { -%> - <%= $k %>: <% if $v.is_a? String -%>'<%= $v %>'<%-else-%><%= $v %><%-end%> - <% } -%> - <% end -%> - <% $first_key = false -%> +<%- $_policy['for'].each |$_resource, $_kind| { -%> + <%= $_resource %>: + <%- $_kind.each |$_rules| { -%> + <%- $_rules.each |$_type, $_action| { -%> + <%- if keys($_rules)[0] == $_type { -%> + <%- $_first_key = '- ' -%> + <% } else { -%> + <%- $_first_key = ' ' -%> <% } -%> - <% } -%> -<% } -%> + <%- if $_type in ['allow', 'deny'] { -%> + <%= $_first_key %><%= $_type %>: <% if $_action =~ String { -%>'<%= $_action %>'<% } else { -%><%= $_action %><%- } %> + <%- } elsif $_type in ['match', 'equals', 'contains', 'subset'] { -%> + <%= $_first_key %><%= $_type %>: + <%- $_action.each |$_k, $_v| { -%> + <%= $_k %>: <% if $_v =~ String { -%>'<%= $_v %>'<% } else { -%><%= $_v %><%- } %> + <%- } -%> + <%- } -%> + <%- } -%> + <%- } -%> +<%- } -%> by: -<% $policy['by'].each |$by| { -%> -<% if !$by['group'].nil? 
&& $by['group'] != :undef -%> +<%- $_policy['by'].each |$_by| { -%> +<%- if $_by['group'] { -%> group: - <% $by['group'].each |$group| { -%> - - '<%= $group %>' - <% } -%> -<% end -%> -<% if !$by['username'].nil? && $by['username'] != :undef -%> + <%- $_by['group'].each |$_group| { -%> + - '<%= $_group %>' + <%- } -%> +<%- } -%> +<%- if $_by['username'] { -%> username: - <% $by['username'].each |$username| { -%> - - '<%= $username %>' - <% } -%> -<% end -%> -<% } -%> -<% if $index != (@acl_policies.length-1) -%> + <%- $_by['username'].each |$_username| { -%> + - '<%= $_username %>' + <%- } -%> +<%- } -%> +<%- } -%> +<%- if $_index != ( $_acl_policies.length -1 ) {-%> --- -<% end -%> -<% } -%> +<%- } -%> +<%- } -%> diff --git a/templates/aclpolicy.erb b/templates/aclpolicy.erb deleted file mode 100644 index 0fbfe46e7..000000000 --- a/templates/aclpolicy.erb +++ /dev/null 
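Review bot: `description: <%= $_policy['description'] %>` now emits the value unquoted and the `context:` value switches to double quotes, which makes the generated ACL YAML fragile: a description containing `: ` or ` #`, or a context regex carrying a backslash escape (`\.`, `\d`) inside double quotes, yields invalid or silently different YAML, and the policy file is then rejected or misread by Rundeck. Keep the single-quoted form the rest of this template uses: `description: '<%= $_policy['description'] %>'` and `<%= $_policy['context'].keys[0] %>: '<%= $_policy['context'].values[0] %>'`, doubling any embedded `'` (e.g. `<%= regsubst($_policy['description'], "'", "''", 'G') %>`). Because these files decide who may run jobs and read key storage, a policy that fails to load is a security-relevant failure, so an rspec case whose description contains `:` is worth adding.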
@@ -1,43 +0,0 @@ -<%- @acl_policies.each_with_index do |policy, index| -%> -description: '<%= policy['description'] %>' -context: - <%= policy['context'].keys[0] %>: '<%= policy['context'].values[0] %>' -for: -<%- policy['for'].each do |resource,kind| -%> - <%= resource %>: - <%- kind.each do |rules| -%> - <%- first_key = true -%> - <%- rules.each do |type, action| -%> - <%- if %w( allow deny ).include?(type) -%> - <% if first_key -%>-<%- else %> <% end -%> <%= type %>: <%- if action.is_a? String -%>'<%= action %>'<%-else-%><%= action %><%-end%> - <%- elsif %w( match equals contains subset ).include?(type) -%> - <% if first_key -%>-<%- else %> <% end -%> <%= type %>: - <%- action.each do |k,v| -%> - <%= k %>: <%- if v.is_a? String -%>'<%= v %>'<%-else-%><%= v %><%-end%> - <%- end -%> - <%- end -%> - <%- first_key = false -%> - <%- end -%> - <%- end -%> -<%- end -%> -by: -<%- policy['by'].each do |by| -%> -<%- if !by['group'].nil? && by['group'] != :undef -%> - group: - <%- by['group'].each do |group| -%> - - '<%= group %>' - <%- end -%> -<%- end -%> -<%- if !by['username'].nil? && by['username'] != :undef -%> - username: - <%- by['username'].each do |username| -%> - - '<%= username %>' - <%- end -%> -<%- end -%> -<%- end -%> -<%- if index != (@acl_policies.length-1) -%> - ---- - -<%- end -%> -<%- end -%> diff --git a/templates/jaas-auth.conf.epp b/templates/jaas-auth.conf.epp index 4d71665db..0d4615339 100644 --- a/templates/jaas-auth.conf.epp +++ b/templates/jaas-auth.conf.epp 
@@ -3,31 +3,31 @@ authentication { <%- if $_type == 'file' { -%> <%- if $_auth_config['file']['auth_flag'] {-%> org.eclipse.jetty.jaas.spi.PropertyFileLoginModule <%= $_auth_config['file']['auth_flag'] %> -<%-} else {-%> +<%- } else {-%> org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required -<%-}-%> -<%- $_auth_config['file']['jaas_config'].each |$_key, $_value| {-%> - <%= $_key -%>="<%= $_value -%>" -<%-}-%>; +<%- }-%> +<%- $_auth_config['file']['jaas_config'].each |$_k, $_v| {-%> + <%= $_k -%>=<% if keys($_auth_config['file']['jaas_config'])[-1] == $_key { -%>"<%= $_v %>";<% } else { -%>"<%= $_v %>"<%- } %> +<%- }-%>; <%- } elsif $_type == 'ldap' { -%> <%- if $_auth_config['ldap']['auth_flag'] {-%> com.dtolabs.rundeck.jetty.jaas.<%= $_ldap_login_module %> <%= $_auth_config['ldap']['auth_flag'] %> -<%-} else {-%> +<%- } else {-%> com.dtolabs.rundeck.jetty.jaas.<%= $_ldap_login_module %> required -<%-}-%> +<%- }-%> contextFactory="com.sun.jndi.ldap.LdapCtxFactory" <%- $_auth_config['ldap']['jaas_config'].each |$_key, $_value| {-%> - <%= $_key -%>="<%= $_value -%>" -<%-}-%>; + <%= $_k -%>=<% if keys($_auth_config['ldap']['jaas_config'])[-1] == $_key { -%>"<%= $_v %>";<% } else { -%>"<%= $_v %>"<%- } %> +<%- }-%>; <%- } elsif $_type == 'pam' { -%> <%- if $_auth_config['pam']['auth_flag'] {-%> org.rundeck.jaas.jetty.JettyPamLoginModule <%= $_auth_config['pam']['auth_flag'] %> -<%-} else {-%> +<%- } else {-%> org.rundeck.jaas.jetty.JettyPamLoginModule required -<%-}-%> +<%- }-%> <%- $_auth_config['pam']['jaas_config'].each |$_key, $_value| {-%> - <%= $_key -%>="<%= $_value -%>" -<%-}-%>; + <%= $_k -%>=<% if keys($_auth_config['pam']['jaas_config'])[-1] == $_key { -%>"<%= $_v %>";<% } else { -%>"<%= $_v %>"<%- } %> +<%- }-%> <%- } -%> <%- } -%> }; diff --git a/templates/profile_overrides.epp b/templates/profile_overrides.epp index ac6e4569a..dd9c49f69 100644 --- a/templates/profile_overrides.epp +++ b/templates/profile_overrides.epp 
@@ -1,14 +1,14 @@ RDECK_BASE="<%= $rundeck::config::base_dir %>" RDECK_CONFIG="<%= $rundeck::config::properties_dir %>" -RDECK_CONFIG_FILE="${RDECK_CONFIG}/rundeck-config.properties" -RDECK_INSTALL="${RDECK_BASE}" +RDECK_CONFIG_FILE="$RDECK_CONFIG/rundeck-config.properties" +RDECK_INSTALL="$RDECK_BASE" LOGIN_MODULE=authentication JAVA_CMD=java RDECK_JVM_SETTINGS="<%= $rundeck::jvm_args %>" <% if $rundeck::ssl_enabled { -%> RDECK_HTTP_PORT=<%= $rundeck::ssl_port %> -RDECK_JVM_SETTINGS="$RDECK_JVM_SETTINGS -Drundeck.ssl.config=${RDECK_CONFIG}/ssl/ssl.properties" +RDECK_JVM_SETTINGS="$RDECK_JVM_SETTINGS -Drundeck.ssl.config=$RDECK_CONFIG/ssl/ssl.properties" <% } else { -%> RDECK_HTTP_PORT=<%= $rundeck::config::framework_config['framework.server.port'] %> <% } -%> diff --git a/types/key_storage_config.pp b/types/key_storage_config.pp new file mode 100644 index 000000000..25a146a45 --- /dev/null +++ b/types/key_storage_config.pp @@ -0,0 +1,8 @@ +# Rundeck key storage config type. +type Rundeck::Key_storage_config = Array[ + Struct[{ + 'type' => String, + 'path' => String, + Optional['config'] => Hash, + }] +] diff --git a/types/sourcetype.pp b/types/sourcetype.pp deleted file mode 100644 index 5215800d4..000000000 --- a/types/sourcetype.pp +++ /dev/null @@ -1,2 +0,0 @@ -# Rundeck sourcetype type. -type Rundeck::Sourcetype = Enum['file', 'directory', 'url', 'script', 'aws-ec2', 'puppet-enterprise'] From b9245222a8219c576ca3c18c552fe4c5209e8570 Mon Sep 17 00:00:00 2001 From: Joris29 Date: Mon, 27 Nov 2023 15:13:48 +0100 Subject: [PATCH 60/82] Update jaas auth template --- templates/jaas-auth.conf.epp | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/templates/jaas-auth.conf.epp b/templates/jaas-auth.conf.epp index 0d4615339..c937f1d55 100644 --- a/templates/jaas-auth.conf.epp +++ b/templates/jaas-auth.conf.epp 
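Review bot: `Rundeck::Key_storage_config` types `type` and `path` as plain `String`, so an empty value passes validation and is rendered as a provider with no type (`rundeck.storage.provider.1.type = db` is what the spec in this series expects), leaving the key-storage backend mis-configured at runtime rather than at catalog compile time. `String[1]` catches that early: `'type' => String[1],` and `'path' => String[1],`.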
@@ -1,33 +1,33 @@ authentication { <%- $_auth_config.keys.each |$_type| { -%> <%- if $_type == 'file' { -%> -<%- if $_auth_config['file']['auth_flag'] {-%> +<%- if $_auth_config['file']['auth_flag'] { -%> org.eclipse.jetty.jaas.spi.PropertyFileLoginModule <%= $_auth_config['file']['auth_flag'] %> -<%- } else {-%> +<%- } else { -%> org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required -<%- }-%> -<%- $_auth_config['file']['jaas_config'].each |$_k, $_v| {-%> - <%= $_k -%>=<% if keys($_auth_config['file']['jaas_config'])[-1] == $_key { -%>"<%= $_v %>";<% } else { -%>"<%= $_v %>"<%- } %> -<%- }-%>; +<%- } -%> +<%- $_auth_config['file']['jaas_config'].each |$_k, $_v| { -%> + <%= $_k -%>=<% if keys($_auth_config['file']['jaas_config'])[-1] == $_k { -%>"<%= $_v %>";<% } else { -%>"<%= $_v %>"<%- } %> +<%- } -%> <%- } elsif $_type == 'ldap' { -%> -<%- if $_auth_config['ldap']['auth_flag'] {-%> +<%- if $_auth_config['ldap']['auth_flag'] { -%> com.dtolabs.rundeck.jetty.jaas.<%= $_ldap_login_module %> <%= $_auth_config['ldap']['auth_flag'] %> -<%- } else {-%> +<%- } else { -%> com.dtolabs.rundeck.jetty.jaas.<%= $_ldap_login_module %> required -<%- }-%> +<%- } -%> contextFactory="com.sun.jndi.ldap.LdapCtxFactory" -<%- $_auth_config['ldap']['jaas_config'].each |$_key, $_value| {-%> - <%= $_k -%>=<% if keys($_auth_config['ldap']['jaas_config'])[-1] == $_key { -%>"<%= $_v %>";<% } else { -%>"<%= $_v %>"<%- } %> -<%- }-%>; +<%- $_auth_config['ldap']['jaas_config'].each |$_k, $_v| { -%> + <%= $_k -%>=<% if keys($_auth_config['ldap']['jaas_config'])[-1] == $_k { -%>"<%= $_v %>";<% } else { -%>"<%= $_v %>"<%- } %> +<%- } -%> <%- } elsif $_type == 'pam' { -%> -<%- if $_auth_config['pam']['auth_flag'] {-%> +<%- if $_auth_config['pam']['auth_flag'] { -%> org.rundeck.jaas.jetty.JettyPamLoginModule <%= $_auth_config['pam']['auth_flag'] %> -<%- } else {-%> +<%- } else { -%> org.rundeck.jaas.jetty.JettyPamLoginModule required -<%- }-%> -<%- $_auth_config['pam']['jaas_config'].each 
|$_key, $_value| {-%> - <%= $_k -%>=<% if keys($_auth_config['pam']['jaas_config'])[-1] == $_key { -%>"<%= $_v %>";<% } else { -%>"<%= $_v %>"<%- } %> -<%- }-%> +<%- } -%> +<%- $_auth_config['pam']['jaas_config'].each |$_k, $_v| { -%> + <%= $_k -%>=<% if keys($_auth_config['pam']['jaas_config'])[-1] == $_k { -%>"<%= $_v %>";<% } else { -%>"<%= $_v %>"<%- } %> +<%- } -%> <%- } -%> <%- } -%> }; From 05702d44d573b7850fedfaff883ff1aa10d776ba Mon Sep 17 00:00:00 2001 From: Joris29 Date: Mon, 27 Nov 2023 15:26:37 +0100 Subject: [PATCH 61/82] Update config.pp --- manifests/config.pp | 2 +- manifests/init.pp | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/manifests/config.pp b/manifests/config.pp index aeabcd345..5b14fac8e 100644 --- a/manifests/config.pp +++ b/manifests/config.pp @@ -5,7 +5,7 @@ class rundeck::config { assert_private() - $framework_config = deep_merge(lookup('rundeck::framework_config'), $rundeck::framework_config) + $framework_config = $rundeck::framework_config $base_dir = $framework_config['rdeck.base'] $properties_dir = $framework_config['framework.etc.dir'] diff --git a/manifests/init.pp b/manifests/init.pp index e7ce8f78d..823e86bf8 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -208,7 +208,7 @@ Hash $security_config = {}, Hash $preauthenticated_config = {}, Rundeck::Key_storage_config $key_storage_config = [{ 'type' => 'db', 'path' => 'keys' }], - Array[Hash] $key_storage_encrypt_config = [{}], + Array[Hash] $key_storage_encrypt_config = [], Rundeck::Loglevel $app_log_level = 'info', Rundeck::Loglevel $audit_log_level = 'info', String $config_template = 'rundeck/rundeck-config.properties.epp', From c92d3f0bbe99bdd190d7b3bc99c941646cf8a32c Mon Sep 17 00:00:00 2001 From: Joris29 Date: Mon, 27 Nov 2023 15:46:58 +0100 Subject: [PATCH 62/82] Update reference --- REFERENCE.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/REFERENCE.md b/REFERENCE.md index 4b44d0513..9bc2835c9 100644 --- a/REFERENCE.md 
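Review bot: The terminating `;` of each login-module entry is now emitted only from inside the loop when `keys(...)[-1] == $_k`, so a type whose `jaas_config` hash is empty (plausible for `pam`, which needs no options) produces an entry with no `;` at all and an unparseable JAAS config, which most likely means rundeckd cannot authenticate anyone. Emit the separator unconditionally after the loop in all three branches: loop body `  <%= $_k %>="<%= $_v %>"` followed by a line containing just `;` after the closing `<%- } -%>`. Option values are also interpolated into double quotes without escaping, so an LDAP bind password containing `"` or `\` would break or truncate the line; either document that restriction on `auth_config` or escape those characters. Since this file carries the LDAP bind credential, the file resource that writes it (outside this hunk) should presumably be mode 0600 and owned by the rundeck user.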
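Review bot: Dropping the `deep_merge(lookup(...), $rundeck::framework_config)` means a user who overrides `rundeck::framework_config` with a partial hash no longer inherits the remaining defaults; `$base_dir = $framework_config['rdeck.base']` and `$properties_dir = $framework_config['framework.etc.dir']` on the next lines then resolve to undef, and every path derived from them (including where realm.properties and the JAAS config land) breaks without a clear error. If the full-replacement semantics are intended, document on `@param framework_config` that the hash must be complete and fail fast here: `unless $framework_config['rdeck.base'] and $framework_config['framework.etc.dir'] { fail('rundeck::framework_config must set rdeck.base and framework.etc.dir') }`. Otherwise merge the user hash over the in-class default before use.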
+++ b/REFERENCE.md @@ -417,7 +417,7 @@ Data type: `Array[Hash]` An array with hashes of properties for customizing the [Rundeck Key Storage converter](https://docs.rundeck.com/docs/administration/configuration/plugins/configuring.html#storage-converter-plugins) -Default value: `[{}]` +Default value: `[]` ##### `app_log_level` From 405c19757628a8597da74aa7af6f8623b84728dc Mon Sep 17 00:00:00 2001 From: Joris29 Date: Mon, 27 Nov 2023 16:35:37 +0100 Subject: [PATCH 63/82] Update specs and add todo's --- README.md | 2 + metadata.json | 8 -- spec/classes/config/aclpolicyfile_spec.rb | 2 +- spec/classes/config/framework_spec.rb | 2 +- spec/classes/config/jaas_auth_spec.rb | 123 ++-------------------- templates/realm.properties.epp | 2 +- 6 files changed, 12 insertions(+), 127 deletions(-) diff --git a/README.md b/README.md index 7737d180a..532d52163 100644 --- a/README.md +++ b/README.md @@ -19,6 +19,8 @@ ## Overview +# TODO: Update readme + The rundeck puppet module for installing and managing [Rundeck](http://rundeck.org/) ### Supported Versions of Rundeck diff --git a/metadata.json b/metadata.json index 4c174c865..a2ef399e5 100644 --- a/metadata.json +++ b/metadata.json @@ -71,14 +71,6 @@ "name": "puppetlabs/stdlib", "version_requirement": ">= 4.25.0 < 10.0.0" }, - { - "name": "pltraining/dirtree", - "version_requirement": ">= 0.3.0 < 2.0.0" - }, - { - "name": "puppetlabs/inifile", - "version_requirement": ">= 4.1.0 < 7.0.0" - }, { "name": "puppetlabs/java_ks", "version_requirement": ">= 1.3.1 < 6.0.0" diff --git a/spec/classes/config/aclpolicyfile_spec.rb b/spec/classes/config/aclpolicyfile_spec.rb index a66e0e1b4..fea408413 100644 --- a/spec/classes/config/aclpolicyfile_spec.rb +++ b/spec/classes/config/aclpolicyfile_spec.rb 
@@ -9,7 +9,7 @@ facts end - describe "rundeck::config::global::aclpolicyfile class without any parameters on #{os}" do + describe "rundeck::config::aclpolicyfile class without any parameters on #{os}" do let(:params) { {} } default_acl = <<~CONFIG.gsub(%r{[^\S\n]{10}}, '') diff --git a/spec/classes/config/framework_spec.rb b/spec/classes/config/framework_spec.rb index c95831ec1..1e5684740 100644 --- a/spec/classes/config/framework_spec.rb +++ b/spec/classes/config/framework_spec.rb @@ -9,7 +9,7 @@ facts end - describe "rundeck::config::global::framework class without any parameters on #{os}" do + describe "rundeck::config::framework class without any parameters on #{os}" do let(:params) { {} } framework_details = { diff --git a/spec/classes/config/jaas_auth_spec.rb b/spec/classes/config/jaas_auth_spec.rb index 6dcd81349..b2375d100 100644 --- a/spec/classes/config/jaas_auth_spec.rb +++ b/spec/classes/config/jaas_auth_spec.rb @@ -22,7 +22,7 @@ end it 'contains PropertyFileLoginModule and be sufficient' do - jaas_auth = catalogue.resource('file', '/etc/rundeck/jaas-auth.conf')[:content] + jaas_auth = catalogue.resource('file', '/etc/rundeck/jaas-loginmodule.conf')[:content] expect(jaas_auth).to include(login_module) end end @@ -44,7 +44,7 @@ end it 'contains PropertyFileLoginModule and be sufficient' do - jaas_auth = catalogue.resource('file', '/etc/rundeck/jaas-auth.conf')[:content] + jaas_auth = catalogue.resource('file', '/etc/rundeck/jaas-loginmodule.conf')[:content] expect(jaas_auth).to include(login_module) end end @@ -79,7 +79,7 @@ end it 'contains PropertyFileLoginModule and be sufficient' do - jaas_auth = catalogue.resource('file', '/etc/rundeck/jaas-auth.conf')[:content] + jaas_auth = catalogue.resource('file', '/etc/rundeck/jaas-loginmodule.conf')[:content] expect(jaas_auth).to include(login_module) end end 
@@ -168,98 +168,7 @@ end it 'generates valid content for jaas-auth.conf' do - content = catalogue.resource('file', '/etc/rundeck/jaas-auth.conf')[:content] - expect(content).to include('userFirstNameAttribute="givenName"') - expect(content).to include('userLastNameAttribute="sn"') - expect(content).to include('userEmailAttribute="mail"') - end - end - - describe 'with multiauth active_directory and file auth users array' do - let(:params) do - { - auth_config: { - 'file' => { - 'auth_users' => [ - { - 'username' => 'testuser', - 'password' => 'password', - 'roles' => %w[user deploy] - }, - { - 'username' => 'anotheruser', - 'password' => 'anotherpassword', - 'roles' => ['user'] - } - ] - }, - - 'active_directory' => { - 'debug' => 'true', - 'url' => 'localhost:389', - 'force_binding' => 'true', - 'force_binding_use_root' => 'true', - 'bind_dn' => 'test_rundeck', - 'bind_password' => 'abc123', - 'user_base_dn' => 'ou=users,ou=accounts,ou=corp,dc=xyz,dc=com', - 'user_rdn_attribute' => 'sAMAccountName', - 'user_id_attribute' => 'sAMAccountName', - 'user_password_attribute' => 'unicodePwd', - 'user_object_class' => 'user', - 'role_base_dn' => 'ou=role based,ou=security,ou=groups,ou=test,dc=xyz,dc=com', - 'role_name_attribute' => 'cn', - 'role_member_attribute' => 'member', - 'role_object_class' => 'group', - 'supplemental_roles' => 'user', - 'nested_groups' => 'true' - } - } - } - end - - it 'generates valid content for realm.properties' do - content = catalogue.resource('file', '/etc/rundeck/realm.properties')[:content] - expect(content).to include('admin:admin,user,admin,architect,deploy,build') - expect(content).to include('testuser:password,user,deploy') - expect(content).to include('anotheruser:anotherpassword,user') - end - end - - describe 'with active_directory using ldap_sync' do - let(:params) do - { - auth_config: { - 'active_directory' => { - 'debug' => 'true', - 'url' => 'localhost:389', - 'force_binding' => 'true', - 'force_binding_use_root' => 'true', - 
'bind_dn' => 'test_rundeck', - 'bind_password' => 'abc123', - 'user_base_dn' => 'ou=users,ou=accounts,ou=corp,dc=xyz,dc=com', - 'user_rdn_attribute' => 'sAMAccountName', - 'user_id_attribute' => 'sAMAccountName', - 'user_password_attribute' => 'unicodePwd', - 'user_object_class' => 'user', - 'role_base_dn' => 'ou=role based,ou=security,ou=groups,ou=test,dc=xyz,dc=com', - 'role_name_attribute' => 'cn', - 'role_member_attribute' => 'member', - 'role_object_class' => 'group', - 'supplemental_roles' => 'user', - 'nested_groups' => 'true', - 'sync_first_name_attribute' => 'givenName', - 'sync_last_name_attribute' => 'sn', - 'sync_email_attribute' => 'mail' - } - }, - security_config: { - 'syncLdapUser' => true - } - } - end - - it 'generates valid content for jaas-auth.conf' do - content = catalogue.resource('file', '/etc/rundeck/jaas-auth.conf')[:content] + content = catalogue.resource('file', '/etc/rundeck/jaas-loginmodule.conf')[:content] expect(content).to include('userFirstNameAttribute="givenName"') expect(content).to include('userLastNameAttribute="sn"') expect(content).to include('userEmailAttribute="mail"') @@ -289,7 +198,7 @@ end it 'contains PropertyFileLoginModule and be sufficient' do - jaas_auth = catalogue.resource('file', '/etc/rundeck/jaas-auth.conf')[:content] + jaas_auth = catalogue.resource('file', '/etc/rundeck/jaas-loginmodule.conf')[:content] expect(jaas_auth).to include(login_module) end end @@ -316,7 +225,7 @@ end it 'contains PropertyFileLoginModule and be sufficient' do - jaas_auth = catalogue.resource('file', '/etc/rundeck/jaas-auth.conf')[:content] + jaas_auth = catalogue.resource('file', '/etc/rundeck/jaas-loginmodule.conf')[:content] expect(jaas_auth).to include(login_module) end end 
@@ -334,25 +243,7 @@ end it 'generates valid content for jaas-auth.conf' do - content = catalogue.resource('file', '/etc/rundeck/jaas-auth.conf')[:content] - expect(content).to include('rolePrefix="rundeck_"') - end - end - - describe 'active_directory with rolePrefix' do - let(:params) do - { - auth_config: { - 'active_directory' => { - 'url' => 'localhost:389', - 'role_prefix' => 'rundeck_' - } - } - } - end - - it 'generates valid content for jaas-auth.conf' do - content = catalogue.resource('file', '/etc/rundeck/jaas-auth.conf')[:content] + content = catalogue.resource('file', '/etc/rundeck/jaas-loginmodule.conf')[:content] expect(content).to include('rolePrefix="rundeck_"') end end diff --git a/templates/realm.properties.epp b/templates/realm.properties.epp index 0500e1f6a..8deff98af 100644 --- a/templates/realm.properties.epp +++ b/templates/realm.properties.epp @@ -23,7 +23,7 @@ # <%= $_auth_config['file']['realm_config']['admin_user'] %>:<%= $_auth_config['file']['realm_config']['admin_password'] %>,user,admin,architect,deploy,build <%- if $_auth_config['file']['realm_config']['auth_users'] { -%> - <%- if is_array($_auth_config['file']['realm_config']['auth_users']) { -%> + <%- if $_auth_config['file']['realm_config']['auth_users'] =~ Array { -%> <%- $_auth_config['file']['realm_config']['auth_users'].each |$x| { -%> <%- if $x['username'] { -%> <%= $x['username'] -%>:<%= $x['password'] -%> From e7ffcebe142cb28f9c9679abd9ef2c9aff57245c Mon Sep 17 00:00:00 2001 From: Joris29 Date: Mon, 27 Nov 2023 16:51:24 +0100 Subject: [PATCH 64/82] Update policy template and unit test --- spec/classes/config/aclpolicyfile_spec.rb | 4 ++-- templates/aclpolicy.epp | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/spec/classes/config/aclpolicyfile_spec.rb b/spec/classes/config/aclpolicyfile_spec.rb index fea408413..87436ed81 100644 --- a/spec/classes/config/aclpolicyfile_spec.rb +++ b/spec/classes/config/aclpolicyfile_spec.rb 
@@ -13,7 +13,7 @@ let(:params) { {} } default_acl = <<~CONFIG.gsub(%r{[^\S\n]{10}}, '') - description: 'Admin, all access' + description: Admin, all access context: project: '.*' for: @@ -31,7 +31,7 @@ --- - description: 'Admin, all access' + description: Admin, all access context: application: 'rundeck' for: diff --git a/templates/aclpolicy.epp b/templates/aclpolicy.epp index 0563c3f91..22e6432a7 100644 --- a/templates/aclpolicy.epp +++ b/templates/aclpolicy.epp @@ -1,7 +1,7 @@ <%- $_acl_policies.each |$_index, $_policy| { -%> description: <%= $_policy['description'] %> context: - <%= $_policy['context'].keys[0] %>: "<%= $_policy['context'].values[0] %>" + <%= $_policy['context'].keys[0] %>: '<%= $_policy['context'].values[0] %>' for: <%- $_policy['for'].each |$_resource, $_kind| { -%> <%= $_resource %>: From 1b096d79ee46ca3716f9ac1f7663eec94d8ff56a Mon Sep 17 00:00:00 2001 From: Joris29 Date: Tue, 28 Nov 2023 07:27:07 +0100 Subject: [PATCH 65/82] Update framework config --- REFERENCE.md | 19 ++----------------- manifests/config.pp | 16 +++++++++++++++- manifests/config/framework.pp | 2 +- manifests/init.pp | 15 ++------------- 4 files changed, 20 insertions(+), 32 deletions(-) diff --git a/REFERENCE.md b/REFERENCE.md index 9bc2835c9..a7e228fda 100644 --- a/REFERENCE.md +++ b/REFERENCE.md 
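Review bot: Single-quoting the context value in `<%= $_policy['context'].keys[0] %>: '<%= $_policy['context'].values[0] %>'` is the right choice for regex-style values such as `.*`, but a value containing an apostrophe now yields an unparsable policy file, and `description: <%= $_policy['description'] %>` on the line above stays unquoted, so a description containing `: ` or `#` breaks the YAML the same way. The spec change in this commit (`description: Admin, all access`) shows the unquoted form is intended, so if the caller is expected to keep descriptions YAML-safe a template comment such as `<%# description is emitted unquoted: keep it free of YAML structural characters -%>` would make that contract explicit. Otherwise escaping the interpolated values (doubling `'` via `regsubst`) before emitting them would close the gap for both lines.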
@@ -352,24 +352,9 @@ Default value: `{ 'url' => 'jdbc:h2:file:/var/lib/rundeck/data/rundeckdb' }` Data type: `Hash` Hash of properties for configuring the [Rundeck Framework](https://docs.rundeck.com/docs/administration/configuration/config-file-reference.html#framework-properties) +This hash will be merged some [defaults](https://github.com/voxpupuli/puppet-rundeck/blob/ffcc77ea943f2ee52257004ec6385ab3a3aa6f91/manifests/config.pp#L8C12-L8C12) # TODO: Update ref -Default value: - -```puppet -{ - 'rdeck.base' => '/var/lib/rundeck', - 'framework.server.hostname' => $facts['networking']['hostname'], - 'framework.server.name' => $facts['networking']['fqdn'], - 'framework.server.port' => '4440', - 'framework.server.url' => "http://${facts['networking']['fqdn']}:4440", - 'framework.etc.dir' => '/etc/rundeck', - 'framework.libext.dir' => '/var/lib/rundeck/libext', - 'framework.ssh.keypath' => '/var/lib/rundeck/.ssh/id_rsa', - 'framework.ssh.user' => 'rundeck', - 'framework.ssh.timeout' => '0', - 'rundeck.server.uuid' => fqdn_uuid($facts['networking']['fqdn']), - } -``` +Default value: `{}` ##### `gui_config` diff --git a/manifests/config.pp b/manifests/config.pp index 5b14fac8e..c7dc44906 100644 --- a/manifests/config.pp +++ b/manifests/config.pp 
@@ -5,7 +5,21 @@ class rundeck::config { assert_private() - $framework_config = $rundeck::framework_config + $_framework_defaults = { + 'rdeck.base' => '/var/lib/rundeck', + 'framework.server.hostname' => $facts['networking']['hostname'], + 'framework.server.name' => $facts['networking']['fqdn'], + 'framework.server.port' => '4440', + 'framework.server.url' => "http://${facts['networking']['fqdn']}:4440", + 'framework.etc.dir' => '/etc/rundeck', + 'framework.libext.dir' => '/var/lib/rundeck/libext', + 'framework.ssh.keypath' => '/var/lib/rundeck/.ssh/id_rsa', + 'framework.ssh.user' => 'rundeck', + 'framework.ssh.timeout' => '0', + 'rundeck.server.uuid' => fqdn_uuid($facts['networking']['fqdn']), + } + + $framework_config = $_framework_defaults + $rundeck::framework_config $base_dir = $framework_config['rdeck.base'] $properties_dir = $framework_config['framework.etc.dir'] diff --git a/manifests/config/framework.pp b/manifests/config/framework.pp index b3820f800..87c2b6f4d 100644 --- a/manifests/config/framework.pp +++ b/manifests/config/framework.pp @@ -14,7 +14,7 @@ $_framework_ssl_config = {} } - $_framework_config = deep_merge($rundeck::config::framework_config, $_framework_ssl_config) + $_framework_config = $rundeck::config::framework_config + $_framework_ssl_config file { "${rundeck::config::properties_dir}/framework.properties": ensure => file, diff --git a/manifests/init.pp b/manifests/init.pp index 823e86bf8..0be53d1ed 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
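Review bot: The merge in `$framework_config = $_framework_defaults + $rundeck::framework_config` is a shallow, right-hand-wins hash addition that replaces the `deep_merge` the previous revision used, and nothing in the hunk says so; for this flat property hash that is correct, but a reader seeing `'framework.server.url' => "http://${facts['networking']['fqdn']}:4440"` may assume a user-supplied value is combined with the default rather than replacing it key by key. I would add above the assignment: `# Flat key/value hash: each user-supplied framework_config key replaces the matching default (shallow merge, right-hand side wins).` The same `deep_merge` → `+` swap appears in the manifests/config/framework.pp hunk of this commit, where `$_framework_ssl_config` is the right-hand operand and therefore overrides both the defaults and the user's values; that precedence deserves a one-line comment there too.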
@@ -47,6 +47,7 @@ # Hash of properties for configuring the [Rundeck Database](https://docs.rundeck.com/docs/administration/configuration/database) # @param framework_config # Hash of properties for configuring the [Rundeck Framework](https://docs.rundeck.com/docs/administration/configuration/config-file-reference.html#framework-properties) +# This hash will be merged some [defaults](https://github.com/voxpupuli/puppet-rundeck/blob/ffcc77ea943f2ee52257004ec6385ab3a3aa6f91/manifests/config.pp#L8C12-L8C12) # TODO: Update ref # @param gui_config # Hash of properties for customizing the [Rundeck GUI](https://docs.rundeck.com/docs/administration/configuration/gui-customization.html) # @param mail_config @@ -190,19 +191,7 @@ }, }, Rundeck::Db_config $database_config = { 'url' => 'jdbc:h2:file:/var/lib/rundeck/data/rundeckdb' }, - Hash $framework_config = { - 'rdeck.base' => '/var/lib/rundeck', - 'framework.server.hostname' => $facts['networking']['hostname'], - 'framework.server.name' => $facts['networking']['fqdn'], - 'framework.server.port' => '4440', - 'framework.server.url' => "http://${facts['networking']['fqdn']}:4440", - 'framework.etc.dir' => '/etc/rundeck', - 'framework.libext.dir' => '/var/lib/rundeck/libext', - 'framework.ssh.keypath' => '/var/lib/rundeck/.ssh/id_rsa', - 'framework.ssh.user' => 'rundeck', - 'framework.ssh.timeout' => '0', - 'rundeck.server.uuid' => fqdn_uuid($facts['networking']['fqdn']), - }, + Hash $framework_config = {}, Hash $gui_config = {}, Rundeck::Mail_config $mail_config = {}, Hash $security_config = {}, From a0c9f5b1999cfbfd0fa604efab1ca6648fc868d2 Mon Sep 17 00:00:00 2001 
From: Joris29 Date: Tue, 28 Nov 2023 12:08:27 +0100 Subject: [PATCH 66/82] Update specs reference and config templates --- .fixtures.yml | 2 - REFERENCE.md | 8 +- manifests/config/jaas_auth.pp | 5 +- manifests/init.pp | 8 +- manifests/install.pp | 1 - spec/classes/config/aclpolicyfile_spec.rb | 55 ---- spec/classes/config/framework_spec.rb | 48 ++- spec/classes/config/jaas_auth_spec.rb | 310 ++++++++++-------- spec/classes/config/ssl_spec.rb | 63 ++-- spec/classes/config_spec.rb | 18 +- spec/classes/install_spec.rb | 23 +- spec/classes/rundeck_spec.rb | 73 ++--- spec/classes/service_spec.rb | 2 +- spec/defines/config/aclpolicyfile_spec.rb | 113 +++++-- spec/defines/config/plugin_spec.rb | 4 +- templates/framework.properties.epp | 4 +- ...uth.conf.epp => jaas-loginmodule.conf.epp} | 0 templates/rundeck-config.properties.epp | 4 +- 18 files changed, 369 insertions(+), 372 deletions(-) delete mode 100644 spec/classes/config/aclpolicyfile_spec.rb rename templates/{jaas-auth.conf.epp => jaas-loginmodule.conf.epp} (100%) diff --git a/.fixtures.yml b/.fixtures.yml index 9e4fdca72..586cb448a 100644 --- a/.fixtures.yml +++ b/.fixtures.yml @@ -1,9 +1,7 @@ fixtures: repositories: stdlib: "https://github.com/puppetlabs/puppetlabs-stdlib.git" - inifile: "https://github.com/puppetlabs/puppetlabs-inifile.git" archive: "https://github.com/puppet-community/puppet-archive.git" - dirtree: "https://github.com/puppetlabs/pltraining-dirtree.git" java_ks: "https://github.com/puppetlabs/puppetlabs-java_ks.git" apt: "https://github.com/puppetlabs/puppetlabs-apt.git" yumrepo_core: diff --git a/REFERENCE.md b/REFERENCE.md index a7e228fda..91750578d 100644 --- a/REFERENCE.md +++ b/REFERENCE.md 
@@ -326,14 +326,14 @@ Default value: ```puppet { 'file' => { - 'auth_flag' => 'required', - 'jaas_config' => { + 'auth_flag' => 'required', + 'jaas_config' => { 'file' => '/etc/rundeck/realm.properties', }, 'realm_config' => { 'admin_user' => 'admin', 'admin_password' => 'admin', - 'auth_users' => {}, + 'auth_users' => [], }, }, } @@ -352,7 +352,7 @@ Default value: `{ 'url' => 'jdbc:h2:file:/var/lib/rundeck/data/rundeckdb' }` Data type: `Hash` Hash of properties for configuring the [Rundeck Framework](https://docs.rundeck.com/docs/administration/configuration/config-file-reference.html#framework-properties) -This hash will be merged some [defaults](https://github.com/voxpupuli/puppet-rundeck/blob/ffcc77ea943f2ee52257004ec6385ab3a3aa6f91/manifests/config.pp#L8C12-L8C12) # TODO: Update ref +This hash will be merged with the [Rundeck defaults](https://github.com/voxpupuli/puppet-rundeck/blob/4eb3f4158f49cd1176090897aa88098f1e4507ab/manifests/config.pp#L8-L20) # TODO: Update ref Default value: `{}` diff --git a/manifests/config/jaas_auth.pp b/manifests/config/jaas_auth.pp index 667be732b..7185242cd 100644 --- a/manifests/config/jaas_auth.pp +++ b/manifests/config/jaas_auth.pp @@ -28,7 +28,10 @@ file { "${rundeck::config::properties_dir}/jaas-loginmodule.conf": ensure => file, - content => Sensitive(epp('rundeck/jaas-auth.conf.epp', { _auth_config => $_auth_config, _ldap_login_module => $_ldap_login_module })), + content => Sensitive(epp('rundeck/jaas-loginmodule.conf.epp', { + '_auth_config' => $_auth_config, + '_ldap_login_module' => $_ldap_login_module + })), mode => '0400', } } diff --git a/manifests/init.pp b/manifests/init.pp index 0be53d1ed..2fc3c1f4a 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
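Review bot: The `file` resource for jaas-loginmodule.conf sets `mode => '0400'` but no `owner` or `group`, so unless a `File` resource default elsewhere in `rundeck::config::jaas_auth` assigns the file to the Rundeck service account, Puppet leaves it owned by root and the service cannot read its own login-module configuration. If the class relies on such a default, a comment on the resource saying so would save the next reader the search; otherwise add `owner => $rundeck::user,` (that parameter is referenced in the install.pp hunk of this commit) together with the matching group parameter, whose name I cannot confirm from this hunk. Wrapping the rendered EPP in `Sensitive` is the right call, since the spec in this commit shows LDAP `bindPassword` values are rendered into this file, and it keeps them out of reports and diff output.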
@@ -47,7 +47,7 @@ # Hash of properties for configuring the [Rundeck Database](https://docs.rundeck.com/docs/administration/configuration/database) # @param framework_config # Hash of properties for configuring the [Rundeck Framework](https://docs.rundeck.com/docs/administration/configuration/config-file-reference.html#framework-properties) -# This hash will be merged some [defaults](https://github.com/voxpupuli/puppet-rundeck/blob/ffcc77ea943f2ee52257004ec6385ab3a3aa6f91/manifests/config.pp#L8C12-L8C12) # TODO: Update ref +# This hash will be merged with the [Rundeck defaults](https://github.com/voxpupuli/puppet-rundeck/blob/4eb3f4158f49cd1176090897aa88098f1e4507ab/manifests/config.pp#L8-L20) # TODO: Update ref # @param gui_config # Hash of properties for customizing the [Rundeck GUI](https://docs.rundeck.com/docs/administration/configuration/gui-customization.html) # @param mail_config @@ -179,14 +179,14 @@ Integer $quartz_job_threadcount = 10, Rundeck::Auth_config $auth_config = { 'file' => { - 'auth_flag' => 'required', - 'jaas_config' => { + 'auth_flag' => 'required', + 'jaas_config' => { 'file' => '/etc/rundeck/realm.properties', }, 'realm_config' => { 'admin_user' => 'admin', 'admin_password' => 'admin', - 'auth_users' => {}, + 'auth_users' => [], }, }, }, diff --git a/manifests/install.pp b/manifests/install.pp index 2fce99f77..1d50ea650 100644 --- a/manifests/install.pp +++ b/manifests/install.pp @@ -26,7 +26,6 @@ uid => $rundeck::user_id, gid => $rundeck::group_id, system => true, - before => File['/var/rundeck'], } if $rundeck::user != 'rundeck' { diff --git a/spec/classes/config/aclpolicyfile_spec.rb b/spec/classes/config/aclpolicyfile_spec.rb deleted file mode 100644 index 87436ed81..000000000 --- a/spec/classes/config/aclpolicyfile_spec.rb +++ /dev/null 
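Review bot: The reshaped default for `auth_config` in the second hunk still ships `'admin_user' => 'admin'` and `'admin_password' => 'admin'`, which the realm.properties template writes verbatim as `admin:admin,...` on every node that does not override the parameter, and the `@param auth_config` documentation says nothing about it. I would add to that parameter's comment: `#   The default realm_config bootstraps an 'admin' user with password 'admin'; override admin_password (for example from Hiera) before exposing the instance.` Separately, the first hunk keeps the `# TODO: Update ref` marker and a commit-pinned GitHub link inside the puppet-strings comment, so both are emitted verbatim into REFERENCE.md; a relative pointer such as `see $_framework_defaults in manifests/config.pp` would not go stale and would not publish the TODO.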
@@ -1,55 +0,0 @@ -# frozen_string_literal: true - -require 'spec_helper' - -describe 'rundeck' do - on_supported_os.each do |os, facts| - context "on #{os}" do - let :facts do - facts - end - - describe "rundeck::config::aclpolicyfile class without any parameters on #{os}" do - let(:params) { {} } - - default_acl = <<~CONFIG.gsub(%r{[^\S\n]{10}}, '') - description: Admin, all access - context: - project: '.*' - for: - resource: - - allow: '*' - adhoc: - - allow: '*' - job: - - allow: '*' - node: - - allow: '*' - by: - group: - - 'admin' - - --- - - description: Admin, all access - context: - application: 'rundeck' - for: - resource: - - allow: '*' - project: - - allow: '*' - storage: - - allow: '*' - by: - group: - - 'admin' - CONFIG - - it do - is_expected.to contain_file('/etc/rundeck/admin.aclpolicy').with_content(default_acl) - end - end - end - end -end diff --git a/spec/classes/config/framework_spec.rb b/spec/classes/config/framework_spec.rb index 1e5684740..bca688bb7 100644 --- a/spec/classes/config/framework_spec.rb +++ b/spec/classes/config/framework_spec.rb @@ -3,22 +3,18 @@ require 'spec_helper' describe 'rundeck' do - on_supported_os.each do |os, facts| + on_supported_os.each do |os, os_facts| context "on #{os}" do - let :facts do - facts - end + let(:facts) { os_facts } - describe "rundeck::config::framework class without any parameters on #{os}" do + context 'without any parameters test rundeck::config::framework' do let(:params) { {} } framework_details = { 'framework.server.name' => 'foo.example.com', - 'framework.server.hostname' => 'foo.example.com', + 'framework.server.hostname' => 'foo', 'framework.server.port' => '4440', 'framework.server.url' => 'http://foo.example.com:4440', - 'framework.server.username' => 'admin', - 'framework.server.password' => 'admin', 'framework.etc.dir' => '/etc/rundeck', 'framework.libext.dir' => '/var/lib/rundeck/libext', 'framework.ssh.keypath' => '/var/lib/rundeck/.ssh/id_rsa', 
@@ -36,30 +32,28 @@ end end - context 'add plugin configuration' do - describe 'add plugin configuration for the logstash plugin' do - let(:params) do - { - framework_config: { - 'framework.plugin.StreamingLogWriter.LogstashPlugin.port' => '9700' - } + context 'add plugin configuration for the logstash plugin' do + let(:params) do + { + framework_config: { + 'framework.plugin.StreamingLogWriter.LogstashPlugin.port' => '9700' } - end + } + end - it 'generates valid content for framework.properties' do - content = catalogue.resource('file', '/etc/rundeck/framework.properties')[:content] - expect(content).to include('framework.server.name = foo.example.com') - expect(content).to include('framework.plugin.StreamingLogWriter.LogstashPlugin.port = 9700') - end + it 'generates valid content for framework.properties' do + content = catalogue.resource('file', '/etc/rundeck/framework.properties')[:content] + expect(content).to include('framework.server.name = foo.example.com') + expect(content).to include('framework.plugin.StreamingLogWriter.LogstashPlugin.port = 9700') end end - context 'setting framework.server.{port,url}' do - describe 'with non-default framework.server.hostname' do + context 'setting framework.server.{name,url}' do + context 'with non-default framework.server.hostname' do let(:params) do { framework_config: { - 'framework.server.hostname' => 'rundeck.example.com' + 'framework.server.url' => 'rundeck.example.com' } } end @@ -71,7 +65,7 @@ end end - describe 'ssl_enabled with non-default SSL port' do + context 'ssl_enabled with non-default SSL port' do let(:params) do { ssl_enabled: true, @@ -86,13 +80,13 @@ end end - describe 'ssl_enabled with non-default framework.server.hostname' do + context 'ssl_enabled with non-default framework.server.hostname' do let(:params) do { ssl_enabled: true, ssl_port: 443, framework_config: { - 'framework.server.hostname' => 'rundeck.example.com' + 'framework.server.name' => 'rundeck.example.com' } } end 
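Review bot: The context titled `'with non-default framework.server.hostname'` now sets `'framework.server.url' => 'rundeck.example.com'` rather than the hostname, and in the @@ -86 hunk `'ssl_enabled with non-default framework.server.hostname'` sets `framework.server.name`, so neither description names the key the test actually exercises. Either rename the contexts to match (`context 'with non-default framework.server.url' do`, `context 'ssl_enabled with non-default framework.server.name' do`) or set the key the title promises. The bare `'rundeck.example.com'` for `framework.server.url` also has no scheme, unlike the `http://foo.example.com:4440` default the earlier hunk expects; if the assertion that follows (outside this hunk) checks the URL with `include`, it may be passing only on a substring match, which is worth confirming.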
diff --git a/spec/classes/config/jaas_auth_spec.rb b/spec/classes/config/jaas_auth_spec.rb index b2375d100..e3a676a3b 100644 --- a/spec/classes/config/jaas_auth_spec.rb +++ b/spec/classes/config/jaas_auth_spec.rb @@ -3,37 +3,44 @@ require 'spec_helper' describe 'rundeck' do - let(:login_module) { 'org.eclipse.jetty.jaas.spi.PropertyFileLoginModule sufficient' } - on_supported_os.each do |os, facts| context "on #{os}" do let :facts do facts end - describe 'with empty params' do + context 'with empty auth config test rundeck::config::jaas_auth' do let(:params) do - {} + { + auth_config: {} + } end - it 'generates valid content for realm.properties' do - content = catalogue.resource('file', '/etc/rundeck/realm.properties')[:content] - expect(content).to include('admin:admin,user,admin,architect,deploy,build') - end + it { is_expected.to contain_file('/etc/rundeck/realm.properties').with(ensure: 'absent') } - it 'contains PropertyFileLoginModule and be sufficient' do + it 'jaas-loginmodule.conf contains no auth classes' do jaas_auth = catalogue.resource('file', '/etc/rundeck/jaas-loginmodule.conf')[:content] - expect(jaas_auth).to include(login_module) + expect(jaas_auth).not_to include('org.eclipse.jetty.jaas.spi.PropertyFileLoginModule') + expect(jaas_auth).not_to include('com.dtolabs.rundeck.jetty.jaas.JettyCombinedLdapLoginModule') + expect(jaas_auth).not_to include('com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule') + expect(jaas_auth).not_to include('org.rundeck.jaas.jetty.JettyPamLoginModule') end end - describe 'with empty auth users array' do + context 'file auth with empty auth users array' do let(:params) do { auth_config: { 'file' => { - 'auth_users' => [] - } + 'jaas_config' => { + 'file' => '/etc/rundeck/realm.properties', + }, + 'realm_config' => { + 'admin_user' => 'admin', + 'admin_password' => 'admin', + 'auth_users' => [], + }, + }, } } end 
@@ -43,30 +50,31 @@ expect(content).to include('admin:admin,user,admin,architect,deploy,build') end - it 'contains PropertyFileLoginModule and be sufficient' do + it 'contains PropertyFileLoginModule and default auth_flag' do jaas_auth = catalogue.resource('file', '/etc/rundeck/jaas-loginmodule.conf')[:content] - expect(jaas_auth).to include(login_module) + expect(jaas_auth).to include('org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required') end end - describe 'with auth users array' do + context 'file auth with single auth user without roles' do let(:params) do { auth_config: { 'file' => { - 'auth_users' => [ - { - 'username' => 'testuser', - 'password' => 'password', - 'roles' => %w[user deploy] - }, - { - 'username' => 'anotheruser', - 'password' => 'anotherpassword', - 'roles' => ['user'] - } - ] - } + 'jaas_config' => { + 'file' => '/etc/rundeck/realm.properties', + }, + 'realm_config' => { + 'admin_user' => 'admin', + 'admin_password' => 'admin', + 'auth_users' => [ + { + 'username' => 'testuser', + 'password' => 'password' + } + ] + }, + }, } } end 
@@ -74,54 +82,35 @@ it 'generates valid content for realm.properties' do content = catalogue.resource('file', '/etc/rundeck/realm.properties')[:content] expect(content).to include('admin:admin,user,admin,architect,deploy,build') - expect(content).to include('testuser:password,user,deploy') - expect(content).to include('anotheruser:anotherpassword,user') + expect(content).to include('testuser:password') end it 'contains PropertyFileLoginModule and be sufficient' do jaas_auth = catalogue.resource('file', '/etc/rundeck/jaas-loginmodule.conf')[:content] - expect(jaas_auth).to include(login_module) + expect(jaas_auth).to include('org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required') end end - describe 'with multiauth ldap and file auth users array' do + context 'file auth with single auth user and roles' do let(:params) do { auth_config: { 'file' => { - 'auth_users' => [ - { - 'username' => 'testuser', - 'password' => 'password', - 'roles' => %w[user deploy] - }, - { - 'username' => 'anotheruser', - 'password' => 'anotherpassword', - 'roles' => ['user'] - } - ] + 'jaas_config' => { + 'file' => '/etc/rundeck/realm.properties', + }, + 'realm_config' => { + 'admin_user' => 'admin', + 'admin_password' => 'admin', + 'auth_users' => [ + { + 'username' => 'testuser', + 'password' => 'password', + 'roles' => %w[user deploy] + } + ] + }, }, - - 'ldap' => { - 'debug' => 'true', - 'url' => 'localhost:389', - 'force_binding' => 'true', - 'force_binding_use_root' => 'true', - 'bind_dn' => 'test_rundeck', - 'bind_password' => 'abc123', - 'user_base_dn' => 'ou=users,ou=accounts,ou=corp,dc=xyz,dc=com', - 'user_rdn_attribute' => 'sAMAccountName', - 'user_id_attribute' => 'sAMAccountName', - 'user_password_attribute' => 'unicodePwd', - 'user_object_class' => 'user', - 'role_base_dn' => 'ou=role based,ou=security,ou=groups,ou=test,dc=xyz,dc=com', - 'role_name_attribute' => 'cn', - 'role_member_attribute' => 'member', - 'role_object_class' => 'group', - 'supplemental_roles' => 
'user', - 'nested_groups' => 'true' - } } } end 
@@ -130,63 +119,40 @@ content = catalogue.resource('file', '/etc/rundeck/realm.properties')[:content] expect(content).to include('admin:admin,user,admin,architect,deploy,build') expect(content).to include('testuser:password,user,deploy') - expect(content).to include('anotheruser:anotherpassword,user') - end - end - - describe 'with ldap using ldap_sync' do - let(:params) do - { - auth_config: { - 'ldap' => { - 'debug' => 'true', - 'url' => 'localhost:389', - 'force_binding' => 'true', - 'force_binding_use_root' => 'true', - 'bind_dn' => 'test_rundeck', - 'bind_password' => 'abc123', - 'user_base_dn' => 'ou=users,ou=accounts,ou=corp,dc=xyz,dc=com', - 'user_rdn_attribute' => 'sAMAccountName', - 'user_id_attribute' => 'sAMAccountName', - 'user_password_attribute' => 'unicodePwd', - 'user_object_class' => 'user', - 'role_base_dn' => 'ou=role based,ou=security,ou=groups,ou=test,dc=xyz,dc=com', - 'role_name_attribute' => 'cn', - 'role_member_attribute' => 'member', - 'role_object_class' => 'group', - 'supplemental_roles' => 'user', - 'nested_groups' => 'true', - 'sync_first_name_attribute' => 'givenName', - 'sync_last_name_attribute' => 'sn', - 'sync_email_attribute' => 'mail' - } - }, - security_config: { - 'syncLdapUser' => true - } - } end - it 'generates valid content for jaas-auth.conf' do - content = catalogue.resource('file', '/etc/rundeck/jaas-loginmodule.conf')[:content] - expect(content).to include('userFirstNameAttribute="givenName"') - expect(content).to include('userLastNameAttribute="sn"') - expect(content).to include('userEmailAttribute="mail"') + it 'contains PropertyFileLoginModule and be sufficient' do + jaas_auth = catalogue.resource('file', '/etc/rundeck/jaas-loginmodule.conf')[:content] + expect(jaas_auth).to include('org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required') end end - describe 'with auth user without roles' do + context 'file auth with auth users array and auth_flag' do let(:params) do { auth_config: { 'file' => { - 'auth_users' 
=> [ - { - 'username' => 'testuser', - 'password' => 'password' - } - ] - } + 'auth_flag' => 'sufficient', + 'jaas_config' => { + 'file' => '/etc/rundeck/realm.properties', + }, + 'realm_config' => { + 'admin_user' => 'admin', + 'admin_password' => 'admin', + 'auth_users' => [ + { + 'username' => 'testuser', + 'password' => 'password', + 'roles' => %w[user deploy] + }, + { + 'username' => 'anotheruser', + 'password' => 'anotherpassword', + 'roles' => ['user'] + }, + ], + }, + }, } } end 
@@ -194,57 +160,135 @@ it 'generates valid content for realm.properties' do content = catalogue.resource('file', '/etc/rundeck/realm.properties')[:content] expect(content).to include('admin:admin,user,admin,architect,deploy,build') - expect(content).to include('testuser:password') + expect(content).to include('testuser:password,user,deploy') + expect(content).to include('anotheruser:anotherpassword,user') end it 'contains PropertyFileLoginModule and be sufficient' do jaas_auth = catalogue.resource('file', '/etc/rundeck/jaas-loginmodule.conf')[:content] - expect(jaas_auth).to include(login_module) + expect(jaas_auth).to include('org.eclipse.jetty.jaas.spi.PropertyFileLoginModule sufficient') end end - describe 'backward compatibility (no array of users)' do + context 'with ldap auth using ldap_sync' do let(:params) do { auth_config: { - 'file' => { - 'auth_users' => { - 'username' => 'testuser', - 'password' => 'password', - 'roles' => %w[user deploy] + 'ldap' => { + 'jaas_config' => { + 'debug' => 'true', + 'providerUrl' => 'ldap://server:389', + 'bindDn' => 'cn=Manager,dc=example,dc=com', + 'bindPassword' => 'secret', + 'authenticationMethod' => 'simple', + 'forceBindingLogin' => 'false', + 'userBaseDn' => 'ou=users,ou=accounts,ou=corp,dc=xyz,dc=com', + 'userRdnAttribute' => 'sAMAccountName', + 'userIdAttribute' => 'sAMAccountName', + 'userPasswordAttribute' => 'unicodePwd', + 'userObjectClass' => 'user', + 'roleBaseDn' => 'ou=role based,ou=security,ou=groups,ou=test,dc=xyz,dc=com', + 'roleNameAttribute' => 'cn', + 'roleMemberAttribute' => 'member', + 'roleObjectClass' => 'group' } } + }, + security_config: { + 'syncLdapUser' => true } } end - it 'generates valid content for realm.properties' do - content = catalogue.resource('file', '/etc/rundeck/realm.properties')[:content] - expect(content).to include('admin:admin,user,admin,architect,deploy,build') - expect(content).to include('testuser:password,user,deploy') + it 'generates valid content for 
rundeck-config.properties' do + content = catalogue.resource('file', '/etc/rundeck/rundeck-config.properties')[:content] + expect(content).to include('rundeck.security.syncLdapUser = true') end - it 'contains PropertyFileLoginModule and be sufficient' do - jaas_auth = catalogue.resource('file', '/etc/rundeck/jaas-loginmodule.conf')[:content] - expect(jaas_auth).to include(login_module) + it 'generates valid content for jaas-loginmodule.conf' do + content = catalogue.resource('file', '/etc/rundeck/jaas-loginmodule.conf')[:content] + expect(content).to include('com.dtolabs.rundeck.jetty.jaas.JettyCombinedLdapLoginModule required') + expect(content).to include('debug="true"') + expect(content).to include('providerUrl="ldap://server:389"') + expect(content).to include('bindDn="cn=Manager,dc=example,dc=com"') + expect(content).to include('bindPassword="secret"') + expect(content).to include('authenticationMethod="simple"') + expect(content).to include('userBaseDn="ou=users,ou=accounts,ou=corp,dc=xyz,dc=com"') + expect(content).to include('roleBaseDn="ou=role based,ou=security,ou=groups,ou=test,dc=xyz,dc=com"') + expect(content).to include('roleObjectClass="group";') end end - describe 'ldap with rolePrefix' do + context 'with multiauth ldap and file with auth users array' do let(:params) do { auth_config: { + 'file' => { + 'auth_flag' => 'sufficient', + 'jaas_config' => { + 'file' => '/etc/rundeck/realm.properties', + }, + 'realm_config' => { + 'admin_user' => 'admin', + 'admin_password' => 'admin', + 'auth_users' => [ + { + 'username' => 'testuser', + 'password' => 'password', + 'roles' => %w[user deploy] + }, + { + 'username' => 'anotheruser', + 'password' => 'anotherpassword', + 'roles' => ['user'] + }, + ], + }, + }, 'ldap' => { - 'url' => 'localhost:389', - 'role_prefix' => 'rundeck_' + 'jaas_config' => { + 'debug' => 'true', + 'providerUrl' => 'ldap://server:389', + 'bindDn' => 'cn=Manager,dc=example,dc=com', + 'bindPassword' => 'secret', + 'authenticationMethod' 
=> 'simple', + 'forceBindingLogin' => 'false', + 'userBaseDn' => 'ou=users,ou=accounts,ou=corp,dc=xyz,dc=com', + 'userRdnAttribute' => 'sAMAccountName', + 'userIdAttribute' => 'sAMAccountName', + 'userPasswordAttribute' => 'unicodePwd', + 'userObjectClass' => 'user', + 'roleBaseDn' => 'ou=role based,ou=security,ou=groups,ou=test,dc=xyz,dc=com', + 'roleNameAttribute' => 'cn', + 'roleMemberAttribute' => 'member', + 'roleObjectClass' => 'group', + 'nestedGroups' => 'true' + }, } } } end - it 'generates valid content for jaas-auth.conf' do + it 'generates valid content for realm.properties' do + content = catalogue.resource('file', '/etc/rundeck/realm.properties')[:content] + expect(content).to include('admin:admin,user,admin,architect,deploy,build') + expect(content).to include('testuser:password,user,deploy') + expect(content).to include('anotheruser:anotherpassword,user') + end + + it 'generates valid content for jaas-loginmodule.conf' do content = catalogue.resource('file', '/etc/rundeck/jaas-loginmodule.conf')[:content] - expect(content).to include('rolePrefix="rundeck_"') + expect(content).to include('org.eclipse.jetty.jaas.spi.PropertyFileLoginModule sufficient') + expect(content).to include('file="/etc/rundeck/realm.properties";') + expect(content).to include('com.dtolabs.rundeck.jetty.jaas.JettyCombinedLdapLoginModule required') + expect(content).to include('debug="true"') + expect(content).to include('providerUrl="ldap://server:389"') + expect(content).to include('bindDn="cn=Manager,dc=example,dc=com"') + expect(content).to include('bindPassword="secret"') + expect(content).to include('authenticationMethod="simple"') + expect(content).to include('userBaseDn="ou=users,ou=accounts,ou=corp,dc=xyz,dc=com"') + expect(content).to include('roleBaseDn="ou=role based,ou=security,ou=groups,ou=test,dc=xyz,dc=com"') + expect(content).to include('nestedGroups="true";') end end end 
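Review bot: Every new context asserts that credentials such as `bindPassword="secret"` and the `admin:admin,...` realm entries are rendered into the catalogue, but none checks the `owner`/`group`/`mode` of `/etc/rundeck/jaas-loginmodule.conf` or `/etc/rundeck/realm.properties`, so a regression that leaves those files world-readable would pass. Add next to the content checks an example such as `it { is_expected.to contain_file('/etc/rundeck/jaas-loginmodule.conf').with(owner: ..., group: ..., mode: ...) }` with the values the `rundeck::config::jaas_auth` manifest actually sets (not visible here). The file-auth fixtures also use only plaintext `admin_password`/`password` values; Jetty's PropertyFileLoginModule accepts `MD5:`/`CRYPT:`/`OBF:`-prefixed values, so one case with a pre-hashed password would confirm the template passes it through unmodified. The enclosing `describe` block starts before this hunk.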
diff --git a/spec/classes/config/ssl_spec.rb b/spec/classes/config/ssl_spec.rb index 14edcec0c..05258dfe0 100644 --- a/spec/classes/config/ssl_spec.rb +++ b/spec/classes/config/ssl_spec.rb 
@@ -3,35 +3,48 @@ require 'spec_helper' describe 'rundeck' do - on_supported_os.each do |os, os_facts| + on_supported_os.each do |os, facts| context "on #{os}" do - let(:params) do - { - ssl_enabled: true - } + let :facts do + facts end - let(:facts) do - os_facts + + context 'with ssl_enabled => true' do + let(:params) do + { + ssl_enabled: true + } + end + + ssl_details = { + 'keystore' => '/etc/rundeck/ssl/keystore', + 'keystore.password' => 'adminadmin', + 'truststore' => '/etc/rundeck/ssl/truststore', + 'truststore.password' => 'adminadmin' + } + + it { is_expected.to contain_file('/etc/rundeck/ssl').with('ensure' => 'directory') } + it { is_expected.to contain_file('/etc/rundeck/ssl/ssl.properties') } + + ssl_details.each do |key, value| + it 'generates valid content for ssl.properties' do + content = catalogue.resource('file', '/etc/rundeck/ssl/ssl.properties')[:content] + expect(content).to include("#{key}=#{value}") + end + end end - ssl_details = { - 'keystore' => '/etc/rundeck/ssl/keystore', - 'keystore.password' => 'adminadmin', - 'key.password' => 'adminadmin', - 'truststore' => '/etc/rundeck/ssl/truststore', - 'truststore.password' => 'adminadmin' - } - - it { is_expected.to contain_file('/etc/rundeck/ssl').with('ensure' => 'directory') } - it { is_expected.to contain_file('/etc/rundeck/ssl/ssl.properties') } - - ssl_details.each do |key, value| - it do - is_expected.to contain_ini_setting(key).with( - 'path' => '/etc/rundeck/ssl/ssl.properties', - 'setting' => key, - 'value' => value - ) + context 'with ssl_enabled => true and key_password => verysecure' do + let(:params) do + { + ssl_enabled: true, + key_password: 'verysecure' + } + end + + it 'generates valid content for ssl.properties' do + content = catalogue.resource('file', '/etc/rundeck/ssl/ssl.properties')[:content] + expect(content).to include('key.password=verysecure') end end end diff --git a/spec/classes/config_spec.rb b/spec/classes/config_spec.rb index 7f3ed976f..fadf9470f 100644 
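Review bot: Coverage for the default `key.password` is lost: the removed `ssl_details` entry `'key.password' => 'adminadmin'` asserted that an unset `key_password` falls back to the keystore password, while the new hunk only checks `key.password` when it is explicitly set to `verysecure`. If that fallback still exists, add `'key.password' => 'adminadmin'` back to `ssl_details` in the `ssl_enabled => true` context. Separately, the `ssl_details.each` loop emits several examples with the identical description `'generates valid content for ssl.properties'`; `it "renders #{key} in ssl.properties" do` would tell a failing run which property broke.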
--- a/spec/classes/config_spec.rb +++ b/spec/classes/config_spec.rb @@ -12,7 +12,7 @@ facts end - describe "rundeck::config class without any parameters on #{os}" do + context 'without any parameters test rundeck::config' do it { is_expected.to contain_file('/var/lib/rundeck').with('ensure' => 'directory') } it { is_expected.to contain_file('/var/lib/rundeck/libext').with('ensure' => 'directory') } it { is_expected.to contain_file('/etc/rundeck').with('ensure' => 'directory') } @@ -31,10 +31,10 @@ it 'generates valid content for the profile overrides file' do content = catalogue.resource('file', overrides)[:content] - expect(content).to include('RDECK_BASE=/var/lib/rundeck') - expect(content).to include('RDECK_CONFIG=/etc/rundeck') - expect(content).to include('RDECK_CONFIG_FILE=$RDECK_CONFIG/rundeck-config.properties') - expect(content).to include('RDECK_INSTALL=$RDECK_BASE') + expect(content).to include('RDECK_BASE="/var/lib/rundeck"') + expect(content).to include('RDECK_CONFIG="/etc/rundeck"') + expect(content).to include('RDECK_CONFIG_FILE="$RDECK_CONFIG/rundeck-config.properties"') + expect(content).to include('RDECK_INSTALL="$RDECK_BASE"') expect(content).to include('LOGIN_MODULE=authentication') expect(content).to include('RDECK_JVM_SETTINGS="-Xmx1024m -Xms256m -server"') expect(content).to include('RDECK_HTTP_PORT=4440') 
@@ -43,8 +43,8 @@ it { is_expected.to contain_class('rundeck::config::jaas_auth') } it { is_expected.to contain_class('rundeck::config::framework') } - it { is_expected.to contain_file('/etc/project.properties').with('ensure' => 'absent') } - it { is_expected.to contain_file('/etc/rundeck-config.properties').with('ensure' => 'file') } + it { is_expected.to contain_file('/etc/rundeck/project.properties').with('ensure' => 'absent') } + it { is_expected.to contain_file('/etc/rundeck/rundeck-config.properties').with('ensure' => 'file') } it 'generates valid content for rundeck-config.properties' do content = catalogue.resource('file', '/etc/rundeck/rundeck-config.properties')[:content] @@ -60,7 +60,7 @@ end end - describe 'rundeck::config with override_template set' do + context 'with override_template set' do template = 'rundeck/../spec/fixtures/files/override.template' let(:params) { { override_template: template } } @@ -72,7 +72,7 @@ end end - describe 'rundeck::config with jvm_args set' do + context 'with jvm_args set' do jvm_args = '-Dserver.http.port=8008 -Xms2048m -Xmx2048m -server' let(:params) { { jvm_args: jvm_args } } diff --git a/spec/classes/install_spec.rb b/spec/classes/install_spec.rb index bfe0bd42b..af3295747 100644 --- a/spec/classes/install_spec.rb +++ b/spec/classes/install_spec.rb 
@@ -9,28 +9,21 @@ facts end - describe "rundeck class without any parameters on #{os}" do + context 'without any parameters test rundeck::install' do let(:params) { {} } it { is_expected.not_to contain_user('rundeck') } - it do - is_expected.to contain_file('/var/rundeck').with( - ensure: 'directory', - owner: 'rundeck', - group: 'rundeck', - recurse: true - ) - end - case facts[:os]['family'] when 'RedHat' it do is_expected.to contain_yumrepo('rundeck').with( baseurl: 'https://packagecloud.io/pagerduty/rundeck/rpm_any/rpm_any/$basearch', - gpgcheck: 0, - repo_gpgcheck: 1, - gpgkey: 'https://packagecloud.io/pagerduty/rundeck/gpgkey' + descr: 'Rundeck repository', + enabled: 1, + gpgcheck: 1, + gpgkey: 'https://packagecloud.io/pagerduty/rundeck/gpgkey', + repo_gpgcheck: 1 ).that_comes_before('Package[rundeck]') end when 'Debian' @@ -40,7 +33,7 @@ end end - describe 'different user and group' do + context 'with different user and group' do let(:params) do { manage_user: true, @@ -59,7 +52,7 @@ it { is_expected.to contain_user('rundeck').with('ensure' => 'absent') } end - describe 'different user and group with ids' do + context 'different user and group with ids' do let(:params) do { manage_user: true, diff --git a/spec/classes/rundeck_spec.rb b/spec/classes/rundeck_spec.rb index f00901a14..3628e6365 100644 --- a/spec/classes/rundeck_spec.rb +++ b/spec/classes/rundeck_spec.rb 
@@ -9,73 +9,40 @@ facts end - describe "rundeck class without any parameters on #{os}" do + context 'rundeck class without any parameters' do let(:params) { {} } it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_class('rundeck::params') } it { is_expected.to contain_class('rundeck::install').that_comes_before('Class[rundeck::config]') } it { is_expected.to contain_class('rundeck::config').that_notifies('Class[rundeck::service]') } it { is_expected.to contain_class('rundeck::service') } + it { is_expected.to contain_class('rundeck::config::jaas_auth') } + it { is_expected.to contain_class('rundeck::config::framework') } + it { is_expected.not_to contain_class('rundeck::config::ssl') } end - context 'non-platform-specific config parameters' do - # auth_config cannot be passed as a parameter to rundeck::config :-( - # so we have to test it here - describe 'setting auth_config ldap roleUsernameMemberAttribute' do - let(:params) do - { - auth_config: { - 'ldap' => { - 'role_username_member_attribute' => 'memberUid' - } - } - } - end - - it { is_expected.to contain_file('/etc/rundeck/jaas-auth.conf') } - - it 'generates valid content for jaas-auth.conf' do - content = catalogue.resource('file', '/etc/rundeck/jaas-auth.conf')[:content] - expect(content).to include('roleUsernameMemberAttribute="memberUid"') - expect(content).not_to include('roleMemberAttribute') - end + context 'rundeck class with ssl_enabled => true' do + let(:params) do + { + ssl_enabled: true + } end - describe 'setting auth_config ldap url' do - let(:params) do - { - auth_config: { - 'ldap' => { - 'url' => 'ldaps://myrealldap.example.com', - 'server' => 'fakeldap', - 'port' => '983' - } - } - } - end - - it { is_expected.to contain_file('/etc/rundeck/jaas-auth.conf') } + it { is_expected.to compile.with_all_deps } + it { is_expected.to contain_class('rundeck::config::ssl') } + end - it 'generates valid content for jaas-auth.conf' do - content = catalogue.resource('file', 
'/etc/rundeck/jaas-auth.conf')[:content] - expect(content).to include('providerUrl="ldaps://myrealldap.example.com"') - expect(content).not_to include('providerUrl="ldap://fakeldap:983"') - end + context 'override server uuid' do + let :facts do + # uuid is ac7c2cbd-14fa-5ba3-b3f2-d436e9b8a3b0 + override_facts(super(), networking: { fqdn: 'rundeck.example.com' }) end - describe 'uuid setting' do - let :facts do - # uuid is ac7c2cbd-14fa-5ba3-b3f2-d436e9b8a3b0 - override_facts(super(), networking: { fqdn: 'rundeck.example.com' }) - end - - it { is_expected.to contain_file('/etc/rundeck/framework.properties') } + it { is_expected.to contain_file('/etc/rundeck/framework.properties') } - it 'uses fqdn fact for \'rundeck.server.uuid\'' do - content = catalogue.resource('file', '/etc/rundeck/framework.properties')[:content] - expect(content).to include('rundeck.server.uuid = ac7c2cbd-14fa-5ba3-b3f2-d436e9b8a3b0') - end + it 'uses fqdn fact for \'rundeck.server.uuid\'' do + content = catalogue.resource('file', '/etc/rundeck/framework.properties')[:content] + expect(content).to include('rundeck.server.uuid = ac7c2cbd-14fa-5ba3-b3f2-d436e9b8a3b0') end end end diff --git a/spec/classes/service_spec.rb b/spec/classes/service_spec.rb index 37899f0b5..23428d89e 100644 --- a/spec/classes/service_spec.rb +++ b/spec/classes/service_spec.rb @@ -9,7 +9,7 @@ facts end - describe "rundeck class without any parameters on #{os}" do + context 'without any parameters test rundeck::service' do let(:params) { {} } it { is_expected.to contain_service('rundeckd') } diff --git a/spec/defines/config/aclpolicyfile_spec.rb b/spec/defines/config/aclpolicyfile_spec.rb index f1a3c4e31..dc43c48c6 100644 --- a/spec/defines/config/aclpolicyfile_spec.rb +++ b/spec/defines/config/aclpolicyfile_spec.rb @@ -3,7 +3,7 @@ require 'spec_helper' describe 'rundeck::config::aclpolicyfile', type: :define do - test_policies = [ + admin_policy = [ { 'description' => 'Admin, all access', 'context' => { 
@@ -11,36 +11,37 @@ }, 'for' => { 'resource' => [ - { 'equals' => { 'kind' => 'job' }, 'allow' => ['create'] } - ] + { 'allow' => '*' } + ], + 'adhoc' => [ + { 'allow' => '*' } + ], + 'job' => [ + { 'allow' => '*' } + ], + 'node' => [ + { 'allow' => '*' } + ], }, 'by' => [ { 'group' => ['admin'] } - ] + ], }, { 'description' => 'Admin, all access', 'context' => { 'application' => 'rundeck' }, - 'for' => { - 'resource' => [ - { 'equals' => { 'kind' => 'project' }, 'allow' => ['create'] } - ] - }, - 'by' => [ - { 'group' => ['admin'] } - ] - }, - { - 'description' => 'System-level read access to a specific project', - 'context' => { - 'application' => 'rundeck' - }, 'for' => { 'project' => [ - { 'equals' => { 'name' => 'project' }, 'allow' => ['read'] } - ] + { 'allow' => '*' } + ], + 'resource' => [ + { 'allow' => '*' } + ], + 'storage' => [ + { 'allow' => '*' } + ], }, 'by' => [ { 'group' => ['admin'] } 
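Review bot: The replacement fixture only exercises `{ 'allow' => '*' }` rules, whereas the removed one covered `equals` matchers (`'kind' => 'job'`, `'name' => 'project'`) and array-valued `allow` lists (`['create']`, `['read']`), so the template's rendering of nested match rules and action arrays is no longer tested by this define spec. Keep at least one such rule in the fixture, e.g. `{ 'equals' => { 'kind' => 'job' }, 'allow' => ['create'] }` under `job`, and extend the expected YAML in the following hunk to match. The fixture array starts before this hunk.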
@@ -48,36 +49,76 @@ } ] - context 'default parameters' do - let(:title) { 'defaultPolicy' } + admin_acl = <<~CONFIG.gsub(%r{[^\S\n]{10}}, '') + description: Admin, all access + context: + project: '.*' + for: + resource: + - allow: '*' + adhoc: + - allow: '*' + job: + - allow: '*' + node: + - allow: '*' + by: + group: + - 'admin' + + --- + + description: Admin, all access + context: + application: 'rundeck' + for: + project: + - allow: '*' + resource: + - allow: '*' + storage: + - allow: '*' + by: + group: + - 'admin' + CONFIG + + context 'with admin acl and default parameters' do + let(:title) { 'admin' } let(:params) do { - acl_policies: test_policies + acl_policies: admin_policy, } end - it do - is_expected.to contain_file('/etc/rundeck/defaultPolicy.aclpolicy').with('owner' => 'rundeck', - 'group' => 'rundeck', - 'mode' => '0640') - end + it { + is_expected.to contain_file('/etc/rundeck/admin.aclpolicy').with( + owner: 'rundeck', + group: 'rundeck', + mode: '0644', + content: admin_acl + ) + } end - context 'custom parameters' do - let(:title) { 'myPolicy' } + context 'with admin acl and custom parameters' do + let(:title) { 'admin' } let(:params) do { - acl_policies: test_policies, + acl_policies: admin_policy, properties_dir: '/etc/rundeck-acl', owner: 'myUser', group: 'myGroup' } end - it do - is_expected.to contain_file('/etc/rundeck-acl/myPolicy.aclpolicy').with('owner' => 'myUser', - 'group' => 'myGroup', - 'mode' => '0640') - end + it { + is_expected.to contain_file('/etc/rundeck-acl/admin.aclpolicy').with( + owner: 'myUser', + group: 'myGroup', + mode: '0644', + content: admin_acl + ) + } end end diff --git a/spec/defines/config/plugin_spec.rb b/spec/defines/config/plugin_spec.rb index 288d91f89..04705a3cb 100644 --- a/spec/defines/config/plugin_spec.rb +++ b/spec/defines/config/plugin_spec.rb 
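Review bot: The expected mode loosens from `'0640'` to `'0644'` in both contexts; aclpolicy files are not secrets, but they enumerate group names, project patterns and the resources each group may touch, so if the define's default really changed the reason should be stated in the commit or a comment rather than only mirrored in the spec. The heredoc also combines `<<~CONFIG`, which already strips common indentation, with an unanchored `.gsub(%r{[^\S\n]{10}}, '')` that would delete any run of exactly ten spaces anywhere in the text, including inside a value; if a fixed indent must be removed, anchor it (`%r{^[^\S\n]{10}}`) and add a one-line comment saying why `<<~` alone is not enough, since that is not visible in the collapsed hunk.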
@@ -9,7 +9,7 @@ facts end - describe "rundeck::config::plugin definition without any parameters on #{os}" do + context 'install rundeck hipchat plugin' do name = 'rundeck-hipchat-plugin-1.0.0.jar' source = 'http://search.maven.org/remotecontent?filepath=com/hbakkum/rundeck/plugins/rundeck-hipchat-plugin/1.0.0/rundeck-hipchat-plugin-1.0.0.jar' plugin_dir = '/var/lib/rundeck/libext' @@ -36,7 +36,7 @@ end end - describe "rundeck::config::plugin definition with ensure set to absent on #{os}" do + context 'make rundeck hipchat plugin absent' do name = 'rundeck-hipchat-plugin-1.0.0.jar' source = 'http://search.maven.org/remotecontent?filepath=com/hbakkum/rundeck/plugins/rundeck-hipchat-plugin/1.0.0/rundeck-hipchat-plugin-1.0.0.jar' plugin_dir = '/var/lib/rundeck/libext' diff --git a/templates/framework.properties.epp b/templates/framework.properties.epp index 188aa4caa..f4241c085 100644 --- a/templates/framework.properties.epp +++ b/templates/framework.properties.epp @@ -1,3 +1,3 @@ -<%- $_framework_config.keys.unique.sort.each |$k| { -%> -<%= $k %> = <%= $_framework_config[$k] %> +<%- $_framework_config.each |$_k, $_v| { -%> +<%= $_k %> = <%= $_v %> <%- } -%> diff --git a/templates/jaas-auth.conf.epp b/templates/jaas-loginmodule.conf.epp similarity index 100% rename from templates/jaas-auth.conf.epp rename to templates/jaas-loginmodule.conf.epp diff --git a/templates/rundeck-config.properties.epp b/templates/rundeck-config.properties.epp index 651f56230..0736c6ddc 100644 --- a/templates/rundeck-config.properties.epp +++ b/templates/rundeck-config.properties.epp @@ -46,7 +46,7 @@ grails.mail.<%= $_k %> = <%= $_v %> <%- } -%> <%- $rundeck::security_config.each |$_k, $_v| {-%> -<%= $k %> = <%= $rundeck::security_config[$k] %> +rundeck.security.<%= $_k %> = <%= $_v %> <%- } -%> <%- $rundeck::preauthenticated_config.each |$_k, $_v| { -%> 
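Review bot: Prefixing `rundeck.security.` onto every `security_config` key fixes the undefined `$k` / `$rundeck::security_config[$k]` references, but it also changes the parameter's contract: a key given as the full property name (e.g. `rundeck.security.syncLdapUser`) would now be emitted as `rundeck.security.rundeck.security.syncLdapUser`. The same applies to the `rundeck.gui.` prefix added for `gui_config` in the following hunk, whose old line did emit the key verbatim. Make sure the `@param security_config` and `@param gui_config` docs in init.pp state this, e.g. `# Keys are relative to the rundeck.security. prefix (e.g. syncLdapUser => true)`.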
@@ -54,5 +54,5 @@ rundeck.security.authorization.preauthenticated.<%= $_k %> = <%= $_v %> <%- } -%> <%- $rundeck::gui_config.each |$_k, $_v| {-%> -<%= $_k %> = <%= $_v %> +rundeck.gui.<%= $_k %> = <%= $_v %> <%- } -%> From 2d4ce4af402250cefcbae17a6fbddd9178551f91 Mon Sep 17 00:00:00 2001 From: Joris29 Date: Tue, 28 Nov 2023 15:24:02 +0100 Subject: [PATCH 67/82] Disable gpg check for yumrepo --- data/RedHat.yaml | 2 +- spec/classes/install_spec.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/data/RedHat.yaml b/data/RedHat.yaml index 32c4a76e9..7ef94ea02 100644 --- a/data/RedHat.yaml +++ b/data/RedHat.yaml @@ -7,6 +7,6 @@ rundeck::repo_config: baseurl: 'https://packagecloud.io/pagerduty/rundeck/rpm_any/rpm_any/$basearch' descr: 'Rundeck repository' enabled: 1 - gpgcheck: 1 + gpgcheck: 0 gpgkey: 'https://packagecloud.io/pagerduty/rundeck/gpgkey' repo_gpgcheck: 1 diff --git a/spec/classes/install_spec.rb b/spec/classes/install_spec.rb index af3295747..5a7471b43 100644 --- a/spec/classes/install_spec.rb +++ b/spec/classes/install_spec.rb @@ -21,7 +21,7 @@ baseurl: 'https://packagecloud.io/pagerduty/rundeck/rpm_any/rpm_any/$basearch', descr: 'Rundeck repository', enabled: 1, - gpgcheck: 1, + gpgcheck: 0, gpgkey: 'https://packagecloud.io/pagerduty/rundeck/gpgkey', repo_gpgcheck: 1 ).that_comes_before('Package[rundeck]') From 3f9df6097226c8e9b8e8928b75f3772f2b738b9a Mon Sep 17 00:00:00 2001 From: Joris29 Date: Tue, 28 Nov 2023 15:31:10 +0100 Subject: [PATCH 68/82] Fix wrong hiera parameter for repo_config --- data/Debian.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data/Debian.yaml b/data/Debian.yaml index ff12a6521..b7069eb6f 100644 --- a/data/Debian.yaml +++ b/data/Debian.yaml @@ -1,7 +1,7 @@ --- rundeck::override_dir: '/etc/default' -rundeck::repoconfig: +rundeck::repo_config: 'apt::source': 'rundeck': location: 'https://packagecloud.io/pagerduty/rundeck/any' 
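Review bot: Setting `gpgcheck: 0` while keeping `repo_gpgcheck: 1` means yum verifies the repository metadata signature but installs the Rundeck RPMs themselves without any signature check, and the one-line commit message does not say why. If the packagecloud RPMs are unsigned, record that in `data/RedHat.yaml` next to the value, e.g. `# gpgcheck disabled: <reason> - revisit once packages are signed`, so the weakening is not silently carried forward, and mention in the `repo_config` parameter docs that the hash can be overridden to re-enable it. The same value change is mirrored in `spec/classes/install_spec.rb` in the following hunk.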
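Review bot: The rename from `rundeck::repoconfig` to `rundeck::repo_config` shows the Debian hiera data was never bound to the `Hash $repo_config` parameter, and nothing in the visible Debian branch of `install_spec.rb` would have caught it. If the install class creates `apt::source` resources from this hash, a Debian-family assertion such as `it { is_expected.to contain_apt__source('rundeck') }` would make a future key typo fail the suite instead of silently dropping the repository configuration.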
From c112b914d03fd1b93b9b3510006e5d5bb361fb43 Mon Sep 17 00:00:00 2001 From: Joris29 Date: Tue, 28 Nov 2023 18:02:11 +0100 Subject: [PATCH 69/82] Update unit tests --- spec/classes/config/framework_spec.rb | 27 ++++++------- spec/classes/config/jaas_auth_spec.rb | 6 ++- spec/classes/config/ssl_spec.rb | 33 +++++++++++++++ spec/classes/config_spec.rb | 15 ++----- spec/classes/rundeck_spec.rb | 16 +++++++- spec/defines/config/aclpolicyfile_spec.rb | 49 ++++++++++++++--------- 6 files changed, 97 insertions(+), 49 deletions(-) diff --git a/spec/classes/config/framework_spec.rb b/spec/classes/config/framework_spec.rb index bca688bb7..4d653f0e5 100644 --- a/spec/classes/config/framework_spec.rb +++ b/spec/classes/config/framework_spec.rb @@ -49,19 +49,18 @@ end context 'setting framework.server.{name,url}' do - context 'with non-default framework.server.hostname' do + context 'with non-default framework.server.url' do let(:params) do { framework_config: { - 'framework.server.url' => 'rundeck.example.com' + 'framework.server.url' => 'http://rundeck.example.com:4440' } } end - it do - is_expected.to contain_file('/etc/rundeck/framework.properties').with_content( - %r{framework\.server\.url = http://rundeck\.example\.com:4440} - ) + it 'generates valid content for framework.properties' do + content = catalogue.resource('file', '/etc/rundeck/framework.properties')[:content] + expect(content).to include('framework.server.url = http://rundeck.example.com:4440') end end 
@@ -73,10 +72,10 @@ } end - it do - is_expected.to contain_file('/etc/rundeck/framework.properties'). \ - with_content(%r{^framework\.server\.port = 443$}). \ - with_content(%r{framework\.server\.url = https://foo\.example\.com:443}) + it 'generates valid content for framework.properties' do + content = catalogue.resource('file', '/etc/rundeck/framework.properties')[:content] + expect(content).to include('framework.server.port = 443') + expect(content).to include('framework.server.url = https://foo.example.com:443') end end @@ -91,10 +90,10 @@ } end - it do - is_expected.to contain_file('/etc/rundeck/framework.properties'). \ - with_content(%r{^framework\.server\.port = 443$}). \ - with_content(%r{framework\.server\.url = https://rundeck\.example\.com:443}) + it 'generates valid content for framework.properties' do + content = catalogue.resource('file', '/etc/rundeck/framework.properties')[:content] + expect(content).to include('framework.server.port = 443') + expect(content).to include('framework.server.url = https://rundeck.example.com:443') end end end diff --git a/spec/classes/config/jaas_auth_spec.rb b/spec/classes/config/jaas_auth_spec.rb index e3a676a3b..6484e7c66 100644 --- a/spec/classes/config/jaas_auth_spec.rb +++ b/spec/classes/config/jaas_auth_spec.rb @@ -17,6 +17,7 @@ end it { is_expected.to contain_file('/etc/rundeck/realm.properties').with(ensure: 'absent') } + it { is_expected.to contain_file('/etc/rundeck/jaas-loginmodule.conf').with(ensure: 'file') } it 'jaas-loginmodule.conf contains no auth classes' do jaas_auth = catalogue.resource('file', '/etc/rundeck/jaas-loginmodule.conf')[:content] 
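Review bot: Replacing `with_content(%r{^framework\.server\.port = 443$})` with `include('framework.server.port = 443')` drops the anchoring: the substring also matches `framework.server.port = 4430` or any longer value beginning with `443`, so the port assertions in this hunk and the next one are weaker than the ones they replace. Keep the anchored form, `expect(content).to match(%r{^framework\.server\.port = 443$})`, or include the line terminator, `expect(content).to include("framework.server.port = 443\n")`. The url assertions are less exposed because the expected value ends in an explicit port, but the same pattern applies. The enclosing `context` starts before this hunk.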
@@ -45,6 +46,9 @@ } end + it { is_expected.to contain_file('/etc/rundeck/realm.properties').with(ensure: 'file') } + it { is_expected.to contain_file('/etc/rundeck/jaas-loginmodule.conf').with(ensure: 'file') } + it 'generates valid content for realm.properties' do content = catalogue.resource('file', '/etc/rundeck/realm.properties')[:content] expect(content).to include('admin:admin,user,admin,architect,deploy,build') @@ -207,7 +211,7 @@ it 'generates valid content for jaas-loginmodule.conf' do content = catalogue.resource('file', '/etc/rundeck/jaas-loginmodule.conf')[:content] - expect(content).to include('com.dtolabs.rundeck.jetty.jaas.JettyCombinedLdapLoginModule required') + expect(content).to include(' com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule required') expect(content).to include('debug="true"') expect(content).to include('providerUrl="ldap://server:389"') expect(content).to include('bindDn="cn=Manager,dc=example,dc=com"') diff --git a/spec/classes/config/ssl_spec.rb b/spec/classes/config/ssl_spec.rb index 05258dfe0..534358c47 100644 --- a/spec/classes/config/ssl_spec.rb +++ b/spec/classes/config/ssl_spec.rb @@ -26,6 +26,25 @@ it { is_expected.to contain_file('/etc/rundeck/ssl').with('ensure' => 'directory') } it { is_expected.to contain_file('/etc/rundeck/ssl/ssl.properties') } + it { + is_expected.to contain_java_ks('keystore').with( + ensure: 'present', + certificate: '/etc/rundeck/ssl/rundeck.crt', + private_key: '/etc/rundeck/ssl/rundeck.key', + trustcacerts: true, + password: 'adminadmin', + target: '/etc/rundeck/ssl/keystore', + ) + } + + it { + is_expected.to contain_java_ks('truststore').with( + ensure: 'present', + password: 'adminadmin', + target: '/etc/rundeck/ssl/truststore' + ) + } + ssl_details.each do |key, value| it 'generates valid content for ssl.properties' do content = catalogue.resource('file', '/etc/rundeck/ssl/ssl.properties')[:content] 
@@ -42,6 +61,20 @@ } end + it { + is_expected.to contain_java_ks('keystore').with( + ensure: 'present', + destkeypass: 'verysecure' + ) + } + + it { + is_expected.to contain_java_ks('truststore').with( + ensure: 'present', + destkeypass: 'verysecure' + ) + } + it 'generates valid content for ssl.properties' do content = catalogue.resource('file', '/etc/rundeck/ssl/ssl.properties')[:content] expect(content).to include('key.password=verysecure') diff --git a/spec/classes/config_spec.rb b/spec/classes/config_spec.rb index fadf9470f..0cabe488b 100644 --- a/spec/classes/config_spec.rb +++ b/spec/classes/config_spec.rb @@ -16,6 +16,7 @@ it { is_expected.to contain_file('/var/lib/rundeck').with('ensure' => 'directory') } it { is_expected.to contain_file('/var/lib/rundeck/libext').with('ensure' => 'directory') } it { is_expected.to contain_file('/etc/rundeck').with('ensure' => 'directory') } + it { is_expected.to contain_file('/var/log/rundeck').with('ensure' => 'directory') } it { is_expected.to contain_file('/etc/rundeck/log4j2.properties') } @@ -25,7 +26,9 @@ end it { is_expected.to contain_rundeck__config__aclpolicyfile('admin') } + it { is_expected.to contain_file('/etc/rundeck/admin.aclpolicy') } it { is_expected.to contain_rundeck__config__aclpolicyfile('apitoken') } + it { is_expected.to contain_file('/etc/rundeck/apitoken.aclpolicy') } it { is_expected.to contain_file(overrides) } @@ -60,18 +63,6 @@ end end - context 'with override_template set' do - template = 'rundeck/../spec/fixtures/files/override.template' - let(:params) { { override_template: template } } - - it { is_expected.to contain_file(overrides) } - - it 'uses the content for the profile overrides template' do - content = catalogue.resource('file', overrides)[:content] - expect(content).to include('test override template') - end - end - context 'with jvm_args set' do jvm_args = '-Dserver.http.port=8008 -Xms2048m -Xmx2048m -server' let(:params) { { jvm_args: jvm_args } } 
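Review bot: Asserting `destkeypass: 'verysecure'` on the `truststore` java_ks resource pins a parameter that has no effect there: `destkeypass` protects private-key entries, and a truststore holds only trusted certificates. If the manifest sets it on both resources for symmetry the example will pass, but it locks that quirk into the spec; the more useful check in this context is that the store passwords stay independent of `key_password`, e.g. `is_expected.to contain_java_ks('truststore').with(password: 'adminadmin')`, assuming the defaults asserted in the preceding context still apply. The enclosing `context` starts before this hunk.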
diff --git a/spec/classes/rundeck_spec.rb b/spec/classes/rundeck_spec.rb index 3628e6365..983cff476 100644 --- a/spec/classes/rundeck_spec.rb +++ b/spec/classes/rundeck_spec.rb @@ -9,7 +9,7 @@ facts end - context 'rundeck class without any parameters' do + context 'without any parameters test rundeck' do let(:params) { {} } it { is_expected.to compile.with_all_deps } @@ -21,7 +21,19 @@ it { is_expected.not_to contain_class('rundeck::config::ssl') } end - context 'rundeck class with ssl_enabled => true' do + context 'with service_notify => false' do + let(:params) do + { + service_notify: false + } + end + + it { is_expected.to contain_class('rundeck::install').that_comes_before('Class[rundeck::config]') } + it { is_expected.to contain_class('rundeck::config').that_comes_before('Class[rundeck::service]') } + it { is_expected.to contain_class('rundeck::service') } + end + + context 'with ssl_enabled => true' do let(:params) do { ssl_enabled: true diff --git a/spec/defines/config/aclpolicyfile_spec.rb b/spec/defines/config/aclpolicyfile_spec.rb index dc43c48c6..133bb9f71 100644 --- a/spec/defines/config/aclpolicyfile_spec.rb +++ b/spec/defines/config/aclpolicyfile_spec.rb @@ -3,9 +3,9 @@ require 'spec_helper' describe 'rundeck::config::aclpolicyfile', type: :define do - admin_policy = [ + test_policy = [ { - 'description' => 'Admin, all access', + 'description' => 'Test project access', 'context' => { 'project' => '.*' }, @@ -24,11 +24,11 @@ ], }, 'by' => [ - { 'group' => ['admin'] } + { 'group' => ['test'] } ], }, { - 'description' => 'Admin, all access', + 'description' => 'Test application access', 'context' => { 'application' => 'rundeck' }, @@ -44,13 +44,13 @@ ], }, 'by' => [ - { 'group' => ['admin'] } + { 'group' => ['test'] } ] } ] - admin_acl = <<~CONFIG.gsub(%r{[^\S\n]{10}}, '') - description: Admin, all access + test_acl = <<~CONFIG.gsub(%r{[^\S\n]{10}}, '') + description: Test project access context: project: '.*' for: 
@@ -64,11 +64,11 @@ - allow: '*' by: group: - - 'admin' + - 'test' --- - description: Admin, all access + description: Test application access context: application: 'rundeck' for: @@ -80,32 +80,32 @@ - allow: '*' by: group: - - 'admin' + - 'test' CONFIG - context 'with admin acl and default parameters' do - let(:title) { 'admin' } + context 'with test acl and default parameters' do + let(:title) { 'test' } let(:params) do { - acl_policies: admin_policy, + acl_policies: test_policy, } end it { - is_expected.to contain_file('/etc/rundeck/admin.aclpolicy').with( + is_expected.to contain_file('/etc/rundeck/test.aclpolicy').with( owner: 'rundeck', group: 'rundeck', mode: '0644', - content: admin_acl + content: test_acl ) } end - context 'with admin acl and custom parameters' do - let(:title) { 'admin' } + context 'with test acl and custom parameters' do + let(:title) { 'test' } let(:params) do { - acl_policies: admin_policy, + acl_policies: test_policy, properties_dir: '/etc/rundeck-acl', owner: 'myUser', group: 'myGroup' @@ -113,11 +113,20 @@ end it { - is_expected.to contain_file('/etc/rundeck-acl/admin.aclpolicy').with( + is_expected.to contain_file('/etc/rundeck-acl').with( + ensure: 'directory', + owner: 'myUser', + group: 'myGroup', + mode: '0755' + ) + } + + it { + is_expected.to contain_file('/etc/rundeck-acl/test.aclpolicy').with( owner: 'myUser', group: 'myGroup', mode: '0644', - content: admin_acl + content: test_acl ) } end From 001da6e0fa343e867b4e674a9c101e1d71ae1be9 Mon Sep 17 00:00:00 2001 From: Joris29 Date: Tue, 28 Nov 2023 18:10:52 +0100 Subject: [PATCH 70/82] Update spec, reference and remove todo --- REFERENCE.md | 2 +- data/Debian.yaml | 18 ++++++++---------- manifests/config.pp | 2 +- manifests/init.pp | 4 ++-- manifests/service.pp | 2 +- spec/classes/config/ssl_spec.rb | 2 +- 6 files changed, 14 insertions(+), 16 deletions(-) diff --git a/REFERENCE.md b/REFERENCE.md index 91750578d..ee6ff6b42 100644 --- a/REFERENCE.md +++ b/REFERENCE.md 
@@ -352,7 +352,7 @@ Default value: `{ 'url' => 'jdbc:h2:file:/var/lib/rundeck/data/rundeckdb' }` Data type: `Hash` Hash of properties for configuring the [Rundeck Framework](https://docs.rundeck.com/docs/administration/configuration/config-file-reference.html#framework-properties) -This hash will be merged with the [Rundeck defaults](https://github.com/voxpupuli/puppet-rundeck/blob/4eb3f4158f49cd1176090897aa88098f1e4507ab/manifests/config.pp#L8-L20) # TODO: Update ref +This hash will be merged with the [Rundeck defaults](https://github.com/voxpupuli/puppet-rundeck/blob/master/manifests/config.pp#L8-L20) Default value: `{}` diff --git a/data/Debian.yaml b/data/Debian.yaml index b7069eb6f..8dc91c5ab 100644 --- a/data/Debian.yaml +++ b/data/Debian.yaml @@ -2,13 +2,11 @@ rundeck::override_dir: '/etc/default' rundeck::repo_config: - 'apt::source': - 'rundeck': - location: 'https://packagecloud.io/pagerduty/rundeck/any' - release: 'any' - repos: 'main' - comment: 'Official repository for Rundeck' - key: - id: '0DDD2FA79B15D736ECEA32B89B5206167C5C34C0' - source: 'https://packagecloud.io/pagerduty/rundeck/gpgkey' - server: 'keyserver.ubuntu.com' + rundeck: + location: https://packagecloud.io/pagerduty/rundeck/any + release: any + repos: main + comment: Official repository for Rundeck + key: + name: rundeck.asc + source: https://packagecloud.io/pagerduty/rundeck/gpgkey diff --git a/manifests/config.pp b/manifests/config.pp index c7dc44906..f39798dfd 100644 --- a/manifests/config.pp +++ b/manifests/config.pp @@ -75,7 +75,7 @@ } } - if ($rundeck::override_template) { + if $rundeck::override_template { file { "${rundeck::override_dir}/${rundeck::service_name}": ensure => file, content => epp($rundeck::override_template), diff --git a/manifests/init.pp b/manifests/init.pp index 2fc3c1f4a..07e2e1e56 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
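Review bot: The rewritten `key` hash in data/Debian.yaml keeps only `name: rundeck.asc` and a download `source`, dropping the fingerprint `id: '0DDD2FA79B15D736ECEA32B89B5206167C5C34C0'` that the removed lines carried, so the repository signing key is now accepted purely on the strength of the HTTPS fetch, with nothing for the apt module to compare the downloaded key against. The later hunks that keep reworking this entry (L384, L393, L401) change the name and the source URL but never restore a fingerprint. If the apt module version targeted accepts `id` alongside `name`/`source` for keyring-based keys, add `id: '0DDD2FA79B15D736ECEA32B89B5206167C5C34C0'` back (after confirming that fingerprint still matches the key published at the new source); if it does not, a one-line comment in the data file stating that trust rests on TLS to the source URL makes the trade-off explicit.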
@@ -47,7 +47,7 @@ # Hash of properties for configuring the [Rundeck Database](https://docs.rundeck.com/docs/administration/configuration/database) # @param framework_config # Hash of properties for configuring the [Rundeck Framework](https://docs.rundeck.com/docs/administration/configuration/config-file-reference.html#framework-properties) -# This hash will be merged with the [Rundeck defaults](https://github.com/voxpupuli/puppet-rundeck/blob/4eb3f4158f49cd1176090897aa88098f1e4507ab/manifests/config.pp#L8-L20) # TODO: Update ref +# This hash will be merged with the [Rundeck defaults](https://github.com/voxpupuli/puppet-rundeck/blob/master/manifests/config.pp#L8-L20) # @param gui_config # Hash of properties for customizing the [Rundeck GUI](https://docs.rundeck.com/docs/administration/configuration/gui-customization.html) # @param mail_config @@ -111,7 +111,7 @@ Stdlib::Absolutepath $override_dir, Hash $repo_config, Boolean $manage_repo = true, - String $package_ensure = 'installed', + String[1] $package_ensure = 'installed', Boolean $manage_home = true, String $user = 'rundeck', String $group = 'rundeck', diff --git a/manifests/service.pp b/manifests/service.pp index 1cd40b847..057714bfc 100644 --- a/manifests/service.pp +++ b/manifests/service.pp @@ -9,7 +9,7 @@ file { '/etc/init/rundeckd.conf': ensure => file, mode => '0644', - content => template($rundeck::service_config), + content => epp($rundeck::service_config), } } diff --git a/spec/classes/config/ssl_spec.rb b/spec/classes/config/ssl_spec.rb index 534358c47..4f17ed721 100644 --- a/spec/classes/config/ssl_spec.rb +++ b/spec/classes/config/ssl_spec.rb @@ -33,7 +33,7 @@ private_key: '/etc/rundeck/ssl/rundeck.key', trustcacerts: true, password: 'adminadmin', - target: '/etc/rundeck/ssl/keystore', + target: '/etc/rundeck/ssl/keystore' ) } From c0c072022de0b4906e951577018f16f8e4891ec6 Mon Sep 17 00:00:00 2001 
From: Joris29 Date: Wed, 29 Nov 2023 15:37:02 +0100 Subject: [PATCH 71/82] Update references and repo config also don't align class parameters --- REFERENCE.md | 40 ++++++------ data/Debian.yaml | 7 +- data/RedHat.yaml | 16 ++--- manifests/config/aclpolicyfile.pp | 10 +-- manifests/config/plugin.pp | 10 +-- manifests/init.pp | 104 +++++++++++++++--------------- manifests/install.pp | 35 ++++++++-- spec/classes/install_spec.rb | 13 ++-- 8 files changed, 127 insertions(+), 108 deletions(-) diff --git a/REFERENCE.md b/REFERENCE.md index ee6ff6b42..c30e5abb8 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -112,12 +112,12 @@ Default value: `true` Data type: `Hash` -A hash of repository types and attributes for configuring the rundeck package repositories. +A hash of repository attributes for configuring the rundeck package repositories. Examples/defaults for yumrepo can be found at RedHat.yaml, and for apt at Debian.yaml ##### `package_ensure` -Data type: `String` +Data type: `String[1]` Ensure the state of the rundeck package, either present, absent or a specific version. @@ -133,7 +133,7 @@ Default value: `true` ##### `user` -Data type: `String` +Data type: `String[1]` The user that rundeck is installed as. @@ -141,7 +141,7 @@ Default value: `'rundeck'` ##### `group` -Data type: `String` +Data type: `String[1]` The group permission that rundeck is installed as. @@ -422,7 +422,7 @@ Default value: `'info'` ##### `config_template` -Data type: `String` +Data type: `String[1]` The template used for rundeck-config properties. Needs to be in epp format. @@ -430,7 +430,7 @@ Default value: `'rundeck/rundeck-config.properties.epp'` ##### `override_template` -Data type: `String` +Data type: `String[1]` The template used for rundeck profile overrides. Needs to be in epp format. 
@@ -438,7 +438,7 @@ Default value: `'rundeck/profile_overrides.epp'` ##### `realm_template` -Data type: `String` +Data type: `String[1]` The template used for jaas realm properties. Needs to be in epp format. @@ -446,7 +446,7 @@ Default value: `'rundeck/realm.properties.epp'` ##### `log_properties_template` -Data type: `String` +Data type: `String[1]` The template used for log properties. Needs to be in epp format. @@ -462,7 +462,7 @@ Default value: `false` ##### `server_web_context` -Data type: `Optional[String]` +Data type: `Optional[String[1]]` Web context path to use, such as "/rundeck". http://host.domain:port/server_web_context @@ -502,7 +502,7 @@ Default value: `'/etc/rundeck/ssl/rundeck.key'` ##### `key_password` -Data type: `Optional[String]` +Data type: `Optional[String[1]]` The password used to protect the key in keystore. @@ -518,7 +518,7 @@ Default value: `'/etc/rundeck/ssl/keystore'` ##### `keystore_password` -Data type: `String` +Data type: `String[1]` The password for the given keystore. @@ -534,7 +534,7 @@ Default value: `'/etc/rundeck/ssl/truststore'` ##### `truststore_password` -Data type: `String` +Data type: `String[1]` The password for the given truststore. @@ -542,7 +542,7 @@ Default value: `'adminadmin'` ##### `service_name` -Data type: `String` +Data type: `String[1]` The name of the rundeck service. @@ -574,7 +574,7 @@ Default value: `true` ##### `service_config` -Data type: `Optional[String]` +Data type: `Optional[String[1]]` Allows you to use your own override template instead to config rundeckd init script. @@ -582,7 +582,7 @@ Default value: `undef` ##### `service_script` -Data type: `Optional[String]` +Data type: `Optional[String[1]]` Allows you to use your own override template instead of the default from the package maintainer for rundeckd init script. @@ -658,7 +658,7 @@ Default value: `'present'` ##### `owner` -Data type: `String` +Data type: `String[1]` The user that rundeck is installed as. 
@@ -666,7 +666,7 @@ Default value: `'rundeck'` ##### `group` -Data type: `String` +Data type: `String[1]` The group permission that rundeck is installed as. @@ -707,7 +707,7 @@ The following parameters are available in the `rundeck::config::plugin` defined ##### `source` -Data type: `String` +Data type: `String[1]` The http source or local path from which to get the plugin. @@ -721,7 +721,7 @@ Default value: `'present'` ##### `owner` -Data type: `String` +Data type: `String[1]` The user that rundeck is installed as. @@ -729,7 +729,7 @@ Default value: `'rundeck'` ##### `group` -Data type: `String` +Data type: `String[1]` The group permission that rundeck is installed as. diff --git a/data/Debian.yaml b/data/Debian.yaml index 8dc91c5ab..92659a75e 100644 --- a/data/Debian.yaml +++ b/data/Debian.yaml @@ -1,12 +1,11 @@ --- -rundeck::override_dir: '/etc/default' +rundeck::override_dir: /etc/default rundeck::repo_config: rundeck: - location: https://packagecloud.io/pagerduty/rundeck/any + location: https://packages.rundeck.com/pagerduty/rundeck/any release: any repos: main - comment: Official repository for Rundeck key: name: rundeck.asc - source: https://packagecloud.io/pagerduty/rundeck/gpgkey + source: https://packages.rundeck.com/pagerduty/rundeck/gpgkey diff --git a/data/RedHat.yaml b/data/RedHat.yaml index 7ef94ea02..4b58b42f7 100644 --- a/data/RedHat.yaml +++ b/data/RedHat.yaml 
@@ -1,12 +1,10 @@ --- -rundeck::override_dir: '/etc/sysconfig' +rundeck::override_dir: /etc/sysconfig rundeck::repo_config: - 'yumrepo': - 'rundeck': - baseurl: 'https://packagecloud.io/pagerduty/rundeck/rpm_any/rpm_any/$basearch' - descr: 'Rundeck repository' - enabled: 1 - gpgcheck: 0 - gpgkey: 'https://packagecloud.io/pagerduty/rundeck/gpgkey' - repo_gpgcheck: 1 + rundeck: + baseurl: https://packages.rundeck.com/pagerduty/rundeckpro/rpm_any/rpm_any/$basearch + repo_gpgcheck: 1 + gpgcheck: 1 + enabled: 1 + gpgkey: https://packages.rundeck.com/pagerduty/rundeckpro/gpgkey,https://docs.rundeck.com/keys/BUILD-GPG-KEY-20230105.key diff --git a/manifests/config/aclpolicyfile.pp b/manifests/config/aclpolicyfile.pp index 2da260cd1..518bf44f2 100644 --- a/manifests/config/aclpolicyfile.pp +++ b/manifests/config/aclpolicyfile.pp @@ -39,11 +39,11 @@ # The rundeck configuration directory. # define rundeck::config::aclpolicyfile ( - Array[Hash] $acl_policies, - Enum['present', 'absent'] $ensure = 'present', - String $owner = 'rundeck', - String $group = 'rundeck', - Stdlib::Absolutepath $properties_dir = '/etc/rundeck', + Array[Hash] $acl_policies, + Enum['present', 'absent'] $ensure = 'present', + String[1] $owner = 'rundeck', + String[1] $group = 'rundeck', + Stdlib::Absolutepath $properties_dir = '/etc/rundeck', ) { validate_rd_policy($acl_policies) diff --git a/manifests/config/plugin.pp b/manifests/config/plugin.pp index 8320a2bda..9ccccf85e 100644 --- a/manifests/config/plugin.pp +++ b/manifests/config/plugin.pp 
@@ -19,11 +19,11 @@ # Get the plugin trough a proxy server. # define rundeck::config::plugin ( - String $source, - Enum['present', 'absent'] $ensure = 'present', - String $owner = 'rundeck', - String $group = 'rundeck', - Stdlib::Absolutepath $plugins_dir = '/var/lib/rundeck/libext', + String[1] $source, + Enum['present', 'absent'] $ensure = 'present', + String[1] $owner = 'rundeck', + String[1] $group = 'rundeck', + Stdlib::Absolutepath $plugins_dir = '/var/lib/rundeck/libext', Optional[Stdlib::HTTPUrl] $proxy_server = undef, ) { ensure_resource('file', $plugins_dir, { 'ensure' => 'directory', 'owner' => $owner, 'group' => $group, 'mode' => '0755' }) diff --git a/manifests/init.pp b/manifests/init.pp index 07e2e1e56..f131714be 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -3,7 +3,7 @@ # @param manage_repo # Whether to manage the package repository. # @param repo_config -# A hash of repository types and attributes for configuring the rundeck package repositories. +# A hash of repository attributes for configuring the rundeck package repositories. # Examples/defaults for yumrepo can be found at RedHat.yaml, and for apt at Debian.yaml # @param package_ensure # Ensure the state of the rundeck package, either present, absent or a specific version. 
@@ -108,18 +108,18 @@ # Allows you to use your own override template instead of the default from the package maintainer for rundeckd init script. # class rundeck ( - Stdlib::Absolutepath $override_dir, - Hash $repo_config, - Boolean $manage_repo = true, + Stdlib::Absolutepath $override_dir, + Hash $repo_config, + Boolean $manage_repo = true, String[1] $package_ensure = 'installed', - Boolean $manage_home = true, - String $user = 'rundeck', - String $group = 'rundeck', - Boolean $manage_user = false, - Boolean $manage_group = false, - Optional[Integer] $user_id = undef, - Optional[Integer] $group_id = undef, - Array[Hash] $admin_policies = [ + Boolean $manage_home = true, + String[1] $user = 'rundeck', + String[1] $group = 'rundeck', + Boolean $manage_user = false, + Boolean $manage_group = false, + Optional[Integer] $user_id = undef, + Optional[Integer] $group_id = undef, + Array[Hash] $admin_policies = [ { 'description' => 'Admin, all access', 'context' => { 'project' => '.*' }, @@ -142,7 +142,7 @@ 'by' => [{ 'group' => ['admin'] }], }, ], - Array[Hash] $api_policies = [ + Array[Hash] $api_policies = [ { 'description' => 'API project level access control', 'context' => { 'project' => '.*' }, 
@@ -169,15 +169,15 @@ 'by' => [{ 'group' => ['api_token_group'] }], }, ], - Boolean $manage_default_admin_policy = true, - Boolean $manage_default_api_policy = true, - Stdlib::HTTPUrl $grails_server_url = "http://${facts['networking']['fqdn']}:4440", - Boolean $clustermode_enabled = false, - Enum['active', 'passive'] $execution_mode = 'active', + Boolean $manage_default_admin_policy = true, + Boolean $manage_default_api_policy = true, + Stdlib::HTTPUrl $grails_server_url = "http://${facts['networking']['fqdn']}:4440", + Boolean $clustermode_enabled = false, + Enum['active', 'passive'] $execution_mode = 'active', Optional[Stdlib::Absolutepath] $java_home = undef, - String $jvm_args = '-Xmx1024m -Xms256m -server', - Integer $quartz_job_threadcount = 10, - Rundeck::Auth_config $auth_config = { + String $jvm_args = '-Xmx1024m -Xms256m -server', + Integer $quartz_job_threadcount = 10, + Rundeck::Auth_config $auth_config = { 'file' => { 'auth_flag' => 'required', 'jaas_config' => { 
@@ -190,37 +190,37 @@ }, }, }, - Rundeck::Db_config $database_config = { 'url' => 'jdbc:h2:file:/var/lib/rundeck/data/rundeckdb' }, - Hash $framework_config = {}, - Hash $gui_config = {}, - Rundeck::Mail_config $mail_config = {}, - Hash $security_config = {}, - Hash $preauthenticated_config = {}, - Rundeck::Key_storage_config $key_storage_config = [{ 'type' => 'db', 'path' => 'keys' }], - Array[Hash] $key_storage_encrypt_config = [], - Rundeck::Loglevel $app_log_level = 'info', - Rundeck::Loglevel $audit_log_level = 'info', - String $config_template = 'rundeck/rundeck-config.properties.epp', - String $override_template = 'rundeck/profile_overrides.epp', - String $realm_template = 'rundeck/realm.properties.epp', - String $log_properties_template = 'rundeck/log4j2.properties.epp', - Boolean $rss_enabled = false, - Optional[String] $server_web_context = undef, - Boolean $ssl_enabled = false, - Stdlib::Port $ssl_port = 4443, - Stdlib::Absolutepath $ssl_certificate = '/etc/rundeck/ssl/rundeck.crt', - Stdlib::Absolutepath $ssl_private_key = '/etc/rundeck/ssl/rundeck.key', - Optional[String] $key_password = undef, - Stdlib::Absolutepath $keystore = '/etc/rundeck/ssl/keystore', - String $keystore_password = 'adminadmin', - Stdlib::Absolutepath $truststore = '/etc/rundeck/ssl/truststore', - String $truststore_password = 'adminadmin', - String $service_name = 'rundeckd', - Enum['stopped', 'running'] $service_ensure = 'running', - Stdlib::Absolutepath $service_logs_dir = '/var/log/rundeck', - Boolean $service_notify = true, - Optional[String] $service_config = undef, - Optional[String] $service_script = undef, + Rundeck::Db_config $database_config = { 'url' => 'jdbc:h2:file:/var/lib/rundeck/data/rundeckdb' }, + Hash $framework_config = {}, + Hash $gui_config = {}, + Rundeck::Mail_config $mail_config = {}, + Hash $security_config = {}, + Hash $preauthenticated_config = {}, + Rundeck::Key_storage_config $key_storage_config = [{ 'type' => 'db', 'path' => 'keys' }], + Array[Hash] 
$key_storage_encrypt_config = [], + Rundeck::Loglevel $app_log_level = 'info', + Rundeck::Loglevel $audit_log_level = 'info', + String[1] $config_template = 'rundeck/rundeck-config.properties.epp', + String[1] $override_template = 'rundeck/profile_overrides.epp', + String[1] $realm_template = 'rundeck/realm.properties.epp', + String[1] $log_properties_template = 'rundeck/log4j2.properties.epp', + Boolean $rss_enabled = false, + Optional[String[1]] $server_web_context = undef, + Boolean $ssl_enabled = false, + Stdlib::Port $ssl_port = 4443, + Stdlib::Absolutepath $ssl_certificate = '/etc/rundeck/ssl/rundeck.crt', + Stdlib::Absolutepath $ssl_private_key = '/etc/rundeck/ssl/rundeck.key', + Optional[String[1]] $key_password = undef, + Stdlib::Absolutepath $keystore = '/etc/rundeck/ssl/keystore', + String[1] $keystore_password = 'adminadmin', + Stdlib::Absolutepath $truststore = '/etc/rundeck/ssl/truststore', + String[1] $truststore_password = 'adminadmin', + String[1] $service_name = 'rundeckd', + Enum['stopped', 'running'] $service_ensure = 'running', + Stdlib::Absolutepath $service_logs_dir = '/var/log/rundeck', + Boolean $service_notify = true, + Optional[String[1]] $service_config = undef, + Optional[String[1]] $service_script = undef, ) { validate_rd_policy($admin_policies) validate_rd_policy($api_policies) diff --git a/manifests/install.pp b/manifests/install.pp index 1d50ea650..2657f45fa 100644 --- a/manifests/install.pp +++ b/manifests/install.pp 
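Review bot: `String[1] $keystore_password = 'adminadmin'`, `String[1] $truststore_password = 'adminadmin'` and `Optional[String[1]] $key_password` are rewritten here as plain strings, while patches 75/76 (L397, L398) move the database and mail passwords to `Variant[String[8], Sensitive[String[8]]]`; for consistency these three should accept `Sensitive` as well so the keystore passwords can be kept out of catalogs and reports. Whether the resources that consume them (the ssl class, outside this hunk) take a `Sensitive` directly or need an `unwrap` should be checked before changing the type. The well-known `'adminadmin'` default is carried over unchanged; the `@param` docs above the class should say plainly that it is a placeholder to be overridden. The `class rundeck (` header is on L387 and the parameter list continues past this hunk.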
@@ -36,16 +36,39 @@ } case $facts['os']['family'] { - /RedHat|Debian/: { + 'RedHat': { if $rundeck::manage_repo { - $rundeck::repo_config.each() | String $_resource_type, Hash $_resources | { - if downcase($_resource_type) == 'apt::source' { - Class['Apt::Update'] -> Package['rundeck'] + $rundeck::repo_config.each | String $_repo_name, Hash $_attributes| { + yumrepo { $_repo_name: + * => $_attributes, + before => Package['rundeck'], } - create_resources($_resource_type, $_resources, { 'before' => Package['rundeck'] }) } } - ensure_packages(['rundeck'], { 'ensure' => $rundeck::package_ensure, notify => Class['rundeck::service'] }) + + package { 'rundeck': + ensure => $rundeck::package_ensure, + notify => Class['rundeck::service'], + } + } + 'Debian': { + if $rundeck::manage_repo { + include apt + + $rundeck::repo_config.each | String $_repo_name, Hash $_attributes | { + apt::source { $_repo_name: + * => $_attributes, + before => Package['rundeck'], + } + } + + Class['Apt::Update'] -> Package['rundeck'] + } + + package { 'rundeck': + ensure => $rundeck::package_ensure, + notify => Class['rundeck::service'], + } } default: { err("The osfamily: ${facts['os']['family']} is not supported") diff --git a/spec/classes/install_spec.rb b/spec/classes/install_spec.rb index 5a7471b43..cf1501378 100644 --- a/spec/classes/install_spec.rb +++ b/spec/classes/install_spec.rb 
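Review bot: Both `yumrepo { $_repo_name: * => $_attributes, before => Package['rundeck'] }` and the matching `apt::source` block combine a splat with an explicit `before`; if a user's `repo_config` hash carries its own `before` (or any other key that is also set explicitly), Puppet should reject the resource with a duplicate-attribute error rather than merge the two. Writing `* => $_attributes + { 'before' => Package['rundeck'] }` keeps the ordering guarantee while tolerating user-supplied keys (the module's `before` wins on a clash, which is the intended behaviour here). The opening of the `case` statement and the `err(...)` default branch lie partly outside this hunk.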
@@ -18,18 +18,17 @@ when 'RedHat' it do is_expected.to contain_yumrepo('rundeck').with( - baseurl: 'https://packagecloud.io/pagerduty/rundeck/rpm_any/rpm_any/$basearch', - descr: 'Rundeck repository', + baseurl: 'https://packages.rundeck.com/pagerduty/rundeckpro/rpm_any/rpm_any/$basearch', + repo_gpgcheck: 1, + gpgcheck: 1, enabled: 1, - gpgcheck: 0, - gpgkey: 'https://packagecloud.io/pagerduty/rundeck/gpgkey', - repo_gpgcheck: 1 + gpgkey: 'https://packages.rundeck.com/pagerduty/rundeckpro/gpgkey,https://docs.rundeck.com/keys/BUILD-GPG-KEY-20230105.key' ).that_comes_before('Package[rundeck]') end when 'Debian' - it { is_expected.to contain_apt__source('rundeck').with_location('https://packagecloud.io/pagerduty/rundeck/any') } + it { is_expected.to contain_apt__source('rundeck').with_location('https://packages.rundeck.com/pagerduty/rundeck/any') } + it { is_expected.to contain_class('apt::update').that_comes_before('Package[rundeck]') } it { is_expected.to contain_package('rundeck').that_notifies('Class[rundeck::service]') } - it { is_expected.to contain_package('rundeck').that_requires('Class[apt::update]') } end end From c62513f92bbc27a8e83d9fa06800905fbd347f8f Mon Sep 17 00:00:00 2001 From: Joris29 Date: Wed, 29 Nov 2023 17:34:23 +0100 Subject: [PATCH 72/82] Update repo config --- data/Debian.yaml | 2 +- data/RedHat.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/data/Debian.yaml b/data/Debian.yaml index 92659a75e..fc4d6324b 100644 --- a/data/Debian.yaml +++ b/data/Debian.yaml @@ -7,5 +7,5 @@ rundeck::repo_config: release: any repos: main key: - name: rundeck.asc + id: rundeck.asc source: https://packages.rundeck.com/pagerduty/rundeck/gpgkey diff --git a/data/RedHat.yaml b/data/RedHat.yaml index 4b58b42f7..c9770a0db 100644 --- a/data/RedHat.yaml +++ b/data/RedHat.yaml 
@@ -7,4 +7,4 @@ rundeck::repo_config: repo_gpgcheck: 1 gpgcheck: 1 enabled: 1 - gpgkey: https://packages.rundeck.com/pagerduty/rundeckpro/gpgkey,https://docs.rundeck.com/keys/BUILD-GPG-KEY-20230105.key + gpgkey: https://packages.rundeck.com/pagerduty/rundeck/gpgkey From 224b07ba1626a856aa74f4d00c16ca7f5bb67b5d Mon Sep 17 00:00:00 2001 From: Joris29 Date: Wed, 29 Nov 2023 17:47:14 +0100 Subject: [PATCH 73/82] Update install spec --- data/Debian.yaml | 2 +- data/RedHat.yaml | 4 ++-- manifests/install.pp | 2 -- spec/classes/install_spec.rb | 6 +++--- 4 files changed, 6 insertions(+), 8 deletions(-) diff --git a/data/Debian.yaml b/data/Debian.yaml index fc4d6324b..60c915bc7 100644 --- a/data/Debian.yaml +++ b/data/Debian.yaml @@ -7,5 +7,5 @@ rundeck::repo_config: release: any repos: main key: - id: rundeck.asc + name: rundeck.gpg source: https://packages.rundeck.com/pagerduty/rundeck/gpgkey diff --git a/data/RedHat.yaml b/data/RedHat.yaml index c9770a0db..ffc954725 100644 --- a/data/RedHat.yaml +++ b/data/RedHat.yaml @@ -3,8 +3,8 @@ rundeck::override_dir: /etc/sysconfig rundeck::repo_config: rundeck: - baseurl: https://packages.rundeck.com/pagerduty/rundeckpro/rpm_any/rpm_any/$basearch + baseurl: https://packages.rundeck.com/pagerduty/rundeck/rpm_any/rpm_any/$basearch repo_gpgcheck: 1 - gpgcheck: 1 + gpgcheck: 0 enabled: 1 gpgkey: https://packages.rundeck.com/pagerduty/rundeck/gpgkey diff --git a/manifests/install.pp b/manifests/install.pp index 2657f45fa..928391457 100644 --- a/manifests/install.pp +++ b/manifests/install.pp @@ -53,8 +53,6 @@ } 'Debian': { if $rundeck::manage_repo { - include apt - $rundeck::repo_config.each | String $_repo_name, Hash $_attributes | { apt::source { $_repo_name: * => $_attributes, diff --git a/spec/classes/install_spec.rb b/spec/classes/install_spec.rb index cf1501378..698a08a29 100644 --- a/spec/classes/install_spec.rb +++ b/spec/classes/install_spec.rb 
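Review bot: `gpgcheck: 1` is reverted to `gpgcheck: 0` in data/RedHat.yaml, which turns off signature verification of the rundeck RPM itself; `repo_gpgcheck: 1` only covers the repository metadata, so an unsigned or altered package body would still install. If the packages at packages.rundeck.com are signed with the key at the `gpgkey` URL, keep `gpgcheck: 1`; if the revert happened because package signatures did not verify against that key, record the reason as a comment next to the value so the weakened default reads as deliberate rather than as a leftover from testing. The install_spec hunk on L394 pins the same `gpgcheck: 0` and needs updating together with this file.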
@@ -18,11 +18,11 @@ when 'RedHat' it do is_expected.to contain_yumrepo('rundeck').with( - baseurl: 'https://packages.rundeck.com/pagerduty/rundeckpro/rpm_any/rpm_any/$basearch', + baseurl: 'https://packages.rundeck.com/pagerduty/rundeck/rpm_any/rpm_any/$basearch', repo_gpgcheck: 1, - gpgcheck: 1, + gpgcheck: 0, enabled: 1, - gpgkey: 'https://packages.rundeck.com/pagerduty/rundeckpro/gpgkey,https://docs.rundeck.com/keys/BUILD-GPG-KEY-20230105.key' + gpgkey: 'https://packages.rundeck.com/pagerduty/rundeck/gpgkey' ).that_comes_before('Package[rundeck]') end when 'Debian' From d5aff092d1532f91044d39bd51330e247e7dc71a Mon Sep 17 00:00:00 2001 From: Joris29 Date: Thu, 30 Nov 2023 09:14:11 +0100 Subject: [PATCH 74/82] Update readme and simplify install --- README.md | 86 ++++++++++++++++++++++++-------------------- manifests/install.pp | 19 ++++------ 2 files changed, 55 insertions(+), 50 deletions(-) diff --git a/README.md b/README.md index 532d52163..426c90760 100644 --- a/README.md +++ b/README.md @@ -19,8 +19,6 @@ ## Overview -# TODO: Update readme - The rundeck puppet module for installing and managing [Rundeck](http://rundeck.org/) ### Supported Versions of Rundeck @@ -66,14 +64,13 @@ class { 'rundeck': key_storage_config => [ { 'type' => 'db', - 'path' => '/', + 'path' => 'keys', }, ], - database_config => { - 'type' => 'mysql', - 'url' => $db_url, + database_config => { + 'url' => 'jdbc:mysql://myserver/rundeck', 'username' => 'rundeck', - 'password' => $db_pass, + 'password' => 'verysecure', 'driverClassName' => 'com.mysql.jdbc.Driver', }, } @@ -83,9 +80,9 @@ class { 'rundeck': ```Puppet class { 'rundeck': - ssl_enabled => true, - ssl_keyfile => $ssl_keyfile, - ssl_certfile => $ssl_certfile, + ssl_enabled => true, + ssl_certificate => '/path/to/cert', + ssl_private_key => '/path/to/key', } ``` 
@@ -98,7 +95,7 @@ class { 'rundeck': key_storage_config => [ { 'type' => 'vault-storage', - 'path' => '/', + 'path' => 'keys', 'config' => { 'prefix' => 'rundeck', 'address' => 'https://vault.example.com', @@ -122,14 +119,14 @@ class { 'rundeck': key_storage_config => [ { 'type' => 'file', - 'path' => '/keys', + 'path' => 'keys', 'config' => { 'baseDir => '/path/to/dir', }, }, { 'type' => 'db', - 'path' => '/keys/database', + 'path' => 'keys/database', }, ], } 
@@ -143,33 +140,46 @@ To perform LDAP authentication and file authorization following code can be used class { 'rundeck': auth_config => { 'file' => { - 'auth_users' => [ - { - 'username' => 'rooty', - 'roles' => ['admin'], - }, - { - 'username' => 'stan', - 'roles' => ['sre'], - } - ], + 'auth_flag' => 'sufficient', + 'jaas_config' => { + 'file' => '/etc/rundeck/realm.properties', + }, + 'realm_config' => { + 'admin_user' => 'admin', + 'admin_password' => 'admin', + 'auth_users' => [ + { + 'username' => 'testuser', + 'password' => 'password', + 'roles' => %w[user deploy] + }, + { + 'username' => 'anotheruser', + 'password' => 'anotherpassword', + 'roles' => ['user'] + }, + ], + }, }, 'ldap' => { - 'url' => 'ldap://ldap:389', - 'force_binding' => true, - 'bind_dn' => 'cn=ProxyUser,dc=example,dc=com', - 'bind_password' => 'secret', - 'user_base_dn' => 'ou=Users,dc=example,dc=com', - 'user_rdn_attribute' => 'uid', - 'user_id_attribute' => 'uid', - 'user_object_class' => 'inetOrgPerson', - 'role_base_dn' => 'ou=Groups,dc=example,dc=com', - 'role_name_attribute' => 'cn', - 'role_member_attribute' => 'memberUid', - 'role_username_member_attribute' => 'memberUid', - 'role_object_class' => 'posixGroup', - 'supplemental_roles' => 'user', - 'nested_groups' => false, + 'jaas_config' => { + 'debug' => 'true', + 'providerUrl' => 'ldap://server:389', + 'bindDn' => 'cn=Manager,dc=example,dc=com', + 'bindPassword' => 'secret', + 'authenticationMethod' => 'simple', + 'forceBindingLogin' => 'false', + 'userBaseDn' => 'ou=users,ou=accounts,ou=corp,dc=xyz,dc=com', + 'userRdnAttribute' => 'sAMAccountName', + 'userIdAttribute' => 'sAMAccountName', + 'userPasswordAttribute' => 'unicodePwd', + 'userObjectClass' => 'user', + 'roleBaseDn' => 'ou=role based,ou=security,ou=groups,ou=test,dc=xyz,dc=com', + 'roleNameAttribute' => 'cn', + 'roleMemberAttribute' => 'member', + 'roleObjectClass' => 'group', + 'nestedGroups' => 'true' + }, }, }, } 
diff --git a/manifests/install.pp b/manifests/install.pp index 928391457..5c8ec0075 100644 --- a/manifests/install.pp +++ b/manifests/install.pp @@ -45,31 +45,26 @@ } } } - - package { 'rundeck': - ensure => $rundeck::package_ensure, - notify => Class['rundeck::service'], - } } 'Debian': { if $rundeck::manage_repo { - $rundeck::repo_config.each | String $_repo_name, Hash $_attributes | { + $rundeck::repo_config.each | String $_repo_name, Hash $_attributes| { apt::source { $_repo_name: * => $_attributes, before => Package['rundeck'], } } - - Class['Apt::Update'] -> Package['rundeck'] } - package { 'rundeck': - ensure => $rundeck::package_ensure, - notify => Class['rundeck::service'], - } + Class['Apt::Update'] -> Package['rundeck'] } default: { err("The osfamily: ${facts['os']['family']} is not supported") } } + + package { 'rundeck': + ensure => $rundeck::package_ensure, + notify => Class['rundeck::service'], + } } From 5710fbf03ca2d18c3ec31cb9019a768bf972fa39 Mon Sep 17 00:00:00 2001 From: Joris29 Date: Thu, 30 Nov 2023 10:14:46 +0100 Subject: [PATCH 75/82] Add sensitive for db --- types/db_config.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/types/db_config.pp b/types/db_config.pp index 374ac1b6c..780038c7d 100644 --- a/types/db_config.pp +++ b/types/db_config.pp @@ -3,7 +3,7 @@ 'url' => String, Optional['driverClassName'] => String, Optional['username'] => String, - Optional['password'] => String, + Optional['password'] => Variant[String[8], Sensitive[String[8]]], Optional['dialect'] => String, Optional['properties.validationQuery'] => String, }] From baf7fc66dd29227b507ad1c0f4c2a904b9410306 Mon Sep 17 00:00:00 2001 From: Joris29 Date: Thu, 30 Nov 2023 10:17:32 +0100 Subject: [PATCH 76/82] Update mail_config password type --- REFERENCE.md | 4 ++-- types/mail_config.pp | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/REFERENCE.md b/REFERENCE.md index c30e5abb8..270f8743d 100644 --- a/REFERENCE.md +++ b/REFERENCE.md 
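Review bot: In the `'Debian'` branch the chaining arrow `Class['Apt::Update'] -> Package['rundeck']` now sits outside `if $rundeck::manage_repo`, so with `manage_repo => false` it references a class this module no longer declares itself (patch 73, L393, dropped `include apt`; when repositories are managed, `apt::source` presumably pulls `apt` in on its own). Unless the user's own manifests declare `apt`, catalog compilation should fail on the missing `Class[Apt::Update]` relationship target. Keeping the arrow inside the `if` block, where the removed lines had it, restores the previous behaviour; if an unconditional dependency on the apt module is intended instead, add `include apt` at the top of the branch. The `case` statement starts outside this hunk.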
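Review bot: Accepting `Sensitive[String[8]]` for `password` in types/db_config.pp changes nothing about how the value is rendered, and a `Sensitive` value interpolated directly into an EPP template prints the redaction placeholder instead of the secret; whichever template writes `database_config` (outside this hunk) will need to `unwrap` the value, and the `mail_config` change on L398 has the same concern, since the properties template there iterates `$rundeck::mail_config` with `each |$_k, $_v|` and the loop body is not in view. `Sensitive` also only keeps the secret out of the catalog, reports and diff output; the rendered properties file still holds it in clear, so the file resource should keep a restrictive mode and `show_diff => false`. Raising the minimum to `String[8]` additionally rejects any existing shorter password at compile time, which is a breaking change worth a changelog entry.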
@@ -792,7 +792,7 @@ Struct[{ 'url' => String, Optional['driverClassName'] => String, Optional['username'] => String, - Optional['password'] => String, + Optional['password'] => Variant[String[8], Sensitive[String[8]]], Optional['dialect'] => String, Optional['properties.validationQuery'] => String, }] @@ -829,7 +829,7 @@ Struct[{ Optional['host'] => String, Optional['port'] => Integer, Optional['username'] => String, - Optional['password'] => String, + Optional['password'] => Variant[String[8], Sensitive[String[8]]], Optional['props'] => Array[Hash], Optional['default.from'] => String, Optional['default.to'] => String, diff --git a/types/mail_config.pp b/types/mail_config.pp index a5a6155e1..6495dca95 100644 --- a/types/mail_config.pp +++ b/types/mail_config.pp @@ -3,7 +3,7 @@ Optional['host'] => String, Optional['port'] => Integer, Optional['username'] => String, - Optional['password'] => String, + Optional['password'] => Variant[String[8], Sensitive[String[8]]], Optional['props'] => Array[Hash], Optional['default.from'] => String, Optional['default.to'] => String, From 96d42b692aec977c247a9097a4f6220ab14a4eaf Mon Sep 17 00:00:00 2001 From: Joris29 Date: Fri, 1 Dec 2023 10:47:36 +0100 Subject: [PATCH 77/82] Add new line between key storage config --- templates/rundeck-config.properties.epp | 2 ++ 1 file changed, 2 insertions(+) diff --git a/templates/rundeck-config.properties.epp b/templates/rundeck-config.properties.epp index 0736c6ddc..f910c716b 100644 --- a/templates/rundeck-config.properties.epp +++ b/templates/rundeck-config.properties.epp @@ -26,6 +26,7 @@ rundeck.storage.provider.<%= $_i+1 %>.removePathPrefix = <%= $_cfg['removePathPr rundeck.storage.provider.<%= $_i+1 %>.config.<%= $_k %> = <%= $_v %> <%- } -%> <%- } -%> + <%- } -%> <%- $rundeck::key_storage_encrypt_config.each |$_i, $_cfg| { -%> 
@@ -39,6 +40,7 @@ rundeck.storage.converter.<%= $_i+1 %>.resourceSelector = <%= $_cfg['resourceSel rundeck.storage.converter.<%= $_i+1 %>.config.<%= $_k %> = <%= $_v %> <%- } -%> <%- } -%> + <%- } -%> <%- $rundeck::mail_config.each |$_k, $_v| {-%> From ba23060b08d3fb64d8d8f53d2303dbf2aa3124c8 Mon Sep 17 00:00:00 2001 From: Joris29 Date: Fri, 1 Dec 2023 10:57:56 +0100 Subject: [PATCH 78/82] Add api token max duration --- REFERENCE.md | 9 +++++++++ manifests/init.pp | 1 + templates/rundeck-config.properties.epp | 1 + 3 files changed, 11 insertions(+) diff --git a/REFERENCE.md b/REFERENCE.md index 270f8743d..162dbbe11 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -99,6 +99,7 @@ The following parameters are available in the `rundeck` class: * [`service_config`](#-rundeck--service_config) * [`service_script`](#-rundeck--service_script) * [`override_dir`](#-rundeck--override_dir) +* [`api_token_max_duration`](#-rundeck--api_token_max_duration) ##### `manage_repo` @@ -594,6 +595,14 @@ Data type: `Stdlib::Absolutepath` +##### `api_token_max_duration` + +Data type: `String[1]` + + + +Default value: `'30d'` + ## Defined types ### `rundeck::config::aclpolicyfile` diff --git a/manifests/init.pp b/manifests/init.pp index f131714be..8e98f393d 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -174,6 +174,7 @@ Stdlib::HTTPUrl $grails_server_url = "http://${facts['networking']['fqdn']}:4440", Boolean $clustermode_enabled = false, Enum['active', 'passive'] $execution_mode = 'active', + String[1] $api_token_max_duration = '30d', Optional[Stdlib::Absolutepath] $java_home = undef, String $jvm_args = '-Xmx1024m -Xms256m -server', Integer $quartz_job_threadcount = 10, diff --git a/templates/rundeck-config.properties.epp b/templates/rundeck-config.properties.epp index f910c716b..6e0130726 100644 --- a/templates/rundeck-config.properties.epp +++ b/templates/rundeck-config.properties.epp 
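Review bot: The new parameter `String[1] $api_token_max_duration = '30d'` has no `@param` entry in the class header (the generated REFERENCE.md hunk above shows an empty description for it), so its accepted format is undocumented. Add, next to the other `@param` lines above the class, `# @param api_token_max_duration` / `#   Maximum lifetime of generated API tokens, written to rundeck.api.tokens.duration.max (e.g. '30d').`, and regenerate REFERENCE.md. If the unit suffixes Rundeck accepts are known, a `Pattern[...]` type would catch typos at compile time rather than at service start. The class header lies outside this hunk.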
@@ -7,6 +7,7 @@ grails.serverURL = <%= $rundeck::grails_server_url %>
 rundeck.clusterMode.enabled = <%= $rundeck::clustermode_enabled %>
 rundeck.executionMode = <%= $rundeck::execution_mode %>
+rundeck.api.tokens.duration.max = <%= $rundeck::api_token_max_duration %>
 quartz.threadPool.threadCount = <%= $rundeck::quartz_job_threadcount %>
From d501d49e60d2f9a9f037d2632cdad4696e7e5827 Mon Sep 17 00:00:00 2001
From: Joris29
Date: Fri, 1 Dec 2023 14:50:34 +0100
Subject: [PATCH 79/82] Update auth_config type and refs
---
 REFERENCE.md | 6 +++---
 types/auth_config.pp | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/REFERENCE.md b/REFERENCE.md
index 162dbbe11..fe0dcb06b 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -784,9 +784,9 @@ Alias of
 
 ```puppet
 Struct[{
- Optional['file'] => Hash[String, Data],
- Optional['ldap'] => Hash[String, Data],
- Optional['pam'] => Hash[String, Data],
+ Optional['file'] => Hash[String, Any],
+ Optional['ldap'] => Hash[String, Any],
+ Optional['pam'] => Hash[String, Any],
 }]
 ```
 
diff --git a/types/auth_config.pp b/types/auth_config.pp
index bc9f7de4a..6b57606b1 100644
--- a/types/auth_config.pp
+++ b/types/auth_config.pp
@@ -1,6 +1,6 @@
 # Rundeck authentication config type.
 type Rundeck::Auth_config = Struct[{
- Optional['file'] => Hash[String, Data],
- Optional['ldap'] => Hash[String, Data],
- Optional['pam'] => Hash[String, Data],
+ Optional['file'] => Hash[String, Any],
+ Optional['ldap'] => Hash[String, Any],
+ Optional['pam'] => Hash[String, Any],
 }]
From 8f877718ef439baa632e4ef077ad9fde6b622a70 Mon Sep 17 00:00:00 2001
From: Joris29
Date: Mon, 4 Dec 2023 17:43:04 +0100
Subject: [PATCH 80/82] Test debian config
---
 data/Debian.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/data/Debian.yaml b/data/Debian.yaml
index 60c915bc7..7313898cc 100644
--- a/data/Debian.yaml
+++ b/data/Debian.yaml
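Review bot: Widening the three values in types/auth_config.pp from `Hash[String, Data]` to `Hash[String, Any]` removes all checking of what lands in the file/ldap/pam sections, since `Any` also admits resource references and other non-data values. If the motivation is to accept `Sensitive` values, which `Data` excludes (an LDAP bind password, presumably), `Hash[String, Variant[Data, Sensitive]]` keeps the checking while allowing the wrapped form: `Optional['file'] => Hash[String, Variant[Data, Sensitive]],` and likewise for `ldap` and `pam`. The commit message does not say why the looser type was chosen, so whichever type stays, a comment on the type line recording the reason would help the next reader, e.g. `# Values are not restricted to Data so Sensitive secrets such as bind passwords can be passed through`. The type body is complete within the hunk.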
@@ -3,9 +3,9 @@
 rundeck::override_dir: /etc/default
 rundeck::repo_config:
 rundeck:
- location: https://packages.rundeck.com/pagerduty/rundeck/any
+ location: https://packagecloud.io/pagerduty/rundeck/any
 release: any
 repos: main
 key:
 name: rundeck.gpg
- source: https://packages.rundeck.com/pagerduty/rundeck/gpgkey
+ source: https://packagecloud.io/pagerduty/rundeck/gpgkey
From cd6a40599ea0b20b808fe7dff8ac91cac23d3a64 Mon Sep 17 00:00:00 2001
From: Joris29
Date: Mon, 4 Dec 2023 17:51:23 +0100
Subject: [PATCH 81/82] Test source
---
 data/Debian.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/data/Debian.yaml b/data/Debian.yaml
index 7313898cc..b56774788 100644
--- a/data/Debian.yaml
+++ b/data/Debian.yaml
@@ -3,9 +3,9 @@
 rundeck::override_dir: /etc/default
 rundeck::repo_config:
 rundeck:
- location: https://packagecloud.io/pagerduty/rundeck/any
+ location: https://packages.rundeck.com/pagerduty/rundeck/any
 release: any
 repos: main
 key:
 name: rundeck.gpg
- source: https://packagecloud.io/pagerduty/rundeck/gpgkey
+ source: https://docs.rundeck.com/keys/BUILD-GPG-KEY-20230105.key
From b0fa7701375d083653ecb283348ceaa85c1d4132 Mon Sep 17 00:00:00 2001
From: Joris29
Date: Mon, 4 Dec 2023 18:13:12 +0100
Subject: [PATCH 82/82] Update debian repo config
---
 data/Debian.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/data/Debian.yaml b/data/Debian.yaml
index b56774788..0f8bcbfad 100644
--- a/data/Debian.yaml
+++ b/data/Debian.yaml
@@ -7,5 +7,5 @@ rundeck::repo_config:
 release: any
 repos: main
 key:
- name: rundeck.gpg
- source: https://docs.rundeck.com/keys/BUILD-GPG-KEY-20230105.key
+ name: rundeck
+ source: https://packages.rundeck.com/pagerduty/rundeck/gpgkey
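Review bot: After the last hunk the repository signing key in data/Debian.yaml is trusted solely because it was fetched over HTTPS from `https://packages.rundeck.com/pagerduty/rundeck/gpgkey`, the same host that serves the packages, so nothing pins the key itself and signature checking adds little beyond TLS for that first download. If the consumer of `rundeck::repo_config` (not visible here, presumably an `apt::source`-style resource) supports a key `id`/fingerprint or inline `content`, pinning it there would make package verification independent of the download. The rename from `name: rundeck.gpg` to `name: rundeck` may change the keyring filename that consumer writes, so confirm it does not expect the extension. The three hunks for this file (PATCH 80, 81 and 82) flip `location` and `source` back and forth and read as test commits; squashing them into one leaves a cleaner history.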
