Merge branch 'jenkins-build-12' into 'master'

Auto-merge for build 12

See merge request puppet/puppet_cd!10

.vscode/settings.json

@@ -14,9 +14,11 @@
         "kahadb",
         "levelname",
         "logappender",
+        "NOFILE",
         "pydantic",
         "pylint",
         "pytest",
+        "refreshonly",
         "repolist",
         "requestlogging",
         "springframework",

doc/puppet_classes/puppet_cd_3A_3Afirewall_3A_3Aiptables.html

@@ -139,7 +139,14 @@
 41
 42
 43
-44</pre>
+44
+45
+46
+47
+48
+49
+50
+51</pre>
       </td>
       <td>
         <pre class="code"><span class="info file"># File 'manifests/firewall/iptables.pp', line 6</span>
@@ -158,6 +165,13 @@ class puppet_cd::firewall::iptables (
       dport =&gt; &#39;8443&#39;,
       jump  =&gt; &#39;accept&#39;,
     }
+    if $pt_use_r10k_webhook == true {
+      firewall { &#39;38080 open port 8080&#39;:
+        proto =&gt; &#39;tcp&#39;,
+        dport =&gt; &#39;8080&#39;,
+        jump  =&gt; &#39;accept&#39;,
+      }
+    }
   }
 
   if $fqdn == $pt_db_fqdn {

doc/puppet_classes/puppet_cd_3A_3Aparams.html

@@ -1677,7 +1677,10 @@
 245
 246
 247
-248</pre>
+248
+249
+250
+251</pre>
       </td>
       <td>
         <pre class="code"><span class="info file"># File 'manifests/params.pp', line 88</span>
@@ -1833,11 +1836,14 @@ class puppet_cd::params (
   $pt_r10k_webhook_erb              = &#39;puppet_cd/r10k/webhook.py.erb&#39;
   $pt_r10k_req_file                 = &quot;${pt_r10k_webhook_dir}/requirements.txt&quot;
   $pt_r10k_req_erb                  = &#39;puppet_cd/r10k/requirements.txt.erb&#39;
+  $pt_r10k_wh_service_file          = &#39;/etc/systemd/system/r10k-webhook.service&#39;
+  $pt_r10k_wh_service_erb           = &#39;puppet_cd/r10k/r10k_webhook_service.erb&#39;
 
 # service
   $pt_server_service                = &#39;puppetserver&#39;
   $pt_agent_service                 = &#39;puppet&#39;
   $pt_db_service                    = &#39;puppetdb&#39;
+  $pt_r10k_wb_service               = &#39;r10k-webhook&#39;
 
 #
   # includes must be last

doc/puppet_classes/puppet_cd_3A_3Ar10k_3A_3Awebhook.html

@@ -159,7 +159,38 @@
 61
 62
 63
-64</pre>
+64
+65
+66
+67
+68
+69
+70
+71
+72
+73
+74
+75
+76
+77
+78
+79
+80
+81
+82
+83
+84
+85
+86
+87
+88
+89
+90
+91
+92
+93
+94
+95</pre>
       </td>
       <td>
         <pre class="code"><span class="info file"># File 'manifests/r10k/webhook.pp', line 6</span>
@@ -221,6 +252,37 @@ class puppet_cd::r10k::webhook (
       require =&gt; [Package[$pt_r10k_webhook_pkg],File[$pt_r10k_req_file]],
       unless  =&gt; &#39;pip3 show fastapi&#39;,  # Idempotent check
     }
+
+    # establish exec systemd reload
+    exec { &#39;systemctl_daemon_reload&#39;:
+      command     =&gt; &#39;systemctl daemon-reload&#39;,
+      path        =&gt; [&#39;/bin&#39;, &#39;/usr/bin&#39;],
+      require     =&gt; Exec[&#39;pip_install_r10k_webhook&#39;],
+      refreshonly =&gt; true,
+    }
+
+    # install systemd service file
+    file { $pt_r10k_wh_service_file:
+      ensure   =&gt; file,
+      owner    =&gt; &#39;root&#39;,
+      group    =&gt; &#39;root&#39;,
+      mode     =&gt; &#39;0644&#39;,
+      selrange =&gt; s0,
+      selrole  =&gt; object_r,
+      seltype  =&gt; systemd_unit_file_t,
+      seluser  =&gt; system_u,
+      content  =&gt; template($pt_r10k_wh_service_erb),
+      require  =&gt; Exec[&#39;systemctl_daemon_reload&#39;],
+      notify   =&gt; Exec[&#39;systemctl_daemon_reload&#39;],
+    }
+
+    # manage service
+    service { &#39;r10k-webhook&#39;:
+      ensure    =&gt; &#39;running&#39;,
+      enable    =&gt; true,
+      require   =&gt; File[$pt_r10k_wh_service_file],
+      subscribe =&gt; File[$pt_r10k_webhook_file],
+    }
   }
 }</pre>
       </td>

manifests/firewall/iptables.pp

@@ -17,6 +17,13 @@ class puppet_cd::firewall::iptables (
       dport => '8443',
       jump  => 'accept',
     }
+    if $pt_use_r10k_webhook == true {
+      firewall { '38080 open port 8080':
+        proto => 'tcp',
+        dport => '8080',
+        jump  => 'accept',
+      }
+    }
   }
 
   if $fqdn == $pt_db_fqdn {

manifests/params.pp

@@ -236,11 +236,14 @@ class puppet_cd::params (
   $pt_r10k_webhook_erb              = 'puppet_cd/r10k/webhook.py.erb'
   $pt_r10k_req_file                 = "${pt_r10k_webhook_dir}/requirements.txt"
   $pt_r10k_req_erb                  = 'puppet_cd/r10k/requirements.txt.erb'
+  $pt_r10k_wh_service_file          = '/etc/systemd/system/r10k-webhook.service'
+  $pt_r10k_wh_service_erb           = 'puppet_cd/r10k/r10k_webhook_service.erb'
 
 # service
   $pt_server_service                = 'puppetserver'
   $pt_agent_service                 = 'puppet'
   $pt_db_service                    = 'puppetdb'
+  $pt_r10k_wb_service               = 'r10k-webhook'
 
 #
   # includes must be last

manifests/r10k/webhook.pp

@@ -60,5 +60,36 @@ class puppet_cd::r10k::webhook (
       require => [Package[$pt_r10k_webhook_pkg],File[$pt_r10k_req_file]],
       unless  => 'pip3 show fastapi',  # Idempotent check
     }
+
+    # establish exec systemd reload
+    exec { 'systemctl_daemon_reload':
+      command     => 'systemctl daemon-reload',
+      path        => ['/bin', '/usr/bin'],
+      require     => Exec['pip_install_r10k_webhook'],
+      refreshonly => true,
+    }
+
+    # install systemd service file
+    file { $pt_r10k_wh_service_file:
+      ensure   => file,
+      owner    => 'root',
+      group    => 'root',
+      mode     => '0644',
+      selrange => s0,
+      selrole  => object_r,
+      seltype  => systemd_unit_file_t,
+      seluser  => system_u,
+      content  => template($pt_r10k_wh_service_erb),
+      require  => Exec['systemctl_daemon_reload'],
+      notify   => Exec['systemctl_daemon_reload'],
+    }
+
+    # manage service
+    service { 'r10k-webhook':
+      ensure    => 'running',
+      enable    => true,
+      require   => File[$pt_r10k_wh_service_file],
+      subscribe => File[$pt_r10k_webhook_file],
+    }
   }
 }

templates/r10k/r10k_webhook_service.erb

@@ -0,0 +1,19 @@
+[Unit]
+Description=r10k Webhook Server
+After=network.target haproxy.service
+
+[Service]
+Type=simple
+User=puppet
+Group=puppet
+WorkingDirectory=/opt/r10k-webhook
+ExecStart=/usr/bin/python3 /opt/r10k-webhook/webhook_server.py
+Restart=always
+RestartSec=5
+Environment=R10K_WEBHOOK_SECRET=YOUR_SECRET_HERE
+LimitNOFILE=65536
+StandardOutput=journal
+StandardError=journal
+
+[Install]
+WantedBy=multi-user.target