finish webhook sections - https://gitlab.confdroid.com/internal/confdroid_management/-/issues/284

2025-10-23 17:21:00 +02:00
parent b50be96b34
commit 7f44883afd
5 changed files with 61 additions and 0 deletions
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -17,6 +17,7 @@
        "pydantic",
        "pylint",
        "pytest",
+        "refreshonly",
        "repolist",
        "requestlogging",
        "springframework",
--- a/manifests/firewall/iptables.pp
+++ b/manifests/firewall/iptables.pp
@@ -17,6 +17,13 @@ class puppet_cd::firewall::iptables (
      dport => '8443',
      jump  => 'accept',
    }
+    if $pt_use_r10k_webhook == true {
+      firewall { '38080 open port 8080':
+        proto => 'tcp',
+        dport => '8080',
+        jump  => 'accept',
+      }
+    }
  }

  if $fqdn == $pt_db_fqdn {
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -236,11 +236,14 @@ class puppet_cd::params (
  $pt_r10k_webhook_erb              = 'puppet_cd/r10k/webhook.py.erb'
  $pt_r10k_req_file                 = "${pt_r10k_webhook_dir}/requirements.txt"
  $pt_r10k_req_erb                  = 'puppet_cd/r10k/requirements.txt.erb'
+  $pt_r10k_wh_service_file          = '/etc/systemd/system/r10k-webhook.service'
+  $pt_r10k_wh_service_erb           = 'puppet_cd/r10k/r10k_webhook_service.erb'

 # service
  $pt_server_service                = 'puppetserver'
  $pt_agent_service                 = 'puppet'
  $pt_db_service                    = 'puppetdb'
+  $pt_r10k_wb_service               = 'r10k-webhook'

 #
  # includes must be last
--- a/manifests/r10k/webhook.pp
+++ b/manifests/r10k/webhook.pp
@@ -60,5 +60,36 @@ class puppet_cd::r10k::webhook (
      require => [Package[$pt_r10k_webhook_pkg],File[$pt_r10k_req_file]],
      unless  => 'pip3 show fastapi',  # Idempotent check
    }
+
+    # establish exec systemd reload
+    exec { 'systemctl_daemon_reload':
+      command     => 'systemctl daemon-reload',
+      path        => ['/bin', '/usr/bin'],
+      require     => Exec['pip_install_r10k_webhook'],
+      refreshonly => true,
+    }
+
+    # install systemd service file
+    file { $pt_r10k_wh_service_file:
+      ensure   => file,
+      owner    => 'root',
+      group    => 'root',
+      mode     => '0644',
+      selrange => s0,
+      selrole  => object_r,
+      seltype  => systemd_unit_file_t,
+      seluser  => system_u,
+      content  => template($pt_r10k_wh_service_erb),
+      require  => Exec['systemctl_daemon_reload'],
+      notify   => Exec['systemctl_daemon_reload'],
+    }
+
+    # manage service
+    service { 'r10k-webhook':
+      ensure    => 'running',
+      enable    => true,
+      require   => File[$pt_r10k_wh_service_file],
+      subscribe => File[$pt_r10k_webhook_file],
+    }
  }
 }
--- a/templates/r10k/r10k_webhook_service.erb
+++ b/templates/r10k/r10k_webhook_service.erb
@@ -0,0 +1,19 @@
+[Unit]
+Description=r10k Webhook Server
+After=network.target haproxy.service
+
+[Service]
+Type=simple
+User=puppet
+Group=puppet
+WorkingDirectory=/opt/r10k-webhook
+ExecStart=/usr/bin/python3 /opt/r10k-webhook/webhook_server.py
+Restart=always
+RestartSec=5
+Environment=R10K_WEBHOOK_SECRET=YOUR_SECRET_HERE
+LimitNOFILE=65536
+StandardOutput=journal
+StandardError=journal
+
+[Install]
+WantedBy=multi-user.target