Merge pull request 'neoloc/rundeck' (#121) from neoloc/rundeck into develop

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/121

Puppetfile

@@ -39,6 +39,7 @@ mod 'puppet-network', '2.2.0'
 mod 'puppet-kmod', '4.0.1'
 mod 'puppet-filemapper', '4.0.0'
 mod 'puppet-letsencrypt', '11.0.0'
+mod 'puppet-rundeck', '9.1.0'
 
 # other
 mod 'ghoneycutt-puppet', '3.3.0'

hieradata/country/au/region/syd1/infra/sql/galera.eyaml

@@ -1,2 +1,3 @@
 ---
 mysql::db::grafana::pass: ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAozi1vFf9KfwsGSdxXvhOWRn9Vqbr9AZ+cVJuIOmmLVZMRP4AJkkNgCCly+o1pxtMiU8EISUQuBWCBHUi+u2Y1YAjIABzTa2K+PCU7qqkdrJaxvKqmmKS7C/CWFKp1stYvYIvIofyvl9Q854nMcpvxQKL0PBGh3rIaUHHV3L0PH1UDLqL5j6OPXaNvKL4UzwMDDIVAd7F5yMbtSx2PT23pBLbPYsbG1jRx7pUS/d1ZE9E8h3OA2jxW/CBf68Sb2Xlrh7IAB/6RiLLpIsUyRMv9zrbPrMuKg/q5lzO0i9fejh5z3Z3YkdnhH61doUT/RSjAjz3JrWDGxomOSK0y8TxjjBMBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCg1kVqFs/mf4r+6EI32b8qgCBm6cL3JhVzj3Btit9D8VYU8mQcrIaXJZ3qF31zJMzCkw==]
+mysql::db::rundeck::pass: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAcWmZuTro0DNX8X/6DCJdmxm85hawng2cjSm/M26/sAzlr7i3XLIjg5TQc3BpeiKWZvQ2XZWygOEcW7g0bHH7FBS6XTXswDiLCf7ssd0DYL+eQbh4p6VijBKObug33fp4+YJaqGV7YRUNqBjXQv/SSmxFqbNaRahUqwbMidJCyjGNmfCfbSd9WxI4/8j0L38rjXR3/i+/xzgVIhgz/qymmw0rky6jN14YrwRIkdW6loMFzVd12tqdX9kh7UBdE7j58ntQgJSilQn2pLmQs6dgcXSOeIi8Sln4R0MfAtOQ1c6LoKMUdb7k8xEszpGbhX7sw51kpwvnL1LS6PQ+T8T9wDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDm1sAUc6LFtslrIuwk1JlJgDAngDM/0g4dpgyNOZDsvAU8OualEL6HZ2RFGfibteUc11wZzHkdFZlvHz2JZdO7Huo=]

hieradata/country/au/region/syd1/infra/sql/galera.yaml

@@ -13,3 +13,12 @@ mysql::db:
       - INSERT
       - UPDATE
       - DELETE
+  rundeck:
+    name: rundeck
+    user: rundeck
+    password: "%{alias('mysql::db::rundeck::pass')}"
+    grant:
+      - SELECT
+      - INSERT
+      - UPDATE
+      - DELETE

hieradata/roles/infra/auth/glauth.yaml

@@ -59,6 +59,8 @@ glauth::users:
       - 20014
       - 20015
       - 20016
+      - 20017
+      - 20018
     loginshell: '/bin/bash'
     homedir: '/home/benvin'
     passsha256: 'd2434f6b4764ef75d5b7b96a876a32deedbd6aa726a109c3f32e823ca66f604a'
@@ -134,6 +136,12 @@ glauth::services:
     othergroups:
       - 20016
     passsha256: '7af7e12fdc56e9050d16c167f4e34091ad3cf938283e13451b35f9b3d212bfa2'
+  svc_rundeck:
+    service_name: 'svc_rundeck'
+    mail: 'rundeck@service.main.unkin.net'
+    uidnumber: 30007
+    primarygroup: 20001
+    passsha256: 'b27786b22c5938d24ffc9be049de366b055c9f054bf38fb73bbd6fba9e1bd525'
 
 glauth::groups:
   users:
@@ -163,3 +171,21 @@ glauth::groups:
   nzbget_access:
     group_name: 'nzbget_access'
     gidnumber: 20016
+  rundeck_access:
+    group_name: 'rundeck_access'
+    gidnumber: 20017
+  rundeck_globaladmin:
+    group_name: 'rundeck_globaladmin'
+    gidnumber: 20018
+  rundeck_selfservice_admin:
+    group_name: 'rundeck_selfservice_admin'
+    gidnumber: 20019
+  rundeck_selfservice_user:
+    group_name: 'rundeck_selfservice_user'
+    gidnumber: 20020
+  rundeck_infrastructure_admin:
+    group_name: 'rundeck_infrastructure_admin'
+    gidnumber: 20021
+  rundeck_infrastructure_user:
+    group_name: 'rundeck_infrastructure_user'
+    gidnumber: 20022

hieradata/roles/infra/automation/rundeck.eyaml

@@ -0,0 +1,5 @@
+---
+vault::roleid: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAJWBYeIT3nEfQCND1lqynQrfRufycLzSlvey/qToKzOWNhD2T3yREP01Jo2wQXKSbG98IsuqVuarVn8hepL55e317Q7ZLxcfvGkXpe25vqNm/nkGhjzaAKBp78NGoTvvNEdNnDd+ZUr/HjytubvNtvSb9xf4kMVWt/LnsWXkT+IfbEABHpdnh+mjG8tcsCYbhmG+k8CBjOumfyb+yORk/unypkRK47guVjmJ2ATck43DPgT4ZAKKEMbj3ExSB2i1wSZgFg0UGciyz2Rz/QZPYVPp37uBJmXW4a4ioZ5siPqGhnHdeGlPP6FH2VufngunTXT7TiCPt7BaczNnjpmHD0jBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBA8MSKsB4MSJXTosMYWvJSWgDD6sGq3p375Q/oLuqYVxdbGVhQTuKK+V/Y7sCYQwur393Uq2OuGuVSlqikauPSlzs0=]
+mysql::db::rundeck::pass: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAcWmZuTro0DNX8X/6DCJdmxm85hawng2cjSm/M26/sAzlr7i3XLIjg5TQc3BpeiKWZvQ2XZWygOEcW7g0bHH7FBS6XTXswDiLCf7ssd0DYL+eQbh4p6VijBKObug33fp4+YJaqGV7YRUNqBjXQv/SSmxFqbNaRahUqwbMidJCyjGNmfCfbSd9WxI4/8j0L38rjXR3/i+/xzgVIhgz/qymmw0rky6jN14YrwRIkdW6loMFzVd12tqdX9kh7UBdE7j58ntQgJSilQn2pLmQs6dgcXSOeIi8Sln4R0MfAtOQ1c6LoKMUdb7k8xEszpGbhX7sw51kpwvnL1LS6PQ+T8T9wDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDm1sAUc6LFtslrIuwk1JlJgDAngDM/0g4dpgyNOZDsvAU8OualEL6HZ2RFGfibteUc11wZzHkdFZlvHz2JZdO7Huo=]
+ldap_bindpass: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAiE2zFn7rxZ4/oTX4JcuukoiC9Eno0GnsQLuVQCZscQNp+Bsi8QCA5SqiHmnMc0inhWPMlifze/0gBxopedMa+hR483tkOEaRqRNnOxehgmg8EWCAYgDwEoSwnoJZSHEI0NDugsO64R4AbqsDmh8iSaeFPdjplr0qhr4cx38xPaSf4B+jgABWaJ1JSoAcGtVlZbLljXzQXbzQNL9FjBWs6F8c/47BBmsImwy06d0OMNGsRvIndoRXBxrQAtQB1J5aIukeMmn6JbBRLGvGQfxRVywkHLrIM9UJYkgMif/1KkoWqg8ApKJFY6x7v+hgo//sVKf4aQ6nF7kov5v8y4VMDjBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBD6aDrZ76FYm/uLSsSknZeHgDA+G7Hf5BEK/x089V3/XKn82KLnCMdycU1FnDCUXJ5s0HhyjOzKA/vms4vWX4ssnec=]
+rundeck_admin_pass: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAKiifIR1lY5tD9p5FHwGkc8pOEQ3ZQhZZ/y50gr+jrlUq6I2Jmt+S72eo92eyN/Ej8y9ED5jIfqybs3qmy6p7Ln+6KK7z5+nICZGKhm7/02jmx9qRcfnOH/nm+i+qyugyHFD/xGvjnQkU8FGWK6qMBppNISWGLp8QhuhcYrHjv5ziaP+/Y/+iTlWcqGmIGVNVpRHFov0nXnVuqaAYhkZyFzMX0uBKgNikn3xhXT5mEO7thiqZjMmrTE7xotW39+t8pwcFQT0xAU97v7hVGwO7L9aS+lrCNX+Ex2HZUMC6XbHu6htQhlpOSK7d0mE8IVFpLJZ3Nff1ojV33Xbb+uFxEzBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDZZ3+/SYor8LZYUX1h9Re1gDCnCli5nSNOIsLmczbqqIGI92JtCCmqggDyaDZ2VdOeKtgYDXaND+0u3d4ikxrW1tg=]

hieradata/roles/infra/automation/rundeck.yaml

@@ -0,0 +1,202 @@
+---
+hiera_include:
+  - profiles::rundeck::server
+  - profiles::nginx::simpleproxy
+
+profiles::packages::exclude:
+  - jq
+
+profiles::ssh::sign::principals:
+  - rundeck.main.unkin.net
+  - rundeck.service.consul
+  - rundeck.query.consul
+
+# manage a simple nginx reverse proxy
+profiles::nginx::simpleproxy::nginx_vhost: 'rundeck.query.consul'
+profiles::nginx::simpleproxy::nginx_aliases:
+  - rundeck.main.unkin.net
+  - rundeck.service.consul
+  - rundeck.query.consul
+  - "rundeck.service.%{facts.country}-%{facts.region}.consul"
+
+profiles::nginx::simpleproxy::proxy_port: 4440
+profiles::nginx::simpleproxy::proxy_path: '/'
+nginx::client_max_body_size: 20M
+# additional altnames
+profiles::pki::vault::alt_names:
+  - rundeck.main.unkin.net
+  - rundeck.service.consul
+  - rundeck.query.consul
+  - "rundeck.service.%{facts.country}-%{facts.region}.consul"
+
+# configure consul service
+consul::services:
+  rundeck:
+    service_name: 'rundeck'
+    tags:
+      - 'automation'
+      - 'rundeck'
+    address: "%{facts.networking.ip}"
+    port: 443
+    checks:
+      - id: 'glauth_http_check'
+        name: 'glauth HTTP Check'
+        http: "http://%{facts.networking.fqdn}:4440"
+        method: 'GET'
+        tls_skip_verify: true
+        interval: '10s'
+        timeout: '1s'
+profiles::consul::client::node_rules:
+  - resource: service
+    segment: rundeck
+    disposition: write
+
+profiles::rundeck::server::mysql_backend: true
+profiles::rundeck::server::mysql_host: mariadb-prod.service.au-syd1.consul
+profiles::rundeck::server::grails_server_url: https://rundeck.service.consul
+profiles::rundeck::server::auth_config:
+  file:
+    auth_flag: 'sufficient'
+    jaas_config:
+      file: '/etc/rundeck/realm.properties'
+    realm_config:
+      admin_user: 'admin'
+      admin_password: "%{hiera('rundeck_admin_pass')}"
+  ldap:
+    jaas_config:
+      debug: 'true'
+      providerUrl: 'ldap://ldap.service.consul:389'
+      bindDn: 'cn=svc_rundeck,ou=services,ou=users,dc=main,dc=unkin,dc=net'
+      bindPassword: "%{hiera('ldap_bindpass')}"
+      authenticationMethod: 'simple'
+      forceBindingLogin: 'true'
+      userBaseDn: 'ou=people,ou=users,dc=main,dc=unkin,dc=net'
+      userRdnAttribute: 'uid'
+      userIdAttribute: 'uid'
+      userPasswordAttribute: 'userPassword'
+      userObjectClass: 'posixAccount'
+      roleBaseDn: 'ou=groups,dc=main,dc=unkin,dc=net'
+      roleNameAttribute: 'uid'
+      roleMemberAttribute: 'uniqueMember'
+      roleObjectClass: 'groupOfUniqueNames'
+      nestedGroups: 'true'
+
+profiles::rundeck::server::key_storage_config:
+  - type: 'db'
+    path: 'keys'
+  - type: 'vault-storage'
+    path: 'vault'
+    config:
+      prefix: 'rundeck'
+      address: https://vault.query.consul:8200
+      storageBehaviour: 'vault'
+      secretBackend: rundeck
+      engineVersion: '2'
+      authBackend: approle
+      approleAuthMount: approle
+      approleId: "%{hiera('vault::roleid')}"
+
+profiles::rundeck::server::cli_projects:
+  Self-Service:
+    update_method: 'set'
+    config:
+      project.description: 'self-service tasks'
+      project.disable.executions: 'false'
+  Infrastructure:
+    config:
+      project.description: 'infrastructure management'
+      project.disable.schedule: 'false'
+
+profiles::rundeck::server::acl_policies:
+  global_admin_policy:
+    acl_policies:
+      - description: 'Global Admin, all access'
+        context:
+          application: "rundeck"
+        for:
+          project:
+            - allow: '*'
+          resource:
+            - allow: '*'
+          storage:
+            - allow: '*'
+        by:
+          - group: ['rundeck_globaladmin']
+      - description: 'Global Admin, all access'
+        context:
+          project: '.*'
+        for:
+          resource:
+            - allow: '*'
+          adhoc:
+            - allow: '*'
+          job:
+            - allow: '*'
+          node:
+            - allow: '*'
+        by:
+          - group: ['rundeck_globaladmin']
+  selfservice_admin_policy:
+    acl_policies:
+      - description: 'Admin, all access for Self-Service project'
+        context:
+          project: 'Self-Service'
+        for:
+          resource:
+            - allow: '*'
+          adhoc:
+            - allow: '*'
+          job:
+            - allow: '*'
+          node:
+            - allow: '*'
+        by:
+          - group: ['rundeck_selfserice_admin']
+  selfservice_user_policy:
+    acl_policies:
+      - description: 'Users can execute tasks but not edit for Self-Service project'
+        context:
+          project: 'Self-Service'
+        for:
+          resource:
+            - allow: ['read']
+          adhoc:
+            - allow: ['run']
+          job:
+            - allow: ['read', 'run']
+          node:
+            - allow: ['read', 'run']
+        by:
+          - group: ['rundeck_selfserice_user']
+  infrastructure_admin_policy:
+    acl_policies:
+      - description: 'Admin, all access for Infrastructure project'
+        context:
+          project: 'Infrastructure'
+        for:
+          resource:
+            - allow: '*'
+          adhoc:
+            - allow: '*'
+          job:
+            - allow: '*'
+          node:
+            - allow: '*'
+        by:
+          - group: ['rundeck_infrastructure_admin']
+  infrastructure_user_policy:
+    acl_policies:
+      - description: 'Users can execute tasks but not edit for Infrastructure project'
+        context:
+          project: 'Infrastructure'
+        for:
+          resource:
+            - allow: ['read']
+          adhoc:
+            - allow: ['run']
+          job:
+            - allow: ['read', 'run']
+          node:
+            - allow: ['read', 'run']
+        by:
+          - group: ['rundeck_infrastructure_user']

site/profiles/manifests/rundeck/server.pp

@@ -0,0 +1,89 @@
+# profiles::rundeck::server
+class profiles::rundeck::server (
+  Struct[{
+    Optional['file'] => Hash[String, Any],
+    Optional['ldap'] => Hash[String, Any],
+    Optional['pam']  => Hash[String, Any]
+  }] $auth_config = {},
+  Array[Hash] $key_storage_config = [],
+  Hash      $acl_policies   = {},
+  Hash      $cli_projects   = {},
+  String    $cli_user       = 'admin',
+  String    $cli_password   = lookup('rundeck_admin_pass'),
+  Boolean   $mysql_backend  = true,
+  String    $mysql_user     = 'rundeck',
+  String    $mysql_name     = 'rundeck',
+  String    $mysql_pass     = fqdn_rand_string(16),
+  Stdlib::Host $mysql_host  = '127.0.0.1',
+  Stdlib::Port $mysql_port  = 3306,
+  Stdlib::Absolutepath $extra_libs_dir = '/var/lib/rundeck/lib',
+  Stdlib::Absolutepath $jdbc_driver_dest = "${extra_libs_dir}/mariadb-java-client-3.4.1.jar",
+  Stdlib::HTTPSUrl $jdbc_driver_url = 'https://dlm.mariadb.com/3852266/Connectors/java/connector-java-3.4.1/mariadb-java-client-3.4.1.jar',
+  Stdlib::HTTPSUrl $grails_server_url = "https://${facts['networking']['fqdn']}:4440",
+  String $jvm_args = '-Xmx1024m -Xms256m -server -Drundeck.jetty.connector.forwarded=true',
+){
+
+  # when using mysql backend
+  if $mysql_backend {
+
+    # export a mariadb user
+    @@mysql_user { "${mysql_user}@${facts['networking']['fqdn']}":
+      ensure        => present,
+      password_hash => mysql::password($mysql_pass),
+      tag           => $facts['region'],
+    }
+
+    # export a mariadb permission
+    @@mysql_grant { "${mysql_user}@${facts['networking']['fqdn']}/${mysql_name}.*":
+      ensure     => present,
+      table      => "${mysql_name}.*",
+      user       => "${mysql_user}@${facts['networking']['fqdn']}",
+      privileges => ['ALL'],
+      tag        => $facts['region'],
+    }
+
+    # create the missing /var/lib/rundeck/lib directory
+    mkdir::p {$extra_libs_dir:}
+    file {$extra_libs_dir:
+      ensure  => directory,
+      owner   => 'rundeck',
+      group   => 'rundeck',
+      mode    => '0755',
+      require => Package['rundeck'],
+      before  => Service['rundeckd'],
+    }
+
+    # download the jdbc driver, place in /var/lib/rundeck/lib
+    archive { $jdbc_driver_dest:
+      ensure  => present,
+      source  => $jdbc_driver_url,
+      extract => false,
+      user    => 'rundeck',
+      group   => 'rundeck',
+      require => File[$extra_libs_dir],
+      before  => Service['rundeckd'],
+    }
+
+    $database_config = {
+      'url'             => "jdbc:mysql://${mysql_host}:${mysql_port}/${mysql_name}",
+      'username'        => $mysql_user,
+      'password'        => $mysql_pass,
+      'driverClassName' => 'org.mariadb.jdbc.Driver',
+    }
+  }else{
+    $database_config = {}
+  }
+
+  class { 'rundeck':
+    grails_server_url  => $grails_server_url,
+    auth_config        => $auth_config,
+    key_storage_config => $key_storage_config,
+    database_config    => $database_config,
+    cli_user           => $cli_user,
+    cli_password       => $cli_password,
+    jvm_args           => $jvm_args,
+  }
+
+  create_resources('rundeck::config::aclpolicyfile', $acl_policies)
+  create_resources('rundeck::config::project', $cli_projects)
+}

site/roles/manifests/infra/automation/rundeck.pp

@@ -0,0 +1,10 @@
+# a role to deploy rundeck
+class roles::infra::automation::rundeck {
+  if $facts['firstrun'] {
+    include profiles::defaults
+    include profiles::firstrun::init
+  }else{
+    include profiles::defaults
+    include profiles::base
+  }
+}