Managing Puppet code with a source control repository
Last couple of months I’ve been working closely with Puppet. I wrote some blogs about it, recorded a VMware vRA Expert Talk video and had two successful events in the Netherlands where I presented and demo’ed the Puppet Enterprise integration with VMware vRealize Automation. For the demo part, Kevin Reeuwijk and I created customPuppet code and stored it on the local code repository of the Puppet Master. Over time the code changed somewhat and because we were not using source control we had no history who made what changes to the code and also had no possibility for a rollback if something went horribly wrong. Luckily that was not the case, but now I know the best way to manage your Puppet code is to use a source control repository. This control repository is where code management stores code and data to deploy your environments.
Puppet Code management uses Git repository branches to create environments. Environments allow you to designate a node or node group to use a specific environment. As you update the code in your control repository, code management tracks the state of that repository to keep each environment updated.
This blog post will learn you how to setup Gitlab CE and configure Puppet Enterprise to use it as a control repository for your Puppet code.
Some items are assumed to be installed and are not part of this guide:
- A virtual machine running Puppet Enterprise.
- A CentOS7 virtual machine to be used for Gitlab Community Edition.
- A virtual machine (or Docker container) running the Git tools.
Step 1 – Setup Gitlab Community Edition
SSH into the CentOS7 machine and login with root. First install some dependencies.
yum -y install postfix systemctl start postfix systemctl enable postfix
yum -y install curl openssh-server cronie
Optional, stop the firewall and disable it.
systemctl stop firewalld systemctl disable firewalld
Then install the latest version of Gitlab CE.
curl https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce/script.rpm.sh |bash yum install gitlab-ce
Edit /etc/gitlab.rb with nano or vim to change the external URL.
Change it in external_url ‘http://x.x.x.x or FQDN’
Configure and start Gitlab with the following command:
gitlab-ctl reconfigure
Check the status of Gitlab with:
gitlab-ctl status
Step 2 – Create a Puppet control repository in Gitlab
- Browse to the Gitlab CE server page and login with an account that has permissions to create groups and projects.
- Create a new group called ‘puppet’.
- Create a new control-repo project in the puppet group.
Step 3 – Setup SSH keys for Puppet Code Manager and Gitlab
- Login to the Puppet Enterprise server and create a set of SSH keys:
ssh-keygen #follow the prompts and accept all the defaults (ensure NO passphrase is set)
- Make the SSH keys available to Code Manager:
mkdir /etc/puppetlabs/puppetserver/ssh cp /root/.ssh/id_rsa /etc/puppetlabs/puppetserver/ssh/id-control_repo.rsa chown pe-puppet:pe-puppet /etc/puppetlabs/puppetserver/ssh/id-control_repo.rsa
- Copy the SSH public key to your clipboard:
cat /root/.ssh/id_rsa.pub #copy the output to the clipboard
- Browse to the User Settings page in Gitlab for the account you used to create the control-repo project:
- Browse to the Gitlab CE server page and login with the same account used in Step 2.
- Click on the user’s avatar icon on the top right-hand side of the page and click ‘Settings’.
- Go to the ‘SSH Keys’ section.
- Paste the clipboard contents into the ‘Key’ field.
- Enter a description in the ‘Title’ field. For example ‘Name of your Puppet server‘.
- Click ‘Add key’.
- Check that you are now able to SSH from the Puppet Enterprise server into the Gitlab server with your SSH key:
ssh git@<fqdn of your gitlab server>
- This should provide output similar to the following:
Step 4 – Push Starter Content to the Gitlab Puppet control repository
- Login to the virtual machine with the git tools installed, or use the following command to install the git tools on a fresh virtual machine:
yum install –y git
- Setup a git working folder:
cd ~ mkdir code cd code git init git config --global user.name "Your Name" git config --global user.email your.email@address.com
- Clone the Puppet starter content and push it to your Gitlab server:
git clone https://github.com/puppetlabs/control-repo.git cd control-repo git remote remove origin git remote add origin http://<fqdn of your gitlab server>/puppet/control-repo.git git push -u origin production #provide the credentials to the gitlab server when prompted
- You should see output similar to the following:
- Browse to the Gitlab CE server page and login with the same account used in Step 2.
- Go to your Puppet control-repo, click on the + icon in the middle of the screen and select New branch to create an additional environment.
- Set the Branch name to: dev
- Select Create from production and click ‘Create Branch’.
Step 5 – Setup Puppet Code Manager
- Open the Puppet Enterprise webconsole (https://<fqdn of your puppet master>) and login with username ‘admin’.
- Browse to ‘Classification’ and click the + sign next to PE Infrastructure.
- Click on the ‘PE Master’ group, the click the ‘Configuration’ tab .
- Look for the section called ‘Class:puppet_enterprise::profile::master’.
- Click on the ‘Parameter name’ dropdown box and select ‘code_manager_auto_configure’. Set its value to: true Then click the ‘Add parameter’ button to lock in this parameter.
- Click on the ‘Parameter name’ dropdown box and select ‘r10k_private_key’. Set its value to: /etc/puppetlabs/puppetserver/ssh/id-control_repo.rsa Then click the ‘Add parameter’ button to lock in this parameter.
- Click on the ‘Parameter name’ dropdown box and select ‘r10k_remote’. Set its value to: git@<fqdn of your Gitlab server>:puppet/control-repo.git Then click the ‘Add parameter’ button to lock in this parameter.
- Finally, scroll down the page and click the button ‘Commit 3 changes’ to make the changes permanent.
- Now you just need to run the Puppet agent on the server to have Code Manager set itself up. For this, login to the Puppet Master shell and execute the following command:
puppet agent -t
- When Code Manager is setup for the first time, some Puppet Master services will be restarted, this is normal.
Step 6 – Sync the control repository to the Puppet Master server
- We first need to create an access token to allow Code Manager to push content to the Puppet master:
#this example uses facter to get the local FQDN puppet access login --service-url https://`facter fqdn`:4433/rbac-api --lifetime 5y
- Now let’s perform a dry run to ensure Code Manager is working correctly:
puppet code deploy --dry-run
- You should see output similar to the following:
- Next, let’s retrieve the actual access token so we can setup a webhook in Gitlab:
puppet access show && echo #the echo command is used to add a linefeed after the puppet access show command #copy the resulting output to the clipboard
- Next, browse to your control-repo project in Gitlab and go to the ‘Settings’ section.
- Click on the ‘Integrations’ section.
- Enter the following URL in the ‘URL’ field:
https://<fqdn of your master>:8170/code-manager/v1/webhook?type=gitlab&token=<paste access token here> - Clear the ‘Enable SSL verification’ button, as we are using a self-signed certificate.
- Click the ‘Add webhook’ button to add the webhook.
- Logout and log back in your Gitlab server with the root account.
- Click on ‘Configure Gitlab’.
- Under ‘Admin area’ go to the ‘Settings’ section and scroll all the way down to Outbound Requests. Make sure this option is enabled. Click the ‘Save’ button if you made any changes.
- Logout and log back in your Gitlab server with the account used in Step 2.
- Browse to your control-repo project in Gitlab and go to the ‘Settings’ section.
- Click on the ‘Integrations’ section.
- Next to the newly configured webhook, click the ‘Test’ button, then select ‘Push events’. You should get an HTTP 200 result to indicate success!
Step 7 – Manage the Puppetfile for additional modules
- You now have your control-repo setup and Code Manager configured. You’re ready to start configuring your Puppetfile with modules from the Puppet Forge! As an example, use the following procedure to setup your Puppetfile.
- Browse to your control-repo project on your Gitlab server. Select the Production branch.
- Click the Puppetfile and click ‘Edit’.
- Configure your Puppetfile as follows:
forge "https://forge.puppet.com" # Puppet modules from Forge mod "puppetlabs/inifile", '1.6.0' mod "puppetlabs/stdlib", '4.25.0' mod "puppetlabs/concat", '4.2.1' mod "puppetlabs/acl", '2.0.1' mod "puppetlabs/chocolatey", '3.0.0' mod "puppetlabs/dsc", '1.5.0' mod "puppetlabs/dsc_lite", '0.2.0' mod "puppetlabs/iis", '4.3.1' mod "puppetlabs/powershell", '2.1.4' mod "puppetlabs/reboot", '1.2.1' mod "puppetlabs/registry", '1.1.4' mod "puppetlabs/wsus_client", '1.0.3' mod "puppet/download_file", '2.1.0' mod "puppet/windows_env", '3.1.0' mod "puppet/windows_eventlog", '2.0.0' mod "puppet/windowsfeature", '3.2.0' mod "puppet/windows_firewall", '2.0.0' mod "puppet/dotnet", '2.0.0' mod 'puppetlabs/apache', '3.1.0' mod 'puppetlabs/mysql', '5.3.0' mod 'puppetlabs/translate', '1.1.0' mod 'puppetlabs/pe_puppetserver_gem', '0.0.1' mod 'puppet/staging', '3.2.0' mod 'puppet/hiera', '3.3.2' # Community modules from Forge mod 'liamjbennett-win_facts', '0.0.2' mod 'crayfishx/firewalld', '3.4.0' mod 'reidmv/unzip', '0.1.2' mod 'stahnma/epel', '1.3.0' mod 'herculesteam/augeasproviders_core', '2.1.4' mod 'herculesteam/augeasproviders_ssh', '2.5.3' mod 'hunner/wordpress', '1.0.0' # Modules from Gitlab mod 'control-repo', :git => 'git@<FQDN of your Gitlab server>:puppet/control-repo.git', :branch => 'production' # Modules from Github mod 'autosign_example', :git => 'https://github.com/puppetlabs/puppet-vro-autosign_example' mod 'vro_plugin_user', :git => 'https://github.com/puppetlabs/puppet-vro-vro_plugin_user' mod 'vro_plugin_sshd', :git => 'https://github.com/puppetlabs/puppet-vro-vro_plugin_sshd'
*ensure you change the FQDN of the Gitlab server in the example to your actual FQDN!
- Click ‘Commit changes’, this will kick off a code deployment to the Puppet Master and get the modules installed. You can view the progress of the deployment on the Puppet Master with this command:
tail -f /var/log/puppetlabs/puppetserver/puppetserver.log
- Finally, to confirm the modules have been deployed, run this command:
puppet module list --modulepath /etc/puppetlabs/code/environments/production/modules
- You should see output similar to the following:
- Repeat the steps above for the ‘Dev‘ branch and off course you can use other modules in the Dev environment if you want.
That’s it! You are now ready to define profiles and roles in the /site section of your control-repo and store your Puppet code. Happy puppetizing!
Special thanks to Kevin Reeuwijk of Puppet who wrote the majority of this guide.
Related Posts
2 Comments
Leave a Reply Cancel reply
You must be logged in to post a comment.
Kevin is the man!
I get so far as the Step 6 dry-run commands which end in failure – any ideas why this if failing? My gitlab group is OPS and not puppet as in your lab – hence the git url difference.
Errors while collecting a list of environments to deploy (exit code: 1).
ERROR -> Unable to determine current branches for Git source ‘puppet’ (/etc/puppetlabs/code-staging/environments)
Original exception:
Failed to authenticate SSH session: Waiting for USERAUTH response at /opt/puppetlabs/server/data/code-manager/git/git@gitlab-ops-control_repo.git