@acidprime
Last active September 23, 2016 22:09
#!/opt/puppetlabs/puppet/bin/ruby
require 'rugged'
require 'octokit'
require 'yaml'
# needs refactoring for code manager
# https://github.com/puppetlabs/control-repo/blob/production/scripts/code_manager_config_version.rb
environmentpath = ARGV[0]
environment = ARGV[1]
config = YAML.load_file('/etc/config_version.yaml')
client = Octokit::Client.new(:access_token => config['api_key'])
repo = Rugged::Repository.discover(File.join(environmentpath, environment))
# sha1 hash of the newest commit in environment
head_sha = repo.head.target_id
# Look up the commit via the GitHub API; the preview media type is what makes
# the response carry the verification object
commit = client.commit(config['repo'], head_sha,
                       :accept => 'application/vnd.github.cryptographer-preview')
# Get the commit message from GitHub or fall back to the message off disk
# (repo.lookup returns a Rugged::Commit, so take its message, not the object)
message = commit[:commit][:message] || repo.lookup(head_sha).message
# GitHub sets verified only when the signature checks out against a GPG key
# attached to a GitHub account; anything else gets the open-lock badge
if commit[:commit][:verification][:verified]
  badge = "🔏"
else
  badge = "🔓"
end
puts "%s [%s](%s)" % [badge, message, commit[:html_url]]
acidprime commented Jun 2, 2016

Overview

I have been playing around with GPG signing commits and passing that along to Puppet. I have some more interesting thoughts on blocking commits that are not signed for the future. In the present, here is a simple config version script to show you whether the Puppet code you are applying is verified according to GitHub's new GPG key features.

Install Prerequisites

Install required gems

  # rugged ships with PE 3.8 and higher
  package {'octokit':
    ensure   => 'present',
    provider => 'puppet_gem',
  }

Generate Github API token

Follow these steps to create a GitHub API token with the following privs:

[screenshot: token scopes, 2016-06-02 2:31 pm]

While you are there, upload your GPG key to GitHub so it knows your identity (extra credit if you use a YubiKey).

  # Use eyaml to encrypt the key in the repository code
  $gpg_verification_api_key = hiera('gpg_verification_api_key')

  file {'/etc/config_version.yaml':
    ensure  => 'file',
    owner   => 'root',
    group   => '0',
    # the file holds an API token, so keep it readable by root only
    mode    => '0600',
    content => inline_template('<%= { "repo" => "acidprime/puppet", "api_key" => @gpg_verification_api_key }.to_yaml %>'),
  }

The resultant file should be created on all masters (not agents) via the code example above.

cat /etc/config_version.yaml
---
repo: 'acidprime/puppet'
api_key: '123456781563725316578361253571285'

Test

Read up on signing commits

You can view these in the new GitHub UI:

[screenshot: commit list with Verified badges, 2016-06-02 2:51 pm]

Download the gist above and test the script

git commit --allow-empty -S -m 'Verified commit'
# git push origin production
./config_version.rb /etc/puppetlabs/code/environments production

[screenshot: script output for the verified commit, 2016-06-02 2:11 pm]

git commit --allow-empty -m 'Unverified Commit'
# git push origin production
[root@puppet ~]# ./config_version.rb /etc/puppetlabs/code/environments production

[screenshot: script output for the unverified commit, 2016-06-02 2:11 pm]

Deploy

Once tested, add the script to your control-repo and add the following to environment.conf in the root of your control-repo:
https://github.com/puppetlabs/control-repo/blob/production/environment.conf#L2

config_version      = 'scripts/config_version.rb $environmentpath $environment'
...
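The gist's script turns GitHub's verification object into one of two badges. The example below is added here and is not part of the gist or of the control-repo; it shows, offline, how that object maps onto a config_version string, and it separates the cases the two-badge version folds together: an unsigned commit, a signature GitHub could not match to a key on any account (reason `unknown_key`), a payload without a `reason`, and an API failure where only the on-disk commit message is available. The `fetch_commit` function is a hypothetical stand-in for the `client.commit(...)` call, the repository `example/puppet`, the SHAs and the messages are constructed sample data, and the API failure is simulated with an `IOError`.

```ruby
#!/usr/bin/env ruby
# Added example: how GitHub's verification object for a commit maps onto a
# config_version string. It covers the cases the gist's script collapses into
# one open lock: an unsigned commit, a signature GitHub could not match to a
# known key, and an API failure where only the on-disk message is available.
require 'json'

BADGE_VERIFIED   = "\u{1F50F}" # locked with pen, as in the gist
BADGE_UNVERIFIED = "\u{1F513}" # open lock, as in the gist

# Constructed sample responses shaped like the "get a commit" payload, limited
# to the fields used here. Repository, SHAs and messages are made up.
SAMPLE_RESPONSES = {
  'a' * 40 => {
    'html_url' => "https://github.com/example/puppet/commit/#{'a' * 40}",
    'commit' => {
      'message' => "Verified commit\n\nSigned with a key attached to a GitHub account.",
      'verification' => { 'verified' => true, 'reason' => 'valid' }
    }
  },
  'b' * 40 => {
    'html_url' => "https://github.com/example/puppet/commit/#{'b' * 40}",
    'commit' => {
      'message' => 'Unverified commit',
      'verification' => { 'verified' => false, 'reason' => 'unsigned' }
    }
  },
  'c' * 40 => {
    'html_url' => "https://github.com/example/puppet/commit/#{'c' * 40}",
    'commit' => {
      'message' => 'Signed with a key GitHub does not know',
      'verification' => { 'verified' => false, 'reason' => 'unknown_key' }
    }
  }
}

# Hypothetical stand-in for client.commit(...) in the gist: returns a hash with
# symbol keys like the Octokit resource, and fails like a network error for any
# SHA that is not in the constructed samples.
def fetch_commit(sha)
  raw = SAMPLE_RESPONSES.fetch(sha) { raise IOError, "GitHub API unreachable for #{sha}" }
  JSON.parse(JSON.generate(raw), symbolize_names: true)
end

# Only a signature GitHub checked against a key on a GitHub account counts.
# Both fields are required, so a payload missing "reason" is not trusted.
def verified?(verification)
  verification[:verified] == true && verification[:reason] == 'valid'
end

# Build the config_version string. Puppet stores config_version as one string,
# so only the subject line of the commit message is used.
def config_version_line(sha, disk_message)
  begin
    commit = fetch_commit(sha)
  rescue IOError => e
    # No API answer: report what is on disk and never claim it is verified.
    subject = disk_message.lines.first.to_s.chomp
    return format('%s %s (api_error: %s)', BADGE_UNVERIFIED, subject, e.message)
  end
  verification = commit.fetch(:commit).fetch(:verification, {})
  badge = verified?(verification) ? BADGE_VERIFIED : BADGE_UNVERIFIED
  message = commit[:commit][:message] || disk_message
  subject = message.lines.first.to_s.chomp
  reason = verification[:reason] || 'unknown'
  format('%s [%s](%s) (%s)', badge, subject, commit[:html_url], reason)
end

if __FILE__ == $0
  ['a' * 40, 'b' * 40, 'c' * 40, 'd' * 40].each do |sha|
    puts config_version_line(sha, "Only on disk\n\nbody text")
  end
end
```

The reason code is carried into the output because it is what you act on once you start blocking: `unsigned` and `unknown_key` need different fixes. Note that GitHub's `verified` flag only says the key is attached to a GitHub account whose email matches the committer, not that the account is one you allow to ship Puppet code, so a blocking policy still needs its own list of acceptable signers.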
