@op-ct
Last active July 28, 2022 02:02
Manually register r10k GitLab runner with custom CA certs
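# site-modules/profile/manifests/r10k.pp
#
# Lays down the r10k configuration directory and r10k.yaml on the Puppet
# server.  This class does not use `$ssh_deploy_key_name` itself; it exists
# so other classes can read it fully qualified as
# `$profile::r10k::ssh_deploy_key_name`.
#
# @param ssh_deploy_key_name
#   File name of the SSH deploy key under /etc/puppetlabs/r10k
#   (defaults to `id_rsa.simp-deploy.<hostname>`).
class profile::r10k (
  String $ssh_deploy_key_name = "id_rsa.simp-deploy.${facts['networking']['hostname']}",
) {
  # r10k.yaml and the deploy key hold repository credentials; keep the whole
  # tree readable by root only.
  file { '/etc/puppetlabs/r10k':
    ensure => 'directory',
    owner  => 'root',
    group  => 'root',
    mode   => '0700',
  }

  # TODO: r10k.yaml is a static file; it should become a template so the
  # deploy-key path and control-repo URL are not hard-coded in the file.
  file { '/etc/puppetlabs/r10k/r10k.yaml':
    ensure => 'file',
    source => "puppet:///modules/${module_name}/r10k/r10k.yaml",
    owner  => 'root',
    group  => 'root',
    # plain data file: root-only, no execute bit (the original used '0700')
    mode   => '0600',
  }
}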
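# site-modules/profile/files/r10k/r10k.yaml
# TODO: make this a template; should use variable info
# NOTE(review): "/car/simp/cache/r10k" looks like a typo for
#   /var/simp/cache/r10k (the other SIMP paths on this server live under
#   /var/simp) -- confirm before relying on it.
---
cachedir: /car/simp/cache/r10k
git:
  provider: shellgit
  # deploy key used for Puppetfile modules with SSH git urls
  private_key: /etc/puppetlabs/r10k/id_rsa.simp-deploy.TODO_TEMPLATE_THIS
sources:
  main:
    remote: TODO_TEMPLATE_THIS # control repo url
    basedir: /etc/puppetlabs/code/environments
    # NOTE(review): r10k documents private_key under `git` (and per entry in
    #   git.repositories); whether a per-source private_key is honoured
    #   should be confirmed against the r10k version in use.
    private_key: /etc/puppetlabs/r10k/id_rsa.simp-deploy.TODO_TEMPLATE_THIS
deploy:
  generate_types: true
  purge_levels:
    # - deployment # <-- removes environments not found in remote repo
    - puppetfile   # <-- removes unmanaged files under module directories
    - environment  # <-- removes unmanaged files under target environment directory
  pool_size: 10 # number of threads to clone modules in parallel
# Runs once after each deploy with the list of changed environments; the
# script links the SIMP secondary/writable environment dirs for each.
postrun:
  ['/usr/local/sbin/safe_r10k_post_deploy.sh', '$modifiedenvs']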
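# Registers this Puppet server as a GitLab runner for r10k deploys, trusting
# the site CA bundle for both the runner's own HTTPS traffic and git's.
# Expects GITLAB_COORDINATOR_URL and TOKEN (the runner registration token) to
# already be set in the environment; keep TOKEN there rather than typing it
# on the command line so it does not end up in shell history.
gitlab-runner register \
  --tls-ca-file /etc/pki/simp/x509/cacerts/cacerts.pem \
  --url "$GITLAB_COORDINATOR_URL" \
  --registration-token "$TOKEN" \
  --tag-list "r10k,puppet-deploy-$(hostname -f)" \
  --name "SIMP Puppet Server r10k ($(hostname -f))" \
  --executor shell \
  --non-interactive \
  --env=GIT_SSL_CAINFO=/etc/pki/simp/x509/cacerts/cacerts.pem
# `--tls-ca-file` sets CA trust for the runner's HTTPS comms to GitLab
# `--env=GIT_SSL_CAINFO=` sets CA trust of git for when the runner pulls
#   down each job's code or runs r10k on Puppetfiles with HTTPS urls
# `--tag-list` includes a unique tag for the Puppet server, as a hook to deploy to all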

PUSH gitlab_inventory UPDATES!

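# site-modules/profile/manifests/r10k/runner_deploy.pp
#
# Lets the local `gitlab-runner` service account trigger an r10k deploy via
# sudo.  The grant is limited to one wrapper script run as root:puppet, but a
# sudoers command without an argument list accepts any arguments, so the
# wrapper itself must validate what it is given.
class profile::r10k::runner_deploy () {
  # pam_access: permit the gitlab-runner user from local origins
  # (the original was missing the ':' after the resource title)
  pam::access::rule { 'Allows gitlab-runner user to run sudo':
    users   => ['gitlab-runner'],
    origins => ['LOCAL'],
  }

  # passwordless sudo, restricted to the r10k deploy wrapper
  sudo::user_specification { 'Allow gitlab-runner to deploy r10k':
    user_list => ['gitlab-runner'],
    runas     => ['root:puppet'],
    cmnd      => ['/usr/local/sbin/safe_r10k_deploy.sh'],
    passwd    => false,
  }

  # the runner has no controlling tty when it invokes sudo
  sudo::default_entry { 'user_no_tty':
    def_type => 'user',
    content  => ['gitlab-runner !requiretty'],
  }
}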
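#!/bin/bash
# site-modules/profile/files/r10k/safe_r10k_deploy.sh
#
# sudo wrapper for `r10k deploy environment`.  It is the only command the
# gitlab-runner account may run as root:puppet (see
# profile::r10k::runner_deploy), and sudoers does not constrain its
# arguments, so every argument is validated here before it is placed on a
# shell command line.
#
# Usage: safe_r10k_deploy.sh [ENV_NAME ...]
#   ENV_NAME  Puppet environment(s) to deploy; none = all environments.
#             Only [A-Za-z0-9_] is accepted (the Puppet environment-name
#             character set), which also excludes shell metacharacters.
#
# Environment:
#   R10K_LOG_LEVEL  r10k verbosity (default: notice).  sudo's env_reset
#                   strips it unless env_keep allows it through.
#
# Exit status: that of r10k (the original returned chcon's status instead,
# so a failed deploy looked successful to the caller).

export PATH="/opt/puppetlabs/bin:/opt/puppetlabs/puppet/bin:$PATH"
export GEM_PATH="/usr/share/simp/ruby/simp-r10k:$GEM_PATH"

PUPPET_ENV_DIR=/etc/puppetlabs/code/environments
# The original read the misspelled variable R10k_LOG_LEVEL, so the
# documented override never took effect; accept both spellings.
R10K_LOG_LEVEL="${R10K_LOG_LEVEL:-${R10k_LOG_LEVEL:-notice}}"

# Refuse anything that is not a plain environment name: the arguments are
# interpolated into the command string handed to `sg ... -c` below and
# would otherwise be interpreted by that shell with root privileges.
for env_name in "$@"; do
  if [[ ! "$env_name" =~ ^[A-Za-z0-9_]+$ ]]; then
    >&2 echo "ERROR: invalid environment name: '$env_name'"
    exit 1
  fi
done
if [[ ! "$R10K_LOG_LEVEL" =~ ^[A-Za-z0-9_]+$ ]]; then
  >&2 echo "ERROR: invalid R10K_LOG_LEVEL: '$R10K_LOG_LEVEL'"
  exit 1
fi

# `sg -c` takes a single command string; rebuild it from the validated
# words with printf %q so each stays one argument to r10k.
r10k_cmd=$(printf '%q ' /usr/share/simp/bin/r10k deploy environment -v "$R10K_LOG_LEVEL" --puppetfile "$@")

# Run with puppet group so puppetserver can read files
( umask 0007 && sg puppet -c "$r10k_cmd" )
r10k_status=$?

if [ "$UID" -eq 0 ]; then
  # correct SELinux contexts on whatever r10k wrote, using the environments
  # directory itself as the reference context
  chcon -R "--reference=$PUPPET_ENV_DIR" "$PUPPET_ENV_DIR"
fi

exit "$r10k_status"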
#!/bin/bash
# site-modules/profile/files/r10k/safe_r10k_post_deploy.sh
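# Print usage to stdout.  `$0` and the source environment name are passed
# as printf arguments instead of being embedded in the format string, so a
# path containing '%' cannot be misread as a conversion.  `source_env` is
# set by process_env(); when usage() runs before it (no arguments given) the
# default source environment, "production", is shown.
usage(){
  printf 'Usage:\n\n%s TARGET_ENV [TARGET_ENV...]\n\n' "$0"
  echo "Ensures that SIMP Omni environment directories exist after an r10k deploy"
  echo "If not, creates missing environment dirs for TARGET_ENV, linked to ${source_env:-production}"
}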
# Create the SIMP "secondary" environment directory for $target_env as a
# link to $source_env's, unless it already exists.  Reads the globals
# target_env, source_env and secondary_env_dir set by process_env().
# Exits 2 when asked to link $source_env to itself while its own directory
# is missing, because there is nothing to link to.
link_secondary_env(){
  [ -e "$secondary_env_dir" ] && {
    echo "[X] Secondary environment path already exists: $secondary_env_dir"
    return
  }
  if [ "$target_env" = "$source_env" ]; then
    echo "WARNING: not linking ${target_env} to itself" >&2
    echo "ERROR: Secondary environment for ${source_env} DOES NOT EXIST" >&2
    exit 2
  fi
  simp environment new "$target_env" \
    --link "$source_env" --secondary-env --no-puppet-env --no-writable-env
}
# Create the SIMP "writable" environment directory for $target_env as a
# link to $source_env's, unless it already exists.  Reads the globals
# target_env, source_env and writable_env_dir set by process_env().
# Exits 2 when asked to link $source_env to itself while its own directory
# is missing, because there is nothing to link to.
link_writable_env(){
  [ -e "$writable_env_dir" ] && {
    echo "[X] Writable environment path already exists: $writable_env_dir"
    return
  }
  if [ "$target_env" = "$source_env" ]; then
    echo "WARNING: not linking ${target_env} to itself" >&2
    echo "ERROR: Writable environment for ${source_env} DOES NOT EXIST" >&2
    exit 2
  fi
  simp environment new "$target_env" \
    --link "$source_env" --writable-env --no-puppet-env --no-secondary-env
}
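# Link the SIMP writable and secondary environment directories for one
# environment.  Sets the globals read by link_writable_env() and
# link_secondary_env(): target_env, source_env, writable_env_dir and
# secondary_env_dir.
#
# $1  environment name (r10k passes the changed environments here).  Names
#     are restricted to [A-Za-z0-9_], the Puppet environment-name character
#     set, because the value is spliced into filesystem paths below; any
#     other value is reported on stderr and skipped (return 1).
process_env() {
  target_env="$1"
  source_env="production"
  if [[ ! "$target_env" =~ ^[A-Za-z0-9_]+$ ]]; then
    >&2 echo "ERROR: skipping invalid environment name: '$target_env'"
    return 1
  fi
  secondary_env_dir="/var/simp/environments/$target_env"
  writable_env_dir="/opt/puppetlabs/server/data/puppetserver/simp/environments/$target_env"
  # %s keeps the names out of the printf format string; the original's
  # unterminated `${source_env'` expansion was a bad-substitution error.
  printf "\n\n== target env: '%s' (source env: '%s')\n\n" "$target_env" "$source_env"
  if [ "$target_env" == "$source_env" ]; then
    >&2 echo "WARNING: not linking ${target_env} to itself"
  fi
  link_writable_env
  link_secondary_env
}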
# Entry point: require at least one (non-empty) environment name, then
# process each argument in turn.
[ -n "$1" ] || {
  printf '\nERROR: Provide an environment to link\n'
  usage
  exit 1
}
for env_name in "$@"; do
  process_env "$env_name"
done
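# site-modules/profile/manifests/r10k/ssh_deploy_key.pp
# Establishes SSH key for Puppetfiles with modules with SSH git urls, and
# installs the two r10k wrapper scripts.
#
# The key file name is `profile::r10k`'s `ssh_deploy_key_name` parameter.
# The original referenced it as a bare `$ssh_deploy_key_name`, which is not
# in this class's scope and resolves to undef; the class is required here
# (which also guarantees /etc/puppetlabs/r10k exists first) and the
# variable is read fully qualified.
class profile::r10k::ssh_deploy_key () {
  require profile::r10k

  $key_name = $profile::r10k::ssh_deploy_key_name

  # source key from /var/simp/environments/production/site_files/r10k_deploy_keys/
  # private key: root-only, no execute bit (the original used '0700')
  file { "/etc/puppetlabs/r10k/${key_name}":
    ensure => 'file',
    source => "puppet:///modules/${module_name}/r10k_deploy_keys/${key_name}",
    owner  => 'root',
    group  => 'root',
    mode   => '0600',
  }

  # sudo target for gitlab-runner (profile::r10k::runner_deploy): must be
  # root-owned and not writable by anyone else
  file { '/usr/local/sbin/safe_r10k_deploy.sh':
    ensure => 'file',
    source => "puppet:///modules/${module_name}/r10k/safe_r10k_deploy.sh",
    owner  => 'root',
    group  => 'root',
    mode   => '0750',
  }

  # r10k postrun hook (see r10k.yaml); runs with the deploy's privileges,
  # so it gets the same ownership rules
  file { '/usr/local/sbin/safe_r10k_post_deploy.sh':
    ensure => 'file',
    source => "puppet:///modules/${module_name}/r10k/safe_r10k_post_deploy.sh",
    owner  => 'root',
    group  => 'root',
    mode   => '0750',
  }
}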