Rundeck module for Puppet

Table of Contents

1. Overview
2. Module Description - What the module does and why it is useful
3. Setup - The basics of getting started with rundeck
   • What rundeck affects
   • Setup requirements
   • Beginning with rundeck
4. Usage - Configuration options and additional functionality
5. Reference - An under-the-hood peek at what the module is doing and how
6. Limitations - OS compatibility, etc.
7. Development - Guide for contributing to the module

Overview

The rundeck puppet module for installing and managing Rundeck

Module Description

This module provides a way to manage the installation and configuration of rundeck, it's projects, jobs and plugins.

Setup

Classes and Defined Types

Class: rundeck

The rundeck module primary class, guides the basic installation and management of rundeck on your system

Parameters within rundeck:

package_ensure

Ensure the state of the rundeck package, either present, absent or a specific version

auth_types

The method used to authenticate to Rundeck. Options: file, ldap, active_directory, ldap_shared, active_directory_shared. Default is file.

acl_template

The template used for admin acl policy. Default is rundeck/aclpolicy.erb.

api_template

The template used for apitoken acl policy. Default is rundeck/aclpolicy.erb.

properties_dir

The path to the configuration directory where the properties file are stored.

log_dir

The path to the directory to store logs.

user

The user that Rundeck is installed as.

group

The group that the Rundeck user is a member of.

rdeck_base

The installation directory for Rundeck.

server_web_context

Web context path to use, such as "/rundeck". http://host.domain:port/server_web_context

ssl_enabled

Enable ssl for the Rundeck web application.

ssl_keyfile and ssl_certfile

If ssl_enabled is True, you must supply this parameter. It is recommended that you provide the .crt and .key files separately via other means, such as a role or profile manifest.

How to: eg: environments/role/manifests/rundeck.pp

class role::rundeck (
...
  $ssl_keyfile                        = hiera('rundeck::config::ssl_keyfile', "/etc/rundeck/ssl/$fqdn.key"),
  $ssl_certfile                       = hiera('rundeck::config::ssl_certfile', "/etc/rundeck/ssl/$fqdn.crt"),
..
){
...
  validate_string($ssl_keyfile)
  validate_string($ssl_certfile)
...
  class { 'rundeck':
...
    ssl_keyfile                  => $ssl_keyfile,
    ssl_certfile                 => $ssl_certfile,
...
  }
...
}

Am End please add the module below to your environments/Puppetfile to use java_ks:

mod 'java_ks',
  :git => 'https://github.com/puppetlabs/puppetlabs-java_ks.git',
  :tag => '1.4.1'

session_timeout

Time limit (in minutes) for a logged in Rundeck web application user which as been inactive for a period of time.

projects

The hash of projects in your instance.

projects_organization

The organization value that will be set by default for any projects.

projects_description

The description that will be set by default for any projects.

quartz_job_threadcount

The maximum number of threads used by Rundeck for concurrent jobs by default is set to 10.

rd_loglevel

The log4j logging level to be set for the Rundeck application.

rss_enabled

Boolean value if set to true enables RSS feeds that are public (non-authenticated)

clustermode_enabled

Boolean value if set to true enables cluster mode

grails_server_url

The url used in sending email notifications.

dataSource_config

A hash of the data Source configuration.

keystore

Full path to the java keystore to be used by Rundeck.

keystore_password

The password for the given keystore.

key_password

The default key password.

truststore

The full path to the java truststore to be used by Rundeck.

truststore_password

The password for the given truststore.

service_name

The name of the rundeck service.

mail_config

A hash of the notification email configuraton.

security_config

A hash of the rundeck security configuration.

security_role

The name of the role that is required for all users to be allowed access.

security_roles_array_enabled

Boolean value if set to true enables security_roles_array.

security_roles_array

Array value if you want to have more role in web.xml

manage_yum_repo

Whether to manage the YUM repository containing the Rundeck rpm. Defaults to true.

file_keystorage_dir

The location of stored data like public keys, private keys.

Define: rundeck::config::aclpolicyfile

A definition for creating custom acl policy files

acl_policies

An array containing ACL policies. See rundeck::params::acl_policies / rundeck::params::api_policies as an example.

owner

The user that rundeck is installed as.

group

The group permission that rundeck is installed as.

properties_dir

The rundeck configuration directory.

Define: rundeck::config::plugin

A definition for installing rundeck plugins

Parameters within rundeck::config::plugin:

source

The http source or local path from which to get the jar plugin.

ensure

Default set to 'present' and can be set to 'absent' to remove the plugin for the system.

timeout

Timeout in seconds. Default is set to 300 seconds which is the default for the Exec type.

Define: rundeck::config::project

A definition for managing rundeck projects

Parameters within rundeck::project:

file_copier_provider

The type of proivder that will be used for copying files to each of the nodes

node_executor_provider

The type of provider that will be used to gather node resources

resource_sources

A hash of rundeck::config::resource_source that will be used to specifiy the node resources for this project

ssh_keypath

The path the the ssh key that will be used by the ssh/scp providers

projects_dir

The directory where rundeck is configured to store project information

user

The user that rundeck is installed as.

group

The group permission that rundeck is installed as.

Define: rundeck::config::resource_source

A definition for managing the resource sources for a given project

Parameters within rundeck::resource_source:

project_name

The name of the project for which this resource in intended to be a part.

number

The sequential number of the resource within the project.

source_type

The source type where resources will come from: file, directory, url or script.

include_server_node

Boolean value to decide whether or not to include the server node in your list of avaliable nodes.

resource_format

The format of the resource that will procesed, either resourcexml or resourceyaml.

url

When the url source_type is specified this is the path to that url.

url_timeout

An integer value in seconds that rundeck will wait for resources from the url before timing out.

url_cache

Boolean value. Keep a local cache of the resources pulled from the url.

directory

When the directory source_type is specified this is the path to that directory.

script_file

When the script source_type is specified this is the path that that script.

script_args

A string of the full arguments to pass the the specified script.

script_args_quoted

Boolean value. Quote the arguments of the script.

script_interpreter

The interpreter to use in executing the script. Defaults to: '/bin/bash'

projects_dir

The directory where rundeck is configured to store project information.

user

The user that rundeck is installed as.

group

The group permission that rundeck is installed as.

Usage

Configuring shared authentication credentials

To perform LDAP authentication and file authorization see example examples/ldap_shared.pp

Configure a MySQL database

To use an external MySQL database, the database_config hash must be set to override the default values which result in a local file based storage. To enable key and project storage in the database, you must also set the two parameters associated parameters.

class { '::rundeck':
  key_storage_type      => 'db',
  projects_storage_type => 'db',
  database_config       => {
    'type'              => 'mysql',
    'url'               => $db_url,
    'username'          => 'rundeck',
    'password'          => $db_pass,
    'driverClassName'   => 'com.mysql.jdbc.Driver',
  }
}

Reference

Classes

Public Classes

• rundeck: Guides the basic installation of rundeck

Private Classes

• rundeck::install: Manages the installation of the rundeck packages
• rundeck::service: Manages the rundeck service
• rundeck::config: Manages all the global configuration of the rundeck application
• rundeck::config::global::framework: Manage the configuration of shell tools and core rundeck services
• rundeck::config::global::project: Managed the rundeck project configuration
• rundeck::config::global::rundeck_config: Manages the rundeck webapp configuration file
• rundeck::config::global::ssl: Manages the ssl configuration for the rundeck webapp

Defines

Public Defines

• rundeck::config::aclpolicyfile: Manages a acl policy file
• rundeck::config::plugin: Manages the installation of rundeck plugins
• rundeck::config::project: Manages the configuration of rundeck projects
• rundeck::config::resource_source: Manages resource sources for each project

Limitations

This module is tested on the following platforms:

• CentOS 5
• CentOS 6
• CentOS 7
• Ubuntu 12.04
• Ubuntu 14.04

It is tested with the OSS version of Puppet only.

Development

Contributing

Please read CONTRIBUTING.md for full details on contributing to this project.

Changelog

2017-01-13 - Release 3.3.0

This is the last release with puppet3 support!

• Add tags to fix aclpolicy
• Bump puppetlabs/inifile dependency version
• This adds a boolean class parameter to the rundeck class to allow people
• Add more specific scope on the variable
• Fix several markdown issues
• rubocop: fix RSpec/ImplicitExpect
• rubocop: fix RSpec/NotToNot
• Add missing badges
• Install rundeck from apt for osfamily debian
• Add backwards compatibility for debian installations with wget deb files
• Add puppetlabs/apt module dependency
• Add variable quartz_job_threadCount
• Set puppet minimum version_requirement to 3.8.7
• Set minimum version dependencies (for Puppet 4)
• Add userPasswordAttribute to ldap config, like AD config

2016-10-05 - Release 3.2.0

• Modulesync with latest Vox Pupuli defaults
• Add support to set user and group id. #254 (zlanyi)
• Add puppet_enterprise_ssl_dir param #256 (ltutar)
• Improve test coverage #258 (ltutar)
• Add missing 'rd_auditlevel' parameter to config.pp #262 (tomtheun)
• Update puppet/archive dependency #267 (alexjfisher)
• Feature: generate Keytool for SSL #261 (zlanyi)

2016-07-11 - Release 3.1.0

###Features

• Add support for more security role in web.xml #250 (zlanyi)
• able to change ssl port through parameter #249 (ltutar)
• modulesync to latest foxpupuli defaults #245, #240 (bastelfreak)
• Sync metadata.json license to be same as LICENSE (MIT) #244 (juniorsysadmin)
• Remove tests directory #243 (alexjfisher)
• Example manifest to demo-install Rundeck on EL7 #242 (vinzent)
• added puppet enterprise resource type #241 (dalisch)
• fixed management of $file_keystore_dir #239 (dalisch)

2016-05-26 - Release 3.0.0

Summary

• We dropped Ruby1.8 support!
• Rundeck preauthenticated-mode mode config.
• Several improvements and bugfixes.

Features

• Add ability to specify different project and key storage types #167 (jyaworski)
• Add support for customizing profile #174 (danifr)
• Support preauthenticated mode config #175 (danifr)
• Added management of scm-import.properties #193 (dalisch)
• Add Rundeck GUI customization properties #210 (dalisch)
• Add note and example about using an external MySQL DB #213 (zleswomp)
• Add CentOS 7 to tested platforms #214 (zleswomp)
• Add ability to specify node executor settings #217 (DevOpsFu)
• Add param to configure service state #223 (danifr)
• Do not write non-existent mail configuration #234 (ak0ska)
• Added option to template : 'forceBindingLoginUseRootContextForRoles' #228 (zlanyi)

Bugfixes

• Fix(validate_rd_policy) expand relative path for require #201 (igalic)
• Fix indentation for nodename property in aclpolicy template #209 (cy4n)
• Fix audit loglevel 207 #212 (remixtj)
• Documentation fixes #215 (zleswomp)
• Correcting values of project.organization and projection.description #221 (brmorris)
• Simple fix aclpolicy.erb template #222 (devcfgc)

Improvements

• Simplify the acl template #173 (grafjo)
• Default policy management is now optional #184 (bovy89)
• Linting changes and rubocop updates #185 (jyaworski)
• Update from voxpupuli modulesync_config #187 (jyaworski)
• Order variables alphabetically #189 (danifr)
• Remove auth-constraint from web.xml if preauthenticated mode enabled #190 (danifr)
• Ensure rundeck directories are owned by $user and $group #191 (danifr)
• Revert "Simplify the acl template" #195 (jyaworski)
• Pin rake to avoid rubocop/rake 11 incompatibility #200 (roidelapluie)
• Refactored file permissions management #204 (dalisch)
• Update _auth_file.erb (fixes #206) #211 (remixtj)
• Amend default policy for full storage control #216 (zleswomp)
• Automate configuration of SCM export properties in a project #218 (dalisch)
• Allow disabling download of debian package. #219 (aequitas)
• Simple fix qualify command #220 (devcfgc)
• Update from voxpupuli modulesync_config #227 (jyaworski)

#2016-02-19 - Release 2.2.0

Summary

New defined type for managing file-based keystores and lots of bugfixes.

Features

• Adding new defined type rundeck::config::file_keystore for provisioning of password and public keys for file-based keystorage (#172)

Bugfixes

• Adding missing ssh_keypath to project defined type (#153)
• Added ldap login module if ldap in the provided auth_types (#163)
• Ensuring config that uses ini_file always uses string values (#164)
• Adding 'rundeck_server' property to acl_template (#148)
• Fix validation of resource_source number parameter (#171)

Improvements

• Disable H2 database logging in log4j.properties (#161)
• Move rundeck_version to a proper fact (#165)

##2015-11-20 - Release 2.1.0

Summary

Fixing the autoload bug in the new acl validation function. Lots of new parameters to customize settings.

Features

• Added support for shared authentication credentials
• Added RHEL7/CentOS7 to supported OS list
• Added new class rundeck::config::global::web to manage security-role in web.xml
• Added examples
• New parameter projects to allow you to prove a hash of rundeck::config::project instances
• New parameter realm_template allowing you to override the realm.properties template
• New parameter rdeck_config_template allowing you to override the rundeck-config template
• New parameter session_timeout to allow modification of the gui session timeout in web.xml
• New parameter file_keystorage_dir to allow non-default path to key storage

Bugfixes

• Fixing the autoload of the rundeck_acl function
• Ensure ssl configuration is only included when ssl_enabled is set.
• Fixed syntax in facts
• Removed the java dependency from the package install.
• Fixing bugs in the aclpolicy template

##2015-09-11 - Release 2.0.0 ###Summary

####Features

• New defined type rundeck::config::aclpolicyfile
• Refactored plugin installation to use puppet/archive
• Refactored rundeck::config::resource_source
• New class rundeck::facts to install rundeck facts and external facts
• Added param server_web_context to pass into the JVM args
• Add support for a different JAVA_HOME directory
• Added new function to validate acl policies
• Added support for PAM authentication

Bugfixes

• Ensure service is restarted on all config changes
• Support installing rundeck with non-default user and groups
• Fixing bind CN for ldap configuration
• Fix the projects directory default in framework.properties
• Download packages over https

Breaking changes

• Removed params plugin_dir, user and group from rundeck::config::plugin
• Removed params user and group from rundeck::config::resource_source
• Removed the management of the JRE
• Changes the format of the acl polices hash - see params.pp for example.

##2015-05-22 - Release 1.2.0 ###Summary

Support for API ACLS and some bug fixes for RedHat/CentOS

####Features

• Add support for multiple auth users
• Add option to configure API acls

####Bugfixes

• Fix bug with grails.mail.default.from
• Fix rundeck_version fact on RHEL-based systems
• Require java 7 for RHEL based systems
• Fix user and group for project directory
• Ensure service is restarted after upgrade on RHEL based systems
• Adding missing storage rule to acl policy defaults

##2015-03-24 - Release 1.1.0 ###Summary

This release contained many new features and refactorings. Exciting stuff.

####Features

• Allow optional management of the JRE
• Add initial support for support for clustermode
• Allow an alternative service script
• Add LDAP + ActiveDirectory login support
• Make managing the yum repository optional
• Adding support for alternative database configurations
• Refactoring rundeck-config from ini_settings to groovy format
• Add support for passing e-email configuration to grails

####Bugfixes

• Fix deep merging of framework_config
• Make sure that changes in the ssl settings trigger a restart in the rundeckd service
• Fixing lots of beaker tests

##2014-10-13 - Release 1.0.0 ###Summary

This release is focused on cleaning up the module and closing down a number of annoying bugs that have been around a while. Some refactoring has also taken place to make it a little eaiser and cleaner to add features in further reeleases.

####Features

• adding support for the redhat rundeck repo
• updating default rundeck version to 2.2.3
• improving documentation and tests

####Bugfixes

• fixing bug in layout of admin.aclpolicy file
• fixing default config settings for servername and grails_server_url which causes bug in page loading
• fixing some idempotency issues
• refactoring the configuration of the module

##2014-04-04 - Release 0.2.0 ###Summary

This release is focused on managing more configuration and resources in the rundeck application

####Features

• adding definitions for plugins, projects, and resource sources
• adding support for managing the majority of the Rundeck configuration
• more tests

##2014-03-28 - Release 0.1.0 ###Summary

Initial release.