Puppet Class: rundeck

Defined in:
manifests/init.pp

Summary

Class to manage installation and configuration of Rundeck.

Overview

Parameters:

  • override_dir (Stdlib::Absolutepath)

    An absolute path to the overrides directory. Examples/defaults for yumrepo can be found at RedHat.yaml, and for apt at Debian.yaml

  • repo_config (Hash)

    A hash of repository attributes for configuring the rundeck package repositories. Examples/defaults for yumrepo can be found at RedHat.yaml, and for apt at Debian.yaml

  • manage_repo (Boolean) (defaults to: true)

    Whether to manage the package repository.

  • package_ensure (String[1]) (defaults to: 'installed')

    Ensure the state of the rundeck package, either present, absent or a specific version.

  • manage_home (Boolean) (defaults to: true)

    Whether to manage rundeck home dir.

  • user (String[1]) (defaults to: 'rundeck')

    The user that rundeck is installed as.

  • group (String[1]) (defaults to: 'rundeck')

    The group permission that rundeck is installed as.

  • manage_user (Boolean) (defaults to: false)

    Whether to manage `user` (and enforce `user_id` if set).

  • manage_group (Boolean) (defaults to: false)

    Whether to manage `group` (and enforce `group_id` if set).

  • user_id (Optional[Integer]) (defaults to: undef)

    Set this if you always want the same user id, e.g. because of an NFS share.

  • group_id (Optional[Integer]) (defaults to: undef)

    Set this if you always want the same group id, e.g. because of an NFS share.

  • admin_policies (Array[Hash]) (defaults to: [ { 'description' => 'Admin, all access', 'context' => { 'project' => '.*' }, 'for' => { 'resource' => [{ 'allow' => '*' }], 'adhoc' => [{ 'allow' => '*' }], 'job' => [{ 'allow' => '*' }], 'node' => [{ 'allow' => '*' }], }, 'by' => [{ 'group' => ['admin'] }], }, { 'description' => 'Admin, all access', 'context' => { 'application' => 'rundeck' }, 'for' => { 'project' => [{ 'allow' => '*' }], 'resource' => [{ 'allow' => '*' }], 'storage' => [{ 'allow' => '*' }], }, 'by' => [{ 'group' => ['admin'] }], }, ])

    Admin acl policies.

  • api_policies (Array[Hash]) (defaults to: [ { 'description' => 'API project level access control', 'context' => { 'project' => '.*' }, 'for' => { 'resource' => [ { 'equals' => { 'kind' => 'job' }, 'allow' => ['create', 'delete'] }, { 'equals' => { 'kind' => 'node' }, 'allow' => ['read', 'create', 'update', 'refresh'] }, { 'equals' => { 'kind' => 'event' }, 'allow' => ['read', 'create'] }, ], 'adhoc' => [{ 'allow' => ['read', 'run', 'kill'] }], 'job' => [{ 'allow' => ['read', 'create', 'update', 'delete', 'run', 'kill'] }], 'node' => [{ 'allow' => ['read', 'run'] }], }, 'by' => [{ 'group' => ['api_token_group'] }], }, { 'description' => 'API Application level access control', 'context' => { 'application' => 'rundeck' }, 'for' => { 'project' => [{ 'match' => { 'name' => '.*' }, 'allow' => ['read'] }], 'resource' => [{ 'equals' => { 'kind' => 'system' }, 'allow' => ['read'] }], 'storage' => [{ 'match' => { 'path' => '(keys|keys/.*)' }, 'allow' => '*' }], }, 'by' => [{ 'group' => ['api_token_group'] }], }, ])

    Apitoken acl policies.

  • manage_default_admin_policy (Boolean) (defaults to: true)

    Whether to manage the default admin policy.

  • manage_default_api_policy (Boolean) (defaults to: true)

    Whether to manage default api policy.

  • grails_server_url (Stdlib::HTTPUrl) (defaults to: "http://${facts['networking']['fqdn']}:4440")

    Sets `grails.serverURL` so that Rundeck knows its external address.

  • clustermode_enabled (Boolean) (defaults to: false)

    Whether to enable cluster mode.

  • execution_mode (Enum['active', 'passive']) (defaults to: 'active')

    Set the execution mode to ‘active’ or ‘passive’.

  • api_token_max_duration (String[1]) (defaults to: '30d')

    Set the token max duration.

  • java_home (Optional[Stdlib::Absolutepath]) (defaults to: undef)

    Set the home directory of java.

  • jvm_args (String) (defaults to: '-Xmx1024m -Xms256m -server')

    Extra arguments for the JVM.

  • quartz_job_threadcount (Integer) (defaults to: 10)

    The maximum number of threads used by Rundeck for concurrent jobs.

  • auth_config (Rundeck::Auth_config) (defaults to: { 'file' => { 'auth_flag' => 'required', 'jaas_config' => { 'file' => '/etc/rundeck/realm.properties', }, 'realm_config' => { 'admin_user' => 'admin', 'admin_password' => 'admin', 'auth_users' => [], }, }, })

    Hash of properties for configuring [Rundeck JAAS Authentication](docs.rundeck.com/docs/administration/security/authentication.html#jetty-and-jaas-authentication)

  • database_config (Rundeck::Db_config) (defaults to: { 'url' => 'jdbc:h2:file:/var/lib/rundeck/data/rundeckdb' })

    Hash of properties for configuring the [Rundeck Database](docs.rundeck.com/docs/administration/configuration/database)

  • feature_config (Hash) (defaults to: {})

    A hash of rundeck features.

  • framework_config (Hash) (defaults to: {})

    Hash of properties for configuring the [Rundeck Framework](docs.rundeck.com/docs/administration/configuration/config-file-reference.html#framework-properties) This hash will be merged with the [Rundeck defaults](github.com/voxpupuli/puppet-rundeck/blob/master/manifests/config.pp#L8-L20)

  • grails_config (Hash) (defaults to: {})

    A hash of the rundeck grails configuration.

  • gui_config (Hash) (defaults to: {})

    Hash of properties for customizing the [Rundeck GUI](docs.rundeck.com/docs/administration/configuration/gui-customization.html)

  • mail_config (Rundeck::Mail_config) (defaults to: {})

    A hash of the notification email configuration.

  • security_config (Hash) (defaults to: {})

    A hash of the rundeck security configuration.

  • preauthenticated_config (Hash) (defaults to: {})

    A hash of the rundeck preauthenticated configuration.

  • key_storage_config (Rundeck::Key_storage_config) (defaults to: [{ 'type' => 'db', 'path' => 'keys' }])

    An array with hashes of properties for customizing the [Rundeck Key Storage](docs.rundeck.com/docs/manual/key-storage/key-storage.html)

  • key_storage_encrypt_config (Array[Hash]) (defaults to: [])

    An array with hashes of properties for customizing the [Rundeck Key Storage converter](docs.rundeck.com/docs/administration/configuration/plugins/configuring.html#storage-converter-plugins)

  • root_log_level (Rundeck::Loglevel) (defaults to: 'info')

    The log4j root logging level to be set for Rundeck.

  • app_log_level (Rundeck::Loglevel) (defaults to: 'info')

    The log4j logging level to be set for the Rundeck application.

  • audit_log_level (Rundeck::Loglevel) (defaults to: 'info')

    The log4j logging level to be set for the Rundeck authorization.

  • webhook_plugins_log_level (Rundeck::Loglevel) (defaults to: 'info')

    The log4j logging level to be set for the Rundeck plugin webhooks.

  • execution_cleanup_log_level (Rundeck::Loglevel) (defaults to: 'info')

    The log4j logging level to be set for the Rundeck execution cleanup.

  • jaas_log_level (Rundeck::Loglevel) (defaults to: 'info')

    The log4j logging level to be set for the Rundeck jaas security.

  • config_template (String[1]) (defaults to: 'rundeck/rundeck-config.properties.epp')

    The template used for rundeck-config properties. Needs to be in epp format.

  • override_template (String[1]) (defaults to: 'rundeck/profile_overrides.epp')

    The template used for rundeck profile overrides. Needs to be in epp format.

  • realm_template (String[1]) (defaults to: 'rundeck/realm.properties.epp')

    The template used for jaas realm properties. Needs to be in epp format.

  • log_properties_template (String[1]) (defaults to: 'rundeck/log4j2.properties.epp')

    The template used for log properties. Needs to be in epp format.

  • rss_enabled (Boolean) (defaults to: false)

    If set to true, enables RSS feeds that are public (non-authenticated).

  • server_web_context (Optional[String[1]]) (defaults to: undef)

    Web context path to use, such as “/rundeck”. host.domain:port/server_web_context

  • ssl_enabled (Boolean) (defaults to: false)

    Enable ssl for the rundeck web application.

  • ssl_port (Stdlib::Port) (defaults to: 4443)

    Ssl port of the rundeck web application.

  • ssl_certificate (Stdlib::Absolutepath) (defaults to: '/etc/rundeck/ssl/rundeck.crt')

    Full path to the SSL certificate (public key) to be used by Rundeck.

  • ssl_private_key (Stdlib::Absolutepath) (defaults to: '/etc/rundeck/ssl/rundeck.key')

    Full path to the SSL private key to be used by Rundeck.

  • key_password (Optional[String[1]]) (defaults to: undef)

    The password used to protect the key in the keystore.

  • keystore (Stdlib::Absolutepath) (defaults to: '/etc/rundeck/ssl/keystore')

    Full path to the java keystore to be used by Rundeck.

  • keystore_password (String[1]) (defaults to: 'adminadmin')

    The password for the given keystore. The default is a fixed, publicly known value and should be overridden.

  • truststore (Stdlib::Absolutepath) (defaults to: '/etc/rundeck/ssl/truststore')

    The full path to the java truststore to be used by Rundeck.

  • truststore_password (String[1]) (defaults to: 'adminadmin')

    The password for the given truststore. The default is a fixed, publicly known value and should be overridden.

  • service_name (String[1]) (defaults to: 'rundeckd')

    The name of the rundeck service.

  • service_ensure (Enum['stopped', 'running']) (defaults to: 'running')

    State of the rundeck service.

  • service_logs_dir (Stdlib::Absolutepath) (defaults to: '/var/log/rundeck')

    The path to the directory to store service related logs.

  • service_notify (Boolean) (defaults to: true)

    Whether to notify and restart the rundeck service if config changes.

  • service_config (Optional[String[1]]) (defaults to: undef)

    Allows you to use your own override template to configure the rundeckd init script.

  • service_script (Optional[String[1]]) (defaults to: undef)

    Allows you to use your own override template instead of the default from the package maintainer for rundeckd init script.

  • manage_cli (Boolean) (defaults to: true)

    Whether to manage rundeck cli config and resource with the rundeck class or not.

  • cli_version (String[1]) (defaults to: 'installed')

    Ensure the state of the rundeck cli package, either present, absent or a specific version.

  • cli_user (String[1]) (defaults to: 'admin')

    Cli user to authenticate.

  • cli_password (String[1]) (defaults to: 'admin')

    Cli password to authenticate. The default is a fixed, publicly known value and should be overridden.

  • cli_token (Optional[String[8]]) (defaults to: undef)

    Cli token to authenticate.

  • cli_projects (Hash[String, Rundeck::Project]) (defaults to: {})

    Cli projects config.



# File 'manifests/init.pp', line 139

# Manages installation and configuration of Rundeck.
#
# The class validates the two ACL policy arrays, contains the install, config
# and service sub-classes in that order, and optionally declares rundeck::cli.
#
# Several defaults in this signature are fixed, publicly known credentials
# ('admin' / 'adminadmin') and the default server URL is plain http; see the
# inline notes on the affected parameters.
class rundeck (
  Stdlib::Absolutepath $override_dir,
  Hash $repo_config,
  Boolean $manage_repo = true,
  String[1] $package_ensure = 'installed',
  Boolean $manage_home = true,
  String[1] $user = 'rundeck',
  String[1] $group = 'rundeck',
  Boolean $manage_user = false,
  Boolean $manage_group = false,
  Optional[Integer] $user_id = undef,
  Optional[Integer] $group_id = undef,
  # Default admin ACL: members of group 'admin' are allowed every action ('*')
  # in all projects (context 'project' => '.*') and on the application-level
  # project, resource and storage kinds.
  Array[Hash] $admin_policies = [
    {
      'description' => 'Admin, all access',
      'context'     => { 'project' => '.*' },
      'for'         => {
        'resource' => [{ 'allow' => '*' }],
        'adhoc'    => [{ 'allow' => '*' }],
        'job'      => [{ 'allow' => '*' }],
        'node'     => [{ 'allow' => '*' }],
      },
      'by'          => [{ 'group' => ['admin'] }],
    },
    {
      'description' => 'Admin, all access',
      'context'     => { 'application' => 'rundeck' },
      'for'         => {
        'project'  => [{ 'allow' => '*' }],
        'resource' => [{ 'allow' => '*' }],
        'storage'  => [{ 'allow' => '*' }],
      },
      'by'          => [{ 'group' => ['admin'] }],
    },
  ],
  # Default ACL for group 'api_token_group'. At project level it allows
  # running and killing adhoc commands and creating, updating, deleting and
  # running jobs in every project. At application level project and system
  # access is read-only, but the storage rule allows every action ('*') on
  # paths matching '(keys|keys/.*)'. Narrow these rules if API tokens should
  # not manage stored keys or run commands.
  Array[Hash] $api_policies = [
    {
      'description' => 'API project level access control',
      'context'     => { 'project' => '.*' },
      'for'         => {
        'resource' => [
          { 'equals' => { 'kind' => 'job' }, 'allow' => ['create', 'delete'] },
          { 'equals' => { 'kind' => 'node' }, 'allow' => ['read', 'create', 'update', 'refresh'] },
          { 'equals' => { 'kind' => 'event' }, 'allow' => ['read', 'create'] },
        ],
        'adhoc'    => [{ 'allow' => ['read', 'run', 'kill'] }],
        'job'      => [{ 'allow' => ['read', 'create', 'update', 'delete', 'run', 'kill'] }],
        'node'     => [{ 'allow' => ['read', 'run'] }],
      },
      'by'          => [{ 'group' => ['api_token_group'] }],
    },
    {
      'description' => 'API Application level access control',
      'context'     => { 'application' => 'rundeck' },
      'for'         => {
        'project'  => [{ 'match' => { 'name' => '.*' }, 'allow' => ['read'] }],
        'resource' => [{ 'equals' => { 'kind' => 'system' }, 'allow' => ['read'] }],
        'storage'  => [{ 'match' => { 'path' => '(keys|keys/.*)' }, 'allow' => '*' }],
      },
      'by'          => [{ 'group' => ['api_token_group'] }],
    },
  ],
  Boolean $manage_default_admin_policy = true,
  Boolean $manage_default_api_policy = true,
  # Default is plain http on port 4440 and does not depend on $ssl_enabled or
  # $ssl_port below. The same value is handed to rundeck::cli as bypass_url.
  # NOTE(review): presumably this must be set to an https URL when SSL is
  # enabled - confirm against rundeck::config.
  Stdlib::HTTPUrl $grails_server_url = "http://${facts['networking']['fqdn']}:4440",
  Boolean $clustermode_enabled = false,
  Enum['active', 'passive'] $execution_mode = 'active',
  String[1] $api_token_max_duration = '30d',
  Optional[Stdlib::Absolutepath] $java_home = undef,
  String $jvm_args = '-Xmx1024m -Xms256m -server',
  Integer $quartz_job_threadcount = 10,
  # Default file-realm settings carry admin_user 'admin' with admin_password
  # 'admin'. Both values are public; override admin_password before the
  # service is reachable.
  Rundeck::Auth_config $auth_config = {
    'file' => {
      'auth_flag'    => 'required',
      'jaas_config'  => {
        'file' => '/etc/rundeck/realm.properties',
      },
      'realm_config' => {
        'admin_user'     => 'admin',
        'admin_password' => 'admin',
        'auth_users'     => [],
      },
    },
  },
  Rundeck::Db_config $database_config = { 'url' => 'jdbc:h2:file:/var/lib/rundeck/data/rundeckdb' },
  Hash $feature_config = {},
  Hash $framework_config = {},
  Hash $grails_config = {},
  Hash $gui_config = {},
  Rundeck::Mail_config $mail_config = {},
  Hash $security_config = {},
  Hash $preauthenticated_config = {},
  Rundeck::Key_storage_config $key_storage_config = [{ 'type' => 'db', 'path' => 'keys' }],
  # Empty by default, i.e. no storage converter is passed in.
  # NOTE(review): whether stored keys are then left unencrypted at rest
  # depends on rundeck::config, which is not visible here - confirm.
  Array[Hash] $key_storage_encrypt_config = [],
  Rundeck::Loglevel $root_log_level = 'info',
  Rundeck::Loglevel $app_log_level = 'info',
  Rundeck::Loglevel $audit_log_level = 'info',
  Rundeck::Loglevel $webhook_plugins_log_level = 'info',
  Rundeck::Loglevel $execution_cleanup_log_level = 'info',
  Rundeck::Loglevel $jaas_log_level = 'info',
  String[1] $config_template = 'rundeck/rundeck-config.properties.epp',
  String[1] $override_template = 'rundeck/profile_overrides.epp',
  String[1] $realm_template = 'rundeck/realm.properties.epp',
  String[1] $log_properties_template = 'rundeck/log4j2.properties.epp',
  Boolean $rss_enabled = false,
  Optional[String[1]] $server_web_context = undef,
  # SSL is off by default; the paths, port and passwords below only describe
  # the SSL setup and do not enable it.
  Boolean $ssl_enabled = false,
  Stdlib::Port $ssl_port = 4443,
  Stdlib::Absolutepath $ssl_certificate = '/etc/rundeck/ssl/rundeck.crt',
  Stdlib::Absolutepath $ssl_private_key = '/etc/rundeck/ssl/rundeck.key',
  # NOTE(review): every password parameter in this class is typed String, not
  # Sensitive, so Puppet does not redact the values in the catalog, logs or
  # reports.
  Optional[String[1]] $key_password = undef,
  Stdlib::Absolutepath $keystore = '/etc/rundeck/ssl/keystore',
  # Fixed, publicly known default; override it.
  String[1] $keystore_password = 'adminadmin',
  Stdlib::Absolutepath $truststore = '/etc/rundeck/ssl/truststore',
  # Fixed, publicly known default; override it.
  String[1] $truststore_password = 'adminadmin',
  String[1] $service_name = 'rundeckd',
  Enum['stopped', 'running'] $service_ensure = 'running',
  Stdlib::Absolutepath $service_logs_dir = '/var/log/rundeck',
  Boolean $service_notify = true,
  Optional[String[1]] $service_config = undef,
  Optional[String[1]] $service_script = undef,
  Boolean $manage_cli = true,
  String[1] $cli_version = 'installed',
  # The CLI credentials default to the same 'admin'/'admin' pair as the
  # default realm in $auth_config, but are not derived from it.
  # NOTE(review): presumably both must be changed together - confirm against
  # rundeck::cli.
  String[1] $cli_user = 'admin',
  String[1] $cli_password = 'admin',
  # When set, the token must be at least 8 characters long (String[8]).
  Optional[String[8]] $cli_token = undef,
  Hash[String, Rundeck::Project] $cli_projects = {},
) {
  # Check both ACL policy arrays before anything is declared.
  # validate_rd_policy is defined elsewhere in the module; presumably it fails
  # compilation on a malformed policy - confirm.
  validate_rd_policy($admin_policies)
  validate_rd_policy($api_policies)

  # Contain the sub-classes so that relationships formed with Class['rundeck']
  # also apply to them.
  contain rundeck::install
  contain rundeck::config
  contain rundeck::service

  # install always comes before config. With $service_notify the config class
  # notifies the service class (~>), so a config change refreshes the service;
  # otherwise the chain only orders the classes (->).
  if $service_notify {
    Class['rundeck::install']
    -> Class['rundeck::config']
    ~> Class['rundeck::service']
  } else {
    Class['rundeck::install']
    -> Class['rundeck::config']
    -> Class['rundeck::service']
  }

  if $manage_cli {
    # The url is read from rundeck::config's own $framework_config variable,
    # so this declaration relies on rundeck::config having been evaluated by
    # the contain statement above. The CLI user, password and token are passed
    # through unchanged; bypass_url is $grails_server_url, http by default.
    class { 'rundeck::cli':
      manage_repo       => false,
      notify_conn_check => true,
      version           => $cli_version,
      url               => $rundeck::config::framework_config['framework.server.url'],
      bypass_url        => $grails_server_url,
      user              => $cli_user,
      password          => $cli_password,
      token             => $cli_token,
      projects          => $cli_projects,
    }

    # The CLI class is applied only after the service class.
    Class['rundeck::service']
    -> Class['rundeck::cli']
  }
}