From 663a97ab51b420c98c2e520e95085566de3bc36c Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Sun, 4 May 2025 16:16:05 +0200 Subject: [PATCH 1/2] webhook: make blocked_branches options configureable --- README.md | 3 +- REFERENCE.md | 43 +++++++++++++++++----------- manifests/webhook.pp | 19 ++++++------ manifests/webhook/service.pp | 14 +++++---- spec/acceptance/r10k_webhook_spec.rb | 28 ++++++++++++++++-- types/webhook/config/r10k.pp | 17 +++++------ 6 files changed, 83 insertions(+), 41 deletions(-) diff --git a/README.md b/README.md index 534648cf..b3fe4eaf 100644 --- a/README.md +++ b/README.md @@ -586,7 +586,8 @@ class { 'r10k::webhook': ### Ignore deploying some environments Since [2.10.0](https://github.com/voxpupuli/webhook-go/releases/tag/v2.10.0) the webhook has support for ignoring certain branches. -This is not yet configureable via the puppet module. +When a deployment is triggered for that branch, it will return am HTTP 403 error code. +You can configure an array of branches via `r10k::webhook::blocked_branches`. ### configuring the webservice/deploy user diff --git a/REFERENCE.md b/REFERENCE.md index ab9b971f..a2319e7b 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -533,6 +533,7 @@ The following parameters are available in the `r10k::webhook` class: * [`service_enabled`](#-r10k--webhook--service_enabled) * [`config_ensure`](#-r10k--webhook--config_ensure) * [`config_path`](#-r10k--webhook--config_path) +* [`blocked_branches`](#-r10k--webhook--blocked_branches) * [`chatops`](#-r10k--webhook--chatops) * [`tls`](#-r10k--webhook--tls) * [`queue`](#-r10k--webhook--queue) @@ -611,6 +612,14 @@ Data type: `String` Default value: `'/etc/voxpupuli/webhook.yml'` +##### `blocked_branches` + +Data type: `Array[String[1]]` + +array of branches that the webhook will not deploy + +Default value: `[]` + ##### `chatops` Data type: `R10k::Webhook::Config::ChatOps` 
@@ -691,14 +700,15 @@ Default value: ```puppet { - command_path => '/opt/puppetlabs/puppet/bin/r10k', - config_path => '/etc/puppetlabs/r10k/r10k.yaml', - default_branch => 'production', - prefix => undef, - allow_uppercase => false, - verbose => true, - deploy_modules => true, - generate_types => true, + command_path => '/opt/puppetlabs/puppet/bin/r10k', + config_path => '/etc/puppetlabs/r10k/r10k.yaml', + default_branch => 'production', + prefix => undef, + allow_uppercase => false, + verbose => true, + deploy_modules => true, + generate_types => true, + blocked_branches => $blocked_branches, } ``` @@ -771,14 +781,15 @@ Alias of ```puppet Struct[{ - command_path => Optional[Stdlib::Absolutepath], - config_path => Optional[Stdlib::Absolutepath], - default_branch => Optional[String[1]], - prefix => Optional[String[1]], - allow_uppercase => Optional[Boolean], - verbose => Optional[Boolean], - deploy_modules => Optional[Boolean], - generate_types => Optional[Boolean], + command_path => Optional[Stdlib::Absolutepath], + config_path => Optional[Stdlib::Absolutepath], + default_branch => Optional[String[1]], + prefix => Optional[String[1]], + allow_uppercase => Optional[Boolean], + verbose => Optional[Boolean], + deploy_modules => Optional[Boolean], + generate_types => Optional[Boolean], + blocked_branches => Optional[Array[String[1]]], }] ``` diff --git a/manifests/webhook.pp b/manifests/webhook.pp index a3c9788a..9ce5adba 100644 --- a/manifests/webhook.pp +++ b/manifests/webhook.pp @@ -9,6 +9,7 @@ # @param service_enabled # @param config_ensure # @param config_path +# @param blocked_branches array of branches that the webhook will not deploy # @param chatops # @param tls # @param queue @@ -28,6 +29,7 @@ Boolean $service_enabled = true, String $config_ensure = 'file', String $config_path = '/etc/voxpupuli/webhook.yml', + Array[String[1]] $blocked_branches = [], R10k::Webhook::Config::ChatOps $chatops = { enabled => false, service => undef, 
@@ -55,14 +57,15 @@ queue => $queue, }, R10k::Webhook::Config::R10k $r10k = { - command_path => '/opt/puppetlabs/puppet/bin/r10k', - config_path => '/etc/puppetlabs/r10k/r10k.yaml', - default_branch => 'production', - prefix => undef, - allow_uppercase => false, - verbose => true, - deploy_modules => true, - generate_types => true, + command_path => '/opt/puppetlabs/puppet/bin/r10k', + config_path => '/etc/puppetlabs/r10k/r10k.yaml', + default_branch => 'production', + prefix => undef, + allow_uppercase => false, + verbose => true, + deploy_modules => true, + generate_types => true, + blocked_branches => $blocked_branches, }, R10k::Webhook::Config $config = { server => $server, diff --git a/manifests/webhook/service.pp b/manifests/webhook/service.pp index ef8fc58e..a58e6b02 100644 --- a/manifests/webhook/service.pp +++ b/manifests/webhook/service.pp @@ -6,10 +6,14 @@ ensure => $r10k::webhook::service_ensure, enable => $r10k::webhook::service_enabled, } - if $r10k::webhook::service_user { - systemd::dropin_file { 'user.conf': - unit => 'webhook-go.service', - content => "[Service]\nUser=${r10k::webhook::service_user}\n", - } + $dropin_ensure = if $r10k::webhook::service_user and $r10k::webhook::service_ensure { + 'present' + } else { + 'absent' + } + systemd::dropin_file { 'user.conf': + ensure => $dropin_ensure, + unit => 'webhook-go.service', + content => "[Service]\nUser=${r10k::webhook::service_user}\n", } } diff --git a/spec/acceptance/r10k_webhook_spec.rb b/spec/acceptance/r10k_webhook_spec.rb index 8ca1ba94..dd216037 100644 --- a/spec/acceptance/r10k_webhook_spec.rb +++ b/spec/acceptance/r10k_webhook_spec.rb @@ -54,8 +54,8 @@ class { 'r10k': } end end - describe package('webhook-go') do - it { is_expected.to be_installed } + describe command('systemctl cat webhook-go') do + its(:stdout) { is_expected.to match(%r{User=puppet}) } end describe file('/etc/voxpupuli/webhook.yml') do 
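Review bot: `blocked_branches => $blocked_branches` exists only inside the default value of `$r10k`, so a caller who passes their own `r10k` hash (say, to change `command_path`) replaces that default and the class-level `blocked_branches` parameter added earlier in this patch is silently dropped. For a setting meant to keep a branch such as `production` from being deployed, that failure stays invisible until the branch deploys. Consider merging it where the config is assembled, e.g. `$_r10k = { 'blocked_branches' => $blocked_branches } + $r10k`, or at least state the limitation in the doc line: `# @param blocked_branches array of branches that the webhook will not deploy; has no effect when $r10k is overridden`. The parameter list starts and ends outside this hunk, and how `$config` is consumed is not visible here.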
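Review bot: In manifests/webhook/service.pp nothing next to `systemd::dropin_file { 'user.conf': }` says why it is now declared unconditionally, so a later reader could easily fold it back into an `if`. A short comment above `$dropin_ensure` would help, e.g. `# always manage user.conf so a previously set service_user is removed and the unit's own User= applies again`. Note also that `content` still interpolates `service_user` on the `absent` path, where it renders as `User=` followed by nothing; that is harmless only because the file is being removed. The class body begins above the hunk.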
@@ -65,6 +65,19 @@ class { 'r10k': } expect(subject).to be_grouped_into 'root' end end + end + + context 'with blocked_branches' do + it_behaves_like 'an idempotent resource' do + let(:manifest) do + <<-PUPPET + class { 'r10k': } + -> class { 'r10k::webhook': + blocked_branches => ['production'], + } + PUPPET + end + end describe service('webhook-go') do it { is_expected.to be_enabled } @@ -72,7 +85,16 @@ class { 'r10k': } end describe command('systemctl cat webhook-go') do - its(:stdout) { is_expected.to match(%r{User=puppet}) } + its(:stdout) { is_expected.not_to match(%r{User=puppet}) } + end + + describe file('/etc/voxpupuli/webhook.yml') do + it 'exists and has content' do + expect(subject).to exist + expect(subject).to be_owned_by 'root' + expect(subject).to be_grouped_into 'root' + expect(subject).to contain "---\nserver:\n protected: true\n user: puppet\n password: puppet\n blocked_branches: ['production']\n" + end end end end diff --git a/types/webhook/config/r10k.pp b/types/webhook/config/r10k.pp index 7102ae83..a68b3c16 100644 --- a/types/webhook/config/r10k.pp +++ b/types/webhook/config/r10k.pp @@ -1,11 +1,12 @@ # @summary webhook config r10k type type R10k::Webhook::Config::R10k = Struct[{ - command_path => Optional[Stdlib::Absolutepath], - config_path => Optional[Stdlib::Absolutepath], - default_branch => Optional[String[1]], - prefix => Optional[String[1]], - allow_uppercase => Optional[Boolean], - verbose => Optional[Boolean], - deploy_modules => Optional[Boolean], - generate_types => Optional[Boolean], + command_path => Optional[Stdlib::Absolutepath], + config_path => Optional[Stdlib::Absolutepath], + default_branch => Optional[String[1]], + prefix => Optional[String[1]], + allow_uppercase => Optional[Boolean], + verbose => Optional[Boolean], + deploy_modules => Optional[Boolean], + generate_types => Optional[Boolean], + blocked_branches => Optional[Array[String[1]]], }] From cd0db3d4e5892f7dd25a3c7945b9085831918c02 Mon Sep 17 00:00:00 2001 
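Review bot: The expected string in the new `exists and has content` example puts `blocked_branches: ['production']` directly after the `server:` keys, whereas the manifest change in this patch adds the key to the `r10k` hash, and a YAML serializer would normally emit a block sequence rather than `['production']`. Unless the config template (not shown) renders it exactly this way, the assertion either fails or, if the `contain` matcher does not treat the embedded `\n` as intended, passes without proving anything. This is the only check that the block list actually reaches `webhook.yml`, so it is worth asserting on the parsed file instead, e.g. `expect(subject.content_as_yaml.dig('r10k', 'blocked_branches')).to eq ['production']`, assuming the key lands under `r10k`.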
From: Hugo Haakseth
Date: Mon, 21 Jul 2025 10:58:19 +0200
Subject: [PATCH 2/2] Rebase and fix service_user issues
---
 manifests/webhook/service.pp | 2 +-
 spec/classes/webhook_spec.rb | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/manifests/webhook/service.pp b/manifests/webhook/service.pp
index a58e6b02..1c089dad 100644
--- a/manifests/webhook/service.pp
+++ b/manifests/webhook/service.pp
@@ -6,7 +6,7 @@
 ensure => $r10k::webhook::service_ensure,
 enable => $r10k::webhook::service_enabled,
 }
- $dropin_ensure = if $r10k::webhook::service_user and $r10k::webhook::service_ensure {
+ $dropin_ensure = if $r10k::webhook::service_user {
 'present'
 } else {
 'absent'
diff --git a/spec/classes/webhook_spec.rb b/spec/classes/webhook_spec.rb
index a15d62ad..22bc1a23 100644
--- a/spec/classes/webhook_spec.rb
+++ b/spec/classes/webhook_spec.rb
@@ -107,7 +107,7 @@
 it { is_expected.to contain_class('r10k::webhook::config') }
 it { is_expected.to contain_package('webhook-go').with_ensure('present') }
 it { is_expected.to contain_service('webhook-go.service').with_ensure('running') }
- it { is_expected.not_to contain_systemd__dropin_file('user.conf') }
+ it { is_expected.to contain_systemd__dropin_file('user.conf').with_ensure('absent') }
 it { is_expected.to contain_file('webhook.yml').with_content(content) }
 if os_facts[:os]['family'] == 'RedHat'
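Review bot: The rewritten condition `if $r10k::webhook::service_user` in manifests/webhook/service.pp treats an empty string as true, because every string is truthy in Puppet 4 and later, so `service_user => ''` would give `ensure => 'present'` and a drop-in containing a bare `User=` line. Whether that can happen depends on the parameter's type, which is declared outside this hunk; if it is a plain `Optional[String]`, tighten it to `Optional[String[1]]` or test the value explicitly with `$dropin_ensure = if $r10k::webhook::service_user =~ String[1] {`. A bare `User=` would presumably leave the service on the unit's default account rather than the one the operator intended, which matters for a daemon that runs deployments on request. The class body begins above the hunk.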