diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
new file mode 100644
index 0000000000000000000000000000000000000000..6ff5080ee8cd6c003e4299feb4563f47b2d22afc
--- /dev/null
+++ b/.gitlab-ci.yml
@@ -0,0 +1,35 @@
+---
+stages:
+ - pdk_validate
+ - g10k_deploy
+ - send_notification
+
+job_validate:
+ stage: pdk_validate
+ script:
+ - /home/gitlab-runner/bin/git-rev-count.sh ${CI_PROJECT_NAME} ${CI_COMMIT_REF_NAME}
+ - pdk validate puppet --parallel
+ tags:
+ - shared-runner
+
+job_deploy:
+ stage: g10k_deploy
+ when: on_success
+ script:
+ - /home/gitlab-runner/bin/ci2puppet.sh ${CI_PROJECT_NAME} ${CI_COMMIT_REF_NAME}
+ tags:
+ - shared-runner
+
+job_notification:
+ stage: send_notification
+ when: on_failure
+ variables:
+ msg: "*ERROR on Commit ID*: ${CI_COMMIT_SHA}\n*Commit Author*: ${GITLAB_USER_NAME}\n*Commit Title*: ${CI_COMMIT_TITLE}\n*Repository*: ${CI_PROJECT_NAME}\n*Branch*: ${CI_COMMIT_REF_NAME}"
+ script:
+ - echo -e "${msg}" > /home/gitlab-runner/${CI_PROJECT_NAME}_msg.txt
+ - cat /home/gitlab-runner/${CI_PROJECT_NAME}_rev_count_msg.txt >> /home/gitlab-runner/${CI_PROJECT_NAME}_msg.txt
+ - cat /home/gitlab-runner/msg_closure.txt >> /home/gitlab-runner/${CI_PROJECT_NAME}_msg.txt
+ - /usr/local/bin/upload_to_slack.sh /home/gitlab-runner/${CI_PROJECT_NAME}_msg.txt post "Puppet CI Error" "${DEVOPS_CHANNEL}" ${DEVOPSBOT_TOKEN} ERROR
+ - cat /home/gitlab-runner/${CI_PROJECT_NAME}_msg.txt | mail -s "Puppet CI Error on Repository ${CI_PROJECT_NAME}" $RCPT
+ tags:
+ - shared-runner
diff --git a/.puppet-lint.rc b/.puppet-lint.rc
index cc96ece0513d69709b87af611173e2a6e4532f62..6d61fb07e301ed1e9a2f8e0b9904587b1f9053b4 100644
--- a/.puppet-lint.rc
+++ b/.puppet-lint.rc
@@ -1 +1,2 @@
 --relative
+--no-anchor_resource-check
diff --git a/functions/fw_builder.pp b/functions/fw_builder.pp
index c478fc949d3b18a7557eaac8267f1dcaefd55ed2..c6d745cb72bd2ad8d0777735dda7624d14db81e9 100644
--- a/functions/fw_builder.pp
+++ b/functions/fw_builder.pp
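Review bot: In job_notification the Slack token is passed as a positional argument, `upload_to_slack.sh ... "${DEVOPS_CHANNEL}" ${DEVOPSBOT_TOKEN} ERROR`, and the job runs on a shared runner, so for the lifetime of that process the secret is readable by any other process on the host through the process list. Let the script read `DEVOPSBOT_TOKEN` from its environment instead (GitLab already exports CI/CD variables into the job), and mark the variable masked and protected in the project settings so it cannot surface in job output. `$RCPT` on the mail line is unquoted and is not defined anywhere in this file, so an unset value silently gives `mail` no recipient; write it as `"${RCPT}"` and fail early with `: "${RCPT:?RCPT is not set}"` at the top of the script. `msg` interpolates the author-controlled `${CI_COMMIT_TITLE}` and `echo -e` then interprets any backslash escapes it contains; `printf '%s\n' "${msg}"` keeps the text literal (the YAML double-quoted `\n` are already real newlines by the time the shell sees them).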
@@ -24,9 +24,7 @@ function fw_builder::fw_builder() { # define, for latter use # if ($fw_conf['custom_ipset']) { - $ipsets = $fw_conf['custom_ipset'].keys().map |$name| { - # check if key names are valid # $ipset_keys = keys($fw_conf['custom_ipset'][$name]) @@ -50,9 +48,11 @@ function fw_builder::fw_builder() { # getting IPs or FQDNs from 'hieradata' lookup, if 'hieradata' is defined # if ($fw_conf['custom_ipset'][$name]['hieradata']) { - $_hieradata = flatten($fw_conf['custom_ipset'][$name]['hieradata'].map |$hash_name| { - lookup($hash_name, Array, 'deep') - }) + $_hieradata = flatten( + $fw_conf['custom_ipset'][$name]['hieradata'].map |$hash_name| { + lookup($hash_name, Array, 'deep') + } + ) if $_hieradata !~ Fw_builder::List { fail("${_hieradata} types are not IPs, Networks or FQDNs") } $hieradata = fw_builder::parser($_hieradata) } @@ -80,7 +80,7 @@ function fw_builder::fw_builder() { } } else { # we use the same environment of the agent - $env_string = "= '${::environment}'" + $env_string = "= '${facts['agent_specified_environment']}'" } "facts.fqdn ~ '${hash[name]}' and facts.agent_specified_environment ${env_string}" }, @@ -90,7 +90,7 @@ function fw_builder::fw_builder() { # facts.fqdn ~ 'nomad\d+\.geant\.org' and facts.agent_specified_environment = 'test') or (facts.fqdn ~ ... $query = "inventory[facts.hostname, facts.ipaddress, facts.ipaddress6, facts.fqdn] { (${pdb_filter}) order by certname }" $full_list = puppetdb_query($query) - $searchlist = $full_list.map |$hash| { $hash['facts.ipaddress']} + $full_list.map |$hash| { $hash['facts.ipaddress6'] } + $searchlist = $full_list.map |$hash| { $hash['facts.ipaddress'] } + $full_list.map |$hash| { $hash['facts.ipaddress6'] } # an empty list creates an empty fact, it means that the regex is not working # and the firewall setting is ineffective. We better fail here if $searchlist !~ Fw_builder::Iplist { 
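Review bot: The new `$env_string` in the `@@ -80` hunk interpolates `$facts['agent_specified_environment']`, which as far as I know is only populated when the agent names its environment explicitly; on a node whose environment is assigned server-side the fact is undef, the string becomes `= ''`, and the PuppetDB inventory query in the `@@ -90` hunk is then expected to return no rows, which the `Fw_builder::Iplist` check below it is written to reject with a compile failure. The replaced `$::environment` was always set, so this change narrows where the function can run without saying so in the adjacent comment. If the intent is to prefer the agent-specified value and otherwise fall back to the compile environment, use `$env_string = "= '${pick($facts['agent_specified_environment'], $environment)}'"` and update the comment accordingly. fw_builder::fw_builder() starts and ends outside these hunks.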
@@ -116,10 +116,9 @@ function fw_builder::fw_builder() { "fwb_${name}_v6": set => $full_ip_list_sorted.filter |$ip| { $ip =~ Stdlib::IP::Address::V6 }, options => { - 'family' => 'inet6' - } - }; - { $name => $full_ip_list } + 'family' => 'inet6', + }, + }; { $name => $full_ip_list } } } } else { @@ -127,7 +126,7 @@ function fw_builder::fw_builder() { } file { '/etc/facter/facts.d/fw_ipsets.yaml': - content => to_yaml({fw_ipsets => $ipsets}); + content => to_yaml({ fw_ipsets => $ipsets }); } # emit warning if the key is deinfed and it's empty diff --git a/functions/fw_builder_public_ips.pp b/functions/fw_builder_public_ips.pp index fdcab571fd11030881f4171fb07ba561f4e44ec6..53c10a6d0ec94c15ccd2c65ee6d834720f494f4c 100644 --- a/functions/fw_builder_public_ips.pp +++ b/functions/fw_builder_public_ips.pp @@ -27,13 +27,12 @@ function fw_builder::fw_builder_public_ips( # when puppet runs for the first time these facts are not available if $facts_fw_conf =~ Undef or $facts_ipsets =~ Undef { $public_ipsets = [] - # if public is empty it's seen as empty string + # if public is empty it's seen as empty string } elsif $facts_fw_conf['public'] =~ String or $facts_fw_conf['public'] =~ Undef { $public_ipsets = [] } else { # if public is present and contains some value if 'public' in $facts_fw_conf { - $facts_fw_conf_public = $facts_fw_conf['public'] # create a list of lists with all the ipsets in public diff --git a/manifests/chains.pp b/manifests/chains.pp index 8d258d15462ab9fab7cd78c0d4b47402eb8d3a55..8941569fe99313f57c6fadfe30ce37e1d87cc1b8 100644 --- a/manifests/chains.pp +++ b/manifests/chains.pp 
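Review bot: The last added line of the `@@ -116` hunk folds the ipset resource terminator and the map block's return value onto one line, `}; { $name => $full_ip_list }`, which hides that the hash is the value each iteration of the `$ipsets` map contributes (it is later serialised by `to_yaml({ fw_ipsets => $ipsets })` in the `@@ -127` hunk). Keep `};` and `{ $name => $full_ip_list }` on separate lines as they were, so the return value reads as a statement of its own. The enclosing map block and fw_builder::fw_builder() start and end outside this hunk.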
@@ -7,13 +7,19 @@ # # === Parameters # +# [*ipv4_enable*] Boolean +# enable iptables provider +# +# [*ipv6_enable*] Boolean +# enable ip6tables provider +# # === Requires # # === Examples # class fw_builder::chains ( - $ipv4_enable = $fw_builder::params::ipv4_enable, - $ipv6_enable = $fw_builder::params::ipv6_enable + Boolean $ipv4_enable = $fw_builder::params::ipv4_enable, + Boolean $ipv6_enable = $fw_builder::params::ipv6_enable ) { assert_private() @@ -64,7 +70,6 @@ class fw_builder::chains ( ipset => "${trusted_net} src", provider => $provider; } - } if ($ipv4_enable) { diff --git a/manifests/docker.pp b/manifests/docker.pp index 3a585bb314c2ddceccc670930db8ceb463c83e14..756dbcbd4b1eb4b6d3186aa03e47b433d11949a0 100644 --- a/manifests/docker.pp +++ b/manifests/docker.pp 
@@ -36,25 +36,27 @@ class fw_builder::docker { purge => false, } - firewallchain { [ - 'INPUT:nat:IPv4', 'PREROUTING:nat:IPv4', - 'OUTPUT:nat:IPv4', 'PREROUTING:mangle:IPv4', - 'POSTROUTING:mangle:IPv4', 'INPUT:mangle:IPv4', - 'FORWARD:mangle:IPv4', 'OUTPUT:mangle:IPv4', - 'OUTPUT:raw:IPv4', 'PREROUTING:raw:IPv4' + firewallchain { + [ + 'INPUT:nat:IPv4', 'PREROUTING:nat:IPv4', + 'OUTPUT:nat:IPv4', 'PREROUTING:mangle:IPv4', + 'POSTROUTING:mangle:IPv4', 'INPUT:mangle:IPv4', + 'FORWARD:mangle:IPv4', 'OUTPUT:mangle:IPv4', + 'OUTPUT:raw:IPv4', 'PREROUTING:raw:IPv4', ]: - purge => true, - ignore => ['DOCKER', 'cali-', 'KUBE'], + purge => true, + ignore => ['DOCKER', 'cali-', 'KUBE'], } # this is is for kube / cali - firewallchain { [ - 'cali-PREROUTING:mangle:IPv4', 'cali-failsafe-in:mangle:IPv4', - 'cali-from-host-endpoint:mangle:IPv4', 'cali-failsafe-in:raw:IPv4', - 'cali-failsafe-out:raw:IPv4', 'cali-from-host-endpoint:raw:IPv4', - 'cali-to-host-endpoint:raw:IPv4', 'KUBE-SERVICES:filter:IPv4' + firewallchain { + [ + 'cali-PREROUTING:mangle:IPv4', 'cali-failsafe-in:mangle:IPv4', + 'cali-from-host-endpoint:mangle:IPv4', 'cali-failsafe-in:raw:IPv4', + 'cali-failsafe-out:raw:IPv4', 'cali-from-host-endpoint:raw:IPv4', + 'cali-to-host-endpoint:raw:IPv4', 'KUBE-SERVICES:filter:IPv4', ]: - purge => false, + purge => false, } } # vim:ts=2:sw=2 diff --git a/manifests/init.pp b/manifests/init.pp index d1ff11aa5ee3b3595e6d976755d548783bd8815a..bf7216f5dbfb7be92340fead28e21d83002044aa 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -29,6 +29,10 @@ # [*limit*] Variant[Undef, String] # define limit for RST and Dropped connection on post.pp # +# === Requires +# +# === Examples +# # == Authors: # # Pete Pedersen<pete.pedersen@geant.org> 
@@ -36,14 +40,14 @@ # class fw_builder ( Fw_builder::Iplist $trusted_networks, - Boolean $manage_docker = $fw_builder::params::manage_docker, - Boolean $ipv4_enable = $fw_builder::params::ipv4_enable, - Boolean $ipv6_enable = $fw_builder::params::ipv6_enable, - Boolean $logging = $fw_builder::params::logging, - Boolean $purge_rules = $fw_builder::params::purge_rules, - Integer $log_rotation_days = $fw_builder::params::log_rotation_days, - Optional[String] $limit = $fw_builder::params::limit, - $ipset_package_ensure = $fw_builder::params::ipset_package_ensure + Boolean $manage_docker = $fw_builder::params::manage_docker, + Boolean $ipv4_enable = $fw_builder::params::ipv4_enable, + Boolean $ipv6_enable = $fw_builder::params::ipv6_enable, + Boolean $logging = $fw_builder::params::logging, + Boolean $purge_rules = $fw_builder::params::purge_rules, + Integer $log_rotation_days = $fw_builder::params::log_rotation_days, + Optional[String] $limit = $fw_builder::params::limit, + String $ipset_package_ensure = $fw_builder::params::ipset_package_ensure ) inherits fw_builder::params { if ! ($purge_rules) and ($manage_docker) { fail('cannot set purge_rules to false and manage_docker to true') diff --git a/manifests/ipset.pp b/manifests/ipset.pp index 4b04b970c19375fe2a3e30ab09d1fed692870d4c..4dfe0574e100cc0bf7cd8277624bf4cb510d305f 100644 --- a/manifests/ipset.pp +++ b/manifests/ipset.pp @@ -1,9 +1,20 @@ # Class: fw_builder::ipset # +# === Parameters +# +# [*ipv4_enable*] Boolean +# enable iptables provider +# +# [*ipv6_enable*] Boolean +# enable ip6tables provider +# +# === Requires +# +# === Examples # class fw_builder::ipset ( - $ipv4_enable = $fw_builder::params::ipv4_enable, - $ipv6_enable = $fw_builder::params::ipv6_enable + Boolean $ipv4_enable = $fw_builder::params::ipv4_enable, + Boolean $ipv6_enable = $fw_builder::params::ipv6_enable ) { assert_private() 
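Review bot: `String $ipset_package_ensure` in the fw_builder class signature admits any string, including the empty one, so an invalid hieradata value is only rejected when the package resource is applied rather than at catalog compile time, while the neighbouring parameters in this hunk were tightened to `Boolean`/`Integer`/`Optional[String]`. If version pins are expected, `Variant[Enum['present', 'absent', 'installed', 'latest'], Pattern[/\A[0-9]/]] $ipset_package_ensure` documents that; otherwise `String[1]` at least rejects the empty string. The class body continues outside the hunk.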
@@ -22,7 +33,7 @@ class fw_builder::ipset ( class { 'ipset': packages => $packages, package_ensure => $fw_builder::ipset_package_ensure, - firewall_service => $firewall_service + firewall_service => $firewall_service; } if ($ipv4_enable) { @@ -40,7 +51,9 @@ class fw_builder::ipset ( ensure => 'present', type => 'hash:net', set => $trusted_networks_v6, - options => {'family' => 'inet6'} + options => { + 'family' => 'inet6', + }; } } } diff --git a/manifests/logrotate.pp b/manifests/logrotate.pp index 6e6150a4947fa763e9bdb8183803df009a33ce13..56654c58bedd79afa6159c2e31ae6e0715dcbec5 100644 --- a/manifests/logrotate.pp +++ b/manifests/logrotate.pp @@ -1,13 +1,20 @@ # == Class: fw_builder # -# == Authors: +# == Parameter # -# Pete Pedersen<pete.pedersen@geant.org> -# Massimiliano Adamo<massimiliano.adamo@geant.org> +# [*logging*] Boolean +# enable logging +# +# [*log_rotation_days*] Integer +# define log retention in days +# +# === Requires +# +# === Examples # class fw_builder::logrotate ( - $logging = $fw_builder::params::logging, - $log_rotation_days = $fw_builder::params::log_rotation_days + Boolean $logging = $fw_builder::params::logging, + Integer $log_rotation_days = $fw_builder::params::log_rotation_days ) { assert_private() diff --git a/manifests/post.pp b/manifests/post.pp index 6c33915bf2a3ebd75aae93689a5002a97cd4e368..2a07fc18c9bf1e10dbc7c08bab81a3ccc32596f5 100644 --- a/manifests/post.pp +++ b/manifests/post.pp @@ -1,7 +1,16 @@ # == Class: fw_builder::post # +# == Parameter +# +# [*logging*] Boolean +# enable logging +# +# === Requires +# +# === Examples +# class fw_builder::post ( - $logging = $fw_builder::params::logging + Boolean $logging = $fw_builder::params::logging ) { assert_private()
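Review bot: The header added to logrotate.pp uses `# == Parameter` for the parameter section while chains.pp and ipset.pp in the same commit use `# === Parameters`; post.pp in this commit has the same `# == Parameter` heading. Use `# === Parameters` in both so the module's class headers follow one layout. The logrotate.pp header also says `# == Class: fw_builder` although the class declared below it is `fw_builder::logrotate`; correct it to `# == Class: fw_builder::logrotate`.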