How to Integrate Puppet Master with Git

Pretty much all of us engineers want to manage Puppet code in source control for traceability and manageability. I’m going to write step-by-step documentation on how to do just that, based on this document, this documentation and some other documentation I found by Googling. I had a hard time finding a single document that takes me to the point where Puppet works out of Git source control, so here it is.

Create a Control Repo from the Puppet template

We will create a Git repo based on a template that Puppet offers on GitHub. Here is a picture of how it works.

Getting Puppet Master Ready to Sync

Using ssh-keygen, create a public/private key pair.

First of all, ssh into the Puppet master you installed as root and generate an SSH private/public key pair.

# ssh-keygen -t rsa -b 2048 -C 'code_manager' -f /etc/puppetlabs/puppetserver/ssh/id-control_repo.rsa -q -N ''

It generates 2 files id-control_repo.rsa and id-control_repo.rsa.pub under /etc/puppetlabs/puppetserver/ssh. id-control_repo.rsa is the private key and id-control_repo.rsa.pub is the public key. Let’s print the content of the public key to get the text.

# cat /etc/puppetlabs/puppetserver/ssh/id-control_repo.rsa.pub

Next, make sure that the user pe-puppet, created by the Puppet installation, owns the directory /etc/puppetlabs/puppetserver/ssh. Execute the following command.

# chown -R pe-puppet:pe-puppet /etc/puppetlabs/puppetserver/ssh

Next, make sure that the pe-puppet account has rwx permissions on the SSH key directory.

# chmod 755 /etc/puppetlabs/puppetserver/ssh/
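The key above is created with an empty passphrase (-N ''), so file ownership and mode bits are the only thing protecting it. The following check is an added example, not part of the original post or of Puppet's tooling; the function name audit_deploy_key and its pass/fail rules are assumptions, and it relies on GNU stat and find as shipped on Linux.

```bash
# Audit the deploy-key directory created in the steps above.
# Defaults mirror the path and account used on this page; the function
# name and the rules it enforces are assumptions of this example.
audit_deploy_key() {
    local dir="${1:-/etc/puppetlabs/puppetserver/ssh}"
    local key="${2:-$dir/id-control_repo.rsa}"
    local owner="${3:-pe-puppet}"
    local rc=0
    local mode own extra

    if [ ! -d "$dir" ] || [ ! -f "$key" ]; then
        echo "FAIL: $dir or $key is missing"
        return 2
    fi

    # Directory: owned by the service account, not writable by group/other.
    mode=$(stat -c '%a' "$dir"); own=$(stat -c '%U' "$dir")
    [ "$own" = "$owner" ] || { echo "FAIL: $dir owned by $own, expected $owner"; rc=1; }
    [ $(( 0$mode & 022 )) -eq 0 ] || { echo "FAIL: $dir mode $mode is group/world-writable"; rc=1; }

    # Private key: no passphrase, so nobody but the owner may read or write it.
    mode=$(stat -c '%a' "$key"); own=$(stat -c '%U' "$key")
    [ "$own" = "$owner" ] || { echo "FAIL: $key owned by $own, expected $owner"; rc=1; }
    [ $(( 0$mode & 077 )) -eq 0 ] || { echo "FAIL: $key mode $mode is accessible beyond its owner"; rc=1; }

    # Anything else in the directory that group/other can write is flagged too.
    extra=$(find "$dir" -mindepth 1 ! -type l -perm /022 -print)
    [ -z "$extra" ] || { echo "FAIL: group/world-writable entries: $extra"; rc=1; }

    if [ "$rc" -eq 0 ]; then echo "OK: $key is private to $owner"; fi
    return "$rc"
}
```

Run audit_deploy_key with no arguments as root on the Puppet master after the chown and chmod steps; it returns 0 when the layout is sound, 1 on a permission or ownership problem, and 2 when the directory or key is missing.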

Getting a Git repo Ready

Puppet master (optionally) needs a Git repo to pull code from. In this example, I will use GitLab as my source. This process does not need to be performed on Puppet master. Please skip this section if you already have access to a GitLab (or other Git) repository.

SSH Key to GitLab

  1. Open your terminal or console.
  2. Generate an SSH key.
    $ ssh-keygen -t ed25519
  3. Print the public key on your console.
    $ cat ~/.ssh/id_ed25519.pub
  4. Navigate to gitlab.com on your browser.
  5. Click on the icon at the upper right corner of the screen and select Settings.
  6. Click SSH Keys from the menu on the left.
  7. Copy the public key printed on the terminal in step 3, paste it into the Key textarea and click the Add key button.
  8. Now you are ready to access GitLab.

Create a New Repo on GitLab

In this section, we will create a repo on GitLab where Puppet master pulls code from. The source control does not have to be GitLab. Any Git server will do as long as your Puppet master can reach it.

  1. Navigate to gitlab.com on your browser and log in.
  2. Click the New Project button.
  3. Enter control-repo in Project name (or whatever you like). Keep the project private if you don’t want to expose the code, but I am making this one public because this is just an example and I would like to share the code with the public later on. Click the Create project button.

Cloning control-repo from GitHub to GitLab

Puppet provides us with a template source on GitHub, so we will copy that repo to our own repo on GitLab. The following process can be done from your desktop. As long as you create a copied repo on GitLab, our mission is accomplished in this section.

  1. Open your terminal and navigate to the directory where you want to store the code. (e.g. C:\Windows\Users\[myaccount]\Dev)
  2. Clone the source repo from GitHub.
    $ git clone git@github.com:puppetlabs/control-repo.git
  3. We don’t want to push any changes to GitHub, so from inside the cloned control-repo directory we will remove the origin.
    $ git remote remove origin
  4. Add the URL to the GitLab repo we created in the previous section. Please change the URL accordingly.
    $ git remote add origin git@gitlab.com:hiriumi/control-repo.git
  5. Push the code to the GitLab repo.
    $ git push --set-upstream origin production
  6. Optionally, you can check the URL of the remote by executing the following command.
    $ git remote get-url origin
  7. When you open the GitLab UI, you can see that the production branch was created automatically because the original repo has a production branch. All code must be pushed to the production branch for it to take effect.

Configure Puppet Master

Now we need to tell Puppet master where to pull the source code from. We will do this from the UI.

  1. Log in to https://puppet (or wherever your Puppet is installed).
  2. Click Classification on the menu.
  3. Expand PE Infrastructure and click PE Master.
  4. Click the Configuration tab.
  5. Navigate to Class:puppet_enterprise::profile::master and select r10k_remote from the dropdown list. Paste the SSH URL for the GitLab repo configured in the previous section. Click Add parameter.
  6. From the same dropdown list under Class:puppet_enterprise::profile::master, select r10k_private_key and enter /etc/puppetlabs/puppetserver/ssh/id-control_repo.rsa.
  7. From the same dropdown list, select code_manager_auto_configure and set the value to true. Click the Commit 3 changes button at the lower right corner of the screen.
  8. Let’s test the configuration by executing the following command.
    # puppet agent -t
  9. You will see an output like the following.
  10. Log in to get a token to execute puppet-code.
    # puppet-access login --lifetime 2h
    This means the token to execute puppet-code will last for 2 hours.
  11. Next, deploy the environment with puppet-code.
    # puppet-code deploy production
  12. The command above should show an output like this.

  13. Execute puppet agent -t again.
  14. All the code pulled from the source control can be located at /etc/puppetlabs/code/environments.

Recap

This document explained how to copy the existing template repo and apply it to your own environment. Puppet can now talk to the Git server. However, we still need to understand how to create groups and different environments for testing. I will talk more about it in my blog later.

Author: admin

A software engineer in greater Seattle area

6 thoughts on “How to Integrate Puppet Master with Git”

  1. Hello Hayato,
    Was looking for a documentation that explains the puppet and git integration. Thanks for publishing this one. However, I don't see the production code being deployed to the master. Have followed the documentation as is and something seems to be missing. Below is what I get but I don't see the production branch files getting replicated over to the master.
    root@pmenon531c:~# puppet-code deploy production
    Found 1 environments.
    [
      {
        "environment": "production",
        "id": 1,
        "status": "queued"
      }
    ]

  2. Hi, Pradeep.

    I have been away from dealing with Puppet for a while, but as far as I remember, you should have a production branch in your Git and Puppet syncs the code with the production branch. And if you have a different environment, you would create a different branch for it.

    Why don’t you try to change branch to production in your terminal?

    $ git checkout production

    Make some changes to production branch, stage, push, commit and push the change to the server side and see what happens there.

  3. I was searching in Google all the time for how Puppet and GitLab are connected or how any integration is connected for it. I did not find much information anywhere, as you said. Now I understand by reading your article. Thanks for sharing your knowledge.

  4. Hi Hayato,

    One of my clients uses GitHub for code dev and merges the code using an API into the application prod server. They use a Puppet server build automation system which scans the app prod server every 5 minutes, and if the server is not configured exactly as is defined in the configuration files, then the existing server will be destroyed and replaced by a new server. My question is how to see the configuration of the Puppet administrator: which user can build / modify / delete these settings? Which screenshot or path shall I seek from my client to check this?
