Customize Code Manager configuration in Hiera
Set parameters in Hiera to customize your Code Manager configuration.
- In your control repo, open the
data/common.yaml
file. - Add parameters to the
puppet_enterprise::master::code_manager
class. Use the following format:puppet_enterprise::master::code_manager::<PARAMETER>: <SETTING>
For example, these parameters increase the size of the default worker pool and reduce the maximum time allowed to deploy a single environment:puppet_enterprise::master::code_manager::deploy_pool_size: 4 puppet_enterprise::master::code_manager::timeouts_deploy: 300
Some parameters are described in detail below, along with a list of all Code Manager parameters.
- Run Puppet on the primary server. The
Puppet run updates the Code Manager configuration file.Important: Do not manually edit the Code Manager configuration file. Puppet automatically manages this file, and it overwrites or discards any manual changes you make.
Configuring post-environment hooks
Post-environment hooks can trigger custom actions after deploying an environment.
To configure a list of hooks to run after Code Manager deploys
code to an environment, specify the post_environment_hook
parameter in
Hiera. This parameter accepts an array of hashes with
the url
and use-client-ssl
keys.
url
key specifies an HTTPS URL to send a POST
request to. The request includes a JSON-formatted body
containing information about the environment deployment, such
as:{
"deploy-signature":"482f8d3adc76b5197306c5d4c8aa32aa8315694b",
"file-sync":{
"environment-commit":"6939889b679fdb1449545c44f26aa06174d25c21",
"code-commit":"ce5f7158615759151f77391c7b2b8b497aaebce1"},
"environment":"production",
"id":3,
"status":"complete"
}
The use-client-ssl
key is a Boolean specifying whether to
use the client's SSL configuration for HTTPS connections.
use-client-ssl
is set to false
, which means that when the HTTP client makes a
request, it uses certificates from the Puppet Enterprise Java trust store file, which is located at:
/opt/puppetlabs/server/apps/java/lib/jvm/java/jre/lib/security/cacerts)
Set use-client-ssl
to true
only if the url
destination is a
server that uses the Puppet certificate
authority.
puppet_enterprise::master::code_manager::post_environment_hooks:
- url: 'https://console.example.com:4433/classifier-api/v1/update-classes'
use-client-ssl: true
If you wanted to configure multiple
post-environment hooks, you would add more hashes to the array.Configuring garbage collection
By default, Code Manager retains environment deployments in memory for one hour. You can adjust this by configuring garbage collection.
deploy_ttl
parameter in Hiera. This parameter accepts a string that includes one of the following suffixes:-
d
: Days -
h
: Hours -
m
: Minutes -
s
: Seconds -
ms
: Milliseconds
For example, deploy_ttl: '30d'
configures Code Manager to keep deployments in memory for 30 days.
Similarly, deploy_ttl: '48h'
retains deployments in memory for 48
hours.
The default setting is 1h
(one hour).
deploy-ttl
is less than the combined
values of timeouts_fetch
, timeouts_sync
, and
timeouts_deploy
, then all completed deployments are retained
indefinitely. This could significantly slow Code Manager's
performance over time. Refer to Code Manager parameters for information
about the timeouts_*
parameters.Configuring module deployment scope
By default, Code Manager performs incremental
deployments of module code. You can use the full_deploy
parameter to change the module code deployment scope.
Incremental deploys only sync modules whose definitions (in the environment's Puppetfile) allow their version to "float" (such as Git branches) and modules whose definitions have been added or changed since the environment's last deployment. Incremental deploys do not support SVN modules.
true
:puppet_enterprise::master::code_manager::full_deploy
To re-enable incremental deploys, set the full_deploy
parameter to false
.
Configuring Forge settings
To configure how Code Manager
downloads modules from the Forge, specify the
forge_settings
parameter in Hiera.
forge_settings
parameter accepts a hash that can use
the following keys: -
baseurl
: Indicate where Forge modules are installed from. The default ishttps://forgeapi.puppetlabs.com
. -
authorization_token
: Specify the token for authenticating to a custom Forge server. -
proxy
: Set the proxy for all Forge interactions.
puppet_enterprise::master::code_manager::forge_settings:
baseurl: 'https://private-forge.example'
baseurl
and authorization_token
. You must format authorization_token
as a string prepended with Bearer
, particularly if you use Artifactory as your Forge server. For
example:puppet_enterprise::master::code_manager::forge_settings:
baseurl: 'https://private-forge.example'
authorization_token: 'Bearer <TOKEN>'
proxy
parameter sets a proxy for all Forge interactions. This setting overrides the global
proxy
setting but only for Forge operations (refer to the global proxy
setting for more information). You can set an unauthenticated
proxy or an authenticated proxy with either Basic or Digest authentication. For
example:puppet_enterprise::master::code_manager::forge_settings:
proxy: 'http://proxy.example.com:3128'
proxy
, but you don't
want Forge operations to use a proxy, under the forge_settings
parameter, set proxy
to an empty string.Configuring Git settings
To configure Code Manager to use a private key, a proxy, or
multiple Git source repositories, specify the
git_settings
parameter in Hiera.
git_settings
parameter with the default Code Manager
r10k_private_key
settings. To avoid errors, remove the
r10k_private_key
parameter from the puppet_enterprise::profile::master
class.The git_settings
parameter accepts a hash that can use the private-key
, proxy
, and
repositories
keys.
private-key
The private-key
setting is required, and, if it is
not specified, it gets a default value from the puppet_enterprise::profile::master
class.
private-key
to specify the path to the file containing the
default private key that you want Code Manager to use to
access control repos, for
example:/etc/puppetlabs/puppetserver/ssh/id-control_repo.ed25519
pe-puppet
user must have
read permissions for the private key file, and the SSH key can't require a
password.proxy
proxy
key sets a proxy specifically for Git operations that use an HTTP(S) transport. This
setting overrides the global proxy
setting but only for Git operations (For more information, refer to the
global proxy
setting). You can set an unauthenticated proxy or an
authenticated proxy with either Basic or Digest authentication. For
example:proxy: 'http://proxy.example.com:3128'
To set a proxy for only one specific Git
repository (or when you have multiple control repos), set proxy
within the repositories
key.
If you set a global proxy
, but you don't want Git operations to use a proxy, under the git_settings
parameter, set proxy
to an empty string.
repositories
repositories
key specifies a list of repositories
and their respective private keys or proxies. Use repositories
if:- You need to configure different proxy settings for specific repos, instead of all Git operations.
- You have multiple control repos.Important: If you have multiple control repos, the
sources
setting and therepositories
setting must match.
The repositories
setting accepts an array of hashes that use the
remote
, private-key
, and proxy
keys.
The remote
key specifies the repository to which the
subsequent private-key
or proxy
setting applies. The private-key
and proxy
settings have the same requirements and
functions as described above, except that, when inside repositories
, these settings only apply to a single repository.
repositories
hash specifies unique
private keys for two repos and a unique proxy for a third
repo:repositories:
- remote: "jfkennedy@gitserver.puppetlabs.net:repositories/repo_one.git"
private-key: "/test_keys/jfkennedy"
- remote: "whtaft@gitserver.puppetlabs.net:repositories/repo_two.git"
private-key: "/test_keys/whtaft"
- remote: "https://git.example.com/git_repos/environments.git"
proxy: "https://proxy.example.com:3128"
git_settings
proxy, but you don't want a specific repo to use a proxy,
in the repositories
hash, set that specific repo's
proxy
to an empty string.Configuring proxies
If you need Code Manager to use a proxy connection, use the
proxy
parameter. You can set a global proxy for all
HTTP(S) operations, proxies for Git or Forge operations, or proxies for individual Git repositories.
proxy
parameter depends on how you
want to apply the setting:- To set a proxy for all Code Manager operations
occurring over an HTTP(S) transport, set the global
proxy
setting. - To set proxies only for Git operations or
individual Git repos, set the appropriate
proxy
key under thegit_settings
parameter. - To set a proxy only for Forge operations, set the
proxy
key under theforge_settings
parameter.
proxy: 'http://proxy.example.com:3128'
Whereas
this setting is for a password-authenticated
proxy:proxy: 'http://user:password@proxy.example.com:3128'
Override proxy settings
proxy
setting if you want to:- Set a different proxy setting for Git or Forge operations.
- Specify a different proxy setting for an individual Git repo.
- Specify a mix of proxy and non-proxy connections.
proxy
key under the git_settings
or forge_settings
parameters.To set a proxy for an individual Git repository (or if
you have multiple control repos), set the proxy
key
in the repositories
hash under the git_settings
parameter.
proxy
parameter to
an empty string. For example, if you set a global proxy
, but you don't want Forge
operations to use a proxy, you would specify an empty string under the forge_settings
parameter, such
as:puppet_enterprise::master::code_manager::forge_settings:
proxy: ''
curl --proxy "<YOUR_PROXY_URI>" --head "https://github.com"
curl --proxy "<YOUR_PROXY_URI>" --head "https://forgeapi.puppet.com"
For general information about forming curl commands, authentication in commands, and Windows modifications, go to Using example commands.
Configuring sources
If you are managing multiple control repos with Code Manager, you must use the sources
parameter to specify a map
of your source repositories.
The sources
parameter is necessary when Code Manager is managing multiple control
repos. For example, your Puppet environments
are in one control repo and your Hiera data is
in a separate control repo.
The sources
setting and the
repositories
setting (under git_settings
) must match.
If sources
is set, you can't use Code Manager's global
remote
parameter.
sources
parameter consists of a list of source names along with a
hash containing the remote
and prefix
key for each source. For
example:myorg:
remote: "git://git-server.site/myorg/main-modules"
prefix: true
mysource:
remote: "git://git-server.site/mysource/main-modules"
prefix: "testing"
The remote
parameter specifies the location from which to
fetch the source repo. Code Manager must be
able to fetch the remote without any interactive input. This means fetching the source
can't require inputting a user name or password. You must supply a valid URL, as a
string, that Code Manager can use to clone the
repo, such as: "git://git-server.site/myorg/main-modules"
The prefix
parameter specifies a string to use as a
prefix for the names of environments derived from the specified source. Set this to a
specific string if you want to use a specific prefix, such as "testing"
. Set this to true
to use the
source's name as the prefix. The prefix
parameter
prevents collisions (and confusion) when multiple sources with identical branch names
are deployed into the same directory.
main-modules
environments deployed to the same
base directory:myorg:
remote: "git://git-server.site/myorg/main-modules"
prefix: true
mysource:
remote: "git://git-server.site/mysource/main-modules"
prefix: true
prefix
to "testing"
, the two environments become more distinct, since the directory
would now have a main-modules
environment and a testing-main-modules
environment:myorg:
remote: "git://git-server.site/myorg/main-modules"
prefix: true
mysource:
remote: "git://git-server.site/mysource/main-modules"
prefix: "testing"
Code Manager parameters
Parameter | Description | Type | Default value |
---|---|---|---|
r10k_remote (also referred to as Code Manager's global remote ) |
A valid SSH URL specifying the location of your Git control repository, if you have only one
control repo. If you have multiple Git repos,
specify |
String | If r10k_remote is specified in the puppet_enterprise::profile::master class, that value is used here.
Otherwise, there is no default value. |
authenticate_webhook |
Indicates whether to enable RBAC authentication for the POST /v1/webhook endpoint. | Boolean | true |
cachedir |
The file path to the location where Code Manager caches Git repositories. | String | /opt/puppetlabs/server/data/code-manager/cache |
certname |
The certname of the Puppet signed certs to use for SSL | String or string variable | $::clientcert |
data |
The file path to the directory where Code Manager stores internal file content. | String | /opt/puppetlabs/server/data/code-manager |
deploy_pool_cleanup_interval |
Specifies how often workers pause to clean their on-disk caches. If cleanup takes too long, increase this value so that cleanup happens less often. | Integer indicating a 1 out of n percent chance. |
100 (Cleanup occurs after 1 of every 100
code deployments, or after 1% of code deployments.) |
deploy_pool_size |
Specifies the number of threads in the worker pool, which determines how many deployment processes can run in parallel. | Integer | 2 |
download_pool_size |
Specifies the number of threads used to download modules. | Integer | 4 |
deploy_ttl |
For Configuring garbage collection. | String with a required suffix | 1h |
full_deploy |
For Configuring module deployment scope. | Boolean | false |
hostcrl |
The file path to the SSL CRL. | String or string variable | $puppet_enterprise::params::hostcrl |
localcacert |
The file path to the SSL CA cert. | String or string variable | $puppet_enterprise::params::localcacert |
post_environment_hooks |
For Configuring post-environment hooks, which are hooks that you want to run after Code Manager deploys an environment. | Array of hashes | No default. |
timeouts_deploy |
Maximum execution time (in seconds) allowed for deploying a single environment. | Integer | 600 |
timeouts_fetch |
Maximum execution time (in seconds) allowed for updating the control repo state. | Integer | 30 |
timeouts_hook |
Maximum time (in seconds) to wait for a single post-environment hook URL to respond. Controls both the socket connect timeout and the read timeout; therefore, the longest total timeout is twice the specified value. | Integer | 30 |
timeouts_shutdown |
Maximum time (in seconds) to wait for in-progress deployments to complete when shutting down the service. | Integer | 610 |
timeouts_wait |
Maximum time (in seconds) to wait for the environment's deployment to
finish before timing out. Only applies to requests sent with the
wait key. |
Integer | 700 |
timeouts_sync |
Maximum time (in seconds) to wait for all compilers to receive deployed
code before timing out. Only applies to requests sent with the
wait key. |
Integer | 300 |
webserver_ssl_host |
The IP address of the host that Code Manager listens on. | IP address | 0.0.0.0 |
webserver_ssl_port |
The port that Code Manager listens on.
Important: Port 8170 must be open if you're using Code Manager.
|
Integer | 8170 |
r10k-specific parameters
Parameter | Description | Type | Default value |
---|---|---|---|
environmentdir |
The file path to the single directory where Code Manager deploys all sources. | String | If file_sync_auto_commit is set to
true , then this defaults to:
/etc/puppetlabs/code-staging/environments
|
forge_settings |
For Configuring Forge settings. | Hash | No default. |
invalid_branches |
Specifies how you want Code Manager to handle branch names that can't cleanly map to Puppet environment names. | Either of these strings:
|
'error' |
git_settings |
For Configuring Git settings. | Hash | Can use the default private-key value set in
console. Otherwise, there are no default settings. |
proxy |
For Configuring proxies. Can be global
(all HTTP(s) transports) or part of the git_settings or
forge_settings hashes. |
An empty string or a string indicating a proxy server (with or without authentication) | No default. |
sources |
For Configuring sources when you have multiple control repos. | Hash | No default. |