webhook: Make service user configureable

Author: bastelfreak

README.md

@@ -585,7 +585,14 @@ class { 'r10k::webhook':
 
 ### Ignore deploying some environments
 
-Webhook Go does not support this yet, but will in the future.
+Since [2.10.0](https://github.com/voxpupuli/webhook-go/releases/tag/v2.10.0) the webhook has support for ignoring certain branches.
+This is not yet configureable via the puppet module.
+
+### configuring the webservice/deploy user
+
+For historic reasons, webhook-go runs as root and executes r10k with the same user.
+Via `r10k::webhook::service_user` you can change the user.
+With the 15.0.0 release the default will switch from root to puppet.
 
 ## Reference
 

REFERENCE.md

@@ -525,6 +525,7 @@ install and configure the webhook-go package as local webhook receiver to trigge
 
 The following parameters are available in the `r10k::webhook` class:
 
+* [`service_user`](#-r10k--webhook--service_user)
 * [`install_method`](#-r10k--webhook--install_method)
 * [`ensure`](#-r10k--webhook--ensure)
 * [`version`](#-r10k--webhook--version)
@@ -539,6 +540,14 @@ The following parameters are available in the `r10k::webhook` class:
 * [`r10k`](#-r10k--webhook--r10k)
 * [`config`](#-r10k--webhook--config)
 
+##### <a name="-r10k--webhook--service_user"></a>`service_user`
+
+Data type: `Optional`
+
+the user that should run the service
+
+Default value: `undef`
+
 ##### <a name="-r10k--webhook--install_method"></a>`install_method`
 
 Data type: `Enum['package', 'repo', 'none']`

manifests/webhook.pp

@@ -1,5 +1,6 @@
 # @summary install and configure the webhook-go package as local webhook receiver to trigger r10k runs
 #
+# @param service_user the user that should run the service
 # @param install_method
 #   how the package should be installed
 # @param ensure
@@ -16,6 +17,7 @@
 # @param config
 #
 class r10k::webhook (
+  Optional $service_user = undef,
   Enum['package', 'repo', 'none'] $install_method = 'package',
   Boolean $ensure = false,
   String[1] $version = '2.10.0',

manifests/webhook/config.pp

@@ -7,5 +7,8 @@
     ensure  => $r10k::webhook::config_ensure,
     path    => $r10k::webhook::config_path,
     content => stdlib::to_yaml($r10k::webhook::config),
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0644',
   }
 }

manifests/webhook/service.pp

@@ -2,8 +2,14 @@
 #
 #
 class r10k::webhook::service () {
-  service { 'webhook-go':
+  service { 'webhook-go.service':
     ensure => $r10k::webhook::service_ensure,
     enable => $r10k::webhook::service_enabled,
   }
+  if $r10k::webhook::service_user {
+    systemd::dropin_file { 'user.conf':
+      unit    => 'webhook-go.service',
+      content => "[Service]\nUser=${r10k::webhook::service_user}\n",
+    }
+  }
 }

spec/acceptance/r10k_webhook_spec.rb

@@ -35,4 +35,44 @@ class { 'r10k': }
       its(:stdout) { is_expected.to match(%r{webhook-go}) }
     end
   end
+
+  context 'with service_user = puppet' do
+    it_behaves_like 'an idempotent resource' do
+      let(:manifest) do
+        <<-PUPPET
+        user { 'puppet':
+          ensure => 'present',
+        }
+        -> group { 'puppet':
+          ensure => 'present',
+        }
+        -> class { 'r10k': }
+        -> class { 'r10k::webhook':
+          service_user => 'puppet',
+        }
+        PUPPET
+      end
+    end
+
+    describe package('webhook-go') do
+      it { is_expected.to be_installed }
+    end
+
+    describe file('/etc/voxpupuli/webhook.yml') do
+      it 'exists' do
+        expect(subject).to exist
+        expect(subject).to be_owned_by 'root'
+        expect(subject).to be_grouped_into 'root'
+      end
+    end
+
+    describe service('webhook-go') do
+      it { is_expected.to be_enabled }
+      it { is_expected.to be_running }
+    end
+
+    describe command('systemctl cat webhook-go') do
+      its(:stdout) { is_expected.to match(%r{User=puppet}) }
+    end
+  end
 end

spec/classes/webhook_spec.rb

@@ -18,7 +18,7 @@
           it { is_expected.to contain_class('r10k::webhook::service') }
           it { is_expected.to contain_class('r10k::webhook::config') }
           it { is_expected.to contain_package('webhook-go').with_ensure('present') }
-          it { is_expected.to contain_service('webhook-go').with_ensure('running') }
+          it { is_expected.to contain_service('webhook-go.service').with_ensure('running') }
         end
       end
 
@@ -106,7 +106,8 @@
             it { is_expected.to contain_class('r10k::webhook::service') }
             it { is_expected.to contain_class('r10k::webhook::config') }
             it { is_expected.to contain_package('webhook-go').with_ensure('present') }
-            it { is_expected.to contain_service('webhook-go').with_ensure('running') }
+            it { is_expected.to contain_service('webhook-go.service').with_ensure('running') }
+            it { is_expected.not_to contain_systemd__dropin_file('user.conf') }
             it { is_expected.to contain_file('webhook.yml').with_content(content) }
 
             if os_facts[:os]['family'] == 'RedHat'
@@ -126,6 +127,18 @@
 
           it { is_expected.to compile.with_all_deps }
         end
+
+        context 'with service_user = puppet' do
+          let :params do
+            super().merge({ service_user: 'puppet' })
+          end
+
+          if %w[archlinux-rolling-x86_64 archlinux-6-x86_64 gentoo-2-x86_64].include?(os)
+            it { is_expected.not_to compile }
+          else
+            it { is_expected.to contain_systemd__dropin_file('user.conf').with_content("[Service]\nUser=puppet\n") }
+          end
+        end
       end
     end
   end