I’ve revisited the way that we at ResNet deploy our web applications to web servers. We decided to store the application code in a Git repository. As part of our release process, we create a tag in Gitlab.
Rather than check the code out manually, we are using a Forge module called puppetlabs/vcsrepo to clone a tagged release and deploy it. Our app repos do not permit anonymous cloning, so the Puppet deployment mechanism must be able to authenticate. I found the documentation for puppetlabs/vcsrepo to be a bit lacking and had to spend a while figuring out what to do to make it work properly.
I recommend you generate a separate SSH key for each app you want to deploy. I generated my key with ssh-keygen and added it to Gitlab as a deploy key, which has read-only access to the repo – no need to make a phantom user.
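The key-generation step described above, as an added example that is not part of the original post: it creates one passphrase-less RSA key pair per app (Puppet runs git unattended, so nobody can type a passphrase) and checks the pair before it is copied into the Puppet module. The function names, the output directory, the key size and the key comment are assumptions; the `id_rsa` / `id_rsa.pub` file names follow the manifest in this post.

```shell
#!/bin/sh
# Added example, not the post's own code. Function names, key size and the
# comment format are assumptions; file names match the Puppet manifest.

# gen_deploy_key APP DIR: create DIR/id_rsa and DIR/id_rsa.pub for one app.
gen_deploy_key() {
    app=$1 dir=$2
    [ -n "$app" ] && [ -n "$dir" ] || return 2
    # Never overwrite: a regenerated key no longer matches the deploy key
    # registered on the Git server, and the next Puppet run fails to clone.
    [ ! -e "$dir/id_rsa" ] || { echo "refusing to overwrite $dir/id_rsa" >&2; return 1; }
    (
        umask 077   # directory and private key are created owner-only
        mkdir -p "$dir" &&
        ssh-keygen -q -t rsa -b 3072 -N '' -C "deploy-key:$app" -f "$dir/id_rsa"
    )
}

# check_deploy_key DIR: succeed only if the pair is fit to ship via Puppet.
check_deploy_key() {
    dir=$1
    key=$dir/id_rsa pub=$dir/id_rsa.pub
    [ -f "$key" ] && [ -f "$pub" ] || { echo "missing key file in $dir" >&2; return 1; }
    # The private key must be exactly mode 0600, as in the file resource.
    [ -n "$(find "$key" -prune -perm 600)" ] || { echo "$key is not mode 0600" >&2; return 1; }
    # Re-derive the public key with an empty passphrase. This fails instead
    # of prompting if the key is passphrase-protected.
    derived=$(ssh-keygen -y -P '' -f "$key" 2>/dev/null) ||
        { echo "$key is unreadable or passphrase-protected" >&2; return 1; }
    # Compare key type and base64 body only; the trailing comment may differ.
    want=$(cut -d' ' -f1,2 "$pub")
    got=$(printf '%s\n' "$derived" | cut -d' ' -f1,2)
    [ "$want" = "$got" ] || { echo "$pub does not belong to $key" >&2; return 1; }
}

# Usage (paths are hypothetical):
#   gen_deploy_key app ./keys/app && check_deploy_key ./keys/app
```

The contents of `id_rsa.pub` are what gets pasted into the repo's deploy key settings; `id_rsa` is the file served from the Puppet module.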
Here’s a worked example with some extra detail about how to deploy an app from git:
```puppet
# Define docroot
$docroot = '/var/www/app'

# Deploy SSH key to authenticate git
file { '/etc/pki/id_rsa':
  source => 'puppet:///modules/app/id_rsa',
  owner  => 'root',
  group  => 'root',
  mode   => '0600',
}
file { '/etc/pki/id_rsa.pub':
  source => 'puppet:///modules/app/id_rsa.pub',
  owner  => 'root',
  group  => 'root',
  mode   => '0644',
}

# Clone the app from git
vcsrepo { 'app':
  ensure   => present,
  path     => $docroot,
  provider => git,
  source   => 'git@gitlab.resnet.bris.ac.uk:resnet/app.git',
  identity => '/etc/pki/id_rsa', # Must be the private key file deployed above
  revision => '14.0.01',
  owner    => 'apache', # User the local clone will be created as
  group    => 'apache',
  require  => File['/etc/pki/id_rsa', '/etc/pki/id_rsa.pub'],
}

# Configure Apache vhost
apache::vhost { 'app':
  servername    => 'app.resnet.bris.ac.uk',
  docroot       => $docroot,
  require       => Vcsrepo['app'],
  docroot_owner => 'apache', # Must be the same as 'owner' above
  docroot_group => 'apache',
  ...
}
```
To deploy a new version of the app, you just need to create a new tagged release of the app in Git and update the revision parameter in your Puppet code. This also gives you easy rollback if you deploy a broken version of your app. But you’d never do that, right? 😉