Add convert plan; replaces upgrade_trusted_facts

TODO: test/fix

The convert plan serves to upgrade peadm deployments created using 0.5.x
of the module, as well as to adopt manually deployed PE infrastructure
for management with peadm.

Author: reidmv

documentation/convert.md

@@ -0,0 +1,26 @@
+# Convert infrastructure for use with the peadm module
+
+The peadm::convert plan can be used to adopt manually deployed infrastructure for use with peadm, or to adopt infrastructure deployed with a version of peadm older than 1.0.0.
+
+## Convert an Existing Deployment
+
+Prepare to run the plan against all servers in the PE infrastructure, using a params.json file such as this one:
+
+```json
+{
+  "master_host": "pe-xl-core-0.lab1.puppet.vm",
+  "master_replica_host": "pe-xl-core-1.lab1.puppet.vm",
+  "compiler_hosts": [
+    "pe-xl-compiler-0.lab1.puppet.vm",
+    "pe-xl-compiler-1.lab1.puppet.vm"
+  ],
+
+  "compiler_pool_address": "puppet.lab1.puppet.vm",
+}
+```
+
+See the [provision](provision.md#reference-architectures) documentation for a list of supported architectures. Note that for convert, *all infrastructure being converted must already be functional*; you cannot use convert to add new systems to the infrastructure, nor can you use it to change your architecture.
+
+```
+bolt plan run peadm::convert --params @params.json 
+```

documentation/old_versions_of_peadm.md

@@ -0,0 +1,16 @@
+class peadm::setup::node_manager_yaml (
+  String $master_host,
+) {
+
+  # Necessary to give the sandboxed Puppet executor the configuration
+  # necessary to connect to the classifier`
+  file { 'node_manager.yaml':
+    ensure  => file,
+    mode    => '0644',
+    path    => Deferred('peadm::node_manager_yaml_location'),
+    content => epp('peadm/node_manager.yaml.epp', {
+      server => $master_host,
+    }),
+  }
+
+}

manifests/setup/node_manager_yaml.pp

@@ -56,37 +56,19 @@
 
   # Set up the console node groups to configure the various hosts in their roles
 
-  # Pending resolution of Bolt GH-1244, Target objects and their methods are
-  # not accessible inside apply() blocks. Work around the limitation for now
-  # by using string variables calculated outside the apply block. The
-  # commented-out values should be used once GH-1244 is resolved.
-
-  # WORKAROUND: GH-1244
-  $master_host_string = $master_target.peadm::target_name()
-  $master_replica_host_string = $master_replica_target.peadm::target_name()
-  $puppetdb_database_host_string = $puppetdb_database_target.peadm::target_name()
-  $puppetdb_database_replica_host_string = $puppetdb_database_replica_target.peadm::target_name()
-
   apply($master_target) {
-    # Necessary to give the sandboxed Puppet executor the configuration
-    # necessary to connect to the classifier`
-    file { 'node_manager.yaml':
-      ensure  => file,
-      mode    => '0644',
-      path    => Deferred('peadm::node_manager_yaml_location'),
-      content => epp('peadm/node_manager.yaml.epp', {
-        server => $master_host_string,
-      }),
+    class { 'peadm::setup::node_manager_yaml':
+      master_host => $master_target.peadm::target_name(),
     }
 
     class { 'peadm::setup::node_manager':
       # WORKAROUND: GH-1244
-      master_host                    => $master_host_string, # $master_target.peadm::target_name(),
-      master_replica_host            => $master_replica_host_string, # $master_replica_target.peadm::target_name(),
-      puppetdb_database_host         => $puppetdb_database_host_string, # $puppetdb_database_target.peadm::target_name(),
-      puppetdb_database_replica_host => $puppetdb_database_replica_host_string, # $puppetdb_database_replica_target.peadm::target_name(),
+      master_host                    => $master_target.peadm::target_name(),
+      master_replica_host            => $master_replica_target.peadm::target_name(),
+      puppetdb_database_host         => $puppetdb_database_target.peadm::target_name(),
+      puppetdb_database_replica_host => $puppetdb_database_replica_target.peadm::target_name(),
       compiler_pool_address          => $compiler_pool_address,
-      require                        => File['node_manager.yaml'],
+      require                        => Class['peadm::setup::node_manager_yaml'],
     }
   }
 

plans/action/configure.pp

@@ -0,0 +1,114 @@
+plan peadm::convert (
+  # Standard
+  Peadm::SingleTargetSpec           $master_host,
+  Optional[Peadm::SingleTargetSpec] $master_replica_host = undef,
+
+  # Large
+  Optional[TargetSpec]              $compiler_hosts = undef,
+
+  # Extra Large
+  Optional[Peadm::SingleTargetSpec] $puppetdb_database_host         = undef,
+  Optional[Peadm::SingleTargetSpec] $puppetdb_database_replica_host = undef,
+
+  # Common Configuration
+  Optional[Array[String]]           $dns_alt_names         = undef,
+  Optional[String]                  $compiler_pool_address = undef,
+) {
+  # Convert inputs into targets.
+  $master_target                    = peadm::get_targets($master_host, 1)
+  $master_replica_target            = peadm::get_targets($master_replica_host, 1)
+  $puppetdb_database_replica_target = peadm::get_targets($puppetdb_database_replica_host, 1)
+  $compiler_targets                 = peadm::get_targets($compiler_hosts)
+  $puppetdb_database_target         = peadm::get_targets($puppetdb_database_host, 1)
+
+  # Ensure input valid for a supported architecture
+  $arch = peadm::validate_architecture(
+    $master_host,
+    $master_replica_host,
+    $puppetdb_database_host,
+    $puppetdb_database_replica_host,
+    $compiler_hosts,
+  )
+
+  # Clusters A and B are used to divide PuppetDB availability for compilers
+  if $arch['high-availability'] {
+    $compiler_a_targets = $compiler_targets.filter |$index,$target| { $index % 2 == 0 }
+    $compiler_b_targets = $compiler_targets.filter |$index,$target| { $index % 2 != 0 }
+  }
+  else {
+    $compiler_a_targets = $compiler_targets
+    $compiler_b_targets = []
+  }
+
+  # Modify csr_attributes.yaml and insert the peadm-specific OIDs to identify
+  # each server's role and availability group
+
+  run_plan('peadm::util::add_cert_extensions', $master_target,
+    master_host => $master_target,
+    extensions  => {
+      peadm::oid('peadm_role')               => 'puppet/master',
+      peadm::oid('peadm_availability_group') => 'A',
+    },
+  )
+
+  run_plan('peadm::util::add_cert_extensions', $master_replica_target,
+    master_host => $master_target,
+    extensions  => {
+      peadm::oid('peadm_role')               => 'puppet/master',
+      peadm::oid('peadm_availability_group') => 'B',
+    },
+  )
+
+  run_plan('peadm::util::add_cert_extensions', $puppetdb_database_target,
+    master_host => $master_target,
+    extensions  => {
+      peadm::oid('peadm_role')               => 'puppet/puppetdb-database',
+      peadm::oid('peadm_availability_group') => 'A',
+    },
+  )
+
+  run_plan('peadm::util::add_cert_extensions', $puppetdb_database_replica_target,
+    master_host => $master_target,
+    extensions  => {
+      peadm::oid('peadm_role')               => 'puppet/puppetdb-database',
+      peadm::oid('peadm_availability_group') => 'B',
+    },
+  )
+
+  run_plan('peadm::util::add_cert_extensions', $compiler_a_targets,
+    master_host => $master_target,
+    extensions  => {
+      peadm::oid('peadm_role')               => 'puppet/compiler',
+      peadm::oid('peadm_availability_group') => 'A',
+    },
+  )
+
+  run_plan('peadm::util::add_cert_extensions', $compiler_b_targets,
+    master_host => $master_target,
+    extensions  => {
+      peadm::oid('peadm_role')               => 'puppet/compiler',
+      peadm::oid('peadm_availability_group') => 'B',
+    },
+  )
+
+  # Create the necessary node groups in the console
+
+  apply($master_target) {
+    class { 'peadm::setup::node_manager_yaml':
+      master_host => $master_target.peadm::target_name(),
+    }
+
+    class { 'peadm::setup::node_manager':
+      master_host                    => $master_target.peadm::target_name(),
+      master_replica_host            => $master_replica_target.peadm::target_name(),
+      puppetdb_database_host         => $puppetdb_database_target.peadm::target_name(),
+      puppetdb_database_replica_host => $puppetdb_database_replica_target.peadm::target_name(),
+      compiler_pool_address          => $compiler_pool_address,
+      require                        => Class['peadm::setup::node_manager_yaml'],
+    }
+  }
+
+  # TODO: consider extending to ensure HA replica is provisioned/enabled
+
+  return("Conversion to peadm Puppet Enterprise ${arch['architecture']} succeeded.")
+}

plans/convert.pp

@@ -58,8 +58,7 @@
     fail_plan(@(HEREDOC/L))
       Required trusted facts are not present; upgrade cannot be completed. If \
       this infrastructure was provisioned with an old version of peadm, you may \
-      need to run the peadm::misc::upgrade_trusted_facts plan against each of the \
-      infrastructure nodes.
+      need to run the peadm::convert plan\
       | HEREDOC
   }
 

plans/upgrade.pp

@@ -1,9 +1,8 @@
-plan peadm::misc::upgrade_trusted_facts (
-  TargetSpec              $targets,
-  Peadm::SingleTargetSpec $master_host,
+plan peadm::util::add_cert_extensions (
+  TargetSpec $targets,
+  TargetSpec $master_host,
+  Hash       $extensions,
 ) {
-
-  # Convert input into array of Targets
   $all_targets   = peadm::get_targets($targets)
   $master_target = peadm::get_targets($master_host, 1)
 
@@ -35,15 +34,12 @@
   $all_targets.map |$target| {
 
     # This will be the new trusted fact data for this node
-    $new_trusted = $certdata[$target]['extensions'] + {
-      peadm::oid('peadm_role') => $certdata[$target]['extensions'][peadm::oid('pp_application')],
-      peadm::oid('peadm_availability_group') => $certdata[$target]['extensions'][peadm::oid('pp_cluster')],
-    }
+    $extension_requests = $certdata[$target]['extensions'] + $extensions
 
     # Make sure the csr_attributes.yaml file on the node matches
-    run_plan('peadm::util::insert_csr_extensions', $target,
-      extensions => $new_trusted,
-      merge      => false,
+    run_plan('peadm::util::insert_csr_extension_requests', $target,
+      extension_requests => $extension_requests,
+      merge              => false,
     )
 
     # Everything starts the same; we always revoke the existing cert

plans/misc/upgrade_trusted_facts.pp plans/util/add_cert_extensions.pp

@@ -1,6 +1,6 @@
-plan peadm::util::insert_csr_extensions (
+plan peadm::util::insert_csr_extension_requests (
   TargetSpec $targets,
-  Hash       $extensions,
+  Hash       $extension_requests,
   Boolean    $merge = true,
 ) {
   get_targets($targets).each |$target| {
@@ -15,8 +15,8 @@
     # If we're not merging, only ours will be used; existing requests will be
     # overritten.
     $csr_file_data = $merge ? {
-      true  => $csr_attributes_data.deep_merge({'extension_requests' => $extensions}),
-      false => ($csr_attributes_data + {'extension_requests' => $extensions}),
+      true  => $csr_attributes_data.deep_merge({'extension_requests' => $extension_requests}),
+      false => ($csr_attributes_data + {'extension_requests' => $extension_requests}),
     }
 
     run_task('peadm::mkdir_p_file', $target,