(PE-36789) R10k Known hosts upgrade path

Adding optional parameter for r10k known hosts
Alerting user to set known hosts if they are upgrading to or past 2023.3

Author: ragingra

documentation/upgrade.md

@@ -4,13 +4,15 @@ Puppet Enterprise deployments provisioned using the peadm module can also be upg
 
 ## Usage
 
-The `peadm::upgrade` plan requires as input the version of PE to upgrade to, and the names of each PE infrastructure host. Primary, replica, compilers, etc.
+The `peadm::upgrade` plan requires as input the version of PE to upgrade to, and the names of each PE infrastructure host. Primary, replica, compilers, etc. 
 
-The following is an example parameters file for upgrading an Extra Large architecture deployment of PE 2021.0.1 to PE 2021.7.4.
+Please note that when upgrading from before 2023.3 to 2023.3 or above and you are using code manager, it is nessesary to provide known hosts for r10k. r10k_known_hosts is an optional parameter and is only required one time when upgrading to 2023.3 or beyond. Subsequent upgrades will already have this and wont be required again.
+
+The following is an example parameters file for upgrading an Extra Large architecture deployment of PE 2023.2.0 to PE 2023.3.0.
 
 ```json
 {
-  "version": "2021.7.4",
+  "version": "2023.3.0",
   "primary_host": "pe-master-09a40c-0.us-west1-a.c.reidmv-peadm.internal",
   "primary_postgresql_host": "pe-psql-09a40c-0.us-west1-a.c.reidmv-peadm.internal",
   "replica_host": "pe-master-09a40c-1.us-west1-b.c.reidmv-peadm.internal",
@@ -20,6 +22,10 @@ The following is an example parameters file for upgrading an Extra Large archite
     "pe-compiler-09a40c-1.us-west1-b.c.reidmv-peadm.internal",
     "pe-compiler-09a40c-2.us-west1-c.c.reidmv-peadm.internal",
     "pe-compiler-09a40c-3.us-west1-a.c.reidmv-peadm.internal"
+  ],
+  "r10k_known_hosts": [
+     {"name": "remotehostname", "type": "ssh-rsa", "key": "hash"},
+     {"name": "remotehostname2", "type": "ssh-rsa", "key": "hash"}
   ]
 }
 ```
@@ -115,20 +121,20 @@ Note: it is assumed that the Puppet primary is in cluster A when the upgrade sta
 1. Shut down the `pe-puppetdb` service on the compilers in cluster B
 2. If different from the primary (replica), run the `install-puppet-enterprise` script for the new PE version on the PuppetDB PostgreSQL node for cluster B
 3. If different from the primary (replica), Run `puppet agent -t` on the PuppetDB PostgreSQL node for cluster B
-5. Run `puppet agent -t` on the primary to ensure orchestration services are configured and restarted before the next steps
-6. Perform the replica upgrade using `puppet infra upgrade replica` for the primary (replica)
-7. Perform the compiler upgrade using `puppet infra upgrade compiler` for the compilers in cluster B
+4. Run `puppet agent -t` on the primary to ensure orchestration services are configured and restarted before the next steps
+5. Perform the replica upgrade using `puppet infra upgrade replica` for the primary (replica)
+6. Perform the compiler upgrade using `puppet infra upgrade compiler` for the compilers in cluster B
 
 **If Upgrading from 2019.5**
 
 The following steps apply _only_ if upgrading from 2019.5 or older
 
 1. Run `puppet infra run convert_legacy_compiler` for all compilers
 2. Modify the peadm node groups "PE Compiler Group A" and "PE Compiler Group B" as follows:
-    * Re-parent the groups. They should be children of "PE Compiler"
-    * Remove configuration data (Hiera data). Leave the classes and class parameters
-    * Add the rule `trusted.extensions.pp_auth_role = pe_compiler`
-    * Remove the rule `trusted.extensions."1.3.6.1.4.1.34380.1.1.9812" = puppet/compiler`
+   * Re-parent the groups. They should be children of "PE Compiler"
+   * Remove configuration data (Hiera data). Leave the classes and class parameters
+   * Add the rule `trusted.extensions.pp_auth_role = pe_compiler`
+   * Remove the rule `trusted.extensions."1.3.6.1.4.1.34380.1.1.9812" = puppet/compiler`
 
 **Phase 4: resume puppet service**
 

examples/upgrade.json

@@ -0,0 +1,17 @@
+{
+    "version": "2023.3.0",
+    "primary_host": "pe-master-09a40c-0.us-west1-a.c.reidmv-peadm.internal",
+    "primary_postgresql_host": "pe-psql-09a40c-0.us-west1-a.c.reidmv-peadm.internal",
+    "replica_host": "pe-master-09a40c-1.us-west1-b.c.reidmv-peadm.internal",
+    "replica_postgresql_host": "pe-psql-09a40c-1.us-west1-b.c.reidmv-peadm.internal",
+    "compiler_hosts": [
+        "pe-compiler-09a40c-0.us-west1-a.c.reidmv-peadm.internal",
+        "pe-compiler-09a40c-1.us-west1-b.c.reidmv-peadm.internal",
+        "pe-compiler-09a40c-2.us-west1-c.c.reidmv-peadm.internal",
+        "pe-compiler-09a40c-3.us-west1-a.c.reidmv-peadm.internal"
+    ],
+    "r10k_known_hosts": [
+        {"name": "remotehostname", "type": "ssh-rsa", "key": "hash"},
+        {"name": "remotehostname2", "type": "ssh-rsa", "key": "hash"}
+    ]
+}

functions/check_version_and_known_hosts.pp

@@ -0,0 +1,25 @@
+# @summary Checks PE verison and warns about setting r10k_known_hosts
+# Checks if the current PE version is less than 2023.3.0 and the target version is greater than or equal to 2023.3.0
+# If both conditions are true and the r10k_known_hosts parameter is not defined, a warning message is displayed.
+# @param $current_version [String] The current PE version
+# @param $target_version [String] The target PE version
+# @param $r10k_known_hosts [Optional[Peadm::Known_hosts]] The r10k_known_hosts parameter
+function peadm::check_version_and_known_hosts(
+  String $current_version,
+  String $target_version,
+  Optional[Peadm::Known_hosts]      $r10k_known_hosts         = undef,
+) {
+  $version = '2023.3.0'
+  $current_check = SemVer($current_version) < SemVer($version)
+  $target_check = SemVer($target_version) >= SemVer($version)
+
+  # lint:ignore:140chars
+  if ($current_check and $target_check and $r10k_known_hosts == undef) {
+    out::message( @(HEREDOC/n)
+\nWARNING: Starting in PE 2023.3, SSH host key verification is required for Code Manager and r10k.\n
+To enable host key verification, you must define the puppet_enterprise::profile::master::r10k_known_hosts parameter with an array of hashes containing "name", "type", and "key" to specify your hostname, key type, and public key.\n
+If you currently use SSH protocol to allow r10k to access your remote Git repository, your Code Manager or r10k code management tool cannot function until you define the r10k_known_hosts parameter.\n
+HEREDOC
+    )# lint:endignore
+  }
+}

functions/get_pe_conf.pp

@@ -0,0 +1,11 @@
+# @summary Returns the current pe.conf content as a hash
+# @param Target $target The target to run the task on
+function peadm::get_pe_conf(Target $target) {
+  $current_pe_conf_content = run_task('peadm::read_file', $target, path => '/etc/puppetlabs/enterprise/conf.d/pe.conf').first['content']
+
+  # Parse the current pe.conf content and return the hash
+  return $current_pe_conf_content ? {
+    undef   => {},
+    default => stdlib::parsehocon($current_pe_conf_content),
+  }
+}

functions/update_pe_conf.pp

@@ -0,0 +1,10 @@
+# @summary Update the pe.conf file on a target with the provided hash
+# @param target [Bolt::Target] The target to update the pe.conf file on
+# @param updated_pe_conf_hash [Hash] The hash to update the pe.conf file with
+function peadm::update_pe_conf(Target $target, Hash $updated_pe_conf_hash) {
+  # Convert the updated hash back to a pretty JSON string
+  $updated_pe_conf_content = stdlib::to_json_pretty($updated_pe_conf_hash)
+
+  # Write the updated content back to pe.conf on the target
+  write_file($updated_pe_conf_content, '/etc/puppetlabs/enterprise/conf.d/pe.conf', $target)
+}

plans/upgrade.pp

@@ -19,7 +19,12 @@
 # @param final_agent_state
 #   Configures the state the puppet agent should be in on infrastructure nodes
 #   after PE is upgraded successfully.
-#
+# @param r10k_known_hosts
+#   Puppet Enterprise 2023.3+ requires host key verification for the
+#   r10k_remote host when using ssh. you must provide \$r10k_known_hosts
+#   information in the form of an array of hashes with 'name', 'type' and 'key'
+#   information for hostname, key-type and public key.
+# 
 plan peadm::upgrade (
   # Standard
   Peadm::SingleTargetSpec           $primary_host,
@@ -33,11 +38,12 @@
   Optional[Peadm::SingleTargetSpec] $replica_postgresql_host = undef,
 
   # Common Configuration
-  Optional[Peadm::Pe_version] $version                          = undef,
-  Optional[String]            $pe_installer_source              = undef,
-  Optional[String]            $compiler_pool_address            = undef,
-  Optional[String]            $internal_compiler_a_pool_address = undef,
-  Optional[String]            $internal_compiler_b_pool_address = undef,
+  Optional[Peadm::Pe_version]  $version                          = undef,
+  Optional[String]             $pe_installer_source              = undef,
+  Optional[String]             $compiler_pool_address            = undef,
+  Optional[String]             $internal_compiler_a_pool_address = undef,
+  Optional[String]             $internal_compiler_b_pool_address = undef,
+  Optional[Peadm::Known_hosts] $r10k_known_hosts                 = undef,
 
   # Other
   Optional[String]           $token_file             = undef,
@@ -210,6 +216,17 @@
 
       write_file($pe_conf, '/etc/puppetlabs/enterprise/conf.d/pe.conf', $target)
     }
+
+    if $r10k_known_hosts != undef {
+      $current_pe_conf = peadm::get_pe_conf($primary_target)
+
+      # Append the r10k_known_hosts entry
+      $updated_pe_conf = $current_pe_conf + {
+        'puppet_enterprise::profile::master::r10k_known_hosts' => $r10k_known_hosts,
+      }
+
+      peadm::update_pe_conf($primary_target, $updated_pe_conf)
+    }
   }
 
   peadm::plan_step('upgrade-primary') || {
@@ -391,5 +408,7 @@
     )
   }
 
+  peadm::check_version_and_known_hosts($current_pe_version, $_version, $r10k_known_hosts)
+
   return("Upgrade of Puppet Enterprise ${arch['architecture']} completed.")
 }

types/known_hosts.pp

@@ -0,0 +1,10 @@
+type Peadm::Known_hosts = Array[
+  Struct[
+    'title'        => Optional[String[1]],
+    'ensure'       => Optional[Enum['present','absent']],
+    'name'         => String[1],
+    'type'         => String[1],
+    'key'          => String[1],
+    'host_aliases' => Optional[Variant[String[1],Array[String[1]]]],
+  ]
+]