Update version to 1.0.0; add docs for conversion

This commit adds documentation for converting a stack deployed with
peadm 0.5.x to be compatible with changes in the 1.x version of the
module.

Author: reidmv

README.md

@@ -22,3 +22,4 @@ Reference:
 * [Classification](documentation/classification.md)
 * [Architectures](documentation/architectures.md)
 * [Testing](documentation/pre_post_checks.md)
+* [Converting From Old Versions of peadm](documentation/old_versions_of_peadm.md)

documentation/old_versions_of_peadm.md

@@ -0,0 +1,56 @@
+# Old Versions of Puppet Enterprise (pe) Administration (adm) Module
+
+Prior to the 1.0.0 release of peadm, the pp\_application and pp\_cluster trusted facts were used to identify peadm server roles and availability groups. In order to avoid conflict with customer use of these trusted facts, in 1.0.0 peadm switched to using its own custom OID trusted facts for the purpose instead.
+
+Puppet Enterprise systems deployed with peadm 1.0.0 will use the correct trusted facts, but any system deployed with peadm 0.5.x or older will still be relying on pp\_application and pp\_cluster. It is recommended that for these systems, you either A) continue to use an older version of peadm to perform upgrades; B) deploy new PE infrastructure using a 1.0.0 version of peadm or newer; or C) use the peadm::misc::upgrade\_trusted\_facts plan to re-issue certificates for each server to include the new custom OID trusted facts.
+
+
+Prepare to run the plan against all servers in the PE infrastructure, using a params.json file such as this one:
+
+```json
+{
+  "master_host": "pe-xl-core-0.lab1.puppet.vm",
+  "targets": [
+    "pe-xl-core-0.lab1.puppet.vm",
+    "pe-xl-core-1.lab1.puppet.vm",
+    "pe-xl-core-2.lab1.puppet.vm",
+    "pe-xl-core-3.lab1.puppet.vm",
+    "pe-xl-compiler-0.lab1.puppet.vm",
+    "pe-xl-compiler-1.lab1.puppet.vm"
+  ],
+}
+```
+
+Run the plan. Note that this cannot be done using the Orchestrator transport; it must be performed over ssh.
+
+```
+bolt plan run peadm::misc::upgrade_trusted_facts --params @params.json 
+```
+
+To complete the conversion, the PE node groups in the console should be updated to use the new trusted fact OIDs, and not pp\_application or pp\_cluster anymore. This can be accomplished by re-applying the peadm::setup::node\_manager class to the master.
+
+Tip: use the `--noop` flag to validate that the changes which will be made are the changes expected before applying the configuration change.
+
+```
+bolt apply --target pe-xl-core-0.lab1.puppet.vm -e <<EOF
+
+  file { 'node_manager.yaml':
+    ensure  => file,
+    mode    => '0644',
+    path    => Deferred('peadm::node_manager_yaml_location'),
+    content => epp('peadm/node_manager.yaml.epp', {
+      server => 'pe-xl-core-0.lab1.puppet.vm',,
+    }),
+  }
+
+  class { 'peadm::setup::node_manager':
+    master_host                    => 'pe-xl-core-0.lab1.puppet.vm',
+    master_replica_host            => 'pe-xl-core-2.lab1.puppet.vm',
+    puppetdb_database_host         => 'pe-xl-core-1.lab1.puppet.vm',
+    puppetdb_database_replica_host => 'pe-xl-core-3.lab1.puppet.vm',
+    compiler_pool_address          => 'puppet.lab1.puppet.vm',
+    require                        => File['node_manager.yaml'],
+  }
+
+EOF
+```

metadata.json

@@ -1,6 +1,6 @@
 {
   "name": "puppetlabs-peadm",
-  "version": "0.5.2",
+  "version": "1.0.0",
   "author": "Puppet Labs Solutions Architecture",
   "summary": "Bolt plans used to deploy an at-scale Puppet Enterprise architecture",
   "license": "Apache-2.0",

plans/misc/upgrade_trusted_facts.pp

@@ -1,49 +1,95 @@
 plan peadm::misc::upgrade_trusted_facts (
   TargetSpec              $targets,
   Peadm::SingleTargetSpec $master_host,
-  Boolean                 $autosign = false,
 ) {
 
   # Convert input into array of Targets
   $all_targets   = peadm::get_targets($targets)
   $master_target = peadm::get_targets($master_host, 1)
 
+  # This plan doesn't work over the orchestrator due to certificates being revoked.
+  $all_targets.peadm::fail_on_transport('pcp')
+
+  # The master is treated differently than a standard node, so we need to be
+  # able to identify it if it's in the target list
+  $master_certname = run_task('peadm::trusted_facts', $master_target)[0]['certname']
+
+  # Get trusted fact information for all targets
   $certdata = run_task('peadm::trusted_facts', $all_targets).reduce({}) |$memo,$result| {
     # Keep the the OID-form trusted fact key/value pairs. If we accidentally
     # include an OID and also a shortname that resolves to the same OID,
     # there'll be a problem trying to sign the cert.
     $memo + { $result.target => ($result.value + {
       'extensions' => ($result['extensions'].filter |$k,$v| {
-        $k =~ /^1\.3\.6\.1\.4\.1\.34380\.1/
+        $k =~ /^1\.3\.6\.1\.4\.1\.34380\.1(?!\.3\.39)/
       })
     })}
   }
 
+  # We'll use these when running commands
   $pserver = '/opt/puppetlabs/bin/puppetserver'
   $puppet  = '/opt/puppetlabs/bin/puppet'
 
-  $upgrade_results = $all_targets.map |$target| {
+  # Loop through and recert each target one at at time, because Bolt lacks
+  # real parallelism
+  $all_targets.map |$target| {
+
+    # This will be the new trusted fact data for this node
     $new_trusted = $certdata[$target]['extensions'] + {
       peadm::oid('peadm_role') => $certdata[$target]['extensions'][peadm::oid('pp_application')],
       peadm::oid('peadm_availability_group') => $certdata[$target]['extensions'][peadm::oid('pp_cluster')],
     }
 
+    # Make sure the csr_attributes.yaml file on the node matches
     run_plan('peadm::util::insert_csr_extensions', $target,
       extensions => $new_trusted,
       merge      => false,
     )
 
+    # Everything starts the same; we always revoke the existing cert
     run_command("${pserver} ca clean --certname ${certdata[$target]['certname']}", $master_target)
-    run_command("${puppet} ssl clean --certname ${certdata[$target]['certname']}", $target)
-    run_command("${puppet} ssl submit_request --certname ${certdata[$target]['certname']}", $target)
 
-    ctrl::sleep(2) # some lag sometimes before the cert is available to sign
+    # Then things get crazy...
 
-    if !$autosign {
-      run_command("${pserver} ca sign --certname ${certdata[$target]['certname']}", $master_target)
+    # The procedure for regenerating an agent's cert
+    if ($certdata[$target]['certname'] != $master_certname) {
+      run_command("${puppet} ssl clean --certname ${certdata[$target]['certname']}", $target)
+      run_command("${puppet} ssl submit_request --certname ${certdata[$target]['certname']}", $target)
+      ctrl::sleep(2) # some lag sometimes before the cert is available to sign
+      run_command(@("HEREDOC"/L), $master_target)
+        ${pserver} ca sign --certname ${certdata[$target]['certname']} || \
+        ${pserver} ca list --certname ${certdata[$target]['certname']} \
+        | HEREDOC
+      run_command("${puppet} ssl download_cert --certname ${certdata[$target]['certname']}", $target)
     }
 
-    run_command("${puppet} ssl download_cert --certname ${certdata[$target]['certname']}", $target)
+    # The procedure for regenerating the master's cert
+    else {
+      # Store the node's current dns-alt-names, for use as a flag restoring
+      # them later
+      $alt_names_flag = $certdata[$target]['dns-alt-names'] ? {
+        undef   => '',
+        default => "--subject-alt-names ${certdata[$target]['dns-alt-names'].join(',')}",
+      }
+
+      # The docs are broken, and the process is unclean. Sadface.
+      run_command(@("HEREDOC"/L), $target)
+        rm -f \
+          /etc/puppetlabs/puppet/ssl/certs/${certdata[$target]['certname']}.pem \
+          /etc/puppetlabs/puppet/ssl/private_keys/${certdata[$target]['certname']}.pem \
+          /etc/puppetlabs/puppet/ssl/public_keys/${certdata[$target]['certname']}.pem \
+          /etc/puppetlabs/puppet/ssl/certificate_requests/${certdata[$target]['certname']}.pem \
+        | HEREDOC
+      run_task('service', $target, {action => 'stop', name => 'pe-puppetserver'})
+      run_command(@("HEREDOC"/L), $target)
+        ${pserver} ca generate \
+          --certname ${certdata[$target]['certname']} \
+          ${alt_names_flag} \
+          --ca-client \
+        | HEREDOC
+      run_task('service', $target, {action => 'start', name => 'pe-puppetserver'})
+    }
   }
 
+  run_command("${puppet} facts upload", $all_targets)
 }

plans/upgrade.pp

@@ -53,6 +53,16 @@
     $memo + { $result.target => $result['extensions'] }
   }
 
+  # Ensure needed trusted facts are available
+  if $trusted_facts.any |$t,$ext| { $ext[peadm::oid('peadm_role')] == undef } {
+    fail_plan(@(HEREDOC/L))
+      Required trusted facts are not present; upgrade cannot be completed. If \
+      this infrastructure was provisioned with an old version of peadm, you may \
+      need to run the peadm::misc::upgrade_trusted_facts plan against each of the \
+      infrastructure nodes.
+      | HEREDOC
+  }
+
   # Determine which compilers are associated with which HA group
   $compiler_m1_targets = $compiler_targets.filter |$target| {
     ($trusted_facts[$target][peadm::oid('peadm_availability_group')]