(PE-36789) R10k Known hosts upgrade path

Adding optional parameter for r10k known hosts
Alerting user to set known hosts if they are upgrading to or past 2023.3

Author: ragingra

documentation/upgrade.md

@@ -4,13 +4,15 @@ Puppet Enterprise deployments provisioned using the peadm module can also be upg
 
 ## Usage
 
-The `peadm::upgrade` plan requires as input the version of PE to upgrade to, and the names of each PE infrastructure host. Primary, replica, compilers, etc.
+The `peadm::upgrade` plan requires as input the version of PE to upgrade to, and the names of each PE infrastructure host. Primary, replica, compilers, etc. 
 
-The following is an example parameters file for upgrading an Extra Large architecture deployment of PE 2021.0.1 to PE 2021.7.4.
+Please note that when upgrading from before 2023.3 to 2023.3 or above and you are using code manager, it is nessesary to provide known hosts for r10k. r10k_known_hosts is an optional parameter and is only required one time when upgrading to 2023.3 or beyond. Subsequent upgrades will already have this and wont be required again.
+
+The following is an example parameters file for upgrading an Extra Large architecture deployment of PE 2023.2.0 to PE 2023.3.0.
 
 ```json
 {
-  "version": "2021.7.4",
+  "version": "2023.3.0",
   "primary_host": "pe-master-09a40c-0.us-west1-a.c.reidmv-peadm.internal",
   "primary_postgresql_host": "pe-psql-09a40c-0.us-west1-a.c.reidmv-peadm.internal",
   "replica_host": "pe-master-09a40c-1.us-west1-b.c.reidmv-peadm.internal",
@@ -20,6 +22,10 @@ The following is an example parameters file for upgrading an Extra Large archite
     "pe-compiler-09a40c-1.us-west1-b.c.reidmv-peadm.internal",
     "pe-compiler-09a40c-2.us-west1-c.c.reidmv-peadm.internal",
     "pe-compiler-09a40c-3.us-west1-a.c.reidmv-peadm.internal"
+  ],
+  "r10k_known_hosts": [
+     {"name": "remotehostname", "type": "ssh-rsa", "key": "hash"},
+     {"name": "remotehostname2", "type": "ssh-rsa", "key": "hash"}
   ]
 }
 ```
@@ -115,20 +121,20 @@ Note: it is assumed that the Puppet primary is in cluster A when the upgrade sta
 1. Shut down the `pe-puppetdb` service on the compilers in cluster B
 2. If different from the primary (replica), run the `install-puppet-enterprise` script for the new PE version on the PuppetDB PostgreSQL node for cluster B
 3. If different from the primary (replica), Run `puppet agent -t` on the PuppetDB PostgreSQL node for cluster B
-5. Run `puppet agent -t` on the primary to ensure orchestration services are configured and restarted before the next steps
-6. Perform the replica upgrade using `puppet infra upgrade replica` for the primary (replica)
-7. Perform the compiler upgrade using `puppet infra upgrade compiler` for the compilers in cluster B
+4. Run `puppet agent -t` on the primary to ensure orchestration services are configured and restarted before the next steps
+5. Perform the replica upgrade using `puppet infra upgrade replica` for the primary (replica)
+6. Perform the compiler upgrade using `puppet infra upgrade compiler` for the compilers in cluster B
 
 **If Upgrading from 2019.5**
 
 The following steps apply _only_ if upgrading from 2019.5 or older
 
 1. Run `puppet infra run convert_legacy_compiler` for all compilers
 2. Modify the peadm node groups "PE Compiler Group A" and "PE Compiler Group B" as follows:
-    * Re-parent the groups. They should be children of "PE Compiler"
-    * Remove configuration data (Hiera data). Leave the classes and class parameters
-    * Add the rule `trusted.extensions.pp_auth_role = pe_compiler`
-    * Remove the rule `trusted.extensions."1.3.6.1.4.1.34380.1.1.9812" = puppet/compiler`
+   * Re-parent the groups. They should be children of "PE Compiler"
+   * Remove configuration data (Hiera data). Leave the classes and class parameters
+   * Add the rule `trusted.extensions.pp_auth_role = pe_compiler`
+   * Remove the rule `trusted.extensions."1.3.6.1.4.1.34380.1.1.9812" = puppet/compiler`
 
 **Phase 4: resume puppet service**
 

functions/check_version_and_known_hosts.pp

@@ -0,0 +1,13 @@
+function peadm::check_version_and_known_hosts(
+  String $target_version,
+  Optional[Peadm::Known_hosts]      $r10k_known_hosts         = undef,
+) {
+  $version_check = SemVer($target_version) >= SemVer('2023.3.0')
+
+  out::message("Version check: ${version_check}")
+
+  # If the version is 2023.3 or greater and known_hosts is undef, print a message
+  if ($version_check and $r10k_known_hosts == undef) {
+    out::message("URGENT UPGRADE NOTICE:\nWhen you are upgrading to PE 2023.3 or later, it's crucial to ensure that the 'known_hosts' parameter for R10k is populated. Starting from PE 2023.3, Code Manager will not operate correctly without this. For more information, see https://puppet.com/docs/pe/2023.3/code_mgr_config.html#known-hosts-parameter")
+  }
+}

plans/upgrade.pp

@@ -19,7 +19,12 @@
 # @param final_agent_state
 #   Configures the state the puppet agent should be in on infrastructure nodes
 #   after PE is upgraded successfully.
-#
+# @param r10k_known_hosts
+#   Puppet Enterprise 2023.3+ requires host key verification for the
+#   r10k_remote host when using ssh. you must provide \$r10k_known_hosts
+#   information in the form of an array of hashes with 'name', 'type' and 'key'
+#   information for hostname, key-type and public key.
+# 
 plan peadm::upgrade (
   # Standard
   Peadm::SingleTargetSpec           $primary_host,
@@ -33,11 +38,12 @@
   Optional[Peadm::SingleTargetSpec] $replica_postgresql_host = undef,
 
   # Common Configuration
-  Optional[Peadm::Pe_version] $version                          = undef,
-  Optional[String]            $pe_installer_source              = undef,
-  Optional[String]            $compiler_pool_address            = undef,
-  Optional[String]            $internal_compiler_a_pool_address = undef,
-  Optional[String]            $internal_compiler_b_pool_address = undef,
+  Optional[Peadm::Pe_version]  $version                          = undef,
+  Optional[String]             $pe_installer_source              = undef,
+  Optional[String]             $compiler_pool_address            = undef,
+  Optional[String]             $internal_compiler_a_pool_address = undef,
+  Optional[String]             $internal_compiler_b_pool_address = undef,
+  Optional[Peadm::Known_hosts] $r10k_known_hosts                 = undef,
 
   # Other
   Optional[String]           $token_file             = undef,
@@ -210,6 +216,25 @@
 
       write_file($pe_conf, '/etc/puppetlabs/enterprise/conf.d/pe.conf', $target)
     }
+
+    if $r10k_known_hosts != undef {
+      peadm::flatten_compact([
+          $primary_target,
+      ]).each |$target| {
+        $current_pe_conf = run_task('peadm::read_file', $target,
+          path => '/etc/puppetlabs/enterprise/conf.d/pe.conf',
+        ).first['content']
+
+        $pe_conf = stdlib::to_json_pretty($current_pe_conf ? {
+            undef   => {},
+            default => stdlib::parsehocon($current_pe_conf),
+          } + {
+            'puppet_enterprise::profile::master::r10k_known_hosts'                => $r10k_known_hosts,
+        })
+
+        write_file($pe_conf, '/etc/puppetlabs/enterprise/conf.d/pe.conf', $target)
+      }
+    }
   }
 
   peadm::plan_step('upgrade-primary') || {
@@ -391,5 +416,7 @@
     )
   }
 
+  peadm::check_version_and_known_hosts($_version, $r10k_known_hosts)
+
   return("Upgrade of Puppet Enterprise ${arch['architecture']} completed.")
 }

types/known_hosts.pp

@@ -0,0 +1,10 @@
+type Peadm::Known_hosts = Array[
+  Struct[
+    'title'        => Optional[String[1]],
+    'ensure'       => Optional[Enum['present','absent']],
+    'name'         => String[1],
+    'type'         => String[1],
+    'key'          => String[1],
+    'host_aliases' => Optional[Variant[String[1],Array[String[1]]]],
+  ]
+]