Merge pull request #238 from bwilcox/csr_fix

reidmv · web-flow · commit ee611d752bbe · 2022-03-04T08:30:31.000-08:00
Allow compilers and replicas to merge csr_attributes.
diff --git a/plans/add_compiler.pp b/plans/add_compiler.pp
@@ -47,13 +47,19 @@
     default => ["main:dns_alt_names=${dns_alt_names}"],
   }
 
+  # Check for and merge csr_attributes.
+  run_plan('peadm::util::insert_csr_extension_requests', $compiler_target,
+      extension_requests => {
+        peadm::oid('pp_auth_role')             => 'pe_compiler',
+        peadm::oid('peadm_availability_group') => $avail_group_letter
+      }
+    )
+
   # we first assume that there is no agent installed on the node. If there is, nothing will happen.
   run_task('peadm::agent_install', $compiler_target,
     server        => $primary_target.peadm::certname(),
     install_flags => $dns_alt_names_flag + [
       '--puppet-service-ensure', 'stopped',
-      "extension_requests:${peadm::oid('pp_auth_role')}=pe_compiler",
-      "extension_requests:${peadm::oid('peadm_availability_group')}=${avail_group_letter}",
       "main:certname=${compiler_target.peadm::certname()}",
     ],
   )
diff --git a/plans/add_replica.pp b/plans/add_replica.pp
@@ -37,12 +37,18 @@
   # This has the effect of revoking the node's certificate, if it exists
   run_command("puppet infrastructure forget ${replica_target.peadm::certname()}", $primary_target, _catch_errors => true)
 
+  # Check for and merge csr_attributes.
+  run_plan('peadm::util::insert_csr_extension_requests', $replica_target,
+      extension_requests => {
+        peadm::oid('peadm_role')               => 'puppet/server',
+        peadm::oid('peadm_availability_group') => $replica_avail_group_letter
+      }
+    )
+
   run_task('peadm::agent_install', $replica_target,
     server        => $primary_target.peadm::certname(),
     install_flags => [
       '--puppet-service-ensure', 'stopped',
-      "extension_requests:${peadm::oid('peadm_role')}=puppet/server",
-      "extension_requests:${peadm::oid('peadm_availability_group')}=${replica_avail_group_letter}",
       "main:certname=${replica_target.peadm::certname()}",
       "main:dns_alt_names=${dns_alt_names.join(',')}",
     ],
diff --git a/plans/subplans/install.pp b/plans/subplans/install.pp
@@ -221,6 +221,30 @@
         }
       )
     },
+    background('replica-csr.yaml') || {
+      run_plan('peadm::util::insert_csr_extension_requests', $replica_target,
+        extension_requests => {
+          peadm::oid('peadm_role')               => 'puppet/server',
+          peadm::oid('peadm_availability_group') => 'B'
+        }
+      )
+    },
+    background('compiler-a-csr.yaml') || {
+      run_plan('peadm::util::insert_csr_extension_requests', $compiler_a_targets,
+        extension_requests => {
+          peadm::oid('pp_auth_role')             => 'pe_compiler',
+          peadm::oid('peadm_availability_group') => 'A'
+        }
+      )
+    },
+    background('compiler-b-csr.yaml') || {
+      run_plan('peadm::util::insert_csr_extension_requests', $compiler_b_targets,
+        extension_requests => {
+          peadm::oid('pp_auth_role')             => 'pe_compiler',
+          peadm::oid('peadm_availability_group') => 'B'
+        }
+      )
+    },
     background('primary-postgresql-csr.yaml') || {
       run_plan('peadm::util::insert_csr_extension_requests', $primary_postgresql_target,
         extension_requests => {
@@ -323,24 +347,10 @@
       "main:certname=${target.peadm::certname()}",
     ]
 
-    $role_and_group =
-      if ($target in $compiler_a_targets) {[
-        "extension_requests:${peadm::oid('pp_auth_role')}=pe_compiler",
-        "extension_requests:${peadm::oid('peadm_availability_group')}=A",
-      ]}
-      elsif ($target in $compiler_b_targets) {[
-        "extension_requests:${peadm::oid('pp_auth_role')}=pe_compiler",
-        "extension_requests:${peadm::oid('peadm_availability_group')}=B",
-      ]}
-      elsif ($target in $replica_target) {[
-        "extension_requests:${peadm::oid('peadm_role')}=puppet/server",
-        "extension_requests:${peadm::oid('peadm_availability_group')}=B",
-      ]}
-
     # Get an agent installed and cert signed
     run_task('peadm::agent_install', $target,
       server        => $primary_target.peadm::certname(),
-      install_flags => $common_install_flags + $role_and_group,
+      install_flags => $common_install_flags,
     )
 
     # Ensure certificate requests have been submitted, then run Puppet
diff --git a/spec/plans/add_compiler_spec.rb b/spec/plans/add_compiler_spec.rb
@@ -28,8 +28,6 @@ def allow_standard_non_returning_calls
         .with_params({ 'server'        => 'primary',
                        'install_flags' => [
                          '--puppet-service-ensure', 'stopped',
-                         'extension_requests:1.3.6.1.4.1.34380.1.3.13=pe_compiler',
-                         'extension_requests:1.3.6.1.4.1.34380.1.1.9813=A',
                          'main:certname=compiler'
                        ] })
 
@@ -53,8 +51,6 @@ def allow_standard_non_returning_calls
                          'install_flags' => [
                            'main:dns_alt_names=foo,bar',
                            '--puppet-service-ensure', 'stopped',
-                           'extension_requests:1.3.6.1.4.1.34380.1.3.13=pe_compiler',
-                           'extension_requests:1.3.6.1.4.1.34380.1.1.9813=A',
                            'main:certname=compiler'
                          ] })
 
diff --git a/spec/plans/add_replica_spec.rb b/spec/plans/add_replica_spec.rb
@@ -20,8 +20,6 @@ def allow_standard_non_returning_calls
         .with_params({ 'server'        => 'primary',
                        'install_flags' => [
                          '--puppet-service-ensure', 'stopped',
-                         'extension_requests:1.3.6.1.4.1.34380.1.1.9812=puppet/server',
-                         'extension_requests:1.3.6.1.4.1.34380.1.1.9813=B',
                          'main:certname=replica',
                          'main:dns_alt_names=replica'
                        ] })
@@ -36,8 +34,6 @@ def allow_standard_non_returning_calls
         .with_params({ 'server'        => 'primary',
                        'install_flags' => [
                          '--puppet-service-ensure', 'stopped',
-                         'extension_requests:1.3.6.1.4.1.34380.1.1.9812=puppet/server',
-                         'extension_requests:1.3.6.1.4.1.34380.1.1.9813=B',
                          'main:certname=replica',
                          'main:dns_alt_names=replica,alt'
                        ] })
