From 8ddec1e81e0ce7f70ca9d63e255fdf6ef670616b Mon Sep 17 00:00:00 2001
From: Dimitri Tischenko
Date: Wed, 2 Jun 2021 16:19:26 +0200
Subject: [PATCH 1/6] Add add_compiler plan
---
 plans/add_compiler.pp | 86 +++++++++++++++++++++
 plans/util/insert_csr_extension_requests.pp | 2 +-
 2 files changed, 87 insertions(+), 1 deletion(-)
 create mode 100644 plans/add_compiler.pp
diff --git a/plans/add_compiler.pp b/plans/add_compiler.pp
new file mode 100644
index 00000000..efecd3ce
--- /dev/null
+++ b/plans/add_compiler.pp
@@ -0,0 +1,86 @@
+# @summary Add a new compiler to a PE architecture or replace an existing one with new configuration.
+# @param avail_group_letter _ Either A or B; whichever of the two letter designations the compiler is being assigned to
+# @param compiler_host _ The hostname and certname of the new compiler
+# @param dns_alt_names _ A comma_separated list of DNS alt names for the compiler
+# @param primary_server_host _ The hostname and certname of the primary Puppet server
+# @param postgresql_server_host _ The hostname and certname of the PE-PostgreSQL server with availability group $avail_group_letter
+plan peadm::add_compiler(
+ Enum['A', 'B'] $avail_group_letter,
+ Optional[String[1]] $dns_alt_names = undef,
+ Peadm::SingleTargetSpec $compiler_host,
+ Peadm::SingleTargetSpec $primary_host,
+ Peadm::SingleTargetSpec $postgresql_server_host,
+){
+ $compiler_target = peadm::get_targets($compiler_host, 1)
+ $primary_target = peadm::get_targets($primary_host, 1)
+ $postgresql_server_target = peadm::get_targets($postgresql_server_host, 1)
+
+ # Stop puppet.service
+ run_command('systemctl stop puppet.service', $postgresql_server_target)
+
+ # Add the following two lines to /opt/puppetlabs/server/data/postgresql/11/data/pg_ident.conf
+ #
+ # pe-puppetdb-pe-puppetdb-map pe-puppetdb
+ # pe-puppetdb-pe-puppetdb-migrator-map pe-puppetdb-migrator
+
+ apply($postgresql_server_target) {
+ file_line { 'pe-puppetdb-pe-puppetdb-map':
+ path => '/opt/puppetlabs/server/data/postgresql/11/data/pg_ident.conf',
+ line => "pe-puppetdb-pe-puppetdb-map ${compiler_target.peadm::target_name()} pe-puppetdb",
+ }
+ file_line { 'pe-puppetdb-pe-puppetdb-migrator-map':
+ path => '/opt/puppetlabs/server/data/postgresql/11/data/pg_ident.conf',
+ line => "pe-puppetdb-pe-puppetdb-migrator-map ${compiler_target.peadm::target_name()} pe-puppetdb-migrator",
+ }
+ }
+
+ # Reload pe-postgresql.service
+ run_command('systemctl reload pe-postgresql.service', $postgresql_server_target)
+
+ # Install 
the puppet agent making sure to specify an availability group letter, A or B, as an extension request.
+ $dns_alt_names_flag = $dns_alt_names? {
+ undef => [],
+ default => "main:dns_alt_names=${dns_alt_names}",
+ }
+
+ # we first assume that there is no agent installed on the node. If there is, nothing will happen.
+ run_task('peadm::agent_install', $compiler_target,
+ server => $primary_target.peadm::target_name(),
+ install_flags => $dns_alt_names_flag + [
+ "extension_requests:${peadm::oid('pp_auth_role')}=pe_compiler",
+ "extension_requests:${peadm::oid('peadm_availability_group')}=${avail_group_letter}",
+ "main:certname=${compiler_target.peadm::target_name()}",
+ ],
+ )
+
+ # On , run the puppet agent
+ run_task('peadm::puppet_runonce', $compiler_target, {'_catch_errors' => true})
+
+ # If necessary, manually submit a CSR
+ run_task('peadm::submit_csr', $compiler_target, {'_catch_errors' => true})
+
+ # On primary, if necessary, sign the certificate request
+ run_task('peadm::sign_csr', $primary_target, { 'certnames' => [$compiler_target.peadm::target_name()] } )
+
+ # On , run the puppet agent
+ run_task('peadm::puppet_runonce', $compiler_target)
+
+ # If there was already a signed cert, force the certificate extensions we want
+ # TODO: update peadm::util::add_cert_extensions to take care of dns alt names
+ run_plan('peadm::util::add_cert_extensions', $compiler_target,
+ primary_host => $primary_target.peadm::target_name(),
+ extensions => {
+ peadm::oid('pp_auth_role') => 'pe_compiler',
+ peadm::oid('peadm_availability_group') => $avail_group_letter,
+ },
+ )
+
+ # On run the puppet agent
+ run_task('peadm::puppet_runonce', $postgresql_server_target)
+
+ # On start puppet.service
+ run_command('systemctl start puppet.service', $postgresql_server_target)
+
+ return("Adding or replacing compiler ${$compiler_target.peadm::target_name()} succeeded.")
+
+}
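Review bot: The `install_flags` value built at `install_flags => $dns_alt_names_flag + [` fails whenever `dns_alt_names` is supplied, because the `default` arm of the selector yields a String and Puppet's `+` only concatenates when its left operand is an Array (or merges Hashes); a non-numeric String on the left raises an evaluation error, so only the `undef => []` arm works today. Give both arms the same type: `default => ["main:dns_alt_names=${dns_alt_names}"],`. Separately, the two `file_line` resources only ensure the new compiler's certname is present in `pg_ident.conf`; in the "replace an existing one" case the summary advertises, the old compiler's map lines are left in place, so the retired certname keeps its mapping to the `pe-puppetdb` and `pe-puppetdb-migrator` database roles until someone removes them by hand. A `match` keyed on the map name alone would clobber other compilers' entries in the same map, so removing the stale lines likely needs the old certname as a plan input (or a documented cleanup step) rather than a one-line change.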
diff --git a/plans/util/insert_csr_extension_requests.pp b/plans/util/insert_csr_extension_requests.pp
index c0739314..b7272c3d 100644
--- a/plans/util/insert_csr_extension_requests.pp
+++ b/plans/util/insert_csr_extension_requests.pp
@@ -13,7 +13,7 @@
 # If we're merging extension requests, existing requests will be preserved.
 # If we're not merging, only ours will be used; existing requests will be
- # overritten.
+ # overwritten.
 $csr_file_data = $merge ? {
 true => $csr_attributes_data.deep_merge({'extension_requests' => $extension_requests}),
 false => ($csr_attributes_data + {'extension_requests' => $extension_requests}),
From 89c6414cd5ec6426178d14c372b4f11a003247ce Mon Sep 17 00:00:00 2001
From: Dimitri Tischenko
Date: Tue, 8 Jun 2021 16:36:51 +0200
Subject: [PATCH 2/6] change target_name() to certname()
---
 plans/add_compiler.pp | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/plans/add_compiler.pp b/plans/add_compiler.pp
index efecd3ce..4f4b8db4 100644
--- a/plans/add_compiler.pp
+++ b/plans/add_compiler.pp
@@ -11,9 +11,9 @@
 Peadm::SingleTargetSpec $primary_host,
 Peadm::SingleTargetSpec $postgresql_server_host,
 ){
- $compiler_target = peadm::get_targets($compiler_host, 1)
- $primary_target = peadm::get_targets($primary_host, 1)
- $postgresql_server_target = peadm::get_targets($postgresql_server_host, 1)
+ $compiler_target = peadm::get_targets($compiler_host, 1)
+ $primary_target = peadm::get_targets($primary_host, 1)
+ $postgresql_server_target = peadm::get_targets($postgresql_server_host, 1)
 
 # Stop puppet.service
 run_command('systemctl stop puppet.service', $postgresql_server_target)
@@ -26,11 +26,11 @@
 apply($postgresql_server_target) {
 file_line { 'pe-puppetdb-pe-puppetdb-map':
 path => '/opt/puppetlabs/server/data/postgresql/11/data/pg_ident.conf',
- line => "pe-puppetdb-pe-puppetdb-map ${compiler_target.peadm::target_name()} pe-puppetdb",
+ line => "pe-puppetdb-pe-puppetdb-map ${compiler_target.peadm::certname()} pe-puppetdb",
 }
 file_line { 'pe-puppetdb-pe-puppetdb-migrator-map':
 path => '/opt/puppetlabs/server/data/postgresql/11/data/pg_ident.conf',
- line => "pe-puppetdb-pe-puppetdb-migrator-map ${compiler_target.peadm::target_name()} pe-puppetdb-migrator",
+ line => "pe-puppetdb-pe-puppetdb-migrator-map ${compiler_target.peadm::certname()} pe-puppetdb-migrator",
 }
 }
 
@@ -45,11 +45,11 @@
 
 # we first assume that there is no agent installed on the node. If there is, nothing will happen.
 run_task('peadm::agent_install', $compiler_target,
- server => $primary_target.peadm::target_name(),
+ server => $primary_target.peadm::certname(),
 install_flags => $dns_alt_names_flag + [
 "extension_requests:${peadm::oid('pp_auth_role')}=pe_compiler",
 "extension_requests:${peadm::oid('peadm_availability_group')}=${avail_group_letter}",
- "main:certname=${compiler_target.peadm::target_name()}",
+ "main:certname=${compiler_target.peadm::certname()}",
 ],
 )
 
@@ -60,7 +60,7 @@
 run_task('peadm::submit_csr', $compiler_target, {'_catch_errors' => true})
 
 # On primary, if necessary, sign the certificate request
- run_task('peadm::sign_csr', $primary_target, { 'certnames' => [$compiler_target.peadm::target_name()] } )
+ run_task('peadm::sign_csr', $primary_target, { 'certnames' => [$compiler_target.peadm::certname()] } )
 
 # On , run the puppet agent
 run_task('peadm::puppet_runonce', $compiler_target)
@@ -68,7 +68,7 @@
 # If there was already a signed cert, force the certificate extensions we want
 # TODO: update peadm::util::add_cert_extensions to take care of dns alt names
 run_plan('peadm::util::add_cert_extensions', $compiler_target,
- primary_host => $primary_target.peadm::target_name(),
+ primary_host => $primary_target.peadm::certname(),
 extensions => {
 peadm::oid('pp_auth_role') => 'pe_compiler',
 peadm::oid('peadm_availability_group') => $avail_group_letter,
@@ -81,6 +81,6 @@
 # On start puppet.service
 run_command('systemctl start puppet.service', $postgresql_server_target)
 
- return("Adding or replacing compiler ${$compiler_target.peadm::target_name()} succeeded.")
+ return("Adding or replacing compiler ${$compiler_target.peadm::certname()} succeeded.")
 
 }
From a03c6e99a0d351f9f50ef470a988a6c3d5ed2c3c Mon Sep 17 00:00:00 2001
From: Dimitri Tischenko
Date: Tue, 8 Jun 2021 16:41:20 +0200
Subject: [PATCH 3/6] doc fixes
---
 plans/add_compiler.pp | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/plans/add_compiler.pp b/plans/add_compiler.pp
index 4f4b8db4..96a1ceda 100644
--- a/plans/add_compiler.pp
+++ b/plans/add_compiler.pp
@@ -2,7 +2,7 @@
 # @param avail_group_letter _ Either A or B; whichever of the two letter designations the compiler is being assigned to
 # @param compiler_host _ The hostname and certname of the new compiler
 # @param dns_alt_names _ A comma_separated list of DNS alt names for the compiler
-# @param primary_server_host _ The hostname and certname of the primary Puppet server
+# @param primary_host _ The hostname and certname of the primary Puppet server
 # @param postgresql_server_host _ The hostname and certname of the PE-PostgreSQL server with availability group $avail_group_letter
 plan peadm::add_compiler(
 Enum['A', 'B'] $avail_group_letter,
@@ -54,9 +54,11 @@
 )
 
 # On , run the puppet agent
+ # ignoring errors to simplify logic
 run_task('peadm::puppet_runonce', $compiler_target, {'_catch_errors' => true})
 
 # If necessary, manually submit a CSR
+ # ignoring errors to simplify logic
 run_task('peadm::submit_csr', $compiler_target, {'_catch_errors' => true})
 
 # On primary, if necessary, sign the certificate request
From 3805e2895a42f125791292af7d367021542ea551 Mon Sep 17 00:00:00 2001
From: Dimitri Tischenko
Date: Tue, 8 Jun 2021 17:41:54 +0200
Subject: [PATCH 4/6] rename postgresql_server_host
---
 plans/add_compiler.pp | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/plans/add_compiler.pp b/plans/add_compiler.pp
index 96a1ceda..0e2e1741 100644
--- a/plans/add_compiler.pp
+++ b/plans/add_compiler.pp
@@ -3,20 +3,20 @@
 # @param compiler_host _ The hostname and certname of the new compiler
 # @param dns_alt_names _ A comma_separated list of DNS alt names for the compiler
 # @param primary_host _ The hostname and certname of the primary Puppet server
-# @param postgresql_server_host _ The hostname and certname of the PE-PostgreSQL server with availability group $avail_group_letter
+# @param puppetdb_database_host _ The hostname and certname of the PE-PostgreSQL server with availability group $avail_group_letter
 plan peadm::add_compiler(
 Enum['A', 'B'] $avail_group_letter,
 Optional[String[1]] $dns_alt_names = undef,
 Peadm::SingleTargetSpec $compiler_host,
 Peadm::SingleTargetSpec $primary_host,
- Peadm::SingleTargetSpec $postgresql_server_host,
+ Peadm::SingleTargetSpec $puppetdb_database_host,
 ){
 $compiler_target = peadm::get_targets($compiler_host, 1)
 $primary_target = peadm::get_targets($primary_host, 1)
- $postgresql_server_target = peadm::get_targets($postgresql_server_host, 1)
+ $postgresql_server_target = peadm::get_targets($puppetdb_database_host, 1)
 
 # Stop puppet.service
- run_command('systemctl stop puppet.service', $postgresql_server_target)
+ run_command('systemctl stop puppet.service', $puppetdb_database_target)
 
 # Add the following two lines to /opt/puppetlabs/server/data/postgresql/11/data/pg_ident.conf
 #
@@ -35,7 +35,7 @@
 }
 
 # Reload pe-postgresql.service
- run_command('systemctl reload pe-postgresql.service', $postgresql_server_target)
+ run_command('systemctl reload pe-postgresql.service', $puppetdb_database_target)
 
 # Install the puppet agent making sure to specify an availability group letter, A or B, as an extension request.
 $dns_alt_names_flag = $dns_alt_names? {
@@ -77,11 +77,11 @@
 },
 )
 
- # On run the puppet agent
- run_task('peadm::puppet_runonce', $postgresql_server_target)
+ # On run the puppet agent
+ run_task('peadm::puppet_runonce', $puppetdb_database_target)
 
- # On start puppet.service
- run_command('systemctl start puppet.service', $postgresql_server_target)
+ # On start puppet.service
+ run_command('systemctl start puppet.service', $puppetdb_database_target)
 
 return("Adding or replacing compiler ${$compiler_target.peadm::certname()} succeeded.")
 
From 7fee64b8482459210c6bf9536464379b07c423ae Mon Sep 17 00:00:00 2001
From: Dimitri Tischenko
Date: Tue, 8 Jun 2021 17:43:03 +0200
Subject: [PATCH 5/6] missed one search/replace
---
 plans/add_compiler.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plans/add_compiler.pp b/plans/add_compiler.pp
index 0e2e1741..bb6a5c3f 100644
--- a/plans/add_compiler.pp
+++ b/plans/add_compiler.pp
@@ -13,7 +13,7 @@
 ){
 $compiler_target = peadm::get_targets($compiler_host, 1)
 $primary_target = peadm::get_targets($primary_host, 1)
- $postgresql_server_target = peadm::get_targets($puppetdb_database_host, 1)
+ $puppetdb_database_target = peadm::get_targets($puppetdb_database_host, 1)
 
 # Stop puppet.service
 run_command('systemctl stop puppet.service', $puppetdb_database_target)
From c95c9babf628662919a00924bd28ebdf733894c6 Mon Sep 17 00:00:00 2001
From: Dimitri Tischenko
Date: Tue, 8 Jun 2021 17:43:27 +0200
Subject: [PATCH 6/6] forgot another one
---
 plans/add_compiler.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plans/add_compiler.pp b/plans/add_compiler.pp
index bb6a5c3f..56690e85 100644
--- a/plans/add_compiler.pp
+++ b/plans/add_compiler.pp
@@ -23,7 +23,7 @@
 # pe-puppetdb-pe-puppetdb-map pe-puppetdb
 # pe-puppetdb-pe-puppetdb-migrator-map pe-puppetdb-migrator
 
- apply($postgresql_server_target) {
+ apply($puppetdb_database_target) {
 file_line { 'pe-puppetdb-pe-puppetdb-map':
 path => '/opt/puppetlabs/server/data/postgresql/11/data/pg_ident.conf',
 line => "pe-puppetdb-pe-puppetdb-map ${compiler_target.peadm::certname()} pe-puppetdb",