Set additional rules on replica when adding compiler #270

merged 3 commits into from
Jun 21, 2022
37 changes: 34 additions & 3 deletions plans/add_compiler.pp
Expand Up @@ -14,13 +14,35 @@
Peadm::SingleTargetSpec $compiler_host,
Peadm::SingleTargetSpec $primary_host,
Peadm::SingleTargetSpec $primary_postgresql_host,
){
) {
$compiler_target = peadm::get_targets($compiler_host, 1)
$primary_target = peadm::get_targets($primary_host, 1)
$primary_postgresql_target = peadm::get_targets($primary_postgresql_host, 1)

# Get current peadm config to determine where to setup additional rules for
# compiler's secondary PuppetDB instances
$peadm_config = run_task('peadm::get_peadm_config', $primary_target).first.value

# Return the opposite server than the compiler to be added so it can be
# configured with the appropriate rules for Puppet Server access from
# compiler
$replica_avail_group_letter = $avail_group_letter ? { 'A' => 'B', 'B' => 'A' }
$replica_puppetdb = $peadm_config['role-letter']['server'][$replica_avail_group_letter]

$replica_puppetdb_target = peadm::get_targets($replica_puppetdb, 1)

# Stop puppet.service
run_command('systemctl stop puppet.service', $primary_postgresql_target)
run_command('systemctl stop puppet.service', peadm::flatten_compact([
$primary_postgresql_target,
$replica_puppetdb_target
]))

apply($replica_puppetdb_target) {
file_line { 'pe-puppetdb-compiler-cert-allow':
path => '/etc/puppetlabs/puppetdb/certificate-allowlist',
line => $compiler_target.peadm::certname(),
}
}

# Add the following two lines to /opt/puppetlabs/server/data/postgresql/11/data/pg_ident.conf
#
Expand Down Expand Up @@ -85,15 +107,24 @@
},
)

# Source the global hiera.yaml from Primary and synchronize to new compiler
run_plan('peadm::util::sync_global_hiera', $compiler_target,
primary_host => $primary_target
)

# On <compiler-host>, run the puppet agent
run_task('peadm::puppet_runonce', $compiler_target)

# On <primary_postgresql_host> run the puppet agent
run_task('peadm::puppet_runonce', $primary_postgresql_target)
run_task('peadm::puppet_runonce', peadm::flatten_compact([
$primary_postgresql_target,
$replica_puppetdb_target
]))

# On <primary_postgresql_host> start puppet.service
run_command('systemctl start puppet.service', peadm::flatten_compact([
$primary_postgresql_target,
$replica_puppetdb_target,
$compiler_target,
]))

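Review bot: The certname appended to `/etc/puppetlabs/puppetdb/certificate-allowlist` by the `file_line` in the `apply($replica_puppetdb_target)` block is never propagated to the running pe-puppetdb: nothing restarts or notifies the service, and as far as I know PuppetDB reads that allowlist only at startup, so the new compiler stays unauthorized on the replica until something else restarts it. It is also worth confirming that the later `peadm::puppet_runonce` on the replica does not manage this file with fixed content, which would silently revert the `file_line`; if PE classification is expected to regenerate the entry from the compiler's `pe_compiler` extension, a comment saying so would save the next reader the same question. A small fix is an explicit `run_command('systemctl restart pe-puppetdb.service', $replica_puppetdb_target)` after the apply block, preceded by `# pe-puppetdb only reads certificate-allowlist at startup; restart so the new compiler is authorized`. The plan's parameter list begins outside the hunk, so I could not verify that `$avail_group_letter` is typed `Enum['A','B']`; if it is not, the default-less selector on the `$replica_avail_group_letter` line fails the plan with a generic selector error rather than a clear message, and a deployment with no replica leaves `$replica_puppetdb` undef, which the plan appears to rely on `peadm::flatten_compact` to tolerate.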
18 changes: 17 additions & 1 deletion spec/plans/add_compiler_spec.rb
Expand Up @@ -19,10 +19,24 @@ def allow_standard_non_returning_calls
}
end

let(:cfg) do
{
'params' => {
'primary_host' => 'primary'
},
'role-letter' => {
'server' => {
'A' => 'server_a',
'B' => 'server_b'
}
}
}
end
let(:certdata) { { 'certname' => 'primary', 'extensions' => { '1.3.6.1.4.1.34380.1.1.9813' => 'A' } } }

it 'runs successfully when no alt-names are specified' do
allow_standard_non_returning_calls
expect_task('peadm::get_peadm_config').always_return(cfg)
expect_plan('peadm::modify_certificate').always_return('mock' => 'mock')
expect_task('peadm::agent_install')
.with_params({ 'server' => 'primary',
Expand All @@ -35,6 +49,7 @@ def allow_standard_non_returning_calls
# ["--puppet-service-ensure", "stopped",
# "extension_requests:1.3.6.1.4.1.34380.1.3.13=pe_compiler", "extension_requests:1.3.6.1.4.1.34380.1.1.9813=A", "main:certname=compiler"], "server"=>"primary"}

expect_plan('peadm::util::sync_global_hiera').be_called_times(1)
expect(run_plan('peadm::add_compiler', params)).to be_ok
end

Expand All @@ -45,6 +60,7 @@ def allow_standard_non_returning_calls

it 'runs successfully when alt-names are specified' do
allow_standard_non_returning_calls
expect_task('peadm::get_peadm_config').always_return(cfg)
expect_plan('peadm::modify_certificate').always_return('mock' => 'mock')
expect_task('peadm::agent_install')
.with_params({ 'server' => 'primary',
Expand All @@ -53,7 +69,7 @@ def allow_standard_non_returning_calls
'--puppet-service-ensure', 'stopped',
'main:certname=compiler'
] })

expect_plan('peadm::util::sync_global_hiera').be_called_times(1)
expect(run_plan('peadm::add_compiler', params2)).to be_ok
end
end
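Review bot: Both examples stub `peadm::get_peadm_config` with a `cfg` whose `role-letter.server` always contains both `A` and `B`, so the new replica lookup in the plan is only exercised on the happy path; there is no example for a deployment without a replica, where the opposite letter is absent and the lookup yields undef, which is the case most likely to break the plan. Consider adding an example with `'server' => { 'A' => 'server_a' }` in `cfg` and asserting `expect(run_plan('peadm::add_compiler', params)).to be_ok` still holds, and, if `allow_standard_non_returning_calls` does not already swallow it, an `expect_apply`-style check that the allowlist apply targets `server_b` rather than the primary. Since `certdata` fixes the group letter to `A`, the `B` branch of the plan's selector is also untested. The enclosing `describe` block and the `params`/`params2` definitions start outside the hunk.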