
Commit 39e7708

committed
Provide more comments for clarity
1 parent feedad6 commit 39e7708


1 file changed

+13
-0
lines changed


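--- a/plans/subplans/prepare_agent.pp
+++ b/plans/subplans/prepare_agent.pp
@@ -31,6 +31,10 @@
 )
 } else {
 run_command('systemctl stop puppet.service', $agent_target)
+# If re-using a node which was previously part of the infrastructure then it
+# might have a bad configuration which will prevent it from reconfiguring. Best
+# example of this is a failed primary being added back into infrastructure as
+# a replica
 out::message('Ensuring node is set to query current primary for Puppet Agent operations')
 run_command("/opt/puppetlabs/bin/puppet config set --section main server ${primary_target.peadm::certname()}", $agent_target)
 run_command('/opt/puppetlabs/bin/puppet config delete --section agent server_list', $agent_target)
@@ -43,10 +47,17 @@
 # Obtain data about certificate from agent
 $certdata = run_task('peadm::cert_data', $agent_target).first.value
 
+# The invalid status is primarily serves as a way to catch revoked certificates.
+# A primary server is the only thing that can reliably identify if agent
+# certificates are revoked, if it is then skip the submit and sign process and
+# just got directly to forcing a regeneration.
 if ($certstatus['certificate-status'] == 'invalid') {
 $force_regenerate = true
 $skip_csr = true
 } else {
+# When the primary can't validate a certificate because it is missing but the
+# agent claims it has one, clean the agent to get to an agreed upon state
+# before moving onto the submit and sign process.
 if $certdata['certificate-exists'] and $certstatus['reason'] =~ /The private key is missing from/ {
 out::message("Agent: ${agent_target.peadm::certname()} has a local cert but Primary: ${primary_target.peadm::certname()} does not, force agent clean")
 run_task('peadm::ssl_clean', $agent_target, certname => $agent_target.peadm::certname())
@@ -68,6 +79,8 @@
 run_task('peadm::sign_csr', $primary_target, { 'certnames' => [$agent_target.peadm::certname()] } )
 }
 
+# If agent certificate is good but lacks appropriate extensions, plan will still
+# regenerate certificate
 run_plan('peadm::modify_certificate', $agent_target,
 primary_host => $primary_target.peadm::certname(),
 add_extensions => $certificate_extensions,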
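Review bot: The new comment block above the `certificate-status == 'invalid'` check in the second hunk has two wording slips that a later reader will take at face value: `# The invalid status is primarily serves as a way to catch revoked certificates.` should read `# The invalid status primarily serves as a way to catch revoked certificates.`, and `# just got directly to forcing a regeneration.` should be `# just go directly to forcing a regeneration.`. The comment added inside the `} else {` branch would also be more useful if it recorded that the branch is keyed on the exact wording of the primary's `reason` text (`=~ /The private key is missing from/`) rather than a status value, since that string is the contract the clean-up decision depends on; something like `# NOTE: keyed on the primary's human-readable reason text, not a status code — revisit if that message changes.` The enclosing conditional continues outside the hunk.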
