New changes

Author: petergmurphy

REFERENCE.md

@@ -60,6 +60,7 @@
 * [`backup_classification`](#backup_classification): A task to call the classification api and write to file
 * [`cert_data`](#cert_data): Return certificate data related to the Puppet agent
 * [`cert_valid_status`](#cert_valid_status): Check primary for valid state of a certificate
+* [`check_pe_master_rules`](#check_pe_master_rules): Checks if the PE Master group rules have already been updated to support 'pe_compiler_legacy' as a pp_auth_role
 * [`classify_compilers`](#classify_compilers): Classify compilers as legacy or non-legacy
 * [`code_manager`](#code_manager): Perform various code manager actions
 * [`code_manager_enabled`](#code_manager_enabled): Run on a PE primary node to check if Code Manager is enabled.
@@ -91,6 +92,7 @@
 * [`ssl_clean`](#ssl_clean): Clean an agent's certificate
 * [`submit_csr`](#submit_csr): Submit a certificate signing request
 * [`transform_classification_groups`](#transform_classification_groups): Transform the user groups from a source backup to a list of groups on the target server
+* [`update_pe_master_rules`](#update_pe_master_rules): Updates the PE Master group rules to replace pe_compiler with a regex match for any pe_compiler role
 * [`validate_rbac_token`](#validate_rbac_token): Check an RBAC token stored in a file is valid
 * [`wait_until_service_ready`](#wait_until_service_ready): Return when the orchestrator service is healthy, or timeout after 15 seconds
 
@@ -130,7 +132,6 @@ Supported use cases:
 * `peadm::subplans::modify_certificate`
 * `peadm::subplans::prepare_agent`
 * `peadm::uninstall`: Single-entry-point plan for uninstalling Puppet Enterprise
-* `peadm::update_compiler_extensions`
 * `peadm::util::code_sync_status`
 * `peadm::util::copy_file`
 * `peadm::util::db_disable_pglogical`
@@ -1111,6 +1112,12 @@ Data type: `String`
 
 The certifcate name to check validation of
 
+### <a name="check_pe_master_rules"></a>`check_pe_master_rules`
+
+Checks if the PE Master group rules have already been updated to support 'pe_compiler_legacy' as a pp_auth_role
+
+**Supports noop?** false
+
 ### <a name="classify_compilers"></a>`classify_compilers`
 
 Classify compilers as legacy or non-legacy
@@ -1643,6 +1650,12 @@ Data type: `String`
 
 Location of target node group yaml file and where to create the transformed file
 
+### <a name="update_pe_master_rules"></a>`update_pe_master_rules`
+
+Updates the PE Master group rules to replace pe_compiler with a regex match for any pe_compiler role
+
+**Supports noop?** false
+
 ### <a name="validate_rbac_token"></a>`validate_rbac_token`
 
 Check an RBAC token stored in a file is valid

manifests/setup/legacy_compiler_group.pp

@@ -10,15 +10,13 @@
 
   node_group { 'PE Legacy Compiler':
     ensure         => 'present',
-    parent         => 'PE Infrastructure',
+    parent         => 'PE Master',
     purge_behavior => 'rule',
     rule           => ['=', ['trusted', 'extensions', 'pp_auth_role'], 'pe_compiler_legacy'],
     classes        => {
-      'puppet_enterprise::profile::master' => {
-        'puppetdb_host'               => [$internal_compiler_a_pool_address, $internal_compiler_b_pool_address].filter |$_| { $_ },
-        'puppetdb_port'               => [8081],
-        'replication_mode'            => 'none',
-        'code_manager_auto_configure' => true,
+      'puppet_enterprise::profile::master'   => {
+        'puppetdb_host' => [$internal_compiler_a_pool_address, $internal_compiler_b_pool_address].filter |$_| { $_ },
+        'puppetdb_port' => [8081],
       },
     },
   }

plans/add_compilers.pp

@@ -16,6 +16,12 @@
   $compiler_targets          = peadm::get_targets($compiler_hosts)
   $primary_target            = peadm::get_targets($primary_host, 1)
 
+  # Check if PE Master rules have been updated to support pe_compiler_legacy
+  $rules_check = run_task('peadm::check_pe_master_rules', $primary_host).first.value
+  unless $rules_check['updated'] {
+    fail_plan('Please run the Convert plan to convert your Puppet infrastructure to be managed by this version of PEADM.')
+  }
+
   # Get current peadm config to determine where to setup additional rules for
   # compiler's secondary PuppetDB instances
   $peadm_config = run_task('peadm::get_peadm_config', $primary_target).first.value

plans/convert.pp

@@ -60,6 +60,48 @@
 
   out::message('# Gathering information')
 
+  $cert_extensions_temp = run_task('peadm::cert_data', $all_targets).reduce({}) |$memo,$result| {
+    $memo + { $result.target.peadm::certname() => $result['extensions'] }
+  }
+
+  # Add legacy compiler role to compilers that are missing it
+  $compilers_with_legacy_compiler_flag = $cert_extensions_temp.filter |$name,$exts| {
+    ($name in $compiler_targets.map |$t| { $t.name } or $name in $legacy_compiler_targets.map |$t| { $t.name }) and
+    ($exts[peadm::oid('peadm_legacy_compiler')] != undef)
+  }
+
+  if $compilers_with_legacy_compiler_flag.size > 0 {
+    $legacy_compilers_with_flag = $compilers_with_legacy_compiler_flag.filter |$name,$exts| {
+      $exts[peadm::oid('peadm_legacy_compiler')] == 'true'
+    }.keys
+
+    $modern_compilers_with_flag = $compilers_with_legacy_compiler_flag.filter |$name,$exts| {
+      $exts[peadm::oid('peadm_legacy_compiler')] == 'false'
+    }.keys
+
+    if $modern_compilers_with_flag.size > 0 {
+      run_plan('peadm::modify_certificate', $modern_compilers_with_flag,
+        primary_host   => $primary_target,
+        remove_extensions => [peadm::oid('peadm_legacy_compiler')],
+      )
+    }
+
+    if $legacy_compilers_with_flag.size > 0 {
+      run_plan('peadm::modify_certificate', $legacy_compilers_with_flag,
+        primary_host   => $primary_target,
+        add_extensions => {
+          'pp_auth_role' => 'pe_compiler_legacy',
+        },
+        remove_extensions => [peadm::oid('peadm_legacy_compiler'), peadm::oid('pp_auth_role')],
+      )
+    }
+
+    run_task('peadm::puppet_runonce', peadm::flatten_compact([
+          $compiler_targets,
+          $legacy_compiler_targets,
+    ]))
+  }
+
   # Get trusted fact information for all compilers. Use peadm::certname() as
   # the hash key because the apply block below will break trying to parse the
   # $compiler_extensions variable if it has Target-type hash keys.
@@ -318,6 +360,9 @@
       run_command('systemctl restart pe-puppetserver.service pe-puppetdb.service', $compiler_targets)
     }
 
+    # Update PE Master rules to support legacy compilers
+    run_task('peadm::update_pe_master_rules', $primary_target)
+
     # Run puppet on all targets again to ensure everything is fully up-to-date
     run_task('peadm::puppet_runonce', $all_targets)
   }
@@ -333,7 +378,5 @@
 # lint:endignore
   }
 
-  run_task('peadm::update_pe_master_rules', $primary_target)
-
   return("Conversion to peadm Puppet Enterprise ${arch['architecture']} completed.")
 }

plans/convert_compiler_to_legacy.pp

@@ -7,6 +7,12 @@
   $primary_target            = peadm::get_targets($primary_host, 1)
   $convert_legacy_compiler_targets   = peadm::get_targets($legacy_hosts)
 
+  # Check if PE Master rules have been updated to support pe_compiler_legacy
+  $rules_check = run_task('peadm::check_pe_master_rules', $primary_target).first.value
+  unless $rules_check['updated'] {
+    fail_plan('Please run the Convert plan to convert your Puppet infrastructure to be managed by this version of PEADM.')
+  }
+
   $cluster = run_task('peadm::get_peadm_config', $primary_host).first.value
   $error = getvar('cluster.error')
   if $error {

plans/install.pp

@@ -143,8 +143,6 @@
     final_agent_state                => $final_agent_state,
   )
 
-  run_task('peadm::update_pe_master_rules', $primary_host)
-
   # Return a string banner reporting on what was done
   return([$install_result, $configure_result])
 }

plans/subplans/configure.pp

@@ -174,5 +174,9 @@
         $legacy_compiler_targets,
   ]))
 
+  # Update PE Master rules to support legacy compilers
+  run_task('peadm::update_pe_master_rules', $primary_host)
+  run_task('peadm::puppet_runonce', $legacy_compiler_targets)
+
   return("Configuration of Puppet Enterprise ${arch['architecture']} succeeded.")
 }

plans/update_compiler_extensions.pp

@@ -146,41 +146,12 @@
     ($exts[peadm::oid('peadm_legacy_compiler')] != undef)
   }
 
-  run_task('peadm::update_pe_master_rules', $primary_target)
-
   if $compilers_with_legacy_compiler_flag.size > 0 {
-    $legacy_compilers = $compilers_with_legacy_compiler_flag.filter |$name,$exts| {
-      $exts[peadm::oid('peadm_legacy_compiler')] == 'true'
-    }.keys
-
-    $modern_compilers = $compilers_with_legacy_compiler_flag.filter |$name,$exts| {
-      $exts[peadm::oid('peadm_legacy_compiler')] == 'false'
-    }.keys
-
-    if $modern_compilers.size > 0 {
-      out::message('MODERN COMPILERS: Beginning removal of legacy compiler flag')
-      out::message($modern_compilers)
-      run_plan('peadm::modify_certificate', $modern_compilers,
-        primary_host   => $primary_target,
-        remove_extensions => [peadm::oid('peadm_legacy_compiler')],
-      )
-      out::message('MODERN COMPILERS: Removed legacy compiler flag')
-    }
-
-    if $legacy_compilers.size > 0 {
-      out::message('LEGACY COMPILERS: Beginning addition of legacy compiler role and removal of legacy compiler flag')
-      out::message($legacy_compilers)
-      run_plan('peadm::modify_certificate', $legacy_compilers,
-        primary_host   => $primary_target,
-        add_extensions => {
-          'pp_auth_role' => 'pe_compiler_legacy',
-        },
-        remove_extensions => [peadm::oid('peadm_legacy_compiler'), peadm::oid('pp_auth_role')],
-      )
-      out::message('LEGACY COMPILERS: Added legacy compiler role and removed legacy compiler flag')
-    }
+    fail_plan('Please run the Convert plan to convert your Puppet infrastructure to be managed by this version of PEADM.')
   }
 
+  run_task('peadm::update_pe_master_rules', $primary_target)
+
   # Gather certificate extension information from all systems
   $cert_extensions = run_task('peadm::cert_data', $all_targets).reduce({}) |$memo,$result| {
     $memo + { $result.target.peadm::certname => $result['extensions'] }

plans/upgrade.pp

@@ -0,0 +1,24 @@
+{
+  "description": "Checks if the PE Master group rules have already been updated to support 'pe_compiler_legacy' as a pp_auth_role",
+  "input_method": "stdin",
+  "private": true,
+  "implementations": [
+    {"name": "check_pe_master_rules.rb"}
+  ],
+  "parameters": {},
+  "supports_noop": false,
+  "output": {
+    "updated": {
+      "description": "Whether the PE Master rules have already been updated",
+      "type": "Boolean"
+    },
+    "message": {
+      "description": "A message describing the current state of the PE Master rules",
+      "type": "String"
+    },
+    "error": {
+      "description": "Error message if the task failed",
+      "type": "Optional[String]"
+    }
+  }
+}