PE-38801 Task added to fetch rules for PE Infrastructure Agent group and warn user that they will be replaced during convert and upgrade (#510)

Author: AaronShannon

REFERENCE.md

@@ -64,6 +64,7 @@
 * [`download`](#download): Download a file using curl
 * [`enable_replica`](#enable_replica): Execute the enable replica puppet command
 * [`filesize`](#filesize): Return the size of a file in bytes
+* [`get_group_rules`](#get_group_rules): Run on a PE primary node to return the rules currently applied to the PE Infrastructure Agent group
 * [`get_peadm_config`](#get_peadm_config): Run on a PE primary node to return the currently configured PEAdm parameters
 * [`get_psql_version`](#get_psql_version): Run on a PE PSQL node to return the major version of the PSQL server currently installed
 * [`infrastatus`](#infrastatus): Runs puppet infra status and returns the output
@@ -1185,6 +1186,12 @@ Data type: `String`
 
 Path to the file to return the size of
 
+### <a name="get_group_rules"></a>`get_group_rules`
+
+Run on a PE primary node to return the rules currently applied to the PE Infrastructure Agent group
+
+**Supports noop?** false
+
 ### <a name="get_peadm_config"></a>`get_peadm_config`
 
 Run on a PE primary node to return the currently configured PEAdm parameters

plans/convert.pp

@@ -261,6 +261,10 @@
     # the existing groups are correct enough to function until the upgrade is
     # performed.
     if (versioncmp($pe_version, '2019.7.0') >= 0) {
+      $rules = run_task('peadm::get_group_rules', $primary_target).first.value['_output']
+      $rules_formatted = stdlib::to_json_pretty(parsejson($rules))
+      out::message("WARNING: The following existing rules on the PE Infrastructure Agent group will be overwritten with default values:\n ${rules_formatted}")
+
       apply($primary_target) {
         class { 'peadm::setup::node_manager_yaml':
           primary_host => $primary_target.peadm::certname(),

plans/upgrade.pp

@@ -326,6 +326,10 @@
       default                                      => $primary_postgresql_target.peadm::certname(),
     }
 
+    $rules = run_task('peadm::get_group_rules', $primary_target).first.value['_output']
+    $rules_formatted = stdlib::to_json_pretty(parsejson($rules))
+    out::message("WARNING: The following existing rules on the PE Infrastructure Agent group will be overwritten with default values:\n ${rules_formatted}")
+
     apply($primary_target) {
       class { 'peadm::setup::node_manager_yaml':
         primary_host => $primary_target.peadm::certname(),

spec/plans/convert_spec.rb

@@ -20,6 +20,7 @@
 
     expect_task('peadm::cert_data').return_for_targets('primary' => trustedjson)
     expect_task('peadm::read_file').always_return({ 'content' => '2021.7.9' })
+    expect_task('peadm::get_group_rules').return_for_targets('primary' => { '_output' => '{"rules": []}' })
 
     # For some reason, expect_plan() was not working??
     allow_plan('peadm::modify_certificate').always_return({})

spec/plans/upgrade_spec.rb

@@ -22,6 +22,7 @@ def allow_standard_non_returning_calls
 
   it 'minimum variables to run' do
     allow_standard_non_returning_calls
+    expect_task('peadm::get_group_rules').return_for_targets('primary' => { '_output' => '{"rules": []}' })
 
     expect_task('peadm::read_file')
       .with_params('path' => '/opt/puppetlabs/server/pe_build')
@@ -36,6 +37,7 @@ def allow_standard_non_returning_calls
 
   it 'runs with a primary, compilers, but no replica' do
     allow_standard_non_returning_calls
+    expect_task('peadm::get_group_rules').return_for_targets('primary' => { '_output' => '{"rules": []}' })
 
     expect_task('peadm::read_file')
       .with_params('path' => '/opt/puppetlabs/server/pe_build')
@@ -92,6 +94,7 @@ def allow_standard_non_returning_calls
         .always_return({ 'content' => installed_version })
 
       expect_task('peadm::cert_data').return_for_targets('primary' => trusted_primary)
+      expect_task('peadm::get_group_rules').return_for_targets('primary' => { '_output' => '{"rules": []}' })
     end
 
     it 'updates pe.conf if r10k_known_hosts is set' do

tasks/get_group_rules.json

@@ -0,0 +1,5 @@
+{
+  "description": "Run on a PE primary node to return the rules currently applied to the PE Infrastructure Agent group",
+  "parameters": { },
+  "input_method": "stdin"
+}

tasks/get_group_rules.rb

@@ -0,0 +1,42 @@
+#!/opt/puppetlabs/puppet/bin/ruby
+# frozen_string_literal: true
+
+require 'json'
+require 'net/http'
+require 'puppet'
+
+# GetInfrastructureAgentGroupRules task class
+class GetInfrastructureAgentGroupRules
+  def execute!
+    infrastructure_agent_group = groups.find { |obj| obj['name'] == 'PE Infrastructure Agent' }
+    if infrastructure_agent_group
+      puts JSON.pretty_generate(infrastructure_agent_group['rule'])
+    else
+      puts JSON.pretty_generate({ 'error' => 'PE Infrastructure Agent group does not exist' })
+    end
+  end
+
+  def groups
+    net = https(4433)
+    res = net.get('/classifier-api/v1/groups')
+    JSON.parse(res.body)
+  end
+
+  def https(port)
+    https = Net::HTTP.new(Puppet.settings[:certname], port)
+    https.use_ssl = true
+    https.cert = OpenSSL::X509::Certificate.new(File.read(Puppet.settings[:hostcert]))
+    https.key = OpenSSL::PKey::RSA.new(File.read(Puppet.settings[:hostprivkey]))
+    https.verify_mode = OpenSSL::SSL::VERIFY_PEER
+    https.ca_file = Puppet.settings[:localcacert]
+    https
+  end
+end
+
+# Run the task unless an environment flag has been set, signaling not to. The
+# environment flag is used to disable auto-execution and enable Ruby unit
+# testing of this task.
+unless ENV['RSPEC_UNIT_TEST_MODE']
+  Puppet.initialize_settings
+  GetInfrastructureAgentGroupRules.new.execute!
+end