Ensure using correct primary

ody · ody · commit d9df0388b556 · 2022-05-31T20:50:14.000Z
When reusing failed infrastructure components they may be configured for
a different primary then is current and have an old certificate
revacation list. Commit ensures that agent configuration is updated for
the current primary and fetches CRL from that primary.

Includes a little cleanup lifted from the add_compiler plan.
diff --git a/plans/add_replica.pp b/plans/add_replica.pp
@@ -26,6 +26,11 @@
   $replica_target             = peadm::get_targets($replica_host, 1)
   $replica_postgresql_target  = peadm::get_targets($replica_postgresql_host, 1)
 
+  run_command('systemctl stop puppet.service', peadm::flatten_compact([
+    $primary_target,
+    $replica_postgresql_target,
+  ]))
+
   $certdata = run_task('peadm::cert_data', $primary_target).first.value
   $primary_avail_group_letter = $certdata['extensions'][peadm::oid('peadm_availability_group')]
   $replica_avail_group_letter = $primary_avail_group_letter ? { 'A' => 'B', 'B' => 'A' }
@@ -51,27 +56,22 @@
   #  pe-puppetdb-pe-puppetdb-map <replacement-replica-fqdn> pe-puppetdb
   #  pe-puppetdb-pe-puppetdb-migrator-map <replacement-replica-fqdn> pe-puppetdb-migrator
   apply($replica_postgresql_target) {
-    service { 'puppet':
-      ensure => stopped,
-      before => File_line['puppetdb-map', 'migrator-map'],
-    }
-
-    file_line { 'puppetdb-map':
+    file_line { 'pe-puppetdb-pe-puppetdb-map':
       path => '/opt/puppetlabs/server/data/postgresql/11/data/pg_ident.conf',
       line => "pe-puppetdb-pe-puppetdb-map ${replica_target.peadm::certname()} pe-puppetdb",
     }
-
-    file_line { 'migrator-map':
+    file_line { 'pe-puppetdb-pe-puppetdb-migrator-map':
       path => '/opt/puppetlabs/server/data/postgresql/11/data/pg_ident.conf',
       line => "pe-puppetdb-pe-puppetdb-migrator-map ${replica_target.peadm::certname()} pe-puppetdb-migrator",
     }
-
-    service { 'pe-postgresql':
-      ensure    => running,
-      subscribe => File_line['puppetdb-map', 'migrator-map'],
+    file_line { 'pe-puppetdb-pe-puppetdb-read-map':
+      path => '/opt/puppetlabs/server/data/postgresql/11/data/pg_ident.conf',
+      line => "pe-puppetdb-pe-puppetdb-read-map ${replica_target.peadm::certname()} pe-puppetdb-read",
     }
   }
 
+  run_command('systemctl reload pe-postgresql.service', $replica_postgresql_target)
+
   run_plan('peadm::util::update_classification', $primary_target,
     server_a_host                    => $replica_avail_group_letter ? { 'A' => $replica_host, default => undef },
     server_b_host                    => $replica_avail_group_letter ? { 'B' => $replica_host, default => undef },
@@ -90,8 +90,12 @@
     legacy     => true,
   )
 
-  # start puppet service on postgresql host
-  run_command('systemctl start puppet.service', $replica_postgresql_target)
+  # start puppet service
+  run_command('systemctl start puppet.service', peadm::flatten_compact([
+    $primary_target,
+    $replica_postgresql_target,
+    $replica_target
+  ]))
 
   return("Added replica ${replica_target}")
 }
diff --git a/plans/subplans/modify_certificate.pp b/plans/subplans/modify_certificate.pp
@@ -34,6 +34,7 @@
       ($desired_alt_names == $existing_alt_names) and
       ($desired_exts.all |$key,$val| { $existing_exts[$key] == $val }) and
       !($remove_extensions.any |$key| { $key in $existing_exts.keys }) and
+      !$certdata['certificate-revoked'] and
       !$force_regenerate)
   {
     out::message("${certname} already has requested modifications; certificate will not be re-issued")
diff --git a/plans/subplans/prepare_agent.pp b/plans/subplans/prepare_agent.pp
@@ -29,6 +29,11 @@
         "main:certname=${agent_target.peadm::certname()}",
       ],
     )
+  } else {
+    run_command('systemctl stop puppet.service', $agent_target)
+    out::message('Ensuring node is set to query current primary for Puppet Agent operations')
+    run_command("/opt/puppetlabs/bin/puppet config set --section main server ${primary_target.peadm::certname()}", $agent_target)
+    run_command('/opt/puppetlabs/bin/puppet config delete --section agent server_list', $agent_target)
   }
 
   # Ensures scenarios where agent was pre-installed but never on-boarding and

Original file line number	Diff line number	Diff line change
`@@ -34,6 +34,7 @@`
`34`	`34`	`($desired_alt_names == $existing_alt_names) and`
`35`	`35`	`($desired_exts.all \|$key,$val\| { $existing_exts[$key] == $val }) and`
`36`	`36`	`!($remove_extensions.any \|$key\| { $key in $existing_exts.keys }) and`
	`37`	`+ !$certdata['certificate-revoked'] and`
`37`	`38`	`!$force_regenerate)`
`38`	`39`	`{`
`39`	`40`	`out::message("${certname} already has requested modifications; certificate will not be re-issued")`
Original file line number	Diff line number	Diff line change
`@@ -29,6 +29,11 @@`
`29`	`29`	`"main:certname=${agent_target.peadm::certname()}",`
`30`	`30`	`],`
`31`	`31`	`)`
	`32`	`+ } else {`
	`33`	`+ run_command('systemctl stop puppet.service', $agent_target)`
	`34`	`+ out::message('Ensuring node is set to query current primary for Puppet Agent operations')`
	`35`	`+ run_command("/opt/puppetlabs/bin/puppet config set --section main server ${primary_target.peadm::certname()}", $agent_target)`
	`36`	`+ run_command('/opt/puppetlabs/bin/puppet config delete --section agent server_list', $agent_target)`
`32`	`37`	`}`
`33`	`38`
`34`	`39`	`# Ensures scenarios where agent was pre-installed but never on-boarding and`