Expand scenario where clean failure is acceptable

ody · ody · commit ebb96d16797f · 2022-05-31T20:50:14.000Z
Acceptable failures when running clean on a primary expanded to address
scenarios where an infrastructure component is cleaned by another
process, e.g. puppet infrastructure forget
diff --git a/plans/subplans/modify_certificate.pp b/plans/subplans/modify_certificate.pp
@@ -21,8 +21,6 @@
   $certdata = run_task('peadm::cert_data', $target).first.value
   $certname = $certdata['certname']
 
-
-
   $target_is_primary = ($certname == $primary_certname)
 
   # These vars represent what the extensions currently are, vs. what they should be
@@ -68,13 +66,13 @@
     # fail the plan unless it's a known circumstance in which it's okay to proceed.
     # Scenario 1: the primary's cert can't be cleaned because it's already revoked.
     # Scenario 2: the primary's cert can't be cleaned because it's been deleted.
-    # Scenario 3: a component's cert can't be cleaned because it was previously by some other function.
+    # Scenario 3: any component's cert can't be cleaned because it's been deleted.
     unless ($target_is_primary and
             ($ca_clean_result[merged_output] =~ /certificate revoked/ or
-              $ca_clean_result[merged_output] =~ /Could not find 'hostcert'/ or
-                $ca_clean_result[merged_output] =~ /Could not find files to clean/))
+              $ca_clean_result[merged_output] =~ /Could not find 'hostcert'/)) or
+                ($ca_clean_result[merged_output] =~ /Could not find files to clean/)
     {
-      fail_plan($ca_clean_result)
+      fail_plan($ca_clean_result[merged_output])
     }
   }
 
diff --git a/plans/subplans/prepare_agent.pp b/plans/subplans/prepare_agent.pp
@@ -40,13 +40,19 @@
   $certstatus = run_task('peadm::cert_valid_status', $primary_target,
     certname => $agent_target.peadm::certname()).first.value
 
+  # Obtain data about certificate from agent
+  $certdata = run_task('peadm::cert_data', $agent_target).first.value
+
   if ($certstatus['certificate-status'] == 'invalid') {
     $force_regenerate = true
     $skip_csr = true
   } else {
+    if $certdata['certificate-exists'] and $certstatus['reason'] =~ /The private key is missing from/ {
+      out::message("Agent: ${agent_target.peadm::certname()} has a local cert but Primary: ${primary_target.peadm::certname()} does not, force agent clean")
+      run_task('peadm::ssl_clean', $agent_target, certname => $agent_target.peadm::certname())
+    }
     $force_regenerate = false
     $skip_csr = false
-
   }
 
   # Ensures scenarios where agent was pre-installed but never on-boarding and
