Solarch-564 adding plan to backup data (#226)

davidsandilands · reidmv · web-flow · commit f5cef7a76cb4 · 2022-01-24T08:44:09.000-08:00
* (SOLARCH-564) first shot at returning node classification * (SOLARCH-564) mistake on default string * (SOLARCH-564) extra bracket * (SOLARCH-564) cat walked over keyboard and added S to line * (SOLARCH-564) missed out the unless which actually runs it * (SOLARCH-564) missing an end * (SOLARCH-564) adjusting message string to sub in variavble correctly * (SOLARCH-564) changing variable choice to directory and not file name for simplicity * (SOLARCH-564) correcting the string * (SOLARCH-564) correcting variable name * (SOLARCH-564) correcting variable * (SOLARCH-564) correcting string * (SOLARCH-564) correcting comment * (SOLARCH-564) changing to a patter to check it starts and ends with a / * (SOLARCH-564) first draft of plan * SOLARCH-564 test running simply classification and cert backup * SOLARCH-564 removing over complication of type * SOLARCH-564 correcting linting error and variable error * SOLARCH-564 testing database backup command * (SOLARCH-564) missing a target * (SOLARCH-564) testing a lamda of database selection and names * SOLARCH-564 corrected database to backup array * SOLARCH-564 correcting type * SOLARCH-564 changing to allow backup on postgres external db * SOLARCH-564 correcting primary host * (SOLARCH-564) changing directory to not end with a slash * (SOLARCH-564) changing path to absolutepath to check its a valid directory * (SOLARCH-564) wasn't thinking just keep it as a string * (SOLARCH-564) adding basic plan testing and correcting a lint error * (SOLARCH-716) updated default version to latest LTS .8 * (SOLARCH-716) updated peadm to be compatible with 2.x puppetlabs/service * Fix failing table output tests The gem was updated and the output format changed slightly. These tests should probably just be removed; they are too exact and finicky. * Update plans/backup.pp Change backup to output directory for better naming Co-authored-by: Reid Vandewiele <reid@puppet.com> * Update plans/backup.pp Changing variable name Co-authored-by: Reid Vandewiele <reid@puppet.com> * Update plans/backup.pp Changing variable name Co-authored-by: Reid Vandewiele <reid@puppet.com> * Update plans/backup.pp Changing variable name Co-authored-by: Reid Vandewiele <reid@puppet.com> * (SOLARCH-564) first shot at returning node classification * (SOLARCH-564) mistake on default string * (SOLARCH-564) extra bracket * (SOLARCH-564) cat walked over keyboard and added S to line * (SOLARCH-564) missed out the unless which actually runs it * (SOLARCH-564) missing an end * (SOLARCH-564) adjusting message string to sub in variavble correctly * (SOLARCH-564) changing variable choice to directory and not file name for simplicity * (SOLARCH-564) correcting the string * (SOLARCH-564) correcting variable name * (SOLARCH-564) correcting variable * (SOLARCH-564) correcting string * (SOLARCH-564) correcting comment * (SOLARCH-564) changing to a patter to check it starts and ends with a / * (SOLARCH-564) first draft of plan * SOLARCH-564 test running simply classification and cert backup * SOLARCH-564 removing over complication of type * SOLARCH-564 correcting linting error and variable error * SOLARCH-564 testing database backup command * (SOLARCH-564) missing a target * (SOLARCH-564) testing a lamda of database selection and names * SOLARCH-564 corrected database to backup array * SOLARCH-564 correcting type * SOLARCH-564 changing to allow backup on postgres external db * SOLARCH-564 correcting primary host * (SOLARCH-564) changing directory to not end with a slash * (SOLARCH-564) changing path to absolutepath to check its a valid directory * (SOLARCH-564) wasn't thinking just keep it as a string * (SOLARCH-564) adding basic plan testing and correcting a lint error * Update plans/backup.pp Change backup to output directory for better naming Co-authored-by: Reid Vandewiele <reid@puppet.com> * Update plans/backup.pp Changing variable name Co-authored-by: Reid Vandewiele <reid@puppet.com> * Update plans/backup.pp Changing variable name Co-authored-by: Reid Vandewiele <reid@puppet.com> * Update plans/backup.pp Changing variable name Co-authored-by: Reid Vandewiele <reid@puppet.com> * (SOLARCH-564) adding in creation of backup directory via apply * (SOLARCH-564) updating for all backups to go to backup directory * (SOLARCH-564) add time to allow multiple backups on a day * (SOLARCH-564) making dates consistent * (SOLARCH-564) updated with secret keys for ldap and orchestrator and fixed remote puppetdb backup * (SOLARCH-564) updating to output if test failed * (SOLARCH-564) removing needless comma * (SOLARCH-564) dropped part of key names in error * (SOLARCH-564) inserting deliberate error to test exit code * (SOLARCH-564) changing approach so it exits properly * (SOLARCH-564) test succesful for failure correcting to correct certificate * (SOLARCH-564) fixing plan spec with limitiation of timestamps * (SOLARCH-564) backup classification was in error using server status API * (solarch-564) removing parsing Co-authored-by: Reid Vandewiele <reid@puppet.com>
diff --git a/plans/backup.pp b/plans/backup.pp
@@ -0,0 +1,87 @@
+# @summary Backup the core user settings for puppet infrastructure
+#
+# This plan can backup data as outlined at insert doc 
+# 
+plan peadm::backup (
+  # Standard
+  Peadm::SingleTargetSpec           $primary_host,
+  Optional[Peadm::SingleTargetSpec] $replica_host            = undef,
+
+  # Large
+  Optional[TargetSpec]              $compiler_hosts          = undef,
+
+  # Extra Large
+  Optional[Peadm::SingleTargetSpec] $primary_postgresql_host = undef,
+  Optional[Peadm::SingleTargetSpec] $replica_postgresql_host = undef,
+
+  # Which data to backup
+  Boolean                            $backup_orchestrator    = true,
+  Boolean                            $backup_rbac            = true,
+  Boolean                            $backup_activity        = true,
+  Boolean                            $backup_ca_ssl          = true,
+  Boolean                            $backup_puppetdb        = false,
+  Boolean                            $backup_classification  = true,
+  String                             $output_directory       = '/tmp',
+){
+
+  $timestamp = Timestamp.new().strftime('%F_%T')
+  $backup_directory = "${output_directory}/pe-backup-${timestamp}"
+  # Create backup folder
+  apply_prep($primary_host)
+  apply($primary_host){
+    file { $backup_directory :
+      ensure => 'directory',
+      owner  => 'root',
+      group  => 'pe-postgres',
+      mode   => '0770'
+    }
+  }
+  # Create an array of the names of databases and whether they have to be backed up to use in a lambda later
+  $database_to_backup = [ $backup_orchestrator, $backup_activity, $backup_rbac, $backup_puppetdb]
+  $database_names     = [ 'pe-orchestrator' , 'pe-activity' , 'pe-rbac' , 'pe-puppetdb' ]
+
+  peadm::assert_supported_bolt_version()
+
+  # Ensure input valid for a supported architecture
+  $arch = peadm::assert_supported_architecture(
+    $primary_host,
+    $replica_host,
+    $primary_postgresql_host,
+    $replica_postgresql_host,
+    $compiler_hosts,
+  )
+
+  if $backup_classification {
+    out::message('# Backing up classification')
+    run_task('peadm::backup_classification', $primary_host,
+    directory => $backup_directory,
+    )
+  }
+
+  if $backup_ca_ssl {
+    out::message('# Backing up ca and ssl certificates')
+    run_command("/opt/puppetlabs/bin/puppet-backup create --dir=${backup_directory} --scope=certs", $primary_host)
+  }
+
+  # Check if /etc/puppetlabs/console-services/conf.d/secrets/keys.json exists and if so back it up
+  out::message('# Backing up ldap secret key if it exists')
+  run_command("test -f /etc/puppetlabs/console-services/conf.d/secrets/keys.json && cp -rp /etc/puppetlabs/console-services/conf.d/secrets/keys.json ${backup_directory} || echo secret ldap key doesnt exist" , $primary_host) # lint:ignore:140chars
+
+  # IF backing up orchestrator back up the secrets too /etc/puppetlabs/orchestration-services/conf.d/secrets/
+  if $backup_orchestrator {
+    out::message('# Backing up orchestrator secret keys')
+    run_command("cp -rp /etc/puppetlabs/orchestration-services/conf.d/secrets ${backup_directory}/", $primary_host)
+  }
+
+  $database_to_backup.each |Integer $index, Boolean $value | {
+    if $value {
+    out::message("# Backing up database ${database_names[$index]}")
+      # If the primary postgresql host is set then pe-puppetdb needs to be remotely backed up to primary.
+      if $database_names[$index] == 'pe-puppetdb' and $primary_postgresql_host {
+        run_command("sudo -u pe-puppetdb /opt/puppetlabs/server/bin/pg_dump \"sslmode=verify-ca host=${primary_postgresql_host} sslcert=/etc/puppetlabs/puppetdb/ssl/${primary_host}.cert.pem sslkey=/etc/puppetlabs/puppetdb/ssl/${primary_host}.private_key.pem sslrootcert=/etc/puppetlabs/puppet/ssl/certs/ca.pem dbname=pe-puppetdb\" -f /tmp/puppetdb_$(date +%F_%T).bin" , $primary_host) # lint:ignore:140chars
+      } else {
+        run_command("sudo -u pe-postgres /opt/puppetlabs/server/bin/pg_dump -Fc \"${database_names[$index]}\" -f \"${backup_directory}/${database_names[$index]}_$(date +%F_%T).bin\"" , $primary_host) # lint:ignore:140chars
+      }
+    }
+  }
+}
diff --git a/spec/plans/backup_spec.rb b/spec/plans/backup_spec.rb
@@ -0,0 +1,20 @@
+require 'spec_helper'
+
+describe 'peadm::backup' do
+  include BoltSpec::Plans
+  let(:params) { { 'primary_host' => 'primary' } }
+
+  it 'runs with default params' do
+    allow_apply_prep
+    allow_apply
+    expect_out_message.with_params('# Backing up ca and ssl certificates')
+    # The commands all have a timestamp in them and frankly its prooved to hard with bolt spec to work this out
+    allow_any_command
+    expect_out_message.with_params('# Backing up database pe-orchestrator')
+    expect_out_message.with_params('# Backing up database pe-activity')
+    expect_out_message.with_params('# Backing up database pe-rbac')
+    expect_out_message.with_params('# Backing up classification')
+    expect_task('peadm::backup_classification')
+    expect(run_plan('peadm::backup', params)).to be_ok
+  end
+end
diff --git a/tasks/backup_classification.json b/tasks/backup_classification.json
@@ -0,0 +1,13 @@
+{
+  "puppet_task_version": 1,
+  "supports_noop": false,
+  "description": "A task to call the classification api and write to file",
+  "parameters": {
+    "directory": {
+      "type": "String",
+      "description": "The directory to write the classification output to. Directory must exist",
+      "default": "/tmp"
+    }
+  },
+  "input_method": "stdin"
+}
diff --git a/tasks/backup_classification.rb b/tasks/backup_classification.rb
@@ -0,0 +1,45 @@
+#!/opt/puppetlabs/puppet/bin/ruby
+
+# Puppet Task Name: backup_classification
+require 'net/https'
+require 'uri'
+require 'json'
+require 'puppet'
+
+# BackupClassiciation task class
+class BackupClassification
+  def initialize(params)
+    @params = params
+  end
+
+  def execute!
+    File.write("#{@params['directory']}/classification_backup.json", return_classification)
+    puts "Classification written to #{@params['directory']}/classification_backup.json"
+  end
+
+  private
+
+  def https_client
+    client = Net::HTTP.new('localhost', '4433')
+    client.use_ssl = true
+    client.cert = @cert ||= OpenSSL::X509::Certificate.new(File.read(Puppet.settings[:hostcert]))
+    client.key = @key ||= OpenSSL::PKey::RSA.new(File.read(Puppet.settings[:hostprivkey]))
+    client.verify_mode = OpenSSL::SSL::VERIFY_NONE
+    client
+  end
+
+  def return_classification
+    classification = https_client
+    classification_request = Net::HTTP::Get.new('/classifier-api/v1/groups')
+
+    classification.request(classification_request).body
+  end
+end
+# Run the task unless an environment flag has been set, signaling not to. The
+# environment flag is used to disable auto-execution and enable Ruby unit
+# testing of this task.
+unless ENV['RSPEC_UNIT_TEST_MODE']
+  Puppet.initialize_settings
+  task = BackupClassification.new(JSON.parse(STDIN.read))
+  task.execute!
+end
