Feature custom csr attributes

manifests/setup/node_manager.pp

@@ -15,6 +15,11 @@
   String[1] $master_host,
   String[1] $puppetdb_database_host,
   String[1] $compiler_pool_address,
+  String[1] $pp_application_compiler,
+  String[1] $pp_application_master,
+  String[1] $pp_application_puppetdb,
+  String[1] $pp_cluster_a,
+  String[1] $pp_cluster_b,
 
   Optional[String[1]] $master_replica_host            = undef,
   Optional[String[1]] $puppetdb_database_replica_host = undef,
@@ -39,7 +44,7 @@
   # We modify this group's rule such that all PE infrastructure nodes will be
   # members.
   node_group { 'PE Infrastructure Agent':
-    rule => ['and', ['~', ['trusted', 'extensions', 'pp_application'], '^puppet/']],
+    rule => ['and', ['~', ['trusted', 'extensions', 'pp_application'], "^${pp_application_compiler}|^${pp_application_master}|^${pp_application_puppetdb}"]], # lint:ignore:140chars
   }
 
   # We modify this group to add, as data, the compiler_pool_address only.
@@ -48,7 +53,7 @@
   node_group { 'PE Master':
     parent    => 'PE Infrastructure',
     rule      => ['or',
-      ['and', ['=', ['trusted', 'extensions', 'pp_application'], 'puppet/compiler']],
+      ['and', ['=', ['trusted', 'extensions', 'pp_application'], $pp_application_compiler]],
       ['=', 'name', $master_host],
     ],
     data      => {
@@ -67,7 +72,7 @@
       parent               => 'PE Infrastructure',
       environment          => 'production',
       override_environment => false,
-      rule                 => ['and', ['=', ['trusted', 'extensions', 'pp_application'], 'puppet/puppetdb-database']],
+      rule                 => ['and', ['=', ['trusted', 'extensions', 'pp_application'], $pp_application_puppetdb]],
       classes              => {
         'puppet_enterprise::profile::database' => { },
       },
@@ -76,12 +81,12 @@
 
   # Create data-only groups to store PuppetDB PostgreSQL database configuration
   # information specific to the master and master replica nodes.
-  node_group { 'PE Master A':
+  node_group { "PE Master ${pp_cluster_a}":
     ensure => present,
     parent => 'PE Infrastructure',
     rule   => ['and',
-      ['=', ['trusted', 'extensions', 'pp_application'], 'puppet/master'],
-      ['=', ['trusted', 'extensions', 'pp_cluster'], 'A'],
+      ['=', ['trusted', 'extensions', 'pp_application'], $pp_application_master],
+      ['=', ['trusted', 'extensions', 'pp_cluster'], $pp_cluster_a],
     ],
     data   => {
       'puppet_enterprise::profile::primary_master_replica' => {
@@ -95,12 +100,12 @@
 
   # Configure the A pool for compilers. There are up to two pools for HA, each
   # having an affinity for one "availability zone" or the other.
-  node_group { 'PE Compiler Group A':
+  node_group { "PE Compiler Group ${pp_cluster_a}":
     ensure  => 'present',
     parent  => 'PE Master',
     rule    => ['and',
-      ['=', ['trusted', 'extensions', 'pp_application'], 'puppet/compiler'],
-      ['=', ['trusted', 'extensions', 'pp_cluster'], 'A'],
+      ['=', ['trusted', 'extensions', 'pp_application'], $pp_application_compiler],
+      ['=', ['trusted', 'extensions', 'pp_cluster'], $pp_cluster_a],
     ],
     classes => {
       'puppet_enterprise::profile::puppetdb' => {
@@ -132,12 +137,12 @@
   }
 
   if $puppetdb_database_replica_host {
-    node_group { 'PE Master B':
+    node_group { "PE Master ${pp_cluster_b}":
       ensure => present,
       parent => 'PE Infrastructure',
       rule   => ['and',
-        ['=', ['trusted', 'extensions', 'pp_application'], 'puppet/master'],
-        ['=', ['trusted', 'extensions', 'pp_cluster'], 'B'],
+        ['=', ['trusted', 'extensions', 'pp_application'], $pp_application_master],
+        ['=', ['trusted', 'extensions', 'pp_cluster'], $pp_cluster_b],
       ],
       data   => {
         'puppet_enterprise::profile::primary_master_replica' => {
@@ -148,13 +153,15 @@
         },
       },
     }
+  }
 
-    node_group { 'PE Compiler Group B':
+  if ($puppetdb_database_replica_host) {
+    node_group { "PE Compiler Group ${pp_cluster_b}":
       ensure  => 'present',
       parent  => 'PE Master',
       rule    => ['and',
-        ['=', ['trusted', 'extensions', 'pp_application'], 'puppet/compiler'],
-        ['=', ['trusted', 'extensions', 'pp_cluster'], 'B'],
+        ['=', ['trusted', 'extensions', 'pp_application'], $pp_application_compiler],
+        ['=', ['trusted', 'extensions', 'pp_cluster'], $pp_cluster_b],
       ],
       classes => {
         'puppet_enterprise::profile::puppetdb' => {
@@ -167,6 +174,25 @@
       },
       data    => $compiler_data,
     }
+  } elsif ($master_replica_host) {
+    node_group { "PE Compiler Group ${pp_cluster_b}":
+      ensure  => 'present',
+      parent  => 'PE Master',
+      rule    => ['and',
+        ['=', ['trusted', 'extensions', 'pp_application'], $pp_application_compiler],
+        ['=', ['trusted', 'extensions', 'pp_cluster'], $pp_cluster_b],
+      ],
+      classes => {
+        'puppet_enterprise::profile::puppetdb' => {
+          'database_host' => $puppetdb_database_host,
+        },
+        'puppet_enterprise::profile::master'   => {
+          'puppetdb_host' => ['${clientcert}', $master_host], # lint:ignore:single_quote_string_with_variables
+          'puppetdb_port' => [8081],
+        }
+      },
+      data    => $compiler_data,
+    }
   }
 
 }

plans/action/configure.pp

@@ -19,6 +19,11 @@
 
   # Other
   String           $stagingdir = '/tmp',
+  String           $pp_application_compiler = 'puppet/compiler',
+  String           $pp_application_master = 'puppet/master',
+  String           $pp_application_puppetdb = 'puppet/puppetdb-database',
+  String           $pp_cluster_a = 'A',
+  String           $pp_cluster_b = 'B',
 ) {
   # Convert inputs into targets.
   $master_target                    = peadm::get_targets($master_host, 1)
@@ -89,6 +94,11 @@
       puppetdb_database_host         => $puppetdb_database_host_string, # $puppetdb_database_target.peadm::target_name(),
       puppetdb_database_replica_host => $puppetdb_database_replica_host_string, # $puppetdb_database_replica_target.peadm::target_name(),
       compiler_pool_address          => $compiler_pool_address,
+      pp_application_compiler        => $pp_application_compiler,
+      pp_application_master          => $pp_application_master,
+      pp_application_puppetdb        => $pp_application_puppetdb,
+      pp_cluster_a                   => $pp_cluster_a,
+      pp_cluster_b                   => $pp_cluster_b,
       require                        => File['node_manager.yaml'],
     }
   }

plans/action/install.pp

@@ -47,6 +47,11 @@
 
   # Other
   String               $stagingdir   = '/tmp',
+  String               $pp_application_compiler = 'puppet/compiler',
+  String               $pp_application_master = 'puppet/master',
+  String               $pp_application_puppetdb = 'puppet/puppetdb-database',
+  String               $pp_cluster_a = 'A',
+  String               $pp_cluster_b = 'B',
 ) {
   # Convert inputs into targets.
   $master_target                    = peadm::get_targets($master_host, 1)
@@ -170,35 +175,53 @@
   $pp_application = '1.3.6.1.4.1.34380.1.1.8'
   $pp_cluster     = '1.3.6.1.4.1.34380.1.1.16'
 
-  run_task('peadm::mkdir_p_file', $master_target,
-    path    => '/etc/puppetlabs/puppet/csr_attributes.yaml',
-    content => @("HEREDOC"),
-      ---
-      extension_requests:
-        ${pp_application}: "puppet/master"
-        ${pp_cluster}: "A"
-      | HEREDOC
+  $master_check = run_task('peadm::existing_csr_check',
+    $master_target,
+    '_catch_errors' => true
   )
+  if $master_check.ok {
+    run_task('peadm::mkdir_p_file', $master_target,
+      path    => '/etc/puppetlabs/puppet/csr_attributes.yaml',
+      content => @("HEREDOC"),
+        ---
+        extension_requests:
+          ${pp_application}: "${pp_application_master}"
+          ${pp_cluster}: "${pp_cluster_a}"
+        | HEREDOC
+    )
+  }
 
-  run_task('peadm::mkdir_p_file', $puppetdb_database_target,
-    path    => '/etc/puppetlabs/puppet/csr_attributes.yaml',
-    content => @("HEREDOC"),
-      ---
-      extension_requests:
-        ${pp_application}: "puppet/puppetdb-database"
-        ${pp_cluster}: "A"
-      | HEREDOC
+  $puppetdb_check = run_task('peadm::existing_csr_check',
+    $puppetdb_database_target,
+    '_catch_errors' => true
   )
+  if $puppetdb_check.ok {
+    run_task('peadm::mkdir_p_file', $puppetdb_database_target,
+      path    => '/etc/puppetlabs/puppet/csr_attributes.yaml',
+      content => @("HEREDOC"),
+        ---
+        extension_requests:
+          ${pp_application}: "${pp_application_puppetdb}"
+          ${pp_cluster}: "${pp_cluster_a}"
+        | HEREDOC
+    )
+  }
 
-  run_task('peadm::mkdir_p_file', $puppetdb_database_replica_target,
-    path    => '/etc/puppetlabs/puppet/csr_attributes.yaml',
-    content => @("HEREDOC"),
-      ---
-      extension_requests:
-        ${pp_application}: "puppet/puppetdb-database"
-        ${pp_cluster}: "B"
-      | HEREDOC
+  $puppetdb_replica_check = run_task('peadm::existing_csr_check',
+    $puppetdb_database_replica_target,
+    '_catch_errors' => true
   )
+  if $puppetdb_replica_check.ok {
+    run_task('peadm::mkdir_p_file', $puppetdb_database_replica_target,
+      path    => '/etc/puppetlabs/puppet/csr_attributes.yaml',
+      content => @("HEREDOC"),
+        ---
+        extension_requests:
+          ${pp_application}: "${pp_application_puppetdb}"
+          ${pp_cluster}: "${pp_cluster_b}"
+        | HEREDOC
+    )
+  }
 
   # Get the master installation up and running. The installer will
   # "fail" because PuppetDB can't start, if puppetdb_database_target
@@ -291,8 +314,8 @@
     install_flags => [
       '--puppet-service-ensure', 'stopped',
       "main:dns_alt_names=${dns_alt_names_csv}",
-      "extension_requests:${pp_application}=puppet/master",
-      "extension_requests:${pp_cluster}=B",
+      "extension_requests:${pp_application}=${pp_application_master}",
+      "extension_requests:${pp_cluster}=${pp_cluster_b}",
     ],
   )
 
@@ -301,8 +324,8 @@
     install_flags => [
       '--puppet-service-ensure', 'stopped',
       "main:dns_alt_names=${dns_alt_names_csv}",
-      "extension_requests:${pp_application}=puppet/compiler",
-      "extension_requests:${pp_cluster}=A",
+      "extension_requests:${pp_application}=${pp_application_compiler}",
+      "extension_requests:${pp_cluster}=${pp_cluster_a}",
     ],
   )
 
@@ -311,8 +334,8 @@
     install_flags => [
       '--puppet-service-ensure', 'stopped',
       "main:dns_alt_names=${dns_alt_names_csv}",
-      "extension_requests:${pp_application}=puppet/compiler",
-      "extension_requests:${pp_cluster}=B",
+      "extension_requests:${pp_application}=${pp_application_compiler}",
+      "extension_requests:${pp_cluster}=${pp_cluster_b}",
     ],
   )
 

plans/provision.pp

@@ -33,6 +33,11 @@
 
   # Other
   Optional[String]                  $stagingdir = undef,
+  Optional[String]                  $pp_application_compiler = 'puppet/compiler',
+  Optional[String]                  $pp_application_master = 'puppet/master',
+  Optional[String]                  $pp_application_puppetdb = 'puppet/puppetdb-database',
+  Optional[String]                  $pp_cluster_a = 'A',
+  Optional[String]                  $pp_cluster_b = 'B',
 ) {
 
   $install_result = run_plan('peadm::action::install',
@@ -64,6 +69,11 @@
 
     # Other
     stagingdir                     => $stagingdir,
+    pp_application_compiler        => $pp_application_compiler,
+    pp_application_master          => $pp_application_master,
+    pp_application_puppetdb        => $pp_application_puppetdb,
+    pp_cluster_a                   => $pp_cluster_a,
+    pp_cluster_b                   => $pp_cluster_b,
   )
 
   $configure_result = run_plan('peadm::action::configure',
@@ -84,6 +94,11 @@
 
     # Other
     stagingdir                     => $stagingdir,
+    pp_application_compiler        => $pp_application_compiler,
+    pp_application_master          => $pp_application_master,
+    pp_application_puppetdb        => $pp_application_puppetdb,
+    pp_cluster_a                   => $pp_cluster_a,
+    pp_cluster_b                   => $pp_cluster_b,
   )
 
   # Return a string banner reporting on what was done

tasks/agent_install.sh

@@ -4,4 +4,16 @@ set -e
 
 flags=$(echo $PT_install_flags | sed -e 's/^\["//' -e 's/\"]$//' -e 's/", *"/ /g')
 
+if [ -f /etc/puppetlabs/puppet/csr_attributes.yaml ]; then
+  # csr_attributes is already installed on the server, exclude those
+  # options from the command line flags.
+  read -a flags_array <<< $flags
+  for member in "${flags_array[@]}"; do
+    if [[ $member =~ ^extension ]]; then
+      flags_array=("${flags_array[@]/$member}")
+    fi
+  done
+  flags="${flags_array[@]}"
+fi
+
 curl -k "https://${PT_server}:8140/packages/current/install.bash" | bash -s -- $flags

tasks/existing_csr_check.json

@@ -0,0 +1,7 @@
+{
+  "puppet_task_version": 1,
+  "supports_noop": false,
+  "description": "This script checks for the existence of a csr_attributes file.",
+  "parameters": {
+  }
+}

tasks/existing_csr_check.sh

@@ -0,0 +1,10 @@
+#!/bin/sh
+
+# Puppet Task Name: existing_csr_check
+#
+
+if [ -f /etc/puppetlabs/puppet/csr_attributes.yaml ]; then
+  exit 1
+else
+  exit 0
+fi