Puppet Plan: peadm::add_compiler
- Defined in:
- plans/add_compiler.pp
Summary
Add a new compiler to a PE architecture, or replace an existing one with new configuration.
Overview
This plan is in development and currently considered experimental.
# File 'plans/add_compiler.pp', line 11
# Adds a compiler to a peadm-managed PE installation, or re-registers an
# existing compiler with fresh configuration. In order, the plan:
#   1. reads the current peadm config from the primary to find the server in
#      the opposite availability group,
#   2. allowlists the compiler's certificate on that server's PuppetDB and
#      maps its certname onto the PuppetDB PostgreSQL roles in pg_ident.conf,
#   3. installs (or re-uses) the agent, submits/signs a CSR carrying the
#      pe_compiler role extension, and forces that extension onto an
#      already-signed cert,
#   4. syncs the global hiera.yaml and runs Puppet on every touched host.
# Steps 2 and 3 are authorization changes: after this plan the named host is
# trusted as a compiler by the CA, by PuppetDB and by PostgreSQL. Verify the
# identity of $compiler_host before running it.
# This plan is marked experimental (see the page summary).
#
# @param avail_group_letter  availability group ('A' or 'B') for the compiler;
#   written into the peadm_availability_group certificate extension.
# @param dns_alt_names  optional value passed to the agent install as
#   main:dns_alt_names. NOTE(review): it is interpolated into an install flag
#   verbatim; confirm peadm::agent_install does not pass it through a shell
#   unquoted before accepting caller-supplied values.
# @param compiler_host  the compiler to add or replace (exactly one target).
# @param primary_host  the primary server; acts as CA and signs the compiler CSR.
# @param primary_postgresql_host  host running pe-postgresql; its pg_ident.conf
#   is edited so the compiler's certname maps to the PuppetDB database roles.
plan peadm::add_compiler(
Enum['A', 'B'] $avail_group_letter,
Optional[String[1]] $dns_alt_names = undef,
Peadm::SingleTargetSpec $compiler_host,
Peadm::SingleTargetSpec $primary_host,
Peadm::SingleTargetSpec $primary_postgresql_host,
) {
# Each spec resolves to exactly one target (the second argument is the count).
$compiler_target = peadm::get_targets($compiler_host, 1)
$primary_target = peadm::get_targets($primary_host, 1)
$primary_postgresql_target = peadm::get_targets($primary_postgresql_host, 1)
# Get current peadm config to determine where to setup additional rules for
# compiler's secondary PuppetDB instances
$peadm_config = run_task('peadm::get_peadm_config', $primary_target).first.value
# Return the opposite server than the compiler to be added so it can be
# configured with the appropriate rules for Puppet Server access from
# compiler
$replica_avail_group_letter = $avail_group_letter ? { 'A' => 'B', 'B' => 'A' }
$replica_puppetdb = $peadm_config['role-letter']['server'][$replica_avail_group_letter]
# NOTE(review): in an architecture with no replica this lookup is presumably
# undef; the later peadm::flatten_compact calls are what drop an empty target
# list. Confirm peadm::get_targets tolerates undef here.
$replica_puppetdb_target = peadm::get_targets($replica_puppetdb, 1)
# Stop puppet.service on the PostgreSQL host and the opposite-group server so
# a scheduled agent run cannot interfere with (presumably revert) the manual
# file edits below before the plan has finished. It is restarted at the end.
run_command('systemctl stop puppet.service', peadm::flatten_compact([
$primary_postgresql_target,
$replica_puppetdb_target
]))
# Trust grant: add the compiler's certname to the PuppetDB certificate
# allowlist on the opposite-group server. Only the certname is written; it is
# the same value later fixed by main:certname at agent install.
apply($replica_puppetdb_target) {
file_line { 'pe-puppetdb-compiler-cert-allow':
path => '/etc/puppetlabs/puppetdb/certificate-allowlist',
line => $compiler_target.peadm::certname(),
}
}
# Add the following three lines to /opt/puppetlabs/server/data/postgresql/11/data/pg_ident.conf
#
# pe-puppetdb-pe-puppetdb-map <new-compiler-host> pe-puppetdb
# pe-puppetdb-pe-puppetdb-migrator-map <new-compiler-host> pe-puppetdb-migrator
# pe-puppetdb-pe-puppetdb-read-map <new-compiler-host> pe-puppetdb-read
#
# Trust grant: these ident maps let a client presenting the compiler's
# certificate authenticate as the pe-puppetdb, pe-puppetdb-migrator and
# pe-puppetdb-read database roles.
# NOTE(review): the path pins PostgreSQL 11. On a PE release with another
# major version the data directory differs, so this would edit the wrong file;
# TODO confirm how file_line behaves when the path does not exist.
apply($primary_postgresql_target) {
file_line { 'pe-puppetdb-pe-puppetdb-map':
path => '/opt/puppetlabs/server/data/postgresql/11/data/pg_ident.conf',
line => "pe-puppetdb-pe-puppetdb-map ${compiler_target.peadm::certname()} pe-puppetdb",
}
file_line { 'pe-puppetdb-pe-puppetdb-migrator-map':
path => '/opt/puppetlabs/server/data/postgresql/11/data/pg_ident.conf',
line => "pe-puppetdb-pe-puppetdb-migrator-map ${compiler_target.peadm::certname()} pe-puppetdb-migrator",
}
file_line { 'pe-puppetdb-pe-puppetdb-read-map':
path => '/opt/puppetlabs/server/data/postgresql/11/data/pg_ident.conf',
line => "pe-puppetdb-pe-puppetdb-read-map ${compiler_target.peadm::certname()} pe-puppetdb-read",
}
}
# Reload pe-postgresql.service so the new ident maps take effect (reload, not
# restart, so existing connections are kept).
run_command('systemctl reload pe-postgresql.service', $primary_postgresql_target)
# Install the puppet agent making sure to specify an availability group letter, A or B, as an extension request.
# An unset $dns_alt_names yields no extra flag at all rather than an empty one.
$dns_alt_names_flag = $dns_alt_names? {
undef => [],
default => ["main:dns_alt_names=${dns_alt_names}"],
}
# Check for and merge csr_attributes. The pp_auth_role=pe_compiler extension is
# what the CSR will carry, so signing it below is what confers compiler
# privileges on this host.
run_plan('peadm::util::insert_csr_extension_requests', $compiler_target,
extension_requests => {
peadm::oid('pp_auth_role') => 'pe_compiler',
peadm::oid('peadm_availability_group') => $avail_group_letter
}
)
# we first assume that there is no agent installed on the node. If there is, nothing will happen.
# The agent is left stopped so it does not run before the certificate and
# hiera steps below are complete; the certname is pinned explicitly.
run_task('peadm::agent_install', $compiler_target,
server => $primary_target.peadm::certname(),
install_flags => $dns_alt_names_flag + [
'--puppet-service-ensure', 'stopped',
"main:certname=${compiler_target.peadm::certname()}",
],
)
# If necessary, manually submit a CSR
# ignoring errors to simplify logic
# NOTE(review): _catch_errors swallows every failure here, not just the
# "already has a certificate" case; a genuine submit failure would only show
# up at the sign step or the later agent run.
run_task('peadm::submit_csr', $compiler_target, {'_catch_errors' => true})
# On primary, if necessary, sign the certificate request
# Signing is unconditional for this certname: the plan does not inspect the
# CSR before approving it.
run_task('peadm::sign_csr', $primary_target, { 'certnames' => [$compiler_target.peadm::certname()] } )
# If there was already a signed cert, force the certificate extensions we want
# (i.e. an existing node is promoted to the pe_compiler role; presumably this
# re-issues its certificate).
# TODO: update peadm::util::add_cert_extensions to take care of dns alt names
run_plan('peadm::modify_certificate', $compiler_target,
primary_host => $primary_target.peadm::certname(),
add_extensions => {
peadm::oid('pp_auth_role') => 'pe_compiler',
peadm::oid('peadm_availability_group') => $avail_group_letter,
},
)
# Source the global hiera.yaml from Primary and synchronize to new compiler
run_plan('peadm::util::sync_global_hiera', $compiler_target,
primary_host => $primary_target
)
# On <compiler-host>, run the puppet agent
run_task('peadm::puppet_runonce', $compiler_target)
# On <primary_postgresql_host> and the opposite-group server, run the puppet
# agent once so their catalogs are applied after the manual edits.
run_task('peadm::puppet_runonce', peadm::flatten_compact([
$primary_postgresql_target,
$replica_puppetdb_target
]))
# Re-enable scheduled agent runs on the PostgreSQL host, the opposite-group
# server, and the (installed-stopped) compiler itself.
run_command('systemctl start puppet.service', peadm::flatten_compact([
$primary_postgresql_target,
$replica_puppetdb_target,
$compiler_target,
]))
return("Adding or replacing compiler ${$compiler_target.peadm::certname()} succeeded.")
}