From 69a4a16efa4357386d9123ae07ab32d9e49c6638 Mon Sep 17 00:00:00 2001 From: Reid Vandewiele Date: Fri, 18 Sep 2020 15:27:35 -0700 Subject: [PATCH 1/2] Bug fixes to convert --- plans/convert.pp | 22 ++++++++++++++++------ plans/util/add_cert_extensions.pp | 13 +++++++------ 2 files changed, 23 insertions(+), 12 deletions(-) diff --git a/plans/convert.pp b/plans/convert.pp index 7747e3b1..ca5aa416 100644 --- a/plans/convert.pp +++ b/plans/convert.pp @@ -76,16 +76,26 @@ if $arch['high-availability'] { $compiler_a_targets = $compiler_targets.filter |$index,$target| { $exts = $cert_extensions[$target.peadm::target_name()] - $exts[peadm::oid('peadm_availability_group')] in ['A', 'B'] ? { - true => $exts[peadm::oid('peadm_availability_group')] == 'A', - false => $index % 2 == 0, + if ($exts[peadm::oid('peadm_availability_group')] in ['A', 'B']) { + $exts[peadm::oid('peadm_availability_group')] == 'A' + } + elsif ($exts[peadm::oid('pp_cluster')] in ['A', 'B']) { + $exts[peadm::oid('pp_cluster')] == 'A' + } + else { + $index % 2 == 0 } } $compiler_b_targets = $compiler_targets.filter |$index,$target| { $exts = $cert_extensions[$target.peadm::target_name()] - $exts[peadm::oid('peadm_availability_group')] in ['A', 'B'] ? { - true => $exts[peadm::oid('peadm_availability_group')] == 'B', - false => $index % 2 != 0, + if ($exts[peadm::oid('peadm_availability_group')] in ['A', 'B']) { + $exts[peadm::oid('peadm_availability_group')] == 'B' + } + elsif ($exts[peadm::oid('pp_cluster')] in ['A', 'B']) { + $exts[peadm::oid('pp_cluster')] == 'B' + } + else { + $index % 2 != 0 } } } diff --git a/plans/util/add_cert_extensions.pp b/plans/util/add_cert_extensions.pp index b534e2b5..a2fd4d44 100644 --- a/plans/util/add_cert_extensions.pp +++ b/plans/util/add_cert_extensions.pp 
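Review bot: The parity fallback in both filter lambdas uses `$index` from the full `$compiler_targets` list, so when only some compilers carry `peadm_availability_group` or `pp_cluster` the unlabelled ones are split by list position, and the A and B groups can come out uneven or change when the targets are passed in a different order. The precedence chain is also written out twice, differing only in the letter compared, so a later edit to one lambda can leave a compiler in both groups or in neither. I would add a comment above the first filter such as `# Group precedence: peadm_availability_group, then pp_cluster, then list position (even index => A)`, and consider deriving the group once per target and filtering on that result. `$exts` is indexed without a check, which assumes `$cert_extensions` has an entry for every compiler; that hash is populated outside the hunk.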
@@ -44,18 +44,19 @@ # This will be the new trusted fact data for this node $extension_requests = $certdata[$target]['extensions'] + $extensions - # Make sure the csr_attributes.yaml file on the node matches - run_plan('peadm::util::insert_csr_extension_requests', $target, - extension_requests => $extension_requests, - merge => false, - ) - # Everything starts the same; we always stop the agent and revoke the # existing cert. We use `run_command` in case the master is 2019.x but # the agent is only 2018.x. In that scenario `run_task(service, ...)` # doesn't work. $was_running = run_command('systemctl is-active puppet.service', $target, _catch_errors => true)[0].ok if ($was_running) { run_command('systemctl stop puppet.service', $target) } + + # Make sure the csr_attributes.yaml file on the node matches + run_plan('peadm::util::insert_csr_extension_requests', $target, + extension_requests => $extension_requests, + merge => false, + ) + run_command("${pserver} ca clean --certname ${certname}", $master_target) # Then things get crazy... From dbeec01ad332f17919f22bdddb0ff0048f4dd823 Mon Sep 17 00:00:00 2001 From: Reid Vandewiele Date: Tue, 22 Sep 2020 10:38:44 -0700 Subject: [PATCH 2/2] Run on primary, then the rest, at end of convert So that if the puppetserver process restarts it doesn't impact agent runs on any of the rest of the nodes --- plans/convert.pp | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/plans/convert.pp b/plans/convert.pp index ca5aa416..92a5ef60 100644 --- a/plans/convert.pp +++ b/plans/convert.pp 
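Review bot: With `peadm::util::insert_csr_extension_requests` now running after `systemctl stop puppet.service`, a failure in that sub-plan aborts this plan with the agent stopped, where before the reorder it failed with the agent still running. Whether anything later restarts the service is outside the hunk, so I would catch the error here, start the agent again if `$was_running` is true, and only then fail, as sketched below; the existing certificate has not been cleaned at that point. Separately, `${certname}` is interpolated into the `ca clean` command string on an unchanged line; if that value can come from node-supplied data it should be checked against a hostname pattern before the call. The plan body starts and ends outside the hunk.

```puppet
  if ($was_running) { run_command('systemctl stop puppet.service', $target) }

  # Make sure the csr_attributes.yaml file on the node matches
  $csr_result = run_plan('peadm::util::insert_csr_extension_requests', $target,
    extension_requests => $extension_requests,
    merge              => false,
    _catch_errors      => true,
  )
  if $csr_result =~ Error {
    # Nothing has been revoked yet: put the agent back before giving up
    if ($was_running) { run_command('systemctl start puppet.service', $target) }
    fail_plan($csr_result)
  }
  # … unchanged: ca clean on the master and the steps after it …
```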
@@ -203,8 +203,10 @@ } # Run Puppet on all targets to ensure catalogs and exported resources fully - # up-to-date - run_task('peadm::puppet_runonce', $all_targets) + # up-to-date. Run on master first in case puppet server restarts, 'cause + # that would cause the runs to fail on all the rest. + run_task('peadm::puppet_runonce', $master_target) + run_task('peadm::puppet_runonce', $all_targets - $master_target) return("Conversion to peadm Puppet Enterprise ${arch['architecture']} succeeded.") }
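Review bot: `$all_targets - $master_target` only drops the primary if both variables hold matching target values, and both are defined outside the hunk. If the subtraction removes nothing, the primary is run a second time alongside the other nodes and the ordering this change is after is lost without any error. There is also no wait between the two `run_task` calls, so the change relies on the first run returning only once puppetserver is serving again, which is worth confirming. The comment would read more clearly as `# up-to-date. Run on the primary first: if that run restarts puppetserver, runs started at the same time on the other nodes would fail.`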