New changes

petergmurphy · petergmurphy · commit ec4a2f17085c · 2025-03-12T14:02:31.000Z
diff --git a/manifests/setup/legacy_compiler_group.pp b/manifests/setup/legacy_compiler_group.pp
@@ -10,15 +10,13 @@
 
   node_group { 'PE Legacy Compiler':
     ensure         => 'present',
-    parent         => 'PE Infrastructure',
+    parent         => 'PE Master',
     purge_behavior => 'rule',
     rule           => ['=', ['trusted', 'extensions', 'pp_auth_role'], 'pe_compiler_legacy'],
     classes        => {
-      'puppet_enterprise::profile::master' => {
-        'puppetdb_host'               => [$internal_compiler_a_pool_address, $internal_compiler_b_pool_address].filter |$_| { $_ },
-        'puppetdb_port'               => [8081],
-        'replication_mode'            => 'none',
-        'code_manager_auto_configure' => true,
+      'puppet_enterprise::profile::master'   => {
+        'puppetdb_host' => [$internal_compiler_a_pool_address, $internal_compiler_b_pool_address].filter |$_| { $_ },
+        'puppetdb_port' => [8081],
       },
     },
   }
diff --git a/plans/convert.pp b/plans/convert.pp
@@ -60,6 +60,48 @@
 
   out::message('# Gathering information')
 
+  $cert_extensions_temp = run_task('peadm::cert_data', $all_targets).reduce({}) |$memo,$result| {
+    $memo + { $result.target.peadm::certname() => $result['extensions'] }
+  }
+
+  # Add legacy compiler role to compilers that are missing it
+  $compilers_with_legacy_compiler_flag = $cert_extensions_temp.filter |$name,$exts| {
+    ($name in $compiler_targets.map |$t| { $t.name } or $name in $legacy_compiler_targets.map |$t| { $t.name }) and
+    ($exts[peadm::oid('peadm_legacy_compiler')] != undef)
+  }
+
+  if $compilers_with_legacy_compiler_flag.size > 0 {
+    $legacy_compilers_with_flag = $compilers_with_legacy_compiler_flag.filter |$name,$exts| {
+      $exts[peadm::oid('peadm_legacy_compiler')] == 'true'
+    }.keys
+
+    $modern_compilers_with_flag = $compilers_with_legacy_compiler_flag.filter |$name,$exts| {
+      $exts[peadm::oid('peadm_legacy_compiler')] == 'false'
+    }.keys
+
+    if $modern_compilers_with_flag.size > 0 {
+      run_plan('peadm::modify_certificate', $modern_compilers_with_flag,
+        primary_host   => $primary_target,
+        remove_extensions => [peadm::oid('peadm_legacy_compiler')],
+      )
+    }
+
+    if $legacy_compilers_with_flag.size > 0 {
+      run_plan('peadm::modify_certificate', $legacy_compilers_with_flag,
+        primary_host   => $primary_target,
+        add_extensions => {
+          'pp_auth_role' => 'pe_compiler_legacy',
+        },
+        remove_extensions => [peadm::oid('peadm_legacy_compiler'), peadm::oid('pp_auth_role')],
+      )
+    }
+
+    run_task('peadm::puppet_runonce', peadm::flatten_compact([
+          $compiler_targets,
+          $legacy_compiler_targets,
+    ]))
+  }
+
   # Get trusted fact information for all compilers. Use peadm::certname() as
   # the hash key because the apply block below will break trying to parse the
   # $compiler_extensions variable if it has Target-type hash keys.
@@ -318,6 +360,9 @@
       run_command('systemctl restart pe-puppetserver.service pe-puppetdb.service', $compiler_targets)
     }
 
+    # Update PE Master rules to support legacy compilers
+    run_task('peadm::update_pe_master_rules', $primary_target)
+
     # Run puppet on all targets again to ensure everything is fully up-to-date
     run_task('peadm::puppet_runonce', $all_targets)
   }
@@ -333,7 +378,5 @@
 # lint:endignore
   }
 
-  run_task('peadm::update_pe_master_rules', $primary_target)
-
   return("Conversion to peadm Puppet Enterprise ${arch['architecture']} completed.")
 }
diff --git a/plans/install.pp b/plans/install.pp
@@ -143,8 +143,6 @@
     final_agent_state                => $final_agent_state,
   )
 
-  run_task('peadm::update_pe_master_rules', $primary_host)
-
   # Return a string banner reporting on what was done
   return([$install_result, $configure_result])
 }
diff --git a/plans/subplans/configure.pp b/plans/subplans/configure.pp
@@ -174,5 +174,9 @@
         $legacy_compiler_targets,
   ]))
 
+  # Update PE Master rules to support legacy compilers
+  run_task('peadm::update_pe_master_rules', $primary_host)
+  run_task('peadm::puppet_runonce', $legacy_compiler_targets)
+
   return("Configuration of Puppet Enterprise ${arch['architecture']} succeeded.")
 }
diff --git a/plans/upgrade.pp b/plans/upgrade.pp
@@ -146,41 +146,12 @@
     ($exts[peadm::oid('peadm_legacy_compiler')] != undef)
   }
 
-  run_task('peadm::update_pe_master_rules', $primary_target)
-
   if $compilers_with_legacy_compiler_flag.size > 0 {
-    $legacy_compilers = $compilers_with_legacy_compiler_flag.filter |$name,$exts| {
-      $exts[peadm::oid('peadm_legacy_compiler')] == 'true'
-    }.keys
-
-    $modern_compilers = $compilers_with_legacy_compiler_flag.filter |$name,$exts| {
-      $exts[peadm::oid('peadm_legacy_compiler')] == 'false'
-    }.keys
-
-    if $modern_compilers.size > 0 {
-      out::message('MODERN COMPILERS: Beginning removal of legacy compiler flag')
-      out::message($modern_compilers)
-      run_plan('peadm::modify_certificate', $modern_compilers,
-        primary_host   => $primary_target,
-        remove_extensions => [peadm::oid('peadm_legacy_compiler')],
-      )
-      out::message('MODERN COMPILERS: Removed legacy compiler flag')
-    }
-
-    if $legacy_compilers.size > 0 {
-      out::message('LEGACY COMPILERS: Beginning addition of legacy compiler role and removal of legacy compiler flag')
-      out::message($legacy_compilers)
-      run_plan('peadm::modify_certificate', $legacy_compilers,
-        primary_host   => $primary_target,
-        add_extensions => {
-          'pp_auth_role' => 'pe_compiler_legacy',
-        },
-        remove_extensions => [peadm::oid('peadm_legacy_compiler'), peadm::oid('pp_auth_role')],
-      )
-      out::message('LEGACY COMPILERS: Added legacy compiler role and removed legacy compiler flag')
-    }
+    fail_plan('Please run the Convert plan to convert your Puppet infrastructure to be managed by PEADM.')
   }
 
+  run_task('peadm::update_pe_master_rules', $primary_target)
+
   # Gather certificate extension information from all systems
   $cert_extensions = run_task('peadm::cert_data', $all_targets).reduce({}) |$memo,$result| {
     $memo + { $result.target.peadm::certname => $result['extensions'] }
diff --git a/tasks/update_pe_master_rules.rb b/tasks/update_pe_master_rules.rb
@@ -31,8 +31,8 @@ def get_pe_master_group_id
 
     groups = JSON.parse(res.body)
     pe_master_group = groups.find { |group| group['name'] == 'PE Master' }
-    
-    raise "Could not find PE Master group" unless pe_master_group
+
+    raise 'Could not find PE Master group' unless pe_master_group
     pe_master_group['id']
   rescue JSON::ParserError => e
     raise "Invalid JSON response from server: #{e.message}"
@@ -57,28 +57,30 @@ def get_current_rules(group_id)
     raise "Error fetching rules: #{e.message}"
   end
 
-  def transform_rule(rule)
-    return rule unless rule.is_a?(Array)
-    
-    if rule[0] == '=' && 
-       rule[1].is_a?(Array) && 
-       rule[1] == ['trusted', 'extensions', 'pp_auth_role'] && 
-       rule[2] == 'pe_compiler'
-      return ['~', ['trusted', 'extensions', 'pp_auth_role'], '^pe_compiler(?:_legacy)?$']
-    end
-    
-    # Recursively transform nested rules
-    rule.map { |element| transform_rule(element) }
+  def modify_pe_master_rules(rules)
+    # If not an array, return as is
+    return rules unless rules.is_a?(Array)
+
+    # Make a copy of the rules to avoid modifying the original
+    result = rules.dup
+
+    result[1] = [
+      'or',
+      ['=', ['trusted', 'extensions', 'pp_auth_role'], 'pe_compiler'],
+      ['=', ['trusted', 'extensions', 'pp_auth_role'], 'pe_compiler_legacy']
+    ]
+
+    result
   end
 
   def update_rules(group_id)
     net = https_client
     begin
       current_rules = get_current_rules(group_id)
-      
+
       # Transform rules recursively to handle nested structures
-      new_rules = transform_rule(current_rules)
-      
+      new_rules = modify_pe_master_rules(current_rules)
+
       # Update the group with the modified rules
       url = "/classifier-api/v1/groups/#{group_id}"
       req = Net::HTTP::Post.new(url)
@@ -114,4 +116,4 @@ def execute!
   Puppet.initialize_settings
   task = UpdatePeMasterRules.new(JSON.parse(STDIN.read))
   task.execute!
-end 
+end

Original file line number	Diff line number	Diff line change
`@@ -143,8 +143,6 @@`
`143`	`143`	`final_agent_state => $final_agent_state,`
`144`	`144`	`)`
`145`	`145`
`146`		`- run_task('peadm::update_pe_master_rules', $primary_host)`
`147`		`-`
`148`	`146`	`# Return a string banner reporting on what was done`
`149`	`147`	`return([$install_result, $configure_result])`
`150`	`148`	`}`
Original file line number	Diff line number	Diff line change
`@@ -174,5 +174,9 @@`
`174`	`174`	`$legacy_compiler_targets,`
`175`	`175`	`]))`
`176`	`176`
	`177`	`+ # Update PE Master rules to support legacy compilers`
	`178`	`+ run_task('peadm::update_pe_master_rules', $primary_host)`
	`179`	`+ run_task('peadm::puppet_runonce', $legacy_compiler_targets)`
	`180`	`+`
`177`	`181`	`return("Configuration of Puppet Enterprise ${arch['architecture']} succeeded.")`
`178`	`182`	`}`