(PE-39577) Optimise legacy compiler support

This commit: - Adds the `node_group_unpin` task. - `node_group_unpin` task is called in the convert plan to remove legacy compilers from from the PE Master node group. - Legacy compilers `pp_auth_role` changed to `legacy_compiler`. - Changes the PEADM config to use the PE Certificate Authority node group. - Removes peadm_legacy_compiler extension.
puppetlabs · Jan 30, 2025 · 9b36382 · 9b36382
1 parent 26c3ddf
commit 9b36382
Show file tree

Hide file tree

Showing 12 changed files with 198 additions and 76 deletions.
diff --git a/manifests/setup/legacy_compiler_group.pp b/manifests/setup/legacy_compiler_group.pp
@@ -1,72 +1,71 @@
 # @api private
 class peadm::setup::legacy_compiler_group (
   String[1] $primary_host,
-  Optional[String]                  $internal_compiler_a_pool_address = undef,
-  Optional[String]                  $internal_compiler_b_pool_address = undef,
+  Optional[String] $internal_compiler_a_pool_address = undef,
+  Optional[String] $internal_compiler_b_pool_address = undef,
 ) {
   Node_group {
     purge_behavior => none,
   }
 
   node_group { 'PE Legacy Compiler':
-    parent  => 'PE Master',
-    rule    => ['and',
-      ['=', ['trusted', 'extensions', peadm::oid('peadm_legacy_compiler')], 'true'],
-      ['=', ['trusted', 'extensions', 'pp_auth_role'], 'pe_compiler'],
-    ],
-    classes => {
-      'puppet_enterprise::profile::master'   => {
-        'puppetdb_host' => [$internal_compiler_a_pool_address, $internal_compiler_b_pool_address].filter |$_| { $_ },
-        'puppetdb_port' => [8081],
+    ensure         => 'present',
+    parent         => 'PE Master',
+    purge_behavior => 'classes',
+    rule           => ['=', ['trusted', 'extensions', 'pp_auth_role'], 'legacy_compiler'],
+    classes        => {
+      'puppet_enterprise::profile::master' => {
+        'puppetdb_host'               => [$internal_compiler_a_pool_address, $internal_compiler_b_pool_address].filter |$_| { $_ },
+        'puppetdb_port'               => [8081],
+        'replication_mode'            => 'none',
+        'code_manager_auto_configure' => true,
       },
     },
   }
 
   node_group { 'PE Legacy Compiler Group A':
-    ensure  => 'present',
-    parent  => 'PE Legacy Compiler',
-    rule    => ['and',
-      ['=', ['trusted', 'extensions', 'pp_auth_role'], 'pe_compiler'],
+    ensure         => 'present',
+    parent         => 'PE Legacy Compiler',
+    purge_behavior => 'classes',
+    rule           => ['and',
+      ['=', ['trusted', 'extensions', 'pp_auth_role'], 'legacy_compiler'],
       ['=', ['trusted', 'extensions', peadm::oid('peadm_availability_group')], 'A'],
-      ['=', ['trusted', 'extensions', peadm::oid('peadm_legacy_compiler')], 'true'],
     ],
-    classes => {
-      'puppet_enterprise::profile::master'   => {
+    classes        => {
+      'puppet_enterprise::profile::master' => {
         'puppetdb_host' => [$internal_compiler_b_pool_address, $internal_compiler_a_pool_address].filter |$_| { $_ },
         'puppetdb_port' => [8081],
       },
     },
-    data    => {
-      # Workaround for GH-118
+    data           => {
       'puppet_enterprise::profile::master::puppetdb' => {
         'ha_enabled_replicas' => [],
       },
     },
   }
 
   node_group { 'PE Legacy Compiler Group B':
-    ensure  => 'present',
-    parent  => 'PE Legacy Compiler',
-    rule    => ['and',
-      ['=', ['trusted', 'extensions', 'pp_auth_role'], 'pe_compiler'],
+    ensure         => 'present',
+    parent         => 'PE Legacy Compiler',
+    purge_behavior => 'classes',
+    rule           => ['and',
+      ['=', ['trusted', 'extensions', 'pp_auth_role'], 'legacy_compiler'],
       ['=', ['trusted', 'extensions', peadm::oid('peadm_availability_group')], 'B'],
-      ['=', ['trusted', 'extensions', peadm::oid('peadm_legacy_compiler')], 'true'],
     ],
-    classes => {
-      'puppet_enterprise::profile::master'   => {
+    classes        => {
+      'puppet_enterprise::profile::master' => {
         'puppetdb_host' => [$internal_compiler_a_pool_address, $internal_compiler_b_pool_address].filter |$_| { $_ },
         'puppetdb_port' => [8081],
       },
     },
-    data    => {
-      # Workaround for GH-118
+    data           => {
       'puppet_enterprise::profile::master::puppetdb' => {
         'ha_enabled_replicas' => [],
       },
     },
   }
 
   node_group { 'PE Compiler':
-    rule   => ['and', ['=', ['trusted', 'extensions', peadm::oid('peadm_legacy_compiler')], 'false']],
+    rule => ['=', ['trusted', 'extensions', 'pp_auth_role'], 'pe_compiler'],
   }
 }
diff --git a/manifests/setup/node_manager.pp b/manifests/setup/node_manager.pp
@@ -77,12 +77,16 @@
     parent    => 'PE Infrastructure',
     data      => $compiler_pool_address_data,
     variables => { 'pe_master' => true },
+    rule      => ['or',
+      ['=', ['trusted', 'extensions', 'pp_auth_role'], 'legacy_compiler'],
+      ['=', ['trusted', 'extensions', 'pp_auth_role'], 'pe_compiler'],
+    ],
   }
 
   # PE Compiler group comes from default PE and already has the pe compiler role
   node_group { 'PE Compiler':
     parent => 'PE Master',
-    rule   => ['and', ['=', ['trusted', 'extensions', peadm::oid('peadm_legacy_compiler')], 'false']],
+    rule   => ['and', ['=', ['trusted', 'extensions', peadm::oid('pp_auth_role')], 'pe_compiler']],
   }
 
   # This group should pin the primary, and also map to any pe-postgresql nodes
@@ -121,7 +125,6 @@
     rule    => ['and',
       ['=', ['trusted', 'extensions', 'pp_auth_role'], 'pe_compiler'],
       ['=', ['trusted', 'extensions', peadm::oid('peadm_availability_group')], 'A'],
-      ['=', ['trusted', 'extensions', peadm::oid('peadm_legacy_compiler')], 'false'],
     ],
     classes => {
       'puppet_enterprise::profile::puppetdb' => {
@@ -180,7 +183,6 @@
     rule    => ['and',
       ['=', ['trusted', 'extensions', 'pp_auth_role'], 'pe_compiler'],
       ['=', ['trusted', 'extensions', peadm::oid('peadm_availability_group')], 'B'],
-      ['=', ['trusted', 'extensions', peadm::oid('peadm_legacy_compiler')], 'false'],
     ],
     classes => {
       'puppet_enterprise::profile::puppetdb' => {
@@ -203,10 +205,7 @@
 
   node_group { 'PE Legacy Compiler':
     parent  => 'PE Master',
-    rule    => ['and',
-      ['=', ['trusted', 'extensions', 'pp_auth_role'], 'pe_compiler'],
-      ['=', ['trusted', 'extensions', peadm::oid('peadm_legacy_compiler')], 'true'],
-    ],
+    rule    => ['=', ['trusted', 'extensions', 'pp_auth_role'], 'legacy_compiler'],
     classes => {
       'puppet_enterprise::profile::master'   => {
         'puppetdb_host' => [$internal_compiler_a_pool_address, $internal_compiler_b_pool_address].filter |$_| { $_ },
@@ -221,9 +220,8 @@
     ensure  => 'present',
     parent  => 'PE Legacy Compiler',
     rule    => ['and',
-      ['=', ['trusted', 'extensions', 'pp_auth_role'], 'pe_compiler'],
+      ['=', ['trusted', 'extensions', 'pp_auth_role'], 'legacy_compiler'],
       ['=', ['trusted', 'extensions', peadm::oid('peadm_availability_group')], 'A'],
-      ['=', ['trusted', 'extensions', peadm::oid('peadm_legacy_compiler')], 'true'],
     ],
     classes => {
       'puppet_enterprise::profile::master'   => {
@@ -245,9 +243,8 @@
     ensure  => 'present',
     parent  => 'PE Legacy Compiler',
     rule    => ['and',
-      ['=', ['trusted', 'extensions', 'pp_auth_role'], 'pe_compiler'],
+      ['=', ['trusted', 'extensions', 'pp_auth_role'], 'legacy_compiler'],
       ['=', ['trusted', 'extensions', peadm::oid('peadm_availability_group')], 'B'],
-      ['=', ['trusted', 'extensions', peadm::oid('peadm_legacy_compiler')], 'true'],
     ],
     classes => {
       'puppet_enterprise::profile::master'   => {

diff --git a/plans/convert.pp b/plans/convert.pp
@@ -214,7 +214,6 @@
           add_extensions => {
             peadm::oid('pp_auth_role')             => 'pe_compiler',
             peadm::oid('peadm_availability_group') => 'A',
-            peadm::oid('peadm_legacy_compiler')    => 'false',
           },
         )
       },
@@ -224,27 +223,24 @@
           add_extensions => {
             peadm::oid('pp_auth_role')             => 'pe_compiler',
             peadm::oid('peadm_availability_group') => 'B',
-            peadm::oid('peadm_legacy_compiler')    => 'false',
           },
         )
       },
       background('modify-compilers-a-certs') || {
         run_plan('peadm::modify_certificate', $legacy_compiler_a_targets,
           primary_host   => $primary_target,
           add_extensions => {
-            peadm::oid('pp_auth_role')             => 'pe_compiler',
+            peadm::oid('pp_auth_role')             => 'legacy_compiler',
             peadm::oid('peadm_availability_group') => 'A',
-            peadm::oid('peadm_legacy_compiler')    => 'true',
           },
         )
       },
       background('modify-compilers-b-certs') || {
         run_plan('peadm::modify_certificate', $legacy_compiler_b_targets,
           primary_host   => $primary_target,
           add_extensions => {
-            peadm::oid('pp_auth_role')             => 'pe_compiler',
+            peadm::oid('pp_auth_role')             => 'legacy_compiler',
             peadm::oid('peadm_availability_group') => 'B',
-            peadm::oid('peadm_legacy_compiler')    => 'true',
           },
         )
       },
@@ -283,6 +279,16 @@
 
         include peadm::setup::convert_node_manager
       }
+
+      # Unpin legacy compilers from PE Master group
+      if $legacy_compiler_targets {
+        $legacy_compiler_targets.each |$target| {
+          run_task('peadm::node_group_unpin', $primary_target,
+            node_certname => $target.peadm::certname(),
+            group_name    => 'PE Master',
+          )
+        }
+      }
     }
     else {
 # lint:ignore:strict_indent

diff --git a/plans/convert_compiler_to_legacy.pp b/plans/convert_compiler_to_legacy.pp
@@ -102,27 +102,25 @@
         run_plan('peadm::modify_certificate', $compiler_targets,
           primary_host   => $primary_target,
           add_extensions => {
-            peadm::oid('peadm_legacy_compiler')    => 'false',
+            peadm::oid('pp_auth_role')    => 'legacy_compiler',
           },
         )
       },
       background('modify-compilers-a-certs') || {
         run_plan('peadm::modify_certificate', $legacy_compiler_a_targets,
           primary_host   => $primary_target,
           add_extensions => {
-            peadm::oid('pp_auth_role')             => 'pe_compiler',
+            peadm::oid('pp_auth_role')             => 'legacy_compiler',
             peadm::oid('peadm_availability_group') => 'A',
-            peadm::oid('peadm_legacy_compiler')    => 'true',
           },
         )
       },
       background('modify-compilers-b-certs') || {
         run_plan('peadm::modify_certificate', $legacy_compiler_b_targets,
           primary_host   => $primary_target,
           add_extensions => {
-            peadm::oid('pp_auth_role')             => 'pe_compiler',
+            peadm::oid('pp_auth_role')             => 'legacy_compiler',
             peadm::oid('peadm_availability_group') => 'B',
-            peadm::oid('peadm_legacy_compiler')    => 'true',
           },
         )
       },

diff --git a/plans/subplans/component_install.pp b/plans/subplans/component_install.pp
@@ -21,13 +21,11 @@
     $certificate_extensions = {
       peadm::oid('pp_auth_role')             => 'pe_compiler',
       peadm::oid('peadm_availability_group') => $avail_group_letter,
-      peadm::oid('peadm_legacy_compiler')    => false,
     }
   } elsif $role == 'pe_compiler_legacy' {
     $certificate_extensions = {
-      peadm::oid('pp_auth_role')             => 'pe_compiler',
+      peadm::oid('pp_auth_role')             => 'legacy_compiler',
       peadm::oid('peadm_availability_group') => $avail_group_letter,
-      peadm::oid('peadm_legacy_compiler')    => true,
     }
   } else {
     $certificate_extensions = {

diff --git a/plans/subplans/install.pp b/plans/subplans/install.pp
@@ -287,7 +287,6 @@
         extension_requests => {
           peadm::oid('pp_auth_role')             => 'pe_compiler',
           peadm::oid('peadm_availability_group') => 'A',
-          peadm::oid('peadm_legacy_compiler')    => 'false',
         }
       )
     },
@@ -296,25 +295,22 @@
         extension_requests => {
           peadm::oid('pp_auth_role')             => 'pe_compiler',
           peadm::oid('peadm_availability_group') => 'B',
-          peadm::oid('peadm_legacy_compiler')    => 'false',
         }
       )
     },
     background('compiler-a-csr.yaml') || {
       run_plan('peadm::util::insert_csr_extension_requests', $legacy_a_targets,
         extension_requests => {
-          peadm::oid('pp_auth_role')             => 'pe_compiler',
+          peadm::oid('pp_auth_role')             => 'legacy_compiler',
           peadm::oid('peadm_availability_group') => 'A',
-          peadm::oid('peadm_legacy_compiler')    => 'true',
         }
       )
     },
     background('compiler-b-csr.yaml') || {
       run_plan('peadm::util::insert_csr_extension_requests', $legacy_b_targets,
         extension_requests => {
-          peadm::oid('pp_auth_role')             => 'pe_compiler',
+          peadm::oid('pp_auth_role')             => 'legacy_compiler',
           peadm::oid('peadm_availability_group') => 'B',
-          peadm::oid('peadm_legacy_compiler')    => 'true',
         }
       )
     },

diff --git a/plans/update_compiler_extensions.pp b/plans/update_compiler_extensions.pp
@@ -7,11 +7,6 @@
   $primary_target            = peadm::get_targets($primary_host, 1)
   $host_targets              = peadm::get_targets($compiler_hosts)
 
-  run_plan('peadm::modify_certificate', $host_targets,
-    primary_host   => $primary_target,
-    add_extensions => { peadm::oid('peadm_legacy_compiler') => String($legacy) },
-  )
-
   run_task('peadm::puppet_runonce', $primary_target)
   run_task('peadm::puppet_runonce', $host_targets)
 

diff --git a/plans/upgrade.pp b/plans/upgrade.pp
@@ -172,8 +172,8 @@
   $compiler_m1_nonlegacy_targets = $compiler_targets.filter |$target| {
     ($cert_extensions.dig($target.peadm::certname, peadm::oid('peadm_availability_group'))
     == $cert_extensions.dig($primary_target[0].peadm::certname, peadm::oid('peadm_availability_group'))) and
-    ($cert_extensions.dig($target.peadm::certname, peadm::oid('peadm_legacy_compiler'))
-    == 'false')
+    ($cert_extensions.dig($target.peadm::certname, peadm::oid('pp_auth_role'))
+    == 'pe_compiler')
   }
 
   $compiler_m2_targets = $compiler_targets.filter |$target| {
@@ -184,8 +184,8 @@
   $compiler_m2_nonlegacy_targets = $compiler_targets.filter |$target| {
     ($cert_extensions.dig($target.peadm::certname, peadm::oid('peadm_availability_group'))
     == $cert_extensions.dig($replica_target[0].peadm::certname, peadm::oid('peadm_availability_group'))) and
-    ($cert_extensions.dig($target.peadm::certname, peadm::oid('peadm_legacy_compiler'))
-    == 'false')
+    ($cert_extensions.dig($target.peadm::certname, peadm::oid('pp_auth_role'))
+    == 'pe_compiler')
   }
 
   peadm::plan_step('preparation') || {

diff --git a/spec/plans/convert_spec.rb b/spec/plans/convert_spec.rb
@@ -9,7 +9,7 @@
   end
 
   let(:params) do
-    { 'primary_host' => 'primary' }
+    { 'primary_host' => 'primary', 'legacy_compilers' => 'legacy_compiler' }
   end
 
   it 'single primary no dr valid' do
@@ -21,6 +21,7 @@
     expect_task('peadm::cert_data').return_for_targets('primary' => trustedjson)
     expect_task('peadm::read_file').always_return({ 'content' => '2021.7.9' })
     expect_task('peadm::get_group_rules').return_for_targets('primary' => { '_output' => '{"rules": []}' })
+    expect_task('peadm::node_group_unpin').with_targets('primary').with_params({ 'node_certname' => 'legacy_compiler', 'group_name' => 'PE Master' })
 
     # For some reason, expect_plan() was not working??
     allow_plan('peadm::modify_certificate').always_return({})

diff --git a/tasks/get_peadm_config.rb b/tasks/get_peadm_config.rb
@@ -22,7 +22,7 @@ def execute!
 
   def config
     # Compute values
-    primary = groups.pinned('PE Master')
+    primary = groups.pinned('PE Certificate Authority')
     replica = groups.pinned('PE HA Replica')
     server_a = server('puppet/server', 'A', [primary, replica].compact)
     server_b = server('puppet/server', 'B', [primary, replica].compact)
@@ -94,8 +94,7 @@ def groups
   def compilers
     @compilers ||=
       pdb_query('inventory[certname,trusted.extensions] {
-            trusted.extensions.pp_auth_role = "pe_compiler" and
-            trusted.extensions."1.3.6.1.4.1.34380.1.1.9814" = "false"
+            trusted.extensions.pp_auth_role = "pe_compiler"
           }').map do |c|
         {
           'certname' => c['certname'],
@@ -108,8 +107,7 @@ def compilers
   def legacy_compilers
     @legacy_compilers ||=
       pdb_query('inventory[certname,trusted.extensions] {
-          trusted.extensions.pp_auth_role = "pe_compiler" and
-          trusted.extensions."1.3.6.1.4.1.34380.1.1.9814" = "true"
+          trusted.extensions.pp_auth_role = "legacy_compiler"
         }').map do |c|
         {
           'certname' => c['certname'],