temp commit

petergmurphy · petergmurphy · commit bba2ae03d3c9 · 2025-03-11T17:01:24.000Z
diff --git a/manifests/setup/legacy_compiler_group.pp b/manifests/setup/legacy_compiler_group.pp
@@ -9,10 +9,11 @@
   }
 
   node_group { 'PE Legacy Compiler':
-    ensure  => 'present',
-    parent  => 'PE Infrastructure',
-    rule    => ['=', ['trusted', 'extensions', 'pp_auth_role'], 'pe_compiler_legacy'],
-    classes => {
+    ensure         => 'present',
+    parent         => 'PE Infrastructure',
+    purge_behavior => 'rule',
+    rule           => ['=', ['trusted', 'extensions', 'pp_auth_role'], 'pe_compiler_legacy'],
+    classes        => {
       'puppet_enterprise::profile::master' => {
         'puppetdb_host'               => [$internal_compiler_a_pool_address, $internal_compiler_b_pool_address].filter |$_| { $_ },
         'puppetdb_port'               => [8081],
@@ -23,19 +24,20 @@
   }
 
   node_group { 'PE Legacy Compiler Group A':
-    ensure  => 'present',
-    parent  => 'PE Legacy Compiler',
-    rule    => ['and',
+    ensure         => 'present',
+    parent         => 'PE Legacy Compiler',
+    purge_behavior => 'rule',
+    rule           => ['and',
       ['=', ['trusted', 'extensions', 'pp_auth_role'], 'pe_compiler_legacy'],
       ['=', ['trusted', 'extensions', peadm::oid('peadm_availability_group')], 'A'],
     ],
-    classes => {
+    classes        => {
       'puppet_enterprise::profile::master' => {
         'puppetdb_host' => [$internal_compiler_b_pool_address, $internal_compiler_a_pool_address].filter |$_| { $_ },
         'puppetdb_port' => [8081],
       },
     },
-    data    => {
+    data           => {
       'puppet_enterprise::profile::master::puppetdb' => {
         'ha_enabled_replicas' => [],
       },
@@ -45,7 +47,7 @@
   node_group { 'PE Legacy Compiler Group B':
     ensure         => 'present',
     parent         => 'PE Legacy Compiler',
-    purge_behavior => 'classes',
+    purge_behavior => 'rule',
     rule           => ['and',
       ['=', ['trusted', 'extensions', 'pp_auth_role'], 'pe_compiler_legacy'],
       ['=', ['trusted', 'extensions', peadm::oid('peadm_availability_group')], 'B'],
@@ -64,6 +66,8 @@
   }
 
   node_group { 'PE Compiler':
-    rule => ['=', ['trusted', 'extensions', 'pp_auth_role'], 'pe_compiler'],
+    parent         => 'PE Master',
+    purge_behavior => 'rule',
+    rule           => ['=', ['trusted', 'extensions', 'pp_auth_role'], 'pe_compiler'],
   }
 }
diff --git a/manifests/setup/node_manager.pp b/manifests/setup/node_manager.pp
@@ -81,8 +81,9 @@
 
   # PE Compiler group comes from default PE and already has the pe compiler role
   node_group { 'PE Compiler':
-    parent => 'PE Master',
-    rule   => ['and', ['=', ['trusted', 'extensions', peadm::oid('pp_auth_role')], 'pe_compiler']],
+    parent         => 'PE Master',
+    purge_behavior => 'rule',
+    rule           => ['and', ['=', ['trusted', 'extensions', 'pp_auth_role'], 'pe_compiler']],
   }
 
   # This group should pin the primary, and also map to any pe-postgresql nodes
@@ -116,13 +117,14 @@
   # Configure the A pool for compilers. There are up to two pools for DR, each
   # having an affinity for one "availability zone" or the other.
   node_group { 'PE Compiler Group A':
-    ensure  => 'present',
-    parent  => 'PE Compiler',
-    rule    => ['and',
+    ensure         => 'present',
+    purge_behavior => 'rule',
+    parent         => 'PE Compiler',
+    rule           => ['and',
       ['=', ['trusted', 'extensions', 'pp_auth_role'], 'pe_compiler'],
       ['=', ['trusted', 'extensions', peadm::oid('peadm_availability_group')], 'A'],
     ],
-    classes => {
+    classes        => {
       'puppet_enterprise::profile::puppetdb' => {
         'database_host' => pick($postgresql_a_host, $notconf),
       },
@@ -133,7 +135,7 @@
         'puppetdb_port' => [8081],
       },
     },
-    data    => {
+    data           => {
       # Workaround for GH-118
       'puppet_enterprise::profile::master::puppetdb' => {
         'ha_enabled_replicas' => [],
@@ -174,13 +176,14 @@
   }
 
   node_group { 'PE Compiler Group B':
-    ensure  => 'present',
-    parent  => 'PE Compiler',
-    rule    => ['and',
+    ensure         => 'present',
+    purge_behavior => 'rule',
+    parent         => 'PE Compiler',
+    rule           => ['and',
       ['=', ['trusted', 'extensions', 'pp_auth_role'], 'pe_compiler'],
       ['=', ['trusted', 'extensions', peadm::oid('peadm_availability_group')], 'B'],
     ],
-    classes => {
+    classes        => {
       'puppet_enterprise::profile::puppetdb' => {
         'database_host' => pick($postgresql_b_host, $notconf),
       },
@@ -191,7 +194,7 @@
         'puppetdb_port' => [8081],
       },
     },
-    data    => {
+    data           => {
       # Workaround for GH-118
       'puppet_enterprise::profile::master::puppetdb' => {
         'ha_enabled_replicas' => [],
@@ -200,9 +203,10 @@
   }
 
   node_group { 'PE Legacy Compiler':
-    parent  => 'PE Master',
-    rule    => ['=', ['trusted', 'extensions', 'pp_auth_role'], 'pe_compiler_legacy'],
-    classes => {
+    parent         => 'PE Master',
+    purge_behavior => 'rule',
+    rule           => ['=', ['trusted', 'extensions', 'pp_auth_role'], 'pe_compiler_legacy'],
+    classes        => {
       'puppet_enterprise::profile::master'   => {
         'puppetdb_host' => [$internal_compiler_a_pool_address, $internal_compiler_b_pool_address].filter |$_| { $_ },
         'puppetdb_port' => [8081],
@@ -213,19 +217,20 @@
   # Configure the A pool for legacy compilers. There are up to two pools for DR, each
   # having an affinity for one "availability zone" or the other.
   node_group { 'PE Legacy Compiler Group A':
-    ensure  => 'present',
-    parent  => 'PE Legacy Compiler',
-    rule    => ['and',
+    ensure         => 'present',
+    parent         => 'PE Legacy Compiler',
+    purge_behavior => 'rule',
+    rule           => ['and',
       ['=', ['trusted', 'extensions', 'pp_auth_role'], 'pe_compiler_legacy'],
       ['=', ['trusted', 'extensions', peadm::oid('peadm_availability_group')], 'A'],
     ],
-    classes => {
+    classes        => {
       'puppet_enterprise::profile::master'   => {
         'puppetdb_host' => [$internal_compiler_b_pool_address, $internal_compiler_a_pool_address].filter |$_| { $_ },
         'puppetdb_port' => [8081],
       },
     },
-    data    => {
+    data           => {
       # Workaround for GH-118
       'puppet_enterprise::profile::master::puppetdb' => {
         'ha_enabled_replicas' => [],
@@ -236,19 +241,20 @@
   # Configure the B pool for legacy compilers. There are up to two pools for DR, each
   # having an affinity for one "availability zone" or the other.
   node_group { 'PE Legacy Compiler Group B':
-    ensure  => 'present',
-    parent  => 'PE Legacy Compiler',
-    rule    => ['and',
+    ensure         => 'present',
+    parent         => 'PE Legacy Compiler',
+    purge_behavior => 'rule',
+    rule           => ['and',
       ['=', ['trusted', 'extensions', 'pp_auth_role'], 'pe_compiler_legacy'],
       ['=', ['trusted', 'extensions', peadm::oid('peadm_availability_group')], 'B'],
     ],
-    classes => {
+    classes        => {
       'puppet_enterprise::profile::master'   => {
         'puppetdb_host' => [$internal_compiler_a_pool_address, $internal_compiler_a_pool_address].filter |$_| { $_ },
         'puppetdb_port' => [8081],
       },
     },
-    data    => {
+    data           => {
       # Workaround for GH-118
       'puppet_enterprise::profile::master::puppetdb' => {
         'ha_enabled_replicas' => [],
diff --git a/plans/upgrade.pp b/plans/upgrade.pp
@@ -141,19 +141,45 @@
   }
 
   # Add legacy compiler role to compilers that are missing it
-  $legacy_compiler_targets = $cert_extensions_temp.filter |$name,$exts| {
+  $compilers_with_legacy_compiler_flag = $cert_extensions_temp.filter |$name,$exts| {
     ($name in $compiler_targets.map |$t| { $t.name }) and
-    ($exts[peadm::oid('peadm_legacy_compiler')] != undef) and
-    ($exts[peadm::oid('peadm_legacy_compiler')] == 'true') and
-    ($exts['pp_auth_role'] != 'pe_compiler_legacy')
-  }.keys
+    ($exts[peadm::oid('peadm_legacy_compiler')] != undef)
+  }
 
-  run_plan('peadm::modify_certificate', $legacy_compiler_targets,
-    primary_host   => $primary_target,
-    add_extensions => {
-      'pp_auth_role' => 'pe_compiler_legacy',
-    },
-  )
+  run_task('peadm::update_pe_master_rules', $primary_target)
+
+  if $compilers_with_legacy_compiler_flag.size > 0 {
+    $legacy_compilers = $compilers_with_legacy_compiler_flag.filter |$name,$exts| {
+      $exts[peadm::oid('peadm_legacy_compiler')] == 'true'
+    }.keys
+
+    $modern_compilers = $compilers_with_legacy_compiler_flag.filter |$name,$exts| {
+      $exts[peadm::oid('peadm_legacy_compiler')] == 'false'
+    }.keys
+
+    if $modern_compilers.size > 0 {
+      out::message('MODERN COMPILERS: Beginning removal of legacy compiler flag')
+      out::message($modern_compilers)
+      run_plan('peadm::modify_certificate', $modern_compilers,
+        primary_host   => $primary_target,
+        remove_extensions => [peadm::oid('peadm_legacy_compiler')],
+      )
+      out::message('MODERN COMPILERS: Removed legacy compiler flag')
+    }
+
+    if $legacy_compilers.size > 0 {
+      out::message('LEGACY COMPILERS: Beginning addition of legacy compiler role and removal of legacy compiler flag')
+      out::message($legacy_compilers)
+      run_plan('peadm::modify_certificate', $legacy_compilers,
+        primary_host   => $primary_target,
+        add_extensions => {
+          'pp_auth_role' => 'pe_compiler_legacy',
+        },
+        remove_extensions => [peadm::oid('peadm_legacy_compiler'), peadm::oid('pp_auth_role')],
+      )
+      out::message('LEGACY COMPILERS: Added legacy compiler role and removed legacy compiler flag')
+    }
+  }
 
   # Gather certificate extension information from all systems
   $cert_extensions = run_task('peadm::cert_data', $all_targets).reduce({}) |$memo,$result| {
@@ -460,7 +486,5 @@
 
   peadm::check_version_and_known_hosts($current_pe_version, $_version, $r10k_known_hosts)
 
-  run_task('peadm::update_pe_master_rules', $primary_target)
-
   return("Upgrade of Puppet Enterprise ${arch['architecture']} completed.")
 }
