Add task to update PE Master group rules

This commit introduces a new private task to update the AND conditional for the pe_compiler auth role in the PE Master node group, changing it to regex match for any *_compiler role. The task ensures that the group rules are simplified and display more correctly on the PE console.
puppetlabs · Feb 7, 2025 · 81e986a · 81e986a
1 parent a0db439
commit 81e986a
Show file tree

Hide file tree

Showing 11 changed files with 156 additions and 31 deletions.
diff --git a/manifests/setup/legacy_compiler_group.pp b/manifests/setup/legacy_compiler_group.pp
@@ -9,11 +9,10 @@
   }
 
   node_group { 'PE Legacy Compiler':
-    ensure         => 'present',
-    parent         => 'PE Master',
-    purge_behavior => 'classes',
-    rule           => ['=', ['trusted', 'extensions', 'pp_auth_role'], 'legacy_compiler'],
-    classes        => {
+    ensure  => 'present',
+    parent  => 'PE Infrastructure',
+    rule    => ['=', ['trusted', 'extensions', 'pp_auth_role'], 'pe_compiler_legacy'],
+    classes => {
       'puppet_enterprise::profile::master' => {
         'puppetdb_host'               => [$internal_compiler_a_pool_address, $internal_compiler_b_pool_address].filter |$_| { $_ },
         'puppetdb_port'               => [8081],
@@ -24,20 +23,19 @@
   }
 
   node_group { 'PE Legacy Compiler Group A':
-    ensure         => 'present',
-    parent         => 'PE Legacy Compiler',
-    purge_behavior => 'classes',
-    rule           => ['and',
-      ['=', ['trusted', 'extensions', 'pp_auth_role'], 'legacy_compiler'],
+    ensure  => 'present',
+    parent  => 'PE Legacy Compiler',
+    rule    => ['and',
+      ['=', ['trusted', 'extensions', 'pp_auth_role'], 'pe_compiler_legacy'],
       ['=', ['trusted', 'extensions', peadm::oid('peadm_availability_group')], 'A'],
     ],
-    classes        => {
+    classes => {
       'puppet_enterprise::profile::master' => {
         'puppetdb_host' => [$internal_compiler_b_pool_address, $internal_compiler_a_pool_address].filter |$_| { $_ },
         'puppetdb_port' => [8081],
       },
     },
-    data           => {
+    data    => {
       'puppet_enterprise::profile::master::puppetdb' => {
         'ha_enabled_replicas' => [],
       },
@@ -49,7 +47,7 @@
     parent         => 'PE Legacy Compiler',
     purge_behavior => 'classes',
     rule           => ['and',
-      ['=', ['trusted', 'extensions', 'pp_auth_role'], 'legacy_compiler'],
+      ['=', ['trusted', 'extensions', 'pp_auth_role'], 'pe_compiler_legacy'],
       ['=', ['trusted', 'extensions', peadm::oid('peadm_availability_group')], 'B'],
     ],
     classes        => {

diff --git a/manifests/setup/node_manager.pp b/manifests/setup/node_manager.pp
@@ -77,10 +77,6 @@
     parent    => 'PE Infrastructure',
     data      => $compiler_pool_address_data,
     variables => { 'pe_master' => true },
-    rule      => ['or',
-      ['=', ['trusted', 'extensions', 'pp_auth_role'], 'legacy_compiler'],
-      ['=', ['trusted', 'extensions', 'pp_auth_role'], 'pe_compiler'],
-    ],
   }
 
   # PE Compiler group comes from default PE and already has the pe compiler role
@@ -205,7 +201,7 @@
 
   node_group { 'PE Legacy Compiler':
     parent  => 'PE Master',
-    rule    => ['=', ['trusted', 'extensions', 'pp_auth_role'], 'legacy_compiler'],
+    rule    => ['=', ['trusted', 'extensions', 'pp_auth_role'], 'pe_compiler_legacy'],
     classes => {
       'puppet_enterprise::profile::master'   => {
         'puppetdb_host' => [$internal_compiler_a_pool_address, $internal_compiler_b_pool_address].filter |$_| { $_ },
@@ -220,7 +216,7 @@
     ensure  => 'present',
     parent  => 'PE Legacy Compiler',
     rule    => ['and',
-      ['=', ['trusted', 'extensions', 'pp_auth_role'], 'legacy_compiler'],
+      ['=', ['trusted', 'extensions', 'pp_auth_role'], 'pe_compiler_legacy'],
       ['=', ['trusted', 'extensions', peadm::oid('peadm_availability_group')], 'A'],
     ],
     classes => {
@@ -243,7 +239,7 @@
     ensure  => 'present',
     parent  => 'PE Legacy Compiler',
     rule    => ['and',
-      ['=', ['trusted', 'extensions', 'pp_auth_role'], 'legacy_compiler'],
+      ['=', ['trusted', 'extensions', 'pp_auth_role'], 'pe_compiler_legacy'],
       ['=', ['trusted', 'extensions', peadm::oid('peadm_availability_group')], 'B'],
     ],
     classes => {

diff --git a/plans/convert.pp b/plans/convert.pp
@@ -230,7 +230,7 @@
         run_plan('peadm::modify_certificate', $legacy_compiler_a_targets,
           primary_host   => $primary_target,
           add_extensions => {
-            peadm::oid('pp_auth_role')             => 'legacy_compiler',
+            peadm::oid('pp_auth_role')             => 'pe_compiler_legacy',
             peadm::oid('peadm_availability_group') => 'A',
           },
         )
@@ -239,7 +239,7 @@
         run_plan('peadm::modify_certificate', $legacy_compiler_b_targets,
           primary_host   => $primary_target,
           add_extensions => {
-            peadm::oid('pp_auth_role')             => 'legacy_compiler',
+            peadm::oid('pp_auth_role')             => 'pe_compiler_legacy',
             peadm::oid('peadm_availability_group') => 'B',
           },
         )
@@ -333,5 +333,7 @@
 # lint:endignore
   }
 
+  run_task('peadm::update_pe_master_rules', $primary_target)
+
   return("Conversion to peadm Puppet Enterprise ${arch['architecture']} completed.")
 }
diff --git a/plans/convert_compiler_to_legacy.pp b/plans/convert_compiler_to_legacy.pp
@@ -102,15 +102,15 @@
         run_plan('peadm::modify_certificate', $compiler_targets,
           primary_host   => $primary_target,
           add_extensions => {
-            peadm::oid('pp_auth_role')    => 'legacy_compiler',
+            peadm::oid('pp_auth_role')    => 'pe_compiler_legacy',
           },
         )
       },
       background('modify-compilers-a-certs') || {
         run_plan('peadm::modify_certificate', $legacy_compiler_a_targets,
           primary_host   => $primary_target,
           add_extensions => {
-            peadm::oid('pp_auth_role')             => 'legacy_compiler',
+            peadm::oid('pp_auth_role')             => 'pe_compiler_legacy',
             peadm::oid('peadm_availability_group') => 'A',
           },
         )
@@ -119,7 +119,7 @@
         run_plan('peadm::modify_certificate', $legacy_compiler_b_targets,
           primary_host   => $primary_target,
           add_extensions => {
-            peadm::oid('pp_auth_role')             => 'legacy_compiler',
+            peadm::oid('pp_auth_role')             => 'pe_compiler_legacy',
             peadm::oid('peadm_availability_group') => 'B',
           },
         )

diff --git a/plans/install.pp b/plans/install.pp
@@ -143,6 +143,8 @@
     final_agent_state                => $final_agent_state,
   )
 
+  run_task('peadm::update_pe_master_rules', $primary_host)
+
   # Return a string banner reporting on what was done
   return([$install_result, $configure_result])
 }
diff --git a/plans/subplans/component_install.pp b/plans/subplans/component_install.pp
@@ -24,7 +24,7 @@
     }
   } elsif $role == 'pe_compiler_legacy' {
     $certificate_extensions = {
-      peadm::oid('pp_auth_role')             => 'legacy_compiler',
+      peadm::oid('pp_auth_role')             => 'pe_compiler_legacy',
       peadm::oid('peadm_availability_group') => $avail_group_letter,
     }
   } else {

diff --git a/plans/subplans/install.pp b/plans/subplans/install.pp
@@ -301,15 +301,15 @@
     background('compiler-a-csr.yaml') || {
       run_plan('peadm::util::insert_csr_extension_requests', $legacy_a_targets,
         extension_requests => {
-          peadm::oid('pp_auth_role')             => 'legacy_compiler',
+          peadm::oid('pp_auth_role')             => 'pe_compiler_legacy',
           peadm::oid('peadm_availability_group') => 'A',
         }
       )
     },
     background('compiler-b-csr.yaml') || {
       run_plan('peadm::util::insert_csr_extension_requests', $legacy_b_targets,
         extension_requests => {
-          peadm::oid('pp_auth_role')             => 'legacy_compiler',
+          peadm::oid('pp_auth_role')             => 'pe_compiler_legacy',
           peadm::oid('peadm_availability_group') => 'B',
         }
       )

diff --git a/plans/upgrade.pp b/plans/upgrade.pp
@@ -440,5 +440,7 @@
 
   peadm::check_version_and_known_hosts($current_pe_version, $_version, $r10k_known_hosts)
 
+  run_task('peadm::update_pe_master_rules', $primary_target)
+
   return("Upgrade of Puppet Enterprise ${arch['architecture']} completed.")
 }
diff --git a/spec/plans/convert_spec.rb b/spec/plans/convert_spec.rb
@@ -9,7 +9,7 @@
   end
 
   let(:params) do
-    { 'primary_host' => 'primary', 'legacy_compilers' => ['legacy_compiler'] }
+    { 'primary_host' => 'primary', 'legacy_compilers' => ['pe_compiler_legacy'] }
   end
 
   it 'single primary no dr valid' do
@@ -21,8 +21,8 @@
     expect_task('peadm::cert_data').return_for_targets('primary' => trustedjson)
     expect_task('peadm::read_file').always_return({ 'content' => '2021.7.9' })
     expect_task('peadm::get_group_rules').return_for_targets('primary' => { '_output' => '{"rules": []}' })
-    expect_task('peadm::node_group_unpin').with_targets('primary').with_params({ 'node_certnames' => ['legacy_compiler'], 'group_name' => 'PE Master' })
-    expect_task('peadm::check_legacy_compilers').with_targets('primary').with_params({ 'legacy_compilers' => 'legacy_compiler' }).return_for_targets('primary' => { '_output' => '' })
+    expect_task('peadm::node_group_unpin').with_targets('primary').with_params({ 'node_certnames' => ['pe_compiler_legacy'], 'group_name' => 'PE Master' })
+    expect_task('peadm::check_legacy_compilers').with_targets('primary').with_params({ 'legacy_compilers' => 'pe_compiler_legacy' }).return_for_targets('primary' => { '_output' => '' })
 
     # For some reason, expect_plan() was not working??
     allow_plan('peadm::modify_certificate').always_return({})

diff --git a/tasks/update_pe_master_rules.json b/tasks/update_pe_master_rules.json
@@ -0,0 +1,8 @@
+{
+  "description": "Updates the PE Master group rules to replace pe_compiler with a regex match for any pe_compiler role",
+  "input_method": "stdin",
+  "private": true,
+  "implementations": [
+    {"name": "update_pe_master_rules.rb"}
+  ]
+} 
diff --git a/tasks/update_pe_master_rules.rb b/tasks/update_pe_master_rules.rb
@@ -0,0 +1,117 @@
+#!/opt/puppetlabs/puppet/bin/ruby
+# frozen_string_literal: true
+
+require 'json'
+require 'net/https'
+require 'puppet'
+
+# UpdatePeMasterRules task class
+class UpdatePeMasterRules
+  def initialize(params)
+    @params = params
+  end
+
+  def https_client
+    client = Net::HTTP.new(Puppet.settings[:certname], 4433)
+    client.use_ssl = true
+    client.cert = @cert ||= OpenSSL::X509::Certificate.new(File.read(Puppet.settings[:hostcert]))
+    client.key = @key ||= OpenSSL::PKey::RSA.new(File.read(Puppet.settings[:hostprivkey]))
+    client.verify_mode = OpenSSL::SSL::VERIFY_PEER
+    client.ca_file = Puppet.settings[:localcacert]
+    client
+  end
+
+  def get_pe_master_group_id
+    net = https_client
+    res = net.get('/classifier-api/v1/groups')
+
+    unless res.code == '200'
+      raise "Failed to fetch groups: HTTP #{res.code} - #{res.body}"
+    end
+
+    groups = JSON.parse(res.body)
+    pe_master_group = groups.find { |group| group['name'] == 'PE Master' }
+
+    raise "Could not find PE Master group" unless pe_master_group
+    pe_master_group['id']
+  rescue JSON::ParserError => e
+    raise "Invalid JSON response from server: #{e.message}"
+  rescue StandardError => e
+    raise "Error fetching PE Master group ID: #{e.message}"
+  end
+
+  def get_current_rules(group_id)
+    net = https_client
+    url = "/classifier-api/v1/groups/#{group_id}/rules"
+    req = Net::HTTP::Get.new(url)
+    res = net.request(req)
+
+    unless res.code == '200'
+      raise "Failed to fetch rules: HTTP #{res.code} - #{res.body}"
+    end
+
+    JSON.parse(res.body)['rule']
+  rescue JSON::ParserError => e
+    raise "Invalid JSON response from server: #{e.message}"
+  rescue StandardError => e
+    raise "Error fetching rules: #{e.message}"
+  end
+
+  def transform_rule(rule)
+    return rule unless rule.is_a?(Array)
+
+    if rule[0] == '=' && 
+       rule[1].is_a?(Array) && 
+       rule[1] == ['trusted', 'extensions', 'pp_auth_role'] && 
+       rule[2] == 'pe_compiler'
+      return ['~', ['trusted', 'extensions', 'pp_auth_role'], '^pe_compiler(?:_legacy)?$']
+    end
+
+    # Recursively transform nested rules
+    rule.map { |element| transform_rule(element) }
+  end
+
+  def update_rules(group_id)
+    net = https_client
+    begin
+      current_rules = get_current_rules(group_id)
+
+      # Transform rules recursively to handle nested structures
+      new_rules = transform_rule(current_rules)
+
+      # Update the group with the modified rules
+      url = "/classifier-api/v1/groups/#{group_id}"
+      req = Net::HTTP::Post.new(url)
+      req['Content-Type'] = 'application/json'
+      req.body = { rule: new_rules }.to_json
+
+      res = net.request(req)
+
+      case res.code
+      when '200', '201', '204'
+        puts "Successfully transformed pe_compiler rule to use regex match for *_compiler roles in group #{group_id}"
+      else
+        begin
+          error_body = JSON.parse(res.body.to_s)
+          raise "Failed to update rules: #{error_body['kind'] || error_body}"
+        rescue JSON::ParserError
+          raise "Invalid response from server (status #{res.code}): #{res.body}"
+        end
+      end
+    rescue StandardError => e
+      raise "Error during rules update: #{e.message}"
+    end
+  end
+
+  def execute!
+    group_id = get_pe_master_group_id
+    update_rules(group_id)
+  end
+end
+
+# Run the task unless an environment flag has been set
+unless ENV['RSPEC_UNIT_TEST_MODE']
+  Puppet.initialize_settings
+  task = UpdatePeMasterRules.new(JSON.parse(STDIN.read))
+  task.execute!
+end