Merge pull request #121 from m0dular/SUP-2539-terminology-refactor

MartyEwings · web-flow · commit f100c658c1a7 · 2021-08-20T14:52:43.000+01:00
(SUP-2539) Update terminology and refactor
diff --git a/tasks/st0299_regen_primary_server_cert.json b/tasks/st0299_regen_primary_server_cert.json
@@ -1,11 +1,16 @@
 {
-  "puppet_task_version": 1,
   "supports_noop": false,
   "description": "ST0299 Regen Primary Server Cert - This Task to be used in conjunction with Puppet Enterprise Knowledge Base Article KB0299 - https://support.puppet.com/hc/en-us/articles/360008505193",
-  "parameters": {
-    "dnsaltname_override": {
-      "description": "Override to prevent existing DNS alt name carryover.  Will force the use of only the DNS alt names present in pe.conf.",
-      "type": "Optional[Boolean]"
+  "implementations": [
+    {
+      "name": "st0299_regen_primary_server_cert.sh",
+      "requirements": [
+        "shell"
+      ],
+      "files": [
+        "support_tasks/files/common.sh"
+      ],
+      "input_method": "environment"
     }
-  }
+  ]
 }
diff --git a/tasks/st0299_regen_primary_server_cert.sh b/tasks/st0299_regen_primary_server_cert.sh
@@ -1,85 +1,23 @@
 #!/bin/bash
-# shellcheck disable=2181
-# shellcheck disable=2013
-declare PT_dnsaltname_override
-CERTNAME="$(puppet config print certname)"
-PUPPET_BIN_DIR="/opt/puppetlabs/bin"
-PUPPETCMD="${PUPPET_BIN_DIR}/puppet"
-PUPPETSERVERCMD="${PUPPET_BIN_DIR}/puppetserver"
-PATH="${PUPPET_BIN_DIR}":"${PATH}"
 
-backup_ssl() {
-  tar -cvf "/etc/puppetlabs/puppet/ssl_$(date +%Y-%m-%d-%M-%S).tar.gz" /etc/puppetlabs/puppet/ssl /etc/puppetlabs/puppetdb/ssl /opt/puppetlabs/server/data/console-services/certs /opt/puppetlabs/server/data/postgresql/9.6/data/certs /etc/puppetlabs/orchestration-services/ssl
-}
+declare PT__installdir
+source "$PT__installdir/support_tasks/files/common.sh"
 
-exit_if_compile_master() {
-  grep reverse-proxy-ca-service /etc/puppetlabs/puppetserver/bootstrap.cfg 2>&1 /dev/null
-  if [ $? -eq 0 ]; then
-    echo "Target server appears to be a PE compile master.  This script is intended to be targeted only at a PE Master of Masters.  Exiting."
-    exit 255
-  elif [ $? -eq 2 ]; then
-    echo "Target server does not appear to be a PE master.  This script is intended to be targeted only at a PE Master of Masters.  Exiting."
-    exit 255
-  fi
-}
+PUPPET_BIN='/opt/puppetlabs/puppet/bin'
+ssldir="$($PUPPET_BIN/puppet config print ssldir)"
+cadir="$($PUPPET_BIN/puppet config print cadir)"
+certname="$($PUPPET_BIN/puppet config print certname).pem"
+# Starting in 2021, the CA directory may or may not be under the ssldir
+# Add cadir and ssldir to an array and pass them to find to ensure we delete all necessary files
+ca_dirs=("$ssldir" "$cadir")
 
-check_dns_alt_names() {
-  if [ "${PUPPET_6}" = true ]; then
-    str=$(/opt/puppetlabs/bin/puppetserver ca list --all |grep "${CERTNAME}")
-  else
-    str=$(puppet cert list "${CERTNAME}")
-  fi
+[[ -d $cadir ]] || fail 'ERROR: could not find cadir.  Please ensure this task is run on the primary Puppet server'
 
-  for host in $(grep -oP '(?<="DNS:)(.*?)(?<=")' <<<"${str}"); do
-    tmphost="$(echo "${host}"|cut -d'"' -f 1)"
-    if [ "$tmphost" == "$CERTNAME" ] || [ "$tmphost" == "puppet" ]
-    then
-      continue
-    fi
-    if ! grep "pe_install::puppet_master_dnsaltname.*${tmphost}" /etc/puppetlabs/enterprise/conf.d/pe.conf > /dev/null 2>&1
-    then
-      echo "'${tmphost}' is set up as a DNS alt name in the existing certificate, but is not present in the 'pe_install::puppet_master_dnsaltnames' setting of '/etc/puppetlabs/enterprise/conf.d/pe.conf'.  Please add it to continue, or use the 'dnsaltname_override' task parameter to skip this check."
-      exit 255
-    fi
-  done
-}
+mkdir -p /var/puppetlabs/backups/
+cp -aR "$ssldir" /var/puppetlabs/backups || fail "Error backing up ssldir"
 
-# main
+find "${ca_dirs[@]}" -name "$certname" -delete
+# shellcheck disable=SC2154
+PATH="${PATH}:/opt/puppetlabs/bin" puppet infrastructure configure --no-recover &>"$_tmp" || fail "Error running 'puppet infrastructure configure'"
 
-puppet_version=$("${PUPPET_BIN_DIR?}/puppet" --version)
-if [[ ${puppet_version%%.*} -ge 6 ]];then
-  PUPPET_6=true
-else
-  PUPPET_6=false
-fi
-
-exit_if_compile_master
-
-if ! "$PT_dnsaltname_override"
-then
-  check_dns_alt_names
-fi
-
-if [ ! -x $PUPPETCMD ]; then
-  echo "Unable to locate executable Puppet command at ${PUPPETCMD}"
-  exit 255
-fi
-
-# Back up the SSL directories
-backup_ssl
-
-rm -f "/opt/puppetlabs/puppet/cache/client_data/catalog/${CERTNAME}.json"
-
-if [ ${PUPPET_6} = true ]; then
-  "${PUPPETSERVERCMD}" ca clean --certname "${CERTNAME}"
-  find /etc/puppetlabs/puppet/ssl -name "${CERTNAME}".pem -delete
-else
-  "${PUPPETCMD}" cert clean "${CERTNAME}"
-fi
-
-"${PUPPETCMD}" infrastructure configure --no-recover
-"${PUPPETCMD}" agent -t
-
-if [ $? -eq 2 ]; then
-  exit 0
-fi
+success '{ "status": "success" }'
diff --git a/tasks/st0317a_clean_cert.rb b/tasks/st0317a_clean_cert.rb
@@ -15,14 +15,14 @@
 
 Puppet.initialize_settings
 
-def pe_master?
+def pe_primary?
   !Facter.value('pe_build').nil?
 end
 
 # This task only works when running against your Puppet CA server, so let's check for that.
 # In Puppetserver, that means the configs contain 'certificate-authority-service', uncommented.
 # The puppetserver config file differs between PE and open-source puppetserver.
-ca_cfg = pe_master? ? '/etc/puppetlabs/puppetserver/bootstrap.cfg' : '/etc/puppetlabs/puppetserver/services.d/ca.cfg'
+ca_cfg = pe_primary? ? '/etc/puppetlabs/puppetserver/bootstrap.cfg' : '/etc/puppetlabs/puppetserver/services.d/ca.cfg'
 
 if !File.exist?(ca_cfg) || File.readlines(ca_cfg).grep(%r{^[^#].+certificate-authority-service$}).empty?
   puts 'This task can only be run on your certificate authority Puppetserver'
diff --git a/tasks/st1096_db_commands.sh b/tasks/st1096_db_commands.sh
@@ -9,7 +9,7 @@ psql_options=("-d" "$database")
   fail 'pe-postgresql service not found'
 }
 
-case "$command" in
+case "${command?}" in
   resource_events_per_resource)
     query='select certname, containing_class, file, count(*) from resource_events join certnames on certnames.id = resource_events.certname_id group by certname, containing_class, file order by count desc limit 20;'
     psql_options+=("-c" "$query")
@@ -36,7 +36,7 @@ case "$command" in
     ;;
   database_sizes)
     # Hard-coded to pe-puppetdb
-    query_file="$_installdir/support_tasks/files/db_sizes.sql"
+    query_file="${_installdir?}/support_tasks/files/db_sizes.sql"
     # To avoid quoting issues, putting complicated queries in files makes sense
     # But, _installdir is created as the --run-as user, so allow pe-postgres to read a copy of the file
     tmp_query="$(mktemp)"; cp "$query_file" "$tmp_query"; chmod 644 "$tmp_query"
@@ -49,5 +49,7 @@ chmod +r "$_installdir"
 runuser -u pe-postgres -- /opt/puppetlabs/server/bin/psql "${psql_options[@]}" || {
   fail "Error running query"
 }
-# Use || true to avoid exiting 1 if the tmp file doesn't exist
-[[ -e $tmp_query ]] && rm -- "$tmp_query" || true
+
+[[ -e $tmp_query ]] && rm -- "$tmp_query"
+# Include a noop so we don't exit 1 if the temp file doesn't exist
+:
