Fix master version check used by pe_agent
This commit updates the certificate provisioning and cleanup routines
used by the `pe_agent` provisioner to read the master's PE version
directly rather than assuming it is the same as the agent's. This
prevents the default string "current" from being mis-interpreted
as a version number.

Fixes #147
Closes #148
Sharpie committed Jun 5, 2019
1 parent fab2f4b commit a38eaab
Showing 1 changed file with 18 additions and 3 deletions.
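--- a/lib/pe_build/provisioner/pe_agent.rb
+++ b/lib/pe_build/provisioner/pe_agent.rb
@@ -190,14 +190,21 @@ def provision_agent_cert
 # This method will raise an error if commands can't be run on the
 # master VM.
 ensure_reachable(master_vm)
+master_version = ''
+err_code = master_vm.communicate.sudo('cat /opt/puppetlabs/server/pe_version', error_check: false) do |type, output|
+master_version << output if type == :stdout
+end
+# Check for unrecognized PE file layouts, which are assumed to be older
+# than 2019.0.
+master_version = '0.0' if (err_code != 0)
 
 agent_certname = facts['certname']
 
 # Return if the cert has already been signed. The return code is
 # inverted as `grep -q` will exit with 1 if the certificate is not
 # found.
 # TODO: Extend paths to PE 3.x masters.
-csr_check = PEBuild::Util::VersionString.compare(config.version, '2019.0.0') < 0 ?
+csr_check = PEBuild::Util::VersionString.compare(master_version, '2019.0') < 0 ?
 "/opt/puppetlabs/bin/puppet cert list | grep -q -F #{agent_certname}" :
 "/opt/puppetlabs/bin/puppetserver ca list | grep -q -F #{agent_certname}"
 if not master_vm.communicate.test(csr_check, :sudo => true)
@@ -217,7 +224,7 @@ def provision_agent_cert
 
 # TODO: Extend paths to PE 3.x masters.
 # NOTE: 2019.0.0 has Cert SAN allowed by default
-sign_cert = PEBuild::Util::VersionString.compare(config.version, '2019.0.0') < 0 ?
+sign_cert = PEBuild::Util::VersionString.compare(master_version, '2019.0') < 0 ?
 "/opt/puppetlabs/bin/puppet cert --allow-dns-alt-names sign #{agent_certname}" :
 "/opt/puppetlabs/bin/puppetserver ca sign --certname #{agent_certname}"
 shell_provision_commands(master_vm, sign_cert)
@@ -237,9 +244,17 @@ def cleanup_agent_cert
 return
 end
 
+master_version = ''
+err_code = master_vm.communicate.sudo('cat /opt/puppetlabs/server/pe_version', error_check: false) do |type, output|
+master_version << output if type == :stdout
+end
+# Check for unrecognized PE file layouts, which are assumed to be older
+# than 2019.0.
+master_version = '0.0' if (err_code != 0)
+
 # TODO: Extend paths to PE 3.x masters.
 # TODO: Find a way to query an individual certificate through puppetserver ca.
-cert_check = PEBuild::Util::VersionString.compare(config.version, '2019.0.0') < 0 ?
+cert_check = PEBuild::Util::VersionString.compare(master_version, '2019.0') < 0 ?
 "/opt/puppetlabs/bin/puppet cert list #{agent_certname}" :
 "/opt/puppetlabs/bin/puppetserver ca list --all| grep -q -F #{agent_certname}"
 unless master_vm.communicate.test(cert_check, :sudo => true)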
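Review bot: The `master_version` string built from `cat /opt/puppetlabs/server/pe_version` in `provision_agent_cert` is compared exactly as read, so it still carries the trailing newline and is replaced with `'0.0'` only when the command fails; a file that exists but is empty or malformed reaches `VersionString.compare` unchanged, and how that helper treats such input is not visible here. Normalising first would make the choice between the `puppet cert` and `puppetserver ca` commands deterministic, e.g. `master_version = master_version.strip` followed by `master_version = '0.0' if err_code != 0 || master_version.empty?`. The same seven lines are repeated in `cleanup_agent_cert`, so a single private helper returning the master's version would keep the two call sites from drifting apart. Separately, `agent_certname` is interpolated unquoted into commands that run under sudo on the master; wrapping it as `Shellwords.escape(agent_certname)` would keep a certname containing shell metacharacters from altering the command. Both method bodies continue outside the visible hunks.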
