Merge pull request #18 from opus-codium/decommission-tasks

Switch to tasks for decommissioning nodes
opus-codium · Jul 5, 2022 · de3deaa · de3deaa
2 parents 137cd67 + 7151e3e
commit de3deaa
Show file tree

Hide file tree

Showing 7 changed files with 70 additions and 9 deletions.
diff --git a/plans/decommission.pp b/plans/decommission.pp
@@ -1,7 +1,10 @@
 # Decommission a node and disconnect it from the Puppet infrastructure
 #
 # @param nodes The nodes to decommission
-plan commission::decommission(TargetSpec $nodes, String[1] $puppetserver = undef) {
+plan commission::decommission(
+  TargetSpec $nodes,
+  Optional[String[1]] $puppetserver = undef,
+) {
   $puppetserver_node = $puppetserver.lest || { prompt('puppetserver') }
 
   upload_file('commission/motd.decommissioned', '/etc/motd', $nodes, '_run_as' => 'root')
@@ -16,10 +19,8 @@
 
   run_script('commission/clean-cron-jobs.sh', $nodes, '_run_as' => 'root')
 
-  get_targets($nodes).each |$node| {
-    run_command("/opt/puppetlabs/bin/puppetserver ca revoke --certname ${node.name}", $puppetserver_node, '_run_as' => 'root')
-    run_command("/opt/puppetlabs/bin/puppet node deactivate ${node.name}", $puppetserver_node, '_run_as' => 'root')
-  }
+  run_task('commission::revoke_certificates', $puppetserver_node, '_run_as' => 'root', 'certificates' => $nodes.get_targets().map |$n| { $n.name })
+  run_task('commission::deactivate_nodes', $puppetserver_node, '_run_as' => 'root', 'nodes' => $nodes.get_targets().map |$n| { $n.name })
 
   run_task('package', $nodes, 'Uninstalling puppet-agent', '_run_as' => 'root', 'action' => 'uninstall', 'name' => 'puppet-agent')
 }
diff --git a/tasks/deactivate_nodes.json b/tasks/deactivate_nodes.json
@@ -0,0 +1,11 @@
+{
+  "description": "Deactivate nodes in PuppetDB",
+  "files": ["ruby_task_helper/files/task_helper.rb"],
+  "input_method": "stdin",
+  "parameters": {
+    "nodes": {
+      "description": "The nodes to deactivate",
+      "type": "Array[String[1]]"
+    }
+  }
+}
diff --git a/tasks/deactivate_nodes.rb b/tasks/deactivate_nodes.rb
@@ -0,0 +1,20 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require_relative '../../ruby_task_helper/files/task_helper'
+
+class DeactivateNodes < TaskHelper
+  def task(nodes:, **_kwargs)
+    # Prepend AIO path if it exist and is not in $PATH
+    if File.directory?('/opt/puppetlabs/puppet/bin') &&
+       !ENV['PATH'].split(':').include?('/opt/puppetlabs/puppet/bin')
+      ENV['PATH'] = "/opt/puppetlabs/puppet/bin:#{ENV['PATH']}"
+    end
+
+    system('puppet', 'node', 'deactivate', *nodes) || raise(TaskHelper::Error.new('Failed to deactivate nodes', 'deactivate_nodes', 'puppet exited with a non-null error code'))
+
+    nil
+  end
+end
+
+DeactivateNodes.run if $PROGRAM_NAME == __FILE__
diff --git a/tasks/revoke_certificates.json b/tasks/revoke_certificates.json
@@ -0,0 +1,11 @@
+{
+  "description": "Revoke certificates on the Puppet Server",
+  "files": ["ruby_task_helper/files/task_helper.rb"],
+  "input_method": "stdin",
+  "parameters": {
+    "certificates": {
+      "description": "The certificates to revoke",
+      "type": "Array[String[1]]"
+    }
+  }
+}
diff --git a/tasks/revoke_certificates.rb b/tasks/revoke_certificates.rb
@@ -0,0 +1,20 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require_relative '../../ruby_task_helper/files/task_helper'
+
+class RevokeCertificates < TaskHelper
+  def task(certificates:, **_kwargs)
+    # Prepend AIO path if it exist and is not in $PATH
+    if File.directory?('/opt/puppetlabs/puppet/bin') &&
+       !ENV['PATH'].split(':').include?('/opt/puppetlabs/puppet/bin')
+      ENV['PATH'] = "/opt/puppetlabs/puppet/bin:#{ENV['PATH']}"
+    end
+
+    system('puppetserver', 'ca', 'revoke', '--certname', certificates.join(',')) || raise(TaskHelper::Error.new('Failed to revoke certificates', 'revoke_certificates', 'puppetserver exited with a non-null error code'))
+
+    nil
+  end
+end
+
+RevokeCertificates.run if $PROGRAM_NAME == __FILE__
diff --git a/tasks/set_puppet_config.rb b/tasks/set_puppet_config.rb
@@ -1,8 +1,6 @@
 #!/usr/bin/env ruby
 # frozen_string_literal: true
 
-require 'open3'
-
 require_relative '../../ruby_task_helper/files/task_helper'
 
 class SetPuppetConfig < TaskHelper
@@ -14,7 +12,7 @@ def task(settings:, **_kwargs)
     end
 
     settings.each do |setting_name, setting_value|
-      Open3.capture3('puppet', 'config', 'set', setting_name.to_s, setting_value.to_s)
+      system('puppet', 'config', 'set', setting_name.to_s, setting_value.to_s) || raise(TaskHelper::Error.new('Failed to set setting', 'set_puppet_config', 'puppet exited with a non-null error code'))
     end
 
     nil

diff --git a/tasks/sign_certificate_requests.rb b/tasks/sign_certificate_requests.rb
@@ -13,7 +13,7 @@ def task(certificate_requests:, **_kwargs)
 
     certificate_requests.each do |node, details|
       if pending_requests[node] == details
-        system('puppetserver', 'ca', 'sign', node)
+        system('puppetserver', 'ca', 'sign', node) || raise(TaskHelper::Error.new('Failed to sign certificate requests', 'sign_certificate_requests', 'puppetserver exited with a non-null error code'))
       else
         raise TaskHelper::Error.new('Certificate Request not fournd',
                                     'sign_agent_certificate/certificate_request_not_found',