Showing with 41 additions and 12 deletions.

+13 −0 CHANGELOG.md

+13 −4 README.md

+1 −1 metadata.json

+3 −5 plans/convert.pp

+11 −2 plans/util/add_cert_extensions.pp
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,18 @@
 # PEADM module
 
+## 2.4.0
+### Summary
+
+Readme updates and further convert plan efficiency improvements
+
+### Features
+
+- In the peadm::convert plan, certificates which already contain requested extensions will not be re-issued. This will accelerate the convert process, or allow re-runs of the convert process to move more quickly.
+
+### Improvements
+
+- The README now provides more detailed information on how customers using the peadm module should go about getting support for it.
+
 ## 2.3.0
 ### Summary
 

diff --git a/README.md b/README.md
@@ -6,19 +6,28 @@ The peadm module is able to deploy and manage Puppet Enterprise 2019.x Standard,
 
 #### Table of Contents
 
-1. [Expectations](#expectations)
-1. [Overview](#overview)
+1. [Expectations and support](#expectations-and-support)
+2. [Overview](#overview)
     * [What peadm affects](#what-peadm-affects)
     * [What peadm does not affect](#what-peadm-does-not-affect)
     * [Requirements](#requirements)
 3. [Usage](#usage)
 4. [Reference](#reference)
 5. [Getting Help](#getting-help)
 
-## Expectations
+## Expectations and support
 
 The peadm module is intended to be used only by Puppet Enterprise customers actively working with and being guided by Puppet Customer Success teams—specifically, the Professional Services and Solutions Architecture teams. Independent use is not recommended for production environments without a comprehensive understanding of the peadm module.
 
+The peadm module is a services-led tool, and is **NOT** supported through Puppet Enterprise's standard or premium [support.puppet.com](https://support.puppet.com) service.
+
+As a services-led tool, Puppet Enterprise customers who are advised to start using this tool should get support for it through the following general process.
+
+1. Be introduced to the tool through a services engagement or by their Technical Account Manager (TAM).
+2. During Professional Services (PS) engagements, the Puppet PS team will aid and instruct in use of the tool.
+3. Outside of PS engagements, use TAM services to request assistance with problems encountered when using the tool, and to inform Puppet Customer Success (CS) teams of planned major maintenance or upgrades for which advisory services are needed.
+4. In the absence of a TAM, your Puppet account management team (Account Executive and Solutions Engineer) may be a fallback communication option for requesting assistance, or for informing CS teams of planned major maintenance for which advisory services are needed.
+
 ## Overview
 
 The normal usage pattern for peadm is as follows.
@@ -66,4 +75,4 @@ Additional documentation and information pertaining to various aspects or elemen
 
 ## Getting Help
 
-To get help with issues concerning this module, please make use of [issues](https://github.com/puppetlabs/puppetlabs-peadm/issues) in the project on GitHub.
+To get help with issues concerning this module, please make use of [issues](https://github.com/puppetlabs/puppetlabs-peadm/issues) in the project on GitHub.
diff --git a/metadata.json b/metadata.json
@@ -1,6 +1,6 @@
 {
   "name": "puppetlabs-peadm",
-  "version": "2.3.0",
+  "version": "2.4.0",
   "author": "puppetlabs",
   "summary": "Bolt plans used to deploy an at-scale Puppet Enterprise architecture",
   "license": "Apache-2.0",

diff --git a/plans/convert.pp b/plans/convert.pp
@@ -177,9 +177,8 @@
   peadm::plan_step('convert-compilers-a') || {
     run_plan('peadm::util::add_cert_extensions', $compiler_a_targets,
       master_host => $master_target,
-      remove      => ['1.3.6.1.4.1.34380.1.3.13'], # OID form of pp_auth_role
       extensions  => {
-        'pp_auth_role'                         => 'pe_compiler',
+        peadm::oid('pp_auth_role')             => 'pe_compiler',
         peadm::oid('peadm_availability_group') => 'A',
       },
     )
@@ -188,9 +187,8 @@
   peadm::plan_step('convert-compilers-b') || {
     run_plan('peadm::util::add_cert_extensions', $compiler_b_targets,
       master_host => $master_target,
-      remove      => ['1.3.6.1.4.1.34380.1.3.13'], # OID form of pp_auth_role
       extensions  => {
-        'pp_auth_role'                         => 'pe_compiler',
+        peadm::oid('pp_auth_role')             => 'pe_compiler',
         peadm::oid('peadm_availability_group') => 'B',
       },
     )
@@ -236,5 +234,5 @@
     run_task('peadm::puppet_runonce', $all_targets - $master_target)
   }
 
-  return("Conversion to peadm Puppet Enterprise ${arch['architecture']} succeeded.")
+  return("Conversion to peadm Puppet Enterprise ${arch['architecture']} completed.")
 }
diff --git a/plans/util/add_cert_extensions.pp b/plans/util/add_cert_extensions.pp
@@ -38,11 +38,20 @@
 
   # Loop through and recert each target one at at time, because Bolt lacks
   # real parallelism
-  $all_targets.map |$target| {
+  $all_targets.each |$target| {
     $certname = $certdata[$target]['certname']
+    $existing_exts = $certdata[$target]['extensions']
 
     # This will be the new trusted fact data for this node
-    $extension_requests = $certdata[$target]['extensions'] + $extensions
+    $extension_requests = $existing_exts + $extensions
+
+    # If the existing certificate meets all the requirements, there's no need
+    # to regenerate it. Skip it and move on to the next.
+    if (($extension_requests.all |$key,$val| { $existing_exts[$key] == $val }) and
+        !($remove.any |$key| { $key in $existing_exts.keys })) {
+      out::message("${certname} already has requested extensions; certificate will not be re-issued")
+      next()
+    }
 
     # Everything starts the same; we always stop the agent and revoke the
     # existing cert. We use `run_command` in case the master is 2019.x but