.github/workflows/mend.yml

@@ -2,24 +2,26 @@ name: "mend"
 
 on:
   pull_request:
+    types:
+      - closed
     branches:
       - "main"
   schedule:
     - cron: "0 0 * * *"
   workflow_dispatch:
 
 jobs:
-
   mend:
-    if: github.event.pull_request.head.repo.full_name == github.repository
+    if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' || (github.event.pull_request.merged == true && github.ref == 'refs/heads/main')
     runs-on: "ubuntu-latest"
 
     steps:
-
       - name: "checkout"
         uses: "actions/checkout@v3"
         with:
           fetch-depth: 1
+          repository: "puppetlabs/puppetlabs-peadm"
+          ref: "main"
 
       - name: "setup ruby"
         uses: "ruby/setup-ruby@v1"
@@ -43,5 +45,5 @@ jobs:
           WS_APIKEY: ${{ secrets.MEND_API_KEY }}
           WS_WSS_URL: https://saas-eu.whitesourcesoftware.com/agent
           WS_USERKEY: ${{ secrets.MEND_TOKEN }}
-          WS_PRODUCTNAME: "Puppet Enterprise"
-          WS_PROJECTNAME: ${{  github.event.repository.name }}
+          WS_PRODUCTNAME: InsTalleR
+          WS_PROJECTNAME: ${{  github.event.repository.name }}

.github/workflows/test-fips-install-matrix.yaml

@@ -44,7 +44,7 @@ jobs:
         version:
           - 2019.8.12
           - 2021.7.5
-          - 2023.4.0
+          - 2023.5.0
         image:
           - rhel-8
         fips:

.github/workflows/test-install-matrix.yaml

@@ -44,7 +44,7 @@ jobs:
         version:
           - 2019.8.12
           - 2021.7.5
-          - 2023.4.0
+          - 2023.5.0
         image:
           - centos-7
           - almalinux-cloud/almalinux-8

.vscode/extensions.json

@@ -1,6 +1,6 @@
 {
   "recommendations": [
     "puppet.puppet-vscode",
-    "rebornix.Ruby"
+    "Shopify.ruby-lsp",
   ]
-}
+}

CHANGELOG.md

@@ -5,6 +5,18 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org).
 
+## [v3.16.0](https://github.com/puppetlabs/puppetlabs-peadm/tree/v3.16.0) - 2023-11-08
+
+[Full Changelog](https://github.com/puppetlabs/puppetlabs-peadm/compare/v3.15.1...v3.16.0)
+
+### Added
+
+- (PE-35906) Adding plans for backing up and restoring CA [#400](https://github.com/puppetlabs/puppetlabs-peadm/pull/400) ([ragingra](https://github.com/ragingra))
+
+### Fixed
+
+- peadm::install: Depend code-manager setup on r10k remote presence, not r10k ssh key [#401](https://github.com/puppetlabs/puppetlabs-peadm/pull/401) ([bastelfreak](https://github.com/bastelfreak))
+
 ## [v3.15.1](https://github.com/puppetlabs/puppetlabs-peadm/tree/v3.15.1) - 2023-10-10
 
 [Full Changelog](https://github.com/puppetlabs/puppetlabs-peadm/compare/v3.15.0...v3.15.1)

README.md

@@ -16,6 +16,7 @@ The peadm module is able to deploy and manage Puppet Enterprise 2019.7 and highe
   - [Usage](#usage)
   - [Reference](#reference)
   - [Getting Help](#getting-help)
+  - [License](#license)
 
 ## Expectations and support
 
@@ -83,3 +84,7 @@ Documentation pertaining to additional uses of peadm.
 
 * If you find bugs with this module, please make use of [issues](https://github.com/puppetlabs/puppetlabs-peadm/issues) in the project on GitHub
 * If you are a Puppet Enterprise (PE) customer that uses peadm to manage a deployment of PE and are currently having an outage or need assistance troubleshooting another issue, e.g. upgrades, contact the [Support Team](https://support.puppet.com)
+
+## License
+
+This codebase is licensed under Apache 2.0. However, the open source dependencies included in this codebase might be subject to other software licenses such as AGPL, GPL2.0, and MIT.

REFERENCE.md

@@ -85,9 +85,11 @@
 #### Public Plans
 
 * [`peadm::add_database`](#peadm--add_database)
+* [`peadm::backup_ca`](#peadm--backup_ca)
 * [`peadm::convert`](#peadm--convert): Convert an existing PE cluster to a PEAdm-managed cluster
 * [`peadm::install`](#peadm--install): Install a new PE cluster
 * [`peadm::modify_certificate`](#peadm--modify_certificate): Modify the certificate of one or more targets
+* [`peadm::restore_ca`](#peadm--restore_ca)
 * [`peadm::status`](#peadm--status): Return status information from one or more PE clusters in a table format
 * [`peadm::upgrade`](#peadm--upgrade): Upgrade a PEAdm-managed cluster
 
@@ -1527,6 +1529,31 @@ Optional[Enum[
 
 Default value: `undef`
 
+### <a name="peadm--backup_ca"></a>`peadm::backup_ca`
+
+The peadm::backup_ca class.
+
+#### Parameters
+
+The following parameters are available in the `peadm::backup_ca` plan:
+
+* [`target`](#-peadm--backup_ca--target)
+* [`output_directory`](#-peadm--backup_ca--output_directory)
+
+##### <a name="-peadm--backup_ca--target"></a>`target`
+
+Data type: `Peadm::SingleTargetSpec`
+
+
+
+##### <a name="-peadm--backup_ca--output_directory"></a>`output_directory`
+
+Data type: `Optional[String]`
+
+
+
+Default value: `'/tmp'`
+
 ### <a name="peadm--convert"></a>`peadm::convert`
 
 This plan sets required certificate extensions on PE nodes, and configures
@@ -1965,6 +1992,38 @@ Data type: `Boolean`
 
 Default value: `false`
 
+### <a name="peadm--restore_ca"></a>`peadm::restore_ca`
+
+The peadm::restore_ca class.
+
+#### Parameters
+
+The following parameters are available in the `peadm::restore_ca` plan:
+
+* [`target`](#-peadm--restore_ca--target)
+* [`file_path`](#-peadm--restore_ca--file_path)
+* [`recovery_directory`](#-peadm--restore_ca--recovery_directory)
+
+##### <a name="-peadm--restore_ca--target"></a>`target`
+
+Data type: `Peadm::SingleTargetSpec`
+
+
+
+##### <a name="-peadm--restore_ca--file_path"></a>`file_path`
+
+Data type: `String`
+
+
+
+##### <a name="-peadm--restore_ca--recovery_directory"></a>`recovery_directory`
+
+Data type: `Optional[String]`
+
+
+
+Default value: `'/tmp/peadm_recovery'`
+
 ### <a name="peadm--status"></a>`peadm::status`
 
 Return status information from one or more PE clusters in a table format

documentation/backup_restore_ca.md

@@ -0,0 +1,39 @@
+# Backup and Restore Puppet Enterprise CA
+
+## Overview
+Backup and restore plans for the Puppet Enterprise CA. This utilises the [puppet_backup](https://www.puppet.com/docs/pe/2023.4/backing_up_and_restoring_pe.html) tool. This plan has scope set to only CERTS, and will backup CA and SSL certificates. The backup plan will create a tarball of the CA and store it by default in the `/tmp` directory. The restore plan will restore the CA from the tarball at the path you provide.
+
+## Notes
+There can be some downtime associated with the restore process. Restore will stop PE services, restore the CA, and then start the PE services. This can take a few minutes.
+
+## Usage
+
+### Backup
+
+```bash
+peadm backup_ca target=primary.example.com
+```
+
+Backup will output the path to a timestamped folder containing the backup file. The backup file will be named `backup_ca.tgz`. At this stage the backup file can be copied to a safe location.
+
+Optionaly "output_directory" can be specified to change the location of the backup file.
+
+```bash
+peadm::backup_ca target=primary.example.com output_directory=/custompath
+```
+
+### Restore
+
+```bash
+peadm::restore_ca target=primary2.example.com path=/tmp/backup_ca.tgz file_path=/tmp/backup_ca.tgz
+```
+
+Restore will stop PE services, restore the CA, and then start the PE services. This can take a few minutes.
+
+Optionaly "recovery_directory" can be specified to change the temporary location where the backup file will be unzipped.
+
+```bash
+peadm::restore_ca target=primary2.example.com path=/tmp/backup_ca.tgz file_path=/tmp/backup_ca.tgz recovery_directory=/custompath
+```
+
+

documentation/upgrade.md

@@ -8,11 +8,11 @@ The `peadm::upgrade` plan requires as input the version of PE to upgrade to, and
 
 Please note that when upgrading from before 2023.4 to 2023.4 or above and you are using code manager, it is nessesary to provide known hosts for r10k. r10k_known_hosts is an optional parameter and is only required one time when upgrading to 2023.4 or beyond. But if you currently use the SSH protocol to allow r10k to access your remote Git repository, your Code manager or r10k code management tool cannot function until you define the r10k_known_hosts parameter. Subsequent upgrades will already have this and it won't be required again. Please refer to the Puppet Enterprise 2023.4 Upgrade cautions for more details.
 
-The following is an example parameters file for upgrading an Extra Large architecture deployment of PE 2023.2.0 to PE 2023.4.0.
+The following is an example parameters file for upgrading an Extra Large architecture deployment of PE 2023.2.0 to PE 2023.5.0.
 
 ```json
 {
-  "version": "2023.4.0",
+  "version": "2023.5.0",
   "primary_host": "pe-master-09a40c-0.us-west1-a.c.reidmv-peadm.internal",
   "primary_postgresql_host": "pe-psql-09a40c-0.us-west1-a.c.reidmv-peadm.internal",
   "replica_host": "pe-master-09a40c-1.us-west1-b.c.reidmv-peadm.internal",

functions/assert_supported_pe_version.pp

@@ -6,7 +6,7 @@ function peadm::assert_supported_pe_version (
   Boolean $permit_unsafe_versions = false,
 ) >> Struct[{ 'supported' => Boolean }] {
   $oldest = '2019.7'
-  $newest = '2023.4'
+  $newest = '2023.5'
   $supported = ($version =~ SemVerRange(">= ${oldest} <= ${newest}"))
 
   if $permit_unsafe_versions {

metadata.json

@@ -1,6 +1,6 @@
 {
   "name": "puppetlabs-peadm",
-  "version": "3.15.1",
+  "version": "3.16.0",
   "author": "puppetlabs",
   "summary": "Bolt plans used to deploy an at-scale Puppet Enterprise architecture",
   "license": "Apache-2.0",

plans/backup_ca.pp

@@ -0,0 +1,26 @@
+plan peadm::backup_ca(
+  Peadm::SingleTargetSpec $target,
+  Optional[String]                  $output_directory = '/tmp',
+) {
+  out::message('# Backing up ca and ssl certificates')
+  # lint:ignore:strict_indent
+
+  $timestamp = Timestamp.new().strftime('%Y-%m-%dT%H%M%SZ')
+  $backup_directory = "${output_directory}/pe-backup-${timestamp}"
+
+  # Create backup folder
+  apply($target) {
+    file { $backup_directory :
+      ensure => 'directory',
+      owner  => 'root',
+      group  => 'root',
+      mode   => '0700',
+    }
+  }
+
+  run_command(@("CMD"), $target)
+    /opt/puppetlabs/bin/puppet-backup create --dir=${shellquote($backup_directory)} --name=ca_backup.tgz --scope=certs
+    | CMD
+  # lint:endignore
+  return({ 'path' => "${backup_directory}/ca_backup.tgz" })
+}

plans/restore_ca.pp

@@ -0,0 +1,16 @@
+plan peadm::restore_ca(
+  Peadm::SingleTargetSpec $target,
+  String                  $file_path,
+  Optional[String]                  $recovery_directory = '/tmp/peadm_recovery',
+) {
+  out::message('# Restoring ca and ssl certificates')
+
+  # lint:ignore:strict_indent
+  run_command(@("CMD"/L), $target)
+    /opt/puppetlabs/bin/puppet-backup restore \
+    --scope=certs \
+    --tempdir=${shellquote($recovery_directory)} \
+    --force \
+    ${shellquote($file_path)}
+  | CMD
+}

plans/subplans/install.pp

@@ -136,10 +136,10 @@
   $r10k_private_key = peadm::file_or_content('r10k_private_key', $r10k_private_key_file, $r10k_private_key_content)
 
   # enable code manager if:
-  # * it isn't explicitly disabled *and* the user provided r10k repo+key
+  # * it isn't explicitly disabled *and* the user provided r10k repo (key is optional, repo could be a local absolute path or https URL)
   # * a replica is present
   # * one or multiple compiler are present
-  $_code_manager_auto_configure = if $r10k_private_key and $code_manager_auto_configure {
+  $_code_manager_auto_configure = if $r10k_remote and $code_manager_auto_configure {
     true
   } elsif $replica_host {
     true

spec/plans/backup_ca_spec.rb

@@ -0,0 +1,14 @@
+require 'spec_helper'
+
+describe 'peadm::backup_ca' do
+  include BoltSpec::Plans
+
+  let(:params) { { 'target' => 'myserver.example.com' } }
+
+  it 'will create backup directory and run puppet-backup command' do
+    allow_apply
+    expect_out_message.with_params('# Backing up ca and ssl certificates')
+    allow_any_command
+    expect(run_plan('peadm::backup_ca', params)).to be_ok
+  end
+end

spec/plans/restore_ca_spec.rb

@@ -0,0 +1,18 @@
+require 'spec_helper'
+
+describe 'peadm::restore_ca' do
+  include BoltSpec::Plans
+
+  let(:params) do
+    {
+      'target' => 'myserver.example.com',
+      'file_path' => '/tmp/backup_ca.tgz'
+    }
+  end
+
+  it 'will run puppet-backup command' do
+    expect_out_message.with_params('# Restoring ca and ssl certificates')
+    allow_any_command
+    expect(run_plan('peadm::restore_ca', params)).to be_ok
+  end
+end