Remove insecure pe_installer_source parameter #524

Open: wants to merge 4 commits into base: main
24 changes: 0 additions & 24 deletions REFERENCE.md
Expand Up @@ -2022,7 +2022,6 @@ The following parameters are available in the `peadm::install` plan:
* [`compiler_pool_address`](#-peadm--install--compiler_pool_address)
* [`internal_compiler_a_pool_address`](#-peadm--install--internal_compiler_a_pool_address)
* [`internal_compiler_b_pool_address`](#-peadm--install--internal_compiler_b_pool_address)
* [`pe_installer_source`](#-peadm--install--pe_installer_source)
* [`ldap_config`](#-peadm--install--ldap_config)
* [`final_agent_state`](#-peadm--install--final_agent_state)
* [`stagingdir`](#-peadm--install--stagingdir)
Expand Down Expand Up @@ -2078,17 +2077,6 @@ architectures.

Default value: `undef`

##### <a name="-peadm--install--pe_installer_source"></a>`pe_installer_source`

Data type: `Optional[Stdlib::HTTPSUrl]`

The URL to download the Puppet Enterprise installer media from. If not
specified, PEAdm will attempt to download PE installation media from its
standard public source. When specified, PEAdm will download directly from the
URL given.

Default value: `undef`

##### <a name="-peadm--install--ldap_config"></a>`ldap_config`

Data type: `Optional[Peadm::Ldap_config]`
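Review bot: dropping a documented plan parameter is a breaking change for anyone passing `pe_installer_source` today (typically sites that point PEAdm at an internal mirror), and nothing in this diff records it. Add a changelog or upgrade note stating that the parameter is gone from both `peadm::install` and `peadm::upgrade` and that such callers should pre-stage the tarball under `uploaddir` instead, which is the approach the acceptance plans in this PR take.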
Expand Down Expand Up @@ -2503,7 +2491,6 @@ The following parameters are available in the `peadm::upgrade` plan:
* [`compiler_pool_address`](#-peadm--upgrade--compiler_pool_address)
* [`internal_compiler_a_pool_address`](#-peadm--upgrade--internal_compiler_a_pool_address)
* [`internal_compiler_b_pool_address`](#-peadm--upgrade--internal_compiler_b_pool_address)
* [`pe_installer_source`](#-peadm--upgrade--pe_installer_source)
* [`final_agent_state`](#-peadm--upgrade--final_agent_state)
* [`r10k_known_hosts`](#-peadm--upgrade--r10k_known_hosts)
* [`stagingdir`](#-peadm--upgrade--stagingdir)
Expand Down Expand Up @@ -2548,17 +2535,6 @@ architectures.

Default value: `undef`

##### <a name="-peadm--upgrade--pe_installer_source"></a>`pe_installer_source`

Data type: `Optional[Stdlib::HTTPSUrl]`

The URL to download the Puppet Enterprise installer media from. If not
specified, PEAdm will attempt to download PE installation media from its
standard public source. When specified, PEAdm will download directly from the
URL given.

Default value: `undef`

##### <a name="-peadm--upgrade--final_agent_state"></a>`final_agent_state`

Data type: `Enum['running', 'stopped']`
7 changes: 0 additions & 7 deletions plans/install.pp
Expand Up @@ -11,11 +11,6 @@
# A load balancer address directing traffic to any of the "B" pool
# compilers. This is used for DR configuration in large and extra large
# architectures.
# @param pe_installer_source
# The URL to download the Puppet Enterprise installer media from. If not
# specified, PEAdm will attempt to download PE installation media from its
# standard public source. When specified, PEAdm will download directly from the
# URL given.
# @param ldap_config
# If specified, configures PE RBAC DS with the supplied configuration hash.
# The parameter should be set to a valid set of connection settings as
Expand Down Expand Up @@ -47,7 +42,6 @@
# Common Configuration
String $console_password,
Peadm::Pe_version $version = '2021.7.9',
Optional[Stdlib::HTTPSUrl] $pe_installer_source = undef,
Optional[Array[String]] $dns_alt_names = undef,
Optional[String] $compiler_pool_address = undef,
Optional[String] $internal_compiler_a_pool_address = undef,
Expand Down Expand Up @@ -94,7 +88,6 @@

# Common Configuration
version => $version,
pe_installer_source => $pe_installer_source,
console_password => $console_password,
dns_alt_names => $dns_alt_names,
pe_conf_data => $pe_conf_data,
16 changes: 2 additions & 14 deletions plans/subplans/install.pp
Expand Up @@ -28,12 +28,6 @@
# Config data to plane into pe.conf when generated on all hosts, this can be
# used for tuning data etc.
#
# @param pe_installer_source
# The URL to download the Puppet Enterprise installer media from. If not
# specified, PEAdm will attempt to download PE installation media from its
# standard public source. When specified, PEAdm will download directly from the
# URL given.
#
plan peadm::subplans::install (
# Standard
Peadm::SingleTargetSpec $primary_host,
Expand All @@ -50,7 +44,6 @@
# Common Configuration
String $console_password,
Peadm::Pe_version $version,
Optional[Stdlib::HTTPSUrl] $pe_installer_source = undef,
Array[String] $dns_alt_names = [],
Hash $pe_conf_data = {},

Expand Down Expand Up @@ -237,13 +230,8 @@
)
}

if $pe_installer_source {
$pe_tarball_name = $pe_installer_source.split('/')[-1]
$pe_tarball_source = $pe_installer_source
} else {
$pe_tarball_name = "puppet-enterprise-${version}-${platform}.tar.gz"
$pe_tarball_source = "https://s3.amazonaws.com/pe-builds/released/${version}/${pe_tarball_name}"
}
$pe_tarball_name = "puppet-enterprise-${version}-${platform}.tar.gz"
$pe_tarball_source = "https://s3.amazonaws.com/pe-builds/released/${version}/${pe_tarball_name}"

$upload_tarball_path = "${uploaddir}/${pe_tarball_name}"

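Review bot: with the source now fixed to `https://s3.amazonaws.com/pe-builds/released/${version}/${pe_tarball_name}`, the only integrity control visible in this hunk is TLS to that host; nothing compares the downloaded tarball against a published checksum before it is uploaded and executed. If the motivation for removing the parameter is untrusted installer media, a checksum or signature check on the fetched file is the natural companion change. Also confirm that the subplan skips the fetch when `${uploaddir}/${pe_tarball_name}` already exists, because the acceptance plans in this PR rely on a pre-staged file at that path being used rather than overwritten.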
23 changes: 5 additions & 18 deletions plans/upgrade.pp
Expand Up @@ -11,11 +11,6 @@
# A load balancer address directing traffic to any of the "B" pool
# compilers. This is used for DR configuration in large and extra large
# architectures.
# @param pe_installer_source
# The URL to download the Puppet Enterprise installer media from. If not
# specified, PEAdm will attempt to download PE installation media from its
# standard public source. When specified, PEAdm will download directly from the
# URL given.
# @param final_agent_state
# Configures the state the puppet agent should be in on infrastructure nodes
# after PE is upgraded successfully.
Expand Down Expand Up @@ -46,7 +41,6 @@

# Common Configuration
Optional[Peadm::Pe_version] $version = undef,
Optional[Stdlib::HTTPSUrl] $pe_installer_source = undef,
Optional[String] $compiler_pool_address = undef,
Optional[String] $internal_compiler_a_pool_address = undef,
Optional[String] $internal_compiler_b_pool_address = undef,
Expand Down Expand Up @@ -119,21 +113,14 @@

$platform = run_task('peadm::precheck', $primary_target).first['platform']

if $pe_installer_source {
$pe_tarball_name = $pe_installer_source.split('/')[-1]
$pe_tarball_source = $pe_installer_source
$_version = $pe_tarball_name.split('-')[2]
} else {
$_version = $version
$pe_tarball_name = "puppet-enterprise-${_version}-${platform}.tar.gz"
$pe_tarball_source = "https://s3.amazonaws.com/pe-builds/released/${_version}/${pe_tarball_name}"
}
$pe_tarball_name = "puppet-enterprise-${version}-${platform}.tar.gz"
$pe_tarball_source = "https://s3.amazonaws.com/pe-builds/released/${version}/${pe_tarball_name}"

$upload_tarball_path = "${uploaddir}/${pe_tarball_name}"

peadm::assert_supported_bolt_version()

peadm::assert_supported_pe_version($_version, $permit_unsafe_versions)
peadm::assert_supported_pe_version($version, $permit_unsafe_versions)

# Gather certificate extension information from all systems
$cert_extensions = run_task('peadm::cert_data', $all_targets).reduce({}) |$memo,$result| {
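Review bot: `$version` is declared `Optional[Peadm::Pe_version] $version = undef` in the hunk above, yet it is now interpolated unconditionally into `$pe_tarball_name` and `$pe_tarball_source` and passed straight to `peadm::assert_supported_pe_version`. Before this change the installer URL was the alternative way to supply a version (`$pe_tarball_name.split('-')[2]`); with that path removed, an undef `$version` yields `puppet-enterprise--<platform>.tar.gz` and a download URL that cannot resolve. Make the parameter required (`Peadm::Pe_version $version`) or fail early with a clear message when it is undef.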
Expand Down Expand Up @@ -386,7 +373,7 @@
# doesn't deal well with the PuppetDB database being on a separate node.
# So, move it aside before running the upgrade.
$pdbapps = '/opt/puppetlabs/server/apps/puppetdb/cli/apps'
$workaround_delete_reports = $arch['disaster-recovery'] and $_version =~ SemVerRange('>= 2019.8')
$workaround_delete_reports = $arch['disaster-recovery'] and $version =~ SemVerRange('>= 2019.8')
if $workaround_delete_reports {
# lint:ignore:strict_indent
run_command(@("COMMAND"/$), $replica_target)
Expand Down Expand Up @@ -438,7 +425,7 @@
)
}

peadm::check_version_and_known_hosts($current_pe_version, $_version, $r10k_known_hosts)
peadm::check_version_and_known_hosts($current_pe_version, $version, $r10k_known_hosts)

return("Upgrade of Puppet Enterprise ${arch['architecture']} completed.")
}
27 changes: 22 additions & 5 deletions spec/acceptance/peadm_spec/plans/install_test_cluster.pp
Expand Up @@ -39,12 +39,10 @@
download_mode => $download_mode,
code_manager_auto_configure => $code_manager_auto_configure,
version => $version,
pe_installer_source => $pe_installer_source,
permit_unsafe_versions => $permit_unsafe_versions,
}

$arch_params =
case $architecture {
$arch_params = case $architecture {
'standard': {{
primary_host => $t.filter |$n| { $n.vars['role'] == 'primary' },
} }
Expand Down Expand Up @@ -76,8 +74,27 @@
default: { fail('Invalid architecture!') }
}

$install_result =
run_plan('peadm::install', $arch_params + $common_params)
if $pe_installer_source {
$targets = $arch_params.values.flatten
$platform = run_task('peadm::precheck', $arch_params['primary_host']).first['platform']
$pe_tarball_name = "puppet-enterprise-${version}-${platform}.tar.gz"
$upload_tarball_path = "/tmp/${pe_tarball_name}"

if $download_mode == 'bolthost' {
run_plan('peadm::util::retrieve_and_upload', $targets,
source => $pe_installer_source,
local_path => "/tmp/${pe_tarball_name}",
upload_path => $upload_tarball_path,
)
} else {
run_task('peadm::download', $targets,
source => $pe_installer_source,
path => $upload_tarball_path,
)
}
}

$install_result = run_plan('peadm::install', $arch_params + $common_params)

return($install_result)
}
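Review bot: the staging block hardcodes `/tmp` twice (`$upload_tarball_path` and `local_path`) while the install subplan looks for the tarball at `${uploaddir}/${pe_tarball_name}`; pass the same `uploaddir` the plan will use and reuse `$upload_tarball_path` for `local_path` so the pre-staged file ends up where `peadm::install` expects it. Also, `$arch_params['primary_host']` is the result of a `filter`, i.e. an array, so `run_task('peadm::precheck', ...)` runs against a target list and `.first` silently picks whichever result came back first; selecting the single primary target explicitly is clearer.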
24 changes: 21 additions & 3 deletions spec/acceptance/peadm_spec/plans/upgrade_test_cluster.pp
Expand Up @@ -16,12 +16,10 @@
$common_params = {
download_mode => $download_mode,
version => $version,
pe_installer_source => $pe_installer_source,
permit_unsafe_versions => $permit_unsafe_versions,
}

$arch_params =
case $architecture {
$arch_params = case $architecture {
'standard': {{
primary_host => $t.filter |$n| { $n.vars['role'] == 'primary' },
} }
Expand Down Expand Up @@ -53,6 +51,26 @@
default: { fail('Invalid architecture!') }
}

if $pe_installer_source {
$targets = $arch_params.values.flatten
$platform = run_task('peadm::precheck', $arch_params['primary_host']).first['platform']
$pe_tarball_name = "puppet-enterprise-${version}-${platform}.tar.gz"
$upload_tarball_path = "/tmp/${pe_tarball_name}"

if $download_mode == 'bolthost' {
run_plan('peadm::util::retrieve_and_upload', $targets,
source => $pe_installer_source,
local_path => "/tmp/${pe_tarball_name}",
upload_path => $upload_tarball_path,
)
} else {
run_task('peadm::download', $targets,
source => $pe_installer_source,
path => $upload_tarball_path,
)
}
}

$params = $arch_params + $common_params
run_plan('peadm::upgrade', $params)
}
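Review bot: this staging block is a verbatim copy of the one added to install_test_cluster.pp; factor it into a shared helper plan under spec/acceptance/peadm_spec/plans so the two cannot drift. The same `/tmp` versus `uploaddir` concern applies here: `$upload_tarball_path` must match the path `peadm::upgrade` builds from its own `uploaddir`.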
3 changes: 2 additions & 1 deletion tasks/download.json
Expand Up @@ -23,5 +23,6 @@
"implementations": [
{"name": "download.sh", "requirements": ["shell"], "input_method": "environment"},
{"name": "download.ps1", "requirements": ["powershell"], "input_method": "powershell"}
]
],
"private": true
}
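Review bot: marking `peadm::download` as `"private": true` hides it from task listings, but this PR simultaneously makes it the only supported way to bring in media from a non-default source (both acceptance plans call it directly). Either keep the task public and document the pre-stage workflow, or state in the task description that it is internal and that users with an internal mirror must place the tarball under `uploaddir` themselves before running the plan.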