...
To verify that the puppet7-master works you can start to direct puppetrequests to it. Update for some nodes in your environment the profile::puppet::hostname
to the puppet7 master and see everything works as expected. Remeber to deploy the needed environments to it first.
Code Block |
---|
Shftleader might not pick up the new puppetmaster. In that case, run this on the new puppetmaster:
/opt/shiftleader/manage.py puppet_env2update tulleenv
It will throw an error, but also register the register it in Shiftleader at the same time.. /o\ |
Point the rest of the puppet-masters (including the CA) to the puppet7-master, add the two following keys to hiera node-files, and then run puppet to upgrade the puppet-agent:
...
Code Block |
---|
...
{
# Allow the CA CLI to access the certificate_status endpoint
match-request: {
path: "/puppet-ca/v1/certificate_status"
type: path
method: [get, put, delete]
}
allow: {
extensions: {
pp_cli_auth: "true"
}
}
allow: PUPPETCA-FQDN
sort-order: 500
name: "puppetlabs cert status"
},
...
{
# Allow the CA CLI to access the certificate_statuses endpoint
match-request: {
path: "/puppet-ca/v1/certificate_statuses"
type: path
method: get
}
allow: {
extensions: {
pp_cli_auth: "true"
}
}
allow: PUPPETCA-FQDN
sort-order: 500
name: "puppetlabs cert statuses"
},
... |
Also ensure there is something like this in /etc/hosts. It won't work with only the localhost definitions
Code Block |
---|
<ip-address> PUPPETCA-FQDN |
After restarting the puppetserver service you should be able to use commands like "puppetserver ca list --all
".
Later, to create a client cert with the pp_cli_auth extension added (typically when you install a new CA), do the following:
Code Block |
---|
Install a new server with role::base On new CA: # systemctl stop puppet # rm /etc/puppetlabs/puppet/ssl/certs/FQDN.pem /etc/puppetlabs/puppet/ssl/private_keys/FQDN.pem On old CA: # systemctl stop puppetserver # puppetserver ca generate --ca-client --certname NEW-CA-FQDN --subject-alt-names cool.name.foo,cooler.name.foo That command will tell you that it has some existing files. Delete all of thoses, and re-run the command Finally: Copy the generated /etc/puppetlabs/puppet/ssl/private_keys/NEW-CA-FQDN.pem to the same folder on the new CA, and re-run puppet on the new CA. You should se something like this from "puppetserver ca list --all": (pp_cli_auth: true is the key part here) puppetca3.infra.pile.it.ntnu.no (SHA256) 9C:22:1F:89:C4:C8:C3:BF:F9:59:64:2D:CA:5A:F8:A9:12:02:9C:3E:DB:3D:F7:BD:03:D1:15:F7:BC:6F:84:2E alt names: ["DNS:puppet.pile.it.ntnu.no", "DNS:puppetca.pile.it.ntnu.no", "DNS:puppetca3.infra.pile.it.ntnu.no"] authorization extensions: [pp_cli_auth: true] |
Upgrading puppet-agent
To upgrade the puppet-agents in the infrastructure, add the following two keys to global hiera (and if you want, remove them from the puppetmaster node-files) and wait for two puppet-runs.
Code Block |
---|
profile::puppet::collection: 'puppet7'
puppet_agent::package_version: 'auto' |
Upgrading postgres-servers
...
- Reinstall one of the postgres-slaves with 18.04 with role::base
- In the node-file of this postgres-slave, set the following keys:
profile::postgres::keepalived::enable: false
profile::postgres::version: '13'
profile::postgres::masterserver: '<fqdn-of-the-new-postgres-master>'
- Install
role::postgres::master
on the postgres-machine - Take a backup from the old postgres-master machine using the command
sudo -u postgres pg_dumpall > postgresdb.pgsql
- Move this backup to the new postgres-master, and restore it to the server using the command
sudo -u postgres psql -f /tmp/postgresdb.pgsql
- Stop puppet on the old postgres master before next step. Just to be sure it does not use the new postgres master's IP for keepalived.
- Change the global
hiera-key profile::postgres::ipv4
to point to the IP of the new postgres master, and run puppet on the puppetdb servers. - Install Ubuntu 18.04 with the role
role::postgres::slave
on the rest of the postgres-machines. While this installation is going, move the hiera-keys in step 2 from the node-file to a global file (key c already exist, so make sure that there is no duplicate). - Use postgres-joinMaster.sh on the slaves to have them replicating their master.
Upgrading puppetdb
At this point, with postgres13 running and puppet7 agents, upgrading the puppetdb-machines are simply a dist-upgrade and restart of the service (or host to get new kernels as well).