This is a Puppet module for cutting an agent over from one master/CA infrastructure to another. It currently supports all operating systems that Puppet Enterprise supports, and should also work with Puppet Open Source.
It depends on recent versions of puppetlabs-inifile and puppetlabs-stdlib.
Essentially it does the following:
- Optionally changes the server parameter in puppet.conf on the agent.
- Optionally changes the ca_server parameter in puppet.conf on the agent.
- ALWAYS removes the ssldir on the agent.
- Finally, restarts the puppet agent.
Install this module on the "old" master, i.e. the master you are moving agents AWAY from.
Classify the agents you would like to migrate as per the below examples.

    class { 'cutover':
      manage_server => true,
      server        => 'newmaster.puppetlabs.com'
    }

The above will change the agent's server parameter from whatever it currently is to newmaster.puppetlabs.com, and then remove the ssldir.

    class { 'cutover':
      manage_server     => true,
      server            => 'newmaster.puppetlabs.com',
      server_section    => 'main',
      manage_ca_server  => true,
      ca_server         => 'newcaserver.puppetlabs.com',
      ca_server_section => 'agent',
      ssldir            => '/weird/unusual/ssldir/location',
      puppet_conf       => '/werd/unusual/location/for/puppet.conf',
    }

The above will:
- Set the server parameter in the main section of puppet.conf to newmaster.puppetlabs.com.
- Set the ca_server parameter in the agent section of puppet.conf to newcaserver.puppetlabs.com.
- Assume the ssldir is /weird/unusual/ssldir/location and remove it.
- Assume that puppet.conf is located at /werd/unusual/location/for/puppet.conf, and make changes to the values in that file as per the above.
Both the ssldir and puppet_conf parameters have reasonable defaults for both PE and POSS, via logic in params.
If neither manage_server nor manage_ca_server is set to true, the cutover::ssldir class will abort catalog compilation, because just blowing away the ssldir on its own isn't useful. If you need to do that for whatever reason, it's one file resource.
You will get an error like this one at the end of the run, because once the ssldir is gone the agent cannot submit a report to the original master:

    Error: Could not send report: Error 500 on SERVER: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

You may also experience other random resource errors, depending on what order the resources are enforced in, as once the ssldir is removed, the agent will no longer be able to contact the original master for things like puppet:///-style URIs in file resources, etc. You can avoid this by assigning the cutover class to a stage that is enforced after the main stage. For more on stages, see https://docs.puppetlabs.com/puppet/latest/reference/lang_run_stages.html.
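
One way to apply the stage advice above, as an added example that is not part of the module's own documentation. The stage name cutover_last is an assumption; the class parameters are the ones shown in the examples above.

```puppet
# Added example: declare a run stage that is enforced only after 'main',
# so every other resource (including file resources that use puppet:///
# URIs) is applied while the agent can still talk to the old master.
# The stage name 'cutover_last' is hypothetical.
stage { 'cutover_last':
  require => Stage['main'],
}

# The stage metaparameter only works with a resource-like class
# declaration, which is how the cutover class is declared in this README.
class { 'cutover':
  manage_server    => true,
  server           => 'newmaster.puppetlabs.com',
  manage_ca_server => true,
  ca_server        => 'newcaserver.puppetlabs.com',
  stage            => 'cutover_last',
}
```

The report error at the end of the run still appears with this layout, because the report is sent after every stage has been enforced and the ssldir is already gone by then.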