(PE-40379) fix issue on RBAC restore (#579)

Author: davidmalloncares

REFERENCE.md

@@ -2476,6 +2476,7 @@ The following parameters are available in the `peadm::restore` plan:
 * [`restore_type`](#-peadm--restore--restore_type)
 * [`restore`](#-peadm--restore--restore)
 * [`input_file`](#-peadm--restore--input_file)
+* [`console_password`](#-peadm--restore--console_password)
 
 ##### <a name="-peadm--restore--targets"></a>`targets`
 
@@ -2505,6 +2506,14 @@ Data type: `Pattern[/.*\.tar\.gz$/]`
 
 The file containing the backup to restore from
 
+##### <a name="-peadm--restore--console_password"></a>`console_password`
+
+Data type: `Optional[String]`
+
+
+
+Default value: `undef`
+
 ### <a name="peadm--restore_ca"></a>`peadm::restore_ca`
 
 The peadm::restore_ca class.

functions/migration_opts_default.pp

@@ -7,6 +7,6 @@ function peadm::migration_opts_default () {
     'config'       => false,
     'orchestrator' => true,
     'puppetdb'     => true,
-    'rbac'         => false,
+    'rbac'         => true,
   }
 }

plans/migrate.pp

@@ -77,9 +77,10 @@
   })
 
   run_plan('peadm::restore', {
-      targets => $new_primary_host,
-      restore_type => 'migration',
-      input_file => $remote_backup_path,
+      targets          => $new_primary_host,
+      restore_type     => 'migration',
+      input_file       => $remote_backup_path,
+      console_password => $old_primary_password,
   })
 
   $node_types = {

plans/restore.pp

@@ -19,6 +19,9 @@
 
   # Path to the recovery tarball
   Pattern[/.*\.tar\.gz$/] $input_file,
+
+  # Console password for restored system
+  Optional[String] $console_password = undef,
 ) {
   peadm::assert_supported_bolt_version()
 
@@ -194,8 +197,8 @@
   # Restore secrets/keys.json if it exists
   out::message('# Restoring ldap secret key if it exists')
   run_command(@("CMD"/L), $primary_target)
-    test -f ${shellquote($recovery_directory)}/rbac/keys.json \
-      && cp -rp ${shellquote($recovery_directory)}/keys.json /etc/puppetlabs/console-services/conf.d/secrets/ \
+    test -f ${shellquote($recovery_directory)}/rbac/secrets/keys.json \
+      && cp -rp ${shellquote($recovery_directory)}/rbac/secrets/keys.json /etc/puppetlabs/console-services/conf.d/secrets/ \
       || echo secret ldap key doesnt exist
     | CMD
 # lint:ignore:140chars
@@ -296,6 +299,11 @@
   # TODO: consider adding a heuristic to skip when innappropriate due to size
   #       or other factors.
   if getvar('recovery_opts.puppetdb') and $restore_type == 'migration' {
+    # ensure there is a valid token on the new primary host
+    run_task('peadm::rbac_token', $primary_target,
+      password       => $console_password,
+      token_lifetime => '1y',
+    )
     run_command(@("CMD"/L), $primary_target)
       /opt/puppetlabs/bin/puppet-db import \
       --cert=$(/opt/puppetlabs/bin/puppet config print hostcert) \

spec/plans/restore_spec.rb

@@ -64,7 +64,7 @@
     expect_command("umask 0077   && cd /input   && tar -xzf /input/file.tar.gz\n")
     expect_command("/opt/puppetlabs/bin/puppet-backup restore   --scope=certs,code,config   --tempdir=/input/file   --force   /input/file/recovery/pe_backup-*tgz\n")
     expect_command("systemctl stop pe-console-services pe-nginx pxp-agent pe-puppetserver                pe-orchestration-services puppet pe-puppetdb\n")
-    expect_command("test -f /input/file/rbac/keys.json   && cp -rp /input/file/keys.json /etc/puppetlabs/console-services/conf.d/secrets/   || echo secret ldap key doesnt exist\n")
+    expect_command("test -f /input/file/rbac/secrets/keys.json   && cp -rp /input/file/rbac/secrets/keys.json /etc/puppetlabs/console-services/conf.d/secrets/   || echo secret ldap key doesnt exist\n")
     expect_command("su - pe-postgres -s /bin/bash -c   \"/opt/puppetlabs/server/bin/psql      --tuples-only      -d 'pe-puppetdb'      -c 'DROP SCHEMA IF EXISTS pglogical CASCADE;'\"\n").be_called_times(2)
     expect_command("su - pe-postgres -s /bin/bash -c   \"/opt/puppetlabs/server/bin/psql      -d 'pe-puppetdb'      -c 'DROP SCHEMA public CASCADE; CREATE SCHEMA public;'\"\n")
     expect_command('su - pe-postgres -s /bin/bash -c   "/opt/puppetlabs/server/bin/psql      -d \'pe-puppetdb\'      -c \'ALTER USER \\"pe-puppetdb\\" WITH SUPERUSER;\'"' + "\n")