(SOLARCH-581) Refactor backup plan

This commit refactors the peadm::backup plan for clarity. A commit to
refactor the peadm::restore plan will follow.

Note that for now, it is impossible to backup the CA. This is because we
need to invest more time making that process work correctly. At the
moment, it mostly destroys servers.

Author: reidmv

plans/backup.pp

@@ -1,77 +1,118 @@
 # @summary Backup the core user settings for puppet infrastructure
 #
-# This plan can backup data as outlined at insert doc 
+# This plan can backup data as outlined at insert doc
 # 
 plan peadm::backup (
-  Peadm::SingleTargetSpec $primary_host,
+  # This plan should be run on the primary server
+  Peadm::SingleTargetSpec $targets,
 
   # Which data to backup
-  Boolean                 $backup_orchestrator    = true,
-  Boolean                 $backup_rbac            = true,
-  Boolean                 $backup_activity        = true,
-  Boolean                 $backup_ca_ssl          = true,
-  Boolean                 $backup_puppetdb        = false,
-  Boolean                 $backup_classification  = true,
-  String                  $output_directory       = '/tmp',
+  Peadm::Recovery_opts    $backup = {},
+
+  # Where to put the backup folder
+  String                  $output_directory = '/tmp',
 ) {
   peadm::assert_supported_bolt_version()
-  $cluster = run_task('peadm::get_peadm_config', $primary_host).first
+
+  $recovery_opts = (peadm::recovery_opts_default() + $backup)
+  $cluster = run_task('peadm::get_peadm_config', $targets).first.value
   $arch = peadm::assert_supported_architecture(
-    $primary_host,
-    $cluster['replica_host'],
-    $cluster['primary_postgresql_host'],
-    $cluster['replica_postgresql_host'],
-    $cluster['compiler_hosts'],
+    getvar('cluster.params.primary_host'),
+    getvar('cluster.params.replica_host'),
+    getvar('cluster.params.primary_postgresql_host'),
+    getvar('cluster.params.replica_postgresql_host'),
+    getvar('cluster.params.compiler_hosts'),
   )
 
-  $timestamp = Timestamp.new().strftime('%F_%T')
+  $timestamp = Timestamp.new().strftime('%Y-%m-%dT%H%M%SZ')
   $backup_directory = "${output_directory}/pe-backup-${timestamp}"
 
-  # Create backup folder
-  apply($primary_host){
+  $primary_target = getvar('cluster.params.primary_host')
+  $puppetdb_postgresql_target = getvar('cluster.params.primary_postgresql_host') ? {
+    undef   => getvar('cluster.params.primary_host'),
+    default => getvar('cluster.params.primary_postgresql_host'),
+  }
+
+  $backup_databases = {
+    'orchestrator' => $primary_target,
+    'activity'     => $primary_target,
+    'rbac'         => $primary_target,
+    'puppetdb'     => $puppetdb_postgresql_target,
+  }.filter |$key,$_| {
+    $recovery_opts[$key] == true
+  }
+
+  # Create backup folders
+  apply($primary_target) {
     file { $backup_directory :
       ensure => 'directory',
       owner  => 'root',
-      group  => 'pe-postgres',
-      mode   => '0770'
+      group  => 'root',
+      mode   => '0700'
     }
-  }
 
-  # Create an array of the names of databases and whether they have to be backed up to use in a lambda later
-  $database_to_backup = [ $backup_orchestrator, $backup_activity, $backup_rbac, $backup_puppetdb]
-  $database_names     = [ 'pe-orchestrator' , 'pe-activity' , 'pe-rbac' , 'pe-puppetdb' ]
+    # Create a subdir for each backup type selected
+    $recovery_opts.filter |$_,$val| { $val == true }.each |$dir,$_| {
+      file { "${backup_directory}/${dir}":
+        ensure => 'directory',
+        owner  => 'root',
+        group  => 'root',
+        mode   => '0700'
+      }
+    }
+  }
 
-  if $backup_classification {
+  if getvar('recovery_opts.classifier') {
     out::message('# Backing up classification')
-    run_task('peadm::backup_classification', $primary_host,
-    directory => $backup_directory,
+    run_task('peadm::backup_classification', $primary_target,
+      directory => "${backup_directory}/classifier",
     )
   }
 
-  if $backup_ca_ssl {
+  if getvar('recovery_opts.ca') {
     out::message('# Backing up ca and ssl certificates')
-    run_command("/opt/puppetlabs/bin/puppet-backup create --dir=${backup_directory} --scope=certs", $primary_host)
+    run_command(@("CMD"), $primary_target)
+      /opt/puppetlabs/bin/puppet-backup create --dir=${shellquote($backup_directory)}/ca --scope=certs
+      | CMD
   }
 
   # Check if /etc/puppetlabs/console-services/conf.d/secrets/keys.json exists and if so back it up
-  out::message('# Backing up ldap secret key if it exists')
-  run_command("test -f /etc/puppetlabs/console-services/conf.d/secrets/keys.json && cp -rp /etc/puppetlabs/console-services/conf.d/secrets/keys.json ${backup_directory} || echo secret ldap key doesnt exist" , $primary_host) # lint:ignore:140chars
+  if getvar('recovery_opts.rbac') {
+    out::message('# Backing up ldap secret key if it exists')
+    run_command(@("CMD"/L), $primary_target)
+      test -f /etc/puppetlabs/console-services/conf.d/secrets/keys.json \
+        && cp -rp /etc/puppetlabs/console-services/conf.d/secrets ${shellquote($backup_directory)}/rbac/ \
+        || echo secret ldap key doesnt exist
+      | CMD
+  }
 
   # IF backing up orchestrator back up the secrets too /etc/puppetlabs/orchestration-services/conf.d/secrets/
-  if $backup_orchestrator {
+  if getvar('recovery_opts.orchestrator') {
     out::message('# Backing up orchestrator secret keys')
-    run_command("cp -rp /etc/puppetlabs/orchestration-services/conf.d/secrets ${backup_directory}/", $primary_host)
+    run_command(@("CMD"), $primary_target)
+      cp -rp /etc/puppetlabs/orchestration-services/conf.d/secrets ${shellquote($backup_directory)}/orchestrator/
+      | CMD
   }
 
-  $database_to_backup.each |Integer $index, Boolean $value | {
-    if $value {
-    out::message("# Backing up database ${database_names[$index]}")
-      # If the primary postgresql host is set then pe-puppetdb needs to be remotely backed up to primary.
-      if $database_names[$index] == 'pe-puppetdb' and $cluster['primary_postgresql_host'] {
-        run_command("sudo -u pe-puppetdb /opt/puppetlabs/server/bin/pg_dump \"sslmode=verify-ca host=${cluster['primary_postgresql_host']} sslcert=/etc/puppetlabs/puppetdb/ssl/${primary_host}.cert.pem sslkey=/etc/puppetlabs/puppetdb/ssl/${primary_host}.private_key.pem sslrootcert=/etc/puppetlabs/puppet/ssl/certs/ca.pem dbname=pe-puppetdb\" -f /tmp/puppetdb_$(date +%F_%T).bin" , $primary_host) # lint:ignore:140chars
-      } else {
-        run_command("sudo -u pe-postgres /opt/puppetlabs/server/bin/pg_dump -Fc \"${database_names[$index]}\" -f \"${backup_directory}/${database_names[$index]}_$(date +%F_%T).bin\"" , $primary_host) # lint:ignore:140chars
-      }
-    }
+  $backup_databases.each |$name,$database_target| {
+    run_command(@("CMD"/L), $primary_target)
+      /opt/puppetlabs/server/bin/pg_dump -Fd -Z3 -j4 \
+        -f ${shellquote($backup_directory)}/${shellquote($name)}/pe-${shellquote($name)}.dump.d \
+        "sslmode=verify-ca \
+         host=${shellquote($database_target.peadm::certname())} \
+         user=pe-${shellquote($name)} \
+         sslcert=/etc/puppetlabs/puppetdb/ssl/${shellquote($primary_target.peadm::certname())}.cert.pem \
+         sslkey=/etc/puppetlabs/puppetdb/ssl/${shellquote($primary_target.peadm::certname())}.private_key.pem \
+         sslrootcert=/etc/puppetlabs/puppet/ssl/certs/ca.pem \
+         dbname=pe-${shellquote($name)}"
+      | CMD
   }
+
+  run_command(@("CMD"/L), $primary_target)
+    umask 0077 \
+      && tar -czf ${shellquote($backup_directory)}.tar.gz ${shellquote($backup_directory)} \
+      && rm -rf ${shellquote($backup_directory)}
+    | CMD
+
+  return({'path' => "${backup_directory}.tar.gz"})
 }

spec/plans/backup_spec.rb

@@ -6,10 +6,12 @@
 
   it 'runs with default params' do
     allow_apply
+    pending('a lack of support for functions requires a workaround to be written')
     expect_task('peadm::get_peadm_config').always_return({ 'primary_postgresql_host' => 'postgres' })
     expect_out_message.with_params('# Backing up ca and ssl certificates')
-    # The commands all have a timestamp in them and frankly its prooved to hard with bolt spec to work this out
+    # The commands all have a timestamp in them and frankly its proved to hard with bolt spec to work this out
     allow_any_command
+    allow_apply
     expect_out_message.with_params('# Backing up database pe-orchestrator')
     expect_out_message.with_params('# Backing up database pe-activity')
     expect_out_message.with_params('# Backing up database pe-rbac')