Puppet module aio install type fails to add CSR extended attributes

[Stefvanderpoel]

Bug report

When I add valid extension_requests and custom_attributes to the puppet module in userdata I expect these values to be present in the CSR that is send to the Puppet Enterprise server. This is not the case. The CSR does not contain the extension_requests and custom_attributes configured in userdata.

• This happens using the install_type: aio.
• If the (incomplete) CSR is rejected and resubmitted the extension_requests and custom_attributes are added to the CSR.
• It seems to be caused by the fact that the install script called by the aio install method starts the puppet service (which in its turn triggers the CSR). If all moves fast, the service is started before the csr_attributes are written into the csr_attributes.yaml file by cc_puppet

Steps to reproduce the problem

the userdata content used for the deployment:

#cloud-config
prefer_fqdn_over_hostname: true
ssh_pwauth: True
ssh_deletekeys: true
ssh_genkeytypes:
  - ed25519
  - rsa
  - ecdsa
ssh_authorized_keys: [ssh-rsa %myrsakey]
ca_certs:
  trusted:
  - |
    -----BEGIN CERTIFICATE-----
    %cert
    -----END CERTIFICATE-----
  - |
    -----BEGIN CERTIFICATE-----
    %cert
    -----END CERTIFICATE-----
puppet:
  install: true
  install_type: aio
  aio_install_url: https://example.domain.local:8140/packages/current/install.bash
  cleanup: false
  start_service: False
  csr_attributes:
    extension_requests:
      1.3.6.1.4.1.34380.1.1.12: development
      1.3.6.1.4.1.34380.1.1.13: test
  conf:
    agent:
      server: "papi-pe.oudijzer.local"
      certname: "%f"
    ca_cert: |
      -----BEGIN CERTIFICATE-----
      %cert
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      %cert
      -----END CERTIFICATE-----
  exec: false
  exec_args: ['--test']

Environment details

• Cloud-init version:

  cca@cloud-0-9f:~$ cloud-init --version
  /usr/bin/cloud-init 24.3.1-0ubuntu0~22.04.1

• Operating System Distribution: Ubuntu 22.04.5 LTS
• Cloud provider, platform or installer type: vsphere

Snippets from the Puppet Enterprise install scripts (aio):

# Create global variables to track the desired state of the puppet service.
# Default state will be running and enabled unless changed in the
# custom_puppet_configuration function. These variables are used in the
# manage_puppet_agent function after installation.
PUPPET_SERVICE_ENSURE='running'
PUPPET_SERVICE_ENABLE='true'
PUPPET_SERVICE_DEBUG=''

manage_puppet_agent() {
  # If the state of the puppet service should be changed from its default of running and enabled,
  # print a message that indicates we will be doing so.
  if [[ $PUPPET_SERVICE_ENSURE != "running" ]] || [[ $PUPPET_SERVICE_ENABLE != "true" ]]; then
    echo "Setting the puppet service to ensure=$PUPPET_SERVICE_ENSURE and enable=$PUPPET_SERVICE_ENABLE"
  fi

  "$(puppet_bin_dir)/puppet" resource ${PUPPET_SERVICE_DEBUG} service puppet ensure="$PUPPET_SERVICE_ENSURE" enable="$PUPPET_SERVICE_ENABLE"
}

cloud-init logs

cloud-init.tar.gz

[Stefvanderpoel]

After some investigation I found out that this is not a bug: I was looking at the install.bash script that the Puppet Enterprise server provides. The cc_puppet module is assuming the .sh script provided by puppetlabs: https://raw.githubusercontent.com/puppetlabs/install-puppet/main/install.sh

The PE install script (install.bash) is a totally different script.

When I use https://raw.githubusercontent.com/puppetlabs/install-puppet/main/install.sh the content of csr_attributes.yaml is correclty added to the CSR.