Fixes #29194 - Support EL8 #148

Merged
merged 2 commits into from
Apr 6, 2020

wbclark
Contributor

@wbclark wbclark commented Mar 20, 2020

No description provided.

@wbclark
Contributor Author

wbclark commented Mar 20, 2020

Currently failing on Error: /Stage[main]/Candlepin::Install/Package[candlepin]/ensure: change from 'purged' to 'present' failed: Execution of '/usr/bin/dnf -d 0 -e 1 -y install candlepin' returned 1: Error: Unable to find a match

I verified that we are getting the el8 repository on the test VM:

[root@centos8-64-1 ~]# cat /etc/yum.repos.d/candlepin.repo 
[candlepin]
name=Candlepin: an open source entitlement management system.
baseurl=https://fedorapeople.org/groups/katello/releases/yum/nightly/candlepin/el8/$basearch/
enabled=True
gpgcheck=False

Assuming the package is built but not yet available in that repository, I'll next try to manually install it to move forward.

@wbclark
Contributor Author

wbclark commented Mar 20, 2020

After dnf -y install http://koji.katello.org/kojifiles/packages/candlepin/3.1.3/1.el8/noarch/candlepin-3.1.3-1.el8.noarch.rp, when I run the tests again I'm seeing:

Error: Execution of '/usr/bin/dnf -d 0 -e 1 -y install candlepin-selinux' returned 1: Error: Unable to find a match

But I'm not finding candlepin-selinux anywhere in Koji (not even for el7, apparently?). @ehelms are we waiting for that to be built or am I missing something?

@ehelms
Member

ehelms commented Mar 21, 2020

Use the Koji repository for now similar to pulpcore:

http://koji.katello.org/releases/yum/katello-nightly/candlepin/el8/x86_64/

@wbclark
Contributor Author

wbclark commented Mar 23, 2020

After my latest changes, the module applies with no errors:

centos8-64-1 executed in 170.00 seconds
Exited: 2
  applies with no errors

[ Idempotence is still failing due to the same relabeling seen on el7 (my other open PR would resolve that, but needs a tweak) ]

However Candlepin itself is not working:

centos8-64-1 12:27:10$ /bin/sh -c curl\ -k\ -s\ -o\ /dev/null\ -w\ \'\%\{http_code\}\'\ https://localhost:8443/candlepin/status
  000
centos8-64-1 executed in 300.26 seconds
Exited: 28
      is expected to eq "200" (FAILED - 2)

Checking logs for more details:

[root@centos8-64-1 ~]# cat /var/log/tomcat/catalina.2020-03-23.log 
23-Mar-2020 16:26:51.699 WARNING [main] org.apache.catalina.startup.SetAllPropertiesRule.begin [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslProtocols' to 'TLSv1.1,TLSv1.2' did not find a matching property.
23-Mar-2020 16:26:51.759 WARNING [main] org.apache.tomcat.util.net.SSLHostConfig.setProtocols The protocol [TLSv1.2] was added to the list of protocols on the SSLHostConfig named [_default_]. Check if a +/- prefix is missing.
23-Mar-2020 16:26:51.823 WARNING [main] org.apache.tomcat.util.digester.SetPropertiesRule.begin [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlValidation' to 'false' did not find a matching property.
23-Mar-2020 16:26:51.823 WARNING [main] org.apache.tomcat.util.digester.SetPropertiesRule.begin [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlNamespaceAware' to 'false' did not find a matching property.
23-Mar-2020 16:26:51.827 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: [/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib]
23-Mar-2020 16:26:51.952 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-jsse-nio-127.0.0.1-8443"]
23-Mar-2020 16:26:52.180 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[HTTP/1.1-8443]]
 org.apache.catalina.LifecycleException: Protocol handler initialization failed
	at org.apache.catalina.connector.Connector.initInternal(Connector.java:935)
	at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
	at org.apache.catalina.core.StandardService.initInternal(StandardService.java:530)
	at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
	at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:852)
	at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
	at org.apache.catalina.startup.Catalina.load(Catalina.java:633)
	at org.apache.catalina.startup.Catalina.load(Catalina.java:656)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:306)
	at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:491)
Caused by: java.lang.IllegalArgumentException: /etc/candlepin/certs/keystore (Permission denied)
	at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114)
	at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:85)
	at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:216)
	at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1043)
	at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:540)
	at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)
	at org.apache.catalina.connector.Connector.initInternal(Connector.java:932)
	... 13 more
Caused by: java.io.FileNotFoundException: /etc/candlepin/certs/keystore (Permission denied)
	at java.io.FileInputStream.open0(Native Method)
	at java.io.FileInputStream.open(FileInputStream.java:195)
	at java.io.FileInputStream.<init>(FileInputStream.java:138)
	at org.apache.tomcat.util.file.ConfigFileLoader.getInputStream(ConfigFileLoader.java:80)
	at org.apache.tomcat.util.net.SSLUtilBase.getStore(SSLUtilBase.java:132)
	at org.apache.tomcat.util.net.SSLHostConfigCertificate.getCertificateKeystore(SSLHostConfigCertificate.java:204)
	at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:184)
	at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:112)
	... 19 more

23-Mar-2020 16:26:52.181 INFO [main] org.apache.catalina.startup.Catalina.load Initialization processed in 961 ms
23-Mar-2020 16:26:52.247 INFO [main] org.apache.catalina.core.StandardService.startInternal Starting service [Catalina]
23-Mar-2020 16:26:52.248 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Starting Servlet Engine: Apache Tomcat/9.0.7
23-Mar-2020 16:26:52.251 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory [/var/lib/tomcat/webapps/candlepin]
23-Mar-2020 16:27:02.234 INFO [main] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
23-Mar-2020 16:27:07.386 WARNING [main] com.google.inject.internal.ProxyFactory.<init> Method [public org.candlepin.model.Persisted org.candlepin.model.OwnerCurator.create(org.candlepin.model.Persisted)] is synthetic and is being intercepted by [com.google.inject.persist.jpa.JpaLocalTxnInterceptor@626a4cfa]. This could indicate a bug.  The method may be intercepted twice, or may not be intercepted at all.
23-Mar-2020 16:27:07.475 WARNING [main] com.google.inject.internal.ProxyFactory.<init> Method [public void org.candlepin.model.ProductCurator.delete(org.candlepin.model.Persisted)] is synthetic and is being intercepted by [com.google.inject.persist.jpa.JpaLocalTxnInterceptor@626a4cfa]. This could indicate a bug.  The method may be intercepted twice, or may not be intercepted at all.
23-Mar-2020 16:27:07.475 WARNING [main] com.google.inject.internal.ProxyFactory.<init> Method [public org.candlepin.model.Persisted org.candlepin.model.ProductCurator.create(org.candlepin.model.Persisted)] is synthetic and is being intercepted by [com.google.inject.persist.jpa.JpaLocalTxnInterceptor@626a4cfa]. This could indicate a bug.  The method may be intercepted twice, or may not be intercepted at all.
23-Mar-2020 16:27:07.475 WARNING [main] com.google.inject.internal.ProxyFactory.<init> Method [public org.candlepin.model.Persisted org.candlepin.model.ProductCurator.merge(org.candlepin.model.Persisted)] is synthetic and is being intercepted by [com.google.inject.persist.jpa.JpaLocalTxnInterceptor@626a4cfa]. This could indicate a bug.  The method may be intercepted twice, or may not be intercepted at all.
23-Mar-2020 16:27:07.547 WARNING [main] com.google.inject.internal.ProxyFactory.<init> Method [public void org.candlepin.model.EntitlementCurator.delete(org.candlepin.model.Persisted)] is synthetic and is being intercepted by [com.google.inject.persist.jpa.JpaLocalTxnInterceptor@626a4cfa]. This could indicate a bug.  The method may be intercepted twice, or may not be intercepted at all.
23-Mar-2020 16:27:07.585 WARNING [main] com.google.inject.internal.ProxyFactory.<init> Method [public void org.candlepin.model.ConsumerCurator.delete(org.candlepin.model.Persisted)] is synthetic and is being intercepted by [com.google.inject.persist.jpa.JpaLocalTxnInterceptor@626a4cfa]. This could indicate a bug.  The method may be intercepted twice, or may not be intercepted at all.
23-Mar-2020 16:27:07.585 WARNING [main] com.google.inject.internal.ProxyFactory.<init> Method [public org.candlepin.model.Persisted org.candlepin.model.ConsumerCurator.create(org.candlepin.model.Persisted,boolean)] is synthetic and is being intercepted by [com.google.inject.persist.jpa.JpaLocalTxnInterceptor@626a4cfa]. This could indicate a bug.  The method may be intercepted twice, or may not be intercepted at all.
23-Mar-2020 16:27:07.722 WARNING [main] com.google.inject.internal.ProxyFactory.<init> Method [public void org.candlepin.model.CdnCurator.delete(org.candlepin.model.Persisted)] is synthetic and is being intercepted by [com.google.inject.persist.jpa.JpaLocalTxnInterceptor@626a4cfa]. This could indicate a bug.  The method may be intercepted twice, or may not be intercepted at all.
23-Mar-2020 16:27:07.735 WARNING [main] com.google.inject.internal.ProxyFactory.<init> Method [public void org.candlepin.model.PoolCurator.delete(org.candlepin.model.Persisted)] is synthetic and is being intercepted by [com.google.inject.persist.jpa.JpaLocalTxnInterceptor@626a4cfa]. This could indicate a bug.  The method may be intercepted twice, or may not be intercepted at all.
23-Mar-2020 16:27:07.880 WARNING [main] com.google.inject.internal.ProxyFactory.<init> Method [public void org.candlepin.model.ContentCurator.delete(org.candlepin.model.Persisted)] is synthetic and is being intercepted by [com.google.inject.persist.jpa.JpaLocalTxnInterceptor@626a4cfa]. This could indicate a bug.  The method may be intercepted twice, or may not be intercepted at all.
23-Mar-2020 16:27:07.909 WARNING [main] com.google.inject.internal.ProxyFactory.<init> Method [public void org.candlepin.model.RulesCurator.delete(org.candlepin.model.Persisted)] is synthetic and is being intercepted by [com.google.inject.persist.jpa.JpaLocalTxnInterceptor@626a4cfa]. This could indicate a bug.  The method may be intercepted twice, or may not be intercepted at all.
23-Mar-2020 16:27:07.909 WARNING [main] com.google.inject.internal.ProxyFactory.<init> Method [public org.candlepin.model.Persisted org.candlepin.model.RulesCurator.create(org.candlepin.model.Persisted)] is synthetic and is being intercepted by [com.google.inject.persist.jpa.JpaLocalTxnInterceptor@626a4cfa]. This could indicate a bug.  The method may be intercepted twice, or may not be intercepted at all.
23-Mar-2020 16:27:08.126 WARNING [main] com.google.inject.internal.ProxyFactory.<init> Method [public void org.candlepin.model.EntitlementCertificateCurator.delete(org.candlepin.model.Persisted)] is synthetic and is being intercepted by [com.google.inject.persist.jpa.JpaLocalTxnInterceptor@626a4cfa]. This could indicate a bug.  The method may be intercepted twice, or may not be intercepted at all.
23-Mar-2020 16:27:15.171 SEVERE [main] org.apache.catalina.core.StandardContext.startInternal One or more listeners failed to start. Full details will be found in the appropriate container log file
23-Mar-2020 16:27:15.250 SEVERE [main] org.apache.catalina.core.StandardContext.startInternal Context [/candlepin] startup failed due to previous errors
23-Mar-2020 16:27:15.279 WARNING [main] org.apache.catalina.loader.WebappClassLoaderBase.clearReferencesJdbc The web application [candlepin] registered the JDBC driver [org.postgresql.Driver] but failed to unregister it when the web application was stopped. To prevent a memory leak, the JDBC Driver has been forcibly unregistered.
23-Mar-2020 16:27:15.280 WARNING [main] org.apache.catalina.loader.WebappClassLoaderBase.clearReferencesThreads The web application [candlepin] appears to have started a thread named [C3P0PooledConnectionPoolManager[identityToken->z8kflta92a3n8v6nrkzh|5ecfa2a4]-AdminTaskTimer] but has failed to stop it. This is very likely to create a memory leak. Stack trace of thread:
 java.lang.Object.wait(Native Method)
 java.util.TimerThread.mainLoop(Timer.java:552)
 java.util.TimerThread.run(Timer.java:505)
23-Mar-2020 16:27:15.281 WARNING [main] org.apache.catalina.loader.WebappClassLoaderBase.clearReferencesThreads The web application [candlepin] appears to have started a thread named [C3P0PooledConnectionPoolManager[identityToken->z8kflta92a3n8v6nrkzh|5ecfa2a4]-HelperThread-#0] but has failed to stop it. This is very likely to create a memory leak. Stack trace of thread:
 java.lang.Object.wait(Native Method)
 com.mchange.v2.async.ThreadPoolAsynchronousRunner$PoolThread.run(ThreadPoolAsynchronousRunner.java:683)
23-Mar-2020 16:27:15.281 WARNING [main] org.apache.catalina.loader.WebappClassLoaderBase.clearReferencesThreads The web application [candlepin] appears to have started a thread named [C3P0PooledConnectionPoolManager[identityToken->z8kflta92a3n8v6nrkzh|5ecfa2a4]-HelperThread-#1] but has failed to stop it. This is very likely to create a memory leak. Stack trace of thread:
 java.lang.Object.wait(Native Method)
 com.mchange.v2.async.ThreadPoolAsynchronousRunner$PoolThread.run(ThreadPoolAsynchronousRunner.java:683)
23-Mar-2020 16:27:15.283 WARNING [main] org.apache.catalina.loader.WebappClassLoaderBase.clearReferencesThreads The web application [candlepin] appears to have started a thread named [C3P0PooledConnectionPoolManager[identityToken->z8kflta92a3n8v6nrkzh|5ecfa2a4]-HelperThread-#2] but has failed to stop it. This is very likely to create a memory leak. Stack trace of thread:
 java.lang.Object.wait(Native Method)
 com.mchange.v2.async.ThreadPoolAsynchronousRunner$PoolThread.run(ThreadPoolAsynchronousRunner.java:683)
23-Mar-2020 16:27:15.287 SEVERE [main] org.apache.catalina.loader.WebappClassLoaderBase.checkThreadLocalMapForLeaks The web application [candlepin] created a ThreadLocal with key of type [java.lang.ThreadLocal] (value [java.lang.ThreadLocal@4f7b52ad]) and a value of type [org.hibernate.internal.SessionImpl] (value [SessionImpl(1550231274<open>)]) but failed to remove it when the web application was stopped. Threads are going to be renewed over time to try and avoid a probable memory leak.
23-Mar-2020 16:27:15.308 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory [/var/lib/tomcat/webapps/candlepin] has finished in [23,056] ms
23-Mar-2020 16:27:15.310 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 23128 ms
23-Mar-2020 16:32:11.223 INFO [C3P0PooledConnectionPoolManager[identityToken->z8kflta92a3n8v6nrkzh|5ecfa2a4]-AdminTaskTimer] org.apache.catalina.loader.WebappClassLoaderBase.checkStateForResourceLoading Illegal access: this web application instance has been stopped already. Could not load [com.mchange.v2.resourcepool.BasicResourcePool$AsyncTestIdleResourceTask]. The following stack trace is thrown for debugging purposes as well as to attempt to terminate the thread which caused the illegal access.
 java.lang.IllegalStateException: Illegal access: this web application instance has been stopped already. Could not load [com.mchange.v2.resourcepool.BasicResourcePool$AsyncTestIdleResourceTask]. The following stack trace is thrown for debugging purposes as well as to attempt to terminate the thread which caused the illegal access.
	at org.apache.catalina.loader.WebappClassLoaderBase.checkStateForResourceLoading(WebappClassLoaderBase.java:1313)
	at org.apache.catalina.loader.WebappClassLoaderBase.checkStateForClassLoading(WebappClassLoaderBase.java:1301)
	at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1160)
	at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1122)
	at com.mchange.v2.resourcepool.BasicResourcePool.checkIdleResources(BasicResourcePool.java:1673)
	at com.mchange.v2.resourcepool.BasicResourcePool.access$2000(BasicResourcePool.java:44)
	at com.mchange.v2.resourcepool.BasicResourcePool$CheckIdleResourcesTask.run(BasicResourcePool.java:2214)
	at java.util.TimerThread.mainLoop(Timer.java:555)
	at java.util.TimerThread.run(Timer.java:505)

major = fact_on(host, 'os.release.major')

if major == '8'
on host, 'dnf -y module enable pki-core'
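
Review bot: The `dnf -y module enable pki-core` call under `if major == '8'` carries no comment saying why the module is needed and names no stream. A one-line comment that it is enabled so `tomcatjss` becomes installable would help the next reader, and `pki-core:10.6` would pin the stream that the `dnf module info` output shows as enabled. Because this lives only in the acceptance helper, the same prerequisite still has to be documented or handled for real EL8 installs.
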
Member

What's in the pki-core module? Does that mean we need that module enabled on every candlepin install?

Contributor Author

@wbclark wbclark Mar 23, 2020

[root@centos8-64-1 ~]# dnf module info pki-core
Last metadata expiration check: 0:04:02 ago on Mon 23 Mar 2020 05:04:27 PM UTC.
Name        : pki-core
Stream      : 10.6 [e] [a]
Version     : 8010020191120041437
Context     : 8ba0ffbe
Repo        : AppStream
Summary     : PKI Core module for PKI 10.6 or later
Description : A module for PKI Core packages for PKI version 10.6 or later.
Artifacts   : jss-0:4.6.0-5.module_el8.1.0+238+005506d1.src
            : jss-0:4.6.0-5.module_el8.1.0+238+005506d1.x86_64
            : jss-debuginfo-0:4.6.0-5.module_el8.1.0+238+005506d1.x86_64
            : jss-debugsource-0:4.6.0-5.module_el8.1.0+238+005506d1.x86_64
            : jss-javadoc-0:4.6.0-5.module_el8.1.0+238+005506d1.x86_64
            : ldapjdk-0:4.21.0-1.module_el8.1.0+238+005506d1.noarch
            : ldapjdk-0:4.21.0-1.module_el8.1.0+238+005506d1.src
            : ldapjdk-javadoc-0:4.21.0-1.module_el8.1.0+238+005506d1.noarch
            : pki-base-0:10.7.3-1.module_el8.1.0+238+005506d1.noarch
            : pki-base-java-0:10.7.3-1.module_el8.1.0+238+005506d1.noarch
            : pki-ca-0:10.7.3-1.module_el8.1.0+238+005506d1.noarch
            : pki-core-0:10.7.3-1.module_el8.1.0+238+005506d1.src
            : pki-kra-0:10.7.3-1.module_el8.1.0+238+005506d1.noarch
            : pki-server-0:10.7.3-1.module_el8.1.0+238+005506d1.noarch
            : pki-symkey-0:10.7.3-1.module_el8.1.0+238+005506d1.x86_64
            : pki-symkey-debuginfo-0:10.7.3-1.module_el8.1.0+238+005506d1.x86_64
            : pki-tools-0:10.7.3-1.module_el8.1.0+238+005506d1.x86_64
            : pki-tools-debuginfo-0:10.7.3-1.module_el8.1.0+238+005506d1.x86_64
            : python3-pki-0:10.7.3-1.module_el8.1.0+238+005506d1.noarch
            : tomcatjss-0:7.4.1-1.module_el8.1.0+238+005506d1.noarch
            : tomcatjss-0:7.4.1-1.module_el8.1.0+238+005506d1.src

Hint: [d]efault, [e]nabled, [x]disabled, [i]nstalled, [a]ctive]

The important part above is the tomcatjss -- without it, we get:

An error occurred in a `before(:suite)` hook.
Failure/Error: on host, 'yum -y install candlepin-selinux'
Beaker::Host::CommandFailure:
  Host 'centos8-64-1' exited with 1 running:
   yum -y install candlepin-selinux
  Last 10 lines of output were:
  	Repository 'candlepin' is missing name in configuration, using id.
  	candlepin                                        12 kB/s |  13 kB     00:01    
  	Extra Packages for Enterprise Linux Modular 8 -  50 kB/s | 117 kB     00:02    
  	Extra Packages for Enterprise Linux 8 - x86_64  1.8 MB/s | 6.1 MB     00:03    
  	(try to add '--skip-broken' to skip uninstallable packages or '--nobest' to use not only best candidate packages)
  	Error: 
  	 Problem: package candlepin-selinux-3.1.3-1.el8.noarch requires candlepin = 3.1.3-1.el8, but none of the providers can be installed
  	  - package candlepin-3.1.3-1.el8.noarch requires tomcatjss >= 7.2.1-7.1, but none of the providers can be installed
  	  - conflicting requests
  	  - package tomcatjss-7.4.1-1.module_el8.1.0+238+005506d1.noarch is excluded

Thinking about it, I am not sure if the pki-core module can be installed as an RPM dependency... do you think it makes better sense to tackle it here rather than in packaging, @ekohl ?

Member

I'm not familiar enough with modularity to say, but this should at least be on the list of things to be aware of.

spec/spec_helper_acceptance.rb Outdated
@@ -22,14 +22,32 @@
c.before :suite do
# Install module and dependencies
hosts.each do |host|
if fact_on(host, 'osfamily') == 'RedHat'
if fact_on(host, 'os.family') == 'RedHat'
Member

Contributor Author

Will do shortly, thanks

@ehelms
Member

ehelms commented Mar 23, 2020

Can we tie this to the Redmine issue for puppet-candlepin?

I think based on the errors, we should just drop https://github.com/theforeman/puppet-candlepin/blob/master/manifests/database/postgresql.pp#L41-L42

You are also going to hit certificate permission errors if I recall from past testing. The example (https://github.com/theforeman/puppet-candlepin/blob/master/examples/basic_candlepin.pp) used in testing deploys certificate with root:root ownership. The EL8 version of tomcat requires them to be readable by the tomcat user so the example needs updating to do such (and thus also the creation of a tomcat group as part of the setup).
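
The permission problem described above (keystore deployed `root:root`, Tomcat on EL8 opening it as the `tomcat` user, and the connector failing with `/etc/candlepin/certs/keystore (Permission denied)`) can be checked before the service starts. The following is an added example, not code from this pull request or from puppet-candlepin: a shell check that models only the Unix mode bits. The function names, the sample modes and the assumption that the service account is `tomcat` with group `tomcat` are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the PR: can the account Tomcat runs as open the
# keystore? Models only the classic Unix mode bits (no ACLs, no SELinux).

# can_read OWNER GROUP MODE USER "USER_GROUPS"
# MODE is octal, as printed by `stat -c %a`. Returns 0 when USER may read.
can_read() {
  local owner="$1" group="$2" mode="$((0$3))" user="$4" groups=" $5 "
  if [ "$user" = root ]; then return 0; fi      # root ignores mode bits
  if [ "$user" = "$owner" ]; then               # owner class is decisive:
    [ $((mode & 0400)) -ne 0 ]; return          # group/other are not consulted
  fi
  case "$groups" in
    *" $group "*) [ $((mode & 0040)) -ne 0 ]; return ;;
  esac
  [ $((mode & 0004)) -ne 0 ]
}

# verdict OWNER GROUP MODE USER "USER_GROUPS" -> prints one of:
#   unreadable      service cannot open the file (the Permission denied case)
#   world-readable  service can read it, but so can every local account
#   ok              readable by the service, not by "other"
verdict() {
  if ! can_read "$@"; then echo unreadable; return 0; fi
  if [ $((0$3 & 0004)) -ne 0 ]; then echo world-readable; return 0; fi
  echo ok
}

# audit_path PATH USER: the same verdict for a real file on this host.
# Assumes GNU stat; returns 2 if the file or the account cannot be looked up.
audit_path() {
  local meta groups
  meta="$(stat -c '%U %G %a' "$1" 2>/dev/null)" || return 2
  groups="$(id -Gn "$2" 2>/dev/null)" || return 2
  # $meta is deliberately unquoted: it splits into OWNER GROUP MODE.
  verdict $meta "$2" "$groups"
}

# Constructed cases (OWNER GROUP MODE). The service account "tomcat" and its
# single group "tomcat" are assumptions for illustration.
report() {
  while read -r owner group mode; do
    printf '%s:%s %s -> %s\n' "$owner" "$group" "$mode" \
      "$(verdict "$owner" "$group" "$mode" tomcat tomcat)"
  done <<'EOF'
root root 0600
root root 0644
root tomcat 0440
tomcat tomcat 0040
EOF
}
report
```

On a host, `audit_path /etc/candlepin/certs/keystore tomcat` prints the verdict for the deployed file. An `ok` verdict alongside a continuing `Permission denied` points at SELinux or ACLs, which this check does not model.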

@ehelms
Member

ehelms commented Mar 27, 2020

Here is a diff of the changes I had to make to get the certs working with tomcat correctly:

+package { ['java']: } ->
+exec { 'add ca cert':
+  command => "/usr/bin/keytool -import -trustcacerts -v -keystore /etc/candlepin/certs/keystore -storepa
ss secret -alias candlepin-ca -file /etc/candlepin/certs/candlepin-ca.crt -noprompt",
+  unless  => "/usr/bin/keytool -list -keystore ${keystore} -storepass ${keystore_password} -alias candle
pin-ca | grep $(openssl x509 -noout -fingerprint -in ${ca_cert} | cut -d '=' -f 2)",
+} ->
+group { 'tomcat':
+} ->
+file { $ca_key:
+  mode  => '0440',
+  group => 'tomcat',
+} ->
+file { $ca_cert:
+  mode  => '0440',
+  group => 'tomcat',
+} ->
+file { $keystore:
+  mode  => '0440',
+  group => 'tomcat',
+} ->
 class { 'candlepin':
-  manage_repo       => true,
-  ca_key            => $ca_key,
-  ca_cert           => $ca_cert,
-  keystore_file     => $keystore,
-  keystore_password => $keystore_password,
+  ca_key              => $ca_key,
+  ca_cert             => $ca_cert,
+  keystore_file       => $keystore,
+  keystore_password   => $keystore_password,
+  truststore_password => $keystore_password,
 }
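
Review bot: In `exec { 'add ca cert': }` the `command` hardcodes `/etc/candlepin/certs/keystore`, `-storepass secret` and `/etc/candlepin/certs/candlepin-ca.crt`, while the `unless` guard uses `${keystore}`, `${keystore_password}` and `${ca_cert}`, so the guard can end up testing a different keystore or password than the one the command modifies. Use the variables in both strings. Passing the password with `-storepass` on the command line also makes it visible in the process list while keytool runs, which is worth noting even for an example manifest. Separately, `file { $ca_key: }` gives the `tomcat` group read access to the CA private key with the same `0440` as the certificate and keystore; confirm Tomcat needs the key itself and not only the keystore, and consider stating `ensure` explicitly on `group { 'tomcat': }` so the intent is clear.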

@wbclark wbclark changed the title prepare acceptance tests for el8 Fixes #29194 - puppet-candlepin shoudl run on el8 Mar 27, 2020
@ehelms
Member

ehelms commented Mar 27, 2020

@wbclark wbclark changed the title Fixes #29194 - puppet-candlepin shoudl run on el8 Fixes #29194 - puppet-candlepin should run on el8 Mar 27, 2020
@ehelms ehelms requested a review from ekohl March 30, 2020 12:18
Member

@ekohl ekohl left a comment

You forgot metadata.json

@ekohl
Member

ekohl commented Apr 2, 2020

General note that I normally write something like Support EL8 since that's what you're actually doing. The current title reads more like an issue title.

@wbclark
Contributor Author

wbclark commented Apr 3, 2020

@ekohl I've updated metadata.json and commit message. Thanks!

@wbclark wbclark changed the title Fixes #29194 - puppet-candlepin should run on el8 Fixes #29194 - Support EL8 Apr 3, 2020
@ekohl
Member

ekohl commented Apr 3, 2020

Now that the unit tests run with EL8, the repo assertion fails. Other than that 👍

@ekohl
Member

ekohl commented Apr 4, 2020

I've added a change, this should be squashed on merge.

@ehelms ehelms merged commit 6cf9919 into theforeman:master Apr 6, 2020