CHANGELOG.md

@@ -1,13 +1,38 @@
 # Changelog
 
+## [12.0.0](https://github.com/theforeman/puppet-foreman_proxy/tree/12.0.0) (2019-07-30)
+
+[Full Changelog](https://github.com/theforeman/puppet-foreman_proxy/compare/11.1.0...12.0.0)
+
+Version 12.0.0 drops support for the Puppet 3 plugins in Foreman Proxy. This follows Foreman 1.23 but in practice this would have been nearly impossible to deploy with this module since it dropped support for running under Puppet 3 a long time ago.
+
+It also changes the installation the Ansible plugin. It no longer installs python-requests but relies on packaging to do so. Doing this in packaging avoids the need for platform specific knowledge such as Python 2 or Python 3.
+
+Lastly it installs ansible-runner by default when using the Ansible plugin. This is optional in Foreman 1.23 but the authors are looking to make this default in 1.24. Note that this installs an external repository since it's not present in EPEL nor Debian. The repository also includes a major new version of python2-psutil (5.x) compared to EPEL7 (2.x). There's an option to disable the repository management or the installation altogether.
+
+**Breaking changes:**
+
+- Fixes [\#27264](https://projects.theforeman.org/issues/27264) - Install ansible-runner package [\#515](https://github.com/theforeman/puppet-foreman_proxy/pull/515) ([ezr-ondrej](https://github.com/ezr-ondrej))
+- Fixes [\#27053](https://projects.theforeman.org/issues/27053) - Drop Puppet 3 support from the proxy [\#514](https://github.com/theforeman/puppet-foreman_proxy/pull/514) ([ekohl](https://github.com/ekohl))
+- Move python-requests to packaging for ansible [\#508](https://github.com/theforeman/puppet-foreman_proxy/pull/508) ([ehelms](https://github.com/ehelms))
+
+**Implemented enhancements:**
+
+- Fixes [\#27196](https://projects.theforeman.org/issues/27196) - Add roles\_path to ansible.cfg [\#518](https://github.com/theforeman/puppet-foreman_proxy/pull/518) ([xprazak2](https://github.com/xprazak2))
+- Add support for external Dynflow core  [\#512](https://github.com/theforeman/puppet-foreman_proxy/pull/512) ([adamruzicka](https://github.com/adamruzicka))
+
+**Fixed bugs:**
+
+- Fixes [\#25481](https://projects.theforeman.org/issues/25481) - Set ProxyCommand=none for Ansible [\#511](https://github.com/theforeman/puppet-foreman_proxy/pull/511) ([ekohl](https://github.com/ekohl))
+
 ## [11.1.0](https://github.com/theforeman/puppet-foreman_proxy/tree/11.1.0) (2019-06-13)
 
 [Full Changelog](https://github.com/theforeman/puppet-foreman_proxy/compare/11.0.0...11.1.0)
 
 **Implemented enhancements:**
 
 - Allow for non tfm- packages on Fedora and RHEL8 [\#510](https://github.com/theforeman/puppet-foreman_proxy/pull/510) ([ehelms](https://github.com/ehelms))
-- Fixes [\#26839](https://projects.theforeman.org/issues/26839) - add dns\_view option [\#507](https://github.com/theforeman/puppet-foreman_proxy/pull/507) ([lzap](https://github.com/lzap))
+- Fixes [\#26839](https://projects.theforeman.org/issues/26839) - add dns\_view option to plugin::dns::infoblox [\#507](https://github.com/theforeman/puppet-foreman_proxy/pull/507) ([lzap](https://github.com/lzap))
 
 **Merged pull requests:**
 

HISTORY.md

@@ -1,3 +1,42 @@
+## [12.0.0](https://github.com/theforeman/puppet-foreman_proxy/tree/12.0.0) (2019-07-30)
+
+[Full Changelog](https://github.com/theforeman/puppet-foreman_proxy/compare/11.1.0...12.0.0)
+
+Version 12.0.0 drops support for the Puppet 3 plugins in Foreman Proxy. This follows Foreman 1.23 but in practice this would have been nearly impossible to deploy with this module since it dropped support for running under Puppet 3 a long time ago.
+
+It also changes the installation the Ansible plugin. It no longer installs python-requests but relies on packaging to do so. Doing this in packaging avoids the need for platform specific knowledge such as Python 2 or Python 3.
+
+Lastly it installs ansible-runner by default when using the Ansible plugin. This is optional in Foreman 1.23 but the authors are looking to make this default in 1.24. Note that this installs an external repository since it's not present in EPEL nor Debian. The repository also includes a major new version of python2-psutil (5.x) compared to EPEL7 (2.x). There's an option to disable the repository management or the installation altogether.
+
+**Breaking changes:**
+
+- Fixes [\#27264](https://projects.theforeman.org/issues/27264) - Install ansible-runner package [\#515](https://github.com/theforeman/puppet-foreman_proxy/pull/515) ([ezr-ondrej](https://github.com/ezr-ondrej))
+- Fixes [\#27053](https://projects.theforeman.org/issues/27053) - Drop Puppet 3 support from the proxy [\#514](https://github.com/theforeman/puppet-foreman_proxy/pull/514) ([ekohl](https://github.com/ekohl))
+- Move python-requests to packaging for ansible [\#508](https://github.com/theforeman/puppet-foreman_proxy/pull/508) ([ehelms](https://github.com/ehelms))
+
+**Implemented enhancements:**
+
+- Fixes [\#27196](https://projects.theforeman.org/issues/27196) - Add roles\_path to ansible.cfg [\#518](https://github.com/theforeman/puppet-foreman_proxy/pull/518) ([xprazak2](https://github.com/xprazak2))
+- Add support for external Dynflow core  [\#512](https://github.com/theforeman/puppet-foreman_proxy/pull/512) ([adamruzicka](https://github.com/adamruzicka))
+
+**Fixed bugs:**
+
+- Fixes [\#25481](https://projects.theforeman.org/issues/25481) - Set ProxyCommand=none for Ansible [\#511](https://github.com/theforeman/puppet-foreman_proxy/pull/511) ([ekohl](https://github.com/ekohl))
+
+## [11.1.0](https://github.com/theforeman/puppet-foreman_proxy/tree/11.1.0) (2019-06-13)
+
+[Full Changelog](https://github.com/theforeman/puppet-foreman_proxy/compare/11.0.0...11.1.0)
+
+**Implemented enhancements:**
+
+- Allow for non tfm- packages on Fedora and RHEL8 [\#510](https://github.com/theforeman/puppet-foreman_proxy/pull/510) ([ehelms](https://github.com/ehelms))
+- Fixes [\#26839](https://projects.theforeman.org/issues/26839) - add dns\_view option to plugin::dns::infoblox [\#507](https://github.com/theforeman/puppet-foreman_proxy/pull/507) ([lzap](https://github.com/lzap))
+
+**Merged pull requests:**
+
+- allow newer extlib version [\#509](https://github.com/theforeman/puppet-foreman_proxy/pull/509) ([mmoll](https://github.com/mmoll))
+- Allow `puppetlabs/stdlib` 6.x [\#506](https://github.com/theforeman/puppet-foreman_proxy/pull/506) ([alexjfisher](https://github.com/alexjfisher))
+
 ## [11.0.0](https://github.com/theforeman/puppet-foreman_proxy/tree/11.0.0) (2019-04-17)
 
 [Full Changelog](https://github.com/theforeman/puppet-foreman_proxy/compare/10.1.0...11.0.0)

README.md

@@ -74,6 +74,24 @@ It will manage the user, (by default `foreman_ssh`), install/update the ssh
 keys and manage the sudo rules (using [saz/sudo](https://forge.puppet.com/saz/sudo)
 if available in your environment).
 
+### Ansible integration
+
+The Foreman Proxy Ansible plugin installs the optional package for
+[ansible-runner](https://github.com/ansible/ansible-runner) by default.
+Additional repositories are enabled since this isn't present in the
+repositories we depend on (base OS and EPEL). There is a parameter to disable
+this behavior in which case the user is expected to ensure an `ansible-runner`
+package can be installed. There is also an option to fully disable installing.
+The plugin authors consider ansible-runner the preferred way to run so
+disabling is discouraged.
+
+```puppet
+class { 'foreman_proxy::plugin::ansible':
+  install_runner     => false, # defaults to true
+  manage_runner_repo => false, # defaults to true, redundant when install_runner is false
+}
+```
+
 ## Contributing
 
 * Fork the project

examples/basic.pp

@@ -0,0 +1,32 @@
+$directory = '/etc/foreman-proxy'
+$certificate = "${directory}/certificate.pem"
+$key = "${directory}/key.pem"
+
+# Install a proxy
+class { 'foreman_proxy':
+  repo                => 'nightly',
+  puppet_group        => 'root',
+  register_in_foreman => false,
+  ssl_ca              => $certificate,
+  ssl_cert            => $certificate,
+  ssl_key             => $key,
+}
+
+# Create the certificates - this is after the proxy because we need the user variable
+exec { 'Create certificate directory':
+  command => "mkdir -p ${directory}",
+  path    => ['/bin', '/usr/bin'],
+  creates => $directory,
+}
+-> exec { 'Generate certificate':
+  command => "openssl req -nodes -x509 -newkey rsa:2048 -subj '/CN=${facts['fqdn']}' -keyout '${key}' -out '${certificate}' -days 365",
+  path    => ['/bin', '/usr/bin'],
+  creates => $certificate,
+  umask   => '0022',
+}
+-> file { [$key, $certificate]:
+  owner  => $foreman_proxy::user,
+  group  => $foreman_proxy::user,
+  mode   => '0640',
+  before => Class['foreman_proxy::service'],
+}

examples/dual.pp

@@ -0,0 +1,33 @@
+$directory = '/etc/foreman-proxy'
+$certificate = "${directory}/certificate.pem"
+$key = "${directory}/key.pem"
+
+# Install a proxy
+class { 'foreman_proxy':
+  repo                => 'nightly',
+  puppet_group        => 'root',
+  register_in_foreman => false,
+  ssl_ca              => $certificate,
+  ssl_cert            => $certificate,
+  ssl_key             => $key,
+  http                => true,
+}
+
+# Create the certificates - this is after the proxy because we need the user variable
+exec { 'Create certificate directory':
+  command => "mkdir -p ${directory}",
+  path    => ['/bin', '/usr/bin'],
+  creates => $directory,
+}
+-> exec { 'Generate certificate':
+  command => "openssl req -nodes -x509 -newkey rsa:2048 -subj '/CN=${facts['fqdn']}' -keyout '${key}' -out '${certificate}' -days 365",
+  path    => ['/bin', '/usr/bin'],
+  creates => $certificate,
+  umask   => '0022',
+}
+-> file { [$key, $certificate]:
+  owner  => $foreman_proxy::user,
+  group  => $foreman_proxy::user,
+  mode   => '0640',
+  before => Class['foreman_proxy::service'],
+}

manifests/config.pp

@@ -84,17 +84,22 @@
   }
   foreman_proxy::settings_file { [
       'puppet_proxy_customrun',
-      'puppet_proxy_legacy',
       'puppet_proxy_mcollective',
       'puppet_proxy_puppet_api',
-      'puppet_proxy_puppetrun',
       'puppet_proxy_salt',
       'puppet_proxy_ssh',
       'puppetca_hostname_whitelisting',
       'puppetca_token_whitelisting',
     ]:
       module => false,
   }
+  foreman_proxy::settings_file { [
+      'puppet_proxy_legacy',
+      'puppet_proxy_puppetrun',
+    ]:
+      ensure => 'absent',
+      module => false,
+  }
   foreman_proxy::settings_file { 'puppetca':
     enabled   => $::foreman_proxy::puppetca,
     feature   => 'Puppet CA',
@@ -134,9 +139,7 @@
   }
 
   if $foreman_proxy::puppetca or $foreman_proxy::puppet {
-    $puppetca_sudo = $foreman_proxy::puppetca and versioncmp($facts['puppetversion'], '6.0') < 0
-    $puppetrun_sudo = $foreman_proxy::puppet and $foreman_proxy::puppetrun_provider == 'puppetrun'
-    $uses_sudo = $puppetrun_sudo or $puppetca_sudo
+    $uses_sudo = $foreman_proxy::puppetca and versioncmp($facts['puppetversion'], '6.0') < 0
 
     if $foreman_proxy::use_sudoersd {
       if $uses_sudo and $foreman_proxy::manage_sudoersd {

manifests/init.pp

@@ -86,8 +86,6 @@
 #
 # $puppetrun_provider::         Provider for running/kicking Puppet agents
 #
-# $puppetrun_cmd::              Puppet run/kick command to be allowed in sudoers
-#
 # $customrun_cmd::              Puppet customrun command
 #
 # $customrun_args::             Puppet customrun command arguments
@@ -117,9 +115,6 @@
 #
 # $puppet_ssl_key::             SSL private key used when accessing the Puppet master API
 #
-# $puppet_use_environment_api:: Override use of Puppet's API to list environments.  When unset, the proxy will
-#                               try to determine this automatically.
-#
 # $puppet_api_timeout::         Timeout in seconds when accessing Puppet environment classes API
 #
 # $templates::                  Enable templates feature
@@ -277,8 +272,6 @@
 #
 # $oauth_consumer_secret::      OAuth secret to be used for REST interaction
 #
-# $puppet_use_cache::           Whether to enable caching of puppet classes
-#
 # === Advanced parameters:
 #
 # $repo::                       Which repository to use. Can be a specific version or nightly. Will not configure anything when undefined.
@@ -362,8 +355,7 @@
   Boolean $manage_puppet_group = $::foreman_proxy::params::manage_puppet_group,
   Boolean $puppet = $::foreman_proxy::params::puppet,
   Foreman_proxy::ListenOn $puppet_listen_on = $::foreman_proxy::params::puppet_listen_on,
-  String $puppetrun_cmd = $::foreman_proxy::params::puppetrun_cmd,
-  Optional[Enum['puppetrun', 'mcollective', 'ssh', 'salt', 'customrun']] $puppetrun_provider = $::foreman_proxy::params::puppetrun_provider,
+  Optional[Enum['mcollective', 'ssh', 'salt', 'customrun']] $puppetrun_provider = $::foreman_proxy::params::puppetrun_provider,
   String $customrun_cmd = $::foreman_proxy::params::customrun_cmd,
   String $customrun_args = $::foreman_proxy::params::customrun_args,
   String $mcollective_user = $::foreman_proxy::params::mcollective_user,
@@ -378,7 +370,6 @@
   Stdlib::Absolutepath $puppet_ssl_ca = $::foreman_proxy::params::ssl_ca,
   Stdlib::Absolutepath $puppet_ssl_cert = $::foreman_proxy::params::ssl_cert,
   Stdlib::Absolutepath $puppet_ssl_key = $::foreman_proxy::params::ssl_key,
-  Optional[Boolean] $puppet_use_environment_api = $::foreman_proxy::params::puppet_use_environment_api,
   Integer[0] $puppet_api_timeout = $::foreman_proxy::params::puppet_api_timeout,
   Boolean $templates = $::foreman_proxy::params::templates,
   Foreman_proxy::ListenOn $templates_listen_on = $::foreman_proxy::params::templates_listen_on,
@@ -466,7 +457,6 @@
   String $oauth_effective_user = $::foreman_proxy::params::oauth_effective_user,
   String $oauth_consumer_key = $::foreman_proxy::params::oauth_consumer_key,
   String $oauth_consumer_secret = $::foreman_proxy::params::oauth_consumer_secret,
-  Optional[Boolean] $puppet_use_cache = $::foreman_proxy::params::puppet_use_cache,
 ) inherits foreman_proxy::params {
   if $bind_host =~ String {
     warning('foreman_proxy::bind_host should be changed to an array, support for string only is deprecated')

manifests/params.pp

@@ -196,8 +196,6 @@
 
   # puppet settings
   $puppet_url                 = "https://${::fqdn}:8140"
-  $puppet_use_environment_api = undef
-  $puppet_use_cache           = undef
   $puppet_api_timeout         = 30
 
   # puppetca settings
@@ -220,7 +218,6 @@
   $puppet = true
   $puppet_listen_on = 'https'
 
-  $puppetrun_cmd       = "${puppet_cmd} kick"
   $puppetrun_provider  = undef
   $customrun_cmd       = $shell
   $customrun_args      = '-ay -f -s'

manifests/plugin/ansible.pp

@@ -22,13 +22,25 @@
 #
 # $stdout_callback:: Ansible's stdout_callback setting
 #
+# $roles_path:: Paths where we look for ansible roles.
+#
+# $ssh_args::          The ssh_args parameter in ansible.cfg under [ssh_connection]
+#
+# $install_runner:: If true, installs ansible-runner package to support running ansible by ansible-runner
+#
+# $manage_runner_repo:: If true, adds upstream repositories to install ansible-runner package from
+#
 class foreman_proxy::plugin::ansible (
   Boolean $enabled = $::foreman_proxy::plugin::ansible::params::enabled,
   Foreman_proxy::ListenOn $listen_on = $::foreman_proxy::plugin::ansible::params::listen_on,
   Stdlib::Absolutepath $ansible_dir = $::foreman_proxy::plugin::ansible::params::ansible_dir,
   Optional[Stdlib::Absolutepath] $working_dir = $::foreman_proxy::plugin::ansible::params::working_dir,
   Boolean $host_key_checking = $::foreman_proxy::plugin::ansible::params::host_key_checking,
   String $stdout_callback = $::foreman_proxy::plugin::ansible::params::stdout_callback,
+  Array[Stdlib::Absolutepath] $roles_path = $::foreman_proxy::plugin::ansible::params::roles_path,
+  String $ssh_args = $::foreman_proxy::plugin::ansible::params::ssh_args,
+  Boolean $install_runner = $::foreman_proxy::plugin::ansible::params::install_runner,
+  Boolean $manage_runner_repo = $::foreman_proxy::plugin::ansible::params::manage_runner_repo,
 ) inherits foreman_proxy::plugin::ansible::params {
   $foreman_url = $::foreman_proxy::foreman_base_url
   $foreman_ssl_cert = pick($::foreman_proxy::foreman_ssl_cert, $::foreman_proxy::ssl_cert)
@@ -48,6 +60,9 @@
   }
 
   include ::foreman_proxy::plugin::dynflow
+  if $install_runner {
+    include ::foreman_proxy::plugin::ansible::runner
+  }
 
   foreman_proxy::plugin { 'ansible':
   }
@@ -61,6 +76,4 @@
   if $::osfamily == 'RedHat' and $::operatingsystem != 'Fedora' {
     Foreman_proxy::Settings_file['ansible'] ~> Service['smart_proxy_dynflow_core']
   }
-
-  ensure_packages(['python-requests'], { ensure => 'present', })
 }

manifests/plugin/ansible/params.pp

@@ -6,4 +6,8 @@
   $working_dir = '/tmp'
   $host_key_checking = false
   $stdout_callback = 'yaml'
+  $roles_path = ['/etc/ansible/roles', '/usr/share/ansible/roles']
+  $ssh_args = '-o ProxyCommand=none'
+  $install_runner = true
+  $manage_runner_repo = true
 }

manifests/plugin/ansible/runner.pp

@@ -0,0 +1,47 @@
+# = Ansible runner package installation
+#
+# $manage_runner_repo:: If true, adds upstream repositories to install ansible-runner package from
+#
+# $package_name:: Name of the package to install to provide 'ansible-runner' command
+#
+class foreman_proxy::plugin::ansible::runner(
+  Boolean $manage_runner_repo = $foreman_proxy::plugin::ansible::manage_runner_repo,
+  String  $package_name = 'ansible-runner',
+) {
+
+  if $manage_runner_repo {
+    case $facts['os']['family'] {
+      'Debian': {
+        include ::apt
+        apt::source { 'ansible-runner':
+          repos    => 'main',
+          location => 'https://releases.ansible.com/ansible-runner/deb',
+          key      => {
+            id     => 'AC48AC71DA695CA15F2D39C4B84E339C442667A9',
+            source => 'https://releases.ansible.com/keys/RPM-GPG-KEY-ansible-release.pub',
+          },
+          include  => {
+            src => false,
+          },
+        }
+      }
+      'RedHat': {
+        yumrepo { 'ansible-runner':
+          descr    => 'Ansible runner',
+          baseurl  => "https://releases.ansible.com/ansible-runner/rpm/epel-${facts['os']['release']['major']}-\$basearch/",
+          gpgcheck => true,
+          gpgkey   => 'https://releases.ansible.com/keys/RPM-GPG-KEY-ansible-release.pub',
+          enabled  => '1',
+        }
+      }
+      default: {
+        fail("Repository containing 'ansible-runner' not known for '${facts['os']['family']}'")
+      }
+    }
+  }
+
+  package { $package_name:
+    ensure => 'installed',
+  }
+
+}

manifests/plugin/dynflow.pp

@@ -24,6 +24,7 @@
 #
 # $open_file_limit::       Limit number of open files - Only Red Hat Operating Systems with Software Collections.
 #
+# $external_core::         Forces usage of external/internal Dynflow core
 class foreman_proxy::plugin::dynflow (
   Boolean $enabled = $::foreman_proxy::plugin::dynflow::params::enabled,
   Foreman_proxy::ListenOn $listen_on = $::foreman_proxy::plugin::dynflow::params::listen_on,
@@ -34,6 +35,7 @@
   Optional[Array[String]] $ssl_disabled_ciphers = $::foreman_proxy::plugin::dynflow::params::ssl_disabled_ciphers,
   Optional[Array[String]] $tls_disabled_versions = $::foreman_proxy::plugin::dynflow::params::tls_disabled_versions,
   Integer[1] $open_file_limit = $::foreman_proxy::plugin::dynflow::params::open_file_limit,
+  Optional[Boolean] $external_core = $::foreman_proxy::plugin::dynflow::params::external_core,
 ) inherits foreman_proxy::plugin::dynflow::params {
   if $::foreman_proxy::ssl {
     $core_url = "https://${::fqdn}:${core_port}"