.fixtures.yml

@@ -19,6 +19,7 @@ fixtures:
     sudo:     'https://github.com/saz/puppet-sudo'
     systemd:  'https://github.com/camptocamp/puppet-systemd'
     tftp:     'https://github.com/theforeman/puppet-tftp'
+    translate: 'https://github.com/puppetlabs/puppetlabs-translate'
     xinetd:   'https://github.com/puppetlabs/puppetlabs-xinetd'
     yumrepo_core:
       repo: "https://github.com/puppetlabs/puppetlabs-yumrepo_core"

.github/workflows/acceptance.yml

@@ -23,6 +23,7 @@ jobs:
           bundle config path vendor/bundle
           bundle config without 'development test'
           bundle install --jobs 4 --retry 3
+
   acceptance:
     needs: build_cache
     runs-on: ubuntu-latest
@@ -34,7 +35,6 @@ jobs:
           - centos8-64{hostname=centos8-64.example.com}
           - debian10-64{hostname=debian10-64.example.com}
           - ubuntu1804-64{hostname=ubuntu1804-64.example.com}
-
         puppet:
           - "6"
           - "5"

.github/workflows/cron.yml

@@ -2,7 +2,7 @@ name: Nightly tests
 
 on:
   schedule:
-    - cron: '4 * * * *'
+    - cron: '4 4 * * *'
 
 jobs:
   unit:
@@ -71,6 +71,7 @@ jobs:
           bundle config path vendor/bundle
           bundle config without 'development test'
           bundle install --jobs 4 --retry 3
+
   acceptance:
     if: github.repository == 'theforeman/puppet-foreman_proxy'
     needs: build_cache
@@ -81,6 +82,8 @@ jobs:
         setfile:
           - centos7-64{hostname=centos7-64.example.com}
           - centos8-64{hostname=centos8-64.example.com}
+          - debian10-64{hostname=debian10-64.example.com}
+          - ubuntu1804-64{hostname=ubuntu1804-64.example.com}
         puppet:
           - "6"
           - "5"

.sync.yml

@@ -1,13 +1,4 @@
 ---
-.travis.yml:
-  beaker_sets:
-    - centos7-64
-    - centos8-64
-    - debian10-64
-    - ubuntu1804-64
-  env:
-    global:
-      - PARALLEL_TEST_PROCESSORS=8
 spec/spec_helper.rb:
   custom_facts:
     - name: sudoversion

CHANGELOG.md

@@ -1,5 +1,21 @@
 # Changelog
 
+## [17.0.0](https://github.com/theforeman/puppet-foreman_proxy/tree/17.0.0) (2021-01-28)
+
+[Full Changelog](https://github.com/theforeman/puppet-foreman_proxy/compare/16.0.0...17.0.0)
+
+**Breaking changes:**
+
+- Fixes [\#30449](https://projects.theforeman.org/issues/30449) - Do not require TFTP for HTTPBoot [\#608](https://github.com/theforeman/puppet-foreman_proxy/pull/608) ([ekohl](https://github.com/ekohl))
+
+**Implemented enhancements:**
+
+- Fixes [\#31415](https://projects.theforeman.org/issues/31415) - Expose DHCP's ping\_free\_ip option [\#635](https://github.com/theforeman/puppet-foreman_proxy/pull/635) ([ekohl](https://github.com/ekohl))
+
+**Fixed bugs:**
+
+- Fixes [\#31430](https://projects.theforeman.org/issues/31430) - use correct key and server for ansible-runner deb  [\#637](https://github.com/theforeman/puppet-foreman_proxy/pull/637) ([evgeni](https://github.com/evgeni))
+
 ## [16.0.0](https://github.com/theforeman/puppet-foreman_proxy/tree/16.0.0) (2020-10-30)
 
 [Full Changelog](https://github.com/theforeman/puppet-foreman_proxy/compare/15.3.0...16.0.0)

Gemfile

@@ -3,15 +3,16 @@
 
 source 'https://rubygems.org'
 
-gem 'puppet', ENV.key?('PUPPET_VERSION') ? "~> #{ENV['PUPPET_VERSION']}" : '>= 5.5'
+gem 'puppet', ENV.key?('PUPPET_VERSION') ? "~> #{ENV['PUPPET_VERSION']}" : '>= 5.5', groups: ['development', 'test']
+gem 'rake'
 
-gem 'kafo_module_lint'
-gem 'puppet-lint-empty_string-check'
-gem 'puppet-lint-file_ensure-check'
-gem 'puppet-lint-param-docs', '>= 1.3.0'
-gem 'puppet-lint-spaceship_operator_without_tag-check'
-gem 'puppet-lint-strict_indent-check'
-gem 'puppet-lint-undef_in_function-check'
+gem 'kafo_module_lint', {"groups"=>["test"]}
+gem 'puppet-lint-empty_string-check', {"groups"=>["test"]}
+gem 'puppet-lint-file_ensure-check', {"groups"=>["test"]}
+gem 'puppet-lint-param-docs', '>= 1.3.0', {"groups"=>["test"]}
+gem 'puppet-lint-spaceship_operator_without_tag-check', {"groups"=>["test"]}
+gem 'puppet-lint-strict_indent-check', {"groups"=>["test"]}
+gem 'puppet-lint-undef_in_function-check', {"groups"=>["test"]}
 gem 'voxpupuli-test', '~> 1.4'
 gem 'github_changelog_generator', '>= 1.15.0', {"groups"=>["development"]}
 gem 'puppet-blacksmith', '>= 6.0.0', {"groups"=>["development"]}

examples/ansible.pp

@@ -0,0 +1,33 @@
+$directory = '/etc/foreman-proxy'
+$certificate = "${directory}/certificate.pem"
+$key = "${directory}/key.pem"
+
+# Install a proxy
+class { 'foreman_proxy':
+  puppet_group        => 'root',
+  register_in_foreman => false,
+  ssl_ca              => $certificate,
+  ssl_cert            => $certificate,
+  ssl_key             => $key,
+}
+class { 'foreman_proxy::plugin::ansible':
+}
+
+# Create the certificates - this is after the proxy because we need the user variable
+exec { 'Create certificate directory':
+  command => "mkdir -p ${directory}",
+  path    => ['/bin', '/usr/bin'],
+  creates => $directory,
+}
+-> exec { 'Generate certificate':
+  command => "openssl req -nodes -x509 -newkey rsa:2048 -subj '/CN=${facts['networking']['fqdn']}' -keyout '${key}' -out '${certificate}' -days 365",
+  path    => ['/bin', '/usr/bin'],
+  creates => $certificate,
+  umask   => '0022',
+}
+-> file { [$key, $certificate]:
+  owner  => $foreman_proxy::user,
+  group  => $foreman_proxy::user,
+  mode   => '0640',
+  before => Class['foreman_proxy::service'],
+}

manifests/init.pp

@@ -61,6 +61,8 @@
 #
 # $ssldir::                     Puppet CA SSL directory
 #
+# $httpboot::                   Enable HTTPBoot feature. In most deployments this requires HTTP to be enabled as well.
+#
 # $puppetdir::                  Puppet var directory
 #
 # $puppetca_cmd::               Puppet CA command to be allowed in sudoers
@@ -130,6 +132,10 @@
 #
 # $dhcp_subnets::               Subnets list to restrict DHCP management to
 #
+# $dhcp_ping_free_ip::          Perform ICMP and TCP ping when searching free IPs from the pool. This makes
+#                               sure that active IP address is not suggested as free, however in locked down
+#                               network environments this can cause no free IPs.
+#
 # $dhcp_option_domain::         DHCP use the dhcpd config option domain-name
 #
 # $dhcp_search_domains::        DHCP search domains option
@@ -269,8 +275,6 @@
 #
 # $dhcp_manage_acls::           Whether to manage DHCP directory ACLs. This allows the Foreman Proxy user to access even if the directory mode is 0750.
 #
-# $httpboot::                   Enable HTTPBoot feature
-#
 # $httpboot_listen_on::         HTTPBoot proxy to listen on https, http, or both
 #
 # $puppetca_provider::          Whether to use puppetca_hostname_whitelisting or puppetca_token_whitelisting
@@ -351,6 +355,7 @@
   Boolean $dhcp_managed = $foreman_proxy::params::dhcp_managed,
   String $dhcp_provider = $foreman_proxy::params::dhcp_provider,
   Array[String] $dhcp_subnets = $foreman_proxy::params::dhcp_subnets,
+  Boolean $dhcp_ping_free_ip = $foreman_proxy::params::dhcp_ping_free_ip,
   Array[String] $dhcp_option_domain = $foreman_proxy::params::dhcp_option_domain,
   Optional[Array[String]] $dhcp_search_domains = $foreman_proxy::params::dhcp_search_domains,
   String $dhcp_interface = $foreman_proxy::params::dhcp_interface,

manifests/module/httpboot.pp

@@ -6,19 +6,11 @@
 # @param listen_on
 #   Where to listen on.
 class foreman_proxy::module::httpboot (
-  Optional[Boolean] $enabled = $foreman_proxy::httpboot,
+  Boolean $enabled = $foreman_proxy::httpboot,
   Foreman_proxy::ListenOn $listen_on = $foreman_proxy::httpboot_listen_on,
 ) {
-  $real_enabled = pick($enabled, $foreman_proxy::tftp)
-  if $real_enabled {
-    include foreman_proxy::module::tftp
-    unless $foreman_proxy::module::tftp::enabled {
-      fail('The HTTPBoot module depends on the TFTP module to be enabled')
-    }
-  }
-
   foreman_proxy::module { 'httpboot':
-    enabled   => $real_enabled,
+    enabled   => $enabled,
     feature   => 'HTTPBoot',
     listen_on => $listen_on,
   }

manifests/params.pp

@@ -225,8 +225,8 @@
   $logs           = true
   $logs_listen_on = 'https'
 
-  # HTTPBoot settings - requires optional httpboot puppet module
-  $httpboot           = undef
+  # HTTPBoot settings
+  $httpboot           = false
   $httpboot_listen_on = 'both'
 
   # TFTP settings - requires optional TFTP puppet module
@@ -244,6 +244,7 @@
   $dhcp_managed            = true
   $dhcp_provider           = 'isc'
   $dhcp_subnets            = []
+  $dhcp_ping_free_ip       = true
   $dhcp_interface          = pick(fact('networking.primary'), 'eth0')
   $dhcp_additional_interfaces = []
   $dhcp_gateway            = undef

manifests/plugin/ansible/runner.pp

@@ -17,12 +17,13 @@
           repos    => 'main',
           location => 'https://releases.ansible.com/ansible-runner/deb',
           key      => {
-            id     => 'AC48AC71DA695CA15F2D39C4B84E339C442667A9',
-            source => 'https://releases.ansible.com/keys/RPM-GPG-KEY-ansible-release.pub',
+            id     => 'B7196EFF934FBC94FBCDF40DD430849D3DD29021',
+            server => 'keyserver.ubuntu.com',
           },
           include  => {
             src => false,
           },
+          before   => Package[$package_name],
         }
       }
       'RedHat': {
@@ -32,6 +33,7 @@
           gpgcheck => true,
           gpgkey   => 'https://releases.ansible.com/keys/RPM-GPG-KEY-ansible-release.pub',
           enabled  => '1',
+          before   => Package[$package_name],
         }
       }
       default: {

metadata.json

@@ -1,6 +1,6 @@
 {
   "name": "theforeman-foreman_proxy",
-  "version": "16.0.0",
+  "version": "17.0.0",
   "author": "theforeman",
   "summary": "Foreman Smart Proxy configuration",
   "license": "GPL-3.0+",

spec/acceptance/ansible_spec.rb

@@ -0,0 +1,13 @@
+require 'spec_helper_acceptance'
+
+describe 'Scenario: install foreman-proxy with ansible plugin'  do
+  before(:context) { purge_installed_packages }
+
+  include_examples 'the example', 'ansible.pp'
+
+  it_behaves_like 'the default foreman proxy application'
+
+  describe package('ansible-runner') do
+    it { is_expected.to be_installed }
+  end
+end

spec/acceptance/journald_spec.rb

@@ -11,9 +11,8 @@
     it { is_expected.to be_installed }
   end
 
-  # Logging to the journal is broken on Travis and EL7 but works in Vagrant VMs
-  # and regular docker containers
-  describe command('journalctl -u foreman-proxy'), unless: ENV['TRAVIS'] == 'true' && os[:family] == 'redhat' && os[:release] =~ /^7\./ do
+  # Logging to the journal is broken on Docker with EL7
+  describe command('journalctl -u foreman-proxy'), unless: default[:hypervisor] == 'docker' && os[:family] == 'redhat' && os[:release] =~ /^7\./ do
     its(:stdout) { is_expected.to match(%r{WEBrick::HTTPServer#start}) }
   end
 end

spec/classes/foreman_proxy__plugin__ansible_spec.rb

@@ -17,9 +17,10 @@
               .with_location('https://releases.ansible.com/ansible-runner/deb')
               .with_repos('main')
               .with_key(
-                'id' => 'AC48AC71DA695CA15F2D39C4B84E339C442667A9',
-                'source' => 'https://releases.ansible.com/keys/RPM-GPG-KEY-ansible-release.pub'
+                'id' => 'B7196EFF934FBC94FBCDF40DD430849D3DD29021',
+                'server' => 'keyserver.ubuntu.com'
               )
+              .that_comes_before('Package[ansible-runner]')
           end
         when 'redhat-7-x86_64'
           it 'should include ansible-runner upstream repo' do
@@ -28,6 +29,7 @@
                    .with_gpgcheck(true)
                    .with_gpgkey('https://releases.ansible.com/keys/RPM-GPG-KEY-ansible-release.pub')
                    .with_enabled('1')
+                   .that_comes_before('Package[ansible-runner]')
           end
         end
 

spec/classes/foreman_proxy__spec.rb

@@ -163,6 +163,7 @@
             ':enabled: false',
             ':use_provider: dhcp_isc',
             ':server: 127.0.0.1',
+            ':ping_free_ip: true',
           ])
         end
 
@@ -439,7 +440,7 @@
         it 'should generate correct httpboot.yml' do
           verify_exact_contents(catalogue, "#{etc_dir}/foreman-proxy/settings.d/httpboot.yml", [
             '---',
-            ':enabled: true',
+            ':enabled: false',
             ":root_dir: #{tftp_root}",
           ])
         end
@@ -856,6 +857,7 @@
               ':enabled: https',
               ':use_provider: dhcp_isc',
               ':server: 127.0.0.1',
+              ':ping_free_ip: true',
             ])
           end
 
@@ -903,6 +905,7 @@
               ':enabled: https',
               ':use_provider: dhcp_libvirt',
               ':server: 127.0.0.1',
+              ':ping_free_ip: true',
             ])
 
             verify_exact_contents(catalogue, "#{etc_dir}/foreman-proxy/settings.d/dhcp_libvirt.yml", [

spec/setup_acceptance_node.pp

@@ -11,3 +11,9 @@
 package { $dig_package:
   ensure => installed,
 }
+
+if $facts['os']['name'] == 'CentOS' {
+  package { 'centos-release-ansible-29':
+    ensure => present,
+  }
+}

templates/dhcp.yml.erb

@@ -20,3 +20,8 @@
 #  - 192.168.205.0/255.255.255.128
 #  - 192.168.205.128/255.255.255.128
 <% end -%>
+
+# Perform ICMP and TCP ping when searching free IPs from the pool. This makes
+# sure that active IP address is not suggested as free, however in locked down
+# network environments this can cause no free IPs. Enabled by default
+:ping_free_ip: <%= scope.lookupvar("foreman_proxy::dhcp_ping_free_ip") %>