CHANGELOG.md

@@ -1,5 +1,18 @@
 # Changelog
 
+## [19.1.0](https://github.com/theforeman/puppet-puppet/tree/19.1.0) (2024-02-20)
+
+[Full Changelog](https://github.com/theforeman/puppet-puppet/compare/19.0.0...19.1.0)
+
+**Implemented enhancements:**
+
+- Add puppet8 certificate renewal endpoint. [\#905](https://github.com/theforeman/puppet-puppet/pull/905) ([jcpunk](https://github.com/jcpunk))
+- Add support for OracleLinux/AlmaLinux/Rocky 9 [\#900](https://github.com/theforeman/puppet-puppet/pull/900) ([evgeni](https://github.com/evgeni))
+
+**Fixed bugs:**
+
+- Replace File.exists? with File.exist? for Ruby 3.2 compatibility [\#906](https://github.com/theforeman/puppet-puppet/pull/906) ([tuxmea](https://github.com/tuxmea))
+
 ## [19.0.0](https://github.com/theforeman/puppet-puppet/tree/19.0.0) (2023-11-14)
 
 [Full Changelog](https://github.com/theforeman/puppet-puppet/compare/18.0.0...19.0.0)

manifests/init.pp

@@ -539,6 +539,12 @@
 # $server_ca_enable_infra_crl::             Enable the separate CRL for Puppet infrastructure nodes
 #                                           Defaults to false
 #
+# $server_ca_allow_auto_renewal::           Enable the auto renewal for client certificates
+#                                           Defaults to false
+#
+# $server_ca_allow_auto_renewal_cert_ttl::  Set the auto renewal interval for client certificates
+#                                           Defaults to 60d
+#
 # $server_max_open_files::                  Increase the max open files limit for Puppetserver.
 #                                           Defaults to undef
 #
@@ -748,6 +754,8 @@
   Boolean $server_ca_allow_sans = $puppet::params::server_ca_allow_sans,
   Boolean $server_ca_allow_auth_extensions = $puppet::params::server_ca_allow_auth_extensions,
   Boolean $server_ca_enable_infra_crl = $puppet::params::server_ca_enable_infra_crl,
+  Boolean $server_ca_allow_auto_renewal = $puppet::params::server_ca_allow_auto_renewal,
+  String $server_ca_allow_auto_renewal_cert_ttl = $puppet::params::server_ca_allow_auto_renewal_cert_ttl,
   Optional[Integer[1]] $server_max_open_files = $puppet::params::server_max_open_files,
   Optional[Stdlib::Absolutepath] $server_versioned_code_id = undef,
   Optional[Stdlib::Absolutepath] $server_versioned_code_content = undef,

manifests/params.pp

@@ -406,6 +406,8 @@
   $server_ca_allow_sans                   = false
   $server_ca_allow_auth_extensions        = false
   $server_ca_enable_infra_crl             = false
+  $server_ca_allow_auto_renewal           = false
+  $server_ca_allow_auto_renewal_cert_ttl  = '60d'
   $server_max_open_files                  = undef
   $server_environment_vars                = {}
 

manifests/server.pp

@@ -302,6 +302,11 @@
 #
 # $ca_enable_infra_crl::               Enable the separate CRL for Puppet infrastructure nodes
 #                                      Defaults to false
+# $server_ca_allow_auto_renewal::           Enable the auto renewal for client certificates
+#                                           Defaults to false
+#
+# $server_ca_allow_auto_renewal_cert_ttl::  Set the auto renewal interval for client certificates
+#                                           Defaults to 60d
 #
 # $acceptor_threads::                  This sets the number of threads that the webserver will dedicate to accepting
 #                                      socket connections for unencrypted HTTP traffic. If not provided, the webserver
@@ -454,6 +459,8 @@
   Boolean $ca_allow_sans = $puppet::server_ca_allow_sans,
   Boolean $ca_allow_auth_extensions = $puppet::server_ca_allow_auth_extensions,
   Boolean $ca_enable_infra_crl = $puppet::server_ca_enable_infra_crl,
+  Boolean $server_ca_allow_auto_renewal = $puppet::server_ca_allow_auto_renewal,
+  String $server_ca_allow_auto_renewal_cert_ttl = $puppet::server_ca_allow_auto_renewal_cert_ttl,
   Optional[Integer[1]] $max_open_files = $puppet::server_max_open_files,
   Optional[Stdlib::Absolutepath] $versioned_code_id = $puppet::server_versioned_code_id,
   Optional[Stdlib::Absolutepath] $versioned_code_content = $puppet::server_versioned_code_content,

manifests/server/puppetserver.pp

@@ -73,6 +73,7 @@
 #   }
 #
 class puppet::server::puppetserver (
+  Optional[Pattern[/^[\d]\.[\d]+\.[\d]+$/]] $puppetserver_version = $puppet::server::puppetserver_version,
   String $config = $puppet::server::jvm_config,
   String $java_bin = $puppet::server::jvm_java_bin,
   Variant[String, Array[String]] $jvm_extra_args = $puppet::server::real_jvm_extra_args,
@@ -139,6 +140,8 @@
   Boolean $ca_allow_sans = $puppet::server::ca_allow_sans,
   Boolean $ca_allow_auth_extensions = $puppet::server::ca_allow_auth_extensions,
   Boolean $ca_enable_infra_crl = $puppet::server::ca_enable_infra_crl,
+  Boolean $server_ca_allow_auto_renewal = $puppet::server::server_ca_allow_auto_renewal,
+  String $server_ca_allow_auto_renewal_cert_ttl = $puppet::server::server_ca_allow_auto_renewal_cert_ttl,
   Optional[Integer[1]] $max_open_files = $puppet::server::max_open_files,
   Optional[Stdlib::Absolutepath] $versioned_code_id = $puppet::server::versioned_code_id,
   Optional[Stdlib::Absolutepath] $versioned_code_content = $puppet::server::versioned_code_content,
@@ -147,6 +150,17 @@
 ) {
   include puppet::server
 
+  # For Puppetserver, certain configuration parameters are version specific.
+  # We need a method to determine what version is installed.
+  if $puppetserver_version {
+    $real_puppetserver_version = $puppetserver_version
+  } elsif versioncmp($facts['puppetversion'], '8.0.0') >= 0 {
+    $real_puppetserver_version = '8.0.0'
+  } else {
+    # our minimum supported version of puppet server
+    $real_puppetserver_version = '7.0.0'
+  }
+
   $puppetserver_package = pick($puppet::server::package, 'puppetserver')
 
   $jvm_heap_arr = ["-Xms${jvm_min_heap_size}", "-Xmx${jvm_max_heap_size}"]

metadata.json

@@ -1,6 +1,6 @@
 {
   "name": "theforeman-puppet",
-  "version": "19.0.0",
+  "version": "19.1.0",
   "author": "theforeman",
   "summary": "Puppet agent and server configuration",
   "license": "GPL-3.0+",
@@ -55,6 +55,24 @@
         "9"
       ]
     },
+    {
+      "operatingsystem": "OracleLinux",
+      "operatingsystemrelease": [
+        "9"
+      ]
+    },
+    {
+      "operatingsystem": "AlmaLinux",
+      "operatingsystemrelease": [
+        "9"
+      ]
+    },
+    {
+      "operatingsystem": "Rocky",
+      "operatingsystemrelease": [
+        "9"
+      ]
+    },
     {
       "operatingsystem": "Scientific",
       "operatingsystemrelease": [

spec/classes/puppet_agent_spec.rb

@@ -94,7 +94,7 @@
 
         it { is_expected.to contain_class('puppet::agent::service::systemd').with_enabled(false) }
         case os
-        when /\A(debian|redhat|centos|scientific|fedora|ubuntu|sles|archlinux)-/
+        when /\A(debian|redhat|centos|scientific|fedora|ubuntu|sles|archlinux|oraclelinux|almalinux|rocky)-/
           it do
             is_expected.to contain_service('puppet-run.timer')
               .with_ensure(false)
@@ -171,7 +171,7 @@
           case os
           when /\A(windows|archlinux)/
             it { is_expected.to raise_error(Puppet::Error, /Runmode of cron not supported on #{facts[:kernel]} operating systems!/) }
-          when /\A(debian|redhat|centos|scientific|fedora|ubuntu|sles)-/
+          when /\A(debian|redhat|centos|scientific|fedora|ubuntu|sles|oraclelinux|almalinux|rocky)-/
             it { is_expected.to compile.with_all_deps }
             it { is_expected.to contain_concat__fragment('puppet.conf_agent') }
             it { is_expected.to contain_class('puppet::agent::service::cron').with_enabled(true) }
@@ -219,7 +219,7 @@
           case os
           when /\A(windows|archlinux)/
             it { is_expected.to raise_error(Puppet::Error, /Runmode of cron not supported on #{facts[:kernel]} operating systems!/) }
-          when /\A(debian|redhat|centos|scientific|fedora|ubuntu|sles)-/
+          when /\A(debian|redhat|centos|scientific|fedora|ubuntu|sles|oraclelinux|almalinux|rocky)-/
             it { is_expected.to contain_class('puppet::agent::service::cron').with_enabled(true) }
             it { is_expected.to contain_class('puppet::agent::service::daemon').with_enabled(false) }
             it do
@@ -260,7 +260,7 @@
           end
 
           case os
-          when /\A(debian|redhat|centos|scientific|fedora|ubuntu|sles|archlinux)-/
+          when /\A(debian|redhat|centos|scientific|fedora|ubuntu|sles|archlinux|oraclelinux|almalinux|rocky)-/
             it { is_expected.to compile.with_all_deps }
             it { is_expected.to contain_class('puppet::agent::service::daemon').with_enabled(false) }
             it { is_expected.to contain_class('puppet::agent::service::cron').with_enabled(false) }
@@ -303,7 +303,7 @@
           end
 
           case os
-          when /\A(debian|redhat|centos|scientific|fedora|ubuntu|sles|archlinux)-/
+          when /\A(debian|redhat|centos|scientific|fedora|ubuntu|sles|archlinux|oraclelinux|almalinux|rocky)-/
             it { is_expected.to compile.with_all_deps }
             it { is_expected.to contain_class('puppet::agent::service::daemon').with_enabled(false) }
             it { is_expected.to contain_class('puppet::agent::service::cron').with_enabled(false) }
@@ -351,7 +351,7 @@
           it { is_expected.to contain_class('puppet::agent::service::systemd').with_enabled(false) }
 
           case os
-          when /\A(debian|redhat|centos|scientific|fedora|ubuntu|sles|archlinux)-/
+          when /\A(debian|redhat|centos|scientific|fedora|ubuntu|sles|archlinux|oraclelinux|almalinux|rocky)-/
             it { is_expected.to contain_service('puppet-run.timer').with_ensure(false) }
           else
             it { is_expected.not_to contain_service('puppet-run.timer') }

templates/server/post-receive.erb

@@ -100,7 +100,7 @@ $stdin.each_line do |line|
       Dir.chdir environment_path
       do_cmd("git fetch --all")
       do_cmd("git reset --hard 'origin/#{branchname}'")
-      if File.exists? "#{environment_path}/.gitmodules"
+      if File.exist? "#{environment_path}/.gitmodules"
         # ensure that we remove deleted sub modules too
         do_cmd("git status --short").split("\n").each do |file|
           # ?? old_submodule/

templates/server/puppetserver/conf.d/auth.conf.erb

@@ -77,6 +77,20 @@ authorization: {
             name: "puppetlabs csr"
         },
 <%- if @server_ca -%>
+<%- if scope.function_versioncmp([@real_puppetserver_version, '8.0.0']) >= 0 -%>
+        {
+            # Allow nodes to renew their certificate
+            match-request: {
+                path: "/puppet-ca/v1/certificate_renewal"
+                type: path
+                method: post
+            }
+            # this endpoint should never be unauthenticated, as it requires the cert to be provided.
+            allow: "*"
+            sort-order: 500
+            name: "puppetlabs certificate renewal"
+        },
+<%- end -%>
         {
             # Allow the CA CLI to access the certificate_status endpoint
             match-request: {

templates/server/puppetserver/conf.d/ca.conf.erb

@@ -7,4 +7,11 @@ certificate-authority: {
 
     # enable the separate CRL for Puppet infrastructure nodes
     enable-infra-crl: <%= @ca_enable_infra_crl %>
+
+    # Setup auto renewal of certs
+    allow-auto-renewal: <%= @server_ca_allow_auto_renewal %>
+    # This value determines the lifetime of the cert if auto-renewal is enabled
+    auto-renewal-cert-ttl: <%= @server_ca_allow_auto_renewal_cert_ttl %>
+    # Default cert expiration time. If the value is set here, it will take precedence over ca-ttl setting in puppet.conf
+    #ca-ttl: "60d"
 }