Drop Puppet 6 support

.fixtures.yml

@@ -1,12 +1,8 @@
 fixtures:
   repositories:
-    augeas_core:
-      repo: 'https://github.com/puppetlabs/puppetlabs-augeas_core'
-      puppet_version: '>= 6.0.0'
+    augeas_core: 'https://github.com/puppetlabs/puppetlabs-augeas_core'
     concat:   'https://github.com/puppetlabs/puppetlabs-concat.git'
-    cron_core:
-      repo: 'https://github.com/puppetlabs/puppetlabs-cron_core'
-      puppet_version: '>= 6.0.0'
+    cron_core: 'https://github.com/puppetlabs/puppetlabs-cron_core'
     extlib:               'https://github.com/voxpupuli/puppet-extlib.git'
     git:                  'https://github.com/theforeman/puppet-git.git'
     inifile:              'https://github.com/puppetlabs/puppetlabs-inifile.git'

README.md

@@ -7,26 +7,15 @@ Installs and configures the Puppet agent and optionally a Puppet server (when
 `server` is true).  Part of the [Foreman installer](https://github.com/theforeman/foreman-installer)
 or to be used as a Puppet module.
 
-When using Puppet Server (version 5.3.6 is the lowest version, this module supports),
-the module supports and assumes you will be installing the latest version.
-If you know you'll be installing an earlier or specific version, you will
-need to override `server_puppetserver_version`. More information in the Puppet
-Server section below.
-
 Many puppet.conf options for agents, servers and other are parameterized, with
 class documentation provided at the top of the manifests. In addition, there
 are hash parameters for each configuration section that can be used to supply
 any options that are not explicitly supported.
 
-## Upgrading from Puppetserver 6 to 7
-
-Puppetserver 7 moves the CA files from ssldir to its own. To move the existing
-files, `puppetserver ca migrate` can be used but this requires the puppetserver
-to be stopped. The module does run this command if needed, but doesn't stop the
-service so the application will fail.
+## Compatibility
 
-It is recommended to run this command directly after updating the packages. It
-leaves a symlink so the old config should continue to work.
+See the module metadata for supported operating systems and compatible Puppet
+versions. The Puppetserver version should also match this.
 
 ## Environments support
 
@@ -178,14 +167,6 @@ class { '::puppet':
 }
 ```
 
-## Puppet Server configuration
-
-Puppet Server requires slightly different configuration between different
-versions, which this module supports. It's recommended that you set the
-`server_puppetserver_version` parameter to the MAJOR.MINOR.PATCH version
-you have installed. By default the module will configure for the latest
-version available.
-
 # Contributing
 
 * Fork the project

manifests/config.pp

@@ -4,7 +4,6 @@
   # lint:ignore:parameter_types
   $allow_any_crl_auth    = $puppet::allow_any_crl_auth,
   $auth_allowed          = $puppet::auth_allowed,
-  $auth_template         = $puppet::auth_template,
   $ca_server             = $puppet::ca_server,
   $ca_port               = $puppet::ca_port,
   $dns_alt_names         = $puppet::dns_alt_names,
@@ -101,15 +100,4 @@
       }
     }
   }
-
-  if versioncmp($facts['puppetversion'], '7.0.0') >= 0 {
-    file { "${puppet_dir}/auth.conf":
-      ensure => absent,
-    }
-  } else {
-    file { "${puppet_dir}/auth.conf":
-      ensure  => file,
-      content => template($auth_template),
-    }
-  }
 }

manifests/init.pp

@@ -152,8 +152,6 @@
 #                                           Windows and ['systemd.timer'] on other
 #                                           systems.
 #
-# $auth_template::                          Use a custom template for /etc/puppetlabs/puppet/auth.conf
-#
 # $pluginsource::                           URL to retrieve Puppet plugins from during pluginsync
 #
 # $pluginfactsource::                       URL to retrieve Puppet facts from during pluginsync
@@ -406,7 +404,6 @@
 #                                           'TLS_RSA_WITH_AES_128_CBC_SHA256', 'TLS_RSA_WITH_AES_128_CBC_SHA', ]
 #
 # $server_ruby_load_paths::                 List of ruby paths
-#                                           Defaults based on $::puppetversion
 #
 # $server_ca_client_whitelist::             The whitelist of client certificates that
 #                                           can query the certificate-status endpoint
@@ -425,10 +422,6 @@
 # $server_ca_client_self_delete::           Adds a rule to auth.conf, that allows a client to delete its own certificate
 #                                           Defaults to false
 #
-# $server_use_legacy_auth_conf::            Should the puppetserver use the legacy puppet auth.conf?
-#                                           Defaults to false (the puppetserver will use its own conf.d/auth.conf)
-#                                           Note that Puppetserver 7 has dropped this option.
-#
 # $server_check_for_updates::               Should the puppetserver phone home to check for available updates?
 #                                           Defaults to true
 #
@@ -448,16 +441,13 @@
 #                                           Defaults to 30000, using the Jetty default of 30s
 #
 # $server_puppetserver_metrics::            Enable puppetserver http-client metrics
-#                                           Defaults to true, matching defaults in Puppetserver 5+.
 #
 # $server_puppetserver_profiler::           Enable JRuby profiling.
-#                                           Defaults to true, matching defaults in Puppetserver 5+.
 #                                           If set to false, compiler and function metrics will not be available, (eg. when enabling graphite metrics)
 #
 # $server_puppetserver_telemetry::          Enable Dropsonde telemetry.
 #                                           Undef means disabled while booleans are explicit opt-in or opt-out.
 #                                           This is different from Puppetserver's default values.
-#                                           Only valid since Puppetserver 7.
 #
 # $server_metrics_jmx_enable::              Enable or disable JMX metrics reporter. Defaults to true
 #
@@ -571,7 +561,7 @@
 #
 #   class {'puppet':
 #     agent_noop => true,
-#     version    => '6.15.0-1',
+#     version    => '7.24.0-1',
 #   }
 #
 class puppet (
@@ -630,7 +620,6 @@
   String $classfile = $puppet::params::classfile,
   String $hiera_config = $puppet::params::hiera_config,
   String $localconfig = $puppet::params::localconfig,
-  String $auth_template = $puppet::params::auth_template,
   Boolean $allow_any_crl_auth = $puppet::params::allow_any_crl_auth,
   Array[String] $auth_allowed = $puppet::params::auth_allowed,
   Variant[String, Array[String]] $client_package = $puppet::params::client_package,
@@ -723,7 +712,6 @@
   Integer[0] $server_max_queued_requests = $puppet::params::server_max_queued_requests,
   Integer[0] $server_max_retry_delay = $puppet::params::server_max_retry_delay,
   Boolean $server_multithreaded = $puppet::params::server_multithreaded,
-  Boolean $server_use_legacy_auth_conf = $puppet::params::server_use_legacy_auth_conf,
   Boolean $server_check_for_updates = $puppet::params::server_check_for_updates,
   Boolean $server_environment_class_cache_enabled = $puppet::params::server_environment_class_cache_enabled,
   Boolean $server_allow_header_cert_info = $puppet::params::server_allow_header_cert_info,

manifests/params.pp

@@ -189,9 +189,6 @@
   $package_source = undef
   $package_install_options = undef
 
-  # Need your own config templates? Specify here:
-  $auth_template   = 'puppet/auth.conf.erb'
-
   # Allow any to the CRL. Needed in case of puppet CA proxy
   $allow_any_crl_auth = false
 
@@ -399,9 +396,6 @@
 
   $server_puppetserver_version      = undef
 
-  # Which auth.conf shall we use?
-  $server_use_legacy_auth_conf      = false
-
   # Puppetserver metrics shipping
   $server_metrics_jmx_enable        = true
   $server_metrics_graphite_enable   = false

manifests/server.pp

@@ -229,7 +229,6 @@
 #                                      'TLS_RSA_WITH_AES_128_CBC_SHA256', 'TLS_RSA_WITH_AES_128_CBC_SHA', ]
 #
 # $ruby_load_paths::                   List of ruby paths
-#                                      Defaults based on $::puppetversion
 #
 # $ca_client_whitelist::               The whitelist of client certificates that
 #                                      can query the certificate-status endpoint
@@ -248,10 +247,6 @@
 # $ca_client_self_delete::             Adds a rule to auth.conf, that allows a client to self delete its own certificate
 #                                      Defaults to false
 #
-# $use_legacy_auth_conf::              Should the puppetserver use the legacy puppet auth.conf?
-#                                      Defaults to false (the puppetserver will use its own conf.d/auth.conf)
-#                                      Note that Puppetserver 7 has dropped support for this.
-#
 # $check_for_updates::                 Should the puppetserver phone home to check for available updates?
 #
 # $environment_class_cache_enabled::   Enable environment class cache in conjunction with the use of the
@@ -268,8 +263,8 @@
 #                                      Defaults to false because that's the Puppet Inc. default behaviour.
 #
 # $puppetserver_telemetry::            Enable Dropsonde telemetry.
-#                                      Valid on puppetserver >= 7
-#                                      Defaults to true because that's the Puppet Inc. default behaviour since puppet 7
+#                                      Undef means disabled while booleans are explicit opt-in or opt-out.
+#                                      This is different from Puppetserver's default values.
 #
 # $metrics_jmx_enable::                Enable or disable JMX metrics reporter. Defaults to true
 #
@@ -430,7 +425,6 @@
   Integer[0] $max_queued_requests = $puppet::server_max_queued_requests,
   Integer[0] $max_retry_delay = $puppet::server_max_retry_delay,
   Boolean $multithreaded = $puppet::server_multithreaded,
-  Boolean $use_legacy_auth_conf = $puppet::server_use_legacy_auth_conf,
   Boolean $check_for_updates = $puppet::server_check_for_updates,
   Boolean $environment_class_cache_enabled = $puppet::server_environment_class_cache_enabled,
   Boolean $allow_header_cert_info = $puppet::server_allow_header_cert_info,
@@ -462,21 +456,7 @@
   Optional[Stdlib::Absolutepath] $versioned_code_content = $puppet::server_versioned_code_content,
   Array[String[1]] $jolokia_metrics_whitelist = $puppet::server_jolokia_metrics_whitelist,
 ) {
-  # For Puppetserver, certain configuration parameters are version specific. We
-  # assume a particular version here.
-  if $puppetserver_version {
-    $real_puppetserver_version = $puppetserver_version
-  } elsif versioncmp($facts['puppetversion'], '7.0.0') >= 0 {
-    $real_puppetserver_version = '7.0.0'
-  } else {
-    $real_puppetserver_version = '6.15.0'
-  }
-
-  if versioncmp($real_puppetserver_version, '7.0.0') >= 0 {
-    $cadir = "${puppetserver_dir}/ca"
-  } else {
-    $cadir = "${ssl_dir}/ca"
-  }
+  $cadir = "${puppetserver_dir}/ca"
 
   if $ca {
     $ssl_ca_cert     = "${cadir}/ca_crt.pem"
@@ -493,12 +473,6 @@
   $ssl_cert      = "${ssl_dir}/certs/${certname}.pem"
   $ssl_cert_key  = "${ssl_dir}/private_keys/${certname}.pem"
 
-  if versioncmp($real_puppetserver_version, '7.0.0') >= 0 {
-    if $use_legacy_auth_conf {
-      fail('The jruby-puppet.use-legacy-auth-conf setting is removed in Puppetserver 7')
-    }
-  }
-
   if $jvm_extra_args {
     $real_jvm_extra_args = $jvm_extra_args
   } else {

manifests/server/config.pp

@@ -164,19 +164,6 @@
         Exec['puppet_server_config-create_ssl_dir'],
       ],
     }
-
-    # In Puppet 7 the cadir was changed from $ssldir/ca to $puppetserver_dir/ca
-    # This migrates the directory if it was in the old location
-    # The migration command leaves a symlink in place
-    if versioncmp($puppet::server::real_puppetserver_version, '7.0') > 0 {
-      exec { 'migrate Puppetserver cadir':
-        command => "${puppet::puppetserver_cmd} ca migrate",
-        creates => $puppet::server::cadir,
-        onlyif  => "test -d '${puppet::server::ssl_dir}/ca' && ! test -L '${puppet::server::ssl_dir}'",
-        path    => $facts['path'],
-        before  => Exec['puppet_server_config-generate_ca_cert'],
-      }
-    }
   } elsif $puppet::server::ca_crl_sync {
     # If not a ca AND sync the crl from the ca server
     if $server_facts['servername'] {

manifests/server/puppetserver.pp

@@ -113,8 +113,6 @@
   Boolean $server_ca_client_self_delete = $puppet::server::ca_client_self_delete,
   Array[String] $server_ca_client_whitelist = $puppet::server::ca_client_whitelist,
   Array[String] $server_admin_api_whitelist = $puppet::server::admin_api_whitelist,
-  String[1] $server_puppetserver_version = $puppet::server::real_puppetserver_version,
-  Boolean $server_use_legacy_auth_conf = $puppet::server::use_legacy_auth_conf,
   Boolean $server_check_for_updates = $puppet::server::check_for_updates,
   Boolean $server_environment_class_cache_enabled = $puppet::server::environment_class_cache_enabled,
   Optional[Boolean] $server_metrics = $puppet::server::puppetserver_metrics,
@@ -149,10 +147,6 @@
 ) {
   include puppet::server
 
-  if versioncmp($server_puppetserver_version, '6.15.0') < 0 {
-    fail('puppetserver <6.15.0 is not supported by this module version')
-  }
-
   $puppetserver_package = pick($puppet::server::package, 'puppetserver')
 
   $jvm_heap_arr = ["-Xms${jvm_min_heap_size}", "-Xmx${jvm_max_heap_size}"]

metadata.json

@@ -35,7 +35,7 @@
   "requirements": [
     {
       "name": "puppet",
-      "version_requirement": ">= 6.15.0 < 8.0.0"
+      "version_requirement": ">= 7.0.0 < 8.0.0"
     }
   ],
   "operatingsystem_support": [

spec/acceptance/puppetserver_upgrade_spec.rb

@@ -17,19 +17,12 @@
   when 'puppet7'
     from_version = '7.0.0'
     to_version = '7.2.0'
-  when 'puppet6'
-    from_version = '6.7.0'
-    to_version = '6.7.2'
   else
     raise 'Unsupported Puppet collection'
   end
 
   case fact('osfamily')
   when 'Debian'
-    if ENV['BEAKER_PUPPET_COLLECTION'] == 'puppet6'
-      # Facter 3 needs lsb-release for the os.distro.codename fact
-      on default, puppet('resource package lsb-release ensure=installed')
-    end
     from_version_exact = "#{from_version}-1#{fact('os.distro.codename')}"
     to_version_exact = "#{to_version}-1#{fact('os.distro.codename')}"
   else

spec/classes/puppet_config_spec.rb

@@ -59,33 +59,6 @@
         it { is_expected.to contain_puppet__config__main('hostprivkey').with_value('$privatekeydir/$certname.pem { mode = 640 }') }
         it { is_expected.to contain_puppet__config__main('show_diff').with_value('false') }
         it { is_expected.to contain_puppet__config__main('server').with_value(facts[:networking]['fqdn']) }
-
-        context 'puppet < 7', if: os_facts[:puppetversion].to_i < 7 do
-          it { is_expected.to contain_file("#{confdir}/auth.conf").with_ensure('file').with_content(%r{/puppet/v3/}) }
-          it { is_expected.not_to contain_file("#{confdir}/auth.conf").with_content(%r{^path /certificate_revocation_list/ca\nmethod find$}) }
-        end
-
-        context 'puppet >= 7', if: os_facts[:puppetversion].to_i >= 7 do
-          it { is_expected.to contain_file("#{confdir}/auth.conf").with_ensure('absent') }
-        end
-      end
-
-      context 'auth.conf parameters', if: os_facts[:puppetversion].to_i < 7 do
-        describe 'with allow_any_crl_auth' do
-          let :params do
-            super().merge(allow_any_crl_auth: true)
-          end
-
-          it { is_expected.to contain_file("#{confdir}/auth.conf").with_content(%r{^path /puppet-ca/v1/certificate_revocation_list/ca\nauth any$}) }
-        end
-
-        describe 'with auth_allowed' do
-          let :params do
-            super().merge(auth_allowed: ['$1', 'puppetproxy'])
-          end
-
-          it { is_expected.to contain_file("#{confdir}/auth.conf").with_content(/^allow \$1, puppetproxy$/) }
-        end
       end
 
       describe "when dns_alt_names => ['foo','bar']" do