Fixes #29780 - Drop Passenger support

With Foreman 2.5, support to run with Passenger (technically
mod_passenger) is dropped in favor of using Puma with a reverse proxy.

This also moves the request headers part of settings.yaml to a concat
fragment to simplify some code.

It keeps in code to remove tfm-rubygem-passenger-native on EL7 which it
previously didn't do, but is nice to do. It doesn't remove mod_passenger
itself since that's not managed in this module.

manifests/config.pp

@@ -35,11 +35,7 @@
     mode  => '0640',
   }
 
-  if $foreman::use_foreman_service {
-    $db_pool = max($foreman::db_pool, $foreman::foreman_service_puma_threads_max)
-  } else {
-    $db_pool = $foreman::db_pool
-  }
+  $db_pool = max($foreman::db_pool, $foreman::foreman_service_puma_threads_max)
 
   file { '/etc/foreman/database.yml':
     owner   => 'root',
@@ -48,24 +44,22 @@
     content => template('foreman/database.yml.erb'),
   }
 
-  if $foreman::use_foreman_service {
-    if $foreman::apache {
-      include apache
-    }
+  if $foreman::apache {
+    include apache
+  }
 
-    $listen_stream = regsubst($foreman::foreman_service_bind, 'unix://|tcp://', '')
+  $listen_stream = regsubst($foreman::foreman_service_bind, 'unix://|tcp://', '')
 
-    systemd::dropin_file { 'foreman-socket':
-      filename => 'installer.conf',
-      unit     => "${foreman::foreman_service}.socket",
-      content  => template('foreman/foreman.socket-overrides.erb'),
-    }
+  systemd::dropin_file { 'foreman-socket':
+    filename => 'installer.conf',
+    unit     => "${foreman::foreman_service}.socket",
+    content  => template('foreman/foreman.socket-overrides.erb'),
+  }
 
-    systemd::dropin_file { 'foreman-service':
-      filename => 'installer.conf',
-      unit     => "${foreman::foreman_service}.service",
-      content  => template('foreman/foreman.service-overrides.erb'),
-    }
+  systemd::dropin_file { 'foreman-service':
+    filename => 'installer.conf',
+    unit     => "${foreman::foreman_service}.service",
+    content  => template('foreman/foreman.service-overrides.erb'),
   }
 
   file { $foreman::app_root:
@@ -107,33 +101,28 @@
 
   if $foreman::apache  {
     class { 'foreman::config::apache':
-      passenger               => $foreman::passenger,
-      app_root                => $foreman::app_root,
-      passenger_ruby          => $foreman::passenger_ruby,
-      priority                => $foreman::vhost_priority,
-      servername              => $foreman::servername,
-      serveraliases           => $foreman::serveraliases,
-      server_port             => $foreman::server_port,
-      server_ssl_port         => $foreman::server_ssl_port,
-      proxy_backend           => $foreman::foreman_service_bind,
-      ssl                     => $foreman::ssl,
-      ssl_ca                  => $foreman::server_ssl_ca,
-      ssl_chain               => $foreman::server_ssl_chain,
-      ssl_cert                => $foreman::server_ssl_cert,
-      ssl_certs_dir           => $foreman::server_ssl_certs_dir,
-      ssl_key                 => $foreman::server_ssl_key,
-      ssl_crl                 => $foreman::server_ssl_crl,
-      ssl_protocol            => $foreman::server_ssl_protocol,
-      ssl_verify_client       => $foreman::server_ssl_verify_client,
-      user                    => $foreman::user,
-      passenger_prestart      => $foreman::passenger_prestart,
-      passenger_min_instances => $foreman::passenger_min_instances,
-      passenger_start_timeout => $foreman::passenger_start_timeout,
-      foreman_url             => $foreman::foreman_url,
-      ipa_authentication      => $foreman::ipa_authentication,
-      keycloak                => $foreman::keycloak,
-      keycloak_app_name       => $foreman::keycloak_app_name,
-      keycloak_realm          => $foreman::keycloak_realm,
+      app_root           => $foreman::app_root,
+      priority           => $foreman::vhost_priority,
+      servername         => $foreman::servername,
+      serveraliases      => $foreman::serveraliases,
+      server_port        => $foreman::server_port,
+      server_ssl_port    => $foreman::server_ssl_port,
+      proxy_backend      => $foreman::foreman_service_bind,
+      ssl                => $foreman::ssl,
+      ssl_ca             => $foreman::server_ssl_ca,
+      ssl_chain          => $foreman::server_ssl_chain,
+      ssl_cert           => $foreman::server_ssl_cert,
+      ssl_certs_dir      => $foreman::server_ssl_certs_dir,
+      ssl_key            => $foreman::server_ssl_key,
+      ssl_crl            => $foreman::server_ssl_crl,
+      ssl_protocol       => $foreman::server_ssl_protocol,
+      ssl_verify_client  => $foreman::server_ssl_verify_client,
+      user               => $foreman::user,
+      foreman_url        => $foreman::foreman_url,
+      ipa_authentication => $foreman::ipa_authentication,
+      keycloak           => $foreman::keycloak,
+      keycloak_app_name  => $foreman::keycloak_app_name,
+      keycloak_realm     => $foreman::keycloak_realm,
     }
 
     contain foreman::config::apache

manifests/config/apache.pp

@@ -3,9 +3,6 @@
 # @param app_root
 #   Root of the application.
 #
-# @param passenger_ruby
-#   Path to Ruby interpreter
-#
 # @param priority
 #   Apache vhost priority
 #
@@ -51,27 +48,14 @@
 # @param user
 #   The user under which the application runs.
 #
-# @param passenger
-#   Whether to use passenger as an application server. If false, the reverse
-#   proxy setup is used.
-#
-# @param passenger_prestart
-#   Pre-start the first passenger worker instance process during httpd start.
-#
-# @param passenger_min_instances
-#   Minimum passenger worker instances to keep when application is idle.
-#
-# @param passenger_start_timeout
-#   Amount of seconds to wait for Ruby application boot.
-#
 # @param proxy_backend
-#   The backend service to proxy to. Only used when passenger is false
+#   The backend service to proxy to
 #
 # @param proxy_params
-#   The proxy parameters to use when proxying. Only used when passenger is false
+#   The proxy parameters to use when proxying
 #
 # @param proxy_no_proxy_uris
-#   URIs not to proxy. Only used when passenger is false
+#   URIs not to proxy
 #
 # @param foreman_url
 #   The URL Foreman should be reachable under. Used for loading the application
@@ -118,11 +102,6 @@
   Optional[String] $ssl_protocol = undef,
   Enum['none','optional','require','optional_no_ca'] $ssl_verify_client = 'optional',
   Optional[String] $user = undef,
-  Boolean $passenger = false,
-  Optional[String] $passenger_ruby = undef,
-  Boolean $passenger_prestart = false,
-  Integer[0] $passenger_min_instances = 1,
-  Integer[0] $passenger_start_timeout = 90,
   Optional[Stdlib::HTTPUrl] $foreman_url = undef,
   Optional[String] $access_log_format = undef,
   Boolean $ipa_authentication = false,
@@ -157,92 +136,70 @@
     $suburi = undef
   }
 
-  if $passenger {
-    if $suburi {
-      $custom_fragment = template('foreman/_suburi.conf.erb')
-    } else {
-      $custom_fragment = file('foreman/_assets.conf.erb')
-    }
-
-    $passenger_options = {
-      'passenger_app_root' => $app_root,
-      'passenger_min_instances' => $passenger_min_instances,
-      'passenger_start_timeout' => $passenger_start_timeout,
-      'passenger_ruby' => $passenger_ruby,
-    }
-
-    if $passenger_prestart {
-      $vhost_http_internal_options = $passenger_options + {'passenger_pre_start' => "http://${servername}:${server_port}"}
-      $vhost_https_internal_options = $passenger_options + {'passenger_pre_start' => "https://${servername}:${server_ssl_port}"}
-    } else {
-      $vhost_http_internal_options = $passenger_options
-      $vhost_https_internal_options = $passenger_options
-    }
-
-    if $app_root and $user {
-      file { ["${app_root}/config.ru", "${app_root}/config/environment.rb"]:
-        owner => $user,
-      }
-    }
+  if $suburi {
+    $custom_fragment = undef
   } else {
-    if $suburi {
-      $custom_fragment = undef
-    } else {
-      $custom_fragment = file('foreman/_assets.conf.erb')
-    }
+    $custom_fragment = file('foreman/_assets.conf.erb')
+  }
+
+  # This sets the headers matching what $vhost_https_internal_options sets
+  concat::fragment { 'foreman_settings+03-reverse-proxy-headers.yaml':
+    target  => '/etc/foreman/settings.yaml',
+    content => file('foreman/settings-reverse-proxy-headers.yaml'),
+    order   => '03',
+  }
 
-    include apache::mod::proxy_wstunnel
-    $websockets_backend = regsubst($_proxy_backend, 'http://', 'ws://')
+  include apache::mod::proxy_wstunnel
+  $websockets_backend = regsubst($_proxy_backend, 'http://', 'ws://')
 
-    $vhost_http_internal_options = {
-      'proxy_preserve_host' => true,
-      'proxy_add_headers'   => true,
-      'request_headers'     => [
-        'set X_FORWARDED_PROTO "http"',
-        'set SSL_CLIENT_S_DN ""',
-        'set SSL_CLIENT_CERT ""',
-        'set SSL_CLIENT_VERIFY ""',
-        'unset REMOTE_USER',
-        'unset REMOTE_USER_EMAIL',
-        'unset REMOTE_USER_FIRSTNAME',
-        'unset REMOTE_USER_LASTNAME',
-        'unset REMOTE_USER_GROUPS',
-      ],
-      'proxy_pass'          => {
-        'no_proxy_uris' => $proxy_no_proxy_uris,
-        'path'          => pick($suburi, '/'),
-        'url'           => $_proxy_backend,
-        'params'        => $proxy_params,
+  $vhost_http_internal_options = {
+    'proxy_preserve_host' => true,
+    'proxy_add_headers'   => true,
+    'request_headers'     => [
+      'set X_FORWARDED_PROTO "http"',
+      'set SSL_CLIENT_S_DN ""',
+      'set SSL_CLIENT_CERT ""',
+      'set SSL_CLIENT_VERIFY ""',
+      'unset REMOTE_USER',
+      'unset REMOTE_USER_EMAIL',
+      'unset REMOTE_USER_FIRSTNAME',
+      'unset REMOTE_USER_LASTNAME',
+      'unset REMOTE_USER_GROUPS',
+    ],
+    'proxy_pass'          => {
+      'no_proxy_uris' => $proxy_no_proxy_uris,
+      'path'          => pick($suburi, '/'),
+      'url'           => $_proxy_backend,
+      'params'        => $proxy_params,
+    },
+    'rewrites'            => [
+      {
+        'comment'      => 'Upgrade Websocket connections',
+        'rewrite_cond' => '%{HTTP:Upgrade} =websocket [NC]',
+        'rewrite_rule' => "/(.*) ${websockets_backend}\$1 [P,L]",
       },
-      'rewrites'            => [
-        {
-          'comment'      => 'Upgrade Websocket connections',
-          'rewrite_cond' => '%{HTTP:Upgrade} =websocket [NC]',
-          'rewrite_rule' => "/(.*) ${websockets_backend}\$1 [P,L]",
-        },
-      ],
-    }
+    ],
+  }
 
-    $vhost_https_internal_options = $vhost_http_internal_options + {
-      'ssl_proxyengine' => true,
-      'request_headers' => [
-        'set X_FORWARDED_PROTO "https"',
-        'set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"',
-        'set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"',
-        'set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"',
-        'unset REMOTE_USER',
-        'unset REMOTE_USER_EMAIL',
-        'unset REMOTE_USER_FIRSTNAME',
-        'unset REMOTE_USER_LASTNAME',
-        'unset REMOTE_USER_GROUPS',
-      ],
-    }
+  $vhost_https_internal_options = $vhost_http_internal_options + {
+    'ssl_proxyengine' => true,
+    'request_headers' => [
+      'set X_FORWARDED_PROTO "https"',
+      'set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"',
+      'set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"',
+      'set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"',
+      'unset REMOTE_USER',
+      'unset REMOTE_USER_EMAIL',
+      'unset REMOTE_USER_FIRSTNAME',
+      'unset REMOTE_USER_LASTNAME',
+      'unset REMOTE_USER_GROUPS',
+    ],
+  }
 
-    if $facts['os']['selinux']['enabled'] {
-      selboolean { 'httpd_can_network_connect':
-        persistent => true,
-        value      => 'on',
-      }
+  if $facts['os']['selinux']['enabled'] {
+    selboolean { 'httpd_can_network_connect':
+      persistent => true,
+      value      => 'on',
     }
   }
 

manifests/init.pp

@@ -46,22 +46,15 @@
 #
 # $unattended_url::               URL hosts will retrieve templates from during build (normally http as many installers don't support https)
 #
-# $apache::                       Configure Foreman via Apache. By default via passenger but otherwise as a reverse proxy.
-#
-# $passenger::                    Whether to configure Apache with passenger or as a reverse proxy.
-#
-# $passenger_ruby::               Ruby interpreter used to run Foreman under Passenger
-#
-# $passenger_ruby_package::       Package to install to provide Passenger libraries for the active Ruby
-#                                 interpreter
+# $apache::                       Configure Apache as a reverse proxy for the Foreman server
 #
 # $plugin_prefix::                String which is prepended to the plugin package names
 #
 # $servername::                   Server name of the VirtualHost in the webserver
 #
 # $serveraliases::                Server aliases of the VirtualHost in the webserver
 #
-# $ssl::                          Enable and set require_ssl in Foreman settings (note: requires passenger, SSL does not apply to kickstarts)
+# $ssl::                          Enable and set require_ssl in Foreman settings (note: requires Apache, SSL does not apply to kickstarts)
 #
 # $version::                      Foreman package version, it's passed to ensure parameter of package resource
 #                                 can be set to specific version number, 'latest', 'present' etc.
@@ -100,12 +93,6 @@
 #
 # $user_groups::                  Additional groups for the Foreman user
 #
-# $passenger_prestart::           Pre-start the first passenger worker instance process during httpd start.
-#
-# $passenger_min_instances::      Minimum passenger worker instances to keep when application is idle.
-#
-# $passenger_start_timeout::      Number of seconds to wait for Ruby application boot.
-#
 # $vhost_priority::               Defines Apache vhost priority for the Foreman vhost conf file.
 #
 # $server_port::                  Defines Apache port for HTTP requests
@@ -181,11 +168,11 @@
 #
 # $cors_domains::                 List of domains that show be allowed for Cross-Origin Resource Sharing
 #
-# $foreman_service_puma_threads_min::     Minimum number of threads for Puma. Relevant only when Puma service is used and ignored when Passenger is used.
+# $foreman_service_puma_threads_min::     Minimum number of threads for every Puma worker
 #
-# $foreman_service_puma_threads_max::     Maximum number of threads for Puma. Relevant only when Puma service is used and ignored when Passenger is used.
+# $foreman_service_puma_threads_max::     Maximum number of threads for every Puma worker
 #
-# $foreman_service_puma_workers::         Number of workers for Puma. Relevant only when Puma service is used and ignored when Passenger is used.
+# $foreman_service_puma_workers::         Number of workers for Puma
 #
 # $rails_cache_store::            Set rails cache store
 #
@@ -216,9 +203,6 @@
   Boolean $unattended = $foreman::params::unattended,
   Optional[Stdlib::HTTPUrl] $unattended_url = $foreman::params::unattended_url,
   Boolean $apache = $foreman::params::apache,
-  Boolean $passenger = $foreman::params::passenger,
-  Optional[String] $passenger_ruby = $foreman::params::passenger_ruby,
-  Optional[String] $passenger_ruby_package = $foreman::params::passenger_ruby_package,
   String $plugin_prefix = $foreman::params::plugin_prefix,
   Stdlib::Fqdn $servername = $foreman::params::servername,
   Array[Stdlib::Fqdn] $serveraliases = $foreman::params::serveraliases,
@@ -259,9 +243,6 @@
   Boolean $oauth_map_users = $foreman::params::oauth_map_users,
   String $oauth_consumer_key = $foreman::params::oauth_consumer_key,
   String $oauth_consumer_secret = $foreman::params::oauth_consumer_secret,
-  Boolean $passenger_prestart = $foreman::params::passenger_prestart,
-  Integer[0] $passenger_min_instances = $foreman::params::passenger_min_instances,
-  Integer[0] $passenger_start_timeout = $foreman::params::passenger_start_timeout,
   String $initial_admin_username = $foreman::params::initial_admin_username,
   String $initial_admin_password = $foreman::params::initial_admin_password,
   Optional[String] $initial_admin_first_name = $foreman::params::initial_admin_first_name,
@@ -326,10 +307,8 @@
   }
 
   if $apache {
-    $use_foreman_service = ! $passenger
     $foreman_service_bind = 'unix:///run/foreman.sock'
   } else {
-    $use_foreman_service = true
     $foreman_service_bind = 'tcp://0.0.0.0:3000'
   }