Drop Puppet 6 support

theforeman · May 15, 2023 · 23dc63a · 23dc63a
1 parent 5050652
commit 23dc63a
Show file tree

Hide file tree

Showing 11 changed files with 6 additions and 143 deletions.
diff --git a/manifests/config.pp b/manifests/config.pp
@@ -101,15 +101,4 @@
       }
     }
   }
-
-  if versioncmp($facts['puppetversion'], '7.0.0') >= 0 {
-    file { "${puppet_dir}/auth.conf":
-      ensure => absent,
-    }
-  } else {
-    file { "${puppet_dir}/auth.conf":
-      ensure  => file,
-      content => template($auth_template),
-    }
-  }
 }
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -406,7 +406,6 @@
 #                                           'TLS_RSA_WITH_AES_128_CBC_SHA256', 'TLS_RSA_WITH_AES_128_CBC_SHA', ]
 #
 # $server_ruby_load_paths::                 List of ruby paths
-#                                           Defaults based on $::puppetversion
 #
 # $server_ca_client_whitelist::             The whitelist of client certificates that
 #                                           can query the certificate-status endpoint
@@ -425,10 +424,6 @@
 # $server_ca_client_self_delete::           Adds a rule to auth.conf, that allows a client to delete its own certificate
 #                                           Defaults to false
 #
-# $server_use_legacy_auth_conf::            Should the puppetserver use the legacy puppet auth.conf?
-#                                           Defaults to false (the puppetserver will use its own conf.d/auth.conf)
-#                                           Note that Puppetserver 7 has dropped this option.
-#
 # $server_check_for_updates::               Should the puppetserver phone home to check for available updates?
 #                                           Defaults to true
 #
@@ -723,7 +718,6 @@
   Integer[0] $server_max_queued_requests = $puppet::params::server_max_queued_requests,
   Integer[0] $server_max_retry_delay = $puppet::params::server_max_retry_delay,
   Boolean $server_multithreaded = $puppet::params::server_multithreaded,
-  Boolean $server_use_legacy_auth_conf = $puppet::params::server_use_legacy_auth_conf,
   Boolean $server_check_for_updates = $puppet::params::server_check_for_updates,
   Boolean $server_environment_class_cache_enabled = $puppet::params::server_environment_class_cache_enabled,
   Boolean $server_allow_header_cert_info = $puppet::params::server_allow_header_cert_info,

diff --git a/manifests/params.pp b/manifests/params.pp
@@ -399,9 +399,6 @@
 
   $server_puppetserver_version      = undef
 
-  # Which auth.conf shall we use?
-  $server_use_legacy_auth_conf      = false
-
   # Puppetserver metrics shipping
   $server_metrics_jmx_enable        = true
   $server_metrics_graphite_enable   = false

diff --git a/manifests/server.pp b/manifests/server.pp
@@ -229,7 +229,6 @@
 #                                      'TLS_RSA_WITH_AES_128_CBC_SHA256', 'TLS_RSA_WITH_AES_128_CBC_SHA', ]
 #
 # $ruby_load_paths::                   List of ruby paths
-#                                      Defaults based on $::puppetversion
 #
 # $ca_client_whitelist::               The whitelist of client certificates that
 #                                      can query the certificate-status endpoint
@@ -248,10 +247,6 @@
 # $ca_client_self_delete::             Adds a rule to auth.conf, that allows a client to self delete its own certificate
 #                                      Defaults to false
 #
-# $use_legacy_auth_conf::              Should the puppetserver use the legacy puppet auth.conf?
-#                                      Defaults to false (the puppetserver will use its own conf.d/auth.conf)
-#                                      Note that Puppetserver 7 has dropped support for this.
-#
 # $check_for_updates::                 Should the puppetserver phone home to check for available updates?
 #
 # $environment_class_cache_enabled::   Enable environment class cache in conjunction with the use of the
@@ -430,7 +425,6 @@
   Integer[0] $max_queued_requests = $puppet::server_max_queued_requests,
   Integer[0] $max_retry_delay = $puppet::server_max_retry_delay,
   Boolean $multithreaded = $puppet::server_multithreaded,
-  Boolean $use_legacy_auth_conf = $puppet::server_use_legacy_auth_conf,
   Boolean $check_for_updates = $puppet::server_check_for_updates,
   Boolean $environment_class_cache_enabled = $puppet::server_environment_class_cache_enabled,
   Boolean $allow_header_cert_info = $puppet::server_allow_header_cert_info,
@@ -462,21 +456,7 @@
   Optional[Stdlib::Absolutepath] $versioned_code_content = $puppet::server_versioned_code_content,
   Array[String[1]] $jolokia_metrics_whitelist = $puppet::server_jolokia_metrics_whitelist,
 ) {
-  # For Puppetserver, certain configuration parameters are version specific. We
-  # assume a particular version here.
-  if $puppetserver_version {
-    $real_puppetserver_version = $puppetserver_version
-  } elsif versioncmp($facts['puppetversion'], '7.0.0') >= 0 {
-    $real_puppetserver_version = '7.0.0'
-  } else {
-    $real_puppetserver_version = '6.15.0'
-  }
-
-  if versioncmp($real_puppetserver_version, '7.0.0') >= 0 {
-    $cadir = "${puppetserver_dir}/ca"
-  } else {
-    $cadir = "${ssl_dir}/ca"
-  }
+  $cadir = "${puppetserver_dir}/ca"
 
   if $ca {
     $ssl_ca_cert     = "${cadir}/ca_crt.pem"
@@ -493,12 +473,6 @@
   $ssl_cert      = "${ssl_dir}/certs/${certname}.pem"
   $ssl_cert_key  = "${ssl_dir}/private_keys/${certname}.pem"
 
-  if versioncmp($real_puppetserver_version, '7.0.0') >= 0 {
-    if $use_legacy_auth_conf {
-      fail('The jruby-puppet.use-legacy-auth-conf setting is removed in Puppetserver 7')
-    }
-  }
-
   if $jvm_extra_args {
     $real_jvm_extra_args = $jvm_extra_args
   } else {

diff --git a/manifests/server/config.pp b/manifests/server/config.pp
@@ -164,19 +164,6 @@
         Exec['puppet_server_config-create_ssl_dir'],
       ],
     }
-
-    # In Puppet 7 the cadir was changed from $ssldir/ca to $puppetserver_dir/ca
-    # This migrates the directory if it was in the old location
-    # The migration command leaves a symlink in place
-    if versioncmp($puppet::server::real_puppetserver_version, '7.0') > 0 {
-      exec { 'migrate Puppetserver cadir':
-        command => "${puppet::puppetserver_cmd} ca migrate",
-        creates => $puppet::server::cadir,
-        onlyif  => "test -d '${puppet::server::ssl_dir}/ca' && ! test -L '${puppet::server::ssl_dir}'",
-        path    => $facts['path'],
-        before  => Exec['puppet_server_config-generate_ca_cert'],
-      }
-    }
   } elsif $puppet::server::ca_crl_sync {
     # If not a ca AND sync the crl from the ca server
     if $server_facts['servername'] {

diff --git a/manifests/server/puppetserver.pp b/manifests/server/puppetserver.pp
@@ -113,8 +113,6 @@
   Boolean $server_ca_client_self_delete = $puppet::server::ca_client_self_delete,
   Array[String] $server_ca_client_whitelist = $puppet::server::ca_client_whitelist,
   Array[String] $server_admin_api_whitelist = $puppet::server::admin_api_whitelist,
-  String[1] $server_puppetserver_version = $puppet::server::real_puppetserver_version,
-  Boolean $server_use_legacy_auth_conf = $puppet::server::use_legacy_auth_conf,
   Boolean $server_check_for_updates = $puppet::server::check_for_updates,
   Boolean $server_environment_class_cache_enabled = $puppet::server::environment_class_cache_enabled,
   Optional[Boolean] $server_metrics = $puppet::server::puppetserver_metrics,

diff --git a/metadata.json b/metadata.json
@@ -35,7 +35,7 @@
   "requirements": [
     {
       "name": "puppet",
-      "version_requirement": ">= 6.15.0 < 8.0.0"
+      "version_requirement": ">= 7.0.0 < 8.0.0"
     }
   ],
   "operatingsystem_support": [

diff --git a/spec/classes/puppet_config_spec.rb b/spec/classes/puppet_config_spec.rb
@@ -59,33 +59,6 @@
         it { is_expected.to contain_puppet__config__main('hostprivkey').with_value('$privatekeydir/$certname.pem { mode = 640 }') }
         it { is_expected.to contain_puppet__config__main('show_diff').with_value('false') }
         it { is_expected.to contain_puppet__config__main('server').with_value(facts[:networking]['fqdn']) }
-
-        context 'puppet < 7', if: os_facts[:puppetversion].to_i < 7 do
-          it { is_expected.to contain_file("#{confdir}/auth.conf").with_ensure('file').with_content(%r{/puppet/v3/}) }
-          it { is_expected.not_to contain_file("#{confdir}/auth.conf").with_content(%r{^path /certificate_revocation_list/ca\nmethod find$}) }
-        end
-
-        context 'puppet >= 7', if: os_facts[:puppetversion].to_i >= 7 do
-          it { is_expected.to contain_file("#{confdir}/auth.conf").with_ensure('absent') }
-        end
-      end
-
-      context 'auth.conf parameters', if: os_facts[:puppetversion].to_i < 7 do
-        describe 'with allow_any_crl_auth' do
-          let :params do
-            super().merge(allow_any_crl_auth: true)
-          end
-
-          it { is_expected.to contain_file("#{confdir}/auth.conf").with_content(%r{^path /puppet-ca/v1/certificate_revocation_list/ca\nauth any$}) }
-        end
-
-        describe 'with auth_allowed' do
-          let :params do
-            super().merge(auth_allowed: ['$1', 'puppetproxy'])
-          end
-
-          it { is_expected.to contain_file("#{confdir}/auth.conf").with_content(/^allow \$1, puppetproxy$/) }
-        end
       end
 
       describe "when dns_alt_names => ['foo','bar']" do

diff --git a/spec/classes/puppet_server_puppetserver_spec.rb b/spec/classes/puppet_server_puppetserver_spec.rb
@@ -141,34 +141,6 @@
         end
       end
 
-      describe 'use-legacy-auth-conf' do
-        context 'when server_puppetserver_version >= 6.15.0 and < 7.0.0' do
-          context 'with default parameters' do
-            it { should contain_file(puppetserver_conf).with_content(/^    use-legacy-auth-conf: false$/) }
-          end
-
-          context 'when use-legacy-auth-conf = true' do
-            let(:params) { super().merge(server_use_legacy_auth_conf: true) }
-
-            it { should contain_file(puppetserver_conf).with_content(/^    use-legacy-auth-conf: true$/) }
-          end
-        end
-
-        context 'when server_puppetserver_version == 7.0.0' do
-          let(:params) { super().merge(server_puppetserver_version: '7.0.0') }
-
-          context 'with default parameters' do
-            it { should contain_file(puppetserver_conf).without_content(/use-legacy-auth-conf/) }
-          end
-
-          context 'when use-legacy-auth-conf = true' do
-            let(:params) { super().merge(server_use_legacy_auth_conf: true) }
-
-            it { should compile.and_raise_error(/jruby-puppet.use-legacy-auth-conf setting is removed/) }
-          end
-        end
-      end
-
       describe 'environment-class-cache-enabled' do
         context 'with default parameters' do
           it { should contain_file(puppetserver_conf).with_content(/^    environment-class-cache-enabled: false$/) }

diff --git a/spec/classes/puppet_server_spec.rb b/spec/classes/puppet_server_spec.rb
@@ -16,11 +16,7 @@
         vardir              = '/var/puppet'
         rubydir             = %r{^/usr/local/lib/ruby/site_ruby/\d+\.\d+/puppet$}
         puppetserver_pkg    = "puppetserver#{facts[:puppetversion].to_i}"
-        puppetcacmd         = if facts[:puppetversion] >= '6.0'
-                                '/usr/local/bin/puppetserver ca setup'
-                              else
-                                '/usr/local/bin/puppet cert --generate puppetserver.example.com --allow-dns-alt-names'
-                              end
+        puppetcacmd         = '/usr/local/bin/puppetserver ca setup'
       else
         codedir             = '/etc/puppetlabs/code'
         confdir             = '/etc/puppetlabs/puppet'
@@ -34,21 +30,12 @@
         vardir              = '/opt/puppetlabs/puppet/cache'
         rubydir             = '/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet'
         puppetserver_pkg    = 'puppetserver'
-        puppetcacmd         = if facts[:puppetversion] >= '6.0'
-                                '/opt/puppetlabs/bin/puppetserver ca setup'
-                              else
-                                '/opt/puppetlabs/bin/puppet cert --generate puppetserver.example.com --allow-dns-alt-names'
-                              end
+        puppetcacmd         = '/opt/puppetlabs/bin/puppetserver ca setup'
       end
       conf_file           = "#{confdir}/puppet.conf"
       conf_d_dir          = "#{puppetserver_etcdir}/conf.d"
       environments_dir    = "#{codedir}/environments"
-      cadir               = facts[:puppetversion] >= '7.0' ? "#{puppetserver_etcdir}/ca" : "#{ssldir}/ca"
-      if facts[:puppetversion] >= '6.0'
-        cert_to_create      = "#{cadir}/ca_crt.pem"
-      else
-        cert_to_create      = "#{ssldir}/certs/puppetserver.example.com.pem"
-      end
+      cadir               = "#{puppetserver_etcdir}/ca"
 
       let(:facts) { facts }
 
@@ -111,7 +98,7 @@
             .with_umask('0022')
 
           should contain_exec('puppet_server_config-generate_ca_cert') \
-            .with_creates(cert_to_create) \
+            .with_creates("#{cadir}/ca_crt.pem") \
             .with_command(puppetcacmd) \
             .with_umask('0022') \
             .that_requires(["Concat[#{conf_file}]", 'Exec[puppet_server_config-create_ssl_dir]'])

diff --git a/templates/server/puppetserver/conf.d/puppetserver.conf.erb b/templates/server/puppetserver/conf.d/puppetserver.conf.erb
@@ -62,14 +62,6 @@ jruby-puppet: {
 
     # (optional) Sets the upper limit for the random sleep set as a Retry-After header on 503 responses returned when max-queued-requests is enabled.
     max-retry-delay: <%= @server_max_retry_delay %>
-<%- if scope.function_versioncmp([@server_puppetserver_version, '7.0']) < 0 -%>
-
-    # (optional) Authorize access to Puppet server endpoints via rules
-    # specified in the legacy Puppet auth.conf file (if true) or via rules
-    # specified in the Puppet Server HOCON-formatted auth.conf (if false or not
-    # specified).
-    use-legacy-auth-conf: <%= @server_use_legacy_auth_conf %>
-<%- end -%>
 
     # (optional) enable or disable environment class cache
     environment-class-cache-enabled: <%= @server_environment_class_cache_enabled %>