(role/foreman) bump to 3.16 & migrate to el9 & puppetserver8

Puppetfile

@@ -1,5 +1,7 @@
 forge 'https://forgeapi.puppetlabs.com'
 
+exclusion 'choria-mcollective'
+
 mod 'atsonkov/grubby', '0.3.2'
 mod 'blockops/tailscale', git: 'https://github.com/lsst-it/puppet-tailscale', ref: 'bc7e880'  # https://github.com/lsst-it/puppet-tailscale/pull/3 we are using a fork as we wait for the main Forge release to accept apt 10.x
 mod 'bodgit/scl', git: 'https://github.com/lsst-it/puppet-scl', ref: 'c367361'  # https://github.com/bodgit/puppet-scl/pull/2
@@ -34,7 +36,7 @@ mod 'lsst/powertop', '0.1.2'
 mod 'lsst/rke', '2.2.0'
 mod 'lsst/rke2', '2.0.0'
 mod 'lsst/s3nd', '1.2.1'
-mod 'lsst/smee', '2.4.0'
+mod 'lsst/smee', '3.0.0'
 mod 'puppet/alternatives', '6.0.0'
 mod 'puppet/archive', '8.1.0'
 mod 'puppet/augeas', '2.0.0'
@@ -89,7 +91,7 @@ mod 'puppet/postfix',  '6.0.0'
 mod 'puppet/prometheus', '17.0.0'
 mod 'puppet/python', '8.0.0'
 mod 'puppet/quadlets', '2.2.1'
-mod 'puppet/r10k', git: 'https://github.com/lsst-it/puppet-r10k', ref: '78b200b'  # Using branch temporarily while waiting for approval here: https://github.com/voxpupuli/puppet-r10k/pull/679
+mod 'puppet/r10k', '15.0.0'
 mod 'puppet/redis', '11.1.0'
 mod 'puppet/rsyslog', '7.3.0'
 mod 'puppet/selinux', '5.0.0'
@@ -114,10 +116,10 @@ mod 'stm/debconf', '7.0.1'
 mod 'syseleven/restic', '2.8.1'
 mod 'theforeman/dhcp', '9.4.0'
 mod 'theforeman/dns', '11.1.0'
-mod 'theforeman/foreman', git: 'https://github.com/lsst-it/puppet-foreman', ref: '23f86f4'  # 20.2.0 + dep updates
-mod 'theforeman/foreman_proxy', git: 'https://github.com/lsst-it/puppet-foreman_proxy', ref: '90af64a'  # https://github.com/theforeman/puppet-foreman_proxy/pull/772 https://github.com/theforeman/puppet-foreman_proxy/pull/816
+mod 'theforeman/foreman', '27.2.0'
+mod 'theforeman/foreman_proxy', '28.2.0'
 mod 'theforeman/puppet', '21.1.0'
-mod 'theforeman/puppetserver_foreman', '4.2.2'
-mod 'theforeman/tftp', git: 'https://github.com/lsst-it/puppet-tftp', ref: 'a27be8a' # Official module does not support EL8
+mod 'theforeman/puppetserver_foreman', '4.3.0'
+mod 'theforeman/tftp', '10.0.0'
 mod 'treydock/clustershell', '4.0.0'
 mod 'treydock/perfsonar', git: 'https://github.com/lsst-it/puppet-module-perfsonar', ref: '6e9449e'  # 4.1.0 + https://github.com/treydock/puppet-module-perfsonar/pull/26

hieradata/node/foreman.dev.lsst.org.yaml

@@ -1,20 +1,24 @@
 ---
-network::interfaces_hash:
-  ens192:  # fqdn
-    bootproto: "none"
-    defroute: "yes"
-    dns1: "%{lookup('dhcp::nameservers.0')}"
-    dns2: "%{lookup('dhcp::nameservers.1')}"
-    domain: "%{lookup('dhcp::dnsdomain.0')}"
-    ipaddress: "139.229.134.5"
-    gateway: "139.229.134.254"
-    netmask: "255.255.255.0"
-    nozeroconf: "yes"
-    onboot: "yes"
-    type: "Ethernet"
+nm::connections:
+  enp1s0:  # fqdn
+    content:
+      connection:
+        id: "enp1s0"
+        uuid: "b99c7656-4a18-36dd-9aa7-9b2dff15ae7f"
+        type: "ethernet"
+        interface-name: "enp1s0"
+      ethernet: {}
+      ipv4:
+        address1: "139.229.134.5/24,139.229.134.254"
+        dns: "139.229.134.53;139.229.134.54;139.229.134.55;"
+        dns-search: "dev.lsst.org;"
+        method: "manual"
+      ipv6:
+        method: "disabled"
+      proxy: {}
 
 dhcp::interfaces:
-  - "ens192"
+  - "enp1s0"
 
 dhcp::authoritative: true
 dhcp::pxeserver: "139.229.134.5"  # foreman.dev.lsst.org

hieradata/node/foreman.ls.lsst.org.yaml

@@ -1,20 +1,24 @@
 ---
-network::interfaces_hash:
-  eth0:  # fqdn
-    bootproto: "none"
-    defroute: "yes"
-    dns1: "%{lookup('dhcp::nameservers.0')}"
-    dns2: "%{lookup('dhcp::nameservers.1')}"
-    domain: "%{lookup('dhcp::dnsdomain.0')}"
-    ipaddress: "139.229.135.5"
-    gateway: "139.229.135.254"
-    netmask: "255.255.255.0"
-    nozeroconf: "yes"
-    onboot: "yes"
-    type: "Ethernet"
+nm::connections:
+  enp1s0:  # fqdn
+    content:
+      connection:
+        id: "enp1s0"
+        uuid: "b99c7656-4a18-36dd-9aa7-9b2dff15ae7f"
+        type: "ethernet"
+        interface-name: "enp1s0"
+      ethernet: {}
+      ipv4:
+        address1: "139.229.135.5/24,139.229.135.254"
+        dns: "139.229.135.53;139.229.135.54;139.229.135.55;"
+        dns-search: "ls.lsst.org;"
+        method: "manual"
+      ipv6:
+        method: "disabled"
+      proxy: {}
 
 dhcp::interfaces:
-  - "eth0"
+  - "enp1s0"
 
 dhcp::authoritative: true
 dhcp::pxeserver: "139.229.135.5"  # foreman.ls.lsst.org

hieradata/role/foreman.yaml

@@ -3,10 +3,11 @@ classes:
   - "profile::core::common"
   - "profile::core::debugutils"
   - "profile::core::dhcp"
-  - "profile::core::docker"
-  - "profile::core::docker::prune"
   - "profile::core::foreman"
-  - "profile::core::foreman::fog_hack"
+  - "restic"
+
+packages:
+  - "podman-docker"
 
 dhcp::bootp: true
 dhcp::ddns_update_style: "none"
@@ -53,14 +54,23 @@ r10k::sources:
     ignore_branch_prefixes: *ignore_branch
 #r10k::postrun: ['/bin/hammer', 'proxy', 'import-classes', '--id=1']
 r10k::postrun: ['systemd-cat', '-t', 'foreman_envsync', '/bin/foreman_envsync', '--verbose']
-r10k::webhook::config::use_mcollective: false
-r10k::webhook::config::enable_ssl: false
-r10k::webhook::config::protected: false
-r10k::webhook::use_mcollective: false
-r10k::webhook::user: "root"
-r10k::webhook::group: "root"
+r10k::webhook::server:
+  protected: false
+  tls:
+    enabled: false
+  queue:
+    enabled: true
+r10k::webhook::r10k:
+  command_path: "/opt/puppetlabs/puppet/bin/r10k"
+  config_path: "/etc/puppetlabs/r10k/r10k.yaml"
+  default_branch: "production"
+  allow_uppercase: true
+  verbose: true
+  deploy_modules: true
+  generate_types: true
 r10k::deploy_settings:
   generate_types: true
+  exclude_spec: true
 profile::core::common::manage_puppet_agent: false
 apache::mod::proxy::proxy_timeout: 300  # seconds -- allow long operations over rest api
 # copied from /etc/foreman-installer/scenarios.d/foreman-answers.yaml
@@ -92,7 +102,8 @@ foreman::plugin::column_view::columns:
     content: "params['cluster']"
 foreman::plugin::tasks::automatic_cleanup: true
 foreman_proxy::base_url: "https://%{facts.networking.fqdn}"
-foreman_proxy::bind_host: '*'
+foreman_proxy::bind_host:
+  - '*'
 foreman_proxy::bmc_default_provider: "ipmitool"
 foreman_proxy::bmc: true
 foreman_proxy::dhcp_listen_on: "https"
@@ -144,11 +155,11 @@ foreman_proxy::trusted_hosts: ["%{facts.networking.fqdn}"]
 foreman_proxy::version: "%{lookup('foreman::version')}"
 foreman::cli::version: "%{lookup('foreman::version')}"
 foreman::repo::configure_scl_repo: false
-foreman::repo::repo: "3.2"
+foreman::repo::repo: "3.16"
 foreman::unattended: true
 foreman::user: "foreman"
 foreman::user_groups: ["puppet"]
-foreman::version: "3.2.1"
+foreman::version: "3.16.0"
 postgresql::server::config_entries:
   max_connections: 1000
   shared_buffers: "2GB"
@@ -172,15 +183,16 @@ puppet::server_jvm_max_heap_size: &jvm_heap "5G"  # (max-act-inst * 0.5G) + 1G
 puppet::server_jvm_min_heap_size: *jvm_heap
 puppet::server_jvm_extra_args: ["-XX:ReservedCodeCacheSize=1G", "-Djruby.logger.class=com.puppetlabs.jruby_utils.jruby.Slf4jLogger"]
 puppet::server::puppetdb::soft_write_failure: true
-puppet::server_puppetserver_version: &server_version "7.14.0"
+puppet::server_puppetserver_version: &server_version "8.7.0"
 puppet::server_reports: "foreman,puppetdb"
 puppet::server_storeconfigs: true
 puppet::server: true
 puppet::server::puppetserver_metrics: false  # disabled for performance
 puppet::server::puppetserver_profiler: false  # disabled for performance
 puppet::server_version: *server_version  # XXX does this do anything?
+puppet_agent::package_version: "8.10.0"  # needed to update versionlock
 puppet::version: "%{lookup('puppet_agent::package_version')}"  # agent version
-puppetdb::globals::version: "7.14.0"
+puppetdb::globals::version: "8.8.1"
 
 ssh::client_options:
   "ProxyCommand": "--"
@@ -202,8 +214,8 @@ profile::core::foreman::foreman_config:
   bmc_credentials_accessible: {value: false}  # disable bmc pass in enc yaml
   default_pxe_item_global: {value: "discovery"}
   destroy_vm_on_host_delete: {value: true}
-  discovery_fact_column: {value: "ipmi_ipaddress,ipmi_macaddress"}
-  discovery_hostname: {value: "ipmi_macaddress,discovery_bootif"}
+  discovery_fact_column: {value: '["ipmi_ipaddress","ipmi_macaddress"]'}
+  discovery_hostname: {value: '["ipmi_macaddress","discovery_bootif"]'}
   entries_per_page: {value: 100}
   # remove "docker*" from default excluded_facts
   # XXX using block scalar style results in the double quotes being preceeded
@@ -214,7 +226,6 @@ profile::core::foreman::foreman_config:
   #excluded_facts:
   #  value: '["lo", "en*v*", "usb*", "vnet*", "macvtap*", ";vdsmdummy;", "veth*", "tap*", "qbr*", "qvb*", "qvo*", "qr-*", "qg-*", "vlinuxbr*", "vovsbr*", "br-int", "vif*", "load_averages::*", "memory::swap::available*", "memory::swap::capacity", "memory::swap::used*", "memory::system::available*", "memory::system::capacity", "memory::system::used*", "memoryfree", "memoryfree_mb", "swapfree", "swapfree_mb", "uptime_hours", "uptime_days"]'
   host_details_ui: {value: false}  # https://projects.theforeman.org/issues/35115
-  host_power_status: {value: false}
   idle_timeout: {value: 7200}  # session timeout in minutes
   ignore_puppet_facts_for_provisioning: {value: true}
   matchers_inheritance: {value: false}
@@ -281,7 +292,9 @@ profile::core::systemd::dropin_file:
     #notify_service: true  # needs camptocamp/systemd > 3.0.0
     content: |
       [Service]
-      MemoryLimit=17179869184
+      MemoryMax=17179869184
+
+smee::image: "ghcr.io/lsst-it/smee-client:4.3.1"
 
 files:
   /etc/foreman-proxy/settings.d:
@@ -295,3 +308,17 @@ files:
     content: |
       :filters:
         - !ruby/regexp '/^(?!profile::)/'
+  /etc/containers/nodocker:
+    ensure: "file"
+    mode: "0444"
+
+restic::repositories:
+  foreman:
+    backup_path:
+      - "/tmp/foreman-backups"
+    backup_pre_cmd: "/bin/foreman-maintain backup online /tmp/foreman-backups -y"
+    backup_post_cmd: "rm -rf /tmp/foreman-backups"
+    backup_timer: "*-*-* 09:00:00"
+    enable_forget: true
+    forget_timer: "Mon..Sun 23:00:00"
+    forget_flags: "--keep-last 90"

hieradata/role/foreman/osfamily/RedHat/major/8.yaml → hieradata/role/foreman/osfamily/RedHat/major/9.yaml

@@ -3,51 +3,51 @@ profile::core::yum::versionlock:
   puppetserver:
     ensure: "present"
     version: "%{lookup('puppet::server_puppetserver_version')}"
-    release: "1.el8"
+    release: "1.el9"
     before: "Package[puppetserver]"
   puppetdb-termini:
     ensure: "present"
-    version: "7.14.0"
-    release: "1.el8"
+    version: "%{lookup('puppetdb::globals::version')}"
+    release: "1.el9"
     before: "Package[puppetdb-termini]"
   foreman:
     ensure: "present"
     version: "%{lookup('foreman::version')}"
-    release: "1.el8"
+    release: "1.el9"
   foreman-libvirt:
     ensure: "present"
     version: "%{lookup('foreman::version')}"
-    release: "1.el8"
+    release: "1.el9"
   foreman-dynflow-sidekiq:
     ensure: "present"
     version: "%{lookup('foreman::version')}"
-    release: "1.el8"
+    release: "1.el9"
   foreman-service:
     ensure: "present"
     version: "%{lookup('foreman::version')}"
-    release: "1.el8"
+    release: "1.el9"
   foreman-postgresql:
     ensure: "present"
     version: "%{lookup('foreman::version')}"
-    release: "1.el8"
+    release: "1.el9"
   foreman-debug:
     ensure: "present"
     version: "%{lookup('foreman::version')}"
-    release: "1.el8"
+    release: "1.el9"
   foreman-cli:
     ensure: "present"
     version: "%{lookup('foreman::version')}"
-    release: "1.el8"
+    release: "1.el9"
   foreman-installer:
     ensure: "present"
     epoch: 1
     version: "%{lookup('foreman::version')}"
-    release: "2.el8"
+    release: "2.el9"
   foreman-proxy:
     ensure: "present"
     version: "%{lookup('foreman::version')}"
-    release: "1.el8"
+    release: "1.el9"
   foreman-vmware:
     ensure: "present"
     version: "%{lookup('foreman::version')}"
-    release: "1.el8"
+    release: "1.el9"