Upgrade puppetcore* rpm from yum-puppetcore.puppet.com

Add optional username and password parameters to the `puppet_agent` class.

If `manage_repo` is true, then add the credentials to the repo config (for RPM
platforms other than SLES) with secure permissions.

For SLES, add credentials to /etc/zypp/credentials.d/PuppetcoreCreds with secure
permissions. Also include auth=basic and credentials=PuppetcoreCreds to the
baseurl.

Update the Dockerfile to install 7.34.0 from yum.puppet.com and upgrade to
8.11.0 from yum-puppetcore, to verify the module can upgrade agents on amazon
2023, fedora 40, rocky 8 and sles 15.

    export PUPPET_FORGE_TOKEN=...
    docker/bin/upgrade.sh [platform] [from] [to]

where platform is one of amazon, fedora, rocky or sles and from/to are
puppet-agent versions.

The password is passed to the `docker run` command as an environment variable,
so that it's not persisted in the docker image.

Author: joshcooper

REFERENCE.md

@@ -98,6 +98,8 @@ The following parameters are available in the `puppet_agent` class:
 * [`version_file_path`](#-puppet_agent--version_file_path)
 * [`skip_if_unavailable`](#-puppet_agent--skip_if_unavailable)
 * [`disable_proxy`](#-puppet_agent--disable_proxy)
+* [`username`](#-puppet_agent--username)
+* [`password`](#-puppet_agent--password)
 
 ##### <a name="-puppet_agent--arch"></a>`arch`
 
@@ -371,6 +373,22 @@ Data type: `Boolean`
 
 Default value: `false`
 
+##### <a name="-puppet_agent--username"></a>`username`
+
+Data type: `Optional`
+
+The username to use when downloading from a source location requiring authentication.
+
+Default value: `undef`
+
+##### <a name="-puppet_agent--password"></a>`password`
+
+Data type: `Optional[Sensitive]`
+
+The password to use when downloading from a source location requiring authentication.
+
+Default value: `undef`
+
 ### <a name="puppet_agent--configure"></a>`puppet_agent::configure`
 
 It does not require management of the agent package.
@@ -843,7 +861,7 @@ The version of puppet-agent to install (defaults to latest when no agent is inst
 
 ##### `collection`
 
-Data type: `Optional[Enum[puppet7, puppet8, puppet, puppet7-nightly, puppet8-nightly, puppet-nightly]]`
+Data type: `Optional[Enum[puppet7, puppet8, puppet, puppet7-nightly, puppet8-nightly, puppet-nightly, puppetcore7, puppetcore8]]`
 
 The Puppet collection to install from (defaults to puppet, which maps to the latest collection released)
 
@@ -895,6 +913,18 @@ Data type: `Optional[Integer]`
 
 The number of retries in case of network connectivity failures
 
+##### `username`
+
+Data type: `Optional[String]`
+
+The username to use when downloading from a source location requiring authentication
+
+##### `password`
+
+Data type: `Optional[String]`
+
+The password to use when downloading from a source location requiring authentication
+
 ### <a name="install_powershell"></a>`install_powershell`
 
 Install the Puppet agent package
@@ -979,7 +1009,7 @@ The version of puppet-agent to install
 
 ##### `collection`
 
-Data type: `Optional[Enum[puppet7, puppet8, puppet, puppet7-nightly, puppet8-nightly, puppet-nightly]]`
+Data type: `Optional[Enum[puppet7, puppet8, puppet, puppet7-nightly, puppet8-nightly, puppet-nightly, puppetcore7, puppetcore8]]`
 
 The Puppet collection to install from (defaults to puppet, which maps to the latest collection released)
 
@@ -1031,6 +1061,18 @@ Data type: `Optional[Integer]`
 
 The number of retries in case of network connectivity failures
 
+##### `username`
+
+Data type: `Optional[String]`
+
+The username to use when downloading from a source location requiring authentication
+
+##### `password`
+
+Data type: `Optional[String]`
+
+The password to use when downloading from a source location requiring authentication
+
 ### <a name="run"></a>`run`
 
 Run the Puppet agent. This task may cause problems if run in Puppet Enterprise.

docker/bin/helpers/run-upgrade.sh

@@ -1,10 +1,10 @@
 #!/usr/bin/env bash
 
-# Run upgrades on a container. The default upgrade TO argument will be 8.10.0 if
+# Run upgrades on a container. The default upgrade TO argument will be 8.11.0 if
 # no arguments are passed to this script.
 set -e
 
-to_version=${1:-8.10.0}
+to_version=${1:-8.11.0}
 # Calculate which collection should be used. This is derived from the puppet
 # version.
 puppet_version=( ${to_version//./ } )
@@ -20,7 +20,12 @@ case $puppet_major in
     echo "Invalid version supplied" 1>&2
     exit 1
 esac
-FACTER_to_version=${1:-8.10.0} FACTER_to_collection=${to_collection} /opt/puppetlabs/puppet/bin/puppet apply --debug --trace --modulepath /tmp/modules /tmp/upgrade.pp
+FACTER_to_version=${to_version} \
+                 FACTER_to_collection=${to_collection} \
+                 FACTER_forge_username=forge-key \
+                 FACTER_forge_password="${PUPPET_FORGE_TOKEN}" \
+                 /opt/puppetlabs/puppet/bin/puppet apply --debug --trace --modulepath /tmp/modules /tmp/upgrade.pp
+
 # Make e.g. `puppet --version` work out of the box.
 PATH=/opt/puppetlabs/bin:$PATH \
     read -p "Explore the upgraded container? [y/N]: " choice && \

docker/bin/upgrade.sh

@@ -8,23 +8,65 @@
 # - PLATFORM: The platform on which the upgrade should occur. This also
 #             supports comma-separated lists. Available:
 #             - `ubuntu`
-#             - `centos`
+#             - `amazon`
+#             - `fedora`
 #             - `rocky`
+#             - `sles`
 #             Default: `ubuntu`
 # - BEFORE: The puppet-agent package version that is installed prior to upgrade.
-#           Default: 1.10.14
+#           Default: 7.34.0
 # - AFTER: The puppet-agent package version that should exist after upgrade.
-#          Default: 6.2.0
+#          Default: 8.1.0
 set -e
 
+if [ -z "${PUPPET_FORGE_TOKEN}" ]; then
+    echo "Environment variable PUPPET_FORGE_TOKEN must be set"
+    exit 1
+fi
+
 cd "$(dirname "$0")/../.."
-platforms=${1:-ubuntu}
+platforms=${1:-rocky}
 before=${2:-7.34.0}
-after=${3:-8.10.0}
+after=${3:-8.11.0}
 for platform in ${platforms//,/ }
 do
-    docker build --rm -f docker/$platform/Dockerfile . -t pa-dev:$platform \
-        --build-arg before=${before}
-    docker run --rm -ti pa-dev:$platform ${after}
+    dockerfile='docker/upgrade/dnf/Dockerfile'
+
+    # REMIND: if (7.35 <= before && before < 8.0) OR (8.11.0 <= before), then install release
+    # package from yum-puppetcore.
+    case $platform in
+        amazon)
+            base_image='amazonlinux:2023'
+            release_package='http://yum.puppet.com/puppet7-release-amazon-2023.noarch.rpm'
+            ;;
+
+        fedora)
+            base_image='fedora:40'
+            release_package='http://yum.puppet.com/puppet7-release-fedora-40.noarch.rpm'
+            ;;
+
+        rocky)
+            base_image='rockylinux/rockylinux:8'
+            release_package='http://yum.puppet.com/puppet7-release-el-8.noarch.rpm'
+            ;;
+
+        sles)
+            base_image='registry.suse.com/suse/sle15:15.6'
+            release_package='http://yum.puppet.com/puppet7-release-sles-15.noarch.rpm'
+            dockerfile='docker/upgrade/sles/Dockerfile'
+            ;;
+
+        *)
+            echo "$0: Usage upgrade.sh [amazon|fedora|rocky|sles] [before] [after]"
+            exit 1
+            ;;
+    esac
+
+    docker build --rm -f ${dockerfile} . -t pa-dev:$platform \
+           --build-arg before=${before} \
+           --build-arg BASE_IMAGE=${base_image} \
+           --build-arg RELEASE_PACKAGE=${release_package}
+
+    docker run -e PUPPET_FORGE_TOKEN --rm -ti pa-dev:$platform ${after}
 done
-echo Complete
+echo Complete

docker/upgrade.pp

@@ -8,5 +8,7 @@
     # process.
     service_names   => [],
     collection      => $facts['to_collection'],
+    username        => $facts['forge_username'],
+    password        => Sensitive($facts['forge_password']),
   }
 }

docker/rocky/Dockerfile renamed to docker/upgrade/dnf/Dockerfile

@@ -24,24 +24,26 @@
 # Arguments:
 # - before: The version to do upgrade FROM. Default: "7.34.0"
 
-FROM rockylinux/rockylinux:8
+ARG BASE_IMAGE=rocky:8
+FROM ${BASE_IMAGE}
 
 # Use this to force a cache reset (e.g. for output purposes)
 #COPY $0 /tmp/Dockerfile
 
 # Install some other dependencies for ease of life.
 RUN  dnf update -y \
-  && dnf install -y wget git \
+  && dnf install -y git \
   && dnf clean all
 
 ARG before=7.34.0
 LABEL before=${before}
 
+ARG RELEASE_PACKAGE
+
 # Install proper FROM repo pupet 7
 RUN if [[ ${before} == 7.* ]]; then \
         echo Installing puppet7 repo; \
-        wget -O puppet7.rpm http://yum.puppet.com/puppet7-release-el-8.noarch.rpm && \
-        rpm -i puppet7.rpm; \
+        rpm -Uvh ${RELEASE_PACKAGE}; \
     else echo no; \
     fi
 
@@ -50,7 +52,8 @@ RUN if [[ ${before} == 7.* ]]; then \
 
 # Install FROM version of puppet-agent.
 RUN dnf -y update && \
-    dnf install -y puppet-agent-${before}-1.el8
+    dnf install -y puppet-agent-${before} && \
+    dnf clean all
 
 # This is also duplicated in the docker/bin/helpers/run-upgrade.sh.
 ENV module_path=/tmp/modules

docker/upgrade/sles/Dockerfile

@@ -0,0 +1,94 @@
+# This Dockerfile enables an iterative development workflow where you can make
+# a change and test it out quickly. The majority of commands in this file will
+# be cached, making the feedback loop typically quite short. The workflow is
+# as follows:
+#   1. Set up pre-conditions for the system in puppet code using `deploy.pp`.
+#   2. Make a change to the module.
+#   3. Run `docker build -f docker/Dockerfile .` or
+#      `./docker/bin/upgrade.sh rocky` from the project directory. If you would
+#      like to test specific version upgrades, you can add run this like so:
+#        `docker build -f docker/rocky/Dockerfile . \
+#           -t pa-dev:rocky --build-arg before=1.10.14`
+#   4. Upgrade the container by running the image:
+#        `docker run -it pa-dev:rocky`
+#      Specify your upgrade TO version as an argument to the `docker run`
+#      command.
+#   5. Review the output. Repeat steps 2-5 as needed.
+#
+# At the end of execution, you will see a line like:
+#
+# Notice: /Stage[main]/Puppet_agent::Install/Package[puppet-agent]/ensure: ensure changed '1.10.14-1.el8' to '6.2.0'
+#
+# This specifies the versions that were used for upgrade.
+#
+# Arguments:
+# - before: The version to do upgrade FROM. Default: "7.34.0"
+
+ARG BASE_IMAGE=registry.suse.com/suse/sle15:15.6
+FROM ${BASE_IMAGE}
+
+# Use this to force a cache reset (e.g. for output purposes)
+#COPY $0 /tmp/Dockerfile
+
+# Install some other dependencies for ease of life.
+RUN zypper install --no-confirm wget git-core
+
+ARG before=7.34.0
+LABEL before=${before}
+
+ARG RELEASE_PACKAGE
+
+# Install proper FROM repo pupet 7
+RUN if [[ ${before} == 7.* ]]; then \
+       wget -O puppet7.rpm ${RELEASE_PACKAGE} && \
+       rpm -i puppet7.rpm; \
+    else echo no; \
+    fi
+
+# Install FROM version of puppet-agent.
+RUN rpm --import https://yum.puppet.com/RPM-GPG-KEY-puppet-20250406 && \
+    zypper install --no-confirm --oldpackage --no-recommends --no-confirm puppet-agent-${before}
+
+# This is also duplicated in the docker/bin/helpers/run-upgrade.sh.
+ENV module_path=/tmp/modules
+WORKDIR "${module_path}/puppet_agent"
+COPY metadata.json ./
+
+# Dependency installation: Forge or source? The former is what the user will
+# have downloaded, but the latter allows testing of version bumps.
+# Install module dependencies from the Forge using Puppet Module Tool (PMT).
+RUN /opt/puppetlabs/puppet/bin/puppet module install --modulepath $module_path --target-dir .. puppetlabs-stdlib
+RUN /opt/puppetlabs/puppet/bin/puppet module install --modulepath $module_path --target-dir .. puppetlabs-inifile
+RUN /opt/puppetlabs/puppet/bin/puppet module install --modulepath $module_path --target-dir .. puppetlabs-apt
+RUN /opt/puppetlabs/puppet/bin/puppet module install --modulepath $module_path --target-dir .. puppetlabs-facts
+
+# Installing dependencies from source. These versions should be within the range
+# of `dependencies` in metadata.json.
+#RUN git clone https://github.com/puppetlabs/puppetlabs-stdlib ../stdlib --branch 9.7.0
+#RUN git clone https://github.com/puppetlabs/puppetlabs-inifile ../inifile --branch 6.2.0
+#RUN git clone https://github.com/puppetlabs/puppetlabs-apt ../apt --branch 10.0.1
+#RUN git clone https://github.com/puppetlabs/puppetlabs-facts ../facts --branch 1.7.0
+
+# Check that all dependencies are installed.
+RUN /opt/puppetlabs/puppet/bin/puppet module --modulepath $module_path list --tree
+COPY docker/deploy.pp /tmp/deploy.pp
+RUN ["sh", "-c", "/opt/puppetlabs/puppet/bin/puppet apply --modulepath $module_path /tmp/deploy.pp"]
+
+# Now move the project directory's files into the image. That way, if these
+# files change, caching will skip everything before this.
+COPY docker/bin/helpers/run-upgrade.sh /tmp/bin/run-upgrade.sh
+COPY files/ ./files/
+COPY locales/ ./locales/
+COPY spec/ ./spec/
+COPY task_spec/  ./task_spec/
+COPY tasks/ ./tasks/
+COPY templates/ ./templates
+COPY types/ ./types/
+COPY Gemfile Gemfile.lock Rakefile ./
+COPY lib/ ./lib/
+COPY manifests/ ./manifests/
+
+COPY docker/upgrade.pp /tmp/upgrade.pp
+
+# Perform the upgrade.
+ENTRYPOINT ["/tmp/bin/run-upgrade.sh"]

manifests/init.pp

@@ -103,6 +103,8 @@
 # @param skip_if_unavailable
 #    For yum-based repositories, set the skip_if_unavailable option of the `yumrepo` type.
 # @param disable_proxy
+# @param username The username to use when downloading from a source location requiring authentication.
+# @param password The password to use when downloading from a source location requiring authentication.
 class puppet_agent (
   String                         $arch                    = $facts['os']['architecture'],
   String                         $collection              = $puppet_agent::params::collection,
@@ -131,7 +133,9 @@
   Optional                       $wait_for_pxp_agent_exit = undef,
   Optional                       $wait_for_puppet_run     = undef,
   Array[Puppet_agent::Config]    $config                  = [],
-  Stdlib::Absolutepath           $version_file_path       = '/opt/puppetlabs/puppet/VERSION'
+  Stdlib::Absolutepath           $version_file_path       = '/opt/puppetlabs/puppet/VERSION',
+  Optional                       $username                = undef,
+  Optional[Sensitive]            $password                = undef,
 ) inherits puppet_agent::params {
   # The configure class uses $puppet_agent::config to manage settings in
   # puppet.conf, and will always be present. It does not require management of

manifests/osfamily/redhat.pp

@@ -175,6 +175,14 @@
         sslclientcert       => $_sslclientcert_path,
         sslclientkey        => $_sslclientkey_path,
         skip_if_unavailable => $puppet_agent::skip_if_unavailable,
+        username            => $puppet_agent::username,
+        password            => $puppet_agent::password,
+      }
+      file { '/etc/yum.repos.d/pc_repo.repo':
+        ensure => file,
+        owner  => 0,
+        group  => 0,
+        mode   => '0600',
       }
     }
   }