Upgrade rpm packages from yum-puppetcore.puppet.com

Add optional username and password parameters to the `puppet_agent` class.

If `manage_repo` is true, then add the credentials to the repo config (for RPM
platforms other than SLES) with secure permissions.

For SLES, add credentials to /etc/zypp/credentials.d/PuppetcoreCreds with secure
permissions. Also include auth=basic and credentials=PuppetcoreCreds to the
baseurl.

Update the Dockerfile to install 7.34.0 from yum.puppet.com and upgrade to
8.11.0 from yum-puppetcore, to verify the module can upgrade agents on amazon
2023, fedora 40, rocky 8 and sles 15.

    export PUPPET_FORGE_TOKEN=...
    docker/bin/upgrade.sh [platform] [from] [to]

where platform is one of amazon, fedora, rocky or sles and from/to are
puppet-agent versions.

The password is passed to the `docker run` command as an environment variable,
so that it's not persisted in the docker image.

Author: joshcooper

docker/bin/helpers/run-upgrade.sh

@@ -1,10 +1,10 @@
 #!/usr/bin/env bash
 
-# Run upgrades on a container. The default upgrade TO argument will be 8.10.0 if
+# Run upgrades on a container. The default upgrade TO argument will be 8.11.0 if
 # no arguments are passed to this script.
 set -e
 
-to_version=${1:-8.10.0}
+to_version=${1:-8.11.0}
 # Calculate which collection should be used. This is derived from the puppet
 # version.
 puppet_version=( ${to_version//./ } )
@@ -20,7 +20,12 @@ case $puppet_major in
     echo "Invalid version supplied" 1>&2
     exit 1
 esac
-FACTER_to_version=${1:-8.10.0} FACTER_to_collection=${to_collection} /opt/puppetlabs/puppet/bin/puppet apply --debug --trace --modulepath /tmp/modules /tmp/upgrade.pp
+FACTER_to_version=${to_version} \
+                 FACTER_to_collection=${to_collection} \
+                 FACTER_forge_username=forge-key \
+                 FACTER_forge_password="${PUPPET_FORGE_TOKEN}" \
+                 /opt/puppetlabs/puppet/bin/puppet apply --debug --trace --modulepath /tmp/modules /tmp/upgrade.pp
+
 # Make e.g. `puppet --version` work out of the box.
 PATH=/opt/puppetlabs/bin:$PATH \
     read -p "Explore the upgraded container? [y/N]: " choice && \

docker/bin/upgrade.sh

@@ -8,23 +8,65 @@
 # - PLATFORM: The platform on which the upgrade should occur. This also
 #             supports comma-separated lists. Available:
 #             - `ubuntu`
-#             - `centos`
+#             - `amazon`
+#             - `fedora`
 #             - `rocky`
+#             - `sles`
 #             Default: `ubuntu`
 # - BEFORE: The puppet-agent package version that is installed prior to upgrade.
-#           Default: 1.10.14
+#           Default: 7.34.0
 # - AFTER: The puppet-agent package version that should exist after upgrade.
-#          Default: 6.2.0
+#          Default: 8.1.0
 set -e
 
+if [ -z "${PUPPET_FORGE_TOKEN}" ]; then
+    echo "Environment variable PUPPET_FORGE_TOKEN must be set"
+    exit 1
+fi
+
 cd "$(dirname "$0")/../.."
-platforms=${1:-ubuntu}
+platforms=${1:-rocky}
 before=${2:-7.34.0}
-after=${3:-8.10.0}
+after=${3:-8.11.0}
 for platform in ${platforms//,/ }
 do
-    docker build --rm -f docker/$platform/Dockerfile . -t pa-dev:$platform \
-        --build-arg before=${before}
-    docker run --rm -ti pa-dev:$platform ${after}
+    dockerfile='docker/upgrade/dnf/Dockerfile'
+
+    # REMIND: if (7.35 <= before && before < 8.0) OR (8.11.0 <= before), then install release
+    # package from yum-puppetcore.
+    case $platform in
+        amazon)
+            base_image='amazonlinux:2023'
+            release_package='http://yum.puppet.com/puppet7-release-amazon-2023.noarch.rpm'
+            ;;
+
+        fedora)
+            base_image='fedora:40'
+            release_package='http://yum.puppet.com/puppet7-release-fedora-40.noarch.rpm'
+            ;;
+
+        rocky)
+            base_image='rockylinux/rockylinux:8'
+            release_package='http://yum.puppet.com/puppet7-release-el-8.noarch.rpm'
+            ;;
+
+        sles)
+            base_image='registry.suse.com/suse/sle15:15.6'
+            release_package='http://yum.puppet.com/puppet7-release-sles-15.noarch.rpm'
+            dockerfile='docker/upgrade/sles/Dockerfile'
+            ;;
+
+        *)
+            echo "$0: Usage upgrade.sh [amazon|fedora|rocky|sles] [before] [after]"
+            exit 1
+            ;;
+    esac
+
+    docker build --rm -f ${dockerfile} . -t pa-dev:$platform \
+           --build-arg before=${before} \
+           --build-arg BASE_IMAGE=${base_image} \
+           --build-arg RELEASE_PACKAGE=${release_package}
+
+    docker run -e PUPPET_FORGE_TOKEN --rm -ti pa-dev:$platform ${after}
 done
-echo Complete
+echo Complete

docker/upgrade.pp

@@ -8,5 +8,7 @@
     # process.
     service_names   => [],
     collection      => $facts['to_collection'],
+    username        => $facts['forge_username'],
+    password        => Sensitive($facts['forge_password'])
   }
 }

docker/rocky/Dockerfile renamed to docker/upgrade/dnf/Dockerfile

@@ -24,24 +24,26 @@
 # Arguments:
 # - before: The version to do upgrade FROM. Default: "7.34.0"
 
-FROM rockylinux/rockylinux:8
+ARG BASE_IMAGE=rocky:8
+FROM ${BASE_IMAGE}
 
 # Use this to force a cache reset (e.g. for output purposes)
 #COPY $0 /tmp/Dockerfile
 
 # Install some other dependencies for ease of life.
 RUN  dnf update -y \
-  && dnf install -y wget git \
+  && dnf install -y git \
   && dnf clean all
 
 ARG before=7.34.0
 LABEL before=${before}
 
+ARG RELEASE_PACKAGE
+
 # Install proper FROM repo pupet 7
 RUN if [[ ${before} == 7.* ]]; then \
         echo Installing puppet7 repo; \
-        wget -O puppet7.rpm http://yum.puppet.com/puppet7-release-el-8.noarch.rpm && \
-        rpm -i puppet7.rpm; \
+        rpm -Uvh ${RELEASE_PACKAGE}; \
     else echo no; \
     fi
 
@@ -50,7 +52,8 @@ RUN if [[ ${before} == 7.* ]]; then \
 
 # Install FROM version of puppet-agent.
 RUN dnf -y update && \
-    dnf install -y puppet-agent-${before}-1.el8
+    dnf install -y puppet-agent-${before} && \
+    dnf clean all
 
 # This is also duplicated in the docker/bin/helpers/run-upgrade.sh.
 ENV module_path=/tmp/modules

docker/upgrade/sles/Dockerfile

@@ -0,0 +1,94 @@
+# This Dockerfile enables an iterative development workflow where you can make
+# a change and test it out quickly. The majority of commands in this file will
+# be cached, making the feedback loop typically quite short. The workflow is
+# as follows:
+#   1. Set up pre-conditions for the system in puppet code using `deploy.pp`.
+#   2. Make a change to the module.
+#   3. Run `docker build -f docker/Dockerfile .` or
+#      `./docker/bin/upgrade.sh rocky` from the project directory. If you would
+#      like to test specific version upgrades, you can add run this like so:
+#        `docker build -f docker/rocky/Dockerfile . \
+#           -t pa-dev:rocky --build-arg before=1.10.14`
+#   4. Upgrade the container by running the image:
+#        `docker run -it pa-dev:rocky`
+#      Specify your upgrade TO version as an argument to the `docker run`
+#      command.
+#   5. Review the output. Repeat steps 2-5 as needed.
+#
+# At the end of execution, you will see a line like:
+#
+# Notice: /Stage[main]/Puppet_agent::Install/Package[puppet-agent]/ensure: ensure changed '1.10.14-1.el8' to '6.2.0'
+#
+# This specifies the versions that were used for upgrade.
+#
+# Arguments:
+# - before: The version to do upgrade FROM. Default: "7.34.0"
+
+ARG BASE_IMAGE=registry.suse.com/suse/sle15:15.6
+FROM ${BASE_IMAGE}
+
+# Use this to force a cache reset (e.g. for output purposes)
+#COPY $0 /tmp/Dockerfile
+
+# Install some other dependencies for ease of life.
+RUN zypper install --no-confirm wget git-core
+
+ARG before=7.34.0
+LABEL before=${before}
+
+ARG RELEASE_PACKAGE
+
+# Install proper FROM repo pupet 7
+RUN if [[ ${before} == 7.* ]]; then \
+       wget -O puppet7.rpm ${RELEASE_PACKAGE} && \
+       rpm -i puppet7.rpm; \
+    else echo no; \
+    fi
+
+# Install FROM version of puppet-agent.
+RUN rpm --import https://yum.puppet.com/RPM-GPG-KEY-puppet-20250406 && \
+    zypper install --no-confirm --oldpackage --no-recommends --no-confirm puppet-agent-${before}
+
+# This is also duplicated in the docker/bin/helpers/run-upgrade.sh.
+ENV module_path=/tmp/modules
+WORKDIR "${module_path}/puppet_agent"
+COPY metadata.json ./
+
+# Dependency installation: Forge or source? The former is what the user will
+# have downloaded, but the latter allows testing of version bumps.
+# Install module dependencies from the Forge using Puppet Module Tool (PMT).
+RUN /opt/puppetlabs/puppet/bin/puppet module install --modulepath $module_path --target-dir .. puppetlabs-stdlib
+RUN /opt/puppetlabs/puppet/bin/puppet module install --modulepath $module_path --target-dir .. puppetlabs-inifile
+RUN /opt/puppetlabs/puppet/bin/puppet module install --modulepath $module_path --target-dir .. puppetlabs-apt
+RUN /opt/puppetlabs/puppet/bin/puppet module install --modulepath $module_path --target-dir .. puppetlabs-facts
+
+# Installing dependencies from source. These versions should be within the range
+# of `dependencies` in metadata.json.
+#RUN git clone https://github.com/puppetlabs/puppetlabs-stdlib ../stdlib --branch 9.7.0
+#RUN git clone https://github.com/puppetlabs/puppetlabs-inifile ../inifile --branch 6.2.0
+#RUN git clone https://github.com/puppetlabs/puppetlabs-apt ../apt --branch 10.0.1
+#RUN git clone https://github.com/puppetlabs/puppetlabs-facts ../facts --branch 1.7.0
+
+# Check that all dependencies are installed.
+RUN /opt/puppetlabs/puppet/bin/puppet module --modulepath $module_path list --tree
+COPY docker/deploy.pp /tmp/deploy.pp
+RUN ["sh", "-c", "/opt/puppetlabs/puppet/bin/puppet apply --modulepath $module_path /tmp/deploy.pp"]
+
+# Now move the project directory's files into the image. That way, if these
+# files change, caching will skip everything before this.
+COPY docker/bin/helpers/run-upgrade.sh /tmp/bin/run-upgrade.sh
+COPY files/ ./files/
+COPY locales/ ./locales/
+COPY spec/ ./spec/
+COPY task_spec/  ./task_spec/
+COPY tasks/ ./tasks/
+COPY templates/ ./templates
+COPY types/ ./types/
+COPY Gemfile Gemfile.lock Rakefile ./
+COPY lib/ ./lib/
+COPY manifests/ ./manifests/
+
+COPY docker/upgrade.pp /tmp/upgrade.pp
+
+# Perform the upgrade.
+ENTRYPOINT ["/tmp/bin/run-upgrade.sh"]

manifests/init.pp

@@ -34,8 +34,8 @@
 #   The exact location of the package to install. The entire path to the package must be
 #   provided with this parameter.
 # @param yum_source
-#   Base URL of the location of mirrors of yum.puppet.com downloads sites. Directories under
-#   the URL "yum_source" should match the structure of the yum.puppet.com
+#   Base URL of the location of mirrors of yum-puppetcore.puppet.com downloads sites. Directories under
+#   the URL "yum_source" should match the structure of the yum-puppetcore.puppet.com
 # @param apt_source
 #   Base URL of the location of mirrors of apt.puppet.com downloads sites. Directories under
 #   the URL "apt_source" should match the structure of the apt.puppet.com
@@ -114,7 +114,7 @@
   Array                          $service_names           = $puppet_agent::params::service_names,
   Optional                       $source                  = undef,
   Optional                       $absolute_source         = undef,
-  String                         $yum_source              = 'http://yum.puppet.com',
+  String                         $yum_source              = 'https://yum-puppetcore.puppet.com',
   String                         $apt_source              = 'https://apt.puppet.com',
   String                         $mac_source              = 'https://downloads.puppet.com',
   String                         $windows_source          = 'https://downloads.puppet.com',
@@ -131,7 +131,9 @@
   Optional                       $wait_for_pxp_agent_exit = undef,
   Optional                       $wait_for_puppet_run     = undef,
   Array[Puppet_agent::Config]    $config                  = [],
-  Stdlib::Absolutepath           $version_file_path       = '/opt/puppetlabs/puppet/VERSION'
+  Stdlib::Absolutepath           $version_file_path       = '/opt/puppetlabs/puppet/VERSION',
+  Optional                       $username                = undef,
+  Optional[Sensitive]            $password                = undef,
 ) inherits puppet_agent::params {
   # The configure class uses $puppet_agent::config to manage settings in
   # puppet.conf, and will always be present. It does not require management of

manifests/osfamily/redhat.pp

@@ -175,6 +175,14 @@
         sslclientcert       => $_sslclientcert_path,
         sslclientkey        => $_sslclientkey_path,
         skip_if_unavailable => $puppet_agent::skip_if_unavailable,
+        username            => $puppet_agent::username,
+        password            => $puppet_agent::password,
+      }
+      file { '/etc/yum.repos.d/pc_repo.repo':
+        ensure => file,
+        owner  => 0,
+        group  => 0,
+        mode   => "0600"
       }
     }
   }

manifests/osfamily/suse.pp

@@ -137,12 +137,28 @@
             # In Puppet Enterprise, agent packages are served by the same server
             # as the master, which can be using either a self signed CA, or an external CA.
             # Zypper has issues with validating a self signed CA, so for now disable ssl verification.
+            # don't leak credentials
+            $repo_username = getvar('puppet_agent::username')
+            $repo_password = unwrap(getvar('puppet_agent::password'))
+
+            if $repo_username and $repo_password {
+              file { '/etc/zypp/credentials.d/PuppetcoreCreds':
+                ensure  => file,
+                owner   => 0,
+                group   => 0,
+                mode    => "0600",
+                content => Sensitive(@("EOT"))
+                  username=${repo_username}
+                  password=${repo_password}
+                  | EOT
+              }
+            }
             $repo_settings = {
               'name'        => $repo_name,
               'enabled'     => '1',
               'gpgcheck'    => '1',
               'autorefresh' => '0',
-              'baseurl'     => "${source}?ssl_verify=no",
+              'baseurl'     => "${source}?ssl_verify=no&auth=basic&credentials=PuppetcoreCreds",
               'type'        => 'rpm-md',
             }
 

spec/classes/puppet_agent_osfamily_redhat_spec.rb

@@ -151,7 +151,7 @@
           is_expected.to contain_yumrepo('pc_repo')
             .with({
                     # We no longer expect the 'f' in fedora repos
-                    'baseurl'  => "http://yum.puppet.com/puppet5/#{urlbit.gsub('/f', '/')}/#{arch}",
+                    'baseurl'  => "https://yum-puppetcore.puppet.com/puppet5/#{urlbit.gsub('/f', '/')}/#{arch}",
                     'enabled'  => 'true',
                     'gpgcheck' => '1',
                     'gpgkey'   => "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-puppet\n  file:///etc/pki/rpm-gpg/RPM-GPG-KEY-puppet-20250406",
@@ -261,6 +261,24 @@
             is_expected.to contain_yumrepo('pc_repo').with_skip_if_unavailable(true)
           }
         end
+        describe 'with credentials' do
+          let(:params) do
+            {
+              manage_repo: true,
+              package_version: package_version,
+              username: 'forge-key',
+              password: sensitive('open-sesame'),
+            }
+          end
+
+          it {
+            is_expected.to contain_yumrepo('pc_repo')
+              .with(
+                username: 'forge-key',
+                password: sensitive('open-sesame'),
+              )
+          }
+        end
       end
 
       context 'with manage_repo disabled' do

spec/classes/puppet_agent_osfamily_suse_spec.rb

@@ -151,7 +151,7 @@
                   'enabled'     => '1',
                   'gpgcheck'    => '1',
                   'autorefresh' => '0',
-                  'baseurl'     => "http://yum.puppet.com/puppet6/sles/#{os_version}/x86_64?ssl_verify=no",
+                  'baseurl'     => "https://yum-puppetcore.puppet.com/puppet6/sles/#{os_version}/x86_64?ssl_verify=no&auth=basic&credentials=PuppetcoreCreds",
                   'type'        => 'rpm-md',
                 }.each do |setting, value|
                   it {
@@ -203,7 +203,7 @@
                             'path' => '/etc/zypp/repos.d/pc_repo.repo',
                             'section' => 'pc_repo',
                             'setting' => 'baseurl',
-                            'value'   => "https://nightlies.puppet.com/yum/puppet6/sles/#{os_version}/x86_64?ssl_verify=no",
+                            'value'   => "https://nightlies.puppet.com/yum/puppet6/sles/#{os_version}/x86_64?ssl_verify=no&auth=basic&credentials=PuppetcoreCreds",
                           })
                 }
               end
@@ -291,7 +291,7 @@
                   'enabled'     => '1',
                   'gpgcheck'    => '1',
                   'autorefresh' => '0',
-                  'baseurl'     => "https://master.example.vm:8140/packages/2000.0.0/sles-#{os_version}-x86_64?ssl_verify=no",
+                  'baseurl'     => "https://master.example.vm:8140/packages/2000.0.0/sles-#{os_version}-x86_64?ssl_verify=no&auth=basic&credentials=PuppetcoreCreds",
                   'type'        => 'rpm-md',
                 }.each do |setting, value|
                   it {
@@ -341,7 +341,7 @@
                             'path'    => '/etc/zypp/repos.d/pc_repo.repo',
                             'section' => 'pc_repo',
                             'setting' => 'baseurl',
-                            'value'   => "https://fake-sles-source.com/packages/2000.0.0/sles-#{os_version}-x86_64?ssl_verify=no",
+                            'value'   => "https://fake-sles-source.com/packages/2000.0.0/sles-#{os_version}-x86_64?ssl_verify=no&auth=basic&credentials=PuppetcoreCreds",
                           })
                 }
               end