Refs #35184 - Drop puppetca_http_api provider

While cc1cee8 already formally dropped
support for Puppet, the code was still present and Foreman Proxy
supported it too. In Foreman Proxy 3.4 the old puppetca_puppet_cert
provider is dropped, meaning this is dead code anyway.

The puppetca_http_api provider is ensured absent to clean up the config
file.

For compatibility with Foreman Proxy < 3.4 the puppet_version version is
set to 6.0. This forces the puppetca_http_api provider to be used and a
static value means fewer service restarts. Foreman Proxy >= 3.4 ignores
this setting altogether.

This gets rids of various top level parameters, which simplifies things.

No care is taken to clean up sudo entries. It is assumed users already
upgraded to Puppet 6 in which case the module previously cleaned up the
entries. The proper upgrade path is to upgrade to Puppet 6 using
theforeman/foreman_proxy 22.x and only then upgrade the module to the
latest version.

Author: ekohl

manifests/config.pp

@@ -89,7 +89,11 @@
   contain foreman_proxy::module::puppetca
   foreman_proxy::provider { ['puppetca_hostname_whitelisting', 'puppetca_token_whitelisting']:
   }
-  foreman_proxy::provider { ['puppetca_http_api', 'puppetca_puppet_cert']:
+  foreman_proxy::provider { 'puppetca_http_api':
+  }
+  # Foreman Proxy 3.4 dropped puppetca_puppet_cert
+  foreman_proxy::provider { 'puppetca_puppet_cert':
+    ensure => absent,
   }
 
   contain foreman_proxy::module::realm
@@ -104,29 +108,8 @@
 
   contain foreman_proxy::module::registration
 
-  if $foreman_proxy::puppetca or $foreman_proxy::puppet {
-    $uses_sudo = $foreman_proxy::puppetca and versioncmp($facts['puppetversion'], '6.0') < 0
-
-    if $foreman_proxy::use_sudoersd {
-      if $uses_sudo and $foreman_proxy::manage_sudoersd {
-        ensure_resource('file', "${foreman_proxy::sudoers}.d", { 'ensure' => 'directory' })
-      }
-
-      file { "${foreman_proxy::sudoers}.d/foreman-proxy":
-        ensure  => bool2str($uses_sudo, 'file', 'absent'),
-        owner   => 'root',
-        group   => 0,
-        mode    => '0440',
-        content => template('foreman_proxy/sudo.erb'),
-      }
-    } elsif $foreman_proxy::use_sudoers {
-      augeas { 'sudo-foreman-proxy':
-        context => "/files${foreman_proxy::sudoers}",
-        changes => template('foreman_proxy/sudo_augeas.erb'),
-      }
-    }
-  } else {
-    # The puppet-agent (puppet 4 AIO package) doesn't create a puppet user and group
+  unless $foreman_proxy::puppetca or $foreman_proxy::puppet {
+    # The puppet-agent doesn't create a puppet user and group
     # but the foreman proxy still needs to be able to read the agent's private key
     if $foreman_proxy::manage_puppet_group and $foreman_proxy::ssl {
       if !defined(Group[$foreman_proxy::puppet_group]) {

manifests/init.pp

@@ -48,13 +48,6 @@
 #
 # $trusted_hosts::              Only hosts listed will be permitted, empty array to disable authorization
 #
-# $manage_sudoersd::            Whether to manage File['/etc/sudoers.d'] or not.  When reusing this module, this may be
-#                               disabled to let a dedicated sudo module manage it instead.
-#
-# $use_sudoersd::               Add a file to /etc/sudoers.d (true).
-#
-# $use_sudoers::                Add contents to /etc/sudoers (true). This is ignored if $use_sudoersd is true.
-#
 # $puppetca::                   Enable Puppet CA feature
 #
 # $puppetca_listen_on::         Protocols for the Puppet CA feature to listen on
@@ -65,8 +58,6 @@
 #
 # $puppetdir::                  Puppet var directory
 #
-# $puppetca_cmd::               Puppet CA command to be allowed in sudoers
-#
 # $puppet_group::               Groups of Foreman proxy user
 #
 # $autosignfile::               Hostname-Whitelisting only: Location of puppets autosign.conf
@@ -308,14 +299,10 @@
   Array[String] $trusted_hosts = $foreman_proxy::params::trusted_hosts,
   Array[String] $ssl_disabled_ciphers = [],
   Array[String] $tls_disabled_versions = [],
-  Boolean $manage_sudoersd = true,
-  Boolean $use_sudoersd = true,
-  Boolean $use_sudoers = true,
   Boolean $puppetca = true,
   Foreman_proxy::ListenOn $puppetca_listen_on = 'https',
   Stdlib::Absolutepath $ssldir = $foreman_proxy::params::ssldir,
   Stdlib::Absolutepath $puppetdir = $foreman_proxy::params::puppetdir,
-  String $puppetca_cmd = $foreman_proxy::params::puppetca_cmd,
   String $puppet_group = 'puppet',
   String $puppetca_provider = 'puppetca_hostname_whitelisting',
   Stdlib::Absolutepath $autosignfile = $foreman_proxy::params::autosignfile,

manifests/params.pp

@@ -130,13 +130,10 @@
   # Only hosts listed will be permitted, empty array to disable authorization
   $trusted_hosts = [$lower_fqdn]
 
-  $sudoers = "${etc}/sudoers"
-
   # puppet settings
   $puppet_url = "https://${facts['networking']['fqdn']}:8140"
 
   # puppetca settings
-  $puppetca_cmd = "${puppet_cmd} cert"
   $autosignfile = "${puppetdir}/autosign.conf"
 
   # Template settings

spec/classes/foreman_proxy__spec.rb

@@ -228,7 +228,7 @@
             '---',
             ':enabled: https',
             ':use_provider: puppetca_hostname_whitelisting',
-            ":puppet_version: #{Puppet.version}",
+            ":puppet_version: '6.0'",
           ])
         end
 
@@ -242,11 +242,8 @@
           ])
         end
 
-        it 'should generate correct puppetca_puppet_cert.yml' do
-          verify_exact_contents(catalogue, "#{etc_dir}/foreman-proxy/settings.d/puppetca_puppet_cert.yml", [
-            '---',
-            ":ssldir: #{ssl_dir}",
-          ])
+        it 'should remove puppetca_puppet_cert.yml' do
+          is_expected.to contain_file("#{etc_dir}/foreman-proxy/settings.d/puppetca_puppet_cert.yml").with_ensure('absent')
         end
 
         it 'should generate correct puppetca_hostname_whitelisting.yml' do
@@ -321,27 +318,6 @@
           ])
         end
 
-        it 'should set up sudo rules', if: Puppet.version < '6.0' do
-          should contain_file("#{etc_dir}/sudoers.d").with_ensure('directory')
-
-          should contain_file("#{etc_dir}/sudoers.d/foreman-proxy").with({
-            :ensure  => 'file',
-            :owner   => 'root',
-            :group   => 0,
-            :mode    => '0440',
-          })
-
-          verify_exact_contents(catalogue, "#{etc_dir}/sudoers.d/foreman-proxy", [
-            "#{proxy_user_name} ALL = (root) NOPASSWD : #{puppetca_command}",
-            "Defaults:#{proxy_user_name} !requiretty",
-          ])
-        end
-
-        it 'should not set up sudo rules', if: Puppet.version >= '6.0' do
-          should_not contain_file("#{etc_dir}/sudoers.d")
-          should contain_file("#{etc_dir}/sudoers.d/foreman-proxy").with_ensure('absent')
-        end
-
         it "should not manage puppet group" do
           should_not contain_group('puppet')
         end
@@ -736,17 +712,6 @@
         end
       end
 
-      context 'when puppetca_cmd set', if: Puppet.version < '6.0' do
-        let(:params) { super().merge(puppetca_cmd: 'pup cert') }
-
-        it "should set puppetca_cmd" do
-          verify_exact_contents(catalogue, "#{etc_dir}/sudoers.d/foreman-proxy", [
-            "#{proxy_user_name} ALL = (root) NOPASSWD : pup cert *",
-            "Defaults:#{proxy_user_name} !requiretty",
-          ])
-        end
-      end
-
       context 'with custom puppetca params' do
         let(:params) do
           super().merge(
@@ -764,7 +729,7 @@
             '---',
             ':enabled: https',
             ':use_provider: puppetca_token_whitelisting',
-            ":puppet_version: #{Puppet.version}",
+            ":puppet_version: '6.0'",
           ])
         end
 

templates/puppetca.yml.erb

@@ -8,5 +8,5 @@
 #   - puppetca_token_whitelisting (verify CSRs based on a token whitelist)
 :use_provider: <%= scope.lookupvar("foreman_proxy::puppetca_provider") %>
 
-# Puppet version used
-:puppet_version: <%= @puppetversion %>
+# Using 6.0 forces use of puppetca_http_api
+:puppet_version: '6.0'