Skip to content

Update module to support puppetcore on Windows #766

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Apr 21, 2025
Merged

Update module to support puppetcore on Windows #766

merged 4 commits into from
Apr 21, 2025

Conversation

joshcooper
Copy link
Contributor

This is analogous to #757 but for windows.

Updates the puppet_agent::install_task so it's possible to install msi-based packages from https://artifacts-puppetcore.puppet.com. Credentials are required when installing from puppetcore. The username defaults to forge-key and the password must be set to your forge API token.

When using WinRM, you must specify Windows credentials (using --user and --password arguments) to log into the host and puppetcore credentials to download the MSI (as username and password task parameters)

$ /opt/puppetlabs/bolt/bin/bolt task run puppet_agent::install \
  collection=puppetcore8 \
  version=8.11.0 \
  username=forge-key \
  password=... \
  --targets 'winrm://HOST' \
  --user Administrator \
  --password ...

Also updates the puppet_agent class so it's possible to manage agent versions over time:

class { 'puppet_agent':
  package_version => '8.11.0',
  collection => 'puppetcore8',
  password => Sensitive(...)
}

The puppet_agent::prepare::package class on Windows normally uses a file resource to download the MSI from the source. However, due to a bug in puppet, it is not possible to pass credentials as the userinfo component of the URL, e.g. https://forge-id:TOKEN@artifacts-puppetcore.puppet.com So instead use a powershell script to download the MSI. That code is borrowed from https://github.com/klab-systems/puppet_core_agent, credit to @klab-systems

@joshcooper joshcooper changed the title Private windows Update module to support puppetcore on Windows Mar 20, 2025
@joshcooper joshcooper force-pushed the private_windows branch 3 times, most recently from a57e338 to 11b51fb Compare March 31, 2025 18:25
@joshcooper joshcooper marked this pull request as ready for review March 31, 2025 19:06
@joshcooper joshcooper requested review from bastelfreak and a team as code owners March 31, 2025 19:06
@cthorn42
Copy link
Collaborator

Wanted to discuss the old 'puppet8-nightly' collection. With the new layout do we still require a different collection? Or can we get by with just always using puppetcore8, and then just adding logic to determine if we should set the dev parameter to true or false depending on the package version?
I think we already have ticketed the updating of https://github.com/puppetlabs/puppetlabs-puppet_agent/blob/14b1844f60a225387157c002c01c8c9d983c6fa2/acceptance/tests/test_upgrade_puppet7_to_puppet8.rb#L28C25-L28C40, and that is the only obvious usage of that puppet8-nightly collection.

@joshcooper
Copy link
Contributor Author

joshcooper commented Apr 1, 2025
edited
Loading

Or can we get by with just always using puppetcore8, and then just adding logic to determine if we should set the dev parameter to true or false depending on the package version?

The dev parameter is mainly for PE CI, so that it can test agent upgrades to a version that's newer than what it ships with. It's not a direct replacement for puppetcore8-nightlies because the last passing agent SHA isn't always promoted to PE.

Beaker tests like test_upgrade_pouppet7_to_puppet8 run in our internal jenkins, so can already install from our internal nightly repos. I think d we're already overriding the yum_source, etc to point to artifactory. I'm not sure if we need to change the collection in the test? I can't access jenkins because of the lame Jenkins plugin/SAML bug, "You are now logged out of Jenkins, however this has not logged you out of SAML."

@cthorn42 cthorn42 mentioned this pull request Apr 1, 2025
Open
@joshcooper
Add puppetcore support for Windows install tasks
b501b48 
Now possible to run the install task specifying puppetcore collection:

```
/opt/puppetlabs/bolt/bin/bolt task run puppet_agent::install \
  collection=puppetcore8 \
  version=8.11.0 \
  username=forge-key \
  password=${PUPPET_FORGE_TOKEN} \
  --targets 'winrm://HOST' \
  --user Administrator \
  --password ...
```

If the `windows_source` class parameter is explicitly given, then the task will
use that.

Also add additional logging as to where we are downloading the MSI from and the
exception message if downloading fails.
bastelfreak
bastelfreak reviewed Apr 16, 2025
View reviewed changes
manifests/prepare/package.pp
source => $source,
require => File[$puppet_agent::params::local_packages_dir],
if $puppet_agent::collection and $puppet_agent::collection =~ /core/ and $facts['os']['family'] =~ /windows/ {
$download_username = getvar('puppet_agent::username', 'forge-key')
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why do you use getvar, instead of accessing the variable directly?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was mainly following the getvar convention used in this module.

@joshcooper joshcooper closed this Apr 21, 2025
@joshcooper joshcooper reopened this Apr 21, 2025
@joshcooper joshcooper force-pushed the private_windows branch 2 times, most recently from 7dd61cb to 755e975 Compare April 21, 2025 16:00
@joshcooper joshcooper requested a review from bastelfreak April 21, 2025 17:08
bastelfreak
bastelfreak reviewed Apr 21, 2025
View reviewed changes
manifests/osfamily/debian.pp Outdated
@@ -66,7 +66,7 @@
ensure => absent,
priority => '90',
}
} elsif $puppet_agent::collection =~ /core/ {
} elsif $puppet_agent::collection and $puppet_agent::collection =~ /core/ {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why do you check if $puppet_agent::collection isn't undef? params.pp sets collection always, and the datatype in init.pp enforces String, so this shouldn't be required and the old syntax was fine?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Edit: in the commit message you say:

If $puppet_agent::collection was undef, then the regex match would result in an error

But was is there a situation where undef is possible?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Another question: Why a regex? Are there valid values like core8, core-latest? Could you maybe document them in the init.pp?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

so this shouldn't be required and the old syntax was fine?

I removed the commit.

Why a regex? Are there valid values like core8, core-latest? Could you maybe document them in the init.pp?

They're documented in the task metadata:

Optional[Enum[puppet7, puppet8, puppet, puppet7-nightly, puppet8-nightly, puppet-nightly, puppetcore7, puppetcore8]]

But in puppet's init, it is defined to just be a String. I'll update the documentation for that parameter.

joshcooper and others added 3 commits April 21, 2025 10:40
@joshcooper @klab-systems
Upgrade puppetcore* msi from artifacts-puppetcore.puppet.com
fceee1b 
When using the puppetcore collection on Windows, if we detect the installed
version does not match, then upgrade the MSI. Due to a puppet bug, we cannot
pass credentials in the `source` parameter. And `curl.exe` is not present in
our puppet-agent packages. So use powershell to download.

Co-authored-by: Kevin <114269618+klab-systems@users.noreply.github.com>
@joshcooper
Include review feedback
901a94a 
Use '@api private' for private classes, so they are excluded from REFERENCES.md

Use 'String[1]' for username parameter. If it is specified, then it should not
be empty.

Use 'Sensitive[String[1]]' for password parameter.

Use ruby-style way of conditionally setting a variable.
@joshcooper
Add support for development MSI builds
d00532f 
Dev builds have more than 3 dotted components
@joshcooper joshcooper requested a review from bastelfreak April 21, 2025 18:01
@joshcooper joshcooper merged commit 22e07b9 into puppetlabs:main Apr 21, 2025
16 checks passed
@joshcooper joshcooper deleted the private_windows branch April 21, 2025 18:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bastelfreak bastelfreak bastelfreak approved these changes

@cthorn42 cthorn42 cthorn42 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@joshcooper @cthorn42 @bastelfreak