(CAT-2378) Removing puppet 7 support

.fixtures.yml

@@ -11,9 +11,7 @@ fixtures:
     rook: 'puppetlabs-rook'
   repositories:
     facts: 'https://github.com/puppetlabs/puppetlabs-facts.git'
-    puppet_agent:
-      repo: 'https://github.com/puppetlabs/puppetlabs-puppet_agent.git'
-      ref: v4.13.0
+    puppet_agent: 'https://github.com/puppetlabs/puppetlabs-puppet_agent.git'
     provision: 'https://github.com/puppetlabs/provision.git'
     yumrepo_core:
       repo: https://github.com/puppetlabs/puppetlabs-yumrepo_core.git

.github/workflows/ci.yml

@@ -16,14 +16,32 @@ jobs:
     runs-on: ubuntu-24.04
     strategy:
       fail-fast: false
-      matrix: {'platform':['rhel-8', 'debian-11'],'collection':['puppet7-nightly', 'puppet8-nightly']}
+      matrix: {'platform':['rhel-8', 'debian-11'],'collection':['puppetcore8-nightly']}
 
     steps:
     - name: "Install Twingate"
       uses: "twingate/github-action@v1"
       with:
         service-key: ${{ secrets.TWINGATE_PUBLIC_REPO_KEY }}
 
+    - name: Fix DNS
+      run: |
+        echo "=== Remove Azure DNS from eth0 interface ==="
+        sudo resolvectl dns eth0 ""
+
+        echo "=== Configure Twingate DNS properly ==="
+        sudo resolvectl dns sdwan0 100.95.0.251 100.95.0.252
+        sudo resolvectl domain sdwan0 delivery.puppetlabs.net
+
+        echo "=== Flush DNS cache ==="
+        sudo resolvectl flush-caches
+
+        echo "=== Check new configuration ==="
+        resolvectl status
+
+        echo "=== Test DNS resolution ==="
+        nslookup artifactory.delivery.puppetlabs.net
+
     - name: Checkout Source
       uses: actions/checkout@v3
 
@@ -49,8 +67,8 @@ jobs:
       run: |
         bundle exec bolt --modulepath spec/fixtures/modules plan run kubernetes::provision_cluster image_type=${{ matrix.platform }}
         FILE='spec/fixtures/litmus_inventory.yaml'
-        sed -e 's/password: .*/password: "[redacted]"/' < $FILE || true
         echo INVENTORY_PATH=$FILE >> $GITHUB_ENV
+        cat $FILE
 
     - name: Puppet server setup
       run: |
@@ -67,9 +85,3 @@ jobs:
     - name: Run integration tests
       run: |
         bundle exec rake kubernetes:integration
-
-    - name: Remove test environment
-      if: ${{ always() }}
-      continue-on-error: true
-      run: |
-        bundle exec rake 'litmus:tear_down'

.github/workflows/nightly.yml

@@ -14,14 +14,32 @@ jobs:
     runs-on: ubuntu-24.04
     strategy:
       fail-fast: false
-      matrix: {'platform':['rhel-8', 'debian-11'],'collection':['puppet7-nightly', 'puppet8-nightly']}
+      matrix: {'platform':['rhel-8', 'debian-11'],'collection':['puppetcore8-nightly']}
 
     steps:
     - name: "Install Twingate"
       uses: "twingate/github-action@v1"
       with:
         service-key: ${{ secrets.TWINGATE_PUBLIC_REPO_KEY }}
 
+    - name: Fix DNS
+      run: |
+        echo "=== Remove Azure DNS from eth0 interface ==="
+        sudo resolvectl dns eth0 ""
+
+        echo "=== Configure Twingate DNS properly ==="
+        sudo resolvectl dns sdwan0 100.95.0.251 100.95.0.252
+        sudo resolvectl domain sdwan0 delivery.puppetlabs.net
+
+        echo "=== Flush DNS cache ==="
+        sudo resolvectl flush-caches
+
+        echo "=== Check new configuration ==="
+        resolvectl status
+
+        echo "=== Test DNS resolution ==="
+        nslookup artifactory.delivery.puppetlabs.net
+
     - name: Checkout Source
       uses: actions/checkout@v3
 

.puppet-lint.rc

@@ -1,2 +1,11 @@
+--fail-on-warnings
 --relative
 --no-params_empty_string_assignment-check
+--no-80chars-check
+--no-140chars-check
+--no-class_inherits_from_params_class-check
+--no-autoloader_layout-check
+--no-documentation-check
+--no-single_quote_string_with_variables-check
+--no-anchor_resource-check
+--ignore-paths=.vendor/**/*.pp,.bundle/**/*.pp,pkg/**/*.pp,spec/**/*.pp,tests/**/*.pp,types/**/*.pp,vendor/**/*.pp

.rubocop.yml

@@ -5,7 +5,7 @@ require:
 AllCops:
   NewCops: enable
   DisplayCopNames: true
-  TargetRubyVersion: '2.6'
+  TargetRubyVersion: 3.1
   Include:
   - "**/*.rb"
   Exclude:

.rubocop_todo.yml

@@ -1,6 +1,6 @@
 # This configuration was generated by
 # `rubocop --auto-gen-config`
-# on 2023-12-21 07:51:18 UTC using RuboCop version 1.48.1.
+# on 2025-11-03 04:58:59 UTC using RuboCop version 1.50.2.
 # The point is for the user to remove these configuration records
 # one by one as the offenses are removed from the code base.
 # Note that changes in the inspected code, or installation of new
@@ -10,28 +10,8 @@
 Lint/UselessAssignment:
   Enabled: false
 
-# Offense count: 1
-# Configuration parameters: AllowedNames.
-# AllowedNames: module_parent
-Naming/ClassAndModuleCamelCase:
-  Exclude:
-    - 'tooling/kube_tool.rb'
-
 # Offense count: 2640
 # Configuration parameters: EnforcedStyle, AllowedIdentifiers, AllowedPatterns.
 # SupportedStyles: snake_case, camelCase
 Naming/VariableName:
   Enabled: false
-
-# Offense count: 41
-# Configuration parameters: EnforcedStyle, IgnoreSharedExamples.
-# SupportedStyles: always, named_only
-RSpec/NamedSubject:
-  Exclude:
-    - 'spec/classes/config/kubeadm_spec.rb'
-    - 'spec/classes/kube_addons_spec.rb'
-    - 'spec/classes/packages_spec.rb'
-    - 'spec/classes/repos_spec.rb'
-    - 'spec/classes/service_spec.rb'
-    - 'spec/defines/kubeadm_join_spec.rb'
-    - 'spec/defines/wait_for_default_sa_spec.rb'

Gemfile

@@ -14,50 +14,57 @@ def location_for(place_or_version, fake_version = nil)
 end
 
 group :development do
-  gem "json", '= 2.1.0',                         require: false if Gem::Requirement.create(['>= 2.5.0', '< 2.7.0']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup))
-  gem "json", '= 2.3.0',                         require: false if Gem::Requirement.create(['>= 2.7.0', '< 3.0.0']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup))
-  gem "json", '= 2.5.1',                         require: false if Gem::Requirement.create(['>= 3.0.0', '< 3.0.5']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup))
   gem "json", '= 2.6.1',                         require: false if Gem::Requirement.create(['>= 3.1.0', '< 3.1.3']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup))
   gem "json", '= 2.6.3',                         require: false if Gem::Requirement.create(['>= 3.2.0', '< 4.0.0']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup))
   gem "racc", '~> 1.4.0',                        require: false if Gem::Requirement.create(['>= 2.7.0', '< 3.0.0']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup))
   gem "deep_merge", '~> 1.2.2',                  require: false
   gem "voxpupuli-puppet-lint-plugins", '~> 5.0', require: false
-  gem "facterdb", '~> 2.1',                      require: false
+  gem "facterdb", '~> 2.1',                      require: false if Gem::Requirement.create(['< 3.0.0']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup))
+  gem "facterdb", '~> 3.0',                      require: false if Gem::Requirement.create(['>= 3.0.0']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup))
   gem "metadata-json-lint", '~> 4.0',            require: false
-  gem "rspec-puppet-facts", '~> 4.0',            require: false
+  gem "json-schema", '< 5.1.1',                  require: false
+  gem "rspec-puppet-facts", '~> 4.0',            require: false if Gem::Requirement.create(['< 3.0.0']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup))
+  gem "rspec-puppet-facts", '~> 5.0',            require: false if Gem::Requirement.create(['>= 3.0.0']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup))
   gem "dependency_checker", '~> 1.0.0',          require: false
   gem "parallel_tests", '= 3.12.1',              require: false
   gem "pry", '~> 0.10',                          require: false
   gem "simplecov-console", '~> 0.9',             require: false
-  gem "puppet-debugger", '~> 1.0',               require: false
+  gem "puppet-debugger", '~> 1.6',               require: false
   gem "rubocop", '~> 1.50.0',                    require: false
   gem "rubocop-performance", '= 1.16.0',         require: false
   gem "rubocop-rspec", '= 2.19.0',               require: false
   gem "rb-readline", '= 0.5.5',                  require: false, platforms: [:mswin, :mingw, :x64_mingw]
-  gem "rexml", '>= 3.3.9',                       require: false
+  gem "bigdecimal", '< 3.2.2',                   require: false, platforms: [:mswin, :mingw, :x64_mingw]
 end
 group :development, :release_prep do
   gem "puppet-strings", '~> 4.0',         require: false
-  gem "puppetlabs_spec_helper", '~> 7.0', require: false
+  gem "puppetlabs_spec_helper", '~> 8.0', require: false
+  gem "puppet-blacksmith", '~> 7.0',      require: false
 end
 group :system_tests do
-  gem "puppet_litmus", '~> 1.0',   require: false, platforms: [:ruby, :x64_mingw]
+  gem "puppet_litmus", '~> 2.0',   require: false, platforms: [:ruby, :x64_mingw] if !ENV['PUPPET_FORGE_TOKEN'].to_s.empty?
+  gem "puppet_litmus", '~> 1.0',   require: false, platforms: [:ruby, :x64_mingw] if ENV['PUPPET_FORGE_TOKEN'].to_s.empty?
   gem "CFPropertyList", '< 3.0.7', require: false, platforms: [:mswin, :mingw, :x64_mingw]
   gem "serverspec", '~> 2.41',     require: false
 end
 
-puppet_version = ENV['PUPPET_GEM_VERSION']
-facter_version = ENV['FACTER_GEM_VERSION']
-hiera_version = ENV['HIERA_GEM_VERSION']
-
 gems = {}
 
-gems['puppet'] = location_for(puppet_version)
-
+puppet_version = ENV.fetch('PUPPET_GEM_VERSION', nil)
+facter_version = ENV.fetch('FACTER_GEM_VERSION', nil)
+hiera_version = ENV.fetch('HIERA_GEM_VERSION', nil)
 # If facter or hiera versions have been specified via the environment
 # variables
 
-gems['facter'] = location_for(facter_version) if facter_version
+# If PUPPET_FORGE_TOKEN is set then use authenticated source for both puppet and facter, since facter is a transitive dependency of puppet
+# Otherwise, do as before and use location_for to fetch gems from the default source
+if !ENV['PUPPET_FORGE_TOKEN'].to_s.empty?
+  gems['puppet'] = ['~> 8.11', { require: false, source: 'https://rubygems-puppetcore.puppet.com' }]
+  gems['facter'] = ['~> 4.11', { require: false, source: 'https://rubygems-puppetcore.puppet.com' }]
+else
+  gems['puppet'] = location_for(puppet_version)
+  gems['facter'] = location_for(facter_version) if facter_version
+end
 gems['hiera'] = location_for(hiera_version) if hiera_version
 
 gems.each do |gem_name, gem_params|

Rakefile

@@ -8,6 +8,14 @@ require 'puppet-strings/tasks' if Gem.loaded_specs.key? 'puppet-strings'
 
 PuppetLint.configuration.send('disable_relative')
 PuppetLint.configuration.send('disable_params_empty_string_assignment')
+PuppetLint.configuration.send('disable_80chars')
+PuppetLint.configuration.send('disable_140chars')
+PuppetLint.configuration.send('disable_class_inherits_from_params_class')
+PuppetLint.configuration.send('disable_autoloader_layout')
+PuppetLint.configuration.send('disable_documentation')
+PuppetLint.configuration.send('disable_single_quote_string_with_variables')
+PuppetLint.configuration.fail_on_warnings = true
+PuppetLint.configuration.ignore_paths = [".vendor/**/*.pp", ".bundle/**/*.pp", "pkg/**/*.pp", "spec/**/*.pp", "tests/**/*.pp", "types/**/*.pp", "vendor/**/*.pp"]
 
 require 'rspec/core/rake_task'
 namespace :kubernetes do

lib/puppet/parser/functions/kubeadm_join_flags.rb

@@ -16,9 +16,14 @@ module Puppet::Parser::Functions
     flags << "--discovery-file '#{opts['discovery_file']}'" if opts['discovery_file'] && opts['discovery_file'].to_s != 'undef'
     flags << "--discovery-token '#{opts['discovery_token']}'" if opts['discovery_token'] && opts['discovery_token'].to_s != 'undef'
     flags << "--discovery-token-ca-cert-hash 'sha256:#{opts['ca_cert_hash']}'" if opts['ca_cert_hash'] && opts['ca_cert_hash'].to_s != 'undef'
-    flags << "--discovery-token-unsafe-skip-ca-verification '#{opts['skip_ca_verification']}'" if opts['skip_ca_verification']
+    # This is a boolean flag and should not take a value
+    flags << '--discovery-token-unsafe-skip-ca-verification' if opts['skip_ca_verification']
     flags << "--feature-gates '#{opts['feature_gates'].join(',')}'" if opts['feature_gates'] && opts['feature_gates'].to_s != 'undef'
-    flags << "--ignore-preflight-errors '#{opts['ignore_preflight_errors'].join(',')}'" if opts['ignore_preflight_errors'] && opts['ignore_preflight_errors'].to_s != 'undef'
+    if opts['ignore_preflight_errors'] && opts['ignore_preflight_errors'].to_s != 'undef'
+      cleaned = Array(opts['ignore_preflight_errors']).reject { |e| e.nil? || e.to_s.strip.empty? }
+      # kubeadm accepts comma-separated list without quoting
+      flags << "--ignore-preflight-errors '#{cleaned.join(',')}'" unless cleaned.empty?
+    end
     flags << "--node-name '#{opts['node_name']}'" if opts['node_name'] && opts['node_name'].to_s != 'undef'
     flags << "--token '#{opts['token']}'" if opts['token'] && opts['token'].to_s != 'undef'
 

metadata.json

@@ -30,7 +30,7 @@
     },
     {
       "name": "puppet-kmod",
-      "version_requirement": ">= 2.2.0 < 5.0.0"
+      "version_requirement": ">= 2.2.0 <= 5.0.0"
     }
   ],
   "operatingsystem_support": [
@@ -65,10 +65,10 @@
   "requirements": [
     {
       "name": "puppet",
-      "version_requirement": ">= 7.0.0 < 9.0.0"
+      "version_requirement": ">= 8.0.0 < 9.0.0"
     }
   ],
-  "pdk-version": "3.2.0",
+  "pdk-version": "3.5.0 (ga43db72)",
   "template-url": "https://github.com/puppetlabs/pdk-templates.git#main",
-  "template-ref": "tags/3.2.0.4-0-g5d17ec1"
+  "template-ref": "heads/main-0-g11c0f3d"
 }

spec/classes/config/kubeadm_spec.rb

@@ -300,7 +300,7 @@
     end
 
     it {
-      expect(subject).to contain_file('/etc/kubernetes/config.yaml') \
+      is_expected.to contain_file('/etc/kubernetes/config.yaml') \
         .with_content(%r{clusterName: my_own_name\n})
     }
   end
@@ -314,7 +314,7 @@
     end
 
     it {
-      expect(subject).to contain_file('/etc/kubernetes/config.yaml') \
+      is_expected.to contain_file('/etc/kubernetes/config.yaml') \
         .with_content(%r{clusterName: my_own_name\n})
     }
   end
@@ -593,7 +593,7 @@
     let(:config_yaml) { YAML.load_stream(catalogue.resource('file', '/etc/kubernetes/config.yaml').send(:parameters)[:content]) }
 
     it {
-      expect(subject).to contain_file('/etc/kubernetes/config.yaml') \
+      is_expected.to contain_file('/etc/kubernetes/config.yaml') \
         .with_content(%r{key: node-role.kubernetes.io/control-plane\n})
     }
   end

spec/classes/kube_addons_spec.rb

@@ -32,17 +32,21 @@
     end
 
     it {
-      expect(subject).to contain_exec('Install calico rbac bindings').with({
-                                                                             command: ['kubectl', 'apply', '-f', 'foo'],
-                                                                             onlyif: ['kubectl get nodes']
-                                                                           })
+      is_expected.to contain_exec('Install calico rbac bindings').with(
+        {
+          command: ['kubectl', 'apply', '-f', 'foo'],
+          onlyif: ['kubectl get nodes']
+        },
+      )
     }
 
     it {
-      expect(subject).to contain_exec('Install cni network provider').with({
-                                                                             command: ['kubectl', 'apply', '-f', 'https://foo.test'],
-                                                                             onlyif: ['kubectl get nodes']
-                                                                           })
+      is_expected.to contain_exec('Install cni network provider').with(
+        {
+          command: ['kubectl', 'apply', '-f', 'https://foo.test'],
+          onlyif: ['kubectl get nodes']
+        },
+      )
     }
 
     it { is_expected.to contain_exec('schedule on controller') }
@@ -72,18 +76,20 @@
         case provider
         when 'calico-tigera'
           it {
-            expect(subject).to contain_exec('Install cni network (preinstall)').with({
-                                                                                       command: ['kubectl', 'create', '-f', 'https://foo.test/tigera-operator'],
-                                                                                       onlyif: 'kubectl get nodes'
-                                                                                     })
+            is_expected.to contain_exec('Install cni network (preinstall)').with(
+              {
+                command: ['kubectl', 'create', '-f', 'https://foo.test/tigera-operator'],
+                onlyif: 'kubectl get nodes'
+              },
+            )
           }
 
           it { is_expected.to contain_file('/etc/kubernetes/calico-installation.yaml') }
           it { is_expected.to contain_file_line('Configure calico ipPools.cidr') }
           it { is_expected.to contain_exec('Install cni network provider') }
         when 'flannel'
           it {
-            expect(subject).to contain_exec('Install cni network provider').with(
+            is_expected.to contain_exec('Install cni network provider').with(
               {
                 onlyif: ['kubectl get nodes'],
                 command: ['kubectl', 'create', '-f', "https://#{provider}.test"],
@@ -93,17 +99,21 @@
           }
         else
           it {
-            expect(subject).to contain_exec('Install cni network provider').with({
-                                                                                   onlyif: ['kubectl get nodes'],
-                                                                                   command: ['kubectl', 'apply', '-f', "https://#{provider}.test"],
-                                                                                   unless: ['kubectl -n kube-system get daemonset | egrep "(flannel|weave|calico-node|cilium)"']
-                                                                                 })
+            is_expected.to contain_exec('Install cni network provider').with(
+              {
+                onlyif: ['kubectl get nodes'],
+                command: ['kubectl', 'apply', '-f', "https://#{provider}.test"],
+                unless: ['kubectl -n kube-system get daemonset | egrep "(flannel|weave|calico-node|cilium)"']
+              },
+            )
           }
 
           it {
-            expect(subject).not_to contain_exec('Install cni network (preinstall)').with({
-                                                                                           onlyif: ['kubectl get nodes']
-                                                                                         })
+            is_expected.not_to contain_exec('Install cni network (preinstall)').with(
+              {
+                onlyif: ['kubectl get nodes']
+              },
+            )
           }
         end
       end