From 98b866fce78039c26f77041397040945720936b6 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sat, 18 Oct 2025 19:11:38 +1100 Subject: [PATCH] feat: migrate puppet-agent to openvox (#408) - change from puppet-agent to openvox-agent - upgrade version from 7.34 to 7.36 - ensure workflow of: Yumrepo -> dnf-makecache -> Package Reviewed-on: https://git.unkin.net/unkin/puppet-prod/pulls/408 --- hieradata/common.yaml | 3 -- hieradata/os/AlmaLinux/all_releases.yaml | 10 +--- hieradata/os/Debian/Debian11.yaml | 2 +- hieradata/os/Debian/Debian12.yaml | 2 +- hieradata/roles/infra/puppet/master.yaml | 5 ++ site/profiles/manifests/base.pp | 10 +--- site/profiles/manifests/defaults.pp | 1 + site/profiles/manifests/puppet/agent.pp | 64 +++++++++++++++++------- site/profiles/manifests/yum/global.pp | 3 ++ 9 files changed, 62 insertions(+), 38 deletions(-) diff --git a/hieradata/common.yaml b/hieradata/common.yaml index 279c10b..3863f91 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml @@ -176,9 +176,6 @@ profiles::ntp::client::peers: - 2.au.pool.ntp.org - 3.au.pool.ntp.org -profiles::base::puppet_servers: - - 'prodinf01n01.main.unkin.net' - consul::install_method: 'package' consul::manage_repo: false consul::bin_dir: /usr/bin diff --git a/hieradata/os/AlmaLinux/all_releases.yaml b/hieradata/os/AlmaLinux/all_releases.yaml index fc20a28..47c116d 100644 --- a/hieradata/os/AlmaLinux/all_releases.yaml +++ b/hieradata/os/AlmaLinux/all_releases.yaml @@ -3,7 +3,8 @@ profiles::firewall::firewalld::ensure_package: 'absent' profiles::firewall::firewalld::ensure_service: 'stopped' profiles::firewall::firewalld::enable_service: false -profiles::puppet::agent::puppet_version: '7.34.0' +profiles::puppet::agent::version: '7.37.2' +profiles::puppet::agent::openvox_enable: true hiera_include: - profiles::almalinux::base 
@@ -53,13 +54,6 @@ profiles::yum::global::repos: baseurl: https://packagerepo.service.consul/epel/%{facts.os.release.major}/everything-daily/%{facts.os.architecture}/os/ gpgkey: https://packagerepo.service.consul/epel/%{facts.os.release.major}/everything-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-EPEL-%{facts.os.release.major} mirrorlist: absent - puppet: - name: puppet - descr: puppet repository - target: /etc/yum.repos.d/puppet.repo - baseurl: https://packagerepo.service.consul/puppet7/el/%{facts.os.release.major}-daily/%{facts.os.architecture}/os/ - gpgkey: https://packagerepo.service.consul/puppet7/el/%{facts.os.release.major}-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-puppet-20250406 - mirrorlist: absent unkinben: name: unkinben descr: unkinben repository diff --git a/hieradata/os/Debian/Debian11.yaml b/hieradata/os/Debian/Debian11.yaml index 594461c..5aa30c0 100644 --- a/hieradata/os/Debian/Debian11.yaml +++ b/hieradata/os/Debian/Debian11.yaml @@ -11,4 +11,4 @@ profiles::apt::components: - main - non-free -profiles::puppet::agent::puppet_version: '7.25.0-1bullseye' +profiles::puppet::agent::version: '7.25.0-1bullseye' diff --git a/hieradata/os/Debian/Debian12.yaml b/hieradata/os/Debian/Debian12.yaml index f6b5f7d..8e19138 100644 --- a/hieradata/os/Debian/Debian12.yaml +++ b/hieradata/os/Debian/Debian12.yaml @@ -12,4 +12,4 @@ profiles::apt::components: - non-free - non-free-firmware -profiles::puppet::agent::puppet_version: 'latest' +profiles::puppet::agent::version: 'latest' diff --git a/hieradata/roles/infra/puppet/master.yaml b/hieradata/roles/infra/puppet/master.yaml index f1a7010..12b6909 100644 --- a/hieradata/roles/infra/puppet/master.yaml +++ b/hieradata/roles/infra/puppet/master.yaml 
@@ -19,6 +19,11 @@ profiles::puppet::autosign::domains: # profiles::puppet::autosign::nodes: # - 'somenode.main.unkin.net' +# not ready to migrate puppet masters yet +profiles::puppet::agent::version: '7.34.0' +profiles::puppet::agent::openvox_enable: false + + profiles::puppet::cobbler_enc::cobbler_scheme: https profiles::puppet::cobbler_enc::cobbler_hostname: cobbler.main.unkin.net profiles::puppet::cobbler_enc::version: 'system' diff --git a/site/profiles/manifests/base.pp b/site/profiles/manifests/base.pp index 7add82f..f9d2f80 100644 --- a/site/profiles/manifests/base.pp +++ b/site/profiles/manifests/base.pp @@ -1,7 +1,5 @@ # this is the base class, which will be used by all servers -class profiles::base ( - Array $puppet_servers, -) { +class profiles::base () { # run a limited set of classes on the first run aimed at bootstrapping the new node if $facts['firstrun'] { @@ -13,11 +11,7 @@ class profiles::base ( # manage the puppet agent include profiles::puppet::agent - - # manage puppet clients - if ! member($puppet_servers, $trusted['certname']) { - include profiles::puppet::client - } + include profiles::puppet::client # include the base profiles include profiles::base::repos diff --git a/site/profiles/manifests/defaults.pp b/site/profiles/manifests/defaults.pp index 3600652..0ae296b 100644 --- a/site/profiles/manifests/defaults.pp +++ b/site/profiles/manifests/defaults.pp @@ -11,6 +11,7 @@ class profiles::defaults { ensure => present, require => [ Class['profiles::base::repos'], + Exec['dnf_makecache'], ] } diff --git a/site/profiles/manifests/puppet/agent.pp b/site/profiles/manifests/puppet/agent.pp index 76164c1..fee46af 100644 --- a/site/profiles/manifests/puppet/agent.pp +++ b/site/profiles/manifests/puppet/agent.pp 
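Review bot: Dropping the `member($puppet_servers, $trusted['certname'])` guard in base.pp means `include profiles::puppet::client` now also applies to the puppet servers, and the commit description does not mention that behaviour change. profiles::puppet::client is not visible in this patch, so confirm it does not manage agent-side settings that conflict with the servers' own configuration before this reaches the masters. If the exclusion is still wanted, a role-level hiera boolean keeps it without the hard-coded server list, e.g. `if $manage_client { include profiles::puppet::client }`. The now-empty parameter list can be written `class profiles::base {`.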
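Review bot: The `Exec['dnf_makecache']` added to the `require` list in defaults.pp is a hard resource reference, and this repository also carries Debian hieradata. Any node that includes profiles::defaults without the class that declares that exec would fail catalog compilation with a missing-resource error. The exec's declaration is not shown in this patch; if it lives in a yum-only class, make the reference conditional on `$facts['os']['family'] == 'RedHat'` or add a comment stating that profiles::defaults is RedHat-only. The enclosing resource starts outside the hunk, so the resource type the requirement attaches to is inferred. It also overlaps with the collector chain added in yum/global.pp, so one of the two is likely enough.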
@@ -1,37 +1,68 @@ # profiles::puppet::agent # This class manages Puppet agent package and service. class profiles::puppet::agent ( - String $puppet_version = 'latest', + String $version = 'latest', + Boolean $openvox_enable = false, ) { - # if puppet-version is anything other than latest, set a versionlock - $puppet_versionlock_ensure = $puppet_version ? { + # set openvox package, yumrepo, service + if $openvox_enable { + $use_package = 'openvox-agent' + $use_yumrepo = 'openvox' + $use_service = 'puppet' + }else{ + $use_package = 'puppet-agent' + $use_yumrepo = 'puppet' + $use_service = 'puppet' + } + + # manage the yumrepo for the given package + if $openvox_enable and $facts['os']['family'] == 'RedHat' { + yumrepo { 'openvox': + ensure => 'present', + baseurl => "https://packagerepo.service.consul/openvox7/el/${facts['os']['release']['major']}-daily/${facts['os']['architecture']}/os/", + descr => 'openvox repository', + gpgkey => "https://packagerepo.service.consul/openvox7/el/${facts['os']['release']['major']}-daily/${facts['os']['architecture']}/os/GPG-KEY-openvox.pub", + notify => Exec['dnf_makecache'], + } + }else{ + yumrepo { 'puppet': + ensure => 'present', + baseurl => "https://packagerepo.service.consul/puppet7/el/${facts['os']['release']['major']}-daily/${facts['os']['architecture']}/os/", + descr => 'puppet repository', + gpgkey => "https://packagerepo.service.consul/puppet7/el/${facts['os']['release']['major']}-daily/${facts['os']['architecture']}/os/RPM-GPG-KEY-puppet-20250406", + notify => Exec['dnf_makecache'], + } + } + + # if agent-version is anything other than latest, set a versionlock + $agent_versionlock_ensure = $version ? { 'latest' => 'absent', default => 'present', } - $puppet_versionlock_version = $puppet_version ? { + $agent_versionlock_version = $version ? 
{ 'latest' => undef, - default => $puppet_version, + default => $version, } case $facts['os']['family'] { 'RedHat': { - # Ensure the puppet-agent package is installed and locked to a specific version - package { 'puppet-agent': - ensure => $puppet_version, - require => Yumrepo['puppet'], + # Ensure the agent package is installed and locked to a specific version + package { $use_package: + ensure => $version, + require => Yumrepo[$use_yumrepo], } # versionlock puppet-agent - yum::versionlock{'puppet-agent': - ensure => $puppet_versionlock_ensure, - version => $puppet_versionlock_version, + yum::versionlock{$use_package: + ensure => $agent_versionlock_ensure, + version => $agent_versionlock_version, } } 'Debian': { # Ensure the puppet-agent package is installed and locked to a specific version - package { 'puppet-agent': - ensure => $puppet_version, + package { $use_package: + ensure => $version, require => Class['profiles::apt::puppet7'], } } @@ -39,12 +70,11 @@ class profiles::puppet::agent ( } # Ensure the puppet service is running - service { 'puppet': + service { $use_service: ensure => 'running', enable => true, hasrestart => true, - require => Package['puppet-agent'], + require => Package[$use_package], } } - diff --git a/site/profiles/manifests/yum/global.pp b/site/profiles/manifests/yum/global.pp index 58695c4..065f47b 100644 --- a/site/profiles/manifests/yum/global.pp +++ b/site/profiles/manifests/yum/global.pp @@ -55,4 +55,7 @@ class profiles::yum::global ( # setup dnf-autoupdate include profiles::yum::autoupdater + # ensure dnf makecache runs before packages + Yumrepo <| |> -> Exec['dnf_makecache'] -> Package <| |> + }
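Review bot: The `else` branch of `if $openvox_enable and $facts['os']['family'] == 'RedHat'` in agent.pp is taken on every non-RedHat node, so Debian agents would declare `yumrepo { 'puppet': }` with a notify to `Exec['dnf_makecache']`, which is probably not in their catalog. Gate the repository on the OS family first and choose openvox or puppet inside it, as sketched below. Neither inline yumrepo sets `gpgcheck`, so signature enforcement rests on the host's dnf default or on defaults profiles::yum::global may have applied to the hiera-defined repo this replaces (not visible here); `gpgcheck => true` makes verification explicit for the package that runs configuration management as root. On Debian with `openvox_enable` true the package becomes openvox-agent while still requiring `Class['profiles::apt::puppet7']`, so either reject that combination or add the matching apt source. The class body continues into the following hunk.

```puppet
  # manage the yumrepo for the given package (RedHat family only)
  if $facts['os']['family'] == 'RedHat' {
    $repo_path = $openvox_enable ? {
      true    => 'openvox7',
      default => 'puppet7',
    }
    $repo_key = $openvox_enable ? {
      true    => 'GPG-KEY-openvox.pub',
      default => 'RPM-GPG-KEY-puppet-20250406',
    }
    $repo_base = "https://packagerepo.service.consul/${repo_path}/el/${facts['os']['release']['major']}-daily/${facts['os']['architecture']}/os/"

    yumrepo { $use_yumrepo:
      ensure   => 'present',
      baseurl  => $repo_base,
      descr    => "${use_yumrepo} repository",
      gpgkey   => "${repo_base}${repo_key}",
      gpgcheck => true,
      notify   => Exec['dnf_makecache'],
    }
  }

  # … unchanged: versionlock selectors, package, service …
```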
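Review bot: The chain `Yumrepo <| |> -> Exec['dnf_makecache'] -> Package <| |>` in yum/global.pp uses collectors with no search expression, which also realize every virtual Yumrepo and Package in the catalog and order every package after every repository. A Yumrepo that requires a Package (a release or keyring package, for instance) would then form a dependency cycle. The `->` arrow only orders the exec and does not refresh it, so if `dnf_makecache` is refresh-only (its declaration is not shown) the cache is rebuilt only for repos that carry their own `notify`. If a refresh on any repo change is the intent, use `Yumrepo <| |> ~> Exec['dnf_makecache'] -> Package <| |>` and extend the comment to mention the realize side effect.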