(CAT-2345) Prepare module for Puppetcore / Drop Support for Puppet 7

.github/workflows/ci.yml

@@ -18,4 +18,5 @@ jobs:
     uses: "puppetlabs/cat-github-actions/.github/workflows/module_acceptance.yml@main"
     with:
       runs_on: "ubuntu-24.04"
+      flags: "--nightly"
     secrets: "inherit"

.github/workflows/nightly.yml

@@ -17,5 +17,6 @@ jobs:
     uses: "puppetlabs/cat-github-actions/.github/workflows/module_acceptance.yml@main"
     with:
       runs_on: "ubuntu-24.04"
+      flags: "--nightly"
     secrets: "inherit"
 

.puppet-lint.rc

@@ -1 +1,9 @@
+--fail-on-warnings
 --relative
+--no-80chars-check
+--no-140chars-check
+--no-class_inherits_from_params_class-check
+--no-autoloader_layout-check
+--no-documentation-check
+--no-single_quote_string_with_variables-check
+--ignore-paths=.vendor/**/*.pp,.bundle/**/*.pp,pkg/**/*.pp,spec/**/*.pp,tests/**/*.pp,types/**/*.pp,vendor/**/*.pp

.rubocop.yml

@@ -5,7 +5,7 @@ require:
 AllCops:
   NewCops: enable
   DisplayCopNames: true
-  TargetRubyVersion: '2.6'
+  TargetRubyVersion: '3.1'
   Include:
   - "**/*.rb"
   Exclude:

.rubocop_todo.yml

@@ -1,56 +1,11 @@
 # This configuration was generated by
 # `rubocop --auto-gen-config`
-# on 2023-08-29 15:26:08 UTC using RuboCop version 1.48.1.
+# on 2025-07-01 09:21:38 UTC using RuboCop version 1.50.2.
 # The point is for the user to remove these configuration records
 # one by one as the offenses are removed from the code base.
 # Note that changes in the inspected code, or installation of new
 # versions of RuboCop, may require this file to be generated again.
 
-# Offense count: 20
-# Configuration parameters: AllowedMethods, AllowedPatterns, CountRepeatedAttributes.
-Metrics/AbcSize:
-  Max: 270
-
-# Offense count: 2
-# Configuration parameters: CountComments, CountAsOne, AllowedMethods, AllowedPatterns, inherit_mode.
-# AllowedMethods: refine
-Metrics/BlockLength:
-  Max: 127
-
-# Offense count: 3
-# Configuration parameters: CountComments, CountAsOne.
-Metrics/ClassLength:
-  Max: 776
-
-# Offense count: 17
-# Configuration parameters: AllowedMethods, AllowedPatterns.
-Metrics/CyclomaticComplexity:
-  Max: 122
-
-# Offense count: 20
-# Configuration parameters: CountComments, CountAsOne, AllowedMethods, AllowedPatterns.
-Metrics/MethodLength:
-  Max: 135
-
-# Offense count: 12
-# Configuration parameters: AllowedMethods, AllowedPatterns.
-Metrics/PerceivedComplexity:
-  Max: 122
-
-# Offense count: 18
-# Configuration parameters: IgnoredMetadata.
-RSpec/DescribeClass:
-  Enabled: false
-
-# Offense count: 9
-# Configuration parameters: CountAsOne.
-RSpec/ExampleLength:
-  Max: 8
-
-# Offense count: 41
-RSpec/MultipleExpectations:
-  Max: 2
-
 # Offense count: 38
 # Configuration parameters: EnforcedStyle, IgnoreSharedExamples.
 # SupportedStyles: always, named_only
@@ -60,31 +15,9 @@ RSpec/NamedSubject:
     - 'spec/unit/classes/firewall_linux_debian_spec.rb'
     - 'spec/unit/classes/firewall_linux_redhat_spec.rb'
 
-# Offense count: 38
-# Configuration parameters: AllowedGroups.
-RSpec/NestedGroups:
-  Max: 5
-
-# Offense count: 43
-# Configuration parameters: AllowedPatterns.
-# AllowedPatterns: ^expect_, ^assert_
-RSpec/NoExpectationExample:
-  Exclude:
-    - 'spec/acceptance/class_spec.rb'
-    - 'spec/acceptance/firewall_attributes_exceptions_spec.rb'
-    - 'spec/acceptance/firewall_attributes_ipv6_exceptions_spec.rb'
-    - 'spec/acceptance/firewallchain_spec.rb'
-    - 'spec/acceptance/rules_spec.rb'
-    - 'spec/acceptance/standard_usage_spec.rb'
-
-# Offense count: 83
+# Offense count: 85
 # Configuration parameters: AllowedVariables.
 Style/GlobalVars:
   Exclude:
     - 'lib/puppet/provider/firewall/firewall.rb'
     - 'lib/puppet/provider/firewallchain/firewallchain.rb'
-
-# Offense count: 1
-Style/MixinUsage:
-  Exclude:
-    - 'spec/spec_helper.rb'

.sync.yml

@@ -1,4 +1,6 @@
 ---
+common:
+  service_url: https://facade-set-subnetwork-1079112402178.europe-west1.run.app/v1/provision
 ".gitlab-ci.yml":
   delete: true
 appveyor.yml:

Gemfile

@@ -14,51 +14,56 @@ def location_for(place_or_version, fake_version = nil)
 end
 
 group :development do
-  gem "json", '= 2.1.0',                         require: false if Gem::Requirement.create(['>= 2.5.0', '< 2.7.0']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup))
-  gem "json", '= 2.3.0',                         require: false if Gem::Requirement.create(['>= 2.7.0', '< 3.0.0']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup))
-  gem "json", '= 2.5.1',                         require: false if Gem::Requirement.create(['>= 3.0.0', '< 3.0.5']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup))
   gem "json", '= 2.6.1',                         require: false if Gem::Requirement.create(['>= 3.1.0', '< 3.1.3']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup))
   gem "json", '= 2.6.3',                         require: false if Gem::Requirement.create(['>= 3.2.0', '< 4.0.0']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup))
   gem "racc", '~> 1.4.0',                        require: false if Gem::Requirement.create(['>= 2.7.0', '< 3.0.0']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup))
   gem "deep_merge", '~> 1.2.2',                  require: false
   gem "voxpupuli-puppet-lint-plugins", '~> 5.0', require: false
-  gem "facterdb", '~> 1.18',                      require: false
+  gem "facterdb", '~> 2.1',                      require: false if Gem::Requirement.create(['< 3.0.0']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup))
+  gem "facterdb", '~> 3.0',                      require: false if Gem::Requirement.create(['>= 3.0.0']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup))
   gem "metadata-json-lint", '~> 4.0',            require: false
-  gem "rspec-puppet-facts", '~> 2.0',            require: false
+  gem "json-schema", '< 5.1.1',                  require: false
+  gem "rspec-puppet-facts", '~> 4.0',            require: false if Gem::Requirement.create(['< 3.0.0']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup))
+  gem "rspec-puppet-facts", '~> 5.0',            require: false if Gem::Requirement.create(['>= 3.0.0']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup))
   gem "dependency_checker", '~> 1.0.0',          require: false
   gem "parallel_tests", '= 3.12.1',              require: false
   gem "pry", '~> 0.10',                          require: false
   gem "simplecov-console", '~> 0.9',             require: false
-  gem "puppet-debugger", '~> 1.0',               require: false
+  gem "puppet-debugger", '~> 1.6',               require: false
   gem "rubocop", '~> 1.50.0',                    require: false
   gem "rubocop-performance", '= 1.16.0',         require: false
   gem "rubocop-rspec", '= 2.19.0',               require: false
   gem "rb-readline", '= 0.5.5',                  require: false, platforms: [:mswin, :mingw, :x64_mingw]
-  gem "rexml", '>= 3.3.9',                       require: false
+  gem "bigdecimal", '< 3.2.2',                   require: false, platforms: [:mswin, :mingw, :x64_mingw]
   gem "puppet-resource_api",                     require: false
 end
 group :development, :release_prep do
   gem "puppet-strings", '~> 4.0',         require: false
-  gem "puppetlabs_spec_helper", '~> 7.0', require: false
+  gem "puppetlabs_spec_helper", '~> 8.0', require: false
+  gem "puppet-blacksmith", '~> 7.0',      require: false
 end
 group :system_tests do
-  gem "puppet_litmus", '~> 1.0',   require: false, platforms: [:ruby, :x64_mingw]
+  gem "puppet_litmus", '~> 2.0',   require: false, platforms: [:ruby, :x64_mingw] if !ENV['PUPPET_FORGE_TOKEN'].to_s.empty?
+  gem "puppet_litmus", '~> 1.0',   require: false, platforms: [:ruby, :x64_mingw] if ENV['PUPPET_FORGE_TOKEN'].to_s.empty?
   gem "CFPropertyList", '< 3.0.7', require: false, platforms: [:mswin, :mingw, :x64_mingw]
   gem "serverspec", '~> 2.41',     require: false
 end
 
-puppet_version = ENV['PUPPET_GEM_VERSION']
-facter_version = ENV['FACTER_GEM_VERSION']
-hiera_version = ENV['HIERA_GEM_VERSION']
-
 gems = {}
+puppet_version = ENV.fetch('PUPPET_GEM_VERSION', nil)
+facter_version = ENV.fetch('FACTER_GEM_VERSION', nil)
+hiera_version = ENV.fetch('HIERA_GEM_VERSION', nil)
 
-gems['puppet'] = location_for(puppet_version)
-
-# If facter or hiera versions have been specified via the environment
-# variables
+# If PUPPET_FORGE_TOKEN is set then use authenticated source for both puppet and facter, since facter is a transitive dependency of puppet
+# Otherwise, do as before and use location_for to fetch gems from the default source
+if !ENV['PUPPET_FORGE_TOKEN'].to_s.empty?
+  gems['puppet'] = ['~> 8.11', { require: false, source: 'https://rubygems-puppetcore.puppet.com' }]
+  gems['facter'] = ['~> 4.11', { require: false, source: 'https://rubygems-puppetcore.puppet.com' }]
+else
+  gems['puppet'] = location_for(puppet_version)
+  gems['facter'] = location_for(facter_version) if facter_version
+end
 
-gems['facter'] = location_for(facter_version) if facter_version
 gems['hiera'] = location_for(hiera_version) if hiera_version
 
 gems.each do |gem_name, gem_params|

Rakefile

@@ -7,3 +7,12 @@ require 'puppet-syntax/tasks/puppet-syntax'
 require 'puppet-strings/tasks' if Gem.loaded_specs.key? 'puppet-strings'
 
 PuppetLint.configuration.send('disable_relative')
+PuppetLint.configuration.send('disable_80chars')
+PuppetLint.configuration.send('disable_140chars')
+PuppetLint.configuration.send('disable_class_inherits_from_params_class')
+PuppetLint.configuration.send('disable_autoloader_layout')
+PuppetLint.configuration.send('disable_documentation')
+PuppetLint.configuration.send('disable_single_quote_string_with_variables')
+PuppetLint.configuration.fail_on_warnings = true
+PuppetLint.configuration.ignore_paths = [".vendor/**/*.pp", ".bundle/**/*.pp", "pkg/**/*.pp", "spec/**/*.pp", "tests/**/*.pp", "types/**/*.pp", "vendor/**/*.pp"]
+

metadata.json

@@ -81,10 +81,10 @@
   "requirements": [
     {
       "name": "puppet",
-      "version_requirement": ">= 7.0.0 < 9.0.0"
+      "version_requirement": ">= 8.0.0 < 9.0.0"
     }
   ],
   "template-url": "https://github.com/puppetlabs/pdk-templates.git#main",
-  "template-ref": "tags/3.2.0.4-0-g5d17ec1",
-  "pdk-version": "3.2.0"
+  "template-ref": "heads/main-0-ga1e4056",
+  "pdk-version": "3.5.0 (ga43db72)"
 }

spec/spec_helper_acceptance_local.rb

@@ -71,6 +71,15 @@ def fetch_os_name
       end
       LitmusHelper.instance.run_shell('touch /etc/sysconfig/iptables')
       LitmusHelper.instance.run_shell('touch /etc/sysconfig/ip6tables')
+    elsif ['almalinux-8', 'rocky-8'].include?("#{fetch_os_name}-#{os[:release].to_i}")
+      LitmusHelper.instance.run_shell('yum update -y')
+      LitmusHelper.instance.run_shell('depmod -a')
+      ['xt_bpf'].each do |t|
+        LitmusHelper.instance.run_shell("modprobe iptable_#{t}")
+        LitmusHelper.instance.run_shell("modprobe ip6table_#{t}")
+      end
+      LitmusHelper.instance.run_shell('touch /etc/sysconfig/iptables')
+      LitmusHelper.instance.run_shell('touch /etc/sysconfig/ip6tables')
     end
     if os[:family] == 'debian'
       LitmusHelper.instance.run_shell('apt-get update -y')

spec/spec_helper_local.rb

@@ -44,14 +44,14 @@
   end
 end
 
-shared_context 'when Debian 10' do
-  let(:facts) { on_supported_os['debian-10-x86_64'] }
-end
-
 shared_context 'when Debian 11' do
   let(:facts) { on_supported_os['debian-11-x86_64'] }
 end
 
+shared_context 'when Debian 12' do
+  let(:facts) { on_supported_os['debian-12-x86_64'] }
+end
+
 shared_context 'when Debian Unstable' do
   let(:facts) do
     {

spec/unit/classes/firewall_linux_debian_spec.rb

@@ -3,8 +3,8 @@
 require 'spec_helper'
 
 describe 'firewall::linux::debian', type: :class do
-  context 'with Debian 10' do
-    include_examples 'when Debian 10'
+  context 'with Debian 11' do
+    include_examples 'when Debian 11'
 
     it {
       expect(subject).to contain_package('iptables-persistent').with(
@@ -21,10 +21,10 @@
     }
   end
 
-  context 'with Debian 10, enable => false' do
+  context 'with Debian 11, enable => false' do
     let(:params) { { enable: 'false' } }
 
-    include_examples 'when Debian 10'
+    include_examples 'when Debian 11'
 
     it {
       expect(subject).to contain_service('netfilter-persistent').with(
@@ -33,10 +33,10 @@
     }
   end
 
-  context 'with Debian 10, ensure => stopped' do
+  context 'with Debian 11, ensure => stopped' do
     let(:params) { { ensure: 'stopped' } }
 
-    include_examples 'when Debian 10'
+    include_examples 'when Debian 11'
 
     it {
       expect(subject).to contain_service('netfilter-persistent').with(
@@ -45,8 +45,8 @@
     }
   end
 
-  context 'with Debian 11' do
-    include_examples 'when Debian 11'
+  context 'with Debian 12' do
+    include_examples 'when Debian 12'
 
     it {
       expect(subject).to contain_package('iptables-persistent').with(
@@ -63,10 +63,10 @@
     }
   end
 
-  context 'with Debian 11, enable => false' do
+  context 'with Debian 12, enable => false' do
     let(:params) { { enable: 'false' } }
 
-    include_examples 'when Debian 11'
+    include_examples 'when Debian 12'
 
     it {
       expect(subject).to contain_service('netfilter-persistent').with(
@@ -75,10 +75,10 @@
     }
   end
 
-  context 'with Debian 11, ensure => stopped' do
+  context 'with Debian 12, ensure => stopped' do
     let(:params) { { ensure: 'stopped' } }
 
-    include_examples 'when Debian 11'
+    include_examples 'when Debian 12'
 
     it {
       expect(subject).to contain_service('netfilter-persistent').with(

spec/unit/classes/firewall_spec.rb

@@ -4,7 +4,7 @@
 
 describe 'firewall', type: :class do
   context 'with kernel => Linux' do
-    include_examples 'when Debian 10'
+    include_examples 'when Debian 12'
 
     it { is_expected.to contain_class('firewall::linux').with_ensure('running') }
   end
@@ -30,7 +30,7 @@
   context 'with ensure => stopped' do
     let(:params) { { ensure: 'stopped' } }
 
-    include_examples 'when Debian 10'
+    include_examples 'when Debian 12'
 
     it { is_expected.to contain_class('firewall::linux').with_ensure('stopped') }
   end

spec/unit/puppet/provider/firewall/firewall_public_spec.rb

@@ -62,7 +62,7 @@
         },
       ].each do |test|
         it "updates the resource: '#{test[:should][:name]}'" do
-          expect(context).to receive(:notice).with(%r{\Updating Rule '#{test[:should][:name]}'})
+          expect(context).to receive(:notice).with(%r{Updating Rule '#{test[:should][:name]}'})
           allow(described_class).to receive(:insert_order)
             .with(context, test[:should][:name], test[:should][:chain], test[:should][:table], test[:should][:protocol]).and_return(1)
           allow(described_class).to receive(:hash_to_rule)