theforeman · evgeni · Sep 29, 2025 · Sep 24, 2025 · ekohl · Sep 24, 2025
diff --git a/manifests/core_host_inventory.pp b/manifests/core_host_inventory.pp
@@ -28,7 +28,7 @@
   Stdlib::Port $database_port = 5432,
 ) inherits iop::params {
   include podman
-  include iop::core_network
+  require iop::core_network
   include iop::core_kafka
   include iop::database
 

diff --git a/manifests/core_kafka.pp b/manifests/core_kafka.pp
@@ -31,7 +31,7 @@
   }
 
   podman::volume { 'iop-core-kafka-data':
-    ensure => $ensure,
+    ensure => 'present',
   }
 
   podman::quadlet { 'iop-core-kafka':
@@ -75,14 +75,16 @@
     },
   }
 
-  exec { 'kafka-init':
-    command => "podman run --network=iop-core-network --secret iop-core-kafka-init,target=/opt/kafka/init.sh,mode=0755 ${image} /opt/kafka/init.sh --create",
-    unless  => "podman run --network=iop-core-network --secret iop-core-kafka-init,target=/opt/kafka/init.sh,mode=0755 ${image} /opt/kafka/init.sh --check",
-    require => [
-      Podman::Quadlet['iop-core-kafka'],
-      Podman::Network['iop-core-network'],
-      Podman::Secret['iop-core-kafka-init']
-    ],
-    path    => ['/usr/bin', '/usr/sbin'],
+  if $ensure == 'present' {
+    exec { 'kafka-init':
+      command => "podman run --network=iop-core-network --secret iop-core-kafka-init,target=/opt/kafka/init.sh,mode=0755 ${image} /opt/kafka/init.sh --create",
+      unless  => "podman run --network=iop-core-network --secret iop-core-kafka-init,target=/opt/kafka/init.sh,mode=0755 ${image} /opt/kafka/init.sh --check",
+      require => [
+        Podman::Quadlet['iop-core-kafka'],
+        Podman::Network['iop-core-network'],
+        Podman::Secret['iop-core-kafka-init']
+      ],
+      path    => ['/usr/bin', '/usr/sbin'],
+    }
   }
 }
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -2,16 +2,16 @@
 #
 # Install and configure IOP services
 #
+# === Parameters:
+#
 # === Advanced parameters:
 #
 # $register_as_smartproxy:: Whether to register as a smart proxy
 #
-# $enable_vulnerability:: Enable vulnerability services
-#
-# $enable_advisor:: Enable advisor services
-#
 # $foreman_base_url:: Base URL for Foreman connection
 #
+# $ensure:: Whether services should be present or absent
+#
 # === Database parameters:
 #
 # $database_host:: Shared database host for all services
@@ -49,9 +49,8 @@
 # $remediations_database_password:: Database password for remediations service
 #
 class iop (
+  Enum['present', 'absent'] $ensure = 'present',
   Boolean $register_as_smartproxy = true,
-  Boolean $enable_vulnerability = true,
-  Boolean $enable_advisor = true,
   Optional[Stdlib::HTTPUrl] $foreman_base_url = undef,
   String[1] $database_host = '/var/run/postgresql/',
   Stdlib::Port $database_port = 5432,
@@ -71,54 +70,56 @@
   String[1] $remediations_database_user = 'remediations_user',
   String[1] $remediations_database_password = extlib::cache_data('iop_cache_data', 'remediations_db_password', extlib::random_password(32)),
 ) inherits iop::params {
-  include iop::core_ingress
-  include iop::core_puptoo
-  include iop::core_yuptoo
-  include iop::core_engine
-  include iop::core_gateway
+  class { 'iop::core_kafka': ensure => $ensure }
+  class { 'iop::core_ingress': ensure => $ensure }
+  class { 'iop::core_puptoo': ensure => $ensure }
+  class { 'iop::core_yuptoo': ensure => $ensure }
+  class { 'iop::core_engine': ensure => $ensure }
+  class { 'iop::core_gateway': ensure => $ensure }
   class { 'iop::core_host_inventory':
+    ensure            => $ensure,
     database_host     => $database_host,
     database_port     => $database_port,
     database_name     => $inventory_database_name,
     database_user     => $inventory_database_user,
     database_password => $inventory_database_password,
   }
-  include iop::core_host_inventory_frontend
+  class { 'iop::core_host_inventory_frontend': ensure => $ensure }
 
-  if $enable_vulnerability {
-    class { 'iop::service_vmaas':
-      database_host     => $database_host,
-      database_port     => $database_port,
-      database_name     => $vmaas_database_name,
-      database_user     => $vmaas_database_user,
-      database_password => $vmaas_database_password,
-    }
-    include iop::service_vulnerability_frontend
-    class { 'iop::service_vulnerability':
-      database_host     => $database_host,
-      database_port     => $database_port,
-      database_name     => $vulnerability_database_name,
-      database_user     => $vulnerability_database_user,
-      database_password => $vulnerability_database_password,
-    }
+  class { 'iop::service_vmaas':
+    ensure            => $ensure,
+    database_host     => $database_host,
+    database_port     => $database_port,
+    database_name     => $vmaas_database_name,
+    database_user     => $vmaas_database_user,
+    database_password => $vmaas_database_password,
+  }
+  class { 'iop::service_vulnerability_frontend': ensure => $ensure }
+  class { 'iop::service_vulnerability':
+    ensure            => $ensure,
+    database_host     => $database_host,
+    database_port     => $database_port,
+    database_name     => $vulnerability_database_name,
+    database_user     => $vulnerability_database_user,
+    database_password => $vulnerability_database_password,
   }
 
-  if $enable_advisor {
-    include iop::service_advisor_frontend
-    class { 'iop::service_advisor':
-      database_host     => $database_host,
-      database_port     => $database_port,
-      database_name     => $advisor_database_name,
-      database_user     => $advisor_database_user,
-      database_password => $advisor_database_password,
-    }
-    class { 'iop::service_remediations':
-      database_host     => $database_host,
-      database_port     => $database_port,
-      database_name     => $remediations_database_name,
-      database_user     => $remediations_database_user,
-      database_password => $remediations_database_password,
-    }
+  class { 'iop::service_advisor_frontend': ensure => $ensure }
+  class { 'iop::service_advisor':
+    ensure            => $ensure,
+    database_host     => $database_host,
+    database_port     => $database_port,
+    database_name     => $advisor_database_name,
+    database_user     => $advisor_database_user,
+    database_password => $advisor_database_password,
+  }
+  class { 'iop::service_remediations':
+    ensure            => $ensure,
+    database_host     => $database_host,
+    database_port     => $database_port,
+    database_name     => $remediations_database_name,
+    database_user     => $remediations_database_user,
+    database_password => $remediations_database_password,
   }
 
   if $register_as_smartproxy {
@@ -128,7 +129,7 @@
     $_foreman_base_url_real = pick($foreman_base_url, "https://${facts['networking']['fqdn']}")
 
     foreman_smartproxy { 'iop-gateway':
-      ensure          => present,
+      ensure          => $ensure,
       base_url        => $_foreman_base_url_real,
       consumer_key    => $oauth_consumer_key,
       consumer_secret => $oauth_consumer_secret,

diff --git a/manifests/service_advisor.pp b/manifests/service_advisor.pp
@@ -30,7 +30,7 @@
   include podman
   include iop::database
   include iop::core_kafka
-  include iop::core_network
+  require iop::core_network
   include iop::core_host_inventory
 
   $service_name = 'iop-service-advisor-backend'

diff --git a/manifests/service_remediations.pp b/manifests/service_remediations.pp
@@ -30,7 +30,7 @@
   include podman
   include iop::database
   include iop::core_kafka
-  include iop::core_network
+  require iop::core_network
   include iop::core_host_inventory
   include iop::service_advisor
 

diff --git a/manifests/service_vmaas.pp b/manifests/service_vmaas.pp
@@ -28,7 +28,7 @@
   Stdlib::Port $database_port = 5432,
 ) {
   include podman
-  include iop::core_network
+  require iop::core_network
   include iop::core_kafka
   include iop::core_gateway
   include iop::database
@@ -94,7 +94,7 @@
   }
 
   podman::volume { 'iop-service-vmaas-data':
-    ensure => $ensure,
+    ensure => 'present',
   }
 
   podman::quadlet { 'iop-service-vmaas-reposcan':

diff --git a/manifests/service_vulnerability.pp b/manifests/service_vulnerability.pp
@@ -36,7 +36,7 @@
   include podman
   include iop::database
   include iop::core_kafka
-  include iop::core_network
+  require iop::core_network
   include iop::core_host_inventory
   include iop::service_vmaas
 

diff --git a/spec/acceptance/core_engine_spec.rb b/spec/acceptance/core_engine_spec.rb
@@ -31,4 +31,30 @@ class { 'iop::core_engine': }
       its(:exit_status) { should eq 0 }
     end
   end
+
+  context 'with ensure => absent' do
+    it_behaves_like 'an idempotent resource' do
+      let(:manifest) do
+        <<-PUPPET
+        class { 'iop::core_engine':
+          ensure => 'absent',
+        }
+        PUPPET
+      end
+    end
+
+    describe service('iop-core-engine') do
+      it { is_expected.not_to be_running }
+      it { is_expected.not_to be_enabled }
+    end
+
+    describe file('/etc/containers/systemd/iop-core-engine.container') do
+      it { is_expected.not_to exist }
+    end
+
+    describe command('podman secret ls --format "{{.Name}}" | grep "^iop-core-engine-"') do
+      its(:exit_status) { should eq 1 }
+      its(:stdout) { should be_empty }
+    end
+  end
 end
diff --git a/spec/acceptance/core_gateway_spec.rb b/spec/acceptance/core_gateway_spec.rb
@@ -31,4 +31,30 @@ class { 'iop::core_gateway': }
       its(:stdout) { should match /200/ }
     end
   end
+
+  context 'with ensure => absent' do
+    it_behaves_like 'an idempotent resource' do
+      let(:manifest) do
+        <<-PUPPET
+        class { 'iop::core_gateway':
+          ensure => 'absent',
+        }
+        PUPPET
+      end
+    end
+
+    describe service('iop-core-gateway') do
+      it { is_expected.not_to be_running }
+      it { is_expected.not_to be_enabled }
+    end
+
+    describe file('/etc/containers/systemd/iop-core-gateway.container') do
+      it { is_expected.not_to exist }
+    end
+
+    describe command('podman secret ls --format "{{.Name}}" | grep "^iop-core-gateway-"') do
+      its(:exit_status) { should eq 1 }
+      its(:stdout) { should be_empty }
+    end
+  end
 end
diff --git a/spec/acceptance/core_host_inventory_frontend_spec.rb b/spec/acceptance/core_host_inventory_frontend_spec.rb
@@ -56,4 +56,24 @@ class { 'iop::core_host_inventory_frontend': }
       it { should be_mode 755 }
     end
   end
+
+  context 'with ensure => absent' do
+    it_behaves_like 'an idempotent resource' do
+      let(:manifest) do
+        <<-PUPPET
+        class { 'iop::core_host_inventory_frontend':
+          ensure => 'absent',
+        }
+        PUPPET
+      end
+    end
+
+    describe file("/var/lib/foreman/public/assets/apps/inventory") do
+      it { is_expected.not_to exist }
+    end
+
+    describe file("/var/lib/foreman/public/assets/apps/inventory/app.info.json") do
+      it { is_expected.not_to exist }
+    end
+  end
 end
diff --git a/spec/acceptance/core_host_inventory_spec.rb b/spec/acceptance/core_host_inventory_spec.rb
@@ -57,4 +57,57 @@ class { 'iop::core_host_inventory': }
       its(:content) { should match /WantedBy=timers.target/ }
     end
   end
+
+  context 'with ensure => absent' do
+    it_behaves_like 'an idempotent resource' do
+      let(:manifest) do
+        <<-PUPPET
+        class { 'iop::core_host_inventory':
+          ensure => 'absent',
+        }
+        PUPPET
+      end
+    end
+
+    describe service('iop-core-host-inventory') do
+      it { is_expected.not_to be_running }
+      it { is_expected.not_to be_enabled }
+    end
+
+    describe service('iop-core-host-inventory-api') do
+      it { is_expected.not_to be_running }
+      it { is_expected.not_to be_enabled }
+    end
+
+    describe service('iop-core-host-inventory-cleanup') do
+      it { is_expected.not_to be_running }
+      it { is_expected.not_to be_enabled }
+    end
+
+    describe service('iop-core-host-inventory-cleanup.timer') do
+      it { is_expected.not_to be_running }
+      it { is_expected.not_to be_enabled }
+    end
+
+    describe file('/etc/containers/systemd/iop-core-host-inventory.container') do
+      it { is_expected.not_to exist }
+    end
+
+    describe file('/etc/containers/systemd/iop-core-host-inventory-api.container') do
+      it { is_expected.not_to exist }
+    end
+
+    describe file('/etc/containers/systemd/iop-core-host-inventory-cleanup.container') do
+      it { is_expected.not_to exist }
+    end
+
+    describe file('/etc/systemd/system/iop-core-host-inventory-cleanup.timer') do
+      it { is_expected.not_to exist }
+    end
+
+    describe command('podman secret ls --format "{{.Name}}" | grep "^iop-core-host-inventory-"') do
+      its(:exit_status) { should eq 1 }
+      its(:stdout) { should be_empty }
+    end
+  end
 end
diff --git a/spec/acceptance/core_ingress_spec.rb b/spec/acceptance/core_ingress_spec.rb
@@ -30,4 +30,25 @@
       its(:stdout) { should match /200/ }
     end
   end
+
+  context 'with ensure => absent' do
+    it_behaves_like 'an idempotent resource' do
+      let(:manifest) do
+        <<-PUPPET
+        class { 'iop::core_ingress':
+          ensure => 'absent',
+        }
+        PUPPET
+      end
+    end
+
+    describe service('iop-core-ingress') do
+      it { is_expected.not_to be_running }
+      it { is_expected.not_to be_enabled }
+    end
+
+    describe file('/etc/containers/systemd/iop-core-ingress.container') do
+      it { is_expected.not_to exist }
+    end
+  end
 end