(MODULES-11808) Fix InfluxDB apt source on Ubuntu 24.04 (apt::keyring)

[actowery]

Summary

puppetlabs/influxdb v3.0.1 fails to install on Ubuntu 24.04 because manifests/init.pp declares the Debian apt source with an inline key => { id, source } hash. That form routes through the deprecated apt::key defined type, which drops the trust file under /etc/apt/trusted.gpg.d/ without setting signed-by= on the source list entry. Ubuntu 24.04's apt enforces deb822-style trust scoping and rejects the InfluxDB source with a missing-signature error.

This PR switches to the modern key => { 'name', 'source' } hash, which routes through apt::keyring in puppetlabs-apt 9.2.0+. The apt module then writes the key file to /etc/apt/keyrings/, references it via signed-by= on the source list entry, and orders the keyring before the source list file automatically.

Changes

• manifests/init.pp — Debian-family branch of apt::source now uses key => { 'name' => "${repo_name}.asc", 'source' => $repo_gpg_key_url }. Param $repo_gpg_key_id is retained for backward compatibility but its docstring now notes it no longer enforces fingerprint verification (the apt::keyring path trusts the HTTPS-served file directly).
• metadata.json — bumps puppetlabs/apt dependency floor from >= 8.0.0 to >= 9.2.0 (the release that introduced apt::keyring, 2023-12-04).
• .fixtures.yml — pins the apt fixture to 9.2.0 so unit tests exercise the dependency floor.
• spec/classes/init_spec.rb — asserts contain_apt__keyring('influxdb2.asc') and the structural key: hash on every Debian-family OS in operatingsystem_support (including the originally-broken Ubuntu 24.04). Adds negative assertions in the archive_source and "neither repo nor archive" contexts to guard against regressions that would leak repo resources into the no-repo code paths.

Jira

• MODULES-11808

Upstream issue

• Missing apt::keyring on Debian based systems #126 (Reporter: tuxmea / Martin Alfke)

Test plan

• Unit: bundle exec rspec spec/classes/init_spec.rb — 83 examples, 0 failures across Ubuntu 18.04 / 20.04 / 22.04 / 24.04 + Debian 11.
• Validate: bundle exec rake validate clean.
• Lint: bundle exec rake lint clean.
• Litmus acceptance on Ubuntu 24.04 with PE 2023.8.9 — green at commit 93b0c34 (job run, 17m41s). Acceptance spec applies include influxdb idempotently and asserts ss -Htln sport = :8086 | LISTEN, i.e. install + idempotent + service alive on a real Ubuntu 24.04 + PE 2023.8.9 VM.

Out of scope

• Migrating Ubuntu 22.04 to deb822 sources (not required for this fix — one-line .list format with signed-by= works on 22.04).
• Issue Upgrading toml-rb causes issues at PE customer #127 (toml-rb native extension) — separate ticket, different module (puppet_operational_dashboards).
• Forge release — handled by auto_release.yml after merge.

🤖 Generated with Claude Code

[actowery]

CI failure context

Four jobs are red on the latest run. None are caused by this PR; all are pre-existing CI breakage on platforms this PR does not touch.

Sles-15, PE LTS and PE latest

PE install fails because pe-host-action-collector (and other PE packages) declare a net-tools dependency the configured zypper repos don't satisfy:

Error: nothing provides 'net-tools' needed by the to be installed
pe-host-action-collector-2023.8.9.1-1.sles15.noarch

The acceptance tests never run — deploy_pe::provision_master exits before them. This is a SLES image / repo-configuration gap in the test infrastructure, not a module problem.

RedHat-8, PE LTS and PE latest

Bolt's net-ssh transport drops mid-stream during the post-install deploy_pe::run_agent task — same line number both times:

.../net-ssh-7.3.2/lib/net/ssh/buffered_io.rb:101:in `send': closed stream (IOError)
"file":"spec/fixtures/modules/deploy_pe/plans/provision_master.pp","line":125

Classic SSH flake during a long-running heavy operation. Also fails before the acceptance step. Separately worth noting: RedHat-8 runs the 'RedHat': branch of case $facts['os']['family'] in manifests/init.pp (the yumrepo path), which this PR does not modify.

Prior history

The same two-platform failure pattern is present on every recent change to this module:

Run	Date	Title	Sles-15 (LTS / latest)	RedHat-8 (LTS / latest)
21864582127	2026-02-10	Update InfluxData's signing key fingerprint	❌ / ❌	❌ / ❌
21712530103	2026-02-05	(maint) v3.0.1 Release prep	❌ / ❌	❌ / ❌
21633134484	2026-02-03	(SUP-6938) update gpg key	❌ / ❌	❌ / ❌
19927713177	2025-12-04	(SUP-6705): v3.0.0 Release Prep	❌ / ❌	❌ / ❌

GitHub purged the job logs (>30 days, HTTP 410), so I can't byte-compare the failure causes against today's. What is verifiable: same workflow, same platforms, same failure conclusion across every recent merge — including the v3.0.0 and v3.0.1 release-prep PRs that did ship to Forge through this same red state.

What is green

On the latest run for this PR:

• ✅ PE LTS Testing / Ubuntu-2404, 2023.8.9 — the ticket's stated binary pass/fail (17m41s)
• ✅ PE LTS Testing / Ubuntu-2204, 2023.8.9 — was failing in run Add puppet-strings documentation #1 from the same idempotency bug 93b0c34 fixes
• ✅ PE LTS Testing / Ubuntu-2404, 2025.10.0 and Ubuntu-2204, 2025.10.0
• ✅ AlmaLinux-8/9, Rocky-Linux-8/9, RedHat-9 — both PE versions
• ✅ Spec testing (rspec-puppet, all OSes)

The Debian-family code path this PR changes is exercised, idempotent, and green everywhere the harness can actually install PE.