bolt 3.22.1 → 3.24.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9bb70cb2643e6f83db4c78140e69b63f1adb0547babb48a56f7263d6e231e190
-  data.tar.gz: 87bac24240c774e3142631834692b1c1f03aacd28ec35bb1ef33693be42af1ba
+  metadata.gz: 7ad3bbc9413aac278feeac8a7e31173bd065f0029fb211d7e1906c4803a4c390
+  data.tar.gz: 387d3a07844139eb29a1db06d1792acfdad6a09eab2b5576a9c4d34fdffdaca8
 SHA512:
-  metadata.gz: 9a5bdda010517568732212c1436560c952da36be78511cfaf2543ce7b330245d7c8d78ebf1c8c2a1feb986f2276d644edf54ccaa1c52cd4d1072954c3e644214
-  data.tar.gz: cc5ec411b3b3d3772f89ce19cca8d3a9bf086c7b4da580c334ccb0c31c763a1641fe5972389a71e7874e64e10323ec7286027bc6c4b86447a8beb28cdb04796a
+  metadata.gz: 83c1685fc238f049dad5cf841ea55f37c57a1aa59d66ef420d754b78d7b0ba8cca4533accb2cfbe53915587f1832beb7cbf956501486de63e135933b57f5fa98
+  data.tar.gz: c6900fde1fd9234a603171c79c2f2b3a22b2d2661797b94bf0afd2050f4ef5cc32844562734d3e41bd94464806e1efaabaac346d6887773f547c801c33cc3d6f

data/Puppetfile

@@ -1,18 +1,18 @@
 # frozen_string_literal: true
 
-forge "http://forge.puppetlabs.com"
+forge 'https://forge.puppetlabs.com'
 
 moduledir File.join(File.dirname(__FILE__), 'modules')
 
 # Core modules used by 'apply'
-mod 'puppetlabs-service', '2.1.0'
-mod 'puppetlabs-puppet_agent', '4.9.0'
+mod 'puppetlabs-service', '2.2.0'
+mod 'puppetlabs-puppet_agent', '4.11.0'
 mod 'puppetlabs-facts', '1.4.0'
 
 # Core types and providers for Puppet 6
 mod 'puppetlabs-augeas_core', '1.2.0'
 mod 'puppetlabs-host_core', '1.1.0'
-mod 'puppetlabs-scheduled_task', '3.0.1'
+mod 'puppetlabs-scheduled_task', '3.1.0'
 mod 'puppetlabs-sshkeys_core', '2.3.0'
 mod 'puppetlabs-zfs_core', '1.3.0'
 mod 'puppetlabs-cron_core', '1.1.0'
@@ -22,14 +22,14 @@ mod 'puppetlabs-yumrepo_core', '1.1.0'
 mod 'puppetlabs-zone_core', '1.0.3'
 
 # Useful additional modules
-mod 'puppetlabs-package', '2.1.0'
+mod 'puppetlabs-package', '2.2.0'
 mod 'puppetlabs-powershell_task_helper', '0.1.0'
-mod 'puppetlabs-puppet_conf', '1.2.0'
+mod 'puppetlabs-puppet_conf', '1.3.0'
 mod 'puppetlabs-python_task_helper', '0.5.0'
-mod 'puppetlabs-reboot', '4.1.0'
-mod 'puppetlabs-ruby_task_helper', '0.6.0'
+mod 'puppetlabs-reboot', '4.2.0'
+mod 'puppetlabs-ruby_task_helper', '0.6.1'
 mod 'puppetlabs-ruby_plugin_helper', '0.2.0'
-mod 'puppetlabs-stdlib', '8.1.0'
+mod 'puppetlabs-stdlib', '8.2.0'
 
 # Plugin modules
 mod 'puppetlabs-aws_inventory', '0.7.0'

data/bolt-modules/boltlib/lib/puppet/functions/puppetdb_command.rb

@@ -17,6 +17,8 @@ require 'bolt/error'
 # > **Note:** Not available in apply block
 #
 Puppet::Functions.create_function(:puppetdb_command) do
+  # Send a command with a payload to PuppetDB.
+  #
   # @param command The command to invoke.
   # @param version The version of the command to invoke.
   # @param payload The payload to the command.
@@ -38,7 +40,36 @@ Puppet::Functions.create_function(:puppetdb_command) do
     return_type 'String'
   end
 
+  # Send a command with a payload to a named PuppetDB instance.
+  #
+  # @param command The command to invoke.
+  # @param version The version of the command to invoke.
+  # @param payload The payload to the command.
+  # @param instance The PuppetDB instance to send the command to.
+  # @return The UUID identifying the response sent by PuppetDB.
+  # @example Replace facts for a target using a named PuppetDB instance
+  #   $payload = {
+  #     'certname'           => 'localhost',
+  #     'environment'        => 'dev',
+  #     'producer'           => 'bolt',
+  #     'producer_timestamp' => '1970-01-01',
+  #     'values'             => { 'orchestrator' => 'bolt' }
+  #   }
+  #
+  #   puppetdb_command('replace_facts', 5, $payload, 'instance-1')
+  dispatch :puppetdb_command_with_instance do
+    param 'String[1]', :command
+    param 'Integer', :version
+    param 'Hash[Data, Data]', :payload
+    param 'String', :instance
+    return_type 'String'
+  end
+
   def puppetdb_command(command, version, payload)
+    puppetdb_command_with_instance(command, version, payload, nil)
+  end
+
+  def puppetdb_command_with_instance(command, version, payload, instance)
     # Disallow in apply blocks.
     unless Puppet[:tasks]
       raise Puppet::ParseErrorWithIssue.from_issue_and_stack(
@@ -61,6 +92,6 @@ Puppet::Functions.create_function(:puppetdb_command) do
       )
     end
 
-    puppetdb_client.send_command(command, version, payload)
+    puppetdb_client.send_command(command, version, payload, instance)
   end
 end

data/bolt-modules/boltlib/lib/puppet/functions/puppetdb_fact.rb

@@ -7,6 +7,8 @@ require 'bolt/error'
 # If a node is not found in PuppetDB, it's included in the returned hash with an empty facts hash.
 # Otherwise, the node is included in the hash with a value that is a hash of its facts.
 Puppet::Functions.create_function(:puppetdb_fact) do
+  # Collect facts from PuppetDB.
+  #
   # @param certnames Array of certnames.
   # @return A hash of certname to facts hash for each matched Target.
   # @example Get facts for nodes
@@ -16,13 +18,30 @@ Puppet::Functions.create_function(:puppetdb_fact) do
     return_type 'Hash[String, Data]'
   end
 
+  # Collects facts from a named PuppetDB instance.
+  #
+  # @param certnames Array of certnames.
+  # @param instance The PuppetDB instance to query.
+  # @return A hash of certname to facts hash for each matched Target.
+  # @example Get facts for nodes from a named PuppetDB instance
+  #   puppetdb_fact(['app.example.com', 'db.example.com'], 'instance-1')
+  dispatch :puppetdb_fact_with_instance do
+    param 'Array[String]', :certnames
+    param 'String', :instance
+    return_type 'Hash[String, Data]'
+  end
+
   def puppetdb_fact(certnames)
+    puppetdb_fact_with_instance(certnames, nil)
+  end
+
+  def puppetdb_fact_with_instance(certnames, instance)
     puppetdb_client = Puppet.lookup(:bolt_pdb_client)
     # Bolt executor not expected when invoked from apply block
     executor = Puppet.lookup(:bolt_executor) { nil }
     # Send Analytics Report
     executor&.report_function_call(self.class.name)
 
-    puppetdb_client.facts_for_node(certnames)
+    puppetdb_client.facts_for_node(certnames, instance)
   end
 end

data/bolt-modules/boltlib/lib/puppet/functions/puppetdb_query.rb

@@ -6,6 +6,8 @@ require 'bolt/error'
 # using Bolt's PuppetDB client.
 Puppet::Functions.create_function(:puppetdb_query) do
   # rubocop:disable Layout/LineLength
+  # Make a query to PuppetDB.
+  #
   # @param query A PQL query.
   #   Learn more about [Puppet's query language](https://puppet.com/docs/puppetdb/latest/api/query/tutorial-pql.html), PQL.
   # @return Results of the PuppetDB query.
@@ -16,15 +18,35 @@ Puppet::Functions.create_function(:puppetdb_query) do
     param 'Variant[String, Array[Data]]', :query
     return_type 'Array[Data]'
   end
+
+  # rubocop:disable Layout/LineLength
+  # Make a query to a named PuppetDB instance.
+  #
+  # @param query A PQL query.
+  #   Learn more about [Puppet's query language](https://puppet.com/docs/puppetdb/latest/api/query/tutorial-pql.html), PQL.
+  # @param instance The PuppetDB instance to query.
+  # @return Results of the PuppetDB query.
+  # @example Request certnames for all nodes using a named PuppetDB instance
+  #   puppetdb_query('nodes[certname] {}', 'instance-1')
+  # rubocop:enable Layout/LineLength
+  dispatch :make_query_with_instance do
+    param 'Variant[String, Array[Data]]', :query
+    param 'String', :instance
+    return_type 'Array[Data]'
+  end
   # The query type could be more specific ASTQuery = Array[Variant[String, ASTQuery]]
 
   def make_query(query)
+    make_query_with_instance(query, nil)
+  end
+
+  def make_query_with_instance(query, instance)
     puppetdb_client = Puppet.lookup(:bolt_pdb_client)
     # Bolt executor not expected when invoked from apply block
     executor = Puppet.lookup(:bolt_executor) { nil }
     # Send Analytics Report
     executor&.report_function_call(self.class.name)
 
-    puppetdb_client.make_query(query)
+    puppetdb_client.make_query(query, nil, instance)
   end
 end

data/bolt-modules/boltlib/lib/puppet/functions/run_task.rb

@@ -57,6 +57,7 @@ Puppet::Functions.create_function(:run_task) do
 
     options, params = args.partition { |k, _v| k.start_with?('_') }.map(&:to_h)
     options = options.transform_keys { |k| k.sub(/^_/, '').to_sym }
+    options[:description] = description if description
 
     executor = Puppet.lookup(:bolt_executor)
     inventory = Puppet.lookup(:bolt_inventory)
@@ -68,18 +69,24 @@ Puppet::Functions.create_function(:run_task) do
       executor.report_function_call(self.class.name)
     end
 
-    # Report Analytics for bundled content, this should capture tasks run from both CLI and Plans
+    # Report Analytics for bundled content, this should capture tasks run from
+    # both CLI and Plans.
     executor.report_bundled_content('Task', task_name)
 
-    # Ensure that given targets are all Target instances
+    # Ensure that given targets are all Target instances.
     targets = inventory.get_targets(targets)
 
-    options[:description] = description if description
+    # Return early if there are no targets.
+    if targets.empty?
+      return Bolt::ResultSet.new([])
+    end
 
-    # Don't bother loading the local task definition if all targets use the 'pcp' transport.
-    if !targets.empty? && targets.all? { |t| t.transport == 'pcp' }
-      # create a fake task
-      task = Bolt::Task.new(task_name, {}, [{ 'name' => '', 'path' => '' }])
+    # If all targets use the PCP transport, create a fake task instead of
+    # loading the actual task definition.
+    if targets.all? { |t| t.transport == 'pcp' }
+      task = Bolt::Task.new(task_name,
+                            { 'supports_noop' => true },
+                            [{ 'name' => '', 'path' => '' }])
     else
       # TODO: use the compiler injection once PUP-8237 lands
       task_signature = Puppet::Pal::ScriptCompiler.new(closure_scope.compiler).task_signature(task_name)
@@ -89,7 +96,8 @@ Puppet::Functions.create_function(:run_task) do
 
       task = Bolt::Task.from_task_signature(task_signature)
 
-      # Set the default value for any params that have one and were not provided or are undef
+      # Set the default value for any params that have one and were not provided
+      # or are undef.
       params = task.parameter_defaults.merge(params) do |_, default, passed|
         passed.nil? ? default : passed
       end
@@ -99,9 +107,9 @@ Puppet::Functions.create_function(:run_task) do
       end || (raise with_stack(:TYPE_MISMATCH, 'Task parameters do not match'))
     end
 
+    # Generate a helpful error message about the type-mismatch between the type
+    # Data and the actual type of params.
     unless Puppet::Pops::Types::TypeFactory.data.instance?(params)
-      # generate a helpful error message about the type-mismatch between the type Data
-      # and the actual type of params
       params_t = Puppet::Pops::Types::TypeCalculator.infer_set(params)
       desc = Puppet::Pops::Types::TypeMismatchDescriber.singleton.describe_mismatch(
         'Task parameters are not of type Data. run_task()',
@@ -133,23 +141,20 @@ Puppet::Functions.create_function(:run_task) do
     # Report whether the task was run in noop mode.
     executor.report_noop_mode(executor.noop || options[:noop])
 
-    if targets.empty?
-      Bolt::ResultSet.new([])
-    else
-      file_line = Puppet::Pops::PuppetStack.top_of_stack
-      result = if executor.in_parallel?
-                 executor.run_in_thread do
-                   executor.run_task(targets, task, params, options, file_line)
-                 end
-               else
+    file_line = Puppet::Pops::PuppetStack.top_of_stack
+    result = if executor.in_parallel?
+               executor.run_in_thread do
                  executor.run_task(targets, task, params, options, file_line)
                end
+             else
+               executor.run_task(targets, task, params, options, file_line)
+             end
 
-      if !result.ok && !options[:catch_errors]
-        raise Bolt::RunFailure.new(result, 'run_task', task_name)
-      end
-      result
+    if !result.ok && !options[:catch_errors]
+      raise Bolt::RunFailure.new(result, 'run_task', task_name)
     end
+
+    result
   end
 
   def with_stack(kind, msg)

data/bolt-modules/boltlib/lib/puppet/functions/run_task_with.rb

@@ -92,10 +92,17 @@ Puppet::Functions.create_function(:run_task_with) do
     # Get all the targets
     targets = Array(inventory.get_targets(targets))
 
+    # Return early if there are no targets.
+    if targets.empty?
+      return Bolt::ResultSet.new([])
+    end
+
     # If all targets use the 'pcp' transport, use a fake task instead of loading the local definition
     # Otherwise, load the local task definition
-    if (pcp_only = targets.any? && targets.all? { |t| t.transport == 'pcp' })
-      task = Bolt::Task.new(task_name, {}, [{ 'name' => '', 'path' => '' }])
+    if (pcp_only = targets.all? { |t| t.transport == 'pcp' })
+      task = Bolt::Task.new(task_name,
+                            { 'supports_noop' => true },
+                            [{ 'name' => '', 'path' => '' }])
     else
       task_signature = Puppet::Pal::ScriptCompiler.new(closure_scope.compiler).task_signature(task_name)
 
@@ -178,27 +185,23 @@ Puppet::Functions.create_function(:run_task_with) do
     # Report whether the task was run in noop mode.
     executor.report_noop_mode(executor.noop || options[:noop])
 
-    if targets.empty?
-      Bolt::ResultSet.new([])
-    else
-      # Combine the results from the task run with any failing results that were
-      # generated earlier when creating the target mapping
-      file_line = Puppet::Pops::PuppetStack.top_of_stack
-      task_result = if executor.in_parallel?
-                      executor.run_in_thread do
-                        executor.run_task_with(target_mapping, task, options, file_line)
-                      end
-                    else
+    # Combine the results from the task run with any failing results that were
+    # generated earlier when creating the target mapping
+    file_line = Puppet::Pops::PuppetStack.top_of_stack
+    task_result = if executor.in_parallel?
+                    executor.run_in_thread do
                       executor.run_task_with(target_mapping, task, options, file_line)
                     end
-      result = Bolt::ResultSet.new(task_result.results + error_set)
-
-      if !result.ok && !options[:catch_errors]
-        raise Bolt::RunFailure.new(result, 'run_task', task_name)
-      end
+                  else
+                    executor.run_task_with(target_mapping, task, options, file_line)
+                  end
+    result = Bolt::ResultSet.new(task_result.results + error_set)
 
-      result
+    if !result.ok && !options[:catch_errors]
+      raise Bolt::RunFailure.new(result, 'run_task', task_name)
     end
+
+    result
   end
 
   def with_stack(kind, msg)

data/lib/bolt/application.rb

@@ -49,7 +49,7 @@ module Bolt
                         code
                       end
 
-      targets = inventory.get_targets(targets)
+      targets = inventory.get_targets(targets, ext_glob: true)
 
       Puppet[:tasks] = false
       ast = pal.parse_manifest(manifest_code, manifest)
@@ -90,7 +90,7 @@ module Bolt
     # @return [Bolt::ResultSet]
     #
     def run_command(command, targets, env_vars: nil)
-      targets = inventory.get_targets(targets)
+      targets = inventory.get_targets(targets, ext_glob: true)
 
       with_benchmark do
         executor.run_command(targets, command, env_vars: env_vars)
@@ -106,7 +106,7 @@ module Bolt
     #
     def download_file(source, destination, targets)
       destination = File.expand_path(destination, Dir.pwd)
-      targets     = inventory.get_targets(targets)
+      targets     = inventory.get_targets(targets, ext_glob: true)
 
       with_benchmark do
         executor.download_file(targets, source, destination)
@@ -122,7 +122,7 @@ module Bolt
     #
     def upload_file(source, destination, targets)
       source  = find_file(source)
-      targets = inventory.get_targets(targets)
+      targets = inventory.get_targets(targets, ext_glob: true)
 
       Bolt::Util.validate_file('source file', source, true)
 
@@ -225,7 +225,7 @@ module Bolt
 
       with_benchmark do
         pal.lookup(key,
-                   inventory.get_targets(targets),
+                   inventory.get_targets(targets, ext_glob: true),
                    inventory,
                    executor,
                    plan_vars: vars)
@@ -351,6 +351,7 @@ module Bolt
     # @return [Bolt::PlanResult]
     #
     def run_plan(plan, targets, params: {})
+      plan_params = pal.get_plan_info(plan)['parameters']
       if targets && targets.any?
         if params['nodes'] || params['targets']
           key = params.include?('nodes') ? 'nodes' : 'targets'
@@ -360,7 +361,6 @@ module Bolt
                 "in the JSON data passed in the --params option"
         end
 
-        plan_params  = pal.get_plan_info(plan)['parameters']
         target_param = plan_params.dig('targets', 'type') =~ /TargetSpec/
         node_param   = plan_params.include?('nodes')
 
@@ -375,13 +375,17 @@ module Bolt
         end
       end
 
-      plan_context = { plan_name: plan, params: params }
+      sensitive_params = params.keys.select { |param| plan_params.dig(param, 'sensitive') }
+
+      plan_context = { plan_name: plan, params: params, sensitive: sensitive_params }
 
       executor.start_plan(plan_context)
       result = pal.run_plan(plan, params, executor, inventory, plugins.puppetdb_client)
       executor.finish_plan(result)
 
       result
+    rescue Bolt::Error => e
+      Bolt::PlanResult.new(e, 'failure')
     end
 
     # Show plan information.
@@ -620,7 +624,10 @@ module Bolt
       Bolt::Util.validate_file('script', script)
 
       with_benchmark do
-        executor.run_script(inventory.get_targets(targets), script, arguments, env_vars: env_vars)
+        executor.run_script(inventory.get_targets(targets, ext_glob: true),
+                            script,
+                            arguments,
+                            env_vars: env_vars)
       end
     end
 
@@ -676,7 +683,7 @@ module Bolt
     # @return [Bolt::ResultSet]
     #
     def run_task(task, targets, params: {})
-      targets = inventory.get_targets(targets)
+      targets = inventory.get_targets(targets, ext_glob: true)
 
       with_benchmark do
         pal.run_task(task, targets, params, executor, inventory)
@@ -775,7 +782,7 @@ module Bolt
       # Retrieve the known group and target names. This needs to be done before
       # updating targets, as that will add adhoc targets to the inventory.
       known_names = inventory.target_names
-      targets     = inventory.get_targets(targets)
+      targets     = inventory.get_targets(targets, ext_glob: true)
 
       inventory_targets, adhoc_targets = targets.partition do |target|
         known_names.include?(target.name)

data/lib/bolt/applicator.rb

@@ -162,7 +162,13 @@ module Bolt
 
     def validate_hiera_config(hiera_config)
       if File.exist?(File.path(hiera_config))
-        data = File.open(File.path(hiera_config), "r:UTF-8") { |f| YAML.safe_load(f.read, [Symbol]) }
+        data = File.open(File.path(hiera_config), "r:UTF-8") do |f|
+          if Psych.method(:safe_load).parameters.rassoc(:permitted_classes)
+            YAML.safe_load(f.read, permitted_classes: [Symbol])
+          else
+            YAML.safe_load(f.read, [Symbol])
+          end
+        end
         if data.nil?
           return nil
         elsif data['version'] != 5
@@ -219,7 +225,7 @@ module Bolt
         code_ast: ast,
         modulepath: @modulepath,
         project: @project.to_h,
-        pdb_config: @pdb_client.config.to_hash,
+        pdb_config: @pdb_client.instance(options[:puppetdb]).config.to_hash,
         hiera_config: @hiera_config,
         plan_vars: plan_vars,
         # This data isn't available on the target config hash

data/lib/bolt/bolt_option_parser.rb

@@ -10,7 +10,7 @@ module Bolt
     OPTIONS = { inventory: %w[targets query rerun],
                 authentication: %w[user password password-prompt private-key host-key-check ssl ssl-verify],
                 escalation: %w[run-as sudo-password sudo-password-prompt sudo-executable],
-                run_context: %w[concurrency inventoryfile save-rerun cleanup],
+                run_context: %w[concurrency inventoryfile save-rerun cleanup puppetdb],
                 global_config_setters: PROJECT_PATHS + %w[modulepath],
                 transports: %w[transport connect-timeout tty native-ssh ssh-command copy-command],
                 display: %w[format color verbose trace stream],
@@ -1054,6 +1054,9 @@ module Bolt
       define('--[no-]save-rerun', 'Whether to update the rerun file after this command.') do |save|
         @options[:'save-rerun'] = save
       end
+      define('--puppetdb INSTANCE', 'The named PuppetDB instance to connect to by default.') do |instance|
+        @options[:default_puppetdb] = instance
+      end
 
       separator "\n#{self.class.colorize(:cyan, 'Remote environment options')}"
       define('--env-var ENVIRONMENT_VARIABLES', 'Environment variables to set on the target.') do |envvar|

data/lib/bolt/catalog.rb

@@ -56,7 +56,7 @@ module Bolt
     end
 
     def compile_catalog(request)
-      pdb_client = Bolt::PuppetDB::Client.new(Bolt::PuppetDB::Config.new(request['pdb_config']))
+      pdb_client = Bolt::PuppetDB::Client.new(config: request['pdb_config'])
       project = request['project']
       bolt_project = Struct.new(:name, :path, :load_as_module?).new(project['name'],
                                                                     project['path'],

data/lib/bolt/config/options.rb

@@ -54,6 +54,58 @@ module Bolt
         }
       }.freeze
 
+      # PuppetDB options.
+      PUPPETDB_OPTIONS = {
+        "cacert" => {
+          description: "The path to the ca certificate for PuppetDB.",
+          type: String,
+          _example: "/etc/puppetlabs/puppet/ssl/certs/ca.pem",
+          _plugin: true
+        },
+        "cert" => {
+          description: "The path to the client certificate file to use for authentication.",
+          type: String,
+          _example: "/etc/puppetlabs/puppet/ssl/certs/my-host.example.com.pem",
+          _plugin: true
+        },
+        "connect_timeout" => {
+          description: "How long to wait in seconds when establishing connections with PuppetDB.",
+          type: Integer,
+          minimum: 1,
+          _default: 60,
+          _example: 120,
+          _plugin: true
+        },
+        "key" => {
+          description: "The private key for the certificate.",
+          type: String,
+          _example: "/etc/puppetlabs/puppet/ssl/private_keys/my-host.example.com.pem",
+          _plugin: true
+        },
+        "read_timeout" => {
+          description: "How long to wait in seconds for a response from PuppetDB.",
+          type: Integer,
+          minimum: 1,
+          _default: 60,
+          _example: 120,
+          _plugin: true
+        },
+        "server_urls" => {
+          description: "An array containing the PuppetDB host to connect to. Include the protocol `https` "\
+                        "and the port, which is usually `8081`. For example, "\
+                        "`https://my-puppetdb-server.com:8081`.",
+          type: Array,
+          _example: ["https://puppet.example.com:8081"],
+          _plugin: true
+        },
+        "token" => {
+          description: "The path to the PE RBAC Token.",
+          type: String,
+          _example: "~/.puppetlabs/token",
+          _plugin: true
+        }
+      }.freeze
+
       # Definitions used to validate config options.
       # https://github.com/puppetlabs/bolt/blob/main/schemas/README.md
       OPTIONS = {
@@ -409,55 +461,17 @@ module Bolt
           description: "A map containing options for [configuring the Bolt PuppetDB "\
                        "client](bolt_connect_puppetdb.md).",
           type: Hash,
-          properties: {
-            "cacert" => {
-              description: "The path to the ca certificate for PuppetDB.",
-              type: String,
-              _example: "/etc/puppetlabs/puppet/ssl/certs/ca.pem",
-              _plugin: true
-            },
-            "cert" => {
-              description: "The path to the client certificate file to use for authentication.",
-              type: String,
-              _example: "/etc/puppetlabs/puppet/ssl/certs/my-host.example.com.pem",
-              _plugin: true
-            },
-            "connect_timeout" => {
-              description: "How long to wait in seconds when establishing connections with PuppetDB.",
-              type: Integer,
-              minimum: 1,
-              _default: 60,
-              _example: 120,
-              _plugin: true
-            },
-            "key" => {
-              description: "The private key for the certificate.",
-              type: String,
-              _example: "/etc/puppetlabs/puppet/ssl/private_keys/my-host.example.com.pem",
-              _plugin: true
-            },
-            "read_timeout" => {
-              description: "How long to wait in seconds for a response from PuppetDB.",
-              type: Integer,
-              minimum: 1,
-              _default: 60,
-              _example: 120,
-              _plugin: true
-            },
-            "server_urls" => {
-              description: "An array containing the PuppetDB host to connect to. Include the protocol `https` "\
-                           "and the port, which is usually `8081`. For example, "\
-                           "`https://my-puppetdb-server.com:8081`.",
-              type: Array,
-              _example: ["https://puppet.example.com:8081"],
-              _plugin: true
-            },
-            "token" => {
-              description: "The path to the PE RBAC Token.",
-              type: String,
-              _example: "~/.puppetlabs/token",
-              _plugin: true
-            }
+          properties: PUPPETDB_OPTIONS,
+          _plugin: true
+        },
+        "puppetdb-instances" => {
+          description: "A map of named PuppetDB instances and their configuration, where keys are the name "\
+                       "of a PuppetDB instance and values are maps of configuration options. For more "\
+                       "information, see [Connecting Bolt to PuppetDB](bolt_connect_puppetdb.md).",
+          type: Hash,
+          additionalProperties: {
+            type: Hash,
+            properties: PUPPETDB_OPTIONS
           },
           _plugin: true
         },
@@ -610,6 +624,7 @@ module Bolt
         plugin-hooks
         plugins
         puppetdb
+        puppetdb-instances
         save-rerun
         spinner
         stream
@@ -637,6 +652,7 @@ module Bolt
         plugins
         policies
         puppetdb
+        puppetdb-instances
         rerunfile
         save-rerun
         spinner

data/lib/bolt/config/transport/local.rb

@@ -10,6 +10,7 @@ module Bolt
         WINDOWS_OPTIONS = %w[
           bundled-ruby
           cleanup
+          extensions
           interpreters
           tmpdir
         ].freeze