puppet 5.3.4 → 6.29.0

data/lib/puppet/defaults.rb

@@ -1,13 +1,75 @@
+require 'puppet/util/platform'
+
 module Puppet
 
   def self.default_diffargs
-    if (Facter.value(:kernel) == "AIX" && Facter.value(:kernelmajversion) == "5300")
+    if (Puppet.runtime[:facter].value(:kernel) == "AIX" && Puppet.runtime[:facter].value(:kernelmajversion) == "5300")
       ""
     else
       "-u"
     end
   end
 
+  def self.default_digest_algorithm
+    Puppet::Util::Platform.fips_enabled? ? 'sha256' : 'md5'
+  end
+
+  def self.valid_digest_algorithms
+    Puppet::Util::Platform.fips_enabled? ?
+      %w[sha256 sha384 sha512 sha224] :
+      %w[md5 sha256 sha384 sha512 sha224]
+  end
+
+  def self.default_file_checksum_types
+    Puppet::Util::Platform.fips_enabled? ?
+      %w[sha256 sha384 sha512 sha224] :
+      %w[md5 sha256 sha384 sha512 sha224]
+  end
+
+  def self.valid_file_checksum_types
+    Puppet::Util::Platform.fips_enabled? ?
+      %w[sha256 sha256lite sha384 sha512 sha224 sha1 sha1lite mtime ctime] :
+      %w[md5 md5lite sha256 sha256lite sha384 sha512 sha224 sha1 sha1lite mtime ctime]
+  end
+
+  def self.default_basemodulepath
+    if Puppet::Util::Platform.windows?
+      path = ['$codedir/modules']
+      installdir = ENV["FACTER_env_windows_installdir"]
+      if installdir
+        path << "#{installdir}/puppet/modules"
+      end
+      path.join(File::PATH_SEPARATOR)
+    else
+      '$codedir/modules:/opt/puppetlabs/puppet/modules'
+    end
+  end
+
+  def self.default_vendormoduledir
+    if Puppet::Util::Platform.windows?
+      installdir = ENV["FACTER_env_windows_installdir"]
+      if installdir
+        "#{installdir}\\puppet\\vendor_modules"
+      else
+        nil
+      end
+    else
+      '/opt/puppetlabs/puppet/vendor_modules'
+    end
+  end
+
+  def self.default_cadir
+    return "" if Puppet::Util::Platform.windows?
+    old_ca_dir = "#{Puppet[:ssldir]}/ca"
+    new_ca_dir = '/etc/puppetlabs/puppetserver/ca'
+
+    if File.exist?("#{new_ca_dir}/ca_crt.pem")
+      new_ca_dir
+    else
+      old_ca_dir
+    end
+  end
+
   ############################################################################################
   # NOTE: For information about the available values for the ":type" property of settings,
   #   see the docs for Settings.define_settings
@@ -15,7 +77,34 @@ module Puppet
 
   AS_DURATION = %q{This setting can be a time interval in seconds (30 or 30s), minutes (30m), hours (6h), days (2d), or years (5y).}
 
-  define_settings(:main,
+  # @api public
+  # @param args [Puppet::Settings] the settings object to define default settings for
+  # @return void
+  def self.initialize_default_settings!(settings)
+    settings.define_settings(:main,
+      :facterng => {
+        :default => false,
+        :type    => :boolean,
+        :desc    => 'Whether to enable a pre-Facter 4.0 release of Facter (distributed as
+          the "facter-ng" gem). This is not necessary if Facter 3.x or later is installed.
+          This setting is still experimental.',
+        :hook    => proc do |value|
+          value = munge(value)
+          if value && Puppet::Util::Package.versioncmp(Puppet.runtime[:facter].value('facterversion'), '4.0.0') < 0
+            begin
+              original_facter = Object.const_get(:Facter)
+              Object.send(:remove_const, :Facter)
+
+              require 'facter-ng'
+              # It is required to re-setup logger for facter-ng
+              Puppet::Util::Logging.setup_facter_logging!
+            rescue LoadError
+              Object.const_set(:Facter, original_facter)
+              raise ArgumentError, 'facter-ng could not be loaded'
+            end
+          end
+        end
+    },
     :confdir  => {
         :default  => nil,
         :type     => :directory,
@@ -52,7 +141,7 @@ module Puppet
     }
   )
 
-  define_settings(:main,
+  settings.define_settings(:main,
     :logdir => {
         :default  => nil,
         :type     => :directory,
@@ -99,11 +188,24 @@ module Puppet
         valid   = %w[deprecations undefined_variables undefined_resources]
         invalid = values - (values & valid)
         if not invalid.empty?
-          raise ArgumentError, _("Cannot disable unrecognized warning types %{invalid}.") % { invalid: invalid.inspect } +
-              ' ' + _("Valid values are %{values}.") % { values: valid.inspect}
+          raise ArgumentError, _("Cannot disable unrecognized warning types '%{invalid}'.") % { invalid: invalid.join(',') } +
+              ' ' + _("Valid values are '%{values}'.") % { values: valid.join(', ') }
         end
       end
     },
+    :merge_dependency_warnings => {
+      :default => false,
+      :type    => :boolean,
+      :desc    => "Whether to merge class-level dependency failure warnings.
+
+        When a class has a failed dependency, every resource in the class
+        generates a notice level message about the dependency failure,
+        and a warning level message about skipping the resource.
+
+        If true, all messages caused by a class dependency failure are merged
+        into one message associated with the class.
+        ",
+    },
     :strict => {
       :default    => :warning,
       :type       => :symbolic_enum,
@@ -116,7 +218,7 @@ module Puppet
 
         The strictness level is for both language semantics and runtime
         evaluation validation. In addition to controlling the behavior with
-        this master switch some individual warnings may also be controlled
+        this primary server switch some individual warnings may also be controlled
         by the disable_warnings setting.
 
         No new validations will be added to a micro (x.y.z) release,
@@ -143,7 +245,7 @@ module Puppet
     }
   )
 
-  define_settings(:main,
+  settings.define_settings(:main,
     :priority => {
       :default => nil,
       :type    => :priority,
@@ -156,12 +258,19 @@ module Puppet
     :trace => {
         :default  => false,
         :type     => :boolean,
-        :desc     => "Whether to print stack traces on some errors",
+        :desc     => "Whether to print stack traces on some errors. Will print
+          internal Ruby stack trace interleaved with Puppet function frames.",
         :hook     => proc do |value|
           # Enable or disable Facter's trace option too
-          Facter.trace(value) if Facter.respond_to? :trace
+          Puppet.runtime[:facter].trace(value)
         end
     },
+    :puppet_trace => {
+        :default  => false,
+        :type     => :boolean,
+        :desc     => "Whether to print the Puppet stack trace on some errors.
+          This is a noop if `trace` is also set.",
+    },
     :profile => {
         :default  => false,
         :type     => :boolean,
@@ -174,10 +283,19 @@ module Puppet
         major releases of Puppet. Should be used with caution, as in development
         features are experimental and can have unexpected effects."
     },
+    :versioned_environment_dirs => {
+      :default => false,
+      :type => :boolean,
+      :desc => "Whether or not to look for versioned environment directories,
+      symlinked from `$environmentpath/<environment>`. This is an experimental
+      feature and should be used with caution."
+    },
     :static_catalogs => {
       :default    => true,
       :type       => :boolean,
-      :desc       => "Whether to compile a static catalog."
+      :desc       => "Whether to compile a [static catalog](https://puppet.com/docs/puppet/latest/static_catalogs.html#enabling-or-disabling-static-catalogs),
+        which occurs only on Puppet Server when the `code-id-command` and
+        `code-content-command` settings are configured in its `puppetserver.conf` file.",
     },
     :strict_environment_mode => {
       :default    => false,
@@ -231,18 +349,18 @@ module Puppet
           on the CLI.",
     },
     :configprint => {
-        :default  => "",
-        :desc     => "Print the value of a specific configuration setting.  If the name of a
+        :default    => "",
+        :deprecated => :completely,
+        :desc       => "Prints the value of a specific configuration setting.  If the name of a
           setting is provided for this, then the value is printed and puppet
           exits.  Comma-separate multiple values.  For a list of all values,
-          specify 'all'.",
+          specify 'all'. This setting is deprecated, the 'puppet config' command replaces this functionality.",
     },
     :color => {
       :default => "ansi",
       :type    => :string,
       :desc    => "Whether to use colors when logging to the console.  Valid values are
-        `ansi` (equivalent to `true`), `html`, and `false`, which produces no color.
-        Defaults to false on Windows, as its console does not support ansi colors.",
+        `ansi` (equivalent to `true`), `html`, and `false`, which produces no color."
     },
     :mkusers => {
         :default  => false,
@@ -250,9 +368,10 @@ module Puppet
         :desc     => "Whether to create the necessary user and group that puppet agent will run as.",
     },
     :manage_internal_file_permissions => {
-        :default  => true,
+        :default  => ! Puppet::Util::Platform.windows?,
         :type     => :boolean,
-        :desc     => "Whether Puppet should manage the owner, group, and mode of files it uses internally",
+        :desc     => "Whether Puppet should manage the owner, group, and mode of files it uses internally.
+          **Note**: For Windows agents, the default is `false` for versions 4.10.13 and greater, versions 5.5.6 and greater, and versions 6.0 and greater.",
     },
     :onetime => {
         :default  => false,
@@ -268,7 +387,7 @@ module Puppet
           from the parent process.
 
           This setting can only be set in the `[main]` section of puppet.conf; it cannot
-          be set in `[master]`, `[agent]`, or an environment config section.",
+          be set in `[server]`, `[agent]`, or an environment config section.",
         :call_hook => :on_define_and_write,
         :hook             => proc do |value|
           Puppet::Util.set_env('PATH', '') if Puppet::Util.get_env('PATH').nil?
@@ -287,25 +406,19 @@ module Puppet
           for those files that Puppet will load on demand, and is only
           guaranteed to work for those cases.  In fact, the autoload
           mechanism is responsible for making sure this directory
-          is in Ruby's search path\n",
-      :call_hook => :on_initialize_and_write,
-      :hook             => proc do |value|
-        $LOAD_PATH.delete(@oldlibdir) if defined?(@oldlibdir) && $LOAD_PATH.include?(@oldlibdir)
-        @oldlibdir = value
-        $LOAD_PATH << value
-      end
+          is in Ruby's search path\n"
     },
     :environment => {
         :default  => "production",
         :desc     => "The environment in which Puppet is running. For clients,
           such as `puppet agent`, this determines the environment itself, which
-          Puppet uses to find modules and much more. For servers, such as `puppet master`,
+          Puppet uses to find modules and much more. For servers, such as `puppet server`,
           this provides the default environment for nodes that Puppet knows nothing about.
 
           When defining an environment in the `[agent]` section, this refers to the
-          environment that the agent requests from the master. The environment doesn't
+          environment that the agent requests from the primary server. The environment doesn't
           have to exist on the local filesystem because the agent fetches it from the
-          master. This definition is used when running `puppet agent`.
+          primary server. This definition is used when running `puppet agent`.
 
           When defined in the `[user]` section, the environment refers to the path that
           Puppet uses to search for code and modules related to its execution. This
@@ -326,9 +439,20 @@ module Puppet
 
         This setting must have a value set to enable **directory environments.** The
         recommended value is `$codedir/environments`. For more details, see
-        <https://docs.puppet.com/puppet/latest/reference/environments.html>",
+        <https://puppet.com/docs/puppet/latest/environments_about.html>",
       :type    => :path,
     },
+    :use_last_environment => {
+      :type     => :boolean,
+      :default  => true,
+      :desc     => <<-'EOT'
+      Puppet saves both the initial and converged environment in the last_run_summary file.
+      If they differ, and this setting is set to true, we will use the last converged
+      environment and skip the node request.
+
+      When set to false, we will do the node request and ignore the environment data from the last_run_summary file.
+    EOT
+    },
     :always_retry_plugins => {
         :type     => :boolean,
         :default  => true,
@@ -356,7 +480,7 @@ module Puppet
           files. The command to use can be chosen with the `diff` setting.",
     },
     :diff => {
-      :default => (Puppet.features.microsoft_windows? ? "" : "diff"),
+      :default => (Puppet::Util::Platform.windows? ? "" : "diff"),
       :desc    => "Which diff command to use when printing differences between files. This setting
           has no default value on Windows, as standard `diff` is not available, but Puppet can use many
           third-party diff tools.",
@@ -373,13 +497,13 @@ module Puppet
     },
     :daemonize => {
         :type     => :boolean,
-        :default  => (Puppet.features.microsoft_windows? ? false : true),
+        :default  => (Puppet::Util::Platform.windows? ? false : true),
         :desc     => "Whether to send the process into the background.  This defaults
           to true on POSIX systems, and to false on Windows (where Puppet
           currently cannot daemonize).",
         :short    => "D",
         :hook     => proc do |value|
-          if value and Puppet.features.microsoft_windows?
+          if value and Puppet::Util::Platform.windows?
             raise "Cannot daemonize on Windows"
           end
       end
@@ -415,7 +539,7 @@ module Puppet
 
         * `plain` --- Returns no data, so that the main manifest controls all node configuration.
         * `exec` --- Uses an
-          [external node classifier (ENC)](https://docs.puppet.com/puppet/latest/nodes_external.html),
+          [external node classifier (ENC)](https://puppet.com/docs/puppet/latest/nodes_external.html),
           configured by the `external_nodes` setting. This lets you pull a list of Puppet classes
           from any external system, using a small glue script to perform the request and format the
           result as YAML.
@@ -427,7 +551,7 @@ module Puppet
       :type       => :terminus,
       :default    => nil,
       :desc       => "How to store cached nodes.
-      Valid values are (none), 'json', 'msgpack', 'yaml' or write only yaml ('write_only_yaml').",
+      Valid values are (none), 'json', 'msgpack', or 'yaml'.",
     },
     :data_binding_terminus => {
       :type    => :terminus,
@@ -454,15 +578,15 @@ module Puppet
     :hiera_config => {
       :default => lambda do
         config = nil
-        codedir = Puppet.settings[:codedir]
+        codedir = settings[:codedir]
         if codedir.is_a?(String)
           config = File.expand_path(File.join(codedir, 'hiera.yaml'))
           config = nil unless Puppet::FileSystem.exist?(config)
         end
-        config = File.expand_path(File.join(Puppet.settings[:confdir], 'hiera.yaml')) if config.nil?
+        config = File.expand_path(File.join(settings[:confdir], 'hiera.yaml')) if config.nil?
         config
       end,
-      :desc    => "The hiera configuration file. Puppet only reads this file on startup, so you must restart the puppet master every time you edit it.",
+      :desc    => "The hiera configuration file. Puppet only reads this file on startup, so you must restart the puppet server every time you edit it.",
       :type    => :file,
     },
     :binder_config => {
@@ -487,6 +611,25 @@ module Puppet
       :default => 'facter',
       :desc => "The node facts terminus.",
     },
+    :trusted_external_command => {
+      :default  => nil,
+      :type     => :file_or_directory,
+      :desc     => "The external trusted facts script or directory to use.
+        This setting's value can be set to the path to an executable command that
+        can produce external trusted facts or to a directory containing those
+        executable commands. The command(s) must:
+
+        * Take the name of a node as a command-line argument.
+        * Return a JSON hash with the external trusted facts for this node.
+        * For unknown or invalid nodes, exit with a non-zero exit code.
+
+        If the setting points to an executable command, then the external trusted
+        facts will be stored in the 'external' key of the trusted facts hash. Otherwise
+        for each executable file in the directory, the external trusted facts will be
+        stored in the `<basename>` key of the `trusted['external']` hash. For example,
+        if the files foo.rb and bar.sh are in the directory, then `trusted['external']`
+        will be the hash `{ 'foo' => <foo.rb output>, 'bar' => <bar.sh output> }`.",
+    },
     :default_file_terminus => {
       :type       => :terminus,
       :default    => "rest",
@@ -497,9 +640,10 @@ module Puppet
     },
     :http_proxy_host => {
       :default    => "none",
-      :desc       => "The HTTP proxy host to use for outgoing connections.  Note: You
+      :desc       => "The HTTP proxy host to use for outgoing connections. The proxy will be bypassed if
+      the server's hostname matches the NO_PROXY environment variable or `no_proxy` setting. Note: You
       may need to use a FQDN for the server hostname when using a proxy. Environment variable
-      http_proxy or HTTP_PROXY will override this value",
+      http_proxy or HTTP_PROXY will override this value. ",
     },
     :http_proxy_port => {
       :default    => 3128,
@@ -512,7 +656,7 @@ module Puppet
     :http_proxy_password =>{
       :default    => "none",
       :hook       => proc do |value|
-        if Puppet.settings[:http_proxy_password] =~ /[@!# \/]/
+        if value =~ /[@!# \/]/
           raise "Passwords set in the http_proxy_password setting must be valid as part of a URL, and any reserved characters must be URL-encoded. We received: #{value}"
         end
       end,
@@ -523,6 +667,10 @@ module Puppet
         contains any characters with special meanings in URLs (as specified by RFC 3986
         section 2.2), they must be URL-encoded. (For example, `#` would become `%23`.)",
     },
+    :no_proxy => {
+      :default    => "localhost, 127.0.0.1",
+      :desc       => "List of host or domain names that should not go through `http_proxy_host`. Environment variable no_proxy or NO_PROXY will override this value. Names can be specified as an FQDN `host.example.com`, wildcard `*.example.com`, dotted domain `.example.com`, or suffix `example.com`.",
+    },
     :http_keepalive_timeout => {
       :default    => "4s",
       :type       => :duration,
@@ -542,9 +690,10 @@ module Puppet
       #{AS_DURATION}",
     },
     :http_read_timeout => {
+      :default => "10m",
       :type    => :duration,
-      :desc    => "The time to wait for one block to be read from an HTTP connection. If nothing is
-      read after the elapsed interval then the connection will be closed. The default value is unlimited.
+      :desc    => "The time to wait for data to be read from an HTTP connection. If nothing is
+      read after the elapsed interval then the connection will be closed. The default value is 10 minutes.
       #{AS_DURATION}",
     },
     :http_user_agent => {
@@ -556,38 +705,72 @@ module Puppet
       :type       => :duration,
       :desc       => "The minimum time to wait between checking for updates in
       configuration files.  This timeout determines how quickly Puppet checks whether
-      a file (such as manifests or templates) has changed on disk. #{AS_DURATION}",
+      a file (such as manifests or puppet.conf) has changed on disk. The default will
+      change in a future release to be 'unlimited', requiring a reload of the Puppet
+      service to pick up changes to its internal configuration. Currently we do not
+      accept a value of 'unlimited'. To reparse files within an environment in
+      Puppet Server please use the environment_cache endpoint",
+      :hook => proc do |val|
+        unless [0, 15, '15s'].include?(val)
+          Puppet.deprecation_warning(<<-WARNING)
+Fine grained control of filetimeouts is deprecated. In future
+releases this value will only determine if file content is cached.
+
+Valid values are 0 (never cache) and 15 (15 second minimum wait time).
+            WARNING
+        end
+      end
     },
     :environment_timeout => {
       :default    => "0",
       :type       => :ttl,
-      :desc       => "How long the Puppet master should cache data it loads from an
+      :desc       => "How long the Puppet server should cache data it loads from an
       environment.
-      #{AS_DURATION}
+
       A value of `0` will disable caching. This setting can also be set to
-      `unlimited`, which will cache environments until the master is restarted
-      or told to refresh the cache.
+      `unlimited`, which will cache environments until the server is restarted
+      or told to refresh the cache. All other values will result in Puppet
+      server evicting expired environments. The expiration time is computed
+      based on either when the environment was created or last accessed, see
+      `environment_timeout_mode`.
 
       You should change this setting once your Puppet deployment is doing
       non-trivial work. We chose the default value of `0` because it lets new
       users update their code without any extra steps, but it lowers the
-      performance of your Puppet master.
-
-      We recommend setting this to `unlimited` and explicitly refreshing your
-      Puppet master as part of your code deployment process.
-
-      * With Puppet Server, you should refresh environments by calling the
-        `environment-cache` API endpoint. See the docs for the Puppet Server
-        administrative API.
-      * With a Rack Puppet master, you should restart the web server or the
-        application server. Passenger lets you touch a `restart.txt` file to
-        refresh an application without restarting Apache; see the Passenger docs
-        for details.
-
-      We don't recommend using any value other than `0` or `unlimited`, since
-      most Puppet masters use a pool of Ruby interpreters which all have their
-      own cache timers. When these timers drift out of sync, agents can be served
-      inconsistent catalogs."
+      performance of your Puppet server. We recommend either:
+
+      * Setting this to `unlimited` and explicitly refreshing your Puppet server
+        as part of your code deployment process.
+
+      * Setting this to a number that will keep your most actively used
+        environments cached, but allow testing environments to fall out of the
+        cache and reduce memory usage. A value of 3 minutes (3m) is a reasonable
+        value. This option requires setting `environment_timeout_mode` to
+        `from_last_used`.
+
+      Once you set `environment_timeout` to a non-zero value, you need to tell
+      Puppet server to read new code from disk using the `environment-cache` API
+      endpoint after you deploy new code. See the docs for the Puppet Server
+      [administrative API](https://puppet.com/docs/puppetserver/latest/admin-api/v1/environment-cache.html).
+      ",
+      :hook => proc do |val|
+        if Puppet[:environment_timeout_mode] == :from_created
+          unless [0, 'unlimited', Float::INFINITY].include?(val)
+            Puppet.deprecation_warning("Evicting environments based on their creation time is deprecated, please set `environment_timeout_mode` to `from_last_used` instead.")
+          end
+        end
+      end
+    },
+    :environment_timeout_mode => {
+      :default => :from_created,
+      :type    => :symbolic_enum,
+      :values  => [:from_created, :from_last_used],
+      :desc => "How Puppet interprets the `environment_timeout` setting when
+      `environment_timeout` is neither `0` nor `unlimited`. If set to
+      `from_created`, then the environment will be evicted `environment_timeout`
+      seconds from when it was created. If set to `from_last_used` then the
+      environment will be evicted `environment_timeout` seconds from when it
+      was last used."
     },
     :environment_data_provider => {
       :desc       => "The name of a registered environment data provider used when obtaining environment
@@ -621,13 +804,6 @@ module Puppet
           essentially means that you can't have any code outside of a node,
           class, or definition other than in the site manifest.",
     },
-    :trusted_server_facts => {
-      :default => true,
-      :type    => :boolean,
-      :deprecated => :completely,
-      :desc    => "The 'trusted_server_facts' setting is deprecated and has no effect as the
-        feature this enabled is now always on. The setting will be removed in a future version of puppet.",
-    },
     :preview_outputdir => {
       :default => '$vardir/preview',
       :type     => :directory,
@@ -635,32 +811,24 @@ module Puppet
       :owner    => "service",
       :group    => "service",
       :desc    => "The directory where catalog previews per node are generated."
+    },
+    :location_trusted => {
+      :default => false,
+      :type     => :boolean,
+      :desc    => "This will allow sending the name + password and the cookie header to all hosts that puppet may redirect to.
+        This may or may not introduce a security breach if puppet redirects you to a site to which you'll send your authentication info and cookies."
     }
   )
 
-  define_settings(:main,
-      # Whether the application management feature is on or off - now deprecated and always on.
-      :app_management => {
-          :default  => false,
-          :type     => :boolean,
-          :desc       => "This setting has no effect and will be removed in a future Puppet version.",
-          :deprecated => :completely,
-      }
-  )
-
-  Puppet.define_settings(:module_tool,
+  settings.define_settings(:module_tool,
     :module_repository  => {
       :default  => 'https://forgeapi.puppet.com',
       :desc     => "The module repository",
     },
     :module_working_dir => {
-        :default  => (Puppet.features.microsoft_windows? ? Dir.tmpdir() : '$vardir/puppet-module'),
+        :default  => (Puppet::Util::Platform.windows? ? Dir.tmpdir() : '$vardir/puppet-module'),
         :desc     => "The directory into which module tool data is stored",
     },
-    :module_skeleton_dir => {
-        :default  => '$module_working_dir/skeleton',
-        :desc     => "The directory which the skeleton for module tool generate is stored.",
-    },
     :forge_authorization => {
         :default  => nil,
         :desc     => "The authorization key to connect to the Puppet Forge. Leave blank for unauthorized or license based connections",
@@ -671,7 +839,7 @@ module Puppet
     }
   )
 
-    Puppet.define_settings(
+    settings.define_settings(
     :main,
 
     # We have to downcase the fqdn, because the current ssl stuff (as opposed to in master) doesn't have good facilities for
@@ -679,37 +847,42 @@ module Puppet
     :certname => {
       :default => lambda { Puppet::Settings.default_certname.downcase },
       :desc => "The name to use when handling certificates. When a node
-        requests a certificate from the CA puppet master, it uses the value of the
+        requests a certificate from the CA Puppet Server, it uses the value of the
         `certname` setting as its requested Subject CN.
 
         This is the name used when managing a node's permissions in
-        [auth.conf](https://docs.puppetlabs.com/puppet/latest/reference/config_file_auth.html).
+        [auth.conf](https://puppet.com/docs/puppet/latest/config_file_auth.html).
         In most cases, it is also used as the node's name when matching
-        [node definitions](https://docs.puppetlabs.com/puppet/latest/reference/lang_node_definitions.html)
+        [node definitions](https://puppet.com/docs/puppet/latest/lang_node_definitions.html)
         and requesting data from an ENC. (This can be changed with the `node_name_value`
         and `node_name_fact` settings, although you should only do so if you have
         a compelling reason.)
 
         A node's certname is available in Puppet manifests as `$trusted['certname']`. (See
-        [Facts and Built-In Variables](https://docs.puppetlabs.com/puppet/latest/reference/lang_facts_and_builtin_vars.html)
+        [Facts and Built-In Variables](https://puppet.com/docs/puppet/latest/lang_facts_and_builtin_vars.html)
         for more details.)
 
         * For best compatibility, you should limit the value of `certname` to
           only use lowercase letters, numbers, periods, underscores, and dashes. (That is,
           it should match `/\A[a-z0-9._-]+\Z/`.)
         * The special value `ca` is reserved, and can't be used as the certname
-          for a normal node.
+          for a normal node.         
+
+          **Note:** You must set the certname in the main section of the puppet.conf file. Setting it in a different section causes errors.
 
         Defaults to the node's fully qualified domain name.",
-      :hook => proc { |value| raise(ArgumentError, _("Certificate names must be lower case")) unless value == value.downcase }},
+      :call_hook => :on_initialize_and_write,
+      :hook => proc { |value|
+        raise(ArgumentError, _("Certificate names must be lower case")) unless value == value.downcase
+      }},
     :dns_alt_names => {
       :default => '',
       :desc    => <<EOT,
 A comma-separated list of alternate DNS names for Puppet Server. These are extra
 hostnames (in addition to its `certname`) that the server is allowed to use when
-serving agents. Puppet checks this setting when automatically requesting a
-certificate for Puppet agent or Puppet Server, and when manually generating a
-certificate with `puppet cert generate`.
+serving agents. Puppet checks this setting when automatically creating a
+certificate for Puppet agent or Puppet Server. These can be either IP or DNS, and the type
+should be specified and followed with a colon. Untyped inputs will default to DNS.
 
 In order to handle agent requests at a given hostname (like
 "puppet.example.com"), Puppet Server needs a certificate that proves it's
@@ -721,20 +894,12 @@ names.
 
 **Note:** The list of alternate names is locked in when the server's
 certificate is signed. If you need to change the list later, you can't just
-change this setting; you also need to:
-
-* On the server: Stop Puppet Server.
-* On the CA server: Revoke and clean the server's old certificate. (`puppet cert clean <NAME>`)
-* On the server: Delete the old certificate (and any old certificate signing requests)
-  from the [ssldir](https://docs.puppetlabs.com/puppet/latest/reference/dirs_ssldir.html).
-* On the server: Run `puppet agent -t --ca_server <CA HOSTNAME>` to request a new certificate
-* On the CA server: Sign the certificate request, explicitly allowing alternate names
-  (`puppet cert sign --allow-dns-alt-names <NAME>`).
-* On the server: Run `puppet agent -t --ca_server <CA HOSTNAME>` to retrieve the cert.
-* On the server: Start Puppet Server again.
+change this setting; you also need to regenerate the certificate. For more
+information on that process, see the 
+[cert regen docs](https://puppet.com/docs/puppet/latest/ssl_regenerate_certificates.html).
 
 To see all the alternate names your servers are using, log into your CA server
-and run `puppet cert list -a`, then check the output for `(alt names: ...)`.
+and run `puppetserver ca list --all`, then check the output for `(alt names: ...)`.
 Most agent nodes should NOT have alternate names; the only certs that should
 have them are Puppet Server nodes that you want other agents to trust.
 EOT
@@ -745,8 +910,8 @@ EOT
       :desc => <<EOT
 An optional file containing custom attributes to add to certificate signing
 requests (CSRs). You should ensure that this file does not exist on your CA
-puppet master; if it does, unwanted certificate extensions may leak into
-certificates created with the `puppet cert generate` command.
+Puppet Server; if it does, unwanted certificate extensions may leak into
+certificates created with the `puppetserver ca generate` command.
 
 If present, this file must be a YAML hash containing a `custom_attributes` key
 and/or an `extension_requests` key. The value of each key must be a hash, where
@@ -760,13 +925,17 @@ This is useful for embedding a pre-shared key for autosigning policy executables
 ("challenge password") OID.
 
 Extension requests will be permanently embedded in the final certificate.
-Extension OIDs must be in the "ppRegCertExt" (`1.3.6.1.4.1.34380.1.1`) or
-"ppPrivCertExt" (`1.3.6.1.4.1.34380.1.2`) OID arcs. The ppRegCertExt arc is
+Extension OIDs must be in the "ppRegCertExt" (`1.3.6.1.4.1.34380.1.1`),
+"ppPrivCertExt" (`1.3.6.1.4.1.34380.1.2`), or
+"ppAuthCertExt" (`1.3.6.1.4.1.34380.1.3`) OID arcs. The ppRegCertExt arc is
 reserved for four of the most common pieces of data to embed: `pp_uuid` (`.1`),
 `pp_instance_id` (`.2`), `pp_image_name` (`.3`), and `pp_preshared_key` (`.4`)
 --- in the YAML file, these can be referred to by their short descriptive names
 instead of their full OID. The ppPrivCertExt arc is unregulated, and can be used
-for site-specific extensions.
+for site-specific extensions. The ppAuthCert arc is reserved for two pieces of
+data to embed: `pp_authorization` (`.1`) and `pp_auth_role` (`.13`). As with
+ppRegCertExt, in the YAML file, these can be referred to by their short
+descriptive name instead of their full OID.
 EOT
     },
     :certdir => {
@@ -785,6 +954,11 @@ EOT
       :group => "service",
       :desc => "Where SSL certificates are kept."
     },
+    :ssl_lockfile => {
+      :default => "$ssldir/ssl.lock",
+      :type    => :string,
+      :desc    => "A lock file to indicate that the ssl bootstrap process is currently in progress.",
+    },
     :publickeydir => {
       :default => "$ssldir/public_keys",
       :type   => :directory,
@@ -832,7 +1006,8 @@ EOT
       :mode => "0644",
       :owner => "service",
       :group => "service",
-      :desc => "Where individual hosts store and look for their certificate requests."
+      :deprecated  => :completely,
+      :desc => "This setting is deprecated."
     },
     :hostcert => {
       :default => "$certdir/$certname.pem",
@@ -866,6 +1041,23 @@ EOT
       :group => "service",
       :desc => "Where each client stores the CA certificate."
     },
+    :ca_fingerprint => {
+      :default => nil,
+      :type   => :string,
+      :desc => "The expected fingerprint of the CA certificate. If specified, the agent
+        will compare the CA certificate fingerprint that it downloads against this value
+        and reject the CA certificate if the values do not match. This only applies
+        during the first download of the CA certificate."
+    },
+    :ssl_trust_store => {
+      :default => nil,
+      :type => :file,
+      :desc => "A file containing CA certificates in PEM format that puppet should trust
+        when making HTTPS requests. This **only** applies to https requests to non-puppet
+        infrastructure, such as retrieving file metadata and content from https file sources,
+        puppet module tool and the 'http' report processor. This setting is ignored when
+        making requests to puppet:// URLs such as catalog and report requests.",
+    },
     :ssl_client_ca_auth => {
       :type  => :file,
       :mode  => "0644",
@@ -874,17 +1066,20 @@ EOT
       :desc  => "Certificate authorities who issue server certificates.  SSL servers will not be
         considered authentic unless they possess a certificate issued by an authority
         listed in this file.  If this setting has no value then the Puppet master's CA
-        certificate (localcacert) will be used."
+        certificate (localcacert) will be used.",
+      :hook => proc do |val|
+        Puppet.deprecation_warning(_("Setting 'ssl_client_ca_auth' is deprecated."))
+      end
     },
     :ssl_server_ca_auth => {
       :type  => :file,
       :mode  => "0644",
       :owner => "service",
       :group => "service",
-      :desc  => "Certificate authorities who issue client certificates.  SSL clients will not be
-        considered authentic unless they possess a certificate issued by an authority
-        listed in this file.  If this setting has no value then the Puppet master's CA
-        certificate (localcacert) will be used."
+      :deprecated  => :completely,
+      :desc => "The setting is deprecated and has no effect. Ensure all root and
+        intermediate certificate authorities used to issue client certificates are
+        contained in the server's `cacert` file on the server."
     },
     :hostcrl => {
       :default => "$ssldir/crl.pem",
@@ -898,142 +1093,136 @@ EOT
     :certificate_revocation => {
         :default  => 'chain',
         :type     => :certificate_revocation,
-        :desc     => <<EOT
-Whether certificate revocation checking should be enabled, and what level of checking should be performed.
-
-When certificate_revocation is set to 'true' or 'chain', Puppet will download the CA CRL and will perform revocation
-checking against each certificate in the chain.
-
-Puppet is unable to load multiple CRLs, so if certificate_revocation is set to 'chain' and Puppet attempts to verify
-a certificate signed by a root CA the behavior is equivalent to the 'leaf' setting, and if Puppet attempts to verify
-a certificate signed by an intermediate CA then verification will fail as Puppet will be unable to load the multiple
-CRLs required for full chain checking. As such the 'chain' setting is limited in functionality and is meant as a stand
-in pending the implementation of full chain checking.
-
-When certificate_revocation is set to 'leaf', Puppet will download the CA CRL and will verify the leaf certificate
-against that CRL. CRLs will not be fetched or checked for the rest of the certificates in the chain. If you are using
-an intermediate CA certificate and want to enable certificate revocation checking, this setting must be set to 'leaf'.
-
-When certificate_revocation is set to 'false', Puppet will disable all certificate revocation checking and will not
-attempt to download the CRL.
-EOT
+        :desc     => <<-'EOT'
+          Whether certificate revocation checking should be enabled, and what level of
+          checking should be performed.
+
+          When certificate revocation is enabled, Puppet expects the contents of its CRL
+          to be one or more PEM-encoded CRLs concatenated together. When using a cert
+          bundle, CRLs for all CAs in the chain of trust must be included in the crl file.
+          The chain should be ordered from least to most authoritative, with the first CRL
+          listed being for the root of the chain and the last being for the leaf CA.
+
+          When certificate_revocation is set to 'true' or 'chain', Puppet ensures
+          that each CA in the chain of trust has not been revoked by its issuing CA.
+
+          When certificate_revocation is set to 'leaf', Puppet verifies certs against
+          the issuing CA's revocation list, but it does not verify the revocation status
+          of the issuing CA or any CA above it within the chain of trust.
+
+          When certificate_revocation is set to 'false', Puppet disables all
+          certificate revocation checking and does not attempt to download the CRL.
+        EOT
+    },
+    :ciphers => {
+      :default => 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256',
+      :type => :string,
+      :desc => "The list of ciphersuites for TLS connections initiated by puppet. The
+                default value is chosen to support TLS 1.0 and up, but can be made
+                more restrictive if needed. The ciphersuites must be specified in OpenSSL
+                format, not IANA."
+    },
+    :key_type => {
+      :default => 'rsa',
+      :type    => :enum,
+      :values  => %w[rsa ec],
+      :desc    => "The type of private key. Valid values are `rsa` and `ec`. Default is `rsa`."
+    },
+    :named_curve => {
+      :default => 'prime256v1',
+      :type    => :string,
+      :desc    => "The short name for the EC curve used to generate the EC private key. Valid
+                   values must be one of the curves in `OpenSSL::PKey::EC.builtin_curves`.
+                   Default is `prime256v1`."
     },
     :digest_algorithm => {
-        :default  => 'md5',
+        :default  => lambda { default_digest_algorithm },
         :type     => :enum,
-        :values => ["md5", "sha256"],
-        :desc     => 'Which digest algorithm to use for file resources and the filebucket.
-                      Valid values are md5, sha256. Default is md5.',
+        :values   => valid_digest_algorithms,
+        :desc     => "Which digest algorithm to use for file resources and the filebucket.
+                      Valid values are #{valid_digest_algorithms.join(', ')}. Default is
+                      #{default_digest_algorithm}.",
     },
     :supported_checksum_types => {
-      :default => ['md5', 'sha256'],
+      :default => lambda { default_file_checksum_types },
       :type    => :array,
-      :desc    => 'Checksum types supported by this agent for use in file resources of a
-                   static catalog. Values must be comma-separated. Valid types are md5,
-                   md5lite, sha256, sha256lite, sha1, sha1lite, mtime, ctime.',
+      :desc    => "Checksum types supported by this agent for use in file resources of a
+                   static catalog. Values must be comma-separated. Valid types are
+                   #{valid_file_checksum_types.join(', ')}. Default is
+                   #{default_file_checksum_types.join(', ')}.",
       :hook    => proc do |value|
         values = munge(value)
-        valid   = ['md5', 'md5lite', 'sha256', 'sha256lite', 'sha1', 'sha1lite', 'mtime', 'ctime']
-        invalid = values.reject {|alg| valid.include?(alg)}
+
+        invalid = values - Puppet.valid_file_checksum_types
         if not invalid.empty?
-          raise ArgumentError, _("Unrecognized checksum types %{invalid} are not supported.") % { invalid: invalid } +
-              ' ' + _("Valid values are %{values}.") % { values: valid }
+          raise ArgumentError, _("Invalid value '%{value}' for parameter %{name}. Allowed values are '%{allowed_values}'") % {
+            value: invalid.first, name: @name, allowed_values: Puppet.valid_file_checksum_types.join("', '")
+          }
         end
       end
+    },
+    :logdest => {
+      :type      => :string,
+      :desc      => "Where to send log messages. Choose between 'syslog' (the POSIX syslog
+      service), 'eventlog' (the Windows Event Log), 'console', or the path to a log
+      file. Multiple destinations can be set using a comma separated list (eg: `/path/file1,console,/path/file2`)"
+      # Sure would be nice to set the Puppet::Util::Log destination here in an :on_initialize_and_write hook,
+      # unfortunately we have a large number of tests that rely on the logging not resetting itself when the
+      # settings are initialized as they test what gets logged during settings initialization.
     }
   )
 
-    define_settings(
+    settings.define_settings(
     :ca,
     :ca_name => {
-      :default    => "Puppet CA: $certname",
-      :desc       => "The name to use the Certificate Authority certificate.",
+      :default => "Puppet CA: $certname",
+      :desc    => "The name to use the Certificate Authority certificate.",
     },
     :cadir => {
-      :default => "$ssldir/ca",
+      :default => lambda { default_cadir },
       :type => :directory,
-      :owner => "service",
-      :group => "service",
-      :mode => "0755",
-      :desc => "The root directory for the certificate authority."
+      :desc => "The root directory for the certificate authority.",
     },
     :cacert => {
       :default => "$cadir/ca_crt.pem",
       :type => :file,
-      :owner => "service",
-      :group => "service",
-      :mode => "0644",
-      :desc => "The CA certificate."
+      :desc => "The CA certificate.",
     },
     :cakey => {
       :default => "$cadir/ca_key.pem",
       :type => :file,
-      :owner => "service",
-      :group => "service",
-      :mode => "0640",
-      :desc => "The CA private key."
+      :desc => "The CA private key.",
     },
     :capub => {
       :default => "$cadir/ca_pub.pem",
       :type => :file,
-      :owner => "service",
-      :group => "service",
-      :mode => "0644",
-      :desc => "The CA public key."
+      :desc => "The CA public key.",
     },
     :cacrl => {
       :default => "$cadir/ca_crl.pem",
       :type => :file,
-      :owner => "service",
-      :group => "service",
-      :mode => "0644",
-      :desc => "The certificate revocation list (CRL) for the CA. Will be used if present but otherwise ignored.",
-    },
-    :caprivatedir => {
-      :default => "$cadir/private",
-      :type => :directory,
-      :owner => "service",
-      :group => "service",
-      :mode => "0750",
-      :desc => "Where the CA stores private certificate information."
+      :desc => "The certificate revocation list (CRL) for the CA.",
     },
     :csrdir => {
       :default => "$cadir/requests",
       :type => :directory,
-      :owner => "service",
-      :group => "service",
-      :mode  => "0755",
-      :desc => "Where the CA stores certificate requests"
+      :desc => "Where the CA stores certificate requests.",
     },
     :signeddir => {
       :default => "$cadir/signed",
       :type => :directory,
-      :owner => "service",
-      :group => "service",
-      :mode => "0755",
-      :desc => "Where the CA stores signed certificates."
-    },
-    :capass => {
-      :default => "$caprivatedir/ca.pass",
-      :type => :file,
-      :owner => "service",
-      :group => "service",
-      :mode => "0640",
-      :desc => "Where the CA stores the password for the private key."
+      :desc => "Where the CA stores signed certificates.",
     },
     :serial => {
       :default => "$cadir/serial",
       :type => :file,
-      :owner => "service",
-      :group => "service",
-      :mode => "0644",
-      :desc => "Where the serial number for certificates is stored."
+      :desc => "Where the serial number for certificates is stored.",
     },
     :autosign => {
       :default => "$confdir/autosign.conf",
       :type => :autosign,
       :desc => "Whether (and how) to autosign certificate requests. This setting
-        is only relevant on a puppet master acting as a certificate authority (CA).
+        is only relevant on a Puppet Server acting as a certificate authority (CA).
 
         Valid values are true (autosigns all certificate requests; not recommended),
         false (disables autosigning certificates), or the absolute path to a file.
@@ -1044,30 +1233,48 @@ EOT
         file, it will be treated as a policy executable; otherwise, it will be
         treated as a config file.
 
-        If a custom policy executable is configured, the CA puppet master will run it
+        If a custom policy executable is configured, the CA Puppet Server will run it
         every time it receives a CSR. The executable will be passed the subject CN of the
         request _as a command line argument,_ and the contents of the CSR in PEM format
         _on stdin._ It should exit with a status of 0 if the cert should be autosigned
         and non-zero if the cert should not be autosigned.
 
         If a certificate request is not autosigned, it will persist for review. An admin
-        user can use the `puppet cert sign` command to manually sign it, or can delete
+        user can use the `puppetserver ca sign` command to manually sign it, or can delete
         the request.
 
         For info on autosign configuration files, see
-        [the guide to Puppet's config files](https://docs.puppetlabs.com/puppet/latest/reference/config_about_settings.html).",
+        [the guide to Puppet's config files](https://puppet.com/docs/puppet/latest/config_file_autosign.html).",
     },
     :allow_duplicate_certs => {
       :default    => false,
       :type       => :boolean,
-      :desc       => "Whether to allow a new certificate
-      request to overwrite an existing certificate.",
+      :desc       => "Whether to allow a new certificate request to overwrite an existing
+        certificate request. If true, then the old certificate must be cleaned using
+        `puppetserver ca clean`, and the new request signed using `puppetserver ca sign`."
     },
     :ca_ttl => {
       :default    => "5y",
       :type       => :duration,
       :desc       => "The default TTL for new certificates.
-      #{AS_DURATION}"
+      #{AS_DURATION}",
+    },
+    :crl_refresh_interval => {
+      :type       => :duration,
+      :desc       => "How often the Puppet agent refreshes its local CRL. By
+         default the CRL is only downloaded once, and never refreshed. If a
+         duration is specified, then the agent will refresh its CRL whenever it
+         next runs and the elapsed time since the CRL was last refreshed exceeds
+         the duration.
+
+         In general, the duration should be greater than the `runinterval`.
+         Setting it to an equal or lesser value will cause the CRL to be
+         refreshed on every run.
+
+         If the agent downloads a new CRL, the agent will use it for subsequent
+         network requests. If the refresh request fails or if the CRL is
+         unchanged on the server, then the agent run will continue using the
+         local CRL it already has.#{AS_DURATION}",
     },
     :keylength => {
       :default    => 4096,
@@ -1076,17 +1283,14 @@ EOT
     :cert_inventory => {
       :default => "$cadir/inventory.txt",
       :type => :file,
-      :mode => "0644",
-      :owner => "service",
-      :group => "service",
       :desc => "The inventory file. This is a text file to which the CA writes a
-        complete listing of all certificates."
+        complete listing of all certificates.",
     }
   )
 
   # Define the config default.
 
-    define_settings(:application,
+    settings.define_settings(:application,
       :config_file_name => {
           :type     => :string,
           :default  => Puppet::Settings.default_config_file_name,
@@ -1109,17 +1313,13 @@ EOT
         :default    => nil,
         :desc       => "The address the agent should use to initiate requests.",
       },
-      :bindaddress => {
-        :default    => "*",
-        :desc       => "The address a listening server should bind to.",
-      }
   )
 
-  define_settings(:environment,
+  settings.define_settings(:environment,
     :manifest => {
       :default    => nil,
       :type       => :file_or_directory,
-      :desc       => "The entry-point manifest for puppet master. This can be one file
+      :desc       => "The entry-point manifest for the primary server. This can be one file
         or a directory of manifests to be evaluated in alphabetical order. Puppet manages
         this path as a directory if one exists or if the path ends with a / or \\.
 
@@ -1128,7 +1328,7 @@ EOT
         directory environments instead. If you need to use something other than the
         environment's `manifests` directory as the main manifest, you can set
         `manifest` in environment.conf. For more info, see
-        <https://docs.puppet.com/puppet/latest/reference/environments.html>",
+        <https://puppet.com/docs/puppet/latest/environments_about.html>",
     },
     :modulepath => {
       :default => "",
@@ -1142,7 +1342,7 @@ EOT
         directory environments instead. If you need to use something other than the
         default modulepath of `<ACTIVE ENVIRONMENT'S MODULES DIR>:$basemodulepath`,
         you can set `modulepath` in environment.conf. For more info, see
-        <https://docs.puppet.com/puppet/latest/reference/environments.html>",
+        <https://puppet.com/docs/puppet/latest/environments_about.html>",
     },
     :config_version => {
       :default    => "",
@@ -1154,18 +1354,22 @@ EOT
       Setting a global value for config_version in puppet.conf is not allowed
       (but it can be overridden from the commandline). Please set a
       per-environment value in environment.conf instead. For more info, see
-      <https://docs.puppet.com/puppet/latest/reference/environments.html>",
+      <https://puppet.com/docs/puppet/latest/environments_about.html>",
     }
   )
 
-  define_settings(:master,
+  settings.define_settings(:server,
     :user => {
       :default    => "puppet",
-      :desc       => "The user puppet master should run as.",
+      :desc       => "The user Puppet Server will run as. Used to ensure
+      the agent side processes (agent, apply, etc) create files and
+      directories readable by Puppet Server when necessary.",
     },
     :group => {
       :default    => "puppet",
-      :desc       => "The group puppet master should run as.",
+      :desc       => "The group Puppet Server will run as. Used to ensure
+      the agent side processes (agent, apply, etc) create files and
+      directories readable by Puppet Server when necessary.",
     },
     :default_manifest => {
       :default    => "./manifests",
@@ -1204,32 +1408,34 @@ EOT
       by `puppet`, and should only be set if you're writing your own Puppet
       executable.",
     },
-    :masterhttplog => {
-      :default => "$logdir/masterhttp.log",
-      :type => :file,
-      :owner => "service",
-      :group => "service",
-      :mode => "0660",
-      :create => true,
-      :desc => "Where the puppet master web server saves its access log. This is
-        only used when running a WEBrick puppet master. When puppet master is
-        running under a Rack server like Passenger, that web server will have
-        its own logging behavior."
-    },
     :masterport => {
       :default    => 8140,
-      :desc       => "The port for puppet master traffic. For puppet master,
-      this is the port to listen on; for puppet agent, this is the port
-      to make requests on. Both applications use this setting to get the port.",
+      :desc       => "The default port puppet subcommands use to communicate
+      with Puppet Server. (eg `puppet facts upload`, `puppet agent`). May be
+      overridden by more specific settings (see `ca_port`, `report_port`).",
+    },
+    :serverport => {
+      :type => :alias,
+      :alias_for => :masterport
     },
     :node_name => {
-      :default    => "cert",
+      :default    => 'cert',
+      :type       => :enum,
+      :values     => ['cert', 'facter'],
+      :deprecated => :completely,
+      :hook       => proc { |val|
+        if val != 'cert'
+          Puppet.deprecation_warning("The node_name setting is deprecated and will be removed in a future release.")
+        end
+      },
       :desc       => "How the puppet master determines the client's identity
       and sets the 'hostname', 'fqdn' and 'domain' facts for use in the manifest,
       in particular for determining which 'node' statement applies to the client.
       Possible values are 'cert' (use the subject's CN in the client's
       certificate) and 'facter' (use the hostname that the client
-      reported in its facts)",
+      reported in its facts).
+
+      This setting is deprecated, please use explicit fact matching for classification.",
     },
     :bucketdir => {
       :default => "$vardir/bucket",
@@ -1242,14 +1448,11 @@ EOT
     :rest_authconfig => {
       :default    => "$confdir/auth.conf",
       :type       => :file,
+      :deprecated  => :completely,
       :desc       => "The configuration file that defines the rights to the different
-      rest indirections.  This can be used as a fine-grained
-      authorization system for `puppet master`.",
-    },
-    :ca => {
-      :default    => true,
-      :type       => :boolean,
-      :desc       => "Whether the master should function as a certificate authority.",
+      rest indirections.  This can be used as a fine-grained authorization system for
+      `puppet master`.  The `puppet master` command is deprecated and Puppet Server
+      uses its own auth.conf that must be placed within its configuration directory.",
     },
     :trusted_oid_mapping_file => {
       :default    => "$confdir/custom_trusted_oid_mapping.yaml",
@@ -1257,7 +1460,7 @@ EOT
       :desc       => "File that provides mapping between custom SSL oids and user-friendly names"
     },
     :basemodulepath => {
-      :default => "$codedir/modules#{File::PATH_SEPARATOR}/opt/puppetlabs/puppet/modules",
+      :default => lambda { default_basemodulepath },
       :type => :path,
       :desc => "The search path for **global** modules. Should be specified as a
         list of directories separated by the system path separator character. (The
@@ -1266,7 +1469,15 @@ EOT
         These are the modules that will be used by _all_ environments. Note that
         the `modules` directory of the active environment will have priority over
         any global directories. For more info, see
-        <https://docs.puppet.com/puppet/latest/reference/environments.html>",
+        <https://puppet.com/docs/puppet/latest/environments_about.html>",
+    },
+    :vendormoduledir => {
+      :default => lambda { default_vendormoduledir },
+      :type => :string,
+      :desc => "The directory containing **vendored** modules. These modules will
+      be used by _all_ environments like those in the `basemodulepath`. The only
+      difference is that modules in the `basemodulepath` are pluginsynced, while
+      vendored modules are not",
     },
     :ssl_client_header => {
       :default    => "HTTP_X_CLIENT_DN",
@@ -1315,15 +1526,17 @@ EOT
         their names should be comma-separated, with whitespace allowed. (For example,
         `reports = http, store`.)
 
-        This setting is relevant to puppet master and puppet apply. The puppet
-        master will call these report handlers with the reports it receives from
+        This setting is relevant to puppet server and puppet apply. The primary Puppet
+        server will call these report handlers with the reports it receives from
         agent nodes, and puppet apply will call them with its own report. (In
         all cases, the node applying the catalog must have `report = true`.)
 
         See the report reference for information on the built-in report
         handlers; custom report handlers can also be loaded from modules.
         (Report handlers are loaded from the lib directory, at
-        `puppet/reports/NAME.rb`.)",
+        `puppet/reports/NAME.rb`.)
+
+        To turn off reports entirely, set this to `none`",
     },
     :reportdir => {
       :default => "$vardir/reports",
@@ -1347,14 +1560,23 @@ EOT
       :desc       => "Where the fileserver configuration is stored.",
     },
     :strict_hostname_checking => {
-      :default    => false,
+      :default    => true,
+      :type       => :boolean,
       :desc       => "Whether to only search for the complete
-            hostname as it is in the certificate when searching for node information
-            in the catalogs.",
+        hostname as it is in the certificate when searching for node information
+        in the catalogs or to match dot delimited segments of the cert's certname
+        and the hostname, fqdn, and/or domain facts.
+
+        This setting is deprecated and will be removed in a future release.",
+      :hook => proc { |val|
+        if val != true
+          Puppet.deprecation_warning("Setting strict_hostname_checking to false is deprecated and will be removed in a future release. Please use regular expressions in your node declarations or explicit fact matching for classification (though be warned that fact based classification may be considered insecure).")
+        end
+      }
     }
   )
 
-  define_settings(:device,
+  settings.define_settings(:device,
     :devicedir =>  {
         :default  => "$vardir/devices",
         :type     => :directory,
@@ -1369,11 +1591,11 @@ EOT
     }
   )
 
-  define_settings(:agent,
+  settings.define_settings(:agent,
     :node_name_value => {
       :default => "$certname",
       :desc => "The explicit value used for the node name for all requests the agent
-        makes to the master. WARNING: This setting is mutually exclusive with
+        makes to the primary server. WARNING: This setting is mutually exclusive with
         node_name_fact.  Changing this setting also requires changes to the default
         auth.conf configuration on the Puppet Master.  Please see
         http://links.puppet.com/node_name_value for more information."
@@ -1381,7 +1603,7 @@ EOT
     :node_name_fact => {
       :default => "",
       :desc => "The fact name used to determine the node name used for all requests the agent
-        makes to the master. WARNING: This setting is mutually exclusive with
+        makes to the primary server. WARNING: This setting is mutually exclusive with
         node_name_value.  Changing this setting also requires changes to the default
         auth.conf configuration on the Puppet Master.  Please see
         http://links.puppet.com/node_name_fact for more information.",
@@ -1394,16 +1616,29 @@ EOT
     :statefile => {
       :default => "$statedir/state.yaml",
       :type => :file,
-      :mode => "0660",
-      :desc => "Where puppet agent and puppet master store state associated
-        with the running configuration.  In the case of puppet master,
+      :mode => "0640",
+      :desc => "Where Puppet agent and Puppet Server store state associated
+        with the running configuration.  In the case of Puppet Server,
         this file reflects the state discovered through interacting
         with clients."
-      },
+    },
+    :statettl => {
+      :default => "32d",
+      :type    => :ttl,
+      :desc    => "How long the Puppet agent should cache when a resource was last checked or synced.
+      #{AS_DURATION}
+      A value of `0` or `unlimited` will disable cache pruning.
+
+      This setting affects the usage of `schedule` resources, as the information
+      about when a resource was last checked (and therefore when it needs to be
+      checked again) is stored in the `statefile`. The `statettl` needs to be
+      large enough to ensure that a resource will not trigger multiple times
+      during a schedule due to its entry expiring from the cache."
+    },
     :transactionstorefile => {
       :default => "$statedir/transactionstore.yaml",
       :type => :file,
-      :mode => "0660",
+      :mode => "0640",
       :desc => "Transactional storage file for persisting data between
         transactions for the purposes of infering information (such as
         corrective_change) on new data received."
@@ -1420,6 +1655,12 @@ EOT
       :mode => "0750",
       :desc => "The directory in which serialized data is stored on the client."
     },
+    :write_catalog_summary => {
+      :default => true,
+      :type => :boolean,
+      :desc => "Whether to write the `classfile` and `resourcefile` after applying
+        the catalog. It is enabled by default, except when running `puppet apply`.",
+    },
     :classfile => {
       :default => "$statedir/classes.txt",
       :type => :file,
@@ -1446,41 +1687,31 @@ EOT
         the POSIX syslog service and the Windows Event Log are unavailable. (Currently,
         no supported operating systems match that description.)
 
-        Despite the name, both puppet agent and puppet master will use this file
+        Despite the name, both puppet agent and puppet server will use this file
         as the fallback logging destination.
 
         For control over logging destinations, see the `--logdest` command line
-        option in the manual pages for puppet master, puppet agent, and puppet
+        option in the manual pages for puppet server, puppet agent, and puppet
         apply. You can see man pages by running `puppet <SUBCOMMAND> --help`,
-        or read them online at https://docs.puppetlabs.com/puppet/latest/reference/man/."
+        or read them online at https://puppet.com/docs/puppet/latest/man/."
+    },
+    :deviceconfdir => {
+      :default  => "$confdir/devices",
+      :type     => :directory,
+      :mode     => "0750",
+      :owner    => "service",
+      :group    => "service",
+      :desc     => "The root directory of devices' $confdir.",
     },
     :server => {
       :default => "puppet",
-      :desc => "The puppet master server to which the puppet agent should connect.",
-      :call_hook => :on_initialize_and_write,
-      :hook => proc { |value|
-        if Puppet.settings.set_by_config?(:server) && Puppet.settings.set_by_config?(:server_list)
-          #TRANSLATOR 'server' and 'server_list' are setting names and should not be translated
-          message = _('Attempted to set both server and server_list.')
-          message += ' ' + _('Server setting will not be used.')
-          Puppet.deprecation_warning(message, :SERVER_DUPLICATION)
-        end
-      }
+      :desc => "The primary Puppet server to which the Puppet agent should connect.",
     },
     :server_list => {
       :default => [],
       :type => :server_list,
-      :desc => "The list of puppet master servers to which the puppet agent should connect,
+      :desc => "The list of primary Puppet servers to which the Puppet agent should connect,
         in the order that they will be tried.",
-      :call_hook => :on_initialize_and_write,
-      :hook => proc { |value|
-        if Puppet.settings.set_by_config?(:server) && Puppet.settings.set_by_config?(:server_list)
-          #TRANSLATOR 'server' and 'server_list' are setting names and should not be translated
-          message = _('Attempted to set both server and server_list.')
-          message += ' ' + _('Server setting will not be used.')
-          Puppet.deprecation_warning(message, :SERVER_DUPLICATION)
-        end
-      }
     },
     :use_srv_records => {
       :default    => false,
@@ -1491,6 +1722,12 @@ EOT
       :default    => lambda { Puppet::Settings.domain_fact },
       :desc       => "The domain which will be queried to find the SRV records of servers to use.",
     },
+    :http_extra_headers => {
+      :default => [],
+      :type => :http_extra_headers,
+      :desc => "The list of extra headers that will be sent with http requests to the primary server.
+      The header definition consists of a name and a value separated by a colon."
+    },
     :ignoreschedules => {
       :default    => false,
       :type       => :boolean,
@@ -1514,14 +1751,14 @@ EOT
         like it does when running normally. However, if a resource attribute is not in
         the desired state (as declared in the catalog), Puppet will take no
         action, and will instead report the changes it _would_ have made. These
-        simulated changes will appear in the report sent to the puppet master, or
+        simulated changes will appear in the report sent to the primary Puppet server, or
         be shown on the console if running puppet agent or puppet apply in the
         foreground. The simulated changes will not send refresh events to any
         subscribing or notified resources, although Puppet will log that a refresh
         event _would_ have been sent.
 
         **Important note:**
-        [The `noop` metaparameter](https://docs.puppetlabs.com/puppet/latest/reference/metaparameter.html#noop)
+        [The `noop` metaparameter](https://puppet.com/docs/puppet/latest/metaparameter.html#noop)
         allows you to apply individual resources in noop mode, and will override
         the global value of the `noop` setting. This means a resource with
         `noop => false` _will_ be changed if necessary, even when running puppet
@@ -1533,15 +1770,14 @@ EOT
       :type     => :duration,
       :desc     => "How often puppet agent applies the catalog.
           Note that a runinterval of 0 means \"run continuously\" rather than
-          \"never run.\" If you want puppet agent to never run, you should start
-          it with the `--no-client` option. #{AS_DURATION}",
+          \"never run.\" #{AS_DURATION}",
     },
     :runtimeout => {
-      :default  => 0,
+      :default  => "1h",
       :type     => :duration,
       :desc     => "The maximum amount of time an agent run is allowed to take.
-          A Puppet agent run that exceeds this timeout will be aborted.
-          Defaults to 0, which is unlimited. #{AS_DURATION}",
+          A Puppet agent run that exceeds this timeout will be aborted. A value
+          of 0 disables the timeout. Defaults to 1 hour. #{AS_DURATION}",
     },
     :ca_server => {
       :default    => "$server",
@@ -1550,7 +1786,7 @@ EOT
       and does not need to horizontally scale.",
     },
     :ca_port => {
-      :default    => "$masterport",
+      :default    => "$serverport",
       :desc       => "The port to use for the certificate authority.",
     },
     :preferred_serialization_format => {
@@ -1569,7 +1805,7 @@ EOT
     },
     :agent_disabled_lockfile => {
         :default    => "$statedir/agent_disabled.lock",
-        :type       => :file,
+        :type       => :string,
         :desc       => "A lock file to indicate that puppet agent runs have been administratively
           disabled.  File contains a JSON object with state information.",
     },
@@ -1586,20 +1822,16 @@ EOT
       :type       => :boolean,
       :desc       => "Whether to only use the cached catalog rather than compiling a new catalog
         on every run.  Puppet can be run with this enabled by default and then selectively
-        disabled when a recompile is desired.",
+        disabled when a recompile is desired. Because a Puppet agent using cached catalogs
+        does not contact the primary server for a new catalog, it also does not upload facts at
+        the beginning of the Puppet run.",
     },
     :ignoremissingtypes => {
       :default    => false,
       :type       => :boolean,
       :desc       => "Skip searching for classes and definitions that were missing during a
         prior compilation. The list of missing objects is maintained per-environment and
-        persists until the environment is cleared or the master is restarted.",
-    },
-    :ignorecache => {
-      :default    => false,
-      :type       => :boolean,
-      :desc       => "This setting has no effect and will be removed in a future Puppet version.",
-      :deprecated => :completely,
+        persists until the environment is cleared or the primary server is restarted.",
     },
     :splaylimit => {
       :default    => "$runinterval",
@@ -1629,7 +1861,7 @@ EOT
         If you restart an agent's puppet service with `splay` enabled, it
         recalculates its splay period and delays its first agent run after
         restarting for this new period. If you simultaneously restart a group of
-        puppet agents with `splay` enabled, their checkins to your puppet masters
+        puppet agents with `splay` enabled, their checkins to your primary servers
         can be distributed more evenly.",
     },
     :clientbucketdir => {
@@ -1638,25 +1870,12 @@ EOT
       :mode     => "0750",
       :desc     => "Where FileBucket files are stored locally."
     },
-    :configtimeout => {
-      :default  => "2m",
-      :type     => :duration,
-      :desc     => "How long the client should wait for the configuration to be retrieved
-        before considering it a failure. This setting is deprecated and has been replaced
-        by http_connect_timeout and http_read_timeout.
-        #{AS_DURATION}",
-      :deprecated => :completely,
-      :hook       => proc do |value|
-        Puppet[:http_connect_timeout] = value
-        Puppet[:http_read_timeout]    = value
-      end
-    },
     :report_server => {
       :default  => "$server",
       :desc     => "The server to send transaction reports to.",
     },
     :report_port => {
-      :default  => "$masterport",
+      :default  => "$serverport",
       :desc     => "The port to communicate with the report_server.",
     },
     :report => {
@@ -1664,6 +1883,28 @@ EOT
       :type     => :boolean,
       :desc     => "Whether to send reports after every transaction.",
     },
+    :report_include_system_store => {
+      :default  => false,
+      :type     => :boolean,
+      :desc     => "Whether the 'http' report processor should include the system
+        certificate store when submitting reports to HTTPS URLs. If false, then
+        the 'http' processor will only trust HTTPS report servers whose certificates
+        are issued by the puppet CA or one of its intermediate CAs. If true, the
+        processor will additionally trust CA certificates in the system's
+        certificate store."
+    },
+    :resubmit_facts => {
+      :default  => false,
+      :type     => :boolean,
+      :desc     => "Whether to send updated facts after every transaction. By default
+        puppet only submits facts at the beginning of the transaction before applying a
+        catalog. Since puppet can modify the state of the system, the value of the facts
+        may change after puppet finishes. Therefore, any facts stored in puppetdb may not
+        be consistent until the agent next runs, typically in 30 minutes. If this feature
+        is enabled, puppet will resubmit facts after applying its catalog, ensuring facts
+        for the node stored in puppetdb are current. However, this will double the fact
+        submission load on puppetdb, so it is disabled by default.",
+    },
     :lastrunfile =>  {
       :default  => "$statedir/last_run_summary.yaml",
       :type     => :file,
@@ -1674,7 +1915,11 @@ EOT
       :default  => "$statedir/last_run_report.yaml",
       :type     => :file,
       :mode     => "0640",
-      :desc     => "Where puppet agent stores the last run report in yaml format."
+      :desc     => "Where Puppet Agent stores the last run report, by default, in yaml format.
+        The format of the report can be changed by setting the `cache` key of the `report` terminus
+        in the [routes.yaml](https://puppet.com/docs/puppet/latest/config_file_routes.html) file.
+        To avoid mismatches between content and file extension, this setting needs to be
+        manually updated to reflect the terminus changes."
     },
     :graph => {
       :default  => false,
@@ -1708,43 +1953,49 @@ EOT
 
       When starting for the first time, puppet agent will submit a certificate
       signing request (CSR) to the server named in the `ca_server` setting
-      (usually the puppet master); this may be autosigned, or may need to be
+      (usually the primary Puppet server); this may be autosigned, or may need to be
       approved by a human, depending on the CA server's configuration.
 
       Puppet agent cannot apply configurations until its approved certificate is
       available. Since the certificate may or may not be available immediately,
       puppet agent will repeatedly try to fetch it at this interval. You can
-      turn off waiting for certificates by specifying a time of 0, in which case
+      turn off waiting for certificates by specifying a time of 0, or a maximum
+      amount of time to wait in the `maxwaitforcert` setting, in which case
       puppet agent will exit if it cannot get a cert.
       #{AS_DURATION}",
     },
-    :ordering => {
-      :type => :enum,
-      :values => ["manifest", "title-hash", "random"],
-      :default => "manifest",
-      :desc => "How unrelated resources should be ordered when applying a catalog.
-      Allowed values are `title-hash`, `manifest`, and `random`. This
-      setting affects puppet agent and puppet apply, but not puppet master.
-
-      * `manifest` (the default) will use the order in which the resources were
-        declared in their manifest files.
-      * `title-hash` (the default in 3.x) will order resources randomly, but
-        will use the same order across runs and across nodes. It is only of
-        value if you're migrating from 3.x and have errors running with
-        `manifest`.
-      * `random` will order resources randomly and change their order with each
-        run. This can work like a fuzzer for shaking out undeclared dependencies.
-
-      Regardless of this setting's value, Puppet will always obey explicit
-      dependencies set with the before/require/notify/subscribe metaparameters
-      and the `->`/`~>` chaining arrows; this setting only affects the relative
-      ordering of _unrelated_ resources."
+    :maxwaitforcert => {
+      :default  => "unlimited",
+      :type     => :ttl,
+      :desc     => "The maximum amount of time the Puppet agent should wait for its
+      certificate request to be signed. A value of `unlimited` will cause puppet agent
+      to ask for a signed certificate indefinitely.
+      #{AS_DURATION}",
+    },
+    :waitforlock => {
+      :default  => "0",
+      :type     => :duration,
+      :desc     => "How frequently puppet agent should try running when there is an
+      already ongoing puppet agent instance.
+
+      This argument is by default disabled (value set to 0). In this case puppet agent will
+      immediately exit if it cannot run at that moment. When a value other than 0 is set, this
+      can also be used in combination with the `maxwaitforlock` argument.
+      #{AS_DURATION}",
+    },
+    :maxwaitforlock => {
+      :default  => "1m",
+      :type     => :ttl,
+      :desc     => "The maximum amount of time the puppet agent should wait for an
+      already running puppet agent to finish before starting a new one. This is set by default to 1 minute.
+      A value of `unlimited` will cause puppet agent to wait indefinitely. 
+      #{AS_DURATION}",
     }
   )
 
   # Plugin information.
 
-  define_settings(
+  settings.define_settings(
     :main,
     :plugindest => {
       :type       => :directory,
@@ -1779,7 +2030,6 @@ EOT
       is used for retrieval, so anything that is a valid file source can
       be used here.",
     },
-
     :pluginsync => {
       :default    => true,
       :type       => :boolean,
@@ -1791,14 +2041,21 @@ EOT
       }
     },
     :pluginsignore => {
-        :default  => ".svn CVS .git .hg *.pot",
+        :default  => ".svn CVS .git .hg",
         :desc     => "What files to ignore when pulling down plugins.",
+    },
+    :ignore_plugin_errors => {
+      :default    => true,
+      :type       => :boolean,
+      :desc       => "Whether the puppet run should ignore errors during pluginsync. If the setting
+        is false and there are errors during pluginsync, then the agent will abort the run and
+        submit a report containing information about the failed run."
     }
   )
 
   # Central fact information.
 
-    define_settings(
+    settings.define_settings(
     :main,
     :factpath => {
       :type     => :path,
@@ -1810,12 +2067,13 @@ EOT
       :call_hook => :on_initialize_and_write, # Call our hook with the default value, so we always get the value added to facter.
       :hook => proc do |value|
         paths = value.split(File::PATH_SEPARATOR)
-        Facter.search(*paths)
+        facter = Puppet.runtime[:facter]
+        facter.search(*paths)
       end
     }
   )
 
-  define_settings(
+  settings.define_settings(
     :transaction,
     :tags => {
       :default    => "",
@@ -1843,7 +2101,7 @@ EOT
     }
   )
 
-    define_settings(
+    settings.define_settings(
     :main,
     :external_nodes => {
         :default  => "none",
@@ -1864,11 +2122,11 @@ EOT
 
           Generally, an ENC script makes requests to an external data source.
 
-          For more info, see [the ENC documentation](https://docs.puppet.com/puppet/latest/nodes_external.html).",
+          For more info, see [the ENC documentation](https://puppet.com/docs/puppet/latest/nodes_external.html).",
     }
     )
 
-        define_settings(
+        settings.define_settings(
         :ldap,
     :ldapssl => {
       :default  => false,
@@ -1886,11 +2144,11 @@ EOT
     },
     :ldapserver => {
       :default  => "ldap",
-      :desc     => "The LDAP server.  Only used if `node_terminus` is set to `ldap`.",
+      :desc     => "The LDAP server.",
     },
     :ldapport => {
       :default  => 389,
-      :desc     => "The LDAP port.  Only used if `node_terminus` is set to `ldap`.",
+      :desc     => "The LDAP port.",
     },
 
     :ldapstring => {
@@ -1937,7 +2195,7 @@ EOT
     }
   )
 
-  define_settings(:master,
+  settings.define_settings(:server,
     :storeconfigs => {
       :default  => false,
       :type     => :boolean,
@@ -1951,13 +2209,11 @@ EOT
       # Call our hook with the default value, so we always get the libdir set.
       :call_hook => :on_initialize_and_write,
       :hook => proc do |value|
-        require 'puppet/node'
-        require 'puppet/node/facts'
         if value
-          Puppet::Resource::Catalog.indirection.cache_class = :store_configs
-          Puppet.settings.override_default(:catalog_cache_terminus, :store_configs)
-          Puppet::Node::Facts.indirection.cache_class = :store_configs
-          Puppet::Resource.indirection.terminus_class = :store_configs
+          Puppet::Resource::Catalog.indirection.set_global_setting(:cache_class, :store_configs)
+          settings.override_default(:catalog_cache_terminus, :store_configs)
+          Puppet::Node::Facts.indirection.set_global_setting(:cache_class, :store_configs)
+          Puppet::Resource.indirection.set_global_setting(:terminus_class, :store_configs)
         end
       end
     },
@@ -1970,7 +2226,7 @@ EOT
     }
   )
 
-  define_settings(:parser,
+  settings.define_settings(:parser,
    :max_errors => {
      :default => 10,
      :desc => <<-'EOT'
@@ -2002,9 +2258,33 @@ EOT
       Causes an evaluation error when referencing unknown variables. (This does not affect
       referencing variables that are explicitly set to undef).
     EOT
+    },
+   :func3x_check => {
+     :default => true,
+     :type => :boolean,
+     :desc => <<-'EOT',
+       Causes validation of loaded legacy Ruby functions (3x API) to raise errors about illegal constructs that
+       could cause harm or that simply does not work. This flag is on by default. This flag is made available
+       so that the validation can be turned off in case the method of validation is faulty - if encountered, please
+       file a bug report.
+     EOT
+     :call_hook => :on_initialize_and_write,
+     :hook => proc do |value|
+       unless value
+         Puppet.deprecation_warning(_("The 'func3x_check' setting is deprecated and will be removed in a future release."))
+       end
+     end
+     },
+  :tasks => {
+    :default => false,
+    :type => :boolean,
+    :desc => <<-'EOT'
+      Turns on experimental support for tasks and plans in the puppet language. This is for internal API use only.
+      Do not change this setting.
+    EOT
     }
   )
-  define_settings(:puppetdoc,
+  settings.define_settings(:puppetdoc,
     :document_all => {
         :default  => false,
         :type     => :boolean,
@@ -2013,10 +2293,10 @@ EOT
     }
   )
 
-  define_settings(
+  settings.define_settings(
     :main,
     :rich_data => {
-      :default  => false,
+      :default  => true,
       :type     => :boolean,
       :hook    => proc do |value|
         envs = Puppet.lookup(:environments) { nil }
@@ -2024,11 +2304,11 @@ EOT
       end,
       :desc     => <<-'EOT'
         Enables having extended data in the catalog by storing them as a hash with the special key
-        `__pcore_type__`. When enabled, resource containing values of the data types `Binary`, `Regexp`,
+        `__ptype`. When enabled, resource containing values of the data types `Binary`, `Regexp`,
         `SemVer`, `SemVerRange`, `Timespan` and `Timestamp`, as well as instances of types derived
         from `Object` retain their data type.
       EOT
     }
   )
-
+  end
 end