Add an alternate host registration FQDN via Smart Proxy?

Problem:

I have new hosts in a new AWS account/region that will be complicated to peer to the VPC that has my Foreman server. I’m looking to register hosts so that YUM content is configured on each host. No management actions from Foreman. My thought is to run a Smart Proxy fronted by an ALB and use a publicly resolved hostname. I’d apply security groups to the ALB for all my known NAT gateway IPs.

Expected outcome:

The Smart Proxy setup would give me a new katello-ca-consumer-x package I could bake into an AMI. Those hosts would register using a public DNS/endpoint. No VPC peering needed.

Is that the sane way to do it? Are all the functions of YUM content delivery to a host done through the SP FQDN? Like repo files have the SP URL?

Foreman and Proxy versions:

meh. 3.1. This is all still CentOS 7. Again, short-term solution pending much bigger upgrades.

Here is the documentation about load balancing for Foreman 3.1: Configuring Smart Proxies with a Load Balancer

In more modern versions I think it’s a bit better handled, but I’ll leave it to folks with more experience to give you more details here.


Thanks for the reply. I had read through docs but realize maybe not for the exact 3.1 version.

One concern is that in registering clients the katello-ca-consumer rpm method is deprecated. That’s basically how I do it now. I get the katello-ca-consumer and put it on a simple internal utility yum repo that’s baked into the AMI. I was hoping that the new RPM fetched from the new load balanced SP would have the proper hostnames and certs configured within. Is that not the case?

It may or may not be the case for 3.1. I think it’s addressed in more modern versions with global registration (which is the replacement for the consumer rpm) and the new registration_url installer option.


To follow up for those finding this later…

Including cnames with foreman-proxy-certs-generate with --foreman-proxy-cname or foreman-installer with a --certs-cname:

  • DOES add the name as a SAN to the cert.
  • DOES NOT affect the hostname that is built into the katello-ca-consumer-latest.noarch.rpm. Those get the true hostname.

To get things working through an NLB to a Smart Proxy, one would have to alter the subscription-manager registration like:

subscription-manager config \
  --rhsm.baseurl=http://sp.example.net/pulp/content/ \
  --server.hostname=sp.example.net

Or fix up the /pub scripts that set the value.

Side note: If your YUM or subscription-manager performance is oddly really slow or delayed, make sure you have cross-zone load balancing turned on for that single Smart Proxy host. :grimacing:
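As an added example (my own, not from this thread or from Foreman/Katello), here is a small Python helper that does the same retargeting on a copy of /etc/rhsm/rhsm.conf, so an AMI build or an audit can confirm that server.hostname and rhsm.baseurl both point at the load-balanced Smart Proxy name rather than the proxy's true hostname. The sample config, hostnames and function names are constructed for illustration.

```python
"""Retarget a katello-ca-consumer-provisioned rhsm.conf at a load-balanced
Smart Proxy name. Hypothetical helper, not part of Foreman/Katello; on a live
host `subscription-manager config` makes the same change in place."""
import configparser
import io
from urllib.parse import urlsplit, urlunsplit

# Constructed sample of what the consumer rpm leaves behind (values made up).
SAMPLE_RHSM_CONF = """\
[server]
hostname = proxy01.internal.example.net
port = 443
prefix = /rhsm

[rhsm]
baseurl = https://proxy01.internal.example.net/pulp/content/
repo_ca_cert = /etc/rhsm/ca/katello-server-ca.pem
"""


def endpoints(conf_text: str):
    """Return (server.hostname, host part of rhsm.baseurl)."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    return cp["server"]["hostname"], urlsplit(cp["rhsm"]["baseurl"]).hostname


def points_at(conf_text: str, lb_fqdn: str) -> bool:
    """True only when both registration and content URLs use lb_fqdn."""
    return endpoints(conf_text) == (lb_fqdn, lb_fqdn)


def retarget_rhsm_conf(conf_text: str, lb_fqdn: str) -> str:
    """Swap the host in server.hostname and rhsm.baseurl for lb_fqdn,
    keeping scheme, port, path and every other key (e.g. repo_ca_cert)."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    cp["server"]["hostname"] = lb_fqdn
    parts = urlsplit(cp["rhsm"]["baseurl"])
    netloc = lb_fqdn + (f":{parts.port}" if parts.port else "")
    cp["rhsm"]["baseurl"] = urlunsplit(parts._replace(netloc=netloc))
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()
```

The CA shipped by the consumer rpm is left untouched, which is why the cname must already be a SAN on the proxy certificate for the retargeted endpoints to validate.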