Cannot get Template Smart Proxy to work

Support
1

Problem:

Our Foreman/Puppet server is a single host connected to two different networks: NetworkA and NetworkB. I’ve been provisioning hosts over NetworkA for a year. Now we need to be able to provision hosts from NetworkB.

The Foreman server is named foreman.example.org on the NetworkA interface. It’s called foreman-internal.example.org on the NetworkB interface.

It sounds like we want to use the Template Smart Proxy for this. So, I enabled this via the foreman-installer. Here is the config. I’m not sure if port 8000 is right, I simply used what’s in the example.

# cat /etc/foreman-proxy/settings.d/templates.yml
:enabled: http
:template_url: http://foreman-internal.example.org:8000/

What do I do now? How can I configure the Subnet NetworkB to use http://foreman-internal.example.org:8000/ ?

Should I be using port 8000 at all? Looks like it’s already in use by the default Foreman Proxy?

Expected outcome:

Foreman and Proxy versions:

1.24.3

Foreman and Proxy plugin versions:

Distribution and version:

Ubuntu 18.04.5

Other relevant data:

2

Some more information.

Here’s the config for my default foreman-proxy:

# cat /etc/foreman-proxy/settings.yml

---
:settings_directory: /etc/foreman-proxy/settings.d

:ssl_ca_file: /etc/puppetlabs/puppet/ssl/certs/ca.pem
:ssl_certificate: /etc/puppetlabs/puppet/ssl/certs/foreman.example.org.pem
:ssl_private_key: /etc/puppetlabs/puppet/ssl/private_keys/foreman.example.org.pem

:trusted_hosts:
  - foreman.example.org
  - foreman-internal.example.org

:foreman_url: https://foreman.example.org

:daemon: true

:bind_host: '*'
:https_port: 8443
:http_port: 8000
:log_file: /var/log/foreman-proxy/proxy.log
:log_level: DEBUG

What do I do now? How can I configure the Subnet NetworkB to use http://foreman-internal.example.org:8000/ ?

The hosts on that network need to be told to use http://foreman-internal.example.org:8000/ instead of the default URL.

3

Here it comes - this is called multi-homing and I always say - if you can avoid it, avoid it.

Correct me if I am wrong @ekohl but our installer assumes just a single name. While it’s technically possible to have a host with 10 NICs connected to 10 networks with 10 IP addresses, we simply can’t support all those scenarios.

You can’t. Foreman has a federate design. There should be one Foreman with one DNS name and IP address and one or many smart-proxies that does the dirty job of relying all the communication from nodes and to backend services.

Everytime I hear “I have two subnets” I automatically respond “then deploy two smart proxies”. If you can change your infra, then do it.

Otherwise you are on your own. You’d probably need to regenerate X509 and add an alias there, create some kind of HTTPs proxy or other hack I don’t even know about, I haven’t tried this and you should really avoid it.