Hi @rainer_d,
Thanks for the input!
Starting with Foreman 3.0, while the puppet plugin will be installed by default in the Foreman scenario, you will be able to remove it if you do not need it. (See The Road to Making Puppet Optional and Puppet in 3.0 release for more details).
You are correct that certificate handling is one of the issues that need to be resolved in order to allow a fully puppet-free installation. It is already possible to provide your own certificates as options to the installer, but the default Foreman scenario uses the puppet CA for those. There has been some work on enabling the installer to generate certificates without relying on Puppet CA (see RFC: Redesign Certificate Handling within Foreman Deployments for details) but I don’t expect a solution to be ready prior to Foreman 3.1.
We are now revisiting this thread since in the Katello scenario we don’t rely on Puppet CA (rather on Candlepin) for certificate generation, so we could default to not installing Puppet at all in this scenario and only install it for those who wish to use it.