Hello everybody,
After updating Foreman from 1.23 to 1.24.x, Foreman changed the way the variables puppetmaster and puppet_ca are determined (https://github.com/theforeman/foreman/commit/c2317d4430325be04df9ddfe65f47223b7733b8b).
With Puppet 5/6 the way to manage the Puppet certificates changed to HTTP. With Puppet 6 you also need the certificate extension “pp_cli_auth” to administer the Puppet CA (with the Foreman smart proxy).
For security reasons, certificates with this extension should only be created for a few servers - in my opinion only for the Puppet CA itself. As a consequence, the Foreman smart proxy for the Puppet CA should only be installed on the Puppet CA servers.
In my opinion, the combination of the new way of determining the variables puppetmaster and puppet_ca and Puppet 6 significantly reduces the possibilities and flexibility of how you can set up your Foreman/Puppet infrastructure.
Example / how we designed our Foreman / Puppet infrastructure
For our network infrastructure segments we use a central Foreman / Puppet cluster. This cluster is based on several dedicated servers for Foreman, the Puppet master and the Puppet CA. In front of these nodes there is a load balancer, which distributes the HTTPS requests to the backend nodes. In every network segment there are additional proxy servers, which forward and centralize the traffic via a virtual IP to the load balancer. Furthermore, we installed the Foreman smart proxy on these proxy servers, with the features puppet, puppetca, template, … activated.
Until Foreman 1.23 this gave us the opportunity to dynamically determine the address of the Puppet master and Puppet CA for the Puppet client through the variables puppetmaster and puppet_ca from Foreman. With Foreman 1.24 this isn’t possible any more.
Is it possible to add a feature switch in Foreman to support both variants of determining the variables puppetmaster and puppet_ca? Or do you have any suggestions for the layout of such an environment?
If you need further data, please let me know.
Kind regards
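The post argues that certificates carrying the pp_cli_auth extension should exist only for the Puppet CA host. The following shell script is an added example, not code from the post or from the Foreman/Puppet projects: it audits the signed certificates on a Puppet 6 server and reports which of them carry that extension, so an administrator can confirm the set matches the intended hosts. It assumes the Puppet 6 default signed-certificate directory, the openssl CLI, and the OID 1.3.6.1.4.1.34380.1.3.39, which is the value Puppet's documentation lists for pp_cli_auth (check it against the docs of the installed version).

```shell
#!/bin/sh
# Added example: audit which signed Puppet certificates carry the pp_cli_auth
# extension. SIGNED_DIR is the Puppet 6 default and is an assumption about the
# local layout; override it via the environment if the CA keeps certs elsewhere.
SIGNED_DIR="${SIGNED_DIR:-/etc/puppetlabs/puppetserver/ca/signed}"

# OID that Puppet's documentation lists for pp_cli_auth. Verify against the
# extension table of the installed Puppet version before relying on the result.
PP_CLI_AUTH_OID="1.3.6.1.4.1.34380.1.3.39"

# has_cli_auth TEXT
#   TEXT is the output of `openssl x509 -noout -text` for one certificate.
#   Returns 0 when the pp_cli_auth extension is present with value "true"
#   (openssl prints the unknown extension as its OID on one line and the
#   DER string value, "true", on the following line), 1 otherwise.
has_cli_auth() {
    printf '%s\n' "$1" | awk -v oid="$PP_CLI_AUTH_OID" '
        index($0, oid) { want = 1; next }      # OID line found, inspect next line
        want           { if ($0 ~ /true/) found = 1; want = 0 }
        END            { exit found ? 0 : 1 }'
}

# audit_signed_certs
#   Prints one line per certificate in SIGNED_DIR: "CLI-AUTH <certname>" for
#   certificates that can drive the CA via the puppetserver ca CLI / smart
#   proxy, "plain <certname>" for all others. Requires the openssl CLI.
audit_signed_certs() {
    for cert in "$SIGNED_DIR"/*.pem; do
        [ -f "$cert" ] || continue
        text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) || continue
        if has_cli_auth "$text"; then
            printf 'CLI-AUTH  %s\n' "$(basename "$cert" .pem)"
        else
            printf 'plain     %s\n' "$(basename "$cert" .pem)"
        fi
    done
}

# Usage on the CA host: source this file, then run `audit_signed_certs`.
# Every certname reported as CLI-AUTH should be a host that is meant to
# administer the CA (in the post's design: the Puppet CA servers only).
```

Running the audit on the CA host after certificate sign-ups is a cheap way to catch a stray pp_cli_auth certificate issued to a node that should only be a regular agent.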