I would advise against running in the same container. Since Puppet 6 we can actually use the REST API for all calls to the Puppetserver. I’ve been working on an example which deploys Puppetserver on a VM and a separate Foreman Proxy:
https://github.com/theforeman/forklift/pull/979
Note that you will need to do some work to get reports and autosigning to work.
Foreman :: Manual lists how to configure the proxy for the Puppet feature.
Foreman :: Manual hasn’t been updated for Puppet 6 but puppetca_http_api.yml is very much the same.
I’d be interested to see what you come up with because properly supporting a remote Puppetserver is very much on my medium term agenda. I’m working on a draft RFC. puppet.md · GitHub is still incomplete and rough, but it goes over the various integration points.