Hola guys, I have played with foreman previously, just a dev setup for testing. At that time I was not running puppet in my environment.
Now I am running puppet (5.5) to manage approx. 30 nodes/hosts and I want to get foreman setup and used for viewing node classes and other cool stuff.
There are 2 scenarios, on the install guide, for foreman with external puppet master: #1. “Setting up Foreman with external Puppet masters” #2. “Standalone Puppet master”
I’m ass(uming) I want #2 “Standalone Puppet master”? Is that right?
I don’t follow how I can know these values:
--foreman-proxy-oauth-consumer-key=
--foreman-proxy-oauth-consumer-secret=
if I don’t have Foreman already installed?
Or do I have it wrong and I do #1 on my Foreman host?
And run #2 on my existing puppet master?
In which case I need to proceed with both #1 and #2?
Interesting, after a long night I have reporting and facts working from my external Puppet Master being sent back to Foreman - who for now is the Puppet CA.
I just need to work out how to force the agents to use Foreman as the CA.
Are there any major pros/cons with Foreman being CA or external Puppet Master being CA?
When using Foreman to provision it will automatically use the CA you assign to the host via Puppet CA setting which points to a Smart Proxy with the feature.
For existing ones you can simply adjust the puppet.conf, which has separate settings for server (the Puppet Master) and ca_server (the Puppet CA).
No pros or cons, just make sure to use only one for all certificates. So either keep using the old CA or renew the certificates on the old clients.
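The advice above (separate server and ca_server settings in puppet.conf, and one CA for the whole fleet) as an added worked example, not code from the thread or from the Foreman project. It assumes Puppet's usual precedence, where the [agent] section overrides [main] and ca_server falls back to server when unset; the sample configurations and hostnames are constructed.

```python
import configparser
import io
from typing import Dict, Optional

# Constructed sample puppet.conf contents for three agents (hypothetical hosts).
# agent-a: only "server" set, so its CA silently defaults to the same host.
# agent-b: server is the external Puppet master, ca_server is Foreman.
# agent-c: the [agent] section overrides the ca_server given in [main].
SAMPLE_CONFS = {
    "agent-a": "[main]\nserver = puppet.example.com\n",
    "agent-b": "[main]\nserver = puppet.example.com\nca_server = foreman.example.com\n",
    "agent-c": ("[main]\nserver = puppet.example.com\nca_server = puppet.example.com\n"
                "[agent]\nca_server = foreman.example.com\n"),
}


def resolve_setting(conf_text: str, name: str) -> Optional[str]:
    """Effective value of a setting for an agent run: [agent] wins over [main]."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    for section in ("agent", "main"):
        if parser.has_option(section, name):
            return parser.get(section, name).strip()
    return None


def effective_ca_server(conf_text: str) -> Optional[str]:
    """ca_server falls back to server, which is why an agent keeps using the old
    master as its CA unless ca_server is set explicitly."""
    return resolve_setting(conf_text, "ca_server") or resolve_setting(conf_text, "server")


def audit_ca_servers(confs: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Map each host to the CA it will actually talk to."""
    return {host: effective_ca_server(text) for host, text in confs.items()}


def single_ca(confs: Dict[str, str]) -> bool:
    """True when every agent resolves to the same CA (the 'use only one' rule)."""
    return len(set(audit_ca_servers(confs).values())) == 1


def repoint_ca(conf_text: str, new_ca: str) -> str:
    """Return puppet.conf text with ca_server set in [agent] to the chosen CA."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    if not parser.has_section("agent"):
        parser.add_section("agent")
    parser.set("agent", "ca_server", new_ca)
    out = io.StringIO()
    parser.write(out)
    return out.getvalue()
```

Running the audit over the samples flags agent-a as still pointing at the Puppet master for certificates; a host whose CA is changed this way still needs its certificate reissued by the new CA, as the thread notes.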
Yes, facts upload is done by the ENC script and reports are done by a report handler. Both get installed on the puppet master when using the installer like the scenario “Standalone Puppet master”, but could also be done manually.
If running the installer on an already existing system, you could do trial runs with the parameters you want, adding --verbose --noop --dont-save-answers so you see what would be changed, and adjust the parameters as needed.
I checked the nodes.pp on my puppet master after I added some classes via the Foreman ENC. It works, the agents get the classes assigned, but it’s not written to nodes.pp. How does it work, really briefly?
I can even remove the node from nodes.pp and Foreman still assigns the classes, which is cool - just wonder how that works.
For some reference, I did play around with fully running it external. Currently I wouldn’t recommend splitting the Foreman Proxy away from the Puppetmaster, but it can give you a good idea of how the different components play together:
Foreman :: Manual is a bit outdated and in Foreman :: Manual I rewrote it to just talk about puppetserver. Generally it all applies on 1.23 without change.
Do you mean Puppet Master on a host, proxy on another host, and Foreman on another?
I’m happy for the Puppet Master and Proxy to be on the same host. I am just trying to decide which of the two is best to be the CA. Sounds like not much difference?
Foreman doesn’t care. For serious deployments I’d recommend only running Puppetservers on hosts (with a Foreman Proxy). That way you can maintain/scale those servers independent from your main Foreman instance. It’s ok if Foreman is a Puppet client to a Puppetserver on some Foreman Proxy, even if it’s just for certificates.
Got it, thanks. Currently I have about 30 hosts, so if I continue with Foreman as the CA then I have to re-cert them all, which I would do if there was a benefit to it.
But it sounds like running Foreman on its own host, and Puppet Master + CA + proxy on another, is fine, and it will save me re-certing all my current hosts.