Guidance Scenario Existing External Puppet Master

Hola guys, I have played with foreman previously, just a dev setup for testing. At that time I was not running puppet in my environment.

Now I am running puppet (5.5) to manage approx. 30 nodes/hosts and I want to get foreman setup and used for viewing node classes and other cool stuff.

There are 2 scenarios in the install guide for Foreman with an external Puppet master:
#1. “Setting up Foreman with external Puppet masters”
#2. “Standalone Puppet master”

I’m ass(uming) I want #2 “Standalone Puppet master”? Is that right?

I don’t follow how I can know these values:

  • --foreman-proxy-oauth-consumer-key=
  • --foreman-proxy-oauth-consumer-secret=

if I don’t have Foreman already installed?

Or do I have it wrong, and I do #1 on my Foreman host and run #2 on my existing Puppet master?

In which case I need to proceed with both #1 and #2?

Appreciate the guidance, thank you!

The other concept I’m battling with is having the external Puppet Master be the Puppet CA.

It is not as hard as it seems at first. My way to do this at customers with a similar scenario is the following.

  1. Install puppet agent on the system which will be your Foreman to get the certificates.
  2. Run foreman-installer on your Foreman like the scenario “Foreman server without the Puppet master”.
  3. Run foreman-installer on your Puppet-Master/CA like the scenario “Standalone Puppet master” (using the oauth settings from the Foreman WebUI).
  4. Optional: Use the Foreman plugin Default host group to get hosts already grouped when created during a puppet run.

Interesting, after a long night I have reporting and facts working from my external Puppet Master being sent back to Foreman, which for now is the Puppet CA.

I just need to work out how to force the agents to use Foreman as the CA.

Are there any major pros/cons with Foreman being CA or external Puppet Master being CA?

Appreciate your feedback, thank you!

When using Foreman to provision, it will automatically use the CA you assign to the host via the Puppet CA setting, which points to a Smart Proxy with that feature.

For existing ones you can simply adjust the puppet.conf, which has separate settings for server (the Puppet Master) and ca_server (the Puppet CA).

No pros or cons, just make sure to use only one for all certificates. So either keep using the old CA, or renew the certificates on the old clients.
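To check the “only one CA” rule across a fleet, here is an added example (not part of the thread or of Foreman) that resolves which CA each agent’s puppet.conf actually points at, taking into account that [agent] overrides [main] and that ca_server falls back to server when unset. The hostnames and puppet.conf contents are constructed.

```python
"""Resolve the effective Puppet master and CA from an agent's puppet.conf.

Puppet reads `server` and `ca_server` from puppet.conf; the [agent] section
overrides [main], and ca_server defaults to server when it is not set.
The sample configs below are constructed for this example.
"""
import configparser


def effective_endpoints(puppet_conf_text: str) -> dict:
    """Return the server and ca_server an agent would actually use."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(puppet_conf_text)

    def lookup(key: str):
        # [agent] wins over [main]; an absent key yields None
        for section in ("agent", "main"):
            if cp.has_option(section, key):
                return cp.get(section, key).strip()
        return None

    server = lookup("server") or "puppet"      # Puppet's built-in default
    ca_server = lookup("ca_server") or server  # defaults to the master
    return {"server": server, "ca_server": ca_server}


def ca_mismatches(agent_confs: dict, expected_ca: str) -> list:
    """List agents whose effective CA is not the single CA you chose to keep."""
    return sorted(
        host for host, text in agent_confs.items()
        if effective_endpoints(text)["ca_server"] != expected_ca
    )


# Constructed puppet.conf contents for three agents (hostnames are made up).
SAMPLE_CONFS = {
    "web01": "[main]\nserver = puppet.example.com\n",
    "db01": "[main]\nserver = puppet.example.com\nca_server = foreman.example.com\n",
    "app01": "[main]\nserver = puppet.example.com\n[agent]\nca_server = puppet.example.com\n",
}

if __name__ == "__main__":
    for host, conf in SAMPLE_CONFS.items():
        print(host, effective_endpoints(conf))
    # db01 still asks the Foreman host for certificates: that is the drift to fix
    print("CA drift:", ca_mismatches(SAMPLE_CONFS, "puppet.example.com"))
```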

I might consider what you said above and re-do the installs, leave my Puppet Master as the CA, and install Foreman without a Puppet master.

Doing it this way, you say there are no pros/cons.

In Foreman, this way, do you still receive facts and reports OK?
Also you can still do ENC from Foreman?

thanks so much.

Yes, fact upload is done by the ENC script and reports are done by a report handler. Both get installed on the Puppet master when using the installer like the scenario “Standalone Puppet master”, but this could also be done manually.

If running the installer on an already existing system, you could do trial runs with the parameters you want, adding --verbose --noop --dont-save-answers, so you see what would be changed and can adjust parameters as needed.

Awesome, nice one.

I checked the nodes.pp on my Puppet master after I added some classes via Foreman ENC. It works, the agents get the classes assigned, but it’s not written to nodes.pp. How does it work, really briefly? :face_with_raised_eyebrow:

I can even remove the node from nodes.pp and Foreman still assigns the classes, which is cool. I just wonder how that works.

For some reference, I did play around with fully running it external. Currently I wouldn’t recommend splitting the Foreman Proxy away from the Puppetmaster, but it can give you a good idea of how the different components play together:

Foreman :: Manual is a bit outdated, and in Foreman :: Manual I rewrote it to just talk about puppetserver. Generally it all applies on 1.23 without change.

Foreman :: Manual describes how it works. It links to https://puppet.com/docs/puppet/latest/nodes_external.html since the ENC is just a Puppet concept we’re implementing.
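To make the ENC mechanism concrete, here is an added example (not Foreman’s own node.rb, and not from the thread) of a classifier in the shape Puppet expects: it is run with the agent’s certname as its only argument and answers with YAML on stdout, so nothing is ever written to nodes.pp. The inventory is a constructed stand-in for what Foreman would normally return over its API.

```python
"""Minimal external node classifier (ENC) in the shape Puppet expects.

Puppet runs the configured ENC with the certname as the only argument and
reads YAML from stdout with `classes`, `parameters` and optionally
`environment`; a non-zero exit tells Puppet the classification failed.
This is an illustration of the mechanism, not Foreman's node.rb; the
inventory below is constructed.
"""
import sys
from typing import Optional

# Constructed stand-in for what Foreman holds per host (normally fetched
# from the Foreman API). nodes.pp plays no part in this lookup.
INVENTORY = {
    "web01.example.com": {
        "environment": "production",
        "classes": {"apache": {"port": 8080}, "ntp": None},
        "parameters": {"role": "web"},
    },
}


def classify(certname: str, inventory: dict = INVENTORY) -> Optional[dict]:
    """Return the classification for a node, or None if it is unknown."""
    node = inventory.get(certname)
    if node is None:
        return None
    return {
        "environment": node.get("environment", "production"),
        "classes": node.get("classes", {}),
        "parameters": node.get("parameters", {}),
    }


def to_yaml(doc: dict) -> str:
    """Render the flat ENC structure as YAML without an external library."""
    lines = ["---", f"environment: {doc['environment']}"]
    lines.append("classes:" if doc["classes"] else "classes: {}")
    for cls, params in doc["classes"].items():
        lines.append(f"  {cls}:")  # a class with no params stays a bare key
        lines.extend(f"    {k}: {v}" for k, v in (params or {}).items())
    lines.append("parameters:" if doc["parameters"] else "parameters: {}")
    lines.extend(f"  {k}: {v}" for k, v in doc["parameters"].items())
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    result = classify(sys.argv[1]) if len(sys.argv) > 1 else None
    if result is None:
        sys.exit(1)  # unknown node: signal failure rather than emit an empty catalog
    sys.stdout.write(to_yaml(result))
```

Pointing puppetserver at a script like this via node_terminus = exec and external_nodes in puppet.conf is what makes the classes appear on the agent even after the node is removed from nodes.pp.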

Do you mean Puppet Master on a host, proxy on another host, and Foreman on another?

I’m happy for the Puppet Master and Proxy to be on same host. I am just trying to decide which of the two is best to be the CA? Sounds like not much difference?

Thanks again!

Terrific, thank you, that’s what I was after in regards to the ENC. :+1:

Foreman doesn’t care. For serious deployments I’d recommend only running Puppetservers on hosts (with a Foreman Proxy). That way you can maintain/scale those servers independent from your main Foreman instance. It’s ok if Foreman is a Puppet client to a Puppetserver on some Foreman Proxy, even if it’s just for certificates.

Got it, thanks. Currently I have about 30 hosts, so if I continue with Foreman as the CA then I have to re-cert them all, which I would do if there was a benefit to it.

But it sounds like running Foreman on its own host, and Puppet Master + CA + proxy on another, is fine, and it will save me re-certing all my current hosts.

Is that somewhat rational?

This would be my recommended approach.


Nice one, thanks a million.