Problem:
I am looking for advice on how I may extend Foreman/Katello.
Currently, I am using Foreman/Katello in one network, and for the time being, I only manage Content Hosts, i.e. manage software packages, run updates, schedule reboots.
(not using configuration management, host provisioning etc.)
Now I would like to manage Content Hosts in another network in the same manner.
Foreman doesn’t have a direct network connection to these hosts, so either I would have to build a Smart Proxy, or pull from remote hosts (e.g. MQTT) rather than push (using SSH), or use an SSH bastion host for Foreman.
As the total host count is rather small, it doesn’t pay off to build a large solution. It would be better not to build a Smart Proxy at all, but if it’s impossible without a Smart Proxy, at least manage Content Hosts without having a copy of all the contents on the Smart Proxy (i.e. Products, Repositories, Content Views, etc.).
How could this be built, and is there documentation about it?
Remote execution’s pull-mqtt mode, while it’s true it doesn’t require an SSH connection, still requires an HTTPS connection between host and smart proxy.
I think a Smart Proxy with Content will solve your issue. It would just need to have a network connection both to the main Foreman server and to your hosts.
You don’t have to sync all your content between the main Foreman server and smart proxy. (In fact, this is not recommended.) You can instead choose to sync only a single lifecycle environment: Installing an External Smart Proxy Server 3.5
Sending data from many hosts to the Smart Proxy is much simpler - these are outbound connections trying to reach one IP.
As opposed to the other way around, which means inbound connections, where one IP is trying to reach many hosts behind a firewall.
Are you saying that HTTPS is required in addition to MQTT?
Do you know if MQTT can be routed through a reverse proxy or WAF, or does it have to connect directly to the Smart Proxy (in terms of layer 7)?
Both MQTT and HTTPS connections originate from the hosts reaching the proxy. Once the connection is established, data can flow both ways. So as long as the hosts can contact Foreman/Smart Proxy directly, you’re good to go with pull.
Eh, if you had a layer 7 proxy that would understand MQTT as a protocol then maybe yes? But as long as the hosts can reach Foreman (which I assume they can, otherwise they wouldn’t be able to get content) you shouldn’t need this.
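The replies above make one practical point: in pull-mqtt mode the managed host must be able to open outbound connections to the Smart Proxy on both HTTPS and MQTT, and nothing has to reach the host inbound. The following pre-flight script is an added example for checking exactly that from the remote network before registering hosts; it is not part of the thread and not Foreman project code. It assumes the documented default ports (443 for HTTPS, 1883 for MQTT) and the CA bundle path that Katello's consumer package installs (/etc/rhsm/ca/katello-server-ca.pem); the function names are the example's own. Adjust the ports and path if your proxy is configured differently.

```shell
#!/usr/bin/env bash
# Added example (not Foreman project code): pre-flight connectivity check for
# a host that will be managed with remote execution in pull-mqtt mode.
# The host opens *outbound* connections to the Smart Proxy for HTTPS and
# MQTT; no inbound access to the host is needed.
# Assumed defaults (verify against your own proxy configuration):
#   HTTPS on 443, MQTT on 1883, CA bundle /etc/rhsm/ca/katello-server-ca.pem

# check_tcp HOST PORT [TIMEOUT_SECONDS]
# Returns 0 if an outbound TCP connection can be established, non-zero otherwise.
# Uses bash's /dev/tcp redirection, so the host needs no nc/nmap installed.
check_tcp() {
  local host=$1 port=$2 tmo=${3:-5}
  if command -v timeout >/dev/null 2>&1; then
    timeout "$tmo" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
  else
    bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
  fi
}

# check_tls HOST PORT CA_FILE
# Returns 0 only if the proxy presents a certificate that verifies against
# CA_FILE, i.e. the host will trust it for the HTTPS API and content.
check_tls() {
  local host=$1 port=$2 cafile=$3
  openssl s_client -connect "$host:$port" -servername "$host" \
      -CAfile "$cafile" </dev/null 2>/dev/null \
    | grep -q 'Verify return code: 0 (ok)'
}

# preflight PROXY [HTTPS_PORT] [MQTT_PORT] [CA_FILE]
# Runs every check and returns 0 only if all required outbound paths work.
preflight() {
  local proxy=$1 https_port=${2:-443} mqtt_port=${3:-1883}
  local cafile=${4:-/etc/rhsm/ca/katello-server-ca.pem}   # assumed path
  local rc=0
  if check_tcp "$proxy" "$https_port"; then
    echo "ok    tcp $proxy:$https_port (HTTPS: proxy API and content)"
    if [ -r "$cafile" ] && check_tls "$proxy" "$https_port" "$cafile"; then
      echo "ok    tls $proxy:$https_port verifies against $cafile"
    else
      echo "FAIL  tls $proxy:$https_port does not verify against $cafile"
      rc=1
    fi
  else
    echo "FAIL  tcp $proxy:$https_port unreachable (outbound HTTPS blocked?)"
    rc=1
  fi
  if check_tcp "$proxy" "$mqtt_port"; then
    echo "ok    tcp $proxy:$mqtt_port (MQTT: pull-mqtt job notifications)"
  else
    echo "FAIL  tcp $proxy:$mqtt_port unreachable (outbound MQTT blocked?)"
    rc=1
  fi
  return $rc
}

# Run the checks only when invoked directly with a proxy hostname, e.g.:
#   ./preflight.sh proxy.example.com
if [ "$#" -ge 1 ]; then
  preflight "$@"
fi
```

Run it on a host in the remote network, not on the Foreman server: a passing result proves the outbound path the thread relies on, while a TLS failure with a reachable port usually means the host is missing the proxy's CA bundle or a middlebox is terminating TLS, which is exactly the reverse-proxy/WAF situation asked about above.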