Multiple hostnames for a Puppet Master/CA Smart Proxy serving nodes on a private network

I’d like to set up a Smart Proxy with Puppet Master and Puppet CA features to serve nodes on a private network. The Smart Proxy would have a connection on an external network with a public DNS name; this is how Foreman would contact the Smart Proxy. The Smart Proxy would also have a connection on the private network with a different, private DNS name; this is how the nodes would connect to it for Puppet services.

I’ve read enough other posts that I am fairly certain this is possible but I’m unsure how to actually implement it. In particular, what are the parameters I need to pass to foreman-installer to get it configured with this dual-hostname setup? I.e., to which installer parameters do I feed the public hostname and to which installer parameters do I feed the private hostname? Here are the parameters that I think might come into play along with assumed values; some may not be necessary and I might be missing others:
--foreman-proxy-foreman-base-url=https://<the foreman master hostname>
--foreman-proxy-puppet-url=https://???
--foreman-proxy-registered-name=<public (short?) hostname of the proxy>
--foreman-proxy-registered-proxy-url=https://<public hostname of the proxy>
--foreman-proxy-trusted-hosts=https://<the foreman master hostname>
--puppet-server-ca-proxy=https://<the private hostname of the proxy, although maybe this is not needed>
--puppet-server-certname=https://<the private hostname of the proxy>
--puppet-server-foreman-url=https://<the foreman master hostname>

Again, the idea is to have the Foreman Master contact the Smart Proxy using the public hostname but have the clients contact the Smart Proxy as a Puppet Master/Puppet CA using its private hostname. A related concern is making sure that when I use Foreman to provision a node (e.g., using kickstart) that its Puppet Master/Puppet CA URLs will be set correctly to the private hostname of the Smart Proxy.

Any guidance on this would be most welcome.

Thanks,

Jake

P.S. I believe that another part of configuring this successfully would be creating an SSL certificate with multiple hostnames for the Smart Proxy to use for Puppet as well as communication with the Foreman Master.

It's kind of dependent on what the hostname is… The following should work:

Set the hostname to what the foreman server sees it as, e.g. (your 'public'
hostname)

--foreman-proxy-foreman-base-url=https://<the foreman master hostname>
--foreman-proxy-trusted-hosts=https://<the foreman master hostname>
--puppet-server-foreman-url=https://<the foreman master hostname>
--puppet-dns-alt-names=<private hostname>

--foreman-proxy-registered-name & --puppet-server-certname are just names,
they don't actually do anything.
--foreman-proxy-registered-proxy-url will default to ::fqdn

On Thu, Oct 19, 2017 at 9:10 PM, Rundall, Jacob D wrote:

I’d like to set up a Smart Proxy with Puppet Master and Puppet CA features
to serve nodes on a private network. The Smart Proxy would have a
connection on an external network with a public DNS name; this is how
Foreman would contact the Smart Proxy. The Smart Proxy would also have a
connection on the private network with a different, private DNS name; this
is how the nodes would connect to it for Puppet services.

I’ve read enough other posts that I am fairly certain this is possible but
I’m unsure how to actually implement it. In particular, what are the
parameters I need to pass to foreman-installer to get it configured with
this dual-hostname setup? I.e., to which installer parameters do I feed the
public hostname and to which installer parameters do I feed the private
hostname? Here are the parameters that I think might come into play along
with assumed values; some may not be necessary and I might be missing
others:

--foreman-proxy-foreman-base-url=https://

--foreman-proxy-puppet-url=https://???

--foreman-proxy-registered-name=<public (short?) hostname of the proxy>

--foreman-proxy-registered-proxy-url=https://<public hostname of the

--foreman-proxy-trusted-hosts=https://

--puppet-server-ca-proxy=https://<the private hostname of the proxy,
although maybe this is not needed>

--puppet-server-certname=https://

--puppet-server-foreman-url=https://

Again, the idea is to have the Foreman Master contact the Smart Proxy
using the public hostname but have the clients contact the Smart Proxy as a
Puppet Master/Puppet CA using its private hostname. A related concern is
making sure that when I use Foreman to provision a node (e.g., using
kickstart) that its Puppet Master/Puppet CA URLs will be set correctly to
the private hostname of the Smart Proxy.

Any guidance on this would be most welcome.

Thanks,

Jake

P.S. I believe that another part of configuring this successfully would be
creating an SSL certificate with multiple hostnames for the Smart Proxy to
use for Puppet as well as communication with the Foreman Master.


You received this message because you are subscribed to the Google Groups
"Foreman users" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to foreman-users+unsubscribe@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at https://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.
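
The reply above relies on --puppet-dns-alt-names putting the private hostname into the Puppet server certificate, so that agents connecting by that name accept it. The following is an added example, not part of the thread, that checks a certificate's subjectAltName list with openssl; the function names, the example.com hostnames and the throwaway certificate are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example: confirm a server certificate covers every hostname clients will use.
# On the Smart Proxy, pass the path printed by `puppet config print hostcert`.

# Print the DNS subjectAltName entries of a PEM certificate, one per line.
cert_sans() {
  openssl x509 -in "$1" -noout -text 2>/dev/null |
    grep -A1 'X509v3 Subject Alternative Name' | tail -n 1 |
    tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# Print each requested hostname that is absent from the SAN list.
# Returns 0 when all are present, 1 otherwise. Exact match only (no wildcards).
missing_sans() {
  local cert="$1" sans host rc=0
  shift
  sans=$(cert_sans "$cert")
  for host in "$@"; do
    if ! printf '%s\n' "$sans" | grep -qixF -- "$host"; then
      printf '%s\n' "$host"
      rc=1
    fi
  done
  return "$rc"
}

# Constructed fixture: throwaway self-signed cert with the given CN and SANs.
# Needs OpenSSL 1.1.1 or later for -addext.
make_sample_cert() {  # OUT_PEM CN SAN [SAN...]
  local out="$1" cn="$2" san="" h
  shift 2
  for h in "$@"; do san="${san:+$san,}DNS:$h"; done
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$cn" \
    -addext "subjectAltName=$san" -keyout /dev/null -out "$out" 2>/dev/null
}

# Demo: a cert issued for the public name only fails the private-name check.
demo=$(mktemp -d)
make_sample_cert "$demo/proxy.pem" proxy.public.example.com proxy.public.example.com
missing_sans "$demo/proxy.pem" proxy.public.example.com proxy.private.example.com \
  || echo "^ not in the certificate; agents using that name would reject it"
rm -rf "$demo"
```
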

Hi Jake,

Have you actually tried the suggestion from Sean?

I have a similar situation.

My Foreman AIO server connects to two networks, office & private. I would like to use the office network to connect to the Foreman WebUI and the private one for foreman-proxy (ISC DHCP, Internal DNS, TFTP).

The question would be, at which stage is it best to configure this: during installation, or post-install by generating a new cert for the internal foreman-proxy?

NOTE: I am new to Foreman and this group, so upfront apologies if I am breaking rules of conduct anywhere.


On Friday, October 20, 2017 at 2:05:52 PM UTC+2, Sean O'Keeffe wrote:

It's kind of dependent on what the hostname is.. The following should work:

Set the hostname to what the foreman server sees it as, e.g. (your 'public'
hostname)

--foreman-proxy-foreman-base-url=https://<the foreman master hostname>
--foreman-proxy-trusted-hosts=https://<the foreman master hostname>
--puppet-server-foreman-url=https://<the foreman master hostname>
--puppet-dns-alt-names=<private hostname>

--foreman-proxy-registered-name & --puppet-server-certname are just names,
they don't actually do anything.
--foreman-proxy-registered-proxy-url will default to ::fqdn
