Thanks so this looks like a regression in RHEL/CentOS.
The thing is - in Foreman we use the official grub2 binary which comes from the grub2-efi package. It is meant for local booting and not network booting. So why we use it? It is simple - it is the only version which is signed by Red Hat (or CentOS/Fedora/any clone) therefore it works seamlessly with SecureBoot.
We could start building our grub via grub2-mknetdir which has options to configure where grub should load configuration files from, but then the bootloader will not be signed and SecureBoot will not be possible.
Therefore I suggest that we workaround the problem in the installer:
I emailed Red Hat grub2 maintainers about this to get more info on what happened, to me it looks like a security patch. Let’s see what they say, we will solve this.
WORKAROUND: The symlink as you figured out.
Thanks for the report and insights, this was REALLY hepful!