Puppet 6 support?


#1

Hi,

Probably a bit early to ask but… has anyone tried Puppet 6 with Foreman (1.19)?
Does anyone know if that’s expected to work, or to break?

Regards


#2

Puppet 6 changes the CA handling so that’ll break. There is one open PR for the proxy:

I haven’t had a look at our theforeman-puppet module in the installer. I expect it to need some changes but the other puppet modules probably don’t need changes.


#3

We will need Puppet 6 support for Foreman as soon as possible. There are some pretty bad CVEs that affect Puppet’s Jetty server and according to Puppet, the only current fix is to upgrade to Puppet 6… boooo


#4

To be honest I was caught off guard with how fast Puppet 6 was suddenly there. There are 2 ways forward now: a quick & dirty fix that modifies the command line implementation vs using the CA REST API. The latter would be a much more forward compatible implementation and much less invasive on the proxy server (because you don’t need sudo). It also allows splitting the proxy from the puppet services.

Since 1.19 the Puppet CA module has been pluggable so we can write a standalone implementation and switch at install time through configuration. That means we could choose either implementation (or both).


#5

Yesterday we had a hack day and @TimoGoebel wrote a provider for the smart proxy that uses the HTTP CA API that’s present since Puppet 4. It does lack some fields (serial, not_before and not_after) which means you will miss them in the overview but otherwise it looks very good:

This will need a patch for puppet-foreman_proxy to support the new config options.

Speaking of modules; I started with changing our testing template:

There are 2 open PRs using this functionality:


Once those pass and I know what to expect, I’ll open more PRs for the other modules. When those are up, it’s time to do some end to end testing but I’m confident we can finish it soon.


#6

Since Timo’s Puppet 6 change was merged, does it mean that Foreman 1.21 will support Puppet 6 completely?


#7

It’s not merged yet, but I still fully intend to get all support in. Perhaps we’ll merge it and mark it as experimental.


#8

We are planning to install a new Foreman server (our old one is still version 1.12.4) together with a big rollout of puppetserver 6.
In which timeframe can we expect Foreman support for this (experimental or not)?
Thanks for your great support.


#9

This thread does indeed deserve an update. During cfgmgmtcamp I tried to get closer.

I poked the Puppet team to do a puppetlabs-xinetd release. We also switched puppet-pulp to use the Voxpupuli squid module which is maintained and supports Puppet 6.

We need a release of camptocamp/systemd. metadata.json in git does list the right supported version so it shouldn’t be hard.

Now that I’m back from cfgmgmtcamp I plan on doing tests with nightly installations to see if there are other installer issues.

There is https://tickets.puppetlabs.com/browse/SERVER-2370 to add missing fields to the REST API. @afisher found someone to implement this. There is a WIP PR open which will make sure we have full feature parity with Puppet 6. Without it we can still do the provisioning operations but we can’t show the expiration dates of certs in the UI.

The smart-proxy support can be merged even without that. When testing the installer I should be able to test this as well.

Once that’s done, we should be able to officially support Puppet 6. My aim is Foreman 1.22.