Puppet, Ansible, requirements and decoupling

Sorry for the ignorant questions. When discussing deployment options with another Satellite6 using team leader yesterday, they claimed that they had decided not to use Puppet “because it installs thousands of files on clients”. (They are the first to use S6 in their team, which is otherwise still using Satellite 5. I won’t be addressing the claim that Puppet installs 000s of files, but I presume it’s incorrect.)

The other reason was that in-house, they had decided that Ansible was the way to go for that purpose.

I am also partial to Ansible and will most likely use it as well.

But to the best of my knowledge, Puppet is required for at least certificate signing.

What is the purpose of “signing puppet certificates” - and is it replaceable by an Ansible equivalent?

Does Katello use Puppet to report back to the server? Is that a correct understanding?

That sounds incorrect, though it depends on how you use it. If you heavily use it, pluginsync can sync a lot of files. In practice I’ve never noticed any negative impact by the number of files.

Foreman optionally integrates with configuration management and you’re free to choose what suits your needs. Whether that’s none, Puppet, Ansible or both (upstream there are also plugins for Salt and Chef).

In my experience the main difference between Puppet and Ansible is how you perceive the world. In Puppet you declare how it should look and the relations. In Ansible you tell the tool what to do. Declarative vs imperative. The question is how the majority of your team thinks and translates their thoughts into code. Some can express themselves better in one than the other. That leads to a very different implementation. Finding the right tool that fits your team best to be productive is the challenge. Again, this might be a combination of more than one. I’d just urge you not to do it all manually :)

In vanilla Foreman (without Katello) our installer defaults to using Puppet’s certificates. Mostly because we’ve always done it that way and it’s easy. However, all paths are exposed as parameters and you’re free to replace that. This is currently not really documented so requires some knowledge. In the Katello (and its proxy) scenarios the CA stack is different and Puppet’s CA certs are only used for Puppet clients.

The Puppet certificates are primarily used by Puppet to communicate securely. If you’re not using Puppet, there’s little benefit and you don’t have to use it.

No. Those are separate systems. Katello does have content management with subscription-manager integration. That hits a lot of the same APIs on Foreman (facts, reports) but those are implementation details.

Perfect response - thank you.