Puppet in 3.0 release

We are getting close to the next stabilization period and as proposed in Foreman 3.0 without any objections, this release should include Puppet ENC only as plugin. Given time is short I’d like to formalize the plan we have now so any objections are raised as soon as possible.

First of all blockers to merge the extraction PR:

  • test plugin, automation and manually (kudos to everyone who helped here!)
  • scratch build without puppet
  • nightly build needs to pass on said scratch build

What will happen in 3.0 when we merge:

  • installer installs the Puppet plugin by default
  • installer has a scenario without puppet that will warn the user that they have to provide certificates manually
  • all data will be kept intact even if the user chooses not to install the plugin
  • there will be no way of getting the ENC that was previously served by /node/<hostname> without installing the plugin
  • there is a rake task that allows migrating data (puppetserver, puppetca_server) from host(group) fields to host params
  • there is a rake task that removes Puppet related data from database

In 3.1 then

  • installer doesn’t install the plugin by default
  • new ENC api endpoint will be added, which will be discussed previously in an RFE here

In 3.2 or 3.3 the data should be removed for every user who doesn’t have the plugin installed


Today we discussed this and I want to capture the discussion with a few more words.

We can minimize the risk if we install the plugin for all users (fresh installs and upgrades). If we have the plugin installed, there should be no difference between Foreman 2.5 and 2.6. This will allow us to proceed with merging.

We’ll start with considering this scenario experimental. After merging everything, we’ll start work on installations without Puppet. The starting point will be Katello since that doesn’t rely on the Puppet CA, which makes work easier.

AFAIK we still have the /api/hosts/:id/enc endpoint which contains the same info but in JSON. However, without client certificate authentication. The ENC API endpoint won’t contain puppet classes nor the environment. This is OK to me because without the client certificate auth (which relies on the Puppet feature), the existing ENC script needs to be modified anyway.

So the next steps are:

Once all of that is in place, we can merge the puppet extraction PR together with the other PRs.

After that we’ll work on getting nightly green again. Once it is and we’re content, the Foreman version will be bumped to 3.0.

Note that because of the installation by default in 3.0, for end users there won’t really be a difference. However, a major version bump is still warranted.

@ezr-ondrej @ehelms @tbrisker keep me honest and correct me if I’m wrong.


  • plugin version 1.0.0.rc.1 has been released and packaged in RPM, deb has open PR
  • nightlies bats are passing installation and the bats with the puppet_extraction PR

Caveat: must admit that nightlies passed only the second time; the first time, with the same scratch build, it failed to apply the puppet classes (last bat step in puppet.bats)

This was never true, no pipeline has passed. Looks like right now the problem is in hammer.

We also have a tracker for issues:

Then there’s a PR to disable Puppet in the katello devel setup:

That should be good guidance to disabling Puppet.

I guess it may have been true because it was tested manually with scratch builds (before merging the PR) so with the PUPPET_EXTRACTED env variable set to 1, since it’s (correctly) expecting Foreman version to be 3.0. It was likely assuming the version is bumped already.

Possibly, but I think it also means it hasn’t been promoted to actual nightly.