We are getting close to the next stabilization period and as proposed in Foreman 3.0 without any objections, this release should include Puppet ENC only as a plugin. Given time is short I’d like to formalize the plan we have now so any objections are raised as soon as possible.
First of all blockers to merge the extraction PR:
test plugin, automation and manually (kudos to everyone who helped here!)
scratch build without puppet
nightly build needs to pass on said scratch build
What will happen in 3.0 when we merge:
installer installs the Puppet plugin by default
installer has a scenario without puppet that will warn the user that they have to provide certificates manually
all data will be kept intact even if the user chooses not to install the plugin
there will be no way of getting enc that was previously served by /node/<hostname> without installing the plugin
there is a rake task that allows to migrate data (puppetserver, puppetca_server) from host(group) fields to host params
there is a rake task that removes Puppet related data from database
In 3.1 then:
installer doesn’t install the plugin by default
new ENC api endpoint will be added, which will be discussed previously in an RFE here
In 3.2 or 3.3 the data should be removed for every user who doesn’t have the plugin installed
Today we discussed this and I want to capture the discussion with a few more words.
We can minimize the risk if we install the plugin for all users (fresh installs and upgrades). If we have the plugin installed, there should be no difference between Foreman 2.5 and 2.6. This will allow us to proceed with merging.
We’ll start with considering this scenario experimental. After merging everything, we’ll start work on installations without Puppet. The starting point will be Katello since that doesn’t rely on the Puppet CA, which makes work easier.
AFAIK we still have the /api/hosts/:id/enc endpoint which contains the same info but in JSON. However, without client certificate authentication. The ENC API endpoint won’t contain puppet classes nor the environment. This is OK to me because without the client certificate auth (which relies on the Puppet feature), the existing ENC script needs to be modified anyway.
So the next steps are:
The installer will be modified to enable Puppet by default (current PR will be updated)
I guess it may have been true because it was tested manually with scratch builds (before merging the PR) so with the PUPPET_EXTRACTED env variable set to 1, since it’s (correctly) expecting Foreman version to be 3.0. It was likely assuming the version is bumped already.