Using puppet-puppet, puppet-foreman_proxy, and puppet-foreman to configure my Foreman ENvironment. I’m running into issues where config(s) are directly conflicting.
If on my Dedicated Puppet CA I use (abbreviated config):
puppetca => true,
puppetca_split_configs => false,
puppet => false,
server => true,
server_ca => true,
autosign_entries => ["*.my.fqdn.com"]
It configures my autosign.conf correctly - as follows
[root@fmncanpw1 puppet]# cat autosign.conf
# Managed by Puppet
HOWEVER - puppetca_hostname_whitelisting is also enabled. Which means any new host that is provisioned “adds its fqdn” to my autosign.conf This is mostly redundant from what I can tell, except now on the next puppet run on the CA server itself, it “removes” the host entry from autosign.conf and then “bounces” the puppetserver service. In my heavier build environments this is leading to intermittent build failures as the CA is “needlessly restarting” when new builds are requesting a certificate.
Looking at “puppet-puppet” and “puppet-foreman_proxy” - i can’t seem to find a way to configure these to coexist.
My “desired” configuration would be puppet-puppet manages my wildcarded autosign.conf entries, and $foreman_proxy::puppetca_provider is set to “false” or “undef” in order to disable both hostname_whitelisting, as well as fqdn_whitelisting. But it doesn’t look like the option exists to configure it this way yet…
Is there a better way (currently) to configure this? Allow hostname_whitelisting to exclusively manage it while the puppet-puppet module doesn’t manage the file at all?