Yea, the report processor is there.
So, here’s where I’m at with this, and I could use anyone’s help at this point because I don’t know where to go from here.
I started over fresh with PuppetDB 4. Dropped the DB, recreated, and all of my Katello Master Connected systems (Call it “master01”) are properly reporting to PuppetDB. If the system is registered to “master01” all is fine.
I also have 7 additional smart proxies installed. When I attempt to get any of those smart proxies (call them proxy01 - proxy07) to connect to master01’s PuppetDB, things don’t work well.
server_urls = https://master01.domain.tld:8081
Package puppetdb-termini installed on the smart proxy.
reports = foreman,puppetdb
server = proxy01.domain.tld
show_diff = true
certname = proxy01.domain.tld
ca = true
certname = proxy01.domain.tld
storeconfigs = true
storeconfigs_backend = puppetdb
(There are other settings, they’re default from the puppet installation and shouldn’t matter to the task at hand).
Here’s the thing. My Smart Proxies were installed with the following installation settings:
foreman-installer --scenario foreman-proxy-content\
--foreman-proxy-oauth-consumer-key "< secret >"\
--foreman-proxy-oauth-consumer-secret "< secret >"\
--foreman-proxy-content-pulp-oauth-secret "< secret >"\
In Foreman/Katello the products installed show:
Templates, Pulp Node, TFTP, Puppet, Puppet CA, Logs, Dynflow, Ansible, Discovery, Openscap, and SSH
The thing that bothers me is “Puppet” and “Puppet CA”.
On proxy01.domain.tld, when I go to “puppet agent --test”, I get the following:
[root@proxy01 puppet]# puppet agent --test
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: Error 500 on SERVER: Server Error: Could not retrieve facts for proxy01.domain.tld: Failed to find facts from PuppetDB at proxy01.domain.tld:8140: Failed to execute '/pdb/query/v4/nodes/proxy01.domain.tld/facts' on at least 1 of the following 'server_urls': https://master01.domain.tld:8081
Info: Retrieving pluginfacts
Info: Retrieving plugin
Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Failed to execute '/pdb/cmd/v1?checksum=< checksum >&version=5&certname=proxy01.domain.tld&command=replace_facts&producer-timestamp=1522191220' on at least 1 of the following 'server_urls': https://master01.domain.tld:8081
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
And when I run:
[root@proxy01 puppet]# curl --cacert /etc/puppetlabs/puppet/ssl/certs/ca.pem https://stlppkgmgt02.rgare.net:8443
curl: (60) Peer's Certificate issuer is not recognized.
Which I think is exactly as expected.
proxy01 is a puppet CA…that means it’s got it’s own CA Certs right? And those CA Certs aren’t the same CA Certs as on the master…which means trying to use the master’s PuppetDB (which will use the master’s certs) won’t work? Right?
All this for the question:
What the heck is the right/expected way to make PuppetDB work through a smart proxy? I can install PuppetDB on the smart proxy (noted above) but that will cause the Katello master server not to work properly when it goes to de-register nodes right?
There’s GOT to be an expected Architecture / Configuration for this, Right? Is there a way to get each of the Smart Proxy’s Certs recognizable by the Master PuppetDB installation? Is there a way to move/copy/replace all of the Smart Proxy’s certs with the same cert from the Master so that all of Katello is using the same master certs?
Should I have not installed (in some way) Puppet/Puppet CA when I installed the smart proxies?
THERE HAS to be a way to get this to work.