Setup of a smart proxy for a private network

Problem:
I’d like to set up a smart proxy for a private network. It has two network interfaces: one in the same network as Foreman, and one inside the private network.
The interface inside the “foreman network” has the hostname “puppet-private.example.com”, the interface inside the “private network” has the hostname “puppet.private.example.com”.

I’d like to run the following things on the smart proxy:

  • TFTP
  • Templates
  • Logs
  • Puppet

For templates, I can use the “foreman-proxy-template-url” from foreman-installer to specify the internal interface should be used. For TFTP, things will just work if I configure firewall and “next server” correctly.
But I fail to get Foreman to put the correct puppetmaster URL when “@host.puppetmaster” is used in the templates.

What I used on the smart proxy is:

foreman-installer --no-enable-foreman \
  --no-enable-foreman-plugin-bootdisk \
  --no-enable-foreman-plugin-setup \
  --enable-puppet \
  --enable-foreman-proxy-plugin-discovery \
  --no-enable-foreman-plugin-default-hostgroup \
  --foreman-proxy-plugin-discovery-install-images=true \
  --puppet-server-ca=false \
  --puppet-server-foreman-url=https://foreman.example.com \
  --enable-foreman-proxy \
  --foreman-proxy-tftp=true \
  --foreman-proxy-puppetca=false \
  --foreman-proxy-foreman-base-url=https://foreman.example.com \
  --foreman-proxy-oauth-consumer-key=something \
  --foreman-proxy-oauth-consumer-secret=somethingelse \
  --puppet-server-foreman-ssl-ca=/etc/pki/tls/certs/my-private-ca.pem \
  --foreman-proxy-trusted-hosts={puppet-private.example.com,foreman.example.com} \
  --foreman-proxy-templates=true \
  --foreman-proxy-template-url=http://puppet.private.example.com:8000 \
  --foreman-proxy-puppet-url=https://puppet.private.example.com:8140 \
  --foreman-proxy-registered-name=puppet.private.example.com \
  --puppet-dns-alt-names=puppet.private.example.com

I also ensured the puppet cert has both alternate names (i.e. puppet-private.example.com and puppet.private.example.com), which needs manual signing because Feature #14882 (Puppet CA signing should support --allow-dns-alt-names - Smart Proxy - Foreman) is still unresolved.

However, when assigning the proxy to a subnet and a host, Foreman insists on “@host.puppetmaster” being “puppet-private.example.com”, which the nodes in the private network cannot reach.
Is there any way to force Foreman to use “puppet.private.example.com” in the templates?

Foreman and Proxy versions:
1.18.3 (both foreman and proxies)

Does anybody have an idea on this?

Basically, I just want to have an isolated network with a smart proxy inside, and only the smart proxy should communicate with Foreman (but the remaining network should be isolated). But I wonder whether that’s actually supported, since the puppet master FQDN for a subnet appears to change together with the Smart Proxy URL Foreman talks to…
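The dual-homed setup above only works if the proxy's Puppet certificate is valid for both names: Foreman reaches the proxy as puppet-private.example.com, while agents in the isolated network must reach it as puppet.private.example.com, and a TLS client ignores the CN once DNS subjectAltName entries are present. The following Ruby script is an added example (not code from the thread or from Foreman) that performs that check with the same identity logic Ruby's TLS client uses; it builds a self-signed certificate inline as a stand-in for the Puppet-CA-issued one, and the hostnames and `build_proxy_cert`/`missing_names` helpers are assumptions made for the illustration. On a real proxy you would load `/etc/puppetlabs/puppet/ssl/certs/<fqdn>.pem` instead of generating one.

```ruby
require 'openssl'

# Hostnames from the thread: what Foreman talks to, and what agents in the
# isolated network use. Both must be covered by the proxy's Puppet cert.
FOREMAN_SIDE = 'puppet-private.example.com'
PRIVATE_SIDE = 'puppet.private.example.com'

# Build a self-signed certificate that mimics what the Puppet CA issues when
# the proxy requests dns_alt_names. Constructed test data, not a real cert.
def build_proxy_cert(cn, alt_names)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = cert
  san = alt_names.map { |n| "DNS:#{n}" }.join(',')
  cert.add_extension(ef.create_extension('subjectAltName', san, false))
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  cert
end

# List the DNS names a certificate claims (CN plus every DNS SAN entry),
# for reporting only; the authoritative check is missing_names below.
def cert_dns_names(cert)
  names = cert.subject.to_a.select { |oid, _v, _t| oid == 'CN' }.map { |_o, v, _t| v }
  ext = cert.extensions.find { |e| e.oid == 'subjectAltName' }
  if ext
    ext.value.split(',').each do |entry|
      kind, value = entry.strip.split(':', 2)
      names << value if kind == 'DNS'
    end
  end
  names.uniq
end

# Return the required hostnames the certificate does NOT cover, using the same
# identity check a Ruby TLS client applies (SAN first; CN only when no DNS SAN).
def missing_names(cert, required)
  required.reject { |host| OpenSSL::SSL.verify_certificate_identity(cert, host) }
end

if __FILE__ == $0
  required = [FOREMAN_SIDE, PRIVATE_SIDE]
  good = build_proxy_cert(FOREMAN_SIDE, [FOREMAN_SIDE, PRIVATE_SIDE])
  bad  = build_proxy_cert(FOREMAN_SIDE, [FOREMAN_SIDE])
  puts "dual-SAN cert names:   #{cert_dns_names(good).join(', ')}"
  puts "dual-SAN cert missing: #{missing_names(good, required).inspect}"
  puts "single-SAN cert names: #{cert_dns_names(bad).join(', ')}"
  puts "single-SAN cert missing: #{missing_names(bad, required).inspect}"
end
```

A cert signed with only the Foreman-side name in its SAN passes Foreman's checks but fails for every agent in the private network, which is why the manual signing with both alt names mentioned above is required.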

This is currently not supported. I have an idea on how to do this multi homing but it relies on a feature that’s not merged yet in foreman (Exposing capabilities in the smart proxy). I hope that RFC will make it into 1.22. That might mean we get the multi homing in 1.22 as well or 1.23.

Many thanks for the feedback, at least I did not miss anything then!
Your linked thread looks like a very good plan, and of course it is something that will take at least one release and proper testing, so I’m hopeful to see it in 1.23. If 1.22 already has it, I’ll be glad to test :slight_smile:.

I’ve created Feature #26164: Provide Puppet (CA) multi homing - Foreman. I’d be interested to know if you think this approach would fit your use case and solve it.

cc @sean797

Untested WIP PRs here:

https://github.com/theforeman/smart-proxy/pull/638

That does indeed look like a perfect match!
Of course we’d also need the Puppet CA proxy for full glory, but I see that is already linked as part of the feature proposal. Since we don’t have a test setup, I can not really help out with testing the PRs, but as far as my limited Ruby knowledge goes, this looks good :smile:.

Puppet and Puppet CA are separate features on a proxy. Each have their own configs. It will require Puppetserver 6.3+ (unreleased right now I think) since that’s the first version that provides a REST API with all the fields we need.