Foreman 1.15.0 here.
My Foreman environment is set up to manage Puppet host certificates:
I have a perfectly operational PuppetCA proxy. I can manually
view/sign/revoke/autosign certificates no problem:
The PuppetCA proxy is assigned to the organization and location (no screenshots
here, trust me).
My hostgroup is set up to use the above PuppetCA smartproxy to manage the
certificates:
<https://lh3.googleusercontent.com/-_HyTRgoHFFI/WTpuJt9HITI/AAAAAAAAAEU/15rhZ9WCTxU_HpCZ8OHjZ_7upN0WnWojgCLcB/s1600/Edit%2BGT%2B-%2BGoogle%2BChrome_026.png>
However, I still need to sign CSRs manually. Looks like the PuppetCA proxy
autosign POST endpoint does not get triggered during the orchestration
process.
This applies to all hosts, both manually created and provisioned ones and
discovered and auto-provisioned ones.
With SQL DEBUG logging turned on, I get nothing like 'puppetca' or 'puppet ca'
when I hit 'Build host' or 'Auto-provision'.
However, in the PuppetCA proxy logs I can see some 404s:
–> when the foreman_url("built") is reached: https://pastebin.com/Y0KgRkje
–> when deleting the host: https://pastebin.com/ebJzM68c
This makes perfect sense, as the autosign was never there in the first
place.
Once again, I can do anything I like from the Infrastructure -> Smart
Proxies -> PuppetCA page (so the ACLs/permissions are OK).
I use the discovery image and custom initrd provisioning. To break the
custom initrd PXE boot loop, the host curls foreman_url("built")
(passed as a kernel parameter and called from the initrd scripting).
Now the problems I see:
–> according to klaas' words on IRC, reaching foreman_url("built")
should remove the host's FQDN from the autosign.conf file; the host has never
had a chance to run puppet yet (it needs to boot from HD first); this probably
breaks most scenarios that include the Foreman Discovery Plugin
–> anyway, as stated above, I can see neither autosign.conf being edited nor
the PuppetCA proxy POST being called when hitting 'Build host' or 'Auto-provision'
–> I could probably work around this with Foreman Hooks, but that seems like
reinventing the wheel.
Thoughts on this?
The missing POST looks like a minor code issue. But the Discovery Plugin /
PuppetCA / foreman_url("built") interaction issue goes deeper. Maybe I should
use another API endpoint?
Please share your view on this. Thank you.
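The autosign entry that the post says is never created is managed through the Smart Proxy's PuppetCA REST API. The following is an added example client for that API, written for this page; it is not Foreman's own `ProxyAPI::Puppetca` and not code from the original post. The endpoint paths follow the smart-proxy puppetca module (`/puppet/ca/autosign`, `/puppet/ca/autosign/:certname`, `/puppet/ca/:certname`); the proxy URL `https://proxy.example.com:8443` is hypothetical, the JSON-array shape of the autosign listing is an assumption, and `FakeAutosignProxy` is a constructed in-memory stand-in (sample data, not a real proxy) so the client can be exercised offline. The fake mirrors the behaviour the post's proxy logs show: `DELETE` of an autosign entry that was never added answers 404, which the client reports as `:absent` rather than as an error, and `ensure_autosign` is the idempotent "add the entry before the first puppet run" step a Foreman hook would need.

```ruby
require 'net/http'
require 'openssl'
require 'json'
require 'uri'

# Added example client for the Smart Proxy PuppetCA API (not Foreman's own
# ProxyAPI::Puppetca). Paths follow the smart-proxy puppetca module:
#   GET    /puppet/ca/autosign            list autosign.conf entries (assumed JSON array)
#   POST   /puppet/ca/autosign/:certname  add an autosign entry
#   DELETE /puppet/ca/autosign/:certname  remove an autosign entry (404 if absent)
#   POST   /puppet/ca/:certname           sign a pending CSR
#   DELETE /puppet/ca/:certname           revoke a certificate
class PuppetCAProxy
  Response = Struct.new(:code, :body)

  # base_url: proxy URL (hypothetical in the usage below). cert/key/ca_file: PEM
  # paths for client-certificate auth, the way Foreman authenticates to a proxy.
  # transport: optional callable (verb, path) -> Response, used for offline runs.
  def initialize(base_url, cert: nil, key: nil, ca_file: nil, transport: nil)
    @base = URI(base_url)
    @cert, @key, @ca_file = cert, key, ca_file
    @transport = transport || method(:https_request)
  end

  def autosign_entries
    resp = request(:get, '/puppet/ca/autosign')
    raise "listing autosign entries failed: HTTP #{resp.code}" unless ok?(resp)
    JSON.parse(resp.body)
  end

  def set_autosign(fqdn)
    ok?(request(:post, "/puppet/ca/autosign/#{fqdn}"))
  end

  # 404 here means the entry was never present, which is what the built
  # callback hits when no entry was added; report it instead of failing.
  def del_autosign(fqdn)
    resp = request(:delete, "/puppet/ca/autosign/#{fqdn}")
    return :removed if ok?(resp)
    return :absent if resp.code.to_i == 404
    raise "removing autosign entry failed: HTTP #{resp.code}"
  end

  def sign(fqdn)
    ok?(request(:post, "/puppet/ca/#{fqdn}"))
  end

  def revoke(fqdn)
    ok?(request(:delete, "/puppet/ca/#{fqdn}"))
  end

  # Idempotent step for a hook fired on host create/build: make sure the entry
  # exists before the host boots from disk and runs its first puppet agent.
  def ensure_autosign(fqdn)
    return :present if autosign_entries.include?(fqdn)
    raise "adding autosign entry for #{fqdn} failed" unless set_autosign(fqdn)
    :added
  end

  private

  def ok?(resp)
    resp.code.to_i.between?(200, 299)
  end

  def request(verb, path)
    @transport.call(verb, path)
  end

  # Real transport: HTTPS with peer verification and a client certificate.
  def https_request(verb, path)
    http = Net::HTTP.new(@base.host, @base.port)
    http.use_ssl = (@base.scheme == 'https')
    http.verify_mode = OpenSSL::SSL::VERIFY_PEER
    http.ca_file = @ca_file if @ca_file
    http.cert = OpenSSL::X509::Certificate.new(File.read(@cert)) if @cert
    http.key  = OpenSSL::PKey.read(File.read(@key)) if @key
    req = Net::HTTP.const_get(verb.to_s.capitalize).new(path, 'Accept' => 'application/json')
    r = http.request(req)
    Response.new(r.code, r.body)
  end
end

# Constructed in-memory stand-in for the proxy's autosign endpoints (sample data,
# not a real proxy): 200 on list/add, 200 on delete of a present entry, 404 otherwise.
class FakeAutosignProxy
  attr_reader :entries, :calls

  def initialize(entries = [])
    @entries = entries.dup
    @calls = []
  end

  def call(verb, path)
    @calls << [verb, path]
    if verb == :get && path == '/puppet/ca/autosign'
      PuppetCAProxy::Response.new('200', JSON.generate(@entries))
    elsif (m = path.match(%r{\A/puppet/ca/autosign/(.+)\z}))
      name = m[1]
      if verb == :post
        @entries << name unless @entries.include?(name)
        PuppetCAProxy::Response.new('200', '')
      elsif verb == :delete && @entries.delete(name)
        PuppetCAProxy::Response.new('200', '')
      else
        PuppetCAProxy::Response.new('404', 'Not found')
      end
    else
      PuppetCAProxy::Response.new('404', 'Not found')
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  fake  = FakeAutosignProxy.new(['already.example.com'])
  proxy = PuppetCAProxy.new('https://proxy.example.com:8443', transport: fake)
  puts proxy.ensure_autosign('new.example.com')       # added
  puts proxy.ensure_autosign('new.example.com')       # present
  puts proxy.del_autosign('never-added.example.com')  # absent
end
```

Against a real proxy, drop the `transport:` argument and pass the Foreman client certificate, key and CA file; the proxy logs should then show the `POST /puppet/ca/autosign/<fqdn>` that the post reports as missing, and the later `DELETE` from the built callback will return 200 instead of 404.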