At the suggestion of @dhoppe I spent some time to write up a foreman::enc function. This can serve as a Hiera lookup which means you can replace the Foreman ENC with pure Hiera. In environments where you don’t control the ENC (such as Puppet Enterprise), this can be useful.
This looks nice. If I read the code correctly, it uses the ssl certs of the puppetserver to authenticate to foreman. As the puppetserver is a smart-proxy, it can query the ENC data. If I want to run puppet in a masterless setup, could we reuse something like authorize_host_by_client_cert so a host is allowed to query it’s own enc data? Should a host see it’s own enc data? Can it contain secrets?
This solves the ENC part of Foreman, how about the reports? Are there other mechanisms than what we currently use?
It indeed does. I still need to figure out how to handle this in the Katello case where a different CA is used. I’m thinking about implementing a proxy for this. Possibly this will be an Apache reverse proxy to the Foreman proxy which should grow these capabilities. Not sure yet as this was a quick research. Long term we need to solve it if we want to support Puppet Enterprise (which is on my roadmap) or containers (like https://hub.docker.com/r/puppet/puppetserver / https://hub.docker.com/r/puppet/puppetserver-standalone).
I don’t know about a masterless setup. It does implement the HTTP basic auth so that would be a possible solution.
I was tempted to say anything, but decided to separate it. There’s a http report processor built into Puppet which uses the same connection pool. This is essentially the same as our report processor does, except that it sends raw reports and lets the server deal with it. I’m considering implementing this in the same proxy code as the ENC part I mentioned above. Then we could let the Foreman Proxy handle this. I haven’t researched that part yet.
Would you mind to post a small example ?
What I’ve tried without success: (in the r10k managed puppet environment folder)
- name: "Foreman Backend" data_hash: foreman::enc
… and I placed the data backend function (of type data hash I assumed) here (also below in the envrionment folder)
When puppet is running I get the following error:
ERROR [puppetserver] Puppet Evaluation Error: Error while evaluating a Function Call, undefined method `load_typed’ for nil:NilClass (f
ile: /etc/puppetlabs/code/environments/dev1puppet6/site.pp, line: 1, column: 1)