Architecture

  • the Foreman server : Foreman UI+ENC, and smart proxy with TFTP, Puppet (master) and Puppet CA (we won’t use the Puppet master, only the Puppet CA)

The Foreman server could also be used to set and edit the puppet class parameters (with the smart variables) but we will use hiera for this instead.

Because hiera is more flexible.

  • a smart proxy with Puppet (master)

For scalability we can add other Puppet master hosts in the future. The Puppet masters will all have the same Puppet CA (set on the Foreman server)

                                         +--------------+    - Web UI
       +------------------------------>  | The Foreman  |    - External Node Classifier
       |             +---------------->  |              |    - Puppet Certificate Authority
       |             |                   +--------------+                               ^
       |             |                           ^                                      |
       | Smart Proxy |               Smart Proxy | - Get ENC                            |
       |             |                           | - Push reports                       |
       |             |                   +--------------+                               |
       |             |                   | Puppet Master| - Compile node    - Request & |
(Puppet Master  (Puppet Master           |              |   catalogs          check     |
     Ter)           Bis)  ^              +--------------+                     certif.   |
                          |                     ^    ^                                  |
                          +----+                |    |                                  |
                               |                |    +-----------+                      |
                               |                |                | - Get catalog        |
                               |                |                |                      |
                        +------------+    +------------+    +------------+              |
                        | Node with  |    | Node with  |    | Node with  |              |
                        | Pup. agent |    | Pup. agent |    | Pup. agent | -------------+
                        +------------+    +------------+    +------------+

For other architecture diagrams, see :

Install the main Foreman server

Provides some repos : EPEL, RH or Centos Software collections, Foreman and Foreman plugins.

Install and start puppet-server

Do a puppet agent --test on the node

Then :

yum -y install foreman-installer
foreman-installer --foreman-configure-epel-repo=false

Initial credentials are provided in the installation summary of foreman-installer

In the UI you must configure the first proxy with the foreman host itself

Cf the screencast http://theforeman.org/media.html → Quick start installation

Disable Foreman’s parameterised ENC output if you’re using hiera exclusively

Administer > Settings > Puppet

Enable_Smart_Variables_in_ENC → false

Parametrized_Classes_in_ENC → false

Install the smart proxy

On the future Puppet master host :

# Version for Foreman 1.6
foreman-installer \
  --no-enable-foreman \
  --no-enable-foreman-cli \
  --no-enable-foreman-plugin-bootdisk \
  --no-enable-foreman-plugin-setup \
  --enable-puppet \
  --puppet-server-ca=false \
  --puppet-server-foreman-url=https://<the foreman server hostname> \
  --enable-foreman-proxy \
  --foreman-proxy-puppetca=false \
  --foreman-proxy-tftp=false \
  --foreman-proxy-foreman-base-url=https://<the foreman server hostname> \
  --foreman-proxy-trusted-hosts=<the foreman server hostname> \
  --foreman-proxy-oauth-consumer-key=<consumer key from the Foreman server> \
  --foreman-proxy-oauth-consumer-secret=<consumer secret from the foreman server>

Get the consumer key and secret from the Foreman server WebUI, in Administer → Settings → Auth → oauth_consumer_key & oauth_consumer_secret

Or grep oauth_consumer /etc/foreman/settings.yaml on the Foreman server.

More information here :

Look in sections :

  • Setting up Foreman with external Puppet masters

  • Standalone Puppet master

When the Puppet master is deployed, you need to set or replace the CA with the CA from the Foreman Server and generate a certificate for the (new) Puppet master.

Follow instructions from section :

  • SSL certificate authority setup

On every agent node, you must set the ca_server setting in puppet.conf (in the [main] configuration block) to the hostname of the server acting as the certificate authority.

  • ca_server will be the Foreman server

  • server will be a/the Puppet master

Manual run on a node with the puppet agent :

puppet agent --test --server <puppet master> --ca_server <the foreman>

Also check that ca_server is set correctly in the puppet.conf of the Puppet master.

Reference :