Bug 1233302

Summary: [RFE] Puppet CA proxy
Product: Red Hat Satellite Reporter: Stephen Benjamin <stbenjam>
Component: ProvisioningAssignee: satellite6-bugs <satellite6-bugs>
Status: CLOSED WONTFIX QA Contact: Katello QA List <katello-qa-list>
Severity: medium Docs Contact:
Priority: medium    
Version: 6.0.4CC: bkearney, bscalio, fgarciad, itewksbu, mburgerh, shbharad, stbenjam
Target Milestone: UnspecifiedKeywords: FutureFeature
Target Release: Unused   
Hardware: Unspecified   
OS: Unspecified   
URL: http://projects.theforeman.org/issues/4345
Whiteboard:
Fixed In Version: Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-06-14 18:03:00 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Stephen Benjamin 2015-06-18 15:56:01 UTC 
In my environment I have a single CA according to http://docs.puppetlabs.com/guides/scaling_multiple_masters.html#option-1-direct-agent-nodes-to-the-ca-master which foreman supports very well. Now I'm running into the problem that the clients are in subnets that are unable (and undesired) to connect to the central CA. I already set up a proxy according to http://docs.puppetlabs.com/guides/scaling_multiple_masters.html#option-2-proxy-certificate-traffic which works well manually. It would be useful if foreman supported this better.

Possible areas:
* Installer should be able to set up the CA proxy in the vhost
* Installer should be able to set up auth.conf
* Foreman support so you can still use <%= @host.puppet_ca_server %>
Comment 1 Stephen Benjamin 2015-06-18 15:56:02 UTC 
Created from redmine issue http://projects.theforeman.org/issues/4345
Comment 2 Stephen Benjamin 2016-12-02 19:30:21 UTC 
*** Bug 1399859 has been marked as a duplicate of this bug. ***
Comment 3 Stephen Benjamin 2016-12-02 20:07:47 UTC 
*** Bug 1399856 has been marked as a duplicate of this bug. ***
Comment 4 Stephen Benjamin 2016-12-02 20:08:11 UTC 
Someone did try to get this working, a few notes from the workarounds required.  See BZ1399859, and BZ1399856 for more details.

- Ensure puppet certificates are generated from the master CA before running the installer

- Edit the auth.conf to allow unrestricted access to revocation list.  This needs to be done by the installer.
Comment 5 Ian Tewksbury 2016-12-02 20:11:48 UTC 
@stephen,

Thanks!
Comment 8 Bryan Kearney 2018-06-14 18:03:00 UTC 
Thank you for your interest in Satellite 6. We have evaluated this request, and we do not expect this to be implemented in product in the forseeable future. We are therefore closing this out as WONTFIX. If you have any concerns about this, please feel free to contact Rich Jerrido or Bryan Kearney. Thank you.