Bug 1399859
| Summary: | need a way to specify the ca_server when installing a puppet master capsule that is not a Puppet CA | | |
|---|---|---|---|
| Product: | Red Hat Satellite | Reporter: | Ian Tewksbury <itewksbu> |
| Component: | Installation | Assignee: | satellite6-bugs <satellite6-bugs> |
| Status: | CLOSED DUPLICATE | QA Contact: | Katello QA List <katello-qa-list> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 6.2.4 | CC: | bbuckingham, bscalio, itewksbu, stbenjam |
| Target Milestone: | Unspecified | | |
| Target Release: | Unused | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-12-02 19:30:21 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Ian Tewksbury
2016-11-29 22:46:21 UTC
Hi,

The external puppet ca proxying doesn't work. That's covered by BZ1233302, so marking this a dupe. We only have partial support for it and looks like it doesn't work with the capsule installer.

Even if you get the capsule to install correctly with how you're trying to do things, you'll still need to configure provisioned hosts to hit the capsule for puppet but the satellite for the CA, which might not be possible if you have segregated networks. The reason is, Satellite needs some awareness of the concept so it can correctly add the autosign.conf entries to the right place (covered by that BZ I mentioned).

The Puppet CAs are a bit of a problem child in Satellite, the best option is just leave it alone to how we have it and use them as independent CAs. I realize this links a client with only a single capsule. There is a ref arch for HA if you need that, although it relies on cluster suite.

Just a little more info in case you're interested, there's a bunch of history here we need to correct :-\. Since the beginning the Puppet CA was left alone and outside of Satellite PKI. It's a pain, and something we're looking to fix -- the CA proxy is one way, but it's likely not the one we'll recommend anyway. It'll get fixed at some point in case you want to use it, but I'm thinking the default approach will be to turn off Puppet CA everywhere entirely and use the consumer certificates from subscription-manager, that's covered by https://bugzilla.redhat.com/show_bug.cgi?id=1348660.

*** This bug has been marked as a duplicate of bug 1233302 ***

@stephen, Thanks for the info. As I said in my original report I was able to get it working using the workaround I posted. If you were interested in seeing that setup at all let me know.