Bug 2106475 - [RFE] Enhance puppet agent deployment for external puppetserver
Summary: [RFE] Enhance puppet agent deployment for external puppetserver
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Puppet
Version: 6.11.0
Hardware: All
OS: Linux
unspecified
low
Target Milestone: 6.13.0
Assignee: Ewoud Kohl van Wijngaarden
QA Contact: Gaurav Talreja
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2022-07-12 18:37 UTC by Gary Scarborough
Modified: 2023-05-03 13:22 UTC (History)

Fixed In Version: foreman-3.5.1.10-1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-05-03 13:21:28 UTC
Target Upstream Version:
Embargoed:




Links
| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Foreman Issue Tracker | 35187 | 0 | Normal | Closed | Permit puppet settings when puppet-plugins are not loaded | 2022-11-14 12:03:46 UTC |
| Foreman Issue Tracker | 36131 | 0 | Normal | Closed | Remove Puppet host_param options from template | 2023-02-27 13:29:55 UTC |
| Red Hat Issue Tracker | SAT-14684 | 0 | None | None | None | 2023-01-05 07:04:55 UTC |
| Red Hat Product Errata | RHSA-2023:2097 | 0 | None | None | None | 2023-05-03 13:22:01 UTC |

Description Gary Scarborough 2022-07-12 18:37:22 UTC
Description of problem:

With the removal of puppet from satellite, customer has proposed a snippet to help users migrate to external puppetserver set in provisioning:

https://github.com/theforeman/foreman/pull/9296

"I'm expecting Satellite to drop the puppet plugin in one of the upcoming releases.  With having access to that plugin, the puppet.conf snippets as currently written are usable.  The addition of these parameters lets folks continue to use these snippets in a useful way once the plugin is dropped.

With the github PR I've got there, the puppet plugin for foreman isn't used or installed.  The puppet snippets are, but foreman itself does not have any of the puppet server/hosting/etc bits installed.  With the PR in place, the snippets can be tailored in a manner similar to how the puppet upstream repos are tailored.

To my mind this makes the PR a workable solution for the plugin being removed from Sat without making my external integrations any more difficult."



Version-Release number of selected component (if applicable):

Satellite 6.11.

Comment 1 Pat Riehecky 2022-07-25 14:22:25 UTC
With https://github.com/theforeman/foreman/pull/9296 merged upstream, can this patch be a candidate for 6.11.z?

Comment 3 Bryan Kearney 2022-08-23 12:05:06 UTC
Moving this bug to POST for triage into Satellite since the upstream issue https://projects.theforeman.org/issues/35187 has been resolved.

Comment 8 Ewoud Kohl van Wijngaarden 2023-02-20 15:56:53 UTC
I took a look at the original PR and even though I merged it, I now see that Leos actually wrote the correct fix later: https://github.com/theforeman/foreman/commit/eebd309f89c71567c2b7e6d4e4fc8f4b00d0edc6

I'm proposing to revert https://github.com/theforeman/foreman/pull/9296 in https://github.com/theforeman/foreman/pull/9630. If we do a cherry pick, it should be Leos' fix.

Comment 9 Pat Riehecky 2023-02-20 16:16:13 UTC
As the author of the PR getting reverted, this all sounds good to me.

Extra love if this can get cherry picked into Sat 6.12+

Comment 10 Gaurav Talreja 2023-02-22 08:56:36 UTC
Thanks for posting that PR here. I think we can move it back to ASSIGNED until we get it into the snap, as we discussed and please update the BZ later when PR is merged.

Comment 13 Ron Lavi 2023-02-22 11:39:53 UTC
Moving back to ON_QA per the comment above that mentions "Reverting isn't strictly needed, since at worst it's redundant."
Gaurav, is it really failedQA?

Comment 19 Ewoud Kohl van Wijngaarden 2023-03-07 13:51:40 UTC
Adding steps to verify the non-integrated scenario. I'll use generic hostnames to indicate their roles and easily identify them, but the actual hostnames don't matter. As long as you're consistent.

There's a host satellite.example.com. It's installed as a regular Satellite, without Puppet integration. This "just" follows the regular manual, so I'm not including those steps here.

Then on puppet.example.com there's a standalone Puppetserver instance. It's installed as follows (assuming EL8):

dnf install https://yum.puppet.com/puppet-release-el-8.noarch.rpm
dnf install puppetserver
. /etc/profile.d/puppet-agent.sh # just needed now, normally part of the shell startup but it was created in the previous command
puppetserver ca setup
systemctl enable --now puppetserver

Depending on your setup you also need to open TCP port 8140 in your firewall.

In addition to that, you can simplify provisioning by creating /etc/puppetlabs/puppet/autosign.conf and adding hostnames to it. https://www.puppet.com/docs/puppet/7/config_file_autosign.html has the full documentation. It also accepts asterisks, so * or *.example.com is accepted. This is not recommended for production setups since it's insecure, but makes testing a lot easier.

To really test it end to end, a trivial environment can be created:

puppet module install theforeman/motd
mkdir -p /etc/puppetlabs/code/environments/production/manifests
echo "include motd" > /etc/puppetlabs/code/environments/production/manifests/site.pp

With all of that set up you should be able to provision a new host (let's name it client.example.com) with a parameter (either on the host, hostgroup, or globally):

puppet_server (string): puppet.example.com

The host also needs access to the puppet-agent package. This can be either done through content views or setting a host parameter. This BZ is not about those host parameters, so I'd suggest to use content views now since that's the generally recommended solution for Satellite users.

Make sure the certificate is signed. Either via autosign as above, or manually: puppetserver ca sign --certname client.example.com (note you can only sign after the host has requested a certificate)

The expected result is:
* On client.example.com `puppet config print server` prints puppet.example.com (which should be set via /etc/puppetlabs/puppet/puppet.conf)
* On client.example.com you can run Puppet (either manually using puppet agent -t or systemctl enable --now puppet) and it'll successfully retrieve its configuration and apply it. Afterwards /etc/motd is customized.
* On puppet.example.com you see the certificate is signed, as verified by: puppetserver ca list --certname client.example.com
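
Comment 19 above notes that asterisk entries in autosign.conf are insecure outside of testing. The audit script below is an added example, not part of the bug report or of Foreman or Puppet code; it flags such entries and shows which certnames a file would sign without review. It assumes one certname or domain glob per line with `#` comment lines skipped, and its function names are hypothetical.

```shell
# Added example: audit a Puppet autosign.conf allowlist for wildcard entries.
# Assumption: one certname or domain glob per line; blank lines and lines
# starting with '#' are skipped. Function names are hypothetical.

# classify_entry ENTRY -> prints match-all, domain-glob or exact
classify_entry() {
    case "$1" in
        '*')   echo match-all ;;
        '*.'*) echo domain-glob ;;
        *)     echo exact ;;
    esac
}

# entry_matches ENTRY CERTNAME -> status 0 if ENTRY would cover CERTNAME
entry_matches() {
    case "$(classify_entry "$1")" in
        match-all) return 0 ;;
        domain-glob)
            suffix=${1#\*}      # "*.example.com" -> ".example.com"
            case "$2" in *"$suffix") return 0 ;; esac
            return 1 ;;
        *) [ "$1" = "$2" ] ;;
    esac
}

# audit_autosign FILE [CERTNAME...]
# Reports wildcard entries and which CERTNAMEs the file would autosign;
# returns 1 if any wildcard entry is present, 0 otherwise.
audit_autosign() {
    file=$1; shift
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        entry=$(printf '%s' "$line" | tr -d '[:space:]')
        case "$entry" in ''|'#'*) continue ;; esac
        kind=$(classify_entry "$entry")
        [ "$kind" = exact ] || { echo "WILDCARD $kind $entry"; rc=1; }
        for name in "$@"; do
            if entry_matches "$entry" "$name"; then
                echo "AUTOSIGN $name via $entry"
            fi
        done
    done < "$file"
    return "$rc"
}

# Constructed sample input (not taken from the bug report).
sample=$(mktemp)
printf '%s\n' '# lab entries' 'client.example.com' '*.example.com' > "$sample"
audit_autosign "$sample" client.example.com rogue.example.com || echo "wildcards present"
rm -f "$sample"
```

On puppet.example.com the same function can be pointed at /etc/puppetlabs/puppet/autosign.conf before a test server is reused for anything else.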

Comment 21 Gaurav Talreja 2023-03-07 18:46:10 UTC
Verified.

Tested on Satellite 6.13.0 Snap 13.0 with foreman-3.5.1.10-1.el8sat.noarch

Steps:
Same as mentioned in comment 19

Observation:
1. Puppet config on provisioned host points to external puppetserver for server and ca_server under agent section
2. /etc/motd contains content of template from installed theforeman/motd module, which can be seen when logging in via SSH


Thanks for helping me resolve the setup, I really appreciate it. @ekohlvan ++

Comment 24 errata-xmlrpc 2023-05-03 13:21:28 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: Satellite 6.13 Release), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:2097

