Feature #4345

open

Puppet CA proxy

Added by Ewoud Kohl van Wijngaarden about 10 years ago. Updated almost 9 years ago.

Status: New
Priority: Normal
Assignee: -
Category: -
Target version: -
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

In my environment I have a single CA according to http://docs.puppetlabs.com/guides/scaling_multiple_masters.html#option-1-direct-agent-nodes-to-the-ca-master which Foreman supports very well. Now I'm running into the problem that the clients are in subnets that are unable (and undesired) to connect to the central CA. I already set up a proxy according to http://docs.puppetlabs.com/guides/scaling_multiple_masters.html#option-2-proxy-certificate-traffic which works well manually. It would be useful if Foreman supported this better.

Possible areas:
  • Installer should be able to set up the CA proxy in the vhost
  • Installer should be able to set up auth.conf
  • Foreman support so you can still use <%= @host.puppet_ca_server %>

Related issues 2 (1 open, 1 closed)

  • Related to Foreman - Feature #26164: Provide Puppet (CA) multi homing (Closed, Ewoud Kohl van Wijngaarden)
  • Blocks Katello - Tracker #8172: Isolate Client Communication through a Capsule (New)

#1

Updated by Ewoud Kohl van Wijngaarden about 10 years ago

For Foreman support I wrote the following in my puppet.conf snippet (requires safe mode off):

ca_server = <%= @host.info['classes']['puppet']['ca_server'] rescue @host.puppet_ca_server %>

#2

Updated by Ewoud Kohl van Wijngaarden about 10 years ago

Ewoud Kohl van Wijngaarden wrote:

  • Installer should be able to set up the CA proxy in the vhost

https://github.com/theforeman/puppet-puppet/pull/138 should address this part.

#3

Updated by Ewoud Kohl van Wijngaarden about 10 years ago

Ewoud Kohl van Wijngaarden wrote:

  • Installer should be able to set up auth.conf

https://github.com/theforeman/puppet-puppet/pull/139 should address this part.

#5

Updated by Eric Helms over 9 years ago

  • Blocks Tracker #8172: Isolate Client Communication through a Capsule added

#6

Updated by Stephen Benjamin over 9 years ago

Based on a conversation on IRC -

The installer portion is done to configure the actual proxy, but Foreman needs to be made aware of the concept. Foreman must know to set /etc/puppet/puppet.conf ca_server to the Smart Proxy, but to send the autosign request to the appropriate place.

#7

Updated by Stephen Benjamin almost 9 years ago

  • Bugzilla link set to 1233302

#8

Updated by Ewoud Kohl van Wijngaarden about 5 years ago
