Feature #6791

open

Foreman must accept a list of smart proxies in order to run puppetruns against puppet client through them in HA fashion

Added by Stephen Benjamin over 9 years ago. Updated over 9 years ago.

Status: New
Priority: Normal
Assignee: -
Category: Puppet integration
Target version: -
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1123359
Description of problem:

We are building a Satellite6 HA environment for a customer that is going to manage around 8k RHEL servers. Our setting is providing capsule load balanced services (puppetmaster + yum repos) to clients. In that scenario, if one capsule goes down, the client connects to another capsule member of the cluster and the service is provided.

Puppet applies on our clients are done through running puppetruns from Foreman, and at this point this feature is not in HA.

In order to provide HA for puppetruns executed from Foreman (WEB or API) it will be very useful if Foreman is able to assign a list of capsules (instead of just one capsule as now) to a puppet client in order to run puppetruns on that client through the capsule from Foreman.

In the actual setting just one capsule can be assigned to one host; in that case, if that capsule is down, the puppetrun will fail.

If Foreman is able to try puppetruns in failover fashion through a list of capsules, then HA for puppetruns will be achieved.

Actions #1

Updated by Dominic Cleal over 9 years ago

  • Tracker changed from Bug to Feature
  • Subject changed from [RFE] Foreman must accept a list of capsules in order to run puppetruns against puppet client through them in HA fashion to Foreman must accept a list of smart proxies in order to run puppetruns against puppet client through them in HA fashion
  • Category set to Puppet integration

Put a load balancer in front of your smart proxy service if HA's important to you.

Actions #2

Updated by Benjamin Chardi over 9 years ago

Hi Dominic,

I already have it, but the problem is that you cannot use the load-balancer hostname as the capsule hostname associated to a client to run puppet runs.

We have capsulea.info.net, capsuleb.info.net and capsulec.info.net capsules individually registered in Satellite6. They are providing puppetmaster and rpm repo services to clients, so all clients are connecting to the load balance hostname capsule.info.net and are getting HA on those services.

The problem is that Satellite6 (Foreman) does not allow configuring "capsule.info.net" (the load balance capsule hostname) as the capsule used to run puppet runs through clients. This is because there is not any capsule registered as "capsule.info.net" ...

Actions #3

Updated by Dominic Cleal over 9 years ago

I can't speak to Satellite 6 (this isn't an appropriate forum), but you can use whatever hostname you like with a registered smart proxy. In an SSL setup, that hostname would need to be on the certificate to verify the connection, but there's no reason it wouldn't work.

Actions #4

Updated by Benjamin Chardi over 9 years ago

Hi Dominic,

Many thanks for your help. If I understand well, you are proposing to register a new smart-proxy with the load-balance smartproxy hostname?

Actions #5

Updated by Dominic Cleal over 9 years ago

Correct.

Actions #6

Updated by Benjamin Chardi over 9 years ago

OK. I am going to try it ...

Actions #7

Updated by Benjamin Chardi over 9 years ago

I have tried it and it seems to work. The following is the description of the configuration tested:

  • On the Foreman server I have registered capsulea.info.net, capsuleb.info.net and capsulec.info.net as individual smart-proxies.
  • I have changed the SSL cert for these smart-proxies to an SSL wildcard certificate:

...
Subject: ... CN=*.info.net
...
X509v3 Subject Alternative Name:
DNS:*.info.net
....

  • I have registered a new smart-proxy with the name of the load balance name capsule.info.net. (capsule.info.net balances to capsulea.info.net, capsuleb.info.net and capsulec.info.net).
  • I have assigned the new smart-proxy capsule.info.net as puppetmaster to use when puppetrun is called.
  • Puppetruns are load balanced correctly.

Respecting this setting I have some questions:

- Is this procedure reasonable?
- Is there any problem using a wildcard certificate here?
- What features must be tested in order to be sure that communication between the Foreman server and the individual smart-proxies has not been broken because of the use of the new wildcard SSL certificate?

Many thanks in advance,
Benja.
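
Added example (not part of the original thread and not Foreman's own code): a Ruby check of which hostnames a proxy certificate is accepted for, comparing the wildcard SAN from comment #7 with an explicit SAN list that names one proxy plus the load-balancer hostname, per the "hostname would need to be on the certificate" point in comment #3. The certificates are throwaway self-signed ones built inline, `unrelated.info.net` and `a.b.info.net` are constructed hostnames, and the check uses `OpenSSL::SSL.verify_certificate_identity` from Ruby's standard `openssl` library.

```ruby
require "openssl"

# Hostnames from the thread; OTHER_HOST is a constructed name for comparison.
PROXIES    = %w[capsulea.info.net capsuleb.info.net capsulec.info.net].freeze
LB_NAME    = "capsule.info.net"
OTHER_HOST = "unrelated.info.net"

# Build a throwaway self-signed certificate carrying the given DNS SANs.
# (Constructed test certificate; a real proxy certificate comes from your CA.)
def build_cert(dns_names)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.new([["CN", dns_names.first]])
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  san = dns_names.map { |n| "DNS:#{n}" }.join(",")
  cert.add_extension(ef.create_extension("subjectAltName", san, false))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Return the hosts for which the certificate passes the hostname identity
# check that Ruby TLS clients apply to the peer certificate.
def accepted_hosts(cert, hosts)
  hosts.select { |h| OpenSSL::SSL.verify_certificate_identity(cert, h) }
end

# Compare the wildcard certificate with an explicit-SAN certificate for
# capsulea that also carries the load-balancer name.
def compare
  hosts = PROXIES + [LB_NAME, OTHER_HOST, "a.b.info.net"]
  {
    wildcard: accepted_hosts(build_cert(["*.info.net"]), hosts),
    explicit: accepted_hosts(build_cert([PROXIES.first, LB_NAME]), hosts)
  }
end

compare.each { |kind, hosts| puts "#{kind}: #{hosts.join(', ')}" } if $PROGRAM_NAME == __FILE__
```

The wildcard certificate is accepted for every single-label host under info.net, including names that are not smart proxies, so its private key being present on each proxy widens what one compromised proxy can impersonate. The explicit SAN list is accepted only for the proxy's own name and the load-balancer name.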
