use Ansible/Quadlet to deploy the main app
what is this?
a playground to test out deploying a Foreman/Katello with the following "adjustments":
- certs generated by `puppet-certs`
- Foreman, Pulp, Candlepin, PostgreSQL, Redis deployed by `foreman-quadlet`
- Foreman Proxy deployed by `puppet-foreman_proxy`
details, gory details
- this uses https://github.com/evgeni/pulp_smart_proxy instead of https://github.com/theforeman/smart_proxy_pulp -- see https://github.com/theforeman/foreman-quadlet/commits/pulp-smart for the details of that switch
- this uses a hacked up `foreman-quadlet` to allow using `puppet-certs` generated certs straight out of `/root/ssl-build` -- see https://github.com/theforeman/foreman-quadlet/commits/installer-certs for the details of this hack
- this removes any calls to `puppet-foreman` and `puppet-foreman_proxy_content` from the installer, which means no CLI among other things
- this uses a rather hackish patch to `puppet-katello` to achieve the following:
  - generate all certs
  - deploy foreman-proxy certs (which was done by `puppet-foreman_proxy_content` in the past)
  - create some shims so that `puppet-certs` can deploy Foreman and Candlepin certs, even tho they are unused on the system
  - check out `foreman-quadlet` and run its `deploy` playbook at "the right time" so that Foreman/Katello/Candlepin/Pulp is deployed for us
problems
- many, probably
- one that I know of: for some reason foreman-tasks gets listed as failed, it gets fixed by `systemctl restart dynflow*`, so probably some ordering issue or something
testing
# foreman-installer --scenario katello --foreman-proxy-oauth-consumer-key abcdefghijklmnopqrstuvwxyz123456 --foreman-proxy-oauth-consumer-secret abcdefghijklmnopqrstuvwxyz123456 --tuning development
/packit build
If you're lazy, you could also write a migration that removes all entries you don't want instead of removing all individual migrations.
```ruby
# Hash#delete_if already mutates in place; there is no delete_if! in Ruby
answers.delete_if do |key, _value|
  ['foreman', 'foreman_proxy_content', 'apache::mod::status'].include?(key) || key.start_with?('foreman::')
end
```
Will be easier if you need to rebase this more often.
foreman-installer --scenario katello --foreman-proxy-oauth-consumer-key abcdefghijklmnopqrstuvwxyz123456 --foreman-proxy-oauth-consumer-secret abcdefghijklmnopqrstuvwxyz123456 --tuning development
this should give you a working Frankenstein :tada:
> this uses a rather hackish patch to `puppet-katello` to achieve the following:
> - generate all certs
Oh look... more fun code that was attempting what you wanted way back:
https://github.com/theforeman/puppet-certs/pull/449
This was input to my idea to have a stand-alone to generate certificates the way puppet-certs generates them to be able to use the certs as input rather than coupling generation and deployment:
https://github.com/theforeman/foreman-installer/pull/935
You're saying we could've had a command that goes "prepare me a certs bundle" and use that certs bundle as a dedicated input to both the "foreman" and the "internal proxy" installations? THAT WOULD HAVE BEEN AWESOME! Where is my :unicorn:?
I don't want to lose track of some changes I was testing on your frankenstein class in puppet-katello and made these updates:
```puppet
$katello_server_ca_cert = $certs::ca::server_ca_path

include trusted_ca

trusted_ca::ca { 'katello_server-host-cert':
  source  => $katello_server_ca_cert,
  require => File[$katello_server_ca_cert],
}

class { 'certs::foreman_proxy':
  deploy => true,
}
```
This allowed setting this at the answer file level:
```yaml
certs:
  deploy: false
  group: root
```
This inspired me to start working on some puppet-certs updates that should decouple things more and help.
/packit build
What am I missing?
2025-03-03 08:22:54 [ERROR ] [configure] Could not find resource 'File[/etc/pki/katello/certs/katello-default-ca.crt]' in parameter 'require' (file: /usr/share/foreman-installer/modules/certs/manifests/foreman_proxy.pp, line: 129) on node almalinux9.tanso.example.com
Using `group: root` and `deploy: true` and then explicitly setting `deploy: false` for `certs::candlepin` and `certs::foreman` worked.
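As an added illustration (not code from this PR or from foreman-installer), the two answer-file changes discussed in this thread combined into one stand-alone Ruby script: the migration-style pruning of the `foreman`, `foreman_proxy_content`, `apache::mod::status` and `foreman::*` answers suggested above, plus the `certs` settings reported as working (`group: root`, `deploy: true`, with `deploy: false` for `certs::candlepin` and `certs::foreman`). The answers YAML it operates on is a constructed sample, and the function names are my own, not Kafo's migration API.

```ruby
require 'yaml'

# Constructed excerpt in the shape of a katello answers file (not a real file from the PR).
SAMPLE_ANSWERS = <<~YAML
  foreman:
    initial_admin_username: admin
  foreman::cli: true
  foreman::plugin::tasks: true
  foreman_proxy:
    register_in_foreman: true
  foreman_proxy_content:
    pulpcore_mirror: false
  apache::mod::status: true
  certs:
    deploy: true
    group: foreman
  certs::candlepin:
    deploy: true
  certs::foreman:
    deploy: true
  katello:
    enable_ostree: false
YAML

# Modules that the quadlet-based deployment no longer manages through the installer.
DROPPED_KEYS = %w[foreman foreman_proxy_content apache::mod::status].freeze

# Non-mutating equivalent of the delete_if migration from the review comment.
def prune_answers(answers)
  answers.reject do |key, _value|
    DROPPED_KEYS.include?(key.to_s) || key.to_s.start_with?('foreman::')
  end
end

# Certs owned by root and deployed for the proxy, but not for Candlepin and Foreman,
# which run inside the quadlets with certs taken straight from /root/ssl-build.
def apply_certs_overrides(answers)
  updated = answers.dup
  certs = updated['certs'].is_a?(Hash) ? updated['certs'] : {}
  updated['certs'] = certs.merge('deploy' => true, 'group' => 'root')
  %w[certs::candlepin certs::foreman].each do |klass|
    params = updated[klass].is_a?(Hash) ? updated[klass] : {}
    updated[klass] = params.merge('deploy' => false)
  end
  updated
end

# Load, prune, override and re-serialise an answers file.
def migrate_answers_yaml(yaml_text)
  apply_certs_overrides(prune_answers(YAML.safe_load(yaml_text))).to_yaml
end

puts migrate_answers_yaml(SAMPLE_ANSWERS) if $PROGRAM_NAME == __FILE__
```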
/packit build
I guess I had some local changes to puppet-certs as well I didn't capture. I think all of them are captured in the flood of puppet-certs PRs I opened :)
/packit build