Solution Brief: Red Hat Satellite 6 & Puppet Enterprise Integration

Updated -


Rich Jerrido - Principal Technical Product Marketing Manager, Red Hat


As a user of Red Hat Satellite 6.1, you would like to deploy Red Hat Satellite in conjunction with Puppet Enterprise.


  • Red Hat Satellite 6.1.x or newer
  • Puppet Enterprise 3.8.1 or newer

Architectural Overview

In this usage, the customer wants to use Puppet Enterprise for Configuration Management i.e. node classification, infrastructure event reporting, application orchestration, and device integrations such as networking and storage, and use Satellite 6 for everything else (Provisioning, Errata Management, Subscription Management, etc)

The customer deploys a Red Hat Satellite server, along with Red Hat Satellite Capsule Servers as needed to support integration and content delivery functionality. It is expected that the customer does not leverage the puppet capabilities as included in Satellite 6 (as they are being provided by Puppet Enterprise). The integration points are in three well-defined areas:

  • Leveraging Satellite's repository synchronization capabilities to mirror Puppet Enterprise agent packages
  • Using Satellite's provisioning capabilities to install the PE agent and perform its initial configuration.
  • Leveraging Puppet Enterprise to update Satellite with updated facts & reports. (As ongoing puppet runs are being reported to PE, we need a means to keep Satellite's database up to date with fact and run report information such that reporting is accurate). To this end, Puppet Labs has developed a custom reports processor and facts terminus (effectively plugins), which reports this data from PE to Satellite (via Satellite's API)

Support Stance

Task Which Product Handles It Who Supports it
OS Provisioning Satellite Red Hat
Puppet Enterprise Agent Installation Satellite (via custom Kickstart) Red Hat
Role Assignment Puppet Enterprise Puppet Labs
Configuration Reporting Satellite & Puppet Enterprise Puppet Labs
Inventory Reporting Satellite & Puppet Enterprise Puppet Labs

How it works

First, Red Hat Satellite is used to synchronize in the Puppet Enterprise (PE) Agent RPMs for the versions of RHEL that will be managed. This is done by means of a Custom Product, and a repository of type yum. This allows the customer to deploy the Agent RPM during provisioning as part of a Content View. Additionally, as with all custom product, subscription tracking capabilities (via hammer subscription list for example)


Next, the system is provisioned using any of the supported methods in Satellite. We provide a customized provisioning template & snippet (more on these below), which install the PE agent and not the Puppet Agent as shipped in the Satellite tools repository. Additionally, the provisioning templates configure the pe-puppet.conf file with the user-provided hostname of the Puppet Master that is to be used. A Hostgroup Parameter is used to configure the hostname of the Puppet Master and Puppet Certificate Authority


After the node completes its first puppet run, its agent certificate is approved and it is classified (either manually or via rules). Ongoing puppet runs are reported to whichever Puppet Master was designated during provisioning.


Lastly, ongoing facts and reporting data are reported to Satellite via the custom reports processor and facts terminus. Additionally this data is stored in PuppetDB


Getting Started with the Satellite 6 & Puppet Enterprise Integration.

  • Add the Puppet Enterprise (PE) certificate to the Satellite's trust.
    • Copy from the PE server: /etc/puppetlabs/puppet/ssl/certs/ca.pem
    • To the Satellite server: /etc/pki/ca-trust/source/anchors/pe-ca.pem
  • Run update-ca-trust
  • Restart katello-services
  • Create a Custom Product named 'Puppet Enterprise' in Satellite 6, with a yum repository named 'PE-EL6-x86_64-RPMs'. (This example uses RHEL6 x86_64)
  • PE stores all of their agents at


  • Next, create a content view with
    • the RHEL 6Server rpms repo (this example uses RHEL 6, but any version of RHEL supported by Satellite 6 and Puppet Enterprise is supported)
    • the RHEL 6.6 kickstart repo
    • RHEL Satellite Tools repo.
  • Additionally, add the PE-EL6-x86_64-RPMs repo from above to the content view.
  • Publish and promote the content view into a lifecycle environment.
  • Create an activation key to register content hosts to the lifecycle environment, with a RHEL sub and a 'Puppet Enterprise' sub attached.
  • Create a hostgroup, with two hostgroup parameters 'pe_puppet_ca' & 'pe_puppet_master', which are used in a modified version of the Satellite 6 provisioning templates. This will allow the user to define different CA's and masters depending on their setup. In a simple setup, this doesn't matter, but if the installation of Puppet Enterprise is a 'split' install with multiple puppet masters, the flexibility is provided to do such without having to modify the provisioning templates.
  • Download the attached provisioning templates sat_kickstart_default_w_pe.erb_.txt and pe-puppet.conf_.erb_.txt from this article.
  • Upload the templates to your Satellite and associate them with the Operating Systems, Organization and Location that is desired.
  • Provision the system using any supported Kickstart based method.

Frequently Asked Questions

  • Q: When will this reference architecture be released?
  • A: Red Hat is expecting release of this reference architecture mid-Fall 2015

  • Q: May I use the community edition of Puppet?

  • A: This reference architecture was designed around the Enterprise version of Puppet. If a customer chooses to use a non-Enterprise version of Puppet Red Hat will request that any issue be reproduced using the Enterprise version of Puppet.
    Please note that customers cannot install a non-Red Hat provided Puppet agent on a Satellite or Capsule, nor do we provide any higher level integrations between Satellite + Community Puppet.




Can you provide an ETA for when this reference architecture is going to be released?

The yum repo sync, of the PE master, fails on the self-signed SSL cert (see Bugzilla 1210878). The work around is to copy the PE RPMs to an non-SSL HTTP server and import from there.

The following PE module exports the Puppet facts into Satellite 6:

Communications between the PE master and Satellite can be found in the following log: pe-master:/var/log/puppetlabs/puppetserver/puppetserver.log

Should this work with Satellite 6.2 - as I cant seem to get it to work

Im also seeing "There was an error rendering the Satellite Kickstart PE template: The snippet 'puppet_csr_attributes.yaml' threw an error: Safemode doesn't allow to access 'constant' on Hash"

Should I need to disable safe mode rendering?

Do I have to use Puppet Enterprise to do Configuration and Inventory Reporting? or the standard Satellite is enough?

This is obsolete. When might an update happen ?

Hi, Currently we have Puppet PE 2017.2.2 [ 4.x ] with 4 compile masters, a physical DB box, a console puppet server for managing 4000+ Unix nodes. We came out of Satellite 5 couple of years ago. Now we are planning to bring in Satellite 6 , not decided if 6.2 or 6.3 yet. I'm thinking how complex and complicated this idea could be to use satellite 6 suppressing its puppet features. Moreover in terms of long run, for maintenance like upgrading satellite 6 Or migration from current PE to puppet within satellite in future. We are not sure if we are about to try something more challenging and uncommon in practice. I was referring at this as well - - Integration of Red Hat Satellite 6.2.x with external Puppet Master

I need some expert advice/opinion from your experience on this to learn if this is good even to try or not ? Please share your valuable suggestion.

Some things to consider: This has not been touched by Puppet or Red Hat in almost a year. There is no current information that I have been able to locate. If you know of any, please share. Satellite 6.3 has Puppet 4.x inside it while 6.2.x has the EOL Puppet 3.x in it.

Looking for an updated version of this with current software versions for 2019.

This document needs to updated for Satellite 6.5, and it's new templates. PE Puppet is still viable for the customers.

Is there an update for satellite 6.6?