Integration of Red Hat Satellite 6.2.x with external Puppet Master
Hello,
All Satellite documentation is about the integration of Puppet in Satellite 6. However, in my environment, we want to keep our current Puppet Master (oss version) server and keep Satellite 6 as a provisioning/patching and reporting tool.
The reference architecture (as promised here: [ https://access.redhat.com/articles/satellite-and-puppet-enterprise ] ) is nowhere in the Customer Portal.
Can someone point me to which options I need to pass to the installer in order to integrate it with our Puppet Master?
For simplicity, let's say that the hostnames are:
Puppet Master: pm.example.com
Satellite 6: rhs.example.com
Thank you,
Peter
Responses
You can run them as 2 isolated systems without integration, just pass satellite-installer --capsule-puppet false and they will be unaware of each other. OR: Here are the manual steps I needed to perform to integrate satellite with our old existing puppet environment (if I remember all steps, may have forgotten something).
To use satellite as ENC on your existing puppet master: /etc/puppet/puppet.conf
[master]
external_nodes = /etc/puppet/node.rb
node_terminus = exec
You can find the node.rb script here: https://github.com/theforeman/puppet-foreman/blob/master/files/external_node_v2.rb
Configure /etc/puppet/foreman.yaml on your puppet master, copy from satellite server. If you don't want to use client certificates on your puppet masters to access satellite, comment out ssl_cert/ssl_key, and in Satellite you will need to change Satellite / Settings / Auth / Require SSL for capsules to false.
Note: you always need to specify the ssl_ca cert option, which should point to a file containing the CA cert for your satellite.
I also configured Settings / Puppet / Create new host when facts are uploaded and Create new host when report is uploaded to "false".
To send puppet run reports from your puppet master to satellite: /etc/puppet/puppet.conf
[master]
reports = puppetdb, foreman
Download https://github.com/theforeman/puppet-foreman/blob/master/files/foreman-report_v2.rb and place it in /usr/lib/ruby/site_ruby/1.8/puppet/reports/foreman.rb.
In Satellite under Settings / Auth / Trusted puppetmaster hosts, add your puppet masters in array style.
To enable autosign of puppet CSRs on your external CA if the host is in satellite, you can create a script that checks if the foreman host exists in satellite and then autosigns the CSR.
I also believe we did some modification of node.rb but I'm afraid I can't remember what it was right now ...
Here's the autosign script if you are interested ...
/etc/puppet/puppet.conf:
[master]
ca = true
autosign = /usr/local/bin/autosign.sh
autosign.sh:
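#!/bin/bash
# Autosign policy script: Puppet passes the certname of the CSR as $1.
# Signs if the exit status is 0, ignores the request if it is higher.
#
if [ -z "$1" ]; then
    echo "need a hostname to check"
    exit 1
fi
fqdn=$1
echo "Searching Satellite for $fqdn ..."
# Look the host up in Satellite and require its certname to equal $fqdn
# (grep -F matches the name literally, so dots are not regex wildcards).
curl -s -X GET -u admin:changeme -H "Accept:application/json" --cacert /etc/pki/tls/certs/satellite.crt "https://satellite.domain.com/api/v2/hosts/$fqdn" | python -m json.tool | grep -F "\"certname\": \"$fqdn\""
exit $?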
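The autosign check described in the reply above, as an added example that is not part of the original post and is not Puppet or Satellite code. It goes a little further than the posted script: the certname is validated before it is placed in the URL, the API response is parsed as JSON and compared exactly, and the credentials are read from a file instead of the command line. The API URL and CA path follow the post; `CRED_FILE`, the read-only API account and the lowercase-FQDN rule are assumptions.

```python
#!/usr/bin/env python3
"""Puppet policy-based autosign check against the Satellite hosts API."""
import base64, json, re, ssl, sys, urllib.request

# Assumed values: URL and CA path follow the post; CRED_FILE is hypothetical
# (mode 0600, one line "user:password" for a read-only API account).
API = "https://satellite.domain.com/api/v2/hosts/"
CA_FILE = "/etc/pki/tls/certs/satellite.crt"
CRED_FILE = "/etc/puppet/autosign.cred"

# Assumption: certnames are lowercase FQDNs with at least two labels.
LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
FQDN_RE = re.compile(r"(?:%s\.)+%s\Z" % (LABEL, LABEL))

def valid_certname(name):
    """Reject anything that is not a plain FQDN before it reaches the URL."""
    return len(name) <= 253 and FQDN_RE.match(name) is not None

def certname_matches(body, name):
    """True only if body is a JSON host object whose certname equals name."""
    try:
        host = json.loads(body)
    except ValueError:
        return False
    return isinstance(host, dict) and host.get("certname") == name

def fetch_host(name):
    """Return the API response body, or None on file, TLS or HTTP errors."""
    try:
        with open(CRED_FILE) as fh:
            token = base64.b64encode(fh.read().strip().encode()).decode()
        req = urllib.request.Request(API + name, headers={
            "Accept": "application/json", "Authorization": "Basic " + token})
        ctx = ssl.create_default_context(cafile=CA_FILE)
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return resp.read().decode("utf-8")
    except (OSError, ValueError):  # URLError/HTTPError are OSError subclasses
        return None

def decide(name, fetch=fetch_host):
    """Exit status for Puppet: 0 signs the CSR, non-zero leaves it unsigned."""
    if not valid_certname(name):
        return 1
    body = fetch(name)
    return 0 if body is not None and certname_matches(body, name) else 1

if __name__ == "__main__":
    # Puppet passes the certname as the only argument; fail closed otherwise.
    sys.exit(decide(sys.argv[1]) if len(sys.argv) == 2 else 1)
```

Installed as the executable named in the `autosign` setting, it returns non-zero for any lookup failure, so an unreachable Satellite leaves CSRs unsigned rather than signing them.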
Hi, Currently we have Puppet PE 2017.2.2 - 4.x with 4 compile masters, a physical DB box, a console puppet server for managing 4000+ Unix nodes. We came out of Satellite 5 a couple of years ago. Now we are planning to bring in Satellite 6, not decided if 6.2 or 6.3 yet.
I'm thinking how complex and complicated this idea could be, to use Satellite 6 while suppressing its Puppet features. Moreover in terms of the long run, for maintenance like upgrading Satellite 6 or migration from current PE to Puppet within Satellite in future. We are not sure if we are about to try something more challenging and uncommon in practice. I was referring to this as well - [Red Hat Customer Portal] (https://access.redhat.com/articles/satellite-and-puppet-enterprise#how-it-works-6) - Solution Brief: Red Hat Satellite 6 & Puppet Enterprise Integration
I need some expert advice/opinion from your experience on this to learn if this is good even to try or not? Please share your valuable suggestions.
We have a similar setup as you have with PE and are currently working to migrate from PE to Satellite6. We will continue our use of r10k and hiera and will not add Puppet modules to content views in Sat6. The migration will be less error prone and frustrating if we manage to keep our workflows unchanged.
As Satellite6 is not currently supporting load balancing features for Puppet, we will use one capsule for each lifecycle env and reduce the number of puppet runs if the load becomes too high. This is not an optimal solution, but the cost savings from migrating away from PE are substantial. PE has more features compared to Satellite6, but we can live without them. New config management tools like Ansible are also interesting, so we may choose to gradually replace Puppet anyway.
