
Centralized configuration management: Puppet + Foreman. Part II

This is the second part of a series of articles about the Puppet + Foreman bundle. It covers the following:

* Creating host groups
* Adding a host to a group
* Applying manifests per host group
* Auto-signing certificates
* Automatic distribution of hosts in groups


To create a group of hosts, go to Foreman and select “Settings” - “Groups of nodes” - “New groups of nodes” in the menu. This opens a page with the settings of the new group. Here you can choose the parent of the group (so groups can be nested), the name (in our case, Bobrovka), the environment, the certification authority and the master server (choose our Puppet server).

If we want to add the manifests that will be applied to the group right away, go to the “Puppet Classes” tab. Everything here works the same way as for a manifest applied to a single client, except that the manifest will be applied to all the hosts included in the group. We confirm the changes.


Now if we go to “Settings” - “Groups of nodes”, we will see a list of our groups.


To add an existing host to a specific group, go to “Nodes” - “All nodes”, click on the name of the node we need (detailed information about the node opens), click the “Change” button and select the group we need in the “Group” field. We confirm the changes.


After we have added the hosts we need to the group, we can add manifests for them (if you did not do this when creating the group). To add a manifest to an existing group, go to “Settings” - “Groups of nodes”, click on the name of the group we need and repeat the procedure described three paragraphs back.

So we have a working server running the Puppet + Foreman bundle, but whenever we want to add a new host to Puppet we have to sign its certificate every time (which I find tiresome), either in the web interface or in the console. To have certificates signed automatically, you can use automatic signing based on the client's name. To do this, go to the menu “Infrastructure” - “Smart Proxies”, click “Certificates”, then in the upper right click “Records autosign” and create a new record. In the name field, enter * and save.


As a result, all client certificates will be signed without exception, which is not very good (but it will do for a start). To sign only some certificates, for example only those from web servers, change the entry to web-* (this will work if all your web servers are named like www-1.domain.name, www-n.domain.name).
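
To see how much an autosign entry covers before saving it, the sketch below (an added example, not code from this article, Puppet or Foreman) checks constructed certnames against a list of entries. Its matching rules are a simplified assumption: * matches everything, an entry starting with *. matches that domain suffix, an entry without * matches one exact name, and any other wildcard form is only reported for manual review.

```python
# Added example: which pending certificate requests would each entry sign?
# The matching below is a simplified model (assumption), not Puppet's code.

def classify(entry):
    """Return 'any', 'domain', 'exact' or 'review' for one entry."""
    if entry == "*":
        return "any"        # every certificate request is signed
    if entry.startswith("*.") and "*" not in entry[2:]:
        return "domain"     # leading-wildcard domain entry, e.g. *.domain.name
    if "*" not in entry:
        return "exact"      # a single literal certname
    return "review"         # other wildcard forms: not modelled, check by hand

def matches(entry, certname):
    kind, entry, certname = classify(entry), entry.lower(), certname.lower()
    if kind == "any":
        return True
    if kind == "domain":
        return certname.endswith(entry[1:])  # suffix such as ".domain.name"
    return kind == "exact" and certname == entry

def audit(entries, pending):
    """Split pending certnames into auto-signed and held for manual signing."""
    entries = [e.strip() for e in entries if e.strip()]
    report = {"signed": {}, "held": [],
              "review": [e for e in entries if classify(e) == "review"]}
    for name in pending:
        hit = next((e for e in entries if matches(e, name)), None)
        if hit is None:
            report["held"].append(name)
        else:
            report["signed"][name] = hit
    return report

# Constructed sample certnames, as they might appear in pending requests.
PENDING = ["www-1.domain.name", "db-1.domain.name",
           "www-1.untrusted.example", "laptop"]

if __name__ == "__main__":
    for entries in (["*"], ["*.domain.name"], ["www-1.domain.name"], ["web-*"]):
        r = audit(entries, PENDING)
        print(entries, "signs", sorted(r["signed"]), "review", r["review"])
```

Name-based autosigning trusts whatever certname the requesting host puts in its request, so even a narrow entry is a naming rule rather than proof of identity.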

To distribute newly created hosts into groups automatically, you can use the foreman_default_hostgroup plugin. This plugin distributes hosts into groups based on facts.
To install the plugin, run the command: apt-get install ruby-foreman-default-hostgroup
If the plugin is installed, it will be displayed in the “Administrator” - “About the program” menu, in the “Modules” tab (you may need to restart Foreman).


After installation, you need to edit the file /usr/share/foreman/config/settings.plugins.d/default_hostgroup.yaml

default_hostgroup.yaml
---
:default_hostgroup:
  :facts_map:
    "Bobrovka":
      "ipaddress": "10.10.*"
    "Losovka":
      "ipaddress": "10.110.0.*"
    "Medvedka":
      "ipaddress": "10.210.0.*"
    "Default":
      "hostname": ".*"

If you use my config for the plugin, hosts will be sorted into groups based on the client's IP address. In this example, if the client has the IP address 10.10.55.12, it will be in the “Bobrovka” group; if it has the address 10.210.138.7, it will be in the “Medvedka” group; if the client's IP address does not match any of the conditions, it falls into the “Default” group. The plugin reads the config from top to bottom, so the “Default” group is at the very bottom, since absolutely all hosts match its criteria.

This concludes the second part of my publication.
The result of our work is a working Puppet + Foreman with the ability to automatically sign certificates and distribute hosts into groups based on facts.

Resources used:
docs.puppetlabs.com/puppet/latest/reference/config_file_autosign.html
github.com/GregSutcliffe/foreman_default_hostgroup

Source: https://habr.com/ru/post/267713/

