There are a few places you can configure proxies with Puppet. This doc will try to list each of the places where they can be configured, and which components will use each one.
This is a work in progress and will no doubt change over time. Please add comments if you've got additional info, or found something incorrect.
The following configuration options are relevant:
Proxy configs in the puppet.conf file will apply to the Agent, or Master, or both depending on which section they are placed in. Possible uses:
- in the [agent] section - when agent connects to master via proxy
- in the [master] section - (unsure what in the master would use this - perhaps everything? eg puppetdb, node classifier ... ?)
This should be picked up by http requests made via libcurl, eg pe_repo, or from userspace, eg logging in as the root user and running puppet agent -t, etc:
https-proxy = http://proxy.example:3128
proxy-user = username:password
proxy-basic
noproxy = internal-host.example,ldap.example
git config --global http.proxy http://proxyuser:PASSWORD@proxy.example:8080
The puppet_enterprise::master::code_manager class takes a bunch of parameters related to configuring proxies.
See: https://puppet.com/docs/pe/2018.1/code_mgr_customizing.html#code-manager-parameters
Especially:
puppet_enterprise::master::code_manager::proxy: 'http://user:PASSWORD@proxy.example:3128'
puppet_enterprise::master::code_manager::forge_settings:
  #base_url: 'https://forgeapi.puppetlabs.com'
  proxy: 'http://user:PASSWORD@proxy.example:3128'
puppet_enterprise::master::code_manager::git_settings:
  #private_key: '/some/path/to.key'
  proxy: 'http://user:PASSWORD@proxy.example:3128'
Note: when behind a proxy that does SSL decryption/re-encryption you will also need to trust the CA certificate the proxy presents (see the notes on TLS-decrypting proxies further down). FIXME: document the exact steps for Code Manager.
r10k uses the puppet_forge gem, which uses the faraday gem to do http operations with the forge.
PuppetForge::Connection tells faraday to use its default adapter, which is Ruby's built-in Net::HTTP.
https://github.com/lostisland/faraday/wiki/Setting-up-SSL-certificates
[root@pe-201814-master lib]# openssl version -a
OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Mon Jun 29 12:45:07 UTC 2015
platform: linux-x86_64
options: bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/etc/pki/tls"
engines: rdrand dynamic
Things to try:
# Learn the openssldir:
openssl version -a | grep OPENSSLDIR
# Eg for CentOS:
OPENSSLDIR='/etc/pki/tls'
export SSL_CERT_FILE=${OPENSSLDIR}/certs/ca-bundle.crt
# Double quotes so the calling shell expands SSL_CERT_FILE before sudo resets the environment
sudo -H -u pe-puppet bash -c \
  "SSL_CERT_FILE=${SSL_CERT_FILE} /opt/puppetlabs/puppet/bin/r10k deploy environment -c /opt/puppetlabs/server/data/code-manager/r10k.yaml -p -v debug"
Ref on running r10k directly: https://puppet.com/docs/pe/2018.1/code_mgr_troubleshoot-1.html#run-a-deployment-test
Some orgs use proxies (transparent or otherwise) that perform TLS decryption/re-encryption; to communicate with the internet through such a thing you need to trust the certificate presented by the proxy. This involves obtaining the proxy's CA certificate and making it available to the executable establishing the http connection. This is done in different ways for different components.
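The following is an added example, not part of the original notes or of r10k/puppet_forge. It reproduces offline the failure mode the SSL_CERT_FILE steps above work around: Ruby's Net::HTTP (the adapter r10k ends up using via puppet_forge and faraday) verifies the server certificate against whatever bundle OpenSSL loads, so a certificate minted by a TLS-intercepting proxy only verifies once the proxy's CA is in that bundle. The "interception CA", the unrelated root, the leaf for forgeapi.puppetlabs.com and the proxy URL are all constructed in the script; it also shows redacting the password from the proxy URLs that the configs above embed, so they can be logged safely.

```ruby
# Added example: does a leaf certificate verify against a given CA bundle, the
# way Ruby's OpenSSL does for SSL_CERT_FILE? All certificates are constructed
# here; the "Intercepting Proxy CA" stands in for a real TLS-decrypting proxy.
require 'openssl'
require 'uri'

# Build an X509 store the way OpenSSL loads a bundle file: one or more PEM
# certificates concatenated together.
def store_from_bundle(pem_bundle)
  store = OpenSSL::X509::Store.new
  pem_bundle.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m).each do |pem|
    store.add_cert(OpenSSL::X509::Certificate.new(pem))
  end
  store
end

# Would the given leaf certificate (PEM) verify against this bundle?
# Returns [ok, error_string] so the caller can log the OpenSSL reason.
def leaf_trusted?(pem_bundle, leaf_pem)
  store = store_from_bundle(pem_bundle)
  leaf = OpenSSL::X509::Certificate.new(leaf_pem)
  ok = store.verify(leaf)
  [ok, ok ? nil : store.error_string]
end

# Proxy URLs in puppet.conf / hiera / git config embed credentials; strip the
# password before the URL goes into a log line or a support ticket.
def redact_proxy_url(url)
  uri = URI.parse(url)
  uri.password = 'REDACTED' if uri.password
  uri.to_s
end

# --- constructed fixtures (hypothetical names, short-lived keys) ----------
def make_cert(subject, issuer_cert, issuer_key, key, ca:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = OpenSSL::BN.rand(63)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# The proxy's CA and the leaf it would present when intercepting the forge.
PROXY_CA_KEY = OpenSSL::PKey::RSA.new(2048)
PROXY_CA     = make_cert('/CN=Constructed Intercepting Proxy CA', nil, nil, PROXY_CA_KEY, ca: true)
LEAF_KEY     = OpenSSL::PKey::RSA.new(2048)
FORGE_LEAF   = make_cert('/CN=forgeapi.puppetlabs.com', PROXY_CA, PROXY_CA_KEY, LEAF_KEY, ca: false)

# An unrelated root, standing in for a stock ca-bundle.crt without the proxy CA.
OTHER_CA_KEY = OpenSSL::PKey::RSA.new(2048)
OTHER_CA     = make_cert('/CN=Constructed Unrelated Root', nil, nil, OTHER_CA_KEY, ca: true)

if $PROGRAM_NAME == __FILE__
  puts "stock bundle only: #{leaf_trusted?(OTHER_CA.to_pem, FORGE_LEAF.to_pem).inspect}"
  puts "bundle + proxy CA: #{leaf_trusted?(OTHER_CA.to_pem + PROXY_CA.to_pem, FORGE_LEAF.to_pem).inspect}"
  puts redact_proxy_url('http://user:password@proxy.example:3128')
end
```

The first call fails with OpenSSL's "unable to get local issuer certificate" style error, which is what r10k surfaces behind an intercepting proxy; appending the proxy CA's PEM to the bundle pointed at by SSL_CERT_FILE is the only change needed for the second call to succeed.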
bolt uses r10k to install puppet modules specified in a Puppetfile in a bolt project dir. This uses ruby's Net::HTTP by default, or the Typhoeus ruby gem if it's available.
Add the CA certificate to the following file: /opt/puppetlabs/bolt/ssl/cert.pem