Puppet Open Source with Foreman

The SovLabs Puppet Enterprise module for vRealize Automation increases IT agility and speed of delivery for systems and applications by combining SovLabs Module Framework with Puppet’s advanced configuration management and vRealize Automation’s provisioning and lifecycle management capabilities.


Puppet Open Source 3.8.1+
Foreman 9, 11, 12, 13, 14, 15, 16
VMware vRealize Automation (vRA) 7.x
VMware vRealize Orchestrator (vRO) 7.x
EMC Enterprise Hybrid Cloud (EHC) 4.x

Quick Start Process

  1. Define Foreman/Puppet Master
  2. Define Foreman/Puppet Agent configuration
  3. Apply to existing blueprint and provision!


  • Ensure NTP is set up correctly

Create Puppet Certificate and Update Puppet Console configuration

Create the certificate on the Puppet Master that will be used for communication with the Foreman API and the Puppet CA API.

Perform the following for each Puppet Master:

In the following instructions, replace CERTNAME with the chosen cert name. We recommend vrosvc

1. SSH to the Puppet Master (as root, or an account that has sudo privileges)
2. su to root if needed
3. Create a certificate (replace CERTNAME with vrosvc)

puppet cert generate CERTNAME

4. Modify auth.conf by typing in the following:

vi /etc/puppet/auth.conf

If the following section does not exist, copy and paste the following section into the auth.conf file, and replace CERTNAME with the certificate name you created in Step 3 (without the .pem extension). This is case-sensitive.

If the section does exist, add your certificate to the allow list.

path  /certificate_status
method find, save, search
auth yes
allow <code>CERTNAME</code>

5. Hit the esc key and then type in :wq
6. Restart necessary services by typing in: service puppet restart

Puppet Foreman Credentials

On a monolithic Puppet Open Source instance you will need root credentials (recommended) or credentials with sudo elevated privileges on the Puppet Master server.

If these are separate servers in your environment, you need root credentials or credentials with elevated privileges on these:

  • Puppet CA
  • Puppet Compile Master
  • Puppet database server
vRO must be able to authenticate to the Puppet Master and the other components as root or must be able to sudo to root to execute commands.
The root user can be authenticated using the password or with SSH keys.
The alternative is a service account that has been granted sudo permissions in sudoers.
The steps to setting up sudo permissions on the Puppet components can be quite involved and are not in the scope of this document.

Collect the appropriate keys from the Foreman Master Paste into a text editor or copy/paste directly into the SovLabs Foreman Master configuration form:

Type Location
API Certificate /etc/puppetlabs/puppet/ssl/certs/CERTNAME
Private Key Certificate /etc/puppetlabs/puppet/ssl/private_keys/CERTNAME
CA Certificate (used to sign the API cert) /etc/puppetlabs/puppet/ssl/ca/ca_crt
Replace CERTNAME accordingly (e.g.vrosvc)

Provisioning Windows VMs

If you plan to provision Windows VMs with Puppet Enterprise, you will need a method to connect to the VM to install the agent. You can choose to use the VMware Tools option or the WinRM option when you configure your SovLabs Foreman Agent configuration.

  1. Create a SovLabs vCenter Endpoint (required)
  2. Create the Puppet Agent with vmware-tools as the Connection Type on the Puppet Agent Configuration tab.

WinRM Option
To connect to a VM using WinRM, you must configure WinRM on the target server. We have provided a script that does all the needed configurations on the target to enable WinRM. Your environment may have GPOs that affect these permissions, so check with your Windows administrator for any questions on this.
  1. Download the activateWinRM.ps1
  2. Put the activateWinRM.ps1 script into a share OR incorporate it into your Windows Template in vCenter.
  3. In your Customization Specification, call the activateWinRM.ps1 script in the Run Once section

Using activateWinRM.ps1 from a share location

cmd /c powershell -executionpolicy Bypass -noninteractive -file //example.sovlabs.net/SovlabsSoftware/activateWinRM.ps1

Using a local copy of activateWinRM.ps1 in the template:

cmd /c powershell -executionpolicy Bypass -noninteractive -file c:\example_dir\activateWinRM.ps1

For Linux/Unix VM Provisioning

It is recommended to use the SSH connection type in the Foreman Agent configuration. You will need root credentials to the VM for this.

TIP set your root password in your template in vCenter. If you use a Puppet class to change the root password, make sure it does not run before the SovLabs Puppet OSF MachineProvisioned workflow completes or you will lose the ability to log in, mid-job