discovery_proxy Discovery Proxy



Version information

  • 0.1.0 (latest)
  • 0.0.1
released Aug 19th 2017
This version is compatible with:
  • Puppet Enterprise 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x, 2017.3.x, 2017.2.x, 2017.1.x, 2016.4.x
  • Puppet >= 4.9.0

Start using this module

Add this module to your Puppetfile:

mod 'choria-discovery_proxy', '0.1.0'

Add this module to your Bolt project:

bolt module add choria-discovery_proxy

Manually install this module globally with Puppet module tool:

puppet module install choria-discovery_proxy --version 0.1.0

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.



choria/discovery_proxy — version 0.1.0 Aug 19th 2017

Choria Discovery Proxy

A basic module to install the Choria Discovery Proxy service and its CLI.


When Choria is configured to use PuppetDB as a discovery source, the PuppetDB query interface has to be exposed to all users. Because of the vast amount of data stored in PuppetDB, this is a potential source of leaked secrets.

This proxy sits in front of PuppetDB and exposes a secure HTTPS REST service that Choria uses for discovery. The service only returns certnames, which greatly reduces the possibility of sensitive information leaking. Only the proxy now needs to be allowed to communicate with PuppetDB directly.

Additionally it allows named sets to be created that can later be referenced by name in Choria discovery.
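The certname-only behaviour described above, sketched as an added example (not the proxy's own code, which this page does not show). The `{"nodes": [...]}` response shape, the certname pattern and the sample rows are assumptions constructed for illustration.

```python
import json
import re

# Constructed sample of what a PuppetDB-style query can return: certnames plus
# other fields, some of them sensitive. Not real data.
SAMPLE_PUPPETDB_RESPONSE = json.dumps([
    {"certname": "web1.example.net", "environment": "production",
     "facts": {"os": "CentOS", "db_password": "constructed-secret"}},
    {"certname": "db1.example.net", "environment": "production",
     "facts": {"os": "CentOS", "api_token": "constructed-token"}},
    {"certname": "web1.example.net", "environment": "production", "facts": {}},
])

# Assumption: certnames are lower-case DNS-style names.
CERTNAME_RE = re.compile(r"[a-z0-9]([a-z0-9._-]{0,251}[a-z0-9])?")


def certnames_only(raw_body):
    """Reduce an upstream PuppetDB-style JSON body to a sorted certname list.

    Allow-list projection: only the "certname" field is copied out, so a new
    or unexpected upstream field can never reach the client. Fails closed
    (ValueError) on a malformed row instead of passing it through.
    """
    rows = json.loads(raw_body)
    if not isinstance(rows, list):
        raise ValueError("upstream response is not a list of rows")
    names = set()
    for row in rows:
        name = row.get("certname") if isinstance(row, dict) else None
        if not isinstance(name, str) or not CERTNAME_RE.fullmatch(name):
            raise ValueError("row without a valid certname")
        names.add(name)
    return sorted(names)


def client_response(raw_body):
    """Body a proxy of this kind would send to the discovery client.
    The {"nodes": [...]} shape is hypothetical."""
    return json.dumps({"nodes": certnames_only(raw_body)})


if __name__ == "__main__":
    print(client_response(SAMPLE_PUPPETDB_RESPONSE))
```
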


By default this module sets up the proxy to listen on for incoming HTTPS requests from clients using HTTPS client certificates signed by the Puppet CA.

class{"choria_discovery_proxy": }

This sets it all up working with your PuppetDB on puppet:8081.

Many customizations are available. For example, you can specify a custom PuppetDB location and ports:

    class{"choria_discovery_proxy":
      tls_port => 9292,
      puppetdb_host => "",
    }

See the module source for other options available.

In the above cases the server process will be started. To install just the client, use this:

    class{"choria_discovery_proxy": manage_service => false }

Then see the output of discovery_proxy sets --help for how to maintain sets.


At present integration with MCollective is not yet released, but eventually to integrate with this service you'd add SRV records like:

_mcollective-discovery._tcp   IN  SRV 10  0 8085

And then enable use of the proxy by setting plugin.choria.discovery_proxy to true.

The host and port can also be set using plugin.choria.discovery_host and plugin.choria.discovery_port.

Further documentation will be written in the main choria docs about this integration.

A created set can be discovered using something like mco package update foo -I set:bobs_machines where bobs_machines were made using discovery_proxy sets create bobs_machines.


This is an early release of the module and the proxy, so for now the module embeds the compiled proxy as a binary and only supports Linux distributions using systemd.