Yasmin Rajabi The tooling is split between some Ruby code (`puppet cert`) and Puppet Server (the cert API). The only way I'm aware of for us to ship this only in PE would be to make it a PE Server extension. I don't know of us doing a Ruby change like this in PE only, though. That's mostly to say it's likely a core Puppet change and a Puppet Server change. Once it was done, though, we would want to create a ticket to fix the "offset indexing" we do in PE HA, so those changes will all be in PE only.
This solves a sort of minor problem that can have major considerations for PE HA over time. I think it's worth mentioning that this is more or less a band-aid, but it would be a good first step. Specifically, this might over time allow us to support Active/Active CAs. Given you don't have to worry about what number you are at on the primary vs. the replica, it solves the "who is in charge of signing certs" problem.
It doesn't solve the "who is in charge of revoking certs" problem, though for my money I think implementing the OCSP covered in OPTY-99 would do that in the long term by decentralizing the certificate revocation list.
I think moving to Active/Active HA over time, or at a bare minimum allowing easier failback in PE HA, would be helped by this ticket, as it negates the possible collisions that could occur.