| I have the same use case. We have two puppetservers: puppetserver A on an infra A node, for puppet agents on infra A nodes (with its own hiera and puppet code), and puppetserver B on an infra A node, for puppet agents on infra B nodes (with its own hiera and puppet code). Therefore puppetserver B is configured with a puppet agent connecting to puppetserver A. Because the two puppetservers have different CAs, we separated the puppet agent ssldir to /etc/puppetlabs/puppet/ssl.agent/ on puppetserver B. This works the way we want it to; however, during a rebuild of puppetserver B we have the issue that puppetdb ssl-setup (which is executed by the puppet agent during the rebuild) copies puppetserver A's SSL stuff coming from /etc/puppetlabs/puppet/ssl.agent/ to the puppetdb ssldir. We need a manual intervention that temporarily changes [agent] ssldir on puppetserver B to /etc/puppetlabs/puppet/ssl before we run puppetdb-sslsetup; afterward we change it back to /etc/puppetlabs/puppet/ssl.agent/ and the puppet agent run can be started again. We could automate this if we could override the ssldir from which puppetdb sslsetup retrieves the SSL information. |
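
The manual intervention described in the comment above, wrapped so that the `[agent]` ssldir is put back even when the setup step fails and the agent is never left trusting the wrong CA directory. This is an added example, not code from the commenter or from the Puppet project; it assumes `puppet` and `puppetdb` are on `PATH`, and the function name `puppetdb_sslsetup_with_local_ca` is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original comment).
# Path taken from the comment: the ssldir holding puppetserver B's own CA material.
SERVER_SSLDIR=/etc/puppetlabs/puppet/ssl

# Run `puppetdb ssl-setup` while [agent] ssldir points at the local CA's
# ssldir, then restore whatever value was configured before.
# Returns: 0 on success, the exit code of ssl-setup if it failed,
#          1 if the setting could not be read or changed,
#          2 if the original value could not be restored.
puppetdb_sslsetup_with_local_ca() {
    # Remember the current value (ssl.agent/ in the setup described above).
    original=$(puppet config print ssldir --section agent) || return 1
    if [ -z "$original" ]; then
        echo "could not read [agent] ssldir" >&2
        return 1
    fi

    # Point the agent section at the server's own ssldir for the setup step.
    puppet config set ssldir "$SERVER_SSLDIR" --section agent || return 1

    # Capture the result instead of returning early, so the restore below
    # always runs.
    setup_rc=0
    puppetdb ssl-setup || setup_rc=$?

    # Put the agent back on its separate ssldir before any agent run starts.
    if ! puppet config set ssldir "$original" --section agent; then
        echo "could not restore [agent] ssldir to $original" >&2
        return 2
    fi
    return "$setup_rc"
}

# Only act when asked to, so sourcing this file has no side effects.
if [ "${1:-}" = "run" ]; then
    puppetdb_sslsetup_with_local_ca
fi
```

Comparing the issuer of the certificate that ends up in the puppetdb ssldir with the CA certificate of puppetserver B after the run confirms that the copy came from the intended directory.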