Multiple PuppetMasters, one PuppetDB


Cassiano Leal

May 14, 2014, 5:15:49 AM
to puppet...@googlegroups.com
Hi,

I’d like to ask for advice on certificate trust in a scenario with multiple puppet masters.

I’m in a position where I have roughly 50 environments, each with their own puppetmaster, running their own CAs.

I also have another environment from where I provide some centralised services, such as an MCollective broker, a central Logstash/Elasticsearch instance, etc., and that’s got its own puppetmaster as well.

I have installed PuppetDB in this environment, and its cert is signed by this central puppetmaster’s CA.

Now I’m in a position where my environments don’t trust the PuppetDB’s cert because they have no knowledge of the CA that signed it.

Is there a way to make them communicate? I reckon making the individual puppetmasters trust the central CA would do it, but how would I go about doing that?

Thanks,
Cassiano Leal

Christopher Wood

May 14, 2014, 10:18:23 AM
to puppet...@googlegroups.com
(inline)

On Wed, May 14, 2014 at 09:15:49AM +0000, Cassiano Leal wrote:
> Hi,
>
> I'd like to ask for advice on certificate trust in a scenario with multiple puppet masters.
>
> I'm in a position where I have roughly 50 environments, each with their own puppetmaster, running their own CAs.

In your position I would probably bite the bullet and pick one puppetmaster to be the CA. Then I would have 49 non-CA puppetmasters and one CA puppetmaster, each being able to serve one of my 50 puppet environments:

http://docs.puppetlabs.com/puppet/latest/reference/environments.html
http://docs.puppetlabs.com/puppet/latest/reference/environments_classic.html

(I'm a bit nonplussed that you're still sane after running 50 separate environments.)

> I also have another environment from where I provide some centralised services, such as an MCollective broker, a central Logstash/Elasticsearch instance, etc., and that's got its own puppetmaster as well.
>
> I have installed PuppetDB in this environment, and its cert is signed by this central puppetmaster's CA.
>
> Now I'm in a position where my environments don't trust the PuppetDB's cert because they have no knowledge of the CA that signed it.
>
> Is there a way to make them communicate? I reckon making the individual puppetmasters trust the central CA would do it, but how would I go about doing that?

I don't know of another way than turning 49 of your puppetmasters into non-CA puppetmasters and re-keying everything based on the new CA, sorry. I can wonder if puppet would use more than one CA certificate in the CA cert file, but then you'd have a massive pile of work keeping that distributed and updated even if it did. Better to go with one CA.

Where I am only one puppetmaster has the following set to true:

http://docs.puppetlabs.com/references/latest/configuration.html#ca

Everything else has this set, as well as "server":

http://docs.puppetlabs.com/references/latest/configuration.html#caserver

That way no matter what (geographically dispersed) puppetmaster an agent is pointed towards, it will still take CA services from a single puppetmaster. (If that puppetmaster breaks we'll restore the CA files from backup and promote another puppetmaster to be the CA.)

You will have to re-key everything, but they're all puppetized hosts so this will be relatively easy.

>
> Thanks,
> Cassiano Leal
>
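The single-CA layout Christopher describes, written out as an added puppet.conf example (not taken from the thread or from the Puppet docs); the hostnames ca-master.example.com, env01-master.example.com and puppetdb.example.com are assumed:

```ini
# --- puppet.conf on the one CA puppetmaster (assumed name: ca-master.example.com) ---
[main]
    server = ca-master.example.com
    ca_server = ca-master.example.com
[master]
    # the only master allowed to sign certificates
    ca = true

# --- puppet.conf on each of the 49 non-CA puppetmasters (assumed name: env01-master.example.com) ---
[main]
    # agents in this environment still talk to their local master for catalogs...
    server = env01-master.example.com
    # ...but every certificate request and CRL check goes to the single CA
    ca_server = ca-master.example.com
[master]
    # never sign locally: a private CA per master is exactly why the
    # PuppetDB certificate (signed elsewhere) fails verification
    ca = false

# --- /etc/puppet/puppetdb.conf on every puppetmaster (assumed PuppetDB host) ---
[main]
    # PuppetDB's own certificate must also be issued by ca-master.example.com
    server = puppetdb.example.com
    port = 8081
```

After a master is switched to ca = false its old ssldir (keys signed by the retired per-environment CA) has to be removed and a fresh certificate requested from ca_server before it will trust PuppetDB; the same re-keying applies to every agent and to the PuppetDB host itself.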