Puppet does not observe the {{server_list}} setting when making CA requests. This is a regression introduced in https://tickets.puppetlabs.com/browse/PUP-10040, as it wasn't apparent that {{Puppet::Rest::Routes}} called {{Puppet::Util::Connection.determine_server}} to set the {{@default_server}}.
We need to enable the server_list resolver such that:
# If we successfully resolved the CA server/port once in a session, then we should always reuse that same server/port
# Next if {{ca_server}} is set explicitly on the CLI or puppet.conf, we should always use that regardless of SRV, {{server}} or {{server_list}}
# Next if SRV records are enabled, we should try that
# Next if {{server_list}} is set, we should try each server/port combo
# Otherwise fallback to {{ca_server}} setting which defaults to {{server}}
All of those should already be working except (2) & (4).
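The precedence listed above, as an added Ruby sketch that is not Puppet's code: {{CAResolver}}, its arguments and the settings hash keys {{:ca_port}} and {{:use_srv_records}} are hypothetical names chosen for illustration. It assumes an explicit {{ca_server}} is returned without probing or fallback, that the cache is never cleared, and that SRV falls through to {{server_list}} when no record answers.

```ruby
# Added sketch: CAResolver and its arguments are hypothetical, not Puppet's API.
class CAResolver
  # settings: hash; :ca_server is present only when set explicitly (assumption).
  # srv_lookup: callable returning [[host, port], ...]; probe: callable(host, port).
  def initialize(settings, srv_lookup:, probe:)
    @settings, @srv_lookup, @probe = settings, srv_lookup, probe
    @cached = nil
  end

  # Step 1: a successful resolution is reused for the rest of the session.
  def resolve
    @cached ||= explicit || from_srv || from_server_list || fallback
  end

  private

  # Step 2: an explicit ca_server wins outright and is not probed.
  def explicit
    host = @settings[:ca_server]
    host && [host, @settings[:ca_port], :ca_server]
  end

  # Step 3: SRV records, only when enabled.
  def from_srv
    @settings[:use_srv_records] ? first_reachable(@srv_lookup.call, :srv) : nil
  end

  # Step 4: every server/port pair in server_list, in order.
  def from_server_list
    first_reachable(@settings.fetch(:server_list, []), :server_list)
  end

  # Step 5: ca_server's default, which is server.
  def fallback
    [@settings[:server], @settings[:ca_port], :server]
  end

  def first_reachable(candidates, source)
    hit = candidates.find { |host, port| @probe.call(host, port) }
    hit && [*hit, source]
  end
end

# Constructed sample: the first server_list entry is unreachable.
SAMPLE = { server: "primary.example.test", ca_port: 8140,
           server_list: [["ca1.example.test", 8140], ["ca2.example.test", 8141]] }
PROBE = ->(host, _port) { host != "ca1.example.test" }
NO_SRV = -> { [] }
p CAResolver.new(SAMPLE, srv_lookup: NO_SRV, probe: PROBE).resolve
```

The third element of the result records which resolver supplied the CA endpoint, which is the value worth logging when checking that an agent is talking to the intended CA.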
Questions:
* In step 1, if we fail to use a cached value, should resolution be performed again? Currently failures don't clear the cache.
* In step 2, if SRV records are enabled, the new code prefers SRV over the explicit server, which is wrong.
* In step 2, if the explicit server fails, should we fall back to other resolvers? Currently we don't and we should probably keep that as-is.
* In step 4, the old behavior was to only try the first server/port in server list. However, I think that was a limitation of the code, as there wasn't a way using the context system for puppet to try multiple server/port combinations. Perhaps it would be better (less crafty exceptional logic) to try all the server/ports in server_list.