Hi, I apologize if this issue has been discussed earlier. If so, please point me to relevant information. Anyways, here it goes...
I plan on deploying Puppet to manage several separate nodes, all of which are accessible directly from the Internet. The nodes are connected by a VPN (OpenVPN), so they're effectively on the same LAN. However, the VPN IP addresses don't have corresponding DNS names. There's currently no internal DNS server I could add the VPN addresses to. So, I've been considering three deployment alternatives (in order of preference):

1) Make puppetmaster available directly on the Internet and let clients connect to it directly. There should be no DNS issues with this approach.

2) Sync manifests/modules from a Git repository through the VPN tunnel and run puppet locally on each "client". DNS is a non-issue here. However, if any one node is compromised, the entire puppet manifest/module catalog gets compromised, which makes me a little worried.

3) Publish puppetmaster only on the VPN subnet. The VPN addresses don't have DNS names, but syncing the /etc/hosts file could help circumvent DNS/certificate issues.

Is puppetmaster secure enough to be published directly on the Internet (1)? Or is it asking for trouble? If not, what do you think about options 2 and 3? What other approaches could I take?

Samuli

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-us...@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
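Option 3 above (puppetmaster reachable only on the VPN subnet, with /etc/hosts standing in for DNS), as an added example that is not part of the original post and not Puppet's own code: a manifest using Puppet's core `host` resource to pin the master's VPN address on every node, so the agent can resolve the name that appears in the master's certificate without an internal DNS server. The hostname `puppet.vpn.example` and the address `10.8.0.1` are assumed placeholders.

```puppet
# Added example, not from the original post. Pins the puppetmaster's VPN
# address in /etc/hosts on every managed node. The name and address below are
# assumed placeholders; use the name the master's certificate was issued for.
host { 'puppet.vpn.example':
  ensure       => present,
  ip           => '10.8.0.1',                 # master's OpenVPN tunnel address
  host_aliases => ['puppet'],                 # short name the agent defaults to
  comment      => 'puppetmaster, reachable only over the VPN',
}
```

On the agent side, `server = puppet.vpn.example` under `[agent]` in puppet.conf must match the master certificate's CN or one of the names it was generated with via `dns_alt_names`; otherwise the agent's TLS verification of the master fails with a hostname mismatch. Note that /etc/hosts only supplies name resolution here; it does not relax the certificate check, since the agent still validates the master's certificate against the CA it trusts, and the master still only serves catalogs to agents whose certificates it has signed.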