You guys do realize that it's not necessary to share node certs with puppetmasters if your CA is separated, right?
It's signed for a reason :) On Aug 16, 2011 8:13 AM, "Luke Bigum" <luke.bi...@lmax.com> wrote: > Also I think Nigel posted a load balanced solution using entirely > Apache that's floating around on the list, configs and all. Was a few > months ago now if you want to go searching. > > On Aug 16, 4:12 pm, Luke Bigum <luke.bi...@lmax.com> wrote: >> Sean, >> >> Previously I've set up a cluster of Puppet Masters with one machine >> acting as the software load balancer (IPVS) as well as the Puppet >> Certificate Authority. The relevant puppet.conf options are ca_port >> and ca_server to specify where your CA is. The Puppet Master service >> on the CA server listened on the ca_port and signed CA requests. The >> default puppet port 8140 was load balanced to a pool of "slave" Puppet >> Masters and these masters all NFS mounted the ssl/ca/ directory so >> they knew about all signed puppet agents. You could then go even >> further and make your CA server resilient with Pacemaker / Heartbeat >> or other HA techniques. I didn't bother to go that far though ;) >> >> Hope that helps, >> >> -Luke >> >> On Aug 16, 3:25 pm, Sean Carolan <scaro...@gmail.com> wrote: >> >> > How do you all handle load balancing and certificate management? Is >> > there a way to have a master authority cert server, that all the other >> > nodes turn to for all things SSL? >> >> > > -- > You received this message because you are subscribed to the Google Groups "Puppet Users" group. > To post to this group, send email to puppet-users@googlegroups.com. > To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com. > For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en. > -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
