On Tuesday, July 16, 2013 1:25:22 PM UTC-7, replicant wrote:

> So, 
>
> We are working on migrating a global deployment of Puppet over to a 
> single PuppetDB instance away from a single MySQL storeconfigs 
> instance and are running into an issue. It seems that PuppetDB will 
> only allow nodes from a single Puppet master to connect if each Puppet 
> master is running as its own CA, is this statement correct? 
>
> Is it possible to have multiple Puppet masters, each running as their 
> own CA, talk to a single PuppetDB instance? 
>
>
By having multiple CAs, you're effectively establishing separate networks, 
so it doesn't seem to make much sense to comingle their data. PuppetDB 
itself has no notion that the data ought to be kept separate, which means a 
master on one CA can access all the data from a master on another CA. In 
that case, you may either be undermining the purpose of having separate CAs 
or not have a good reason to have separate CAs.

But assuming this really is what you want, you should be able to accomplish 
it by using an SSL termination proxy configured to present different 
certificates to different clients.
 

> -- 
> I've seen things you people wouldn't believe. Attack ships on fire off 
> the shoulder of Orion. I watched C-beams glitter in the dark near the 
> Tannhauser gate. All those moments will be lost in time... like tears 
> in rain... Time to die. 
>
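
A sketch of the SSL termination proxy suggested in the reply, added here as an illustration and not part of the original message. It assumes nginx as the proxy, one listener port per CA, and PuppetDB accepting plaintext HTTP on 127.0.0.1:8080 only; all hostnames, ports and file paths are placeholders.

```nginx
# Constructed example: hostnames, ports and paths are placeholders.
# Assumes PuppetDB itself listens for plaintext HTTP on 127.0.0.1:8080 only,
# so the proxy is the single place where TLS and client-certificate checks happen.

# Listener for masters whose certificates come from CA "A".
server {
    listen 8081 ssl;
    server_name puppetdb-a.example.com;

    # Server certificate issued by CA A, so CA A's masters can verify it.
    ssl_certificate     /etc/nginx/ssl/ca-a/puppetdb.pem;
    ssl_certificate_key /etc/nginx/ssl/ca-a/puppetdb.key;

    # Accept only client certificates signed by CA A and not revoked.
    ssl_client_certificate /etc/nginx/ssl/ca-a/ca.pem;
    ssl_crl                /etc/nginx/ssl/ca-a/crl.pem;
    ssl_verify_client      on;

    location / {
        proxy_pass http://127.0.0.1:8080;
    }
}

# Listener for masters whose certificates come from CA "B".
server {
    listen 8082 ssl;
    server_name puppetdb-b.example.com;

    ssl_certificate     /etc/nginx/ssl/ca-b/puppetdb.pem;
    ssl_certificate_key /etc/nginx/ssl/ca-b/puppetdb.key;

    ssl_client_certificate /etc/nginx/ssl/ca-b/ca.pem;
    ssl_crl                /etc/nginx/ssl/ca-b/crl.pem;
    ssl_verify_client      on;

    location / {
        # Same backend: behind the proxy PuppetDB cannot tell the CAs apart,
        # so a master accepted on either listener can read data from both.
        proxy_pass http://127.0.0.1:8080;
    }
}
```

Each master's puppetdb.conf would point at the hostname and port of the listener for its own CA.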
