On 27 September 2013 13:26, Ken Barber <[email protected]> wrote:

> > Lastly, the puppetdb-ssl-setup script still does not work when the PuppetDB
> > does not reside on the Puppetmaster. The fix is pretty simple, and the
> > issue is in the bug tracker. I created a question and answer on
> > ask.puppetlabs.com to try and help others that run into it:
> >
> > https://ask.puppetlabs.com/question/3333/puppetdbs-puppetdb-ssl-setup-script-does-not-work-when-the-puppetdb-is-not-on-the-puppetmaster/
>
> So the ticket for those reading along at home is here:
>
> http://projects.puppetlabs.com/issues/17523
>
> And I must admit it's controversial but saying it 'doesn't work' isn't
> entirely true. More precisely there are situations where it doesn't
> work, and I want to hear what people have to add to this - as it's a
> really interesting topic that we probably need some community feedback
> on.
>
> Let me show you an example, with an empty puppet.conf ... the settings
> returned are identical:
>
> root@puppetdb1:~# puppet apply --configprint hostcert
> /etc/puppet/ssl/certs/puppetdb1.vm.pem
> root@puppetdb1:~# puppet master --configprint hostcert
> /etc/puppet/ssl/certs/puppetdb1.vm.pem
>
> But when you have overrides in relation to agent/master that create
> differences between the [master] and [agent] sections things go wrong.
> Try this one on for size:
>
> root@puppetdb1:~# cat /etc/puppet/puppet.conf
> [master]
> ssldir = /tmp
>
> [agent]
> ssldir = /tmp2
> root@puppetdb1:~# puppet master --configprint hostcert
> /tmp/certs/puppetdb1.vm.pem
> root@puppetdb1:~# puppet agent --configprint hostcert
> /tmp2/certs/puppetdb1.vm.pem
>
> So like I said ... this is actually fine for some people, and
> preferential, but for others it's not fine. The question is, what is
> the better default I think.
>
> So in my opinion I would have thought that agent was a better default
> over master as some people presume, but that changed some time ago in
> 0.9.2:
>
> https://github.com/puppetlabs/puppetdb/commit/de23912a73f6adadf36f26d438939d4c9e49a68b
>
> I suppose there are arguments for either direction, but I'm not as
> clear on the direction to move this to use the [master] section
> specifically. I can't help but feel it's a less common case. Erik -
> perhaps you can chime in on the thread and give us your reasoning for
> wanting this in the first place?

In our setup we have a "main" puppet infrastructure and a couple of child
infrastructures. Each puppet setup has its own CA. The puppetmasters in the
children are agents to the main puppet infrastructure, so they have a
separate ssldir for the master. With this change it just worked out of the
box if we co-hosted a puppetdb instance on them as it would use the ssldir
from the master.
--
Erik Dalén
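
A pre-flight check for the situation discussed in this thread, as an added example that is not part of the original messages or of puppetdb-ssl-setup: it asks Puppet for the SSL file settings under two run modes and reports every setting on which they disagree. The function names and the `PUPPET_BIN` override are assumptions of this example.

```shell
#!/bin/sh
# Added example: detect [master]/[agent] divergence in the SSL file settings
# before trusting either section as the source of PuppetDB's cert and key.
# PUPPET_BIN is a hypothetical override for the puppet executable.

# Settings that locate the host certificate, its private key and the CA cert.
SSL_SETTINGS="hostcert hostprivkey localcacert"

# Print the value Puppet resolves for one setting in one run mode.
# usage: resolve_setting <mode> <setting>
resolve_setting() {
    "${PUPPET_BIN:-puppet}" "$1" --configprint "$2"
}

# Print one line per setting whose value differs between two run modes.
# Returns 0 if the modes agree on everything, 1 if any setting differs,
# 2 if Puppet could not be queried.
# usage: diverging_settings <mode_a> <mode_b>
diverging_settings() {
    _ds_rc=0
    for _ds_name in $SSL_SETTINGS; do
        _ds_a=$(resolve_setting "$1" "$_ds_name") || return 2
        _ds_b=$(resolve_setting "$2" "$_ds_name") || return 2
        if [ "$_ds_a" != "$_ds_b" ]; then
            printf '%s: [%s]=%s [%s]=%s\n' \
                "$_ds_name" "$1" "$_ds_a" "$2" "$_ds_b"
            _ds_rc=1
        fi
    done
    return "$_ds_rc"
}
```

Run `diverging_settings master agent` on the PuppetDB host; any output means the two sections point at different certificate material, so confirm which CA issued the files PuppetDB will actually use.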
