It depends on how often you build "new" machines, or if you think you'd need to bootstrap new Puppet Agents if your DCs were cut off from one another. I get away with 1 CA for your entire estate and with multiple redundant compile masters at each DC. That way you don't need to sync certificates around, you'll only need to contact the CA the first time an Agent checks in. This is simplicity but with a point of failure. You're probably going to have one PuppetDB anyway (or postgres cluster in one location)?
To do it properly though, I think you would need each Puppet Server to have its own intermediate CA, all signed from a common root CA of yours: https://puppet.com/docs/puppetserver/5.2/intermediate_ca_configuration.html

On Tuesday, 17 September 2019 07:08:39 UTC+1, chris wrote:
>
> Hi Guys,
>
> so we've got a few data centres spread across the world and are looking to upgrade from Puppet v4 to Puppet v6.
>
> At the moment we just have the one CA in the original DC (fast growing company).
>
> I like the idea of having a separate CA in each DC and having the "local" machine use that - simples .. ;)
>
> However, I'd like to know if there are any sane alternatives as I'll need to persuade the rest of the team/mgrs.
> Is it possible/sane to just build a CA in each DC but have it not active and then rsync the certs across every hour/day from the active CA & bring it up if (ie when) the main CA/DC goes away.
>
> Are there any other sensible ideas out there?
> Ideally, what is the recommended best practice by Puppet (we are on the FOSS version, so I can't ask them).
>
> FWIW, we use Foreman to keep an eye on stuff & I believe(?) it could be tricky to have multiple CAs talking to it ??
> (I know nothing about how the foreman - puppet cxn works).
>
> Cheers
> Chris