On 17 July 2013 14:18, Nick Lewis <[email protected]> wrote:
> On Tuesday, July 16, 2013 1:25:22 PM UTC-7, replicant wrote:
>>
>> So,
>>
>> We are working on migrating a global deployment of Puppet over to a
>> single PuppetDB instance away from a single MySQL storeconfigs
>> instance and are running into an issue. It seems that PuppetDB will
>> only allow nodes from a single Puppet master to connect if each Puppet
>> master is running as its own CA, is this statement correct?
>>
>> Is it possible to have multiple Puppet masters, each running as their
>> own CA, talk to a single PuppetDB instance?
>>
>
> By having multiple CAs, you're effectively establishing separate networks,
> so it doesn't seem to make much sense to comingle their data. PuppetDB
> itself has no notion that the data ought to be kept separate, which means a
> master on one CA can access all the data from a master on another CA. In
> that case, you may either be undermining the purpose of having separate CAs
> or not have a good reason to have separate CAs.
>
>
> But assuming this really is what you want, you should be able to accomplish
> it by using an SSL termination proxy configured to present different
> certificates to different clients.
>

Alternatively you could consider using an external CA to sign the certs for
your two masters. That way the whole env has a single CA and PuppetDB will
probably play nicer.

http://docs.puppetlabs.com/puppet/3/reference/config_ssl_external_ca.html

>>
>> --
>> I've seen things you people wouldn't believe. Attack ships on fire off
>> the shoulder of Orion. I watched C-beams glitter in the dark near the
>> Tannhauser gate. All those moments will be lost in time... like tears
>> in rain... Time to die.

This is one of my all time favourite quotes. :)

>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To post to this group, send email to [email protected].
> Visit this group at http://groups.google.com/group/puppet-users.
> For more options, visit https://groups.google.com/groups/opt_out.
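
The SSL termination proxy approach mentioned in the quoted reply, sketched as an added example that is not from the thread or from Puppet's documentation. It uses nginx with one listener per CA; the ports, hostname, file paths, log format name and the assumption that PuppetDB accepts plain HTTP on 127.0.0.1:8080 are all hypothetical.

```nginx
# Added example: fragment for the http { } context of nginx.conf.
# Assumption: PuppetDB listens for plain HTTP on localhost only.
upstream puppetdb {
    server 127.0.0.1:8080;
}

# Record which CA listener and which client certificate made each request.
# The proxy only solves the TLS handshake: as noted in the thread, PuppetDB
# does not keep the two CAs' data apart, so this log is the audit trail.
log_format puppetdb_tls '$remote_addr $server_port "$ssl_client_s_dn" '
                        '$ssl_client_verify "$request" $status';

# Listener for masters whose certificates were issued by CA "A".
server {
    listen 8081 ssl;
    server_name puppetdb.example.com;

    # Server certificate issued by CA A, so CA A's masters can verify the proxy.
    ssl_certificate        /etc/nginx/ssl/ca_a/puppetdb.pem;
    ssl_certificate_key    /etc/nginx/ssl/ca_a/puppetdb.key;

    # Accept only client certificates that chain to CA A.
    ssl_client_certificate /etc/nginx/ssl/ca_a/ca.pem;
    ssl_verify_client      on;

    access_log /var/log/nginx/puppetdb_tls.log puppetdb_tls;

    location / {
        proxy_pass http://puppetdb;
    }
}

# Listener for masters whose certificates were issued by CA "B".
server {
    listen 8082 ssl;
    server_name puppetdb.example.com;

    ssl_certificate        /etc/nginx/ssl/ca_b/puppetdb.pem;
    ssl_certificate_key    /etc/nginx/ssl/ca_b/puppetdb.key;

    ssl_client_certificate /etc/nginx/ssl/ca_b/ca.pem;
    ssl_verify_client      on;

    access_log /var/log/nginx/puppetdb_tls.log puppetdb_tls;

    location / {
        proxy_pass http://puppetdb;
    }
}
```

Masters under each CA would be pointed at the listener that presents a certificate from their own CA. Because client verification is per listener, a certificate from CA B is rejected on the CA A port and vice versa.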
