replic4nt0wnz .
2013-Jul-16 20:25 UTC
[Puppet Users] Multiple Puppet masters each running as their own CA connecting to a single PuppetDB instance
So,

We are working on migrating a global deployment of Puppet over to a single PuppetDB instance away from a single MySQL storeconfigs instance and are running into an issue. It seems that PuppetDB will only allow nodes from a single Puppet master to connect if each Puppet master is running as its own CA, is this statement correct?

Is it possible to have multiple Puppet masters, each running as their own CA, talk to a single PuppetDB instance?

--
I've seen things you people wouldn't believe. Attack ships on fire off the shoulder of Orion. I watched C-beams glitter in the dark near the Tannhauser gate. All those moments will be lost in time... like tears in rain... Time to die.

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscribe@googlegroups.com. To post to this group, send email to puppet-users@googlegroups.com. Visit this group at http://groups.google.com/group/puppet-users. For more options, visit https://groups.google.com/groups/opt_out.
Nick Lewis
2013-Jul-17 04:18 UTC
[Puppet Users] Re: Multiple Puppet masters each running as their own CA connecting to a single PuppetDB instance
On Tuesday, July 16, 2013 1:25:22 PM UTC-7, replicant wrote:

> So,
>
> We are working on migrating a global deployment of Puppet over to a single PuppetDB instance away from a single MySQL storeconfigs instance and are running into an issue. It seems that PuppetDB will only allow nodes from a single Puppet master to connect if each Puppet master is running as its own CA, is this statement correct?
>
> Is it possible to have multiple Puppet masters, each running as their own CA, talk to a single PuppetDB instance?

By having multiple CAs, you're effectively establishing separate networks, so it doesn't seem to make much sense to commingle their data. PuppetDB itself has no notion that the data ought to be kept separate, which means a master on one CA can access all the data from a master on another CA. In that case, you may either be undermining the purpose of having separate CAs or not have a good reason to have separate CAs.

But assuming this really is what you want, you should be able to accomplish it by using an SSL termination proxy configured to present different certificates to different clients.

> --
> I've seen things you people wouldn't believe. Attack ships on fire off the shoulder of Orion. I watched C-beams glitter in the dark near the Tannhauser gate. All those moments will be lost in time... like tears in rain... Time to die.
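The termination-proxy layout Nick describes, written out as an nginx configuration. This is an added example, not configuration from the thread or from Puppet Labs: one `server` block per Puppet master, each presenting a certificate issued by that master's own CA and accepting client certificates chained to that CA only, then forwarding to PuppetDB under a single identity signed by PuppetDB's CA. The hostnames, file paths, ports and the choice of nginx are all assumptions.

```nginx
# Added example (not from the thread): TLS termination in front of one PuppetDB
# for two Puppet masters that each run their own CA. All names and paths are
# assumed values; replace them with your own.

upstream puppetdb {
    server 127.0.0.1:8081;   # PuppetDB's HTTPS listener, assumed to be on the proxy host
}

# Master A: its puppetdb.conf points at puppetdb-a.example.com:8443
server {
    listen 8443 ssl;
    server_name puppetdb-a.example.com;

    ssl_certificate        /etc/nginx/ssl/a/proxy.pem;   # issued by master A's CA
    ssl_certificate_key    /etc/nginx/ssl/a/proxy.key;
    ssl_client_certificate /etc/nginx/ssl/a/ca.pem;      # master A's CA, and nothing else
    ssl_verify_client      on;                           # reject anything not signed by it
    ssl_verify_depth       1;

    location / {
        proxy_pass https://puppetdb;

        # Towards PuppetDB the proxy has exactly one identity, signed by PuppetDB's CA,
        # and verifies PuppetDB's certificate against that CA in turn.
        proxy_ssl_certificate         /etc/nginx/ssl/puppetdb/proxy.pem;
        proxy_ssl_certificate_key     /etc/nginx/ssl/puppetdb/proxy.key;
        proxy_ssl_trusted_certificate /etc/nginx/ssl/puppetdb/ca.pem;
        proxy_ssl_verify              on;
        proxy_ssl_name                puppetdb.example.com;   # CN expected in PuppetDB's cert

        # Record which master's certificate actually made each request, since
        # PuppetDB itself will only ever see the proxy's certificate.
        proxy_set_header X-Client-DN     $ssl_client_s_dn;
        proxy_set_header X-Client-Issuer $ssl_client_i_dn;
    }
}

# Master B: identical shape, separate name, separate CA material.
server {
    listen 8443 ssl;
    server_name puppetdb-b.example.com;

    ssl_certificate        /etc/nginx/ssl/b/proxy.pem;   # issued by master B's CA
    ssl_certificate_key    /etc/nginx/ssl/b/proxy.key;
    ssl_client_certificate /etc/nginx/ssl/b/ca.pem;
    ssl_verify_client      on;
    ssl_verify_depth       1;

    location / {
        proxy_pass https://puppetdb;
        proxy_ssl_certificate         /etc/nginx/ssl/puppetdb/proxy.pem;
        proxy_ssl_certificate_key     /etc/nginx/ssl/puppetdb/proxy.key;
        proxy_ssl_trusted_certificate /etc/nginx/ssl/puppetdb/ca.pem;
        proxy_ssl_verify              on;
        proxy_ssl_name                puppetdb.example.com;
        proxy_set_header X-Client-DN     $ssl_client_s_dn;
        proxy_set_header X-Client-Issuer $ssl_client_i_dn;
    }
}
```

Each master then sets `server` and `port` in its `puppetdb.conf` to its own proxy name and 8443. Two points follow from Nick's caveat: because every request reaches PuppetDB as the proxy's single identity, PuppetDB's own certificate whitelist can only distinguish "the proxy" from "not the proxy", so the per-master access decision lives entirely in the `ssl_client_certificate` / `ssl_verify_client` lines above, and the forwarded `X-Client-*` headers are the only record of which master issued a given query or command; log them. The `proxy_ssl_*` verification directives need a reasonably recent nginx (1.7.x or later); on older builds the proxy still terminates the client side correctly but cannot authenticate itself to, or verify, PuppetDB.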
Pete Brown
2013-Jul-19 05:26 UTC
Re: [Puppet Users] Re: Multiple Puppet masters each running as their own CA connecting to a single PuppetDB instance
On 17 July 2013 14:18, Nick Lewis <nick@puppetlabs.com> wrote:

> On Tuesday, July 16, 2013 1:25:22 PM UTC-7, replicant wrote:
>
>> So,
>>
>> We are working on migrating a global deployment of Puppet over to a single PuppetDB instance away from a single MySQL storeconfigs instance and are running into an issue. It seems that PuppetDB will only allow nodes from a single Puppet master to connect if each Puppet master is running as its own CA, is this statement correct?
>>
>> Is it possible to have multiple Puppet masters, each running as their own CA, talk to a single PuppetDB instance?
>
> By having multiple CAs, you're effectively establishing separate networks, so it doesn't seem to make much sense to commingle their data. PuppetDB itself has no notion that the data ought to be kept separate, which means a master on one CA can access all the data from a master on another CA. In that case, you may either be undermining the purpose of having separate CAs or not have a good reason to have separate CAs.
>
> But assuming this really is what you want, you should be able to accomplish it by using an SSL termination proxy configured to present different certificates to different clients.

Alternatively you could consider using an external CA to sign the certs for your two masters. That way the whole env has a single CA and PuppetDB will probably play nicer.

http://docs.puppetlabs.com/puppet/3/reference/config_ssl_external_ca.html

>> --
>> I've seen things you people wouldn't believe. Attack ships on fire off the shoulder of Orion. I watched C-beams glitter in the dark near the Tannhauser gate. All those moments will be lost in time... like tears in rain... Time to die.

This is one of my all time favourite quotes. :)