Sean,

Previously I've set up a cluster of Puppet Masters with one machine acting as the software load balancer (IPVS) as well as the Puppet Certificate Authority. The relevant puppet.conf options are ca_port and ca_server to specify where your CA is. The Puppet Master service on the CA server listened on the ca_port and signed CA requests. The default puppet port 8140 was load balanced to a pool of "slave" Puppet Masters and these masters all NFS mounted the ssl/ca/ directory so they knew about all signed puppet agents.

You could then go even further and make your CA server resilient with Pacemaker / Heartbeat or other HA techniques. I didn't bother to go that far though ;)

Hope that helps,

-Luke

On Aug 16, 3:25 pm, Sean Carolan <[email protected]> wrote:
> How do you all handle load balancing and certificate management? Is
> there a way to have a master authority cert server, that all the other
> nodes turn to for all things SSL?
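
The layout described in the reply above, sketched as puppet.conf fragments for each role. This is an added example, not configuration from the original post; the hostnames and the CA port 8141 are assumed values.

```ini
# Three separate puppet.conf files shown in one listing, one per role.
# Hostnames and port 8141 are assumptions for illustration.

# --- puppet.conf on every agent ---
[agent]
# Catalog requests go to the load-balanced address on the default port.
server    = puppet.example.com
# Certificate requests bypass the pool and go to the CA machine.
ca_server = puppetca.example.com
ca_port   = 8141

# --- puppet.conf on the CA server ---
[master]
# The master on this machine listens on the port agents use as ca_port,
# so the two values must match.
masterport = 8141

# --- puppet.conf on each pool ("slave") master ---
[master]
# Pool members sit behind the IPVS balancer on the default port.
masterport = 8140
# The ssl/ca/ directory under this master's ssldir is an NFS mount
# exported by the CA server, so every pool member sees the same set
# of signed agent certificates.
```

Because agents reach the CA on its own port, the balancer only needs to forward 8140 to the pool; the firewall on the CA server has to allow the assumed CA port from every agent network.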
