On Monday, 9 July 2012 06:44:16 UTC+1, Alan Evans wrote:
>
> From what I can tell there is no need to use alternate names. You can
> make the F5 appear to the clients to be the puppetmaster by leveraging
> the F5 to do SSL offloading and part of the certificate verification
> taking some load off your puppet masters. Even more though, since the
> puppet environments and other calls use pretty consistently organized
> URI paths, you can do some really neat stuff with F5 HTTP Class
> profiles to delegate certain requests to certain servers.
>

+1 on Alan's post. This is exactly how we do it where I currently am.
Allows us to scale out the Puppet Master pool horizontally based on demand and geographical location to keep hops to the minimum. Using AltDNSNames would not make this flexible at all as you would need to re-gen the cert each time. This way all the clients have a single entry point:- puppet.<domain> and the F5 takes the strain and sends them to the appropriate server and routes around accordingly.

The only minor downside we have with this is that sometimes debugging the route from the client to the eventual master means we have to go through the logs on the potential masters to track down where it went. I do not have direct access to the F5's.
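
The two decisions the thread leaves to the F5, SSL offloading and URI-path delegation, sketched as an added example that is not from either poster or from any F5 configuration. The pool names are hypothetical, the path layout assumed is Puppet's `/{environment}/{indirection}/{key}` REST convention, and the header names are the defaults of puppet.conf's `ssl_client_header` and `ssl_client_verify_header`.

```python
# Added illustration: models what the load balancer decides per request.
# Pool names are hypothetical; the path layout is Puppet's
# /{environment}/{indirection}/{key} REST convention.

CA_INDIRECTIONS = {"certificate", "certificate_request",
                   "certificate_revocation_list"}
FILE_INDIRECTIONS = {"file_content", "file_metadata", "file_metadatas",
                     "file_bucket_file"}

# Headers a master behind an SSL-terminating proxy reads to learn the
# client's identity (puppet.conf ssl_client_header and
# ssl_client_verify_header default to these names).
IDENTITY_HEADERS = ("x-client-dn", "x-client-verify")


def choose_pool(path):
    """Pick a backend pool from the indirection segment of the URI."""
    parts = [p for p in path.split("?")[0].split("/") if p]
    if len(parts) < 2:
        return "reject"               # not an {environment}/{indirection} path
    indirection = parts[1]
    if indirection in CA_INDIRECTIONS:
        return "ca_pool"              # certificate traffic goes to one pool
    if indirection in FILE_INDIRECTIONS:
        return "fileserver_pool"
    return "master_pool"              # catalog, report, node, ...


def forward_headers(client_headers, tls_verified, tls_subject_dn):
    """Build the header set sent on to the master.

    Anything the client supplied under an identity header name is dropped
    first; the values are then set from the TLS handshake the balancer
    itself performed, so the master never sees a client-chosen identity.
    """
    out = {k: v for k, v in client_headers.items()
           if k.lower() not in IDENTITY_HEADERS}
    out["X-Client-Verify"] = "SUCCESS" if tls_verified else "NONE"
    if tls_verified:
        out["X-Client-DN"] = tls_subject_dn
    return out
```

Because the masters take the client identity from these headers once TLS is terminated upstream, they should accept connections only from the balancer.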