stephenrjohnson / puppetmodule

A Puppet configuration manager for puppet agent, master, and puppetdb
http://forge.puppetlabs.com/stephenrjohnson/puppet

add feature for disabling/enabling CA #91

Open bastelfreak opened 9 years ago

bastelfreak commented 9 years ago

Defaults to true; this is the normal case on a master. If you run multiple masters with one dedicated CA, you want to deactivate this feature on the other masters.

Also fixed two missing quotes and added the "ensure => present" as default to Ini_setting{}.

joelesalas commented 9 years ago

I'm feeling this pain right now as well. Can your PR add Apache proxy config to reach the CA host (https://docs.puppetlabs.com/guides/scaling_multiple_masters.html#option-2-proxy-certificate-traffic) or is that best served in another PR?

stephenrjohnson commented 9 years ago

I'm happy to merge this, just waiting on the response to @joelesalas's comment.

bastelfreak commented 9 years ago

I'm not using Apache, so it would be great if somebody else can do another PR.

monisha-bhattacharya commented 9 years ago

Hi Team,

Kindly let me know when this feature will be available and will it also change the passenger config accordingly?

bastelfreak commented 9 years ago

@monisha-bhattacharya I guess @stephenrjohnson will merge it in the next hours/days. This PR just sets "ca = false" in the [master] part of a puppet.conf. It doesn't modify the Apache conf. Maybe @joelesalas will create an additional PR for this. I'm working on an implementation with nginx.

EssentialMix commented 9 years ago

"ca = false" and "generate_ssl_certs = false" do not make sense without changing the Passenger config, because Passenger will still require the /ca/ca_crt.pem file. According to the PuppetLabs Passenger configuration docs, in case of "ca = false" it should be:

    SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
    SSLCACertificateFile /var/lib/puppet/ssl/certs/ca.pem
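
The mismatch described in the comment above can be checked mechanically. The following Python sketch is an added example, not part of the thread or of the module's code: it reads a puppet.conf and an Apache/Passenger vhost and reports CA directives that still point at the local /ca/ca_crt.pem while the master has "ca = false". The function names and the sample inputs are hypothetical and constructed for illustration.

```python
import configparser
import re

# Directives named in the comment above; function names are hypothetical.
CA_DIRECTIVES = ("SSLCertificateChainFile", "SSLCACertificateFile")
LOCAL_CA_CERT = "/ca/ca_crt.pem"  # file the comment says Passenger still requires

# Constructed sample inputs (not taken from the module or the thread).
SAMPLE_PUPPET_CONF = """\
[main]
ssldir = /var/lib/puppet/ssl
[master]
ca = false
"""
SAMPLE_VHOST_STALE = """\
SSLEngine on
SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
SSLCACertificateFile    /var/lib/puppet/ssl/ca/ca_crt.pem
"""
SAMPLE_VHOST_FIXED = """\
SSLEngine on
SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
SSLCACertificateFile    /var/lib/puppet/ssl/certs/ca.pem
"""


def master_ca_enabled(puppet_conf_text):
    """Return the 'ca' value from [master]; true when unset (the PR's default)."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(puppet_conf_text)
    if parser.has_option("master", "ca"):
        return parser.getboolean("master", "ca")
    return True


def stale_ca_directives(puppet_conf_text, vhost_text):
    """List (directive, path) pairs still using the local CA cert with ca = false."""
    if master_ca_enabled(puppet_conf_text):
        return []
    findings = []
    for line in vhost_text.splitlines():
        match = re.match(r"\s*(\w+)\s+(\S+)", line)
        if match and match.group(1) in CA_DIRECTIVES \
                and match.group(2).endswith(LOCAL_CA_CERT):
            findings.append(match.groups())
    return findings


if __name__ == "__main__":
    for directive, path in stale_ca_directives(SAMPLE_PUPPET_CONF, SAMPLE_VHOST_STALE):
        print(f"{directive} still points at {path}")
```

An empty result means the vhost no longer relies on a CA certificate file that a non-CA master does not maintain, so client certificates are verified against the CA certificate distributed under certs/.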

bastelfreak commented 9 years ago

As I said, I still need Passenger/Apache in your setup, but that's not my use case. I'm running on nginx/unicorn (see my other PR https://github.com/stephenrjohnson/puppetmodule/pull/74), feel free to implement your Apache config changes.

bastelfreak commented 9 years ago

@stephenrjohnson could you please take a look and merge it?

bastelfreak commented 9 years ago

Added the needed nginx update to actually use this setting here: https://github.com/bastelfreak/puppetmodule/commit/06d74a09f233253bcc7101e6ef05a3e75c2bf7c5

Now it is possible to run a puppet CA on a loadbalancer, to run puppet master and CA on the same node, or to run a puppet master without CA behind a loadbalancer.

bastelfreak commented 9 years ago

@stephenrjohnson could you have a look again?

stephenrjohnson commented 8 years ago

Is everyone OK with just adding that one property then?