Ask Your Question

Can I share certificates between multiple Puppetmasters to achieve High Availibility in AWS?

asked 2016-04-27 15:55:54 -0600

schowdhury gravatar image

updated 2016-04-28 15:53:10 -0600

I currently have my puppetmaster (v4.4.1) running on an AWS EC2 instance. At the moment I only have 3 agents connected to my puppetmaster, but in future this could increase to 100+ agents. This could be quite a big load on a single Puppetmaster, which effectively would become a single point of failure. That's why I was wondering if it would be possible to create 2 puppetmasters that sits behind an AWS ELB. I will have autosigning enabled on both puppetmasters. I was thinking of sharing+syncing the certificates between the puppetmasters by mounting the (puppet config print ssldir) folder using:

This approach would mean that all certicates are stored in S3.

Does anyone have any ideas whether this approach would work?

Here's some useful links:

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted

answered 2016-04-30 11:29:17 -0600

DarylW gravatar image

Here is the official documentation from puppetlabs, on a 'master of masters' style setup. The way it is usually done is that one master is used as the CA, and you set up other masters that use the Master of Masters for it's CA, and share the load.

I'm not 100% sure what effect you would have with multiple servers using a single shared file system for writes.

I haven't done this setup myself, but what I would probably do is follow the setup guide to have a CA master and a bunch of compile masters, and use something like keepalived to syncronize the certs. You would also need each of your masters to resolve with the same name, and have all of their names as altnames on your cert.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools



Asked: 2016-04-27 15:55:54 -0600

Seen: 219 times

Last updated: Apr 30 '16