Ask Your Question
0

How do I loadbance puppet masters using F5

asked 2013-11-14 17:15:19 -0500

Discreet gravatar image

I currently have 2 puppet masters and a separate CA/Foreman server. My goal is to load balance my puppet masters behind a VIP in my F5.

So far I've don't the following:

Added my two masters to the F5 Configured a VIP with DNS set as puppet.fqdn On my CA generated a cert for puppet.fqdn Loaded puppet.fqdn cert and key into the F5 Loaded the ca.pem from the CA to the F5 Created a client SSL profile and applied to VIP

When I run the puppet agent on one of my masters I ... (more)

edit retag flag offensive close merge delete

2 Answers

Sort by ยป oldest newest most voted
0

answered 2013-11-18 14:58:14 -0500

Steve Shipway gravatar image

We do load balancing, but we use an Apache server with mod_balancer to do it instead of an F5. This allows us to offload the SSL and certificate checks to the frontend server, and pass the data back down to the multiple puppetmaster backends. We also run the dashboard, report server, filebucket and CA on the frontend server as these are low-load and it saves us from having messy synchronisation problems.

However, you could theoretically have two frontend servers, in active/passive mode, behind your F5 for resiliance. Both would have knowledge of the same puppetmaster backends. You'd need ... (more)

edit flag offensive delete link more
0

answered 2013-11-15 16:42:13 -0500

You may find this document helpful: http://docs.puppetlabs.com/guides/scalingmultiplemasters.html

From what you've described, I'd guess that the secondary (non-CA masters) may still need the ca_server = ca.fqdn and ca = false options set in their puppet.confs, so that when agents hit them, they'll correct look to the CA for certificate information.

edit flag offensive delete link more

Comments

Thanks for the link. I was able to get everything working in the loadbalancer and on the puppet end but i am now hitting an issue that I believe is ...(more)

Discreet gravatar imageDiscreet ( 2013-11-15 17:03:18 -0500 )edit

So you're saying the message sent from LB to puppetmaster uses the PMs IP not FQDN. Yes this will cause a failure. Can you add the PMs IP address ...(more)

lfast gravatar imagelfast ( 2013-11-18 12:43:38 -0500 )edit

I'm also very interested in hearing if you have resolved this as i am running into the same problems.

Jeff gravatar imageJeff ( 2013-11-19 11:44:54 -0500 )edit

I have gotten this to work through an F5, so know that it is possible, but I no longer have access to my config. I believe I configured the DNS ...(more)

Ancillas gravatar imageAncillas ( 2013-11-20 14:58:13 -0500 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

Stats

Asked: 2013-11-14 17:15:19 -0500

Seen: 793 times

Last updated: Nov 18 '13