How do I load balance puppet masters using F5

asked 2013-11-14 17:15:19 -0500

I currently have 2 puppet masters and a separate CA/Foreman server. My goal is to load balance my puppet masters behind a VIP in my F5.

So far I've done the following:

- Added my two masters to the F5
- Configured a VIP with DNS set as puppet.fqdn
- On my CA generated a cert for puppet.fqdn
- Loaded puppet.fqdn cert and key into the F5
- Loaded the ca.pem from the CA to the F5
- Created a client SSL profile and applied to VIP

When I run the puppet agent on one of my masters I ... (more)

answered 2013-11-18 14:58:14 -0500

We do load balancing, but we use an Apache server with mod_balancer to do it instead of an F5. This allows us to offload the SSL and certificate checks to the frontend server, and pass the data back down to the multiple puppetmaster backends. We also run the dashboard, report server, filebucket and CA on the frontend server as these are low-load and it saves us from having messy synchronisation problems.

However, you could theoretically have two frontend servers, in active/passive mode, behind your F5 for resilience. Both would have knowledge of the same puppetmaster backends. You'd need ... (more)

answered 2013-11-15 16:42:13 -0500

You may find this document helpful:

From what you've described, I'd guess that the secondary (non-CA) masters may still need the ca_server = ca.fqdn and ca = false options set in their puppet.confs, so that when agents hit them, they'll correctly look to the CA for certificate information.
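A way to check the two settings named in the answer above on each non-CA master, written as an added example that is not part of the original thread. The function names and both sample files are constructed for illustration; only ca, ca_server and ca.fqdn come from the page, and the check assumes ca belongs to the master run mode and ca_server to the agent run mode.

```python
import re

# Constructed sample: puppet.conf of a non-CA master, using the page's ca.fqdn name.
SAMPLE_OK = """
[main]
    ca_server = ca.fqdn
[master]
    ca = false
"""

# Constructed sample: ca never set, and ca_server overridden for the agent run mode.
SAMPLE_BAD = """
[main]
    ca_server = ca.fqdn
[agent]
    ca_server = puppet.fqdn
"""

def parse_puppet_conf(text):
    """Parse puppet.conf text into {section: {setting: value}}."""
    sections, current = {}, "main"
    for line in map(str.strip, text.splitlines()):
        header = re.fullmatch(r"\[(\w+)\]", line)
        key, sep, value = line.partition("=")
        if header:
            current = header.group(1)
        elif sep and not line.startswith("#"):
            sections.setdefault(current, {})[key.strip()] = value.strip()
    return sections

def effective(sections, run_mode, setting):
    """A run-mode section ([master], [agent]) overrides [main]."""
    for name in (run_mode, "main"):
        if setting in sections.get(name, {}):
            return sections[name][setting]
    return None  # unset here, so Puppet's built-in default applies

def check_non_ca_master(text, ca_host):
    """Return findings for a master that must not act as a CA."""
    conf, findings = parse_puppet_conf(text), []
    ca = effective(conf, "master", "ca")
    if ca is None or ca.lower() != "false":  # an unset ca is not an explicit false
        findings.append("master: ca is %r, expected false" % ca)
    ca_server = effective(conf, "agent", "ca_server")
    if ca_server != ca_host:
        findings.append("agent: ca_server is %r, expected %r" % (ca_server, ca_host))
    return findings
```

Running check_non_ca_master over each master's puppet.conf with the CA's hostname returns an empty list when both settings are in place, and one finding per setting that is missing or overridden.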

Thanks for the link. I was able to get everything working in the load balancer and on the puppet end but I am now hitting an issue that I believe is ...(more)

So you're saying the message sent from LB to puppetmaster uses the PM's IP, not FQDN. Yes, this will cause a failure. Can you add the PM's IP address ...(more)

I'm also very interested in hearing if you have resolved this as I am running into the same problems.

I have gotten this to work through an F5, so know that it is possible, but I no longer have access to my config. I believe I configured the DNS ...(more)

