The Puppet Master CA is the only Certificate Authority (CA) in the whole infrastructure. It issues certificates for all Puppet Agents, and it also manages the Puppet Master systems.
The Puppet Masters are only responsible for compiling the catalogs requested by Puppet Agents; they do not act as a CA themselves. They only accept Puppet Agents whose certificates have been issued by the Puppet Master CA.
Puppet Agents retrieve their certificates from the Puppet Master CA the first time they run. Afterwards they connect to the Puppet Masters to get their catalogs and no longer contact the Puppet Master CA.
Puppet Master CA
The Puppet Master CA manages all Puppet Masters. In particular it distributes its own Certificate Revocation List (CRL) file to every Puppet Master. The Puppet Master CA also issues certificates to Puppet Agents.
Puppet Master
A Puppet Master runs under Apache and Passenger. Apache's SSL module is configured to require client certificates signed by the Puppet Master CA (/etc/apache2/site-available/puppetmaster):
# Require certificates to be valid
SSLVerifyClient require
SSLVerifyDepth 1
The Puppet Master is also configured to not act as a Puppet CA (/etc/puppet/puppet.conf):
[main]
ca = false
Puppet Agent
Puppet Agents retrieve their certificate from the Puppet Master CA and request their catalog from one of the Puppet Masters (/etc/puppet/puppet.conf):
[agent]
ca_server = PUPPET_MASTER_CA
server = PUPPET_MASTER
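The three configuration fragments above are where the split-CA design either holds or silently falls apart: a master with SSLVerifyClient set to anything other than require lets unauthenticated agents through, a master that still has ca = true is a second CA, and an agent whose ca_server equals its server is not split at all. The following audit script is an added example written for this page, not code from the original post or from the Puppet project. It parses constructed samples of the Apache fragment and of puppet.conf with the standard library only and reports each deviation. The CRL check looks for Apache's SSLCARevocationFile or SSLCARevocationPath directive, which the post does not show but which is how Apache consumes the CRL the Puppet Master CA distributes; the certificate and CRL paths in the sample are placeholders, not paths from the post.

```python
"""Audit Puppet split-CA configuration fragments (added example, stdlib only).

Checks the properties the post relies on:
  - Apache on a Puppet Master requires a client certificate issued directly by
    the CA (SSLVerifyClient require, SSLVerifyDepth 1) and loads the CA's CRL
    (SSLCARevocationFile/Path, assumed directive; not shown in the post).
  - puppet.conf on a Puppet Master has ca = false.
  - puppet.conf on a Puppet Agent names a ca_server distinct from server.
All sample input below is constructed for this example.
"""
import configparser

# --- constructed samples -----------------------------------------------------
HARDENED_APACHE = """
# Require certificates to be valid
SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile /example/ssl/certs/ca.pem      # placeholder path
SSLCARevocationFile  /example/ssl/crl.pem           # placeholder path
"""
WEAK_APACHE = """
SSLVerifyClient optional
SSLVerifyDepth 1
"""
MASTER_CONF = "[main]\nca = false\n"
BAD_MASTER_CONF = "[main]\nca = true\n"
AGENT_CONF = "[agent]\nca_server = PUPPET_MASTER_CA\nserver = PUPPET_MASTER\n"
AGENT_NO_CA_SERVER = "[agent]\nserver = PUPPET_MASTER\n"


def parse_apache(text):
    """Return {directive: value} for a flat Apache fragment; comments and
    section tags such as <VirtualHost> are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        settings[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def audit_master_apache(text):
    """Findings for the Apache vhost fronting a Puppet Master."""
    findings = []
    s = parse_apache(text)
    if s.get("SSLVerifyClient", "none") != "require":
        findings.append("SSLVerifyClient is not 'require': agents without a "
                        "CA-issued certificate can reach the master")
    if s.get("SSLVerifyDepth") != "1":
        findings.append("SSLVerifyDepth is not 1: only certificates issued "
                        "directly by the Puppet Master CA should be accepted")
    if "SSLCARevocationFile" not in s and "SSLCARevocationPath" not in s:
        findings.append("no SSLCARevocationFile/Path: revoked agent "
                        "certificates would still be accepted")
    return findings


def _load(text):
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return cp


def audit_master_puppet(text):
    """A Puppet Master must not act as a CA (ca = false in [master] or [main])."""
    cp = _load(text)
    ca = None
    for section in ("master", "main"):
        if cp.has_option(section, "ca"):
            ca = cp.get(section, "ca").strip().lower()
            break
    if ca != "false":
        return ["ca is not false: this master would also act as a CA"]
    return []


def audit_agent_puppet(text):
    """An agent must name a separate ca_server and a catalog server."""
    cp = _load(text)
    findings = []
    ca_server = cp.get("agent", "ca_server",
                       fallback=cp.get("main", "ca_server", fallback=None))
    server = cp.get("agent", "server",
                    fallback=cp.get("main", "server", fallback=None))
    if not ca_server:
        findings.append("ca_server missing: the agent would request its "
                        "certificate from its catalog server")
    if not server:
        findings.append("server missing: the agent has no Puppet Master to ask")
    if ca_server and server and ca_server == server:
        findings.append("ca_server equals server: CA and master are not split")
    return findings


if __name__ == "__main__":
    for name, result in [("hardened apache", audit_master_apache(HARDENED_APACHE)),
                         ("weak apache", audit_master_apache(WEAK_APACHE)),
                         ("master puppet.conf", audit_master_puppet(MASTER_CONF)),
                         ("agent puppet.conf", audit_agent_puppet(AGENT_CONF))]:
        print(name, "->", result or "OK")
```

Run it against real files by reading /etc/apache2/sites-available/puppetmaster and /etc/puppet/puppet.conf into the same functions; the weak Apache sample shows the two findings a master silently degrades to when SSLVerifyClient is left at optional and no CRL is loaded.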
Conclusion
From a security perspective, setting the SSLVerifyClient option to require protects the Puppet Masters from unknown requests and from revoked Puppet Agents. Having the Puppet Master CA manage the Puppet Masters also makes it straightforward to distribute the Puppet Master CA's CRL to them.
On the reliability front, new systems cannot be added to the infrastructure while the Puppet Master CA is unavailable. Existing Puppet Agents, however, remain functional as long as they can connect to a Puppet Master.
Did you ever implement this or extend on the concept further?
I would be interested to see your approach to SPOF and dual site-failover resilience using this.