The Puppet Master CA is the only Certificate Authority (CA) in the whole infrastructure. It issues certificates for all Puppet Agents and also manages the Puppet Master systems.
The Puppet Masters are only responsible for compiling catalogs requested by Puppet Agents - they don't act as a CA themselves. They only accept Puppet Agents whose certificates have been issued by the Puppet Master CA.
Puppet Agents retrieve their certificates from the Puppet Master CA the first time they run. Afterwards they connect to the Puppet Masters to get their catalogs and don't contact the Puppet Master CA anymore.
Puppet Master CA
The Puppet Master CA manages all Puppet Masters. In particular it distributes its own Certificate Revocation List (CRL) file to every Puppet Master. The Puppet Master CA also issues certificates to Puppet Agents.
A Puppet Master runs under Apache and Passenger. The Apache SSL module is configured to require client certificates signed by the Puppet Master CA (/etc/apache2/sites-available/puppetmaster):
# Require certificates to be valid
SSLVerifyClient require
SSLVerifyDepth 1
The Puppet Master is also configured not to act as a Puppet CA (/etc/puppet/puppet.conf):
[main]
ca = false
Puppet Agents retrieve their certificate from the Puppet Master CA and request their catalog from one of the Puppet Masters (/etc/puppet/puppet.conf):
[agent]
ca_server = PUPPET_MASTER_CA
server = PUPPET_MASTER
From a security perspective, setting SSLVerifyClient to require means Apache rejects any request that does not present a valid certificate issued by the Puppet Master CA, which protects the Puppet Masters from unknown clients and from revoked Puppet Agents. Having the Puppet Master CA manage the Puppet Masters also makes it easy to distribute the Puppet Master CA's CRL to every Puppet Master.
On the reliability front, no new systems can be added to the infrastructure while the Puppet Master CA is unavailable. Existing Puppet Agents, however, remain functional as long as they can connect to a Puppet Master.
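As an added example that is not part of the original post, the checker below encodes the rules stated above for both roles: a Puppet Master must have ca = false, SSLVerifyClient require and SSLVerifyDepth 1, and a Puppet Agent must point ca_server at the Puppet Master CA while server points at a Puppet Master. It also checks two mod_ssl directives the post does not mention but the design depends on: SSLCACertificateFile (the CA that client certificates are verified against) and SSLCARevocationFile (without it Apache never consults the CRL the Puppet Master CA distributes, so revoked agents would still be accepted). The vhost bodies, puppet.conf fragments, hostnames and /var/lib/puppet/ssl paths are constructed sample input, and the weak vhost is shown beside the hardened one so the findings can be compared.

```python
import re

# Constructed sample input: a vhost for a Puppet Master as described above.
# The certificate paths and hostnames are assumptions, not taken from the post.
HARDENED_VHOST = """
<VirtualHost *:8140>
    SSLEngine on
    SSLCertificateFile    /var/lib/puppet/ssl/certs/puppetmaster.example.com.pem
    SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/puppetmaster.example.com.pem
    SSLCACertificateFile  /var/lib/puppet/ssl/certs/ca.pem
    # CRL distributed by the Puppet Master CA; without it revocation is never checked
    SSLCARevocationFile   /var/lib/puppet/ssl/crl.pem
    # Require certificates to be valid
    SSLVerifyClient require
    SSLVerifyDepth 1
</VirtualHost>
"""

# Constructed weak variant: optional client auth, a deeper chain and no CRL.
WEAK_VHOST = """
<VirtualHost *:8140>
    SSLEngine on
    SSLCertificateFile    /var/lib/puppet/ssl/certs/puppetmaster.example.com.pem
    SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/puppetmaster.example.com.pem
    SSLCACertificateFile  /var/lib/puppet/ssl/certs/ca.pem
    SSLVerifyClient optional
    SSLVerifyDepth 2
</VirtualHost>
"""

HARDENED_MASTER_CONF = "[main]\nca = false\n"
WEAK_MASTER_CONF = "[main]\n"  # ca left at its default, which is true
AGENT_CONF = "[agent]\nca_server = puppetca.example.com\nserver = puppetmaster.example.com\n"


def parse_apache(text):
    """Return {lowercased directive: value} from a vhost body, skipping comments and <tags>."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        directives[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return directives


def parse_puppet_conf(text):
    """Return {section: {key: value}} from an INI-style puppet.conf."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        section = re.match(r"\[(\w+)\]$", line)
        if section:
            current = sections.setdefault(section.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections


def check_master(apache_text, puppet_text):
    """Findings for a Puppet Master; an empty list means it matches the split-CA design."""
    d = parse_apache(apache_text)
    conf = parse_puppet_conf(puppet_text)
    findings = []
    # Puppet's ca setting may live in [main] or [master] and defaults to true.
    ca = conf.get("main", {}).get("ca") or conf.get("master", {}).get("ca") or "true"
    if ca.lower() != "false":
        findings.append("puppet.conf: ca must be false, this Puppet Master would also act as a CA")
    if d.get("sslverifyclient", "none").lower() != "require":
        findings.append("apache: SSLVerifyClient is %r, must be 'require'" % d.get("sslverifyclient", "none"))
    if d.get("sslverifydepth", "1") != "1":
        findings.append("apache: SSLVerifyDepth > 1 accepts chains through intermediates the Puppet Master CA never issued")
    if "sslcacertificatefile" not in d:
        findings.append("apache: SSLCACertificateFile missing, client certificates cannot be verified")
    if "sslcarevocationfile" not in d:
        findings.append("apache: SSLCARevocationFile missing, revoked Puppet Agents are still accepted")
    return findings


def check_agent(puppet_text):
    """Findings for a Puppet Agent: it must enrol with the CA but fetch catalogs elsewhere."""
    agent = parse_puppet_conf(puppet_text).get("agent", {})
    findings = []
    if not agent.get("ca_server"):
        findings.append("puppet.conf: [agent] ca_server not set, the catalog server would be asked to sign the certificate")
    elif agent.get("ca_server") == agent.get("server"):
        findings.append("puppet.conf: [agent] ca_server equals server, the CA is not split from the Puppet Master")
    return findings


if __name__ == "__main__":
    for label, findings in (
        ("hardened master", check_master(HARDENED_VHOST, HARDENED_MASTER_CONF)),
        ("weak master", check_master(WEAK_VHOST, WEAK_MASTER_CONF)),
        ("agent", check_agent(AGENT_CONF)),
    ):
        print(label, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Run it against the real /etc/apache2/sites-available/puppetmaster and /etc/puppet/puppet.conf by reading those files into the two text arguments; the checks only look at the directives shown, so a vhost that spreads SSL settings over included files must be flattened first.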
Did you ever implement this or extend on the concept further?
I would be interested to see your approach to SPOF and dual site-failover resilience using this.