add feature for disabling/enabling CA

Open bastelfreak opened this issue 10 years ago • 11 comments

Defaults to true; this is the normal case on a master. If you run multiple masters with one dedicated CA, you want to deactivate this feature on the other masters.

also fixed two missing quotes and added the "ensure => present" as default to Ini_setting{}

bastelfreak avatar Jan 26 '15 13:01 bastelfreak

I'm feeling this pain right now as well. Can your PR add Apache proxy config to reach the CA host (https://docs.puppetlabs.com/guides/scaling_multiple_masters.html#option-2-proxy-certificate-traffic) or is that best served in another PR?

joelesalas avatar Jan 28 '15 01:01 joelesalas

I'm happy to merge this, just waiting on the response to @joelesalas's comment.

stephenrjohnson avatar Jan 28 '15 08:01 stephenrjohnson

I'm not using Apache, so it would be great if somebody else could do another PR.

bastelfreak avatar Jan 28 '15 14:01 bastelfreak

Hi Team,

Kindly let me know when this feature will be available and will it also change the passenger config accordingly?

monisha-bhattacharya avatar Jan 28 '15 20:01 monisha-bhattacharya

@monisha-bhattacharya I guess @stephenrjohnson will merge it in the next hours/days. This PR just sets "ca = false" in the [master] part of a puppet.conf. It doesn't modify the apache conf. Maybe @joelesalas will create an additional PR for this. I'm working on an implementation with nginx

bastelfreak avatar Jan 28 '15 21:01 bastelfreak

"ca = false" and "generate_ssl_certs = false" do not make sense without changing the Passenger config, because Passenger will still require the /ca/ca_crt.pem file. According to the PuppetLabs Passenger configuration docs, in the case of "ca = false" it should be:

SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
SSLCACertificateFile /var/lib/puppet/ssl/certs/ca.pem

EssentialMix avatar Jan 29 '15 17:01 EssentialMix
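
The mismatch raised in the comment above can be checked mechanically. The following is an added example, not code from this thread or from puppetmodule: it reads the "ca" setting from the [master] section of a puppet.conf and reports any Apache CA directive that still points at the CA node's own /ca/ca_crt.pem. The function names and the sample configuration text are assumptions constructed for illustration.

```python
import configparser

# Apache directives named in the comment above (Apache matches them case-insensitively).
CA_DIRECTIVES = ("sslcertificatechainfile", "sslcacertificatefile")
# Path suffix of the CA's own certificate, as quoted in the comment above.
CA_ONLY_SUFFIX = "/ca/ca_crt.pem"

def ca_enabled(puppet_conf):
    """Return the [master] ca setting; the PR states it defaults to true."""
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    # Strip indentation so configparser does not treat settings as continuations.
    parser.read_string("\n".join(l.strip() for l in puppet_conf.splitlines()))
    if not parser.has_option("master", "ca"):
        return True
    return parser.getboolean("master", "ca")

def ca_paths(vhost):
    """Return (directive, path) pairs for the CA-related directives in a vhost."""
    pairs = []
    for line in vhost.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0].lower() in CA_DIRECTIVES:
            pairs.append((fields[0], fields[1].strip('"')))
    return pairs

def mismatches(puppet_conf, vhost):
    """List directives that still need the CA's own file although ca = false."""
    if ca_enabled(puppet_conf):
        return []
    return [d for d, p in ca_paths(vhost) if p.endswith(CA_ONLY_SUFFIX)]

# Constructed sample input, not taken from the thread.
PUPPET_CONF = """
[main]
    ssldir = /var/lib/puppet/ssl
[master]
    ca = false
"""
VHOST_STALE = """
    SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
    SSLCACertificateFile    /var/lib/puppet/ssl/ca/ca_crt.pem
"""
VHOST_FIXED = """
    SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
    SSLCACertificateFile    /var/lib/puppet/ssl/certs/ca.pem
"""

if __name__ == "__main__":
    print(mismatches(PUPPET_CONF, VHOST_STALE), mismatches(PUPPET_CONF, VHOST_FIXED))
```
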

As I said, I still need Passenger/Apache in your setup, but that's not my use case. I'm running on nginx/unicorn (see my other PR https://github.com/stephenrjohnson/puppetmodule/pull/74 ), feel free to implement your Apache config changes.

bastelfreak avatar Jan 30 '15 16:01 bastelfreak

@stephenrjohnson could you please take a look and merge it?

bastelfreak avatar Feb 12 '15 14:02 bastelfreak

Added the needed nginx update to actually use this setting here: https://github.com/bastelfreak/puppetmodule/commit/06d74a09f233253bcc7101e6ef05a3e75c2bf7c5

Now it is possible to run a puppet CA on a loadbalancer, to run puppet master and CA on the same node, or to run a puppet master without CA behind a loadbalancer.

bastelfreak avatar Feb 20 '15 00:02 bastelfreak

@stephenrjohnson could you have a look again?

bastelfreak avatar Apr 13 '15 12:04 bastelfreak

Is everyone OK with just adding that one property then?

stephenrjohnson avatar Jan 15 '16 13:01 stephenrjohnson