Does foreman work with multiple puppet masters?

New to Foreman.
I used to run multiple puppetmasters and a separate CA for large-scale
deployments.
Now I'm starting to test Foreman and I liked it.

Yet to me the quick start guides showed the way to install
foreman+puppetmaster+CA on a single box.
Running a separate Puppet CA is easy as long as the certs are all signed by the
same CA, both clients and master.

However, I'm wondering if any gent has ever tried to do 1 Foreman instance
working with multiple puppet masters? To me it's doable as all data is in the DB.

Appreciate your help.

Thanks!

> New to Foreman.
> I used to run multiple puppetmasters and a separate CA for large-scale
> deployments.
> Now I'm starting to test Foreman and I liked it.
>
> Yet to me the quick start guides showed the way to install
> foreman+puppetmaster+CA on a single box.

Yes, this really is aimed at a basic getting-started installation. It's
expected that more advanced users with complex infrastructures would
either reuse the Puppet modules we provide (which are heavily
parameterised, so should be reusable), or configure by hand.

> Running a separate Puppet CA is easy as long as the certs are all signed by
> the same CA, both clients and master.
>
> However, I'm wondering if any gent has ever tried to do 1 Foreman instance
> working with multiple puppet masters? To me it's doable as all data is in the DB.

It works fine, many users do this. I would recommend a single CA as
it's slightly easier to organise, particularly because we usually reuse
the Puppet SSL certificates for Foreman->smart proxy communications, so
everything in a single CA means it just works.

You would install a smart proxy on every puppetmaster and add all of
these to Foreman. On your Puppet CA server, install a smart proxy too
and only on this one enable the puppetca smart proxy setting. Foreman
will let you select the puppetmaster and CA independently for each host
or host group.

Separate CAs work as well and people with more segregated environments
sometimes do this and it works fine. You would only want a single CA
for the Foreman->smart proxy traffic though.

On 03/07/13 09:49, Xin Ma wrote:


Dominic Cleal
Red Hat Engineering
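
A check for the single-CA recommendation in the reply above, as an added example that is not part of the thread and not Foreman's own code: it uses `openssl verify` to confirm that Foreman's client certificate and each smart proxy certificate chain to the same CA. The function names, the `--demo` flag and the file names are assumptions, and the certificates are throwaway ones generated for the demonstration.

```shell
#!/bin/sh
# Added example (not Foreman code): confirm that the certificates used for
# Foreman -> smart proxy TLS all chain to one CA. All file names are assumptions.

# chains_to CA_FILE CERT_FILE: succeeds only if CERT_FILE verifies against CA_FILE.
chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# check_single_ca CA_FILE CERT...: one status line per certificate; the return
# value is the number of certificates that do not chain to CA_FILE.
check_single_ca() {
    ca=$1; bad=0; shift
    for cert in "$@"; do
        if chains_to "$ca" "$cert"; then
            echo "OK    $cert"
        else
            echo "FAIL  $cert $(openssl x509 -in "$cert" -noout -issuer 2>/dev/null)"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# issue_leaf DIR CA_NAME LEAF_NAME: sign a throwaway leaf certificate.
issue_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3.example.test" \
        -keyout "$1/$3.key" -out "$1/$3.csr" >/dev/null 2>&1 &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/$3.pem" >/dev/null 2>&1
}

# make_demo_pki: constructed sample data. Two CAs; foreman and proxy1 are signed
# by "ca", proxy2 by "other". Prints the directory holding the files.
make_demo_pki() {
    d=$(mktemp -d) || return 1
    for name in ca other; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-$name" \
            -keyout "$d/$name.key" -out "$d/$name.pem" >/dev/null 2>&1 || return 1
    done
    issue_leaf "$d" ca foreman && issue_leaf "$d" ca proxy1 &&
        issue_leaf "$d" other proxy2 || return 1
    echo "$d"
}

if [ "${1:-}" = "--demo" ]; then
    dir=$(make_demo_pki) || exit 1
    check_single_ca "$dir/ca.pem" "$dir/foreman.pem" "$dir/proxy1.pem" "$dir/proxy2.pem"
    echo "certificates outside the shared CA: $?"
fi
```

On a real installation, pass the CA file and the certificate files configured for Foreman and each smart proxy instead of the demo files; a non-zero return means at least one endpoint would fail the TLS handshake with the others.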

> New to Foreman.
> I used to run multiple puppetmasters and a separate CA for large-scale
> deployments.
> Now I'm starting to test Foreman and I liked it.
>
> Yet to me the quick start guides showed the way to install
> foreman+puppetmaster+CA on a single box.
> Running a separate Puppet CA is easy as long as the certs are all signed by
> the same CA, both clients and master.
>
> However, I'm wondering if any gent has ever tried to do 1 Foreman instance
> working with multiple puppet masters? To me it's doable as all data is in the DB.
>
It's pretty easy, just install foreman proxy on each one of your CAs, add it to
Foreman, and then you can select the CA you want to use.

Ohad

On Wed, Jul 3, 2013 at 11:49 AM, Xin Ma wrote:

appreciate your help.

thanks!



Thank you so much. It helped.

On Wednesday, July 3, 2013 4:56:04 PM UTC+8, Dominic Cleal wrote: