Foreman with separate puppet in HA

Hi,

I'm Kelvyn and I am implementing Puppet in my office, but my Foreman server
today does not support all of my Puppet nodes (26 nodes in total) because
this machine is very old and slow.

And I would like to migrate to a strong infrastructure to support 500+ nodes,
and I would like to put it in HA.

The proposed infrastructure is this:

                       [Load Balancer]
                        /          \
                       /            \
                      /              \
                     /                \
           [Puppetmaster and CA]   [Puppetmaster]
                     >    \   /    |
                     >    \   /    |
                     >    \   /    |
                   [Foreman]   [Foreman]
                          \   /
                          \   /
                          \   /
                       [Postgresql]

But my problem is that the 2 machines with Puppet will not connect to the 2
Foreman machines with foreman-proxy.

How do I change this to a complete HA?

PS: the Postgresql is in a master-slave machine.

Tks!

If I am understanding this correctly you also need to load balance the
foreman smart-proxy on each of the puppet masters. But in your current
architecture I think that poses a risk of CA requests going to a non-CA
puppet master. My suggestion is to always run a completely separate CA from
your masters.


Sorry if I don't explain very well; it has been a long time since I spoke or
wrote in English.

But if I put 2 CAs in my infrastructure, do my clients have to generate certs
in 2 CAs?

My goal is just to replicate my infrastructure, and I am stuck on 2 questions:

  • I cannot put 1 Puppet in 2 Foremans simultaneously
  • I cannot have 2 CAs for one virtual IP (in the load balancer).

And I don't know how to resolve this.

Thanks for the reply, Christopher!


You can have 2 CA servers behind a load balancer if you make them active
passive and set up shared storage for all the certs. . . or some type of
replication. If you do not want two CA servers you still should move your
CA off of your Puppet master if you plan on load balancing your Puppet
masters and have them talk to Foreman. I am not sure what you mean by can't
put 1 puppet in 2 foreman simultaneously.

Have you read the Foreman blog post on HA or watched the case study? I'll
put the link below just in case.

https://theforeman.org/2015/12/journey_to_high_availability.html
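
The separate-CA layout suggested in the replies above, sketched as puppet.conf fragments. This is an added example, not part of the original posts; it assumes Puppet 3.x/4.x settings on Rack/Passenger masters, and the hostnames puppet-vip.example.com and puppetca.example.com are hypothetical.

```ini
# ---------------------------------------------------------------
# Agents (every managed node): puppet.conf
# ---------------------------------------------------------------
[agent]
# Catalog, report and file requests go to the load-balanced VIP.
# (hypothetical name)
server    = puppet-vip.example.com
# CSR submission, certificate download and CRL fetch go straight to
# the CA host, so they never land on a master that cannot sign.
# (hypothetical name)
ca_server = puppetca.example.com
ca_port   = 8140

# ---------------------------------------------------------------
# Compile masters behind the load balancer: puppet.conf
# ---------------------------------------------------------------
[main]
# Request the master's certificate with the VIP name as a subject
# alternative name, so agents connecting to the VIP can verify it.
# The CA operator has to approve this explicitly when signing
# (puppet cert sign --allow-dns-alt-names <certname>).
dns_alt_names = puppet-vip.example.com
ca_server     = puppetca.example.com

[master]
# These hosts only compile catalogs; they hold no CA key.
ca = false

# ---------------------------------------------------------------
# Dedicated CA host: puppet.conf
# ---------------------------------------------------------------
[master]
# The only host that holds the CA private key and signs requests.
# For an active/passive pair, the CA directory under ssldir is the
# state that must be shared or replicated to the standby.
ca = true
```

With this split the agents reach the CA by its own name rather than through the virtual IP, so the load balancer only ever fronts the compile masters.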


I didn't see this post; I will read it and implement this.

Thanks!
