puppetdb_shared_cert

Generate and distribute a shared cert to your PuppetDB nodes.

Zee Alexander

pizzaops

8,583 downloads

8,228 latest version

4.6 quality score

Version information

  • 0.1.0 (latest)
  • 0.0.2
  • 0.0.1
released Feb 6th 2015
This version is compatible with:
  • RedHat
    ,
    Debian
    ,
    Suse
    ,
    Ubuntu

Start using this module

Documentation

pizzaops/puppetdb_shared_cert — version 0.1.0 Feb 6th 2015

Overview

Generates a shared certificate to be used for load-balancing PuppetDB nodes in Puppet Enterprise, as per the documented known issue.

Module Description

This module uses reidmv-puppet_certificate to generate certificates on the CA node, and then distributes them to the PuppetDB node via standard file resources, before the puppet_enterprise::puppetdb class copies them into PuppetDB's ssl directory.

Setup

puppet module install pizzaops-puppetdb_shared_cert

If you're using r10k, you'll need to include the dependencies, puppetlabs-stdlib 4.5.0, and reidmv-puppet_certificate 0.0.2.

Usage

Classify the CA master with puppetdb_shared_cert::ca. By default, it will read $::puppet_enterprise::profile::puppetdb::certname for the certname and set the alt-names to puppetdb,puppetdb.${domain}.

class { 'puppetdb_shared_cert::ca':
  certname      => 'puppetdb-shared-cert',
  dns_alt_names => ['puppetdb.bar.com','puppetdb'],
}

Classify your PuppetDB nodes with puppetdb_shared_cert::puppetdb, and the standard puppet_enterprise::profile::puppetdb class. puppetdb_shared_cert::puppetdb will ship the certs generated by the CA class to your puppetdb nodes. It has the same defaults as the ca class.

class { 'puppetdb_shared_cert::puppetdb':
  certname      => 'puppetdb-shared-cert',
  dns_alt_names => ['puppetdb.bar.com','puppetdb'],
}

You may also supply all data directly to the ::puppetdb_shared_cert class to reduce duplication. For example you might add it to the PE infrastructure console group, and then add the ca and puppetdb classes to the appropriate groups.

NB: You will need to supply the datadabase password to the puppet_enterprise::profile::puppetdb class, via the console or hiera, when setting up multiple PuppetDBs. That is the only required configuration in my testing.