Puppet relies on SSL certificates on both clients and servers for authentication. These certificates are handled by the puppetca.

Architecture

As the CA role has to be centralized, the architecture here is simply one single server. We use the role "role::puppet::ca" for our puppetca machines, which is basically the same as "role::puppet::server" except for the loadbalancer backend registration.

Hiera decides which machine should serve as the puppetca through the key "profile::puppet::caserver".

Backups

Status: TODO - Create a suitable backup scheme

Installing a new puppetca

To install a new puppetca machine we first install the machine with the role "role::puppet::ca". There is no problem having more than one machine with this role; only one of them is used by agents anyway.

After the machine is installed you should copy the ca folder from the current puppetca machine (/etc/puppetlabs/puppet/ssl/ca) to the new machine (or restore the most recent backup if the old puppetca machine is not available). Then the hiera key "profile::puppet::caserver" can be updated to contain the hostname of the new puppetca.

When all machines are configured to use the new puppetca, the old one can be decommissioned. The ca role will however be turned off on this machine as soon as a puppet agent runs on it, as "profile::puppet::caserver" no longer contains its hostname.
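The step that carries the most risk in the procedure above is the copy of the ca folder: if a file is missing or truncated, or the CA private key ends up readable by other users on the new machine, every agent's trust anchor is affected. The following is an added check (not part of this page or of Puppet itself) to run on the new puppetca after the copy and before updating "profile::puppet::caserver". It assumes Puppet's default file names inside the ca folder (ca_key.pem, ca_crt.pem, ca_crl.pem, serial, inventory.txt); the source directory would normally be a mount or rsync'd copy of the old machine's /etc/puppetlabs/puppet/ssl/ca.

```shell
#!/bin/sh
# Added example: verify a copied puppetca directory before switching agents to it.
# Example copy from the old machine (run on the new puppetca, adjust hostname):
#   rsync -a old-puppetca:/etc/puppetlabs/puppet/ssl/ca/ /etc/puppetlabs/puppet/ssl/ca/

# Assumed default Puppet CA file names; extend if your ca folder holds more.
CA_FILES="ca_key.pem ca_crt.pem ca_crl.pem serial inventory.txt"

# Print the sha256 digest of a file, portable across sha256sum and shasum.
file_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_ca_copy SRC_DIR DST_DIR
# Returns 0 only when every expected file exists in both trees with identical
# content and the CA private key in DST_DIR is readable by its owner alone.
verify_ca_copy() {
    ca_src="$1"; ca_dst="$2"; rc=0
    for f in $CA_FILES; do
        if [ ! -f "$ca_src/$f" ] || [ ! -f "$ca_dst/$f" ]; then
            echo "missing: $f" >&2; rc=1; continue
        fi
        if [ "$(file_digest "$ca_src/$f")" != "$(file_digest "$ca_dst/$f")" ]; then
            echo "digest mismatch: $f" >&2; rc=1
        fi
    done
    # A CA key readable by other users defeats the whole trust model.
    if [ -f "$ca_dst/ca_key.pem" ]; then
        perms=$(stat -c %a "$ca_dst/ca_key.pem" 2>/dev/null \
                || stat -f %Lp "$ca_dst/ca_key.pem")
        case "$perms" in
            600|400) ;;
            *) echo "ca_key.pem mode $perms is too permissive" >&2; rc=1 ;;
        esac
    fi
    return $rc
}
```

Run it as `verify_ca_copy /mnt/old-ca /etc/puppetlabs/puppet/ssl/ca` and only update the hiera key when it exits 0.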