Generates shared certificates to be used for load-balancing Puppet Enterprise nodes such as PuppetDB and Node Classifiers, as per the documented known issue.
This module uses reidmv-puppet_certificate to generate certificates on the CA node, and then distributes them to the nodes via standard file resources. Note that most services will require a `before` dependency on the Puppet_enterprise::certs class, so that the shared certificate is in place before the service's own certificate handling runs, for example:
  pe_shared_cert { 'puppetdb.example.com':
    certname      => 'puppetdb.example.com',
    dns_alt_names => ['puppetdb'],
    before        => Puppet_enterprise::Certs['pe-puppetdb'],
  }
Install the module from the Puppet Forge:
  puppet module install pizzaops-puppetdb_shared_cert
If you're using r10k, you'll need to include the dependencies: puppetlabs-stdlib 4.5.0 and reidmv-puppet_certificate 0.0.2. Please see the metadata.json file for the most up to date dependencies.
Classify the CA master with puppetdb_shared_cert::ca. By default, it will read $::puppet_enterprise::profile::puppetdb::certname for the certname and set the alt-names to puppetdb,puppetdb.${domain}.
  class { 'puppetdb_shared_cert::ca':
    certname      => 'puppetdb-shared-cert',
    dns_alt_names => ['puppetdb.bar.com', 'puppetdb'],
  }
Classify your PuppetDB nodes with puppetdb_shared_cert::puppetdb, and the standard puppet_enterprise::profile::puppetdb class. puppetdb_shared_cert::puppetdb will ship the certs generated by the CA class to your PuppetDB nodes. It has the same defaults as the ca class.
  class { 'puppetdb_shared_cert::puppetdb':
    certname      => 'puppetdb-shared-cert',
    dns_alt_names => ['puppetdb.bar.com', 'puppetdb'],
  }
You may also supply all data directly to the ::puppetdb_shared_cert class to reduce duplication. For example, you might add it to the PE infrastructure console group, and then add the ca and puppetdb classes to the appropriate groups.
NB: You will need to supply the database password to the puppet_enterprise::profile::puppetdb class, via the console or hiera, when setting up multiple PuppetDBs. That is the only required configuration in my testing.
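As an added example (not the module's own code), the following wrapper profile puts the steps above together in a single class: the shared certificate data is supplied once to the parent class, the ca or puppetdb subclass is selected per node, and the PuppetDB side is ordered before PE's own certificate handling, as in the README's `before` example. It assumes Puppet 4 or later (typed parameters, `$trusted`, `$facts`), that the parent class `puppetdb_shared_cert` accepts `certname` and `dns_alt_names` and that the ca and puppetdb subclasses take their defaults from it, and that `profile::pe_puppetdb_shared_cert` and the host names are placeholders for your own names.

```puppet
# Added example; not part of the pizzaops-puppetdb_shared_cert module.
# Assumptions: Puppet 4+; the parent class puppetdb_shared_cert accepts
# certname and dns_alt_names and its ca/puppetdb subclasses default to
# those values; the class name and host names below are placeholders.
class profile::pe_puppetdb_shared_cert (
  String        $certname       = 'puppetdb-shared-cert',
  Array[String] $dns_alt_names  = ['puppetdb', "puppetdb.${facts['domain']}"],
  String        $ca_master      = 'ca.example.com',                              # placeholder
  Array[String] $puppetdb_nodes = ['puppetdb1.example.com', 'puppetdb2.example.com'],  # placeholders
) {
  # Supply the shared certificate data once; the subclasses reuse it.
  class { 'puppetdb_shared_cert':
    certname      => $certname,
    dns_alt_names => $dns_alt_names,
  }

  # Pick the node's role from the trusted certname, which comes from the
  # agent's own certificate at connection time, rather than from an
  # agent-reported fact such as $::fqdn that a host could set to anything.
  if $trusted['certname'] == $ca_master {
    # CA master: generates the shared certificate with the alt names above.
    include puppetdb_shared_cert::ca
  } elsif $trusted['certname'] in $puppetdb_nodes {
    # PuppetDB nodes: receive the shared certificate and run PE's PuppetDB
    # profile. The database password for puppet_enterprise::profile::puppetdb
    # is supplied via the console or Hiera, as the README notes; not here.
    include puppetdb_shared_cert::puppetdb
    include puppet_enterprise::profile::puppetdb

    # Ship the shared cert and key before PE's certificate handling for
    # pe-puppetdb runs, mirroring the README's pe_shared_cert example.
    Class['puppetdb_shared_cert::puppetdb'] -> Puppet_enterprise::Certs['pe-puppetdb']
  }
}
```

Classifying every PE infrastructure node with this one profile replaces the three separate console-group classifications; the chaining arrow does the same job as the `before` metaparameter in the README's resource example but works with `include`, so the subclass keeps the defaults inherited from the parent class.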