Should a puppet server be local to the network or available to all networks?

Question

We have several servers that I'd like to start managing with Puppet. We have:

Linux servers in our California office that I access over a VPN
Linux servers in an Oklahoma data center that I access over SSH
Linux servers in Amazon Elastic Compute Cloud (North Virginia)

I see a two options:

Three puppet servers, local to each environment
One puppet server, exposed by public DNS

Does anyone have experience with one of these configurations? How would you do it?

score 2 · Accepted Answer · answered Jun 21 '10 at 14:46

2

IMHO, I don't think puppet servers should ever be available over the public internet. It seriously restricts the type of things you can push out.. No SSH keys, no SSL certs, etc.

Set up OpenVPN on the puppet server, then vpn to it from the guests you want to puppet.

I've done an EC2 node using vpnc to set up a tunnel back to my protected puppet server, although that was actually behind a Cisco ASA..

answered Jun 21 '10 at 14:46

Tom O'Connor

27,480
10
73
148

So, you are doing HTTPS over a VPN connection, using SSL certificates to verify host and client? It seems like one level too many of safety nets. – John Whitlock Jun 24 '10 at 16:31
I'm not sure I agree with that.. but there we go. It's your network. – Tom O'Connor Jun 24 '10 at 22:11

Should a puppet server be local to the network or available to all networks?

1 Answers1