4.2. 使用默认 SSL 证书配置胶囊服务器以使用 Puppet 负载平衡

流程

1. 在卫星服务器上，为您配置 Capsule Server 以生成并签名 Puppet 证书的系统生成 Katello 证书：

   # capsule-certs-generate \
   --certs-tar "/root/capsule-ca.example.com-certs.tar" \
   --foreman-proxy-cname loadbalancer.example.com \
   --foreman-proxy-fqdn capsule-ca.example.com

   Copy to Clipboard Toggle word wrap

   保留 satellite-installer 命令示例 satellite-installer 命令的副本，它通过 capsule-certs-generate 命令安装 Capsule Server 证书。

2. 将证书存档文件从 Satellite 服务器复制到胶囊服务器：

   # scp /root/capsule-ca.example.com-certs.tar root@capsule-ca.example.com:capsule-ca.example.com-certs.tar

   Copy to Clipboard Toggle word wrap

3. 将以下选项附加到 satellite-installer 命令中，从 capsule-certs-generate 命令的输出中获取：

   --certs-cname "loadbalancer.example.com" \
   --enable-foreman-proxy-plugin-remote-execution-script \
   --foreman-proxy-puppetca "true" \
   --puppet-ca-server "capsule-ca.example.com" \
   --puppet-dns-alt-names "loadbalancer.example.com" \
   --puppet-server-ca "true"

   Copy to Clipboard Toggle word wrap

4. 在 Capsule 服务器上，输入 satellite-installer 命令：

   # satellite-installer --scenario capsule \
   --certs-cname "loadbalancer.example.com" \
   --certs-tar-file "capsule-ca.example.com-certs.tar" \
   --enable-foreman-proxy-plugin-remote-execution-script \
   --enable-puppet \
   --foreman-proxy-foreman-base-url "https://satellite.example.com" \
   --foreman-proxy-oauth-consumer-key "oauth key" \
   --foreman-proxy-oauth-consumer-secret "oauth secret" \
   --foreman-proxy-puppetca "true" \
   --foreman-proxy-register-in-foreman "true" \
   --foreman-proxy-trusted-hosts "satellite.example.com" \
   --foreman-proxy-trusted-hosts "capsule-ca.example.com" \
   --puppet-ca-server "capsule-ca.example.com" \
   --puppet-dns-alt-names "loadbalancer.example.com" \
   --puppet-server true \
   --puppet-server-ca "true" \
   --puppet-server-foreman-url "https://satellite.example.com"

   Copy to Clipboard Toggle word wrap

5. 在 Capsule Server 上，停止 Puppet 服务器：

   # puppet resource service puppetserver ensure=stopped

   Copy to Clipboard Toggle word wrap

6. 为您为负载平衡配置的其他所有胶囊服务器生成 Puppet 证书，除了配置 Puppet 证书签名的第一个系统外：

   # puppetserver ca generate \
   --ca-client \
   --certname capsule.example.com \
   --subject-alt-names loadbalancer.example.com

   Copy to Clipboard Toggle word wrap

   此命令会在配置胶囊服务器以为 Puppet 证书签名的系统中创建以下文件：

   • /etc/puppetlabs/puppet/ssl/certs/capsule.example.com.pem
   • /etc/puppetlabs/puppet/ssl/certs/ca.pem
   • /etc/puppetlabs/puppet/ssl/private_keys/capsule.example.com.pem
   • /etc/puppetlabs/puppet/ssl/public_keys/capsule.example.com.pem

7. 恢复 Puppet 服务器：

   # puppet resource service puppetserver ensure=running

   Copy to Clipboard Toggle word wrap

流程

1. 在卫星服务器上，为 Capsule Server 生成 Katello 证书：

   # capsule-certs-generate \
   --certs-tar "/root/capsule.example.com-certs.tar" \
   --foreman-proxy-cname loadbalancer.example.com \
   --foreman-proxy-fqdn capsule.example.com

   Copy to Clipboard Toggle word wrap

   保留 satellite-installer 命令示例 satellite-installer 命令的副本，它通过 capsule-certs-generate 命令安装 Capsule Server 证书。

2. 将证书存档文件从 Satellite 服务器复制到胶囊服务器：

   # scp /root/capsule.example.com-certs.tar root@capsule.example.com:/root/capsule.example.com-certs.tar

   Copy to Clipboard Toggle word wrap

3. 在 Capsule Server 上，安装 puppetserver 软件包：

   # satellite-maintain packages install puppetserver

   Copy to Clipboard Toggle word wrap

4. 在 Capsule Server 上，为 puppet 证书创建目录：

   # mkdir -p /etc/puppetlabs/puppet/ssl/certs/ \
   /etc/puppetlabs/puppet/ssl/private_keys/ \
   /etc/puppetlabs/puppet/ssl/public_keys/

   Copy to Clipboard Toggle word wrap

5. 在 Capsule Server 上，从配置胶囊服务器的系统中复制此胶囊服务器的 Puppet 证书，以为 Puppet 证书签名：

   # scp root@capsule-ca.example.com:/etc/puppetlabs/puppet/ssl/certs/capsule.example.com.pem /etc/puppetlabs/puppet/ssl/certs/capsule.example.com.pem
   # scp root@capsule-ca.example.com:/etc/puppetlabs/puppet/ssl/certs/ca.pem /etc/puppetlabs/puppet/ssl/certs/ca.pem
   # scp root@capsule-ca.example.com:/etc/puppetlabs/puppet/ssl/private_keys/capsule.example.com.pem /etc/puppetlabs/puppet/ssl/private_keys/capsule.example.com.pem
   # scp root@capsule-ca.example.com:/etc/puppetlabs/puppet/ssl/public_keys/capsule.example.com.pem /etc/puppetlabs/puppet/ssl/public_keys/capsule.example.com.pem

   Copy to Clipboard Toggle word wrap

6. 在 Capsule 服务器上，将 /etc/puppetlabs/puppet/ssl/ 目录所有权改为用户 puppet 和组 puppet ：

   # chown -R puppet:puppet /etc/puppetlabs/puppet/ssl/

   Copy to Clipboard Toggle word wrap

7. 在 Capsule 服务器上，为 /etc/puppetlabs/puppet/ssl/ 目录设置 SELinux 上下文：

   # restorecon -Rv /etc/puppetlabs/puppet/ssl/

   Copy to Clipboard Toggle word wrap

8. 将以下选项附加到 satellite-installer 命令中，从 capsule-certs-generate 命令的输出中获取：

   --certs-cname "loadbalancer.example.com" \
   --enable-foreman-proxy-plugin-remote-execution-script \
   --foreman-proxy-puppetca "false" \
   --puppet-ca-server "capsule-ca.example.com" \
   --puppet-dns-alt-names "loadbalancer.example.com" \
   --puppet-server-ca "false"

   Copy to Clipboard Toggle word wrap

9. 在 Capsule 服务器上，输入 satellite-installer 命令：

   # satellite-installer --scenario capsule \
   --certs-cname "loadbalancer.example.com" \
   --certs-tar-file "capsule.example.com-certs.tar" \
   --enable-foreman-proxy-plugin-remote-execution-script \
   --foreman-proxy-foreman-base-url "https://satellite.example.com" \
   --foreman-proxy-oauth-consumer-key "oauth key" \
   --foreman-proxy-oauth-consumer-secret "oauth secret" \
   --foreman-proxy-puppetca "false" \
   --foreman-proxy-register-in-foreman "true" \
   --foreman-proxy-trusted-hosts "satellite.example.com" \
   --foreman-proxy-trusted-hosts "capsule.example.com" \
   --puppet-ca-server "capsule-ca.example.com" \
   --puppet-dns-alt-names "loadbalancer.example.com" \
   --puppet-server-ca "false" \
   --puppet-server-foreman-url "https://satellite.example.com"

   Copy to Clipboard Toggle word wrap