4

I am wondering whether it makes sense to have a single machine connect to multiple, distinct Puppetmaster instances.

My use case is that I have different privilege levels I want to grant to server operators. We already operate a fairly wide (~100) array of Puppet clients connected to a single Puppetmaster, on which we use exported resources to configure Nagios, Munin, Backups and so on. Fairly standard stuff. But now we have another project where we set up a completely separate Puppetmaster for a client, as we didn't want to grant them access to our internal infrastructure. Yet we would like to import the exported resources on their servers into our monitoring infrastructure so that we can monitor their machines.

I guess another way to frame the question is: is it possible to run (multiple?) Puppet clients on a single machine, connected to multiple, distinct Puppetmasters?

Or would there be a way to share exported resources or data between Puppetmasters while limiting access?

(I know that Puppet can be scaled horizontally by deploying multiple Puppetmaster servers in a load balancing setup. This question is not about that.)

1 Answer

3

Sharing exported resources is problematic, because it requires mutual trust between the collecting master and the storing PuppetDB. For this you will need to share the Puppet CA, and this will blur the separation of the infrastructure.

You might have better luck actually introducing additional agents on the monitoring infrastructure as well. These will connect to the customer puppet master and collect only resources from there. You will then need to devise a way to generate a consistent configuration from the resources that two agents manage independently.

2
  • When you say "agents", do you mean puppetd, the puppet client running as a daemon (or a cronjob, actually)? Is it even possible to run multiple puppetd clients on a single server?
    – anarcat
    Commented May 13, 2015 at 16:32
  • 1
    @anarcat Yes. puppetd is a relic from 0.x and 2.x times. With version 3 or later you should only use puppet agent instead. They are the same. And yes, multiple instances can be separated, at least with recent versions. Make sure that each uses a distinct confdir and vardir setting. If this is unclear, feel free to make this a new question.
    Commented May 14, 2015 at 13:17
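
The separation suggested in the answer and comments above (one agent per master, each with its own confdir and vardir) can be laid out as follows. This is an added example, not code from the thread; the base path, instance names, master hostnames and certnames are constructed assumptions.

```shell
#!/bin/sh
# Constructed layout: one directory tree per master. Paths, hostnames and
# certnames are assumptions, not values from the thread.
BASE="${BASE:-/etc/puppet-multi}"

# Emit puppet.conf for one instance (args: instance name, master, certname).
agent_conf() {
    cat <<EOF
[main]
vardir = $BASE/$1/var
rundir = $BASE/$1/run
[agent]
server = $2
certname = $3
EOF
}

# Emit the one-shot agent command for an instance. --confdir selects the
# instance's puppet.conf; ssldir defaults to a path under confdir, so keys
# and certificates issued by each master's CA stay in separate trees.
agent_cmd() {
    echo "puppet agent --onetime --no-daemonize --confdir $BASE/$1/etc --vardir $BASE/$1/var"
}

# Fail if two instance names would map to the same directory tree, or if a
# name could escape BASE. Args: instance names.
check_isolation() {
    seen=""
    for n in "$@"; do
        case "$n" in ""|*/*|.|..) echo "bad instance name: '$n'" >&2; return 1;; esac
        case " $seen " in *" $n "*) echo "duplicate instance: $n" >&2; return 1;; esac
        seen="$seen $n"
    done
    return 0
}

# Create the trees and config files. Each argument is "name:master:certname".
setup_instances() {
    names=""
    for spec in "$@"; do names="$names ${spec%%:*}"; done
    check_isolation $names || return 1
    for spec in "$@"; do
        name=${spec%%:*}; rest=${spec#*:}
        mkdir -p "$BASE/$name/etc" "$BASE/$name/var" "$BASE/$name/run" || return 1
        chmod 750 "$BASE/$name/etc"
        agent_conf "$name" "${rest%%:*}" "${rest#*:}" > "$BASE/$name/etc/puppet.conf"
    done
}
```

Each instance requests its certificate from its own master on first run, so neither CA has to trust the other.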
