On May 10, 2:04 pm, Daniel Sauble <djsau...@puppetlabs.com> wrote:
> On Thursday, May 10, 2012 11:37:34 AM UTC-7, ohad wrote:
>
> > On Thu, May 10, 2012 at 9:34 PM, Daniel Sauble
> > <djsau...@puppetlabs.com> wrote:
> >
> >> On Thursday, May 10, 2012 10:39:22 AM UTC-7, windowsrefund wrote:
> >
> >>> On May 10, 12:44 pm, Daniel Sauble <djsau...@puppetlabs.com> wrote:
> >
> >>> > - Securely add nodes to your deployment without manually signing
> >>> >   certificates on the CA...
> >>> > - ...so that you can have the advantages of autosigning without its
> >>> >   security problems.
> >
> >>> I'm about to engage on a similar effort and was thinking of writing a
> >>> puppet face to handle this job. Can you elaborate on the work flow and
> >>> solution you're thinking about?
> >
> >> We're looking to implement a Puppet Face to address this need. The
> >> workflow currently looks like:
> >
> >> 1. Login to the site host
> >> 2. Generate a pre-shared key
> >> 3. Join a node to the site using the pre-shared key
> >> 4. Repeat step 3 for every node you want to add to the site
> >
> >> From the command-line, this workflow might be represented as the
> >> following:
> >>
> >> node02$ ssh ad...@site02.domain.com
> >> Last login: Mon May 7 18:15:43 2012
> >> site02$ mount /media/usbdisk
> >> site02$ puppet site generate key > /media/usbdisk/site.key
> >> site02$ umount /media/usbdisk
> >> site02$ exit
> >> node02$ mount /media/usbdisk
> >> node02$ puppet node join site02.domain.com < /media/usbdisk/site.key
> >> Trying to add node02.domain.com to the site at site02.domain.com...
> >
> >> Use `puppet site status node02.domain.com` to confirm success
> >
> >> To stop waiting for the command to complete, press Ctrl-C.
> >
> >> The command will still complete in the background.
> >> Added node02.domain.com to the site at site02.domain.com
>
> > Will you allow the older workflow to coexist? Would it be possible to
> > drive all of the process via an external API?
>
> No, at present we are looking to deprecate the 'clean', 'generate', 'list',
> 'revoke', and 'sign' actions of the puppet cert face. The reason for this is
> we want the semantics of the user interface to match the user need. The
> impression I've gotten (and feel free to chime in) is that users don't want
> to sign certificates, they want to add nodes to their deployment.

And remove them, and swap them for different physical nodes with the same name, and change the names of existing physical nodes, and maybe other things.

It's one thing to provide easy ways to do things people often want to do. It's an altogether different thing to take away people's tools for doing unusual things, or to make them jump through hoops to do things that ought to be easy.

Text interfaces are far more expressive than any other kind, and they are easy to integrate with other tools. That's the Unix way. By all means, provide all the convenience features and alternative interfaces you think people would like, but don't take away my CLI.

John