Does this require that a human being has to be in the loop every time a 
node joins the site? How would one automate 100% the provisioning of new 
hosts? With the current system, I can turn on auto-sign and have some 
simple rules for which nodes I will accept, and trust in the knowledge that 
I have already ensured my network is secure enough to accept the risk of 
auto-signing. With that, I can automatically take a bare-metal server, and 
provision it all the way up to taking traffic without having anyone else 
involved. From the example above, having to generate the key on the master 
before I can provision puppet on the node seems to make that much more 
difficult.

Also, it would be good if you specify the issues that Sites is trying to 
solve in more detail. From my viewpoint, I don't have any issues with the 
current CA-based model. So I'm struggling to understand what you are trying 
to "fix". I'm sure I'm not alone, and I am assuming that I am missing some 
details, so putting a more detailed description of the problems that the 
community is encountering, and how Sites would solve those would help with 
the discussion.

On Thursday, May 10, 2012 2:34:14 PM UTC-4, Daniel Sauble wrote:
>
> On Thursday, May 10, 2012 10:39:22 AM UTC-7, windowsrefund wrote:
>>
>>
>> On May 10, 12:44 pm, Daniel Sauble <djsau...@puppetlabs.com> wrote: 
>> > 
>> >    - Securely add nodes to your deployment without manually signing 
>> >    certificates on the CA... 
>> >       - ...so that you can have the advantages of autosigning without 
>> its 
>> >       security problems. 
>> > 
>>
>> I'm about to engage on a similar effort and was thinking of writing a 
>> puppet face to handle this job. Can you elaborate on the work flow and 
>> solution you're thinking about? 
>>
>
> We're looking to implement a Puppet Face to address this need. The 
> workflow currently looks like:
>
>
>    1. Login to the site host
>    2. Generate a pre-shared key
>    3. Join a node to the site using the pre-shared key
>    4. Repeat step 3 for every node you want to add to the site
>
>
> From the command-line, this workflow might be represented as the following:
>
> node02$ ssh ad...@site02.domain.com
> Last login: Mon May  7 18:15:43 2012
> site02$ mount /media/usbdisk
> site02$ puppet site generate key > /media/usbdisk/site.key
> site02$ umount /media/usbdisk
> site02$ exit
> node02$ mount /media/usbdisk
> node02$ puppet node join site02.domain.com < /media/usbdisk/site.key
> Trying to add node02.domain.com to the site at site02.domain.com...
>
> Use `puppet site status node02.domain.com` to confirm success
>
> To stop waiting for the command to complete, press Ctrl-C.
>
>   The command will still complete in the background.
> Added node02.domain.com to the site at site02.domain.com
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msg/puppet-users/-/8pW3iqUnj4MJ.
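The four-step pre-shared-key workflow quoted above (generate a key on the site host, carry it to the node, have the node present it when joining), worked through as a small two-party protocol. This is an added illustration, not Puppet's code and not the proposed "Sites" face; the class names `SiteHost` and `Node`, the JSON message layout, the HMAC-SHA256 proof of key possession, the 300-second freshness window and the `*.domain.com` acceptance rule are all assumptions made for the example. It shows the part the quoted commands leave implicit: what the site host actually checks before it adds a node, and why a leaked or replayed join request does not get a second node in.

```ruby
require 'openssl'
require 'securerandom'
require 'json'

# Assumed pre-shared-key join protocol (example code, not Puppet's).
# The site host holds the key generated in step 2; a node proves possession
# of it in step 3 by HMAC-signing a join message that carries its certname,
# a fresh nonce and a timestamp.
class SiteHost
  ACCEPT_PATTERN = /\A[a-z0-9-]+\.domain\.com\z/ # assumed "simple rule" for acceptable certnames
  MAX_SKEW = 300                                  # seconds a join request stays valid (assumed)

  attr_reader :key

  def initialize
    @key = SecureRandom.hex(32) # step 2: 256-bit pre-shared key, hex for transport
    @seen_nonces = {}           # nonce => expiry; rejects replays (pruning omitted here)
    @members = []
  end

  # Step 3 from the site's side. Returns [:added, certname] or [:rejected, reason].
  def join(request, now = Time.now.to_i)
    msg = request.fetch('msg')
    mac = request.fetch('mac')
    expected = OpenSSL::HMAC.hexdigest('SHA256', @key, msg)
    return [:rejected, 'bad mac'] unless secure_equal?(expected, mac)

    body = JSON.parse(msg)
    certname = body['certname']
    nonce    = body['nonce']
    ts       = body['ts'].to_i

    return [:rejected, 'stale request'] if (now - ts).abs > MAX_SKEW
    return [:rejected, 'replay'] if @seen_nonces.key?(nonce)
    return [:rejected, 'certname not allowed'] unless ACCEPT_PATTERN.match?(certname)

    @seen_nonces[nonce] = ts + MAX_SKEW
    @members << certname
    [:added, certname]
  end

  def members
    @members.dup
  end

  private

  # Constant-time comparison so a wrong MAC is not distinguishable by timing.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

class Node
  def initialize(certname, site_key)
    @certname = certname
    @key = site_key # delivered out of band, e.g. the USB disk in the quoted workflow
  end

  # Step 3 from the node's side: a join request the site can verify without a human signing it.
  def join_request(now = Time.now.to_i)
    msg = JSON.generate('certname' => @certname, 'nonce' => SecureRandom.hex(16), 'ts' => now)
    { 'msg' => msg, 'mac' => OpenSSL::HMAC.hexdigest('SHA256', @key, msg) }
  end
end

# Constructed walk-through: one good join, then the failure modes the site must refuse.
def demo
  site = SiteHost.new # steps 1 and 2
  results = []

  req = Node.new('node02.domain.com', site.key).join_request
  results << site.join(req)                                               # fresh, keyed, in policy
  results << site.join(req)                                               # same request replayed

  bad_key = Node.new('node03.domain.com', 'wrong-key').join_request
  results << site.join(bad_key)                                           # does not hold the PSK

  results << site.join(Node.new('evil.example.net', site.key).join_request) # holds the PSK, outside policy

  old = Node.new('node04.domain.com', site.key).join_request(Time.now.to_i - 3600)
  results << site.join(old)                                               # captured an hour ago

  results
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The three checks after the MAC are what turn a shared secret into something safer than plain autosigning: the nonce table stops a captured join request from enrolling a second node, the timestamp bounds how long a captured request is useful, and the certname rule keeps the key from being a blanket admission ticket. The key itself can travel over whatever channel the provisioning system already trusts; nothing in the check requires a person to be present at join time.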