Just concerning this PSK aspect of Sites, would this also be a similar alternative to using a shared cert (or set of certs) in tandem with the node_name_value or node_name_fact, as was recently discussed in this thread?
https://groups.google.com/d/msg/puppet-users/2s0PJ7p_S7M/jLVUjL34Wz4J

In evaluating our implementation strategy for Puppet, I'd considered using this method to allow me to more freely deploy/recycle nodes and with one less human involved.

Tim

On 2012-05-11, at 12:39 PM, Daniel Sauble wrote:

> We don't want Puppet admins to have to trust that their network is secure.
> What Puppet Sites provides (among other things) is a PSK system that allows
> you to generate multiple-use keys for securely joining nodes to your site. In
> the provisioning case, you could generate a pre-shared key, bake it into your
> install tarball, and use that tarball to install Puppet and add each node to
> your site without human intervention. When you're done installing, you can
> revoke the PSK so it can't be used anymore. This gets you the convenience of
> autosigning with the confidence that even if your network is compromised,
> your Puppet deployment won't be.
>
> But note that you can still use autosigning if you don't want to mess with
> pre-shared keys, or if you trust your network. We're just providing an
> alternative, not a replacement.