Puppet certificate signing is the one item that (I think) has caused issues for everyone at one point or another. I think the security provided is a requirement for tools such as this given the amount of access to both hosts and sensitive data they have.
There were a few presentations at PuppetConf where presenters went through semi-detailed explanations on how they handled this issue, but none that I was so excited about I implemented last night. I'm curious how other people deal with securely signing certificates in an auto-scaling environment (getting up at 3AM to sign a cert when a node is automatically provisioned is not an option). I have a working solution right now, but I find myself wondering if there is a better way.

Current: I'm using R.I. Pienaar's ec2-boot-init scripts combined with his mcollective-server-provisioner tool, which works pretty well. The biggest concern I have with it is the fact my collective information is accessible to anyone who has access to the machine through the Amazon APIs. One possible solution is to have a provisioning collective and a production collective and have puppet switch the machine as it is provisioning it.

Other options I have seen:

- Auto-signing - Is someone using this outside of POC/dev?
- Cron entry on the puppet master that checks for pending certificates to sign, verifies them against a known truth, and signs. How are old certificates cleaned up to allow for reuse of hostname? (We use standard naming to allow regex provisioning of nodes.) Could be another cron.
- Cloud provisioner - I haven't used this, but it looks like it might work for us. I don't see a way to specify the hostname with it, but depending on the guts of how it works I might still be able to do that with the ec2-boot-init scripts or extend cloud provisioner with that feature. I need to dig into the code on this more.
- Custom app - You can easily integrate into both the puppet REST certificate service and your cloud provider's APIs and roll your own. You know what you launched, therefore it is good.

How are you doing it I didn't touch on? What issues have you run into?

jl
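The cron-driven option above (check pending requests, verify them against a known truth, sign, and clean up stale certs so a hostname can be reused), as an added example that is not from the original post or from any Puppet tool: it parses `puppet cert list --all` output (layout assumed from Puppet 2.7/3.x), treats the set of certnames you actually launched (a constructed set here; in practice fetched from your cloud provider's API) as the known truth, and only touches names matching an assumed naming convention, so the master's own cert and hand-managed hosts are never auto-signed or cleaned.

```python
import re
import subprocess

# Naming convention for auto-provisioned nodes (assumed; adapt to your own).
NODE_PATTERN = re.compile(r"^(web|app)\d+\.example\.com$")

# One line of `puppet cert list --all` (layout assumed from Puppet 2.7/3.x):
# '+ "name"' is signed, '- "name"' revoked, '  "name"' a pending request.
LINE_RE = re.compile(r'^([+\- ]) *"([^"]+)"')

# Constructed sample standing in for real `puppet cert list --all` output.
SAMPLE_CERT_LIST = """\
+ "puppet.example.com" (SHA256) AA:BB:CC
  "web01.example.com" (SHA256) DD:EE:FF
  "rogue.example.com" (SHA256) 11:22:33
+ "web02.example.com" (SHA256) 44:55:66
- "web03.example.com" (SHA256) 77:88:99 (certificate revoked)
"""

def parse_cert_list(output):
    """Return (pending, signed) certname sets; revoked entries are skipped."""
    pending, signed = set(), set()
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        marker, name = m.groups()
        if marker == "+":
            signed.add(name)
        elif marker == " ":
            pending.add(name)
    return pending, signed

def plan(pending, signed, known_hosts):
    """known_hosts: certnames you launched (in practice from your cloud API).
    sign  = pending, launched by you, on-convention;
    hold  = pending but unknown/off-convention (leave for a human);
    clean = signed on-convention certs with no running host, so the
            hostname can be reused by the next instance."""
    wanted = {n for n in pending if n in known_hosts and NODE_PATTERN.match(n)}
    stale = {n for n in signed if n not in known_hosts and NODE_PATTERN.match(n)}
    return {"sign": sorted(wanted), "hold": sorted(pending - wanted),
            "clean": sorted(stale)}

def apply_plan(actions, run=subprocess.check_call):
    """Execute the plan with the puppet CLI; `run` is injectable for dry runs."""
    for name in actions["clean"]:
        run(["puppet", "cert", "clean", name])
    for name in actions["sign"]:
        run(["puppet", "cert", "sign", name])
```

The clean step only fires for on-convention names absent from the known-host list, so the cloud-side inventory it is fed must be current, otherwise a live node's cert is removed out from under it.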