Thanks... I got a few private responses as well that all seemed to be 
in line with what I figured we needed to do. It's entirely reasonable for us 
to have our clients 'curl ...' out to some endpoint to remove themselves at 
shutdown time. The concern I have is that I'd like to keep our clients from 
being able to do any other damage to the PuppetDB database while they're at 
it. We obviously want to use the Puppet CertName Whitelist in PuppetDB so 
that only our Puppet servers can send reports/connect to PuppetDB, and none 
of our clients can.

So that said ... I think I may end up going the 'CGI script' route. We 
already have what we call a 'cert-api' endpoint on our Puppet servers that 
allows our puppet clients to re-up their SSL certs every 15 days (we expire 
them very quickly). It's not unreasonable to add functionality to this 
endpoint allowing a client to request that its own node be destroyed.

That said, I have one question. We don't match our puppet 'node_name' to 
our puppet 'cert_name's. That is, our certnames are real FQDNs ... but our 
node names are kind of a combination of an arbitrary node name (like 
"web_server") and the certname. They look something like this 
"web_proxy_thingy|my.fqdn.her.com". In an ideal world, I would be able to 
tell PuppetDB that the true identifier that I care about is the 'certname' 
not the 'nodename'. That said, I think in our case we're going to have to 
do some hackery to figure this out.

Thanks again for the suggestions though.

On Thursday, December 11, 2014 1:04:59 AM UTC-8, Martin Alfke wrote:
>
> Hi Matt, 
> On 09 Dec 2014, at 19:58, Matt Wise <ma...@nextdoor.com> wrote: 
>
> > We boot up/shut-down 50-100 hosts a day on average... we're exploring 
> PuppetDB, but I'm concerned about the model of just 'waiting' for hosts to 
> be purged based on some checkin time. Is there any way to have our hosts 
> send a signal through the puppet-masters (or directly to puppetdb?) to 
> purge themselves when they're being terminated? 
>
> You can use the puppetdb rest api: 
> https://docs.puppetlabs.com/puppetdb/2.2/api/index.html 
>
> In my actual project we disable hosts via VM management system using this 
> API. 
> Works like a charm. 
>
> hth, 
>
> Martin 
>
>
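
The ownership check described in the reply above, where a client may ask the cert-api endpoint to destroy only its own node, shown as an added example that is not part of the original thread or of the poster's cert-api code. It assumes Apache mod_ssl verifies the client certificate in front of the CGI and exposes `SSL_CLIENT_VERIFY` and `SSL_CLIENT_S_DN_CN`, and that node names have the `role|certname` shape quoted above; the function names and the role pattern are hypothetical.

```python
import re

# Assumption: certnames are lowercase FQDNs made of ordinary DNS labels.
_FQDN = re.compile(r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")
# Assumption: the arbitrary role prefix is a simple identifier like "web_server".
_ROLE = re.compile(r"[A-Za-z0-9_]{1,64}")


class Denied(Exception):
    """Raised when a removal request must be rejected."""


def authenticated_certname(environ):
    """Return the certname the TLS layer verified, never one the client typed."""
    if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        raise Denied("client certificate not verified")
    cn = environ.get("SSL_CLIENT_S_DN_CN", "").lower()
    if len(cn) > 253 or not _FQDN.fullmatch(cn):
        raise Denied("certificate CN is not a valid FQDN")
    return cn


def authorize_self_removal(environ, requested_node):
    """Return the node name to deactivate, or raise Denied.

    The request is accepted only when the part after the single '|' is
    exactly the authenticated certname, so a host can name no node but
    its own, whatever role prefix it supplies.
    """
    cn = authenticated_certname(environ)
    role, sep, fqdn = requested_node.partition("|")
    if sep != "|" or "|" in fqdn:
        raise Denied("node name is not of the form role|certname")
    if not _ROLE.fullmatch(role):
        raise Denied("role prefix has unexpected characters")
    if fqdn.lower() != cn:
        raise Denied("node belongs to a different certname")
    return f"{role}|{cn}"


if __name__ == "__main__":
    # Constructed request environment, using the node name from the post.
    env = {"SSL_CLIENT_VERIFY": "SUCCESS", "SSL_CLIENT_S_DN_CN": "my.fqdn.her.com"}
    print(authorize_self_removal(env, "web_proxy_thingy|my.fqdn.her.com"))
    try:
        authorize_self_removal(env, "web_proxy_thingy|other.fqdn.her.com")
    except Denied as exc:
        print("denied:", exc)
```

Only the value returned by `authorize_self_removal` should be passed on to PuppetDB by the server-side script, which keeps the PuppetDB certname whitelist limited to the Puppet servers.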

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/6b368c6b-3e35-47a1-87f2-f28850e53370%40googlegroups.com.