Hello! We recently released a new version of the Puppet Platform that contained many CA-related deprecations, and we wanted to reach out and clarify a few things.

Currently in Puppet 5 there are two(!) mostly identical CA implementations, which can cause race conditions in signing and revoking, and which makes the entire system needlessly complicated and doubles the cost of fixing any one bug. In Puppet 6 we plan to remove one of the implementations, which will allow us to address many long-standing bugs with our CA functionality. I encourage you to check out a recent announcement regarding changes to our CLI workflows[1].

As part of this, most of our CA-related settings that currently live in puppet.conf are *unused* by anything that ships with the puppet-agent package. In Puppet 6, the puppet.conf file will contain mostly agent/apply-related settings, while most master and CA-related settings will move to Puppet Server's configuration files. Almost all of these changes should be mechanical in nature, for example:

Setting autosign in Puppet 5 looks like this:

    $ cat /etc/puppetlabs/puppet/puppet.conf
    [main]
    autosign = /usr/local/bin/my-autosigner

In Puppet 6 this will look like:

    $ cat /etc/puppetlabs/puppetserver/conf.d/ca.conf
    certificate-authority: {
        autosign: /usr/local/bin/my-autosigner
    }

While we wanted to get the deprecation notices in front of everyone as soon as possible, the Puppet Server side config changes have yet to land. For now, just be aware that these changes are coming and expect more from us soon about potential upgrade paths.

Thank you,
The Puppet Server Team

1. https://groups.google.com/d/msg/puppet-users/ri69kbtuSmQ/vizBEe-7AAAJ