Thank you for these suggestions.
I might be missing something, but these patterns seem to link parts of the
infrastructure at different locations/availability zones through virtual
private cloud links. I did not see if/how a Puppet Master is exposed to the
public internet there?
Any suggestio
Hi Matthias,
Yeah, it was more the closest documentation I could find. I got some advice
that the main thing people looked for when publicly exposed was to
prevent anyone being able to make CSR requests to the server, which would be
on the configured in /etc/puppetlabs/puppetserver/conf.d/auth.c
Hi Matthias,
I considered this myself some time ago in a project which was later
aborted, so here are some unfinished thoughts:
* You put all your trust into the cryptography implementation code of the
puppetserver process, so that server should always be kept up to date,
including the kernel.
*
We're using the vault_lookup[1] module to retrieve secrets from Vault via
mTLS. It works fairly well when grabbing secrets within a manifest.
However it feels like an anti-pattern by forcing lookups into our manifests
when we want to keep that in Hiera. I found a previous related thread[2]
wher