Hey, I'm not sure if this is preferred or not, but the approach I take is to have a command we run first, that copies any required secrets (and will generate SSH host keys and puppet certs if required first) into the NFS root. A cron job runs every 15 minutes and cleans up any of those secrets which are older than 2 hours (this could be much shorter).
Cheers, Andrew

On Thu, 2022-07-07 at 08:12 +0200, Diego Zuccato wrote:
> Hi all.
>
> Is there a preferred way to pass a (different) secret to every host
> being installed?
>
> Something to implement a workflow like:
> - admin asks Salt to (re)install a host
> - salt handles shutdown and switch reconfiguration (OT)
> - salt tells FAIserver to enable install of given host
> - FAI generates the secret and passes it back to Salt (or Salt generates
>   the secret and passes it to FAI, as long as there's a shared secret)
> - the host boots via network and installs as usual, saving/using the
>   given secret
> - FAI (or the reinstalled host) tells Salt reinstall is complete and
>   Salt "cleans up" (reconfig switches & so on) (OT)
>
> The only "solution" I could find is to save the secret in
> /srv/tftp/fai/pxelinux.cfg/C0A8xxyy in append line, like FAI_FLAGS,
> FAI_CONFIG_SRC and FAI_ACTION, but since append line can be at most 255
> chars there's not much space... It's good just for very small "secrets"
> (that get transferred in the clear, hence the need to reconfigure the
> switches).

-- 
Andrew Ruthven, Wellington, New Zealand
and...@etc.gen.nz | Catalyst Cloud: https://catalystcloud.nz
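The staging-plus-expiry scheme Andrew describes, as an added shell example (not code from the thread, from FAI or from Catalyst); the HOSTSECRETS directory layout under the NFS root, the 120-minute TTL and the 15-minute cron schedule are assumptions.

```shell
#!/bin/sh
# Added example: stage one host's secrets into the NFS root right before
# its install, and let a cron pass expire anything older than the TTL.
# Everything on an NFS root is readable by the install network, so the
# short lifetime is what bounds the exposure window.
set -eu

# stage_host_secrets HOST NFSROOT SRC
#   Copies SRC/HOST/* into NFSROOT/HOSTSECRETS/HOST (assumed layout),
#   generating an SSH host key there first if none has been staged.
#   Prints the staged directory.
stage_host_secrets() {
    host=$1; nfsroot=$2; src=$3
    dest="$nfsroot/HOSTSECRETS/$host"
    umask 077                      # staged files are owner-only
    mkdir -p "$dest"
    # Skipped when ssh-keygen is absent (e.g. a minimal test box).
    if [ ! -f "$dest/ssh_host_ed25519_key" ] \
       && command -v ssh-keygen >/dev/null 2>&1; then
        ssh-keygen -q -t ed25519 -N '' -f "$dest/ssh_host_ed25519_key"
    fi
    for f in "$src/$host"/*; do
        [ -f "$f" ] && cp "$f" "$dest/"   # plain cp: mtime = staging time
    done
    touch "$dest"                  # TTL counts from now, not from last edit
    printf '%s\n' "$dest"
}

# cleanup_stale_secrets NFSROOT [MINUTES]
#   Removes staged secret directories older than MINUTES (default 120).
#   Intended crontab entry (assumed path):
#   */15 * * * * root /usr/local/sbin/cleanup_stale_secrets /srv/fai/nfsroot
cleanup_stale_secrets() {
    nfsroot=$1; ttl=${2:-120}
    base="$nfsroot/HOSTSECRETS"
    [ -d "$base" ] || return 0
    find "$base" -mindepth 1 -maxdepth 1 -type d -mmin +"$ttl" \
        -exec rm -rf {} +
}
```

The cleanup keys on the per-host directory mtime, which `stage_host_secrets` resets at the end, so re-staging a host restarts its clock.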