On Fri, 2023-10-06 at 06:47 +0200, Diego Zuccato wrote:
> On 05/10/2023 15:54, Laura Smith via linux-fai wrote:
> > It's been a while since I worked with Salt, but IIRC it sounds like what
> > is not "clicking" is that you need to fix the TOFU problem.
>
> Actually there are 2 distinct problems:
> - pass the pubkey from the minion to FAI during the install (possibly in
> an authenticated way)
> - authorize that key in Salt from FAI
Not related to Salt, but possibly an approach that can be used here.

I have a script that we run on the FAI server for managing secrets. It will copy secrets, generating them as required, into the NFSROOT and then remove them after a period of time. I have this handling ssh hostkeys so we can get the same keys on a rebuild. It can handle Puppet keys, including signing them, although we no longer use it for Puppet.

This isn't ideal as the secrets are still present in the NFSROOT for a short period of time, but does solve the chicken and egg issue others mentioned and removes the need for a generic "sign any request that comes in" that others have suggested.

Cheers,
Andrew

--
Andrew Ruthven, Wellington, New Zealand
[email protected]          | Catalyst Cloud:
https://catalystcloud.nz   | This space intentionally left blank
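The staging-and-expiry pattern Andrew describes, as an added example (not his script): per-host ssh host keys live in a persistent store on the FAI server so a rebuild gets the same keys, are copied into the NFSROOT for a bounded window, and are swept out once that window passes. The directory layout, the `.staged` marker file and the TTL value are assumptions, not something from the post.

```shell
#!/bin/sh
# Stage per-host ssh host keys into the FAI NFSROOT for a limited time.
# Assumed layout (constructed for this example):
#   $KEYSTORE/<host>/ssh_host_ed25519_key{,.pub}  persistent store on the FAI server
#   $NFSROOT/etc/fai/secrets/<host>/               short-lived staging directory
set -eu

KEYSTORE="${KEYSTORE:-/srv/fai/keystore}"
NFSROOT="${NFSROOT:-/srv/fai/nfsroot}"
TTL_MIN="${TTL_MIN:-30}"   # minutes a staged secret may remain in the NFSROOT

# Make sure a persistent host key exists for $1; it is generated only once,
# so every later rebuild of that host reuses the same key.
ensure_hostkey() {
    host="$1"; dir="$KEYSTORE/$host"
    mkdir -p "$dir"; chmod 700 "$dir"
    if [ ! -f "$dir/ssh_host_ed25519_key" ]; then
        ssh-keygen -q -t ed25519 -N '' -C "$host" -f "$dir/ssh_host_ed25519_key"
    fi
}

# Copy the key pair for $1 into the NFSROOT with tight permissions and drop a
# timestamp marker that the expiry sweep uses. Prints the staging directory.
stage_hostkey() {
    host="$1"
    ensure_hostkey "$host"
    dst="$NFSROOT/etc/fai/secrets/$host"
    mkdir -p "$dst"; chmod 700 "$dst"
    cp "$KEYSTORE/$host/ssh_host_ed25519_key" "$KEYSTORE/$host/ssh_host_ed25519_key.pub" "$dst/"
    chmod 600 "$dst/ssh_host_ed25519_key"
    chmod 644 "$dst/ssh_host_ed25519_key.pub"
    touch "$dst/.staged"
    printf '%s\n' "$dst"
}

# Remove every staging directory whose marker is older than TTL_MIN minutes
# (run from cron on the FAI server). Prints the number of directories removed.
expire_staged() {
    base="$NFSROOT/etc/fai/secrets"
    n=0
    if [ -d "$base" ]; then
        # hostnames contain no whitespace, so word splitting on find's output is safe here
        for marker in $(find "$base" -mindepth 2 -maxdepth 2 -name .staged -mmin "+$TTL_MIN"); do
            rm -rf "$(dirname "$marker")"
            n=$((n + 1))
        done
    fi
    printf '%s\n' "$n"
}
```

Secrets are only ever present in the NFSROOT between `stage_hostkey` and the next `expire_staged` sweep, which is the residual exposure window Andrew mentions.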
