> The only problem I see with deprecating active_record storeconfigs is:
> How are you going to use exported resources in puppet apply
> environments, without having to do all the SSL dance?
>
> https://groups.google.com/forum/#!msg/puppet-users/L4CAHh3eYag/To9nHlAvA34J

Well, we could simplify the SSL for puppetdb, an option to let it use server side validation only basically (so still SSL, but no client auth). CA validation is also on the table.

Of course, just to mention: reducing authentication requirements is what it is, it's a compromise to security somewhere and one has to make the correct decisions around this.

Another entirely different approach for production environments is to remove PKI handling, so it's independent of puppet apply, and make it easier and closer to system bootstrap time for everyone. i.e. make ssl easier, so we don't have to drop security features.

> While I might not yet have fully figured out that puppetdb can also be
> used without SSL nowadays, it looks like no one could answer my question.

It can, but the terminus won't use cleartext. Probably a bad idea to ever let this happen in production. I can see use cases for it in test/debugging.

> Why does one want to use storeconfigs/exported resources in a puppet
> apply environment? Actually you don't, but if you share modules, you
> might end up with modules that require them.

Exported resources can still be a thing for masterless environments, plus searching based solutions like puppetdbquery. I can totally see this - all the same rules apply to mastered environments in this case, generally speaking.

Plus some users just want facts or reports, not exported resources or searching. So that their tools can analyze this out-of-band. That's also a viable use-case.

> And currently - up to my knowledge - it is not possible to use them in
> apply-mode without getting any kind of warning or doing all the heavy
> lifting of installing puppetdb. Which is quite easy, but still it's
> not just yum install puppet; git clone mymodules; git apply mymodules.

If we presume PuppetDB would already exist somewhere it's about making the client install easier. I think if we allow server side validation only, then perhaps the dance would become somewhat smaller.

If we presume no PuppetDB, then it's a little trickier to make this fast. I'm guessing this is a dev environment requirement in most cases. Me? I'd probably want tooling around the puppetdb subcommand to help me fire up PuppetDB easier, like puppetdb dev <insert params here> where params could be port etc. Or maybe a jar file I can fire up. Helpers in tooling like beaker come to mind, especially if you wanted to test a module that requires exported resources for example, end-to-end.

ken.