On Mon Dec 22 2014 at 9:01:51 PM Eric Sorenson <eric.soren...@puppetlabs.com> wrote:

> [ sorry for the double-post, I sent this to puppet-users as well, but am
> posting separately here to keep the threading separate.. Damn reply-to
> munging ]
>
> Hiya, one of the cool things in the new Puppet Server is a
> re-implementation of Puppet's certificate authority code. The
> implementation up to last week's 1.0.0 release is pretty strictly
> backwards-compatible with the Ruby implementation, using the same
> filesystem layout, same HTTP endpoints, etc., but early next year we need
> to start making some changes and I wanted to solicit some feedback to see
> what y'all are using. So, some questions:
>
> - Are you using scripts which run and parse output from `puppet cert`,
> `puppet certificate`, `puppet ca`, `puppet certificate_request` and/or
> `puppet certificate_revocation_list`? If so, what do the scripts do with
> the commands, and what output do they expect? (As an aside one of the
> problems we're aiming to fix is the multiplicity of confusingly overlapping
> functionality available in these subcommands)
>
> - Are you using the HTTP API around certificates in your own
> tooling/automation? These are endpoints like `/certificate/ca`,
> `/certificate/<some host name>`,
> `/<environment>/certificate_revocation_list/ca`,
> `/<environment>/certificate_request/`, `/<environment>/certificate_status`
> Same question -- what do you use the endpoints to accomplish, and are
> there particularly important pieces of data in the output for your
> use-cases?
>

We use this to revoke certificates when we decommission hosts in our
provisioning tool chain. So mostly the certificate_status endpoint is used.
We also have some puppet code to get a request from some other puppet master
than the current one, that uses all the endpoints the agent uses to request
a certificate.

> - Are you using any programs which load the Puppet Ruby code as a library
> in order to make use of the certificate-related classes/methods directly?
> Is that because there was something you couldn't do through the
> command-line or REST APIs? I would be pretty surprised if anyone was doing
> this but you're going to have to make the deepest changes so it's important
> for me to understand what you're relying on.
>

Yes, we do this to request the certificate as part of running masterless
puppet. So this is mostly this code snippet:

    require 'puppet/ssl/host'

    # Talk to a remote CA instead of the local CA directory.
    Puppet::SSL::Host.ca_location = :remote
    # Defaults to this node's certname; generates the key and CSR if needed.
    host = Puppet::SSL::Host.new
    # Submit the CSR and fetch the cert; 0 means don't poll for it to be signed.
    host.wait_for_cert(0)

This is inside of a Puppet application so made sense to reuse the same code
as the agent does.

> - Are you making use of stuff that lives in the CA filesystem in your own
> tooling, that does NOT go through any of the Puppet APIs? If so, STOP DOING
> THAT! Just kidding, sorta. But it would be very interesting to know whether
> you're using things like the `serial` or `inventory.txt` files in your
> scripts or workflows.
>

Yes, we do this as well, have a script that will figure out which
certificates (serial numbers) should be active, and revokes everything else.
So it can from the inventory.txt and a list of active hosts rebuild the CRL
from scratch. Needed every time PUP-2189 happens. The script can be seen in
all its ugliness here: https://gist.github.com/dalen/82461936d4d3af17b695

>
> Feel free to follow-up here or on
> https://tickets.puppetlabs.com/browse/SERVER-270
>
> Eric Sorenson - eric.soren...@puppetlabs.com - freenode #puppet: eric0
> puppet platform // coffee // techno // bicycles
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Developers" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-dev+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-dev/50D1D662-A11B-4CA6-8A63-0E7240C561B1%40puppetlabs.com
> For more options, visit https://groups.google.com/d/optout.

--
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-dev/CAAAzDLdeORp58_xNorrbWNMDys8aKpjY5%2Bf9uL84o2%3Dije15vg%40mail.gmail.com.
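The CRL rebuild described in the reply above, as an added example that is neither the linked gist nor Puppet's own code: it parses the CA's inventory.txt, keeps the newest serial of each host that is still active, and signs a fresh CRL listing every other serial. The inventory.txt line layout (`0x<hex serial> <not-before> <not-after> /CN=<certname>`), the throwaway self-signed CA, and the helper names are assumptions; the sample inventory and host list are constructed.

```ruby
# Added example, not code from the thread or from Puppet itself.
# Recomputes which certificate serials should be revoked from the CA's
# inventory.txt plus a list of active hosts, then builds a fresh CRL.
require 'openssl'
require 'set'

# Assumed inventory.txt layout: "0x<hex serial> <not-before> <not-after> /CN=<certname>".
INVENTORY_LINE = %r{\A0x(?<serial>\h+)\s+(?<nb>\S+)\s+(?<na>\S+)\s+/CN=(?<cn>\S+)\s*\z}

# Constructed sample inventory: web01 was re-issued (serials 2 and 5),
# db01 has been decommissioned (serial 3), web02 is still active (serial 4).
SAMPLE_INVENTORY = <<~INV
  0x0001 2014-01-01T00:00:00UTC 2019-01-01T00:00:00UTC /CN=puppet.example.com
  0x0002 2014-02-01T00:00:00UTC 2019-02-01T00:00:00UTC /CN=web01.example.com
  0x0003 2014-03-01T00:00:00UTC 2019-03-01T00:00:00UTC /CN=db01.example.com
  0x0004 2014-04-01T00:00:00UTC 2019-04-01T00:00:00UTC /CN=web02.example.com
  0x0005 2014-05-01T00:00:00UTC 2019-05-01T00:00:00UTC /CN=web01.example.com
INV

# Constructed list of hosts the provisioning tool chain still considers live.
ACTIVE_HOSTS = %w[puppet.example.com web01.example.com web02.example.com].freeze

Entry = Struct.new(:serial, :certname)

# Parse inventory.txt text into entries; lines that do not match the layout are ignored.
def parse_inventory(text)
  text.each_line.map do |line|
    (m = INVENTORY_LINE.match(line)) && Entry.new(m[:serial].to_i(16), m[:cn])
  end.compact
end

# Keep only the newest serial of each active host; every other serial gets revoked.
def serials_to_revoke(entries, active_hosts)
  active = active_hosts.to_set
  newest = {}
  entries.each do |e|
    next unless active.include?(e.certname)
    newest[e.certname] = e.serial if newest.fetch(e.certname, -1) < e.serial
  end
  keep = newest.values.to_set
  entries.map(&:serial).reject { |s| keep.include?(s) }.sort
end

# Build and sign a v2 CRL that lists the given serials, using the CA's key and cert.
def build_crl(ca_key, ca_cert, serials, now = Time.now)
  crl = OpenSSL::X509::CRL.new
  crl.version = 1
  crl.issuer = ca_cert.subject
  crl.last_update = now
  crl.next_update = now + 30 * 86_400
  serials.each do |s|
    r = OpenSSL::X509::Revoked.new
    r.serial = OpenSSL::BN.new(s.to_s)
    r.time = now
    crl.add_revoked(r)
  end
  crl.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  crl
end

# Throwaway self-signed CA (assumption) so the example runs without a real CA directory.
def throwaway_ca(now = Time.now)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 0
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=Example Puppet CA')
  cert.public_key = key.public_key
  cert.not_before = now
  cert.not_after = now + 365 * 86_400
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# Serials a CRL actually carries, for checking the rebuilt CRL before publishing it.
def revoked_serials(crl)
  crl.revoked.map { |r| r.serial.to_i }.sort
end

if $PROGRAM_NAME == __FILE__
  entries = parse_inventory(SAMPLE_INVENTORY)
  to_revoke = serials_to_revoke(entries, ACTIVE_HOSTS)
  key, cert = throwaway_ca
  crl = build_crl(key, cert, to_revoke)
  puts "revoking serials: #{to_revoke.inspect}"
  puts crl.to_pem
end
```

With the sample inventory this revokes serials 2 (the superseded web01 cert) and 3 (the decommissioned db01 cert) and keeps 1, 4 and 5. Because this reads inventory.txt and signs with the CA key directly, it sits outside the CA's own APIs, which is exactly the dependency Eric asks about; verify the rebuilt CRL against the CA cert before replacing the served one, since agents will fetch whatever the CA publishes.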