On 22/12/14 20:01, Eric Sorenson wrote:
> [ sorry for the double-post, I sent this to puppet-users as well, but am
> posting separately here to keep the threading separate.. Damn reply-to
> munging ]
> 
> Hiya, one of the cool things in the new Puppet Server is a
> re-implementation of Puppet's certificate authority code. The
> implementation up to last week's 1.0.0 release is pretty strictly
> backwards-compatible with the Ruby implementation, using the same
> filesystem layout, same HTTP endpoints, etc., but early next year we
> need to start making some changes and I wanted to solicit some feedback
> to see what y'all are using. So, some questions:
> 
> - Are you using scripts which run and parse output from `puppet cert`,
> `puppet certificate`, `puppet ca`, `puppet certificate_request` and/or
> `puppet certificate_revocation_list`? If so, what do the scripts do with
> the commands, and what output do they expect?  (As an aside one of the
> problems we're aiming to fix is the multiplicity of confusingly
> overlapping functionality available in these subcommands)

Foreman's smart proxy (a management agent) uses `puppet cert`. You can
find it here:
https://github.com/theforeman/smart-proxy/blob/develop/modules/puppetca/puppetca_main.rb

It uses "puppet cert --list --all", "puppet cert sign" and "puppet cert
clean".  sign/clean are just basic execution, but listing appears to
parse the output very precisely, so I expect any change in output format
would break it.

"puppet cert --generate" is also used to generate a CA and certificate
when setting up a Puppet master in this module:
https://github.com/theforeman/puppet-puppet/blob/2.3.1/manifests/server/config.pp#L62-L66
(usually run from puppet apply).

> - Are you using the HTTP API around certificates in your own
> tooling/automation? These are endpoints like `/certificate/ca`,
> `/certificate/<some host name>`,
> `/<environment>/certificate_revocation_list/ca` ,
> `/<environment>/certificate_request/`,
> `/<environment>/certificate_status`. Same question -- what do you use
> the endpoints to accomplish, and are there particularly important pieces
> of data in the output for your use-cases?

I'd prefer to reimplement it against the API, incidentally.  A change in
the CLI might be a good reason to do it.

> - Are you using any programs which load the Puppet Ruby code as a
> library in order to make use of the certificate-related classes/methods
> directly? Is that because there was something you couldn't do through
> the command-line or REST APIs? I would be pretty surprised if anyone was
> doing this but you're going to have to make the deepest changes so it's
> important for me to understand what you're relying on.

Not for certificates.

> - Are you making use of stuff that lives in the CA filesystem in your
> own tooling, that does NOT go through any of the Puppet APIs? If so,
> STOP DOING THAT! Just kidding, sorta. But it would be very interesting
> to know whether you're using things like the `serial` or `inventory.txt`
> files in your scripts or workflows.

By default, Foreman re-uses Puppet certificates and keys, so the
locations are important; however, they're not modified.

Cheers,

-- 
Dominic Cleal
Red Hat Engineering
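
As an added example (not Foreman's smart-proxy code or Puppet's own), here is a parser for the per-host lines that `puppet cert --list --all` prints, written to fail closed on any line it does not recognise, so an output-format change breaks loudly instead of silently dropping hosts. The line layout it assumes is the Puppet 3.x one (leading `+` for signed, `-` for revoked, blank for a pending request, then the quoted certname, the digest name in parentheses, the fingerprint and optional annotations), and the sample output is constructed.

```ruby
# Assumed Puppet 3.x layout of one `puppet cert --list --all` line:
#   <glyph> "<certname>" (<DIGEST>) <fingerprint> [(alt names: ...)] [(certificate revoked)]
# glyph: '+' signed, '-' revoked, none (just whitespace) for a pending request.
HostEntry = Struct.new(:name, :state, :digest, :fingerprint, :alt_names,
                       keyword_init: true)

LINE_RE = /\A([+-]?)\s*"([^"]+)"\s+\((\w+)\)\s+([0-9A-F:]+)(.*)\z/i

# Parse one line; returns a HostEntry or nil when the layout is unrecognised.
def parse_cert_list_line(line)
  m = LINE_RE.match(line.rstrip)
  return nil unless m
  glyph, name, digest, fingerprint, rest = m.captures
  state = case glyph
          when '+' then :signed
          when '-' then :revoked
          else :pending
          end
  # Alt names appear as: (alt names: "DNS:puppet", "DNS:puppet.example.com")
  alt = rest[/\(alt names:\s*([^)]*)\)/, 1]
  alt_names = alt ? alt.scan(/"([^"]+)"/).flatten : []
  HostEntry.new(name: name, state: state, digest: digest,
                fingerprint: fingerprint.upcase, alt_names: alt_names)
end

# Parse the whole command output. Blank lines are skipped; any other line that
# does not match raises, because a CA automation script must not guess.
def parse_cert_list(output)
  output.each_line.map do |line|
    next nil if line.strip.empty?
    parse_cert_list_line(line) ||
      raise(ArgumentError, "unrecognised `puppet cert --list` line: #{line.inspect}")
  end.compact
end

# Constructed sample output (fingerprints are placeholders, not real values).
CONSTRUCTED_OUTPUT = [
  '  "agent01.example.com" (SHA256) 11:22:33:44',
  '+ "puppet.example.com" (SHA256) AB:CD:EF:01 (alt names: "DNS:puppet", "DNS:puppet.example.com")',
  '- "old.example.com" (SHA256) DE:AD:BE:EF (certificate revoked)',
  ''
].join("\n")

if __FILE__ == $PROGRAM_NAME
  parse_cert_list(CONSTRUCTED_OUTPUT).each { |e| puts "#{e.state}\t#{e.name}\t#{e.alt_names.join(',')}" }
end
```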

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Developers" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-dev/54B64E69.9090801%40redhat.com.