On Fri, Mar 26, 2010 at 3:22 AM, Daniel Pittman <dan...@rimspace.net> wrote:

> G'day.
>
> One of the current problems we face with our puppet network, and about which
> I would like to solicit opinions, is the distribution of secret keys for
> (mostly) SSL secured services.
>
> The most pressing example of this is that for reasons of availability want to
> process SSL on multiple machines for a single certificate.  The same issue
> applies to a wide range of internal and public services, though, where we need
> to distribute key material.[1]
>
> The prospect of putting the secret key into our revision control system has
> ... well, little appeal is probably being fair: we could certainly do it, but
> it suddenly means that a whole bunch of extra data has to be treated as high
> security rather than low security.[2]
>

One way to handle this would be by keeping confidential information in a
separate version control repository (not public), rather than in your main
one. Puppet has a system of module paths so you could keep your
confidential info separate from the content you would want to give to
everyone who would normally be working with Puppet, and check *both* of
these out on the Puppet server. For development systems/testing, you
could just check out a copy of a different repo, with testing/stage
credentials in the modules instead.

You could also use a custom function to pull this information from other
sources for accessing a keystore server side, though I'd be curious to what
those other services might be.

How is everyone else handling this?

--Michael
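As an added illustration of the "custom function that pulls from a server-side keystore" idea in the reply above (this is example code, not anything posted in the thread and not part of Puppet itself): the Puppet master keeps one file per secret in a directory outside the public module tree (the path `/etc/puppet/secrets` and the function name `secret` are assumptions), and the lookup refuses names that could escape that directory and files that other users can read. The plain Ruby `SecretStore` module does the work and runs stand-alone; the `Puppet::Parser::Functions.newfunction` wrapper at the end is the Puppet 2.x registration hook and is only evaluated when the file is loaded by the master. The private checkout from the reply would be wired in with a second `modulepath` entry in puppet.conf, e.g. `modulepath = /etc/puppet/modules:/etc/puppet/private-modules` (paths assumed).

```ruby
# Added example (not from the thread): a server-side secret lookup that a
# Puppet custom function can wrap. Assumed layout: one file per secret under
# /etc/puppet/secrets, owned by and readable only by the puppet master user.
require 'fileutils'
require 'tmpdir'

module SecretStore
  # Secret names are restricted to a safe character set so that a manifest
  # cannot request "../../etc/shadow" or an absolute path.
  NAME_RE = /\A[A-Za-z0-9_][A-Za-z0-9_.-]*\z/

  # Return the secret called +name+ stored in +dir+.
  # Raises ArgumentError for unsafe names, Errno::ENOENT when the secret is
  # missing, and SecurityError when the file is group- or world-readable
  # (a common way for key material to leak on a shared master).
  def self.lookup(name, dir)
    raise ArgumentError, "bad secret name #{name.inspect}" unless name =~ NAME_RE
    path = File.join(dir, name)
    raise Errno::ENOENT, path unless File.file?(path)
    mode = File.stat(path).mode & 0777
    if mode & 0077 != 0
      raise SecurityError, format('%s is group/world readable (mode %o)', path, mode)
    end
    File.read(path).chomp
  end

  # Write a secret with owner-only permissions; chmod is explicit because
  # the process umask only removes bits from the mode given to File.open.
  def self.store(name, dir, value)
    raise ArgumentError, "bad secret name #{name.inspect}" unless name =~ NAME_RE
    path = File.join(dir, name)
    File.open(path, 'w', 0600) { |f| f.puts value }
    File.chmod(0600, path)
    path
  end
end

# Puppet 2.x parser-function registration (assumed function name "secret").
# Manifests would then use:  $key = secret('www.example.com.key')
if defined?(Puppet::Parser::Functions)
  Puppet::Parser::Functions.newfunction(:secret, :type => :rvalue) do |args|
    SecretStore.lookup(args[0], '/etc/puppet/secrets')
  end
end

# Stand-alone demo against a throwaway directory with constructed values.
if __FILE__ == $0
  Dir.mktmpdir do |dir|
    SecretStore.store('demo_key', dir, 'constructed-demo-secret')
    puts SecretStore.lookup('demo_key', dir)
    begin
      SecretStore.lookup('../passwd', dir)
    rescue ArgumentError => e
      puts "rejected: #{e.message}"
    end
  end
end
```

The permission check matters more than it looks: a private git checkout on the master is typically world-readable, so a function that reads straight out of the module tree would still hand the key to every local account. Keeping secrets in a directory the function verifies, rather than in the checkout itself, keeps the "high security" surface limited to that directory.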
