Just concerning this PSK aspect of Sites, would this also be a similar alternative to using a shared cert (or set of certs) in tandem with the node_name_value or node_name_fact, as was recently suggested by Gary in this thread?
https://groups.google.com/d/msg/puppet-users/2s0PJ7p_S7M/jLVUjL34Wz4J

We're just evaluating Puppet now, but I'd considered using this strategy with my cert(s) to allow me to more freely deploy/recycle nodes and with one less human involved.

Tim

On Friday, 11 May 2012 12:39:40 UTC-4, Daniel Sauble wrote:
>
> We don't want Puppet admins to have to trust that their network is secure.
> What Puppet Sites provides (among other things) is a PSK system that allows
> you to generate multiple-use keys for securely joining nodes to your site.
> In the provisioning case, you could generate a pre-shared key, bake it into
> your install tarball, and use that tarball to install Puppet and add each
> node to your site without human intervention. When you're done installing,
> you can revoke the PSK so it can't be used anymore. This gets you the
> convenience of autosigning with the confidence that even if your network is
> compromised, your Puppet deployment won't be.
>
> But note that you can still use autosigning if you don't want to mess with
> pre-shared keys, or if you trust your network. We're just providing an
> alternative, not a replacement.