I am trying to configure the puppet master and puppet client to drive
off of existing X.509 certificates. The default logic is for puppet to
take over the permissions of the files. One solution, per [1], is to
crack the defaults.rb file. This seems nasty.
The second option I saw [2] was to use {} to denote the same items. So,
I added this to my puppet.conf file:
[puppetmasterd]
cacert=/etc/candlepin/certs/candlepin-ca.crt {owner = fred, mode = 644}
capub=/etc/candlepin/certs/candlepin-ca-pub.key
cakey = /etc/candlepin/certs/candlepin-ca.key {owner = root, mode = 644}
capass = /etc/candlepin/certs/candlepin-ca-password.txt {owner = root, mode = 644}
But this is not picked up because meta overrides are only taken from the
search path which is: [:cli, :memory, :name, :main]. I am guessing that
name in this case is meant to be puppetmasterd, but the magic of "turn
:name into the application name" is only found in
Puppet::Util::Settings.name method.
So, a couple of questions:
1) Is there good doco on how to use external certificates?
2) Is the goal to only set file permissions in the main section of
puppet.conf, or is this a bug?
3) Would the preferred fix for 2, assuming a bug, be to fix this in the
Puppet::Util::Settings.searchpath method (substitute @name for :name if
known) or in the Puppet::Util::Settings.unsafe_parse method?
Thanks!
-- bk
[1] http://projects.puppetlabs.com/projects/puppet/wiki/Certificates_And_Security
[2] http://linux.die.net/man/8/puppet.conf
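
Added example, not part of the original message and not Puppet's own code: a simplified Ruby model of the lookup as the message describes it, showing that metadata in [puppetmasterd] is skipped while :name stays a literal symbol in the search path and is found once it is replaced by the application name. parse_conf, file_meta and SAMPLE_CONF are hypothetical names, and the sample configuration is constructed from the settings posted above.

```ruby
# Simplified model of the behaviour described in the message; NOT Puppet's code.
# parse_conf, file_meta and SAMPLE_CONF are hypothetical names for this example.

# Constructed input, based on the settings posted in the message.
SAMPLE_CONF = <<~CONF
  [main]
  vardir = /var/lib/puppet
  [puppetmasterd]
  cacert = /etc/candlepin/certs/candlepin-ca.crt {owner = fred, mode = 644}
  cakey = /etc/candlepin/certs/candlepin-ca.key {owner = root, mode = 644}
CONF

# Parse "key = value {owner = x, mode = y}" lines into
# { section => { key => { value: "...", meta: { "owner" => "x", ... } } } }
def parse_conf(text)
  section = :main
  text.each_line.with_object(Hash.new { |h, k| h[k] = {} }) do |line, conf|
    line = line.strip
    next if line.empty? || line.start_with?("#")
    if (m = line.match(/\A\[(\w+)\]\z/))
      section = m[1].to_sym
    elsif (m = line.match(/\A(\w+)\s*=\s*(.*?)\s*(?:\{(.*)\})?\z/))
      meta = (m[3] || "").split(",").map { |pair| pair.split("=", 2).map(&:strip) }.to_h
      conf[section][m[1].to_sym] = { value: m[2], meta: meta }
    end
  end
end

# Walk the search path; the first section carrying metadata for the setting wins.
# resolve_name: when true, the :name placeholder is replaced by the application
# name before lookup (the substitution the message proposes for searchpath).
def file_meta(conf, setting, app_name, resolve_name:)
  searchpath = [:cli, :memory, :name, :main]
  searchpath = searchpath.map { |s| s == :name ? app_name : s } if resolve_name
  searchpath.each do |section|
    entry = conf.fetch(section, {})[setting]
    return entry[:meta] if entry && !entry[:meta].empty?
  end
  {}
end

conf = parse_conf(SAMPLE_CONF)
[false, true].each do |resolve|
  meta = file_meta(conf, :cakey, :puppetmasterd, resolve_name: resolve)
  puts "resolve_name=#{resolve}: cakey meta = #{meta}"
end
```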