Sorry for the late reply. The previous message became buried under last-minute
stuff...
>> I've done some more development on my Puppet module that handles password
>> integration with Secret Server from Thycotic, and now it handles
>> certificates as well.
>
>That is pretty darn awesome - lots of people out there want some sort
>of solution to this, and when I looked the Thycotic solution seemed
>pretty solid. Does this work with the hosted service as well as the
>in-house service?
I don't think it will work with the hosted service; however, if it supports the
same API, then there's no reason why it should not, as long as you can make an
account with the required privileges.
>> This allows you to have a 'password' define that ensures the password is
>> stored in SecretServer, and changes it on a regular basis:
>>
>> password { 'root': maxage=>60; }
>> password { 'oracle': }
>>
>> Also now you can manage certificates, and it will install and update them:
>>
>> ssl::cert { $fqdn: }
>> ssl::cert { 'foo.company.com': key=>'/usr/local/ssl/foo.key',
>> crt=>'/usr/local/ssl/foo.crt'; }
>>
>> The module will retrieve the certificate and key from SecretServer, then
>> optionally restart Apache after installing them. You can override this
>> behaviour, or specify a different location for the files than the default of
>> /etc/httpd/conf.
>> It can also work from files instead of secretserver if necessary.
>
> That looks pretty reasonable, but there are a couple of points that I
> wondered at - and so, I wanted to take a look at the code and help
> this be absolutely awesome!
I've uploaded a repackaged module to Puppet Forge --
http://forge.puppetlabs.com/sshipway/ss if you want to get it. There are still
a few issues to iron out with it; we are using it in a slightly different form
but the backend Ruby functions are the same.
The new module has classes:
ss::cert { 'www.foo.com': }
ss::password { root: maxage=>30 }
>Is this the best email address to send any suggestions about improvements?
[email protected] or [email protected] will get to me fastest.
>Would you accept pull requests or whatever?
This would not really be easy since our SVN server is internal and not
internet-visible. Also, development is a bit skewed since the version we
actually use is customised for our particular environment. The 'public'
version is more generic.
>Again, this looks absolutely awesome, and I would love to make it
>something that everyone wanted to use.
Hope it is of use to more people. I've also replied to Nigel Kirsten (your
colleague) about this as he's mentioned that he'd like an article for the blog
about how it was developed.
Note there is a known bug in the current public version - with the latest
SecretServer API, it can result in the incorrect password object being updated
due to the Search function in the API becoming a lot more fuzzy. I have a fix
for this in our internal version now and will copy it out to the public one
soon. In the meantime, the workaround is to disable the full text searching in
the SecretServer.
I'm also adding the ability for the class to pull out and install any
intermediate certificates required.
Steve
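The "wrong password object updated" bug above is the classic failure mode of a fuzzy search: the first hit is taken as the match. The following Ruby is an added example, not code from the sshipway/ss module or from the Thycotic API, showing the check the backend needs before it updates anything: filter the search results down to an exact name (and optionally folder) match and fail closed if there is none or more than one. The result array shape (`:id`, `:name`, `:folder`) is a constructed stand-in, not the real API response.

```ruby
# Added example (not the sshipway/ss module's code): select exactly one secret
# from a fuzzy search result set, or refuse to proceed.

# Constructed stand-in for a SecretServer search response. The real API's
# response shape is not assumed here; only these three fields are used.
SAMPLE_SEARCH_RESULTS = [
  { id: 101, name: 'root',         folder: 'Unix/prod' },
  { id: 102, name: 'root-backup',  folder: 'Unix/prod' },
  { id: 103, name: 'rootkit-scan', folder: 'Security' },
  { id: 104, name: 'root',         folder: 'Unix/dev' },
].freeze

class SecretNotFound < StandardError; end
class AmbiguousSecret < StandardError; end

# Return the single secret whose name equals +name+ exactly (and whose folder
# equals +folder+ when one is given). A fuzzy search that returns several
# candidates must never end with the first hit being rotated.
def select_secret(results, name, folder: nil)
  matches = results.select do |s|
    s[:name] == name && (folder.nil? || s[:folder] == folder)
  end
  raise SecretNotFound, "no secret named #{name.inspect}" if matches.empty?
  if matches.size > 1
    raise AmbiguousSecret,
          "#{matches.size} secrets named #{name.inspect}; specify a folder"
  end
  matches.first
end
```

With this in place the fuzzy search becomes harmless: `root` scoped to `Unix/prod` resolves to id 101, `rootkit-scan` resolves by exact name alone, and an unscoped `root` raises rather than silently picking one of the two.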
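Since `ss::cert` writes the retrieved key and certificate into the Apache config directory and may restart Apache, and intermediates are about to be added, the check a practitioner wants before that restart is that the key actually matches the certificate and that the intermediates chain up from the leaf in order. The Ruby below is an added example, not the module's own code: `validate_bundle` is a hypothetical helper, and the root/intermediate/leaf material is generated in-process so the example runs offline.

```ruby
require 'openssl'

# Added example (not the sshipway/ss module's own code): refuse to install a
# key/cert bundle pulled from the secret store unless the key matches the leaf
# and every intermediate is the signer of the certificate before it.

# Build one X.509 certificate; self-signed when no issuer is given.
def make_cert(subject, key, issuer_cert: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = OpenSSL::BN.rand(64)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer_cert || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints',
                                         ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Constructed test material (not real CA output): root -> intermediate -> leaf.
def build_sample_bundle
  root_key = OpenSSL::PKey::RSA.new(2048)
  int_key  = OpenSSL::PKey::RSA.new(2048)
  leaf_key = OpenSSL::PKey::RSA.new(2048)
  root = make_cert('/CN=Example Root', root_key, ca: true)
  int  = make_cert('/CN=Example Intermediate', int_key,
                   issuer_cert: root, issuer_key: root_key, ca: true)
  leaf = make_cert('/CN=foo.company.com', leaf_key,
                   issuer_cert: int, issuer_key: int_key)
  {
    key: leaf_key.to_pem,
    crt: leaf.to_pem,
    intermediates: [int.to_pem, root.to_pem], # leaf's issuer first
    wrong_key: int_key.to_pem                 # a key that does not match the leaf
  }
end

# Returns [ok, reason]. Only an [true, 'ok'] result should be written to disk
# and followed by a service restart.
def validate_bundle(key_pem, crt_pem, intermediates_pem = [])
  key   = OpenSSL::PKey.read(key_pem)
  leaf  = OpenSSL::X509::Certificate.new(crt_pem)
  chain = intermediates_pem.map { |pem| OpenSSL::X509::Certificate.new(pem) }

  unless leaf.check_private_key(key)
    return [false, 'private key does not match certificate']
  end

  # Walk leaf -> intermediate -> ... ; each cert must name and be signed by
  # the next one, so an out-of-order or unrelated bundle is rejected.
  ([leaf] + chain).each_cons(2) do |child, parent|
    unless child.issuer.to_s == parent.subject.to_s && child.verify(parent.public_key)
      return [false, "#{child.subject} is not signed by #{parent.subject}"]
    end
  end
  [true, 'ok']
end
```

The check is deliberately strict about order: a bundle with the root placed before the intermediate is rejected, since Apache expects the chain file to run from the leaf's issuer upward. The same function accepts a bundle with no intermediates at all, which matches the current behaviour of the class.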
--
You received this message because you are subscribed to the Google Groups
"Puppet Developers" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to
[email protected].
For more options, visit this group at
http://groups.google.com/group/puppet-dev?hl=en.