Hi all, Hi all,
We use puppet for, amongst other things, managing the private-key files needed for things like SSL certificates for HTTPS web servers. We have a few constraints on how these are handled, and changes in recent versions of puppet are making this harder than it perhaps ought to be to implement, so I'm curious to know how others are handling it. A site's private key file should obviously be kept private, and only those nodes which are running the site should have access to it. This would seem to rule out using something like file{"/path/to/foo.key": source=>"puppet:///keys/foo.key"} , because any valid puppet client could access foo.key. It's possible to secure the file server, but not (as far as I can see) in a way which is aware of the node's manifest. So either we'd have to keep updating auth.conf with a list of nodes that were allowed to access each key file (error-prone, we have hundreds of both, and the node<=>required keys relationship is many-to-many ), or accept that other nodes could access keys that they shouldn't be able to. So, we currently do this: file{"/path/to/foo.key": content=>file("/keys/foo.key")} Since (AIUI) nodes can only access the catalog for the FQDN which matches their certificate, the puppetmaster will ensure that the key is available only to the hosts that need it. All good, except that in 0.25 and up (which we're slowly migrating to), this often doesn't work. The rest APIs require UTF-8 content, and keys are binary, so catalog requests fail if the key happens to contain bytes which aren't valid UTF-8. (http:// projects.puppetlabs.com/issues/4832 talks about this a bit, and includes the observation that "So there’s a design decision after all: If PSON is to be JSON compatible – no binary data.". How are other people getting around this? Do you just allow all clients to access all keys? Is there a native type, or an auth.conf trick, that I'm missing? Or a more binary-friendly encoding than JSON/ PSON ? thanks! Chris -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-us...@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.