On Thursday, May 10, 2012 11:37:34 AM UTC-7, ohad wrote:
>
> On Thu, May 10, 2012 at 9:34 PM, Daniel Sauble <djsau...@puppetlabs.com> wrote:
>
>> On Thursday, May 10, 2012 10:39:22 AM UTC-7, windowsrefund wrote:
>>>
>>>
>>> On May 10, 12:44 pm, Daniel Sauble <djsau...@puppetlabs.com> wrote: 
>>> > 
>>> >    - Securely add nodes to your deployment without manually signing 
>>> >    certificates on the CA... 
>>> >       - ...so that you can have the advantages of autosigning without its
>>> >       security problems.
>>> > 
>>>
>>> I'm about to engage on a similar effort and was thinking of writing a 
>>> puppet face to handle this job. Can you elaborate on the work flow and 
>>> solution you're thinking about? 
>>>
>>
>> We're looking to implement a Puppet Face to address this need. The 
>> workflow currently looks like:
>>
>>
>>    1. Log in to the site host
>>    2. Generate a pre-shared key 
>>    3. Join a node to the site using the pre-shared key 
>>    4. Repeat step 3 for every node you want to add to the site 
>>
>>
>> From the command-line, this workflow might be represented as the 
>> following:
>>
>> node02$ ssh ad...@site02.domain.com
>> Last login: Mon May  7 18:15:43 2012
>> site02$ mount /media/usbdisk
>> site02$ puppet site generate key > /media/usbdisk/site.key
>> site02$ umount /media/usbdisk
>> site02$ exit
>> node02$ mount /media/usbdisk
>> node02$ puppet node join site02.domain.com < /media/usbdisk/site.key
>> Trying to add node02.domain.com to the site at site02.domain.com...
>>
>> Use `puppet site status node02.domain.com` to confirm success
>>
>> To stop waiting for the command to complete, press Ctrl-C.
>>
>>   The command will still complete in the background.
>> Added node02.domain.com to the site at site02.domain.com
>>  
>>
> Will you allow the older workflow to coexist? Would it be possible to
> drive all of the process via an external API?
>

No, at present we are looking to deprecate the 'clean', 'generate', 'list',
'revoke', and 'sign' actions of the puppet cert face. The reason for this is
we want the semantics of the user interface to match the user need. The
impression I've gotten (and feel free to chime in) is that users don't want
to sign certificates, they want to add nodes to their deployment.

Yes, the goal is that all the functionality of the Puppet Face will also be 
available via the REST API.
