On Tue, Nov 6, 2012 at 7:29 AM, Vaidas Jablonskis <jablons...@gmail.com> wrote:
> Hi People,
>
> I would like some insight from you on how to easily manage SSL certs/keys.
>
> My puppet infrastructure is pretty straightforward:
> puppet3+puppetdb+hiera+hiera-gpg.
>
> I am in the process of writing tons of modules, which are pretty general
> modules with no hardcoded dependencies between them. As I am going forward
> with building modules and stuff I came across an issue: how to manage SSL
> certs.
>
> Let me give you an example scenario:
> I have a node named "node.example.com" which gets some apps configured by
> puppet by 3 different modules, let's call them app1, app2 and app3. Those
> applications require SSL certificates to function properly. The CN of the
> cert needs to reflect the hostname of the node.
>
> What options do I have here? In my opinion I could:
>
> 1. Use hiera text blocks and store certs/keys in hiera/hiera-gpg in a
> variable something like: "ssl_cert_node.example.com" and
> "ssl_key_node.example.com" and then reference this variable inside a module
> using variables so nothing is hardcoded.
> 2. Build an SSL module which would distribute certs/keys taken from
> hiera/hiera-gpg.
>
> Any other ideas? I do not want to use module dependencies and I hate
> hardcoding stuff into modules.
I use the "private" area in the puppet file server.

    $ cat /etc/puppet/fileserver.conf
    [private]
      path /etc/puppet/private/%h
      allow *

For example:

    file { "/etc/ssh/ssh_host_dsa_key":
      mode    => '0600',
      source  => "puppet:///private/etc/ssh/ssh_host_dsa_key",
      require => Class["ssh::install"],
      notify  => Service["ssh"],
    }

-mz
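As an added example (not code from either poster), the per-host private mount above applied to the original question: a defined type that drops a cert/key pair for one application from the node's own private directory, with nothing hostname-specific in the module. Note that `%h` in fileserver.conf expands to the short hostname; the example assumes the mount uses `%H` so the server-side directories are named by FQDN. The `ssl::hostcert` name, the `/etc/ssl/<app>` layout and the `ssl/<app>/{cert,key}.pem` layout under the private mount are assumptions.

```puppet
# Assumed /etc/puppet/fileserver.conf: one mount whose path is expanded per
# client, so a node can only fetch files from its own directory.
# %H = client FQDN (e.g. /etc/puppet/private/node.example.com); %h would be
# the short hostname ("node").
#   [private]
#     path /etc/puppet/private/%H
#     allow *

# Assumed server-side layout under each node's directory:
#   ssl/<app>/cert.pem
#   ssl/<app>/key.pem
define ssl::hostcert (
  $service,                        # service to restart when the files change
  $ssl_dir = "/etc/ssl/${title}",  # $title is the application name
  $owner   = 'root',
  $group   = 'root',
) {
  file { $ssl_dir:
    ensure => directory,
    owner  => $owner,
    group  => $group,
    mode   => '0755',
  }

  # The certificate is public; world-readable is fine.
  file { "${ssl_dir}/cert.pem":
    ensure => file,
    owner  => $owner,
    group  => $group,
    mode   => '0644',
    source => "puppet:///private/ssl/${title}/cert.pem",
    notify => Service[$service],
  }

  # The private key is owner-readable only and its contents are kept out
  # of agent logs and reports.
  file { "${ssl_dir}/key.pem":
    ensure    => file,
    owner     => $owner,
    group     => $group,
    mode      => '0600',
    source    => "puppet:///private/ssl/${title}/key.pem",
    show_diff => false,
    notify    => Service[$service],
  }
}

# Usage from an application module; the node name never appears here.
ssl::hostcert { 'app1': service => 'app1', owner => 'app1', group => 'app1' }
```

Because the mount path is expanded from the requesting client's certname, a compromised node can only read its own key, which is the main advantage over a shared hiera lookup keyed by hostname.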