That would work if I didn't want to have everything under version 
control. I guess the only option for storing certs/keys I have is hiera-gpg 
with yaml or some other backend.

I am still trying to figure out what should distribute certs/keys - is it a 
separate module or the app module itself? What would be the best practice 
in this case?

Thanks

On Tuesday, 6 November 2012 15:28:39 UTC, Matt Zagrabelny wrote:
>
> On Tue, Nov 6, 2012 at 7:29 AM, Vaidas Jablonskis <jablo...@gmail.com> wrote: 
> > Hi People, 
> > 
> > I would like some insight from you on how to easily manage SSL certs/keys. 
> > 
> > My puppet infrastructure is pretty straightforward: 
> > puppet3+puppetdb+hiera+hiera-gpg. 
> > 
> > I am in the process of writing tons of modules, which are pretty general 
> > modules with no hardcoded dependencies between them. As I am going forward 
> > with building modules and stuff I came across the issue of how to manage SSL 
> > certs. 
> > 
> > Let me give you an example scenario: 
> > I have a node named "node.example.com" which gets some apps configured by 
> > puppet by 3 different modules, let's call them app1, app2 and app3. Those 
> > applications require SSL certificates to function properly. The CN of the 
> > cert needs to reflect the hostname of the node. 
> > 
> > What options do I have here? In my opinion I could: 
> > 
> > 1. Use hiera text blocks and store certs/keys in hiera/hiera-gpg in a 
> > variable something like "ssl_cert_node.example.com" and 
> > "ssl_key_node.example.com" and then reference this variable inside a module 
> > using variables so nothing is hardcoded. 
> > 2. Build an SSL module which would distribute certs/keys taken from 
> > hiera/hiera-gpg. 
> > 
> > Any other ideas? I do not want to use module dependencies and I hate 
> > hardcoding stuff into modules. 
>
> I use the "private" area in the puppet file server. 
>
> $ cat /etc/puppet/fileserver.conf 
> [private] 
>   path /etc/puppet/private/%h 
>   allow * 
>
> For example: 
>
>   file { "/etc/ssh/ssh_host_dsa_key": 
>     mode    => '0600', 
>     source  => "puppet:///private/etc/ssh/ssh_host_dsa_key", 
>     require => Class["ssh::install"], 
>     notify  => Service["ssh"], 
>   } 
>
> -mz 
>
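One way to realise option 2 from the original post (a small SSL module that pulls a node's cert/key from hiera and hiera-gpg, so app modules only depend on a file path), written as an added example for this thread rather than code from either poster. The module name `ssl`, the hiera key names `ssl_cert_<fqdn>`/`ssl_key_<fqdn>` and the target directories are assumptions.

```puppet
# Added example (not from the thread): modules/ssl/manifests/keypair.pp
# The define takes the CN as its title (normally $::fqdn), looks the pair up
# in hiera by that name, and enforces permissions. Because the lookup is keyed
# on the node's own hostname, a node only ever receives its own key material.
define ssl::keypair (
  $cert_dir = '/etc/ssl/certs',     # assumed default path
  $key_dir  = '/etc/ssl/private',   # assumed default path
  $owner    = 'root',
  $group    = 'root'
) {
  # hiera-gpg backend decrypts the key on the master; key names are assumed.
  $cert = hiera("ssl_cert_${title}")
  $key  = hiera("ssl_key_${title}")

  file { "${cert_dir}/${title}.crt":
    ensure  => file,
    owner   => $owner,
    group   => $group,
    mode    => '0444',    # public certificate: world-readable is acceptable
    content => $cert,
  }

  file { "${key_dir}/${title}.key":
    ensure    => file,
    owner     => $owner,
    group     => $group,
    mode      => '0600',  # private key: owner-only
    content   => $key,
    show_diff => false,   # keep key material out of reports and logs
    backup    => false,   # do not copy old keys into the filebucket
  }
}

# In site.pp or a profile class, not in keypair.pp:
#   ssl::keypair { $::fqdn: }
# app1/app2/app3 then take the cert/key paths as class parameters and
# declare require => Ssl::Keypair[$::fqdn] instead of shipping their own copies.
```

With this layout the corresponding hiera.yaml entry for node.example.com is a quoted key such as "ssl_key_node.example.com" in the gpg-encrypted file, and a per-host hierarchy level keeps one node's data from being visible to another.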

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msg/puppet-users/-/bY_e4y4_qYcJ.