That would work if I didn't want to have everything under version control. I guess the only option for storing certs/keys I have is hiera-gpg with yaml or some other backend.
I am still trying to figure out what should distribute certs/keys - is it a separate module or the app module itself? What would be the best practice in this case? Thanks

On Tuesday, 6 November 2012 15:28:39 UTC, Matt Zagrabelny wrote:
>
> On Tue, Nov 6, 2012 at 7:29 AM, Vaidas Jablonskis <jablo...@gmail.com> wrote:
> > Hi People,
> >
> > I would like some insight from you on how to easily manage SSL certs/keys.
> >
> > My puppet infrastructure is pretty straightforward:
> > puppet3+puppetdb+hiera+hiera-gpg.
> >
> > I am in the process of writing tons of modules, which are pretty general
> > modules with no hardcoded dependencies between them. As I am going forward
> > with building modules and stuff I came across an issue of how to manage SSL
> > certs.
> >
> > Let me give you an example scenario:
> > I have a node named "node.example.com" which gets some apps configured by
> > puppet by 3 different modules, let's call them app1, app2 and app3. Those
> > applications require SSL certificates to function properly. The CN of the
> > cert needs to reflect the hostname of the node.
> >
> > What options do I have here? In my opinion I could:
> >
> > 1. Use hiera text blocks and store certs/keys in hiera/hiera-gpg in a
> > variable something like: "ssl_cert_node.example.com" and
> > "ssl_key_node.example.com" and then reference this variable inside a module
> > using variables so nothing is hardcoded.
> > 2. Build an SSL module which would distribute certs/keys taken from
> > hiera/hiera-gpg.
> >
> > Any other ideas? I do not want to use module dependencies and I hate
> > hardcoding stuff into modules.
>
> I use the "private" area in the puppet file server.
>
> $ cat /etc/puppet/fileserver.conf
> [private]
>   path /etc/puppet/private/%h
>   allow *
>
> For example:
>
> file { "/etc/ssh/ssh_host_dsa_key":
>   mode    => 0600,
>   source  => "puppet:///private/etc/ssh/ssh_host_dsa_key",
>   require => Class["ssh::install"],
>   notify  => Service["ssh"],
> }
>
> -mz
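As an added example (not code from the thread or from either poster), here is one shape that option 2 from the question could take in Puppet 3: a hypothetical `ssl::cert` defined type that pulls the certificate and key out of hiera under the `ssl_cert_<fqdn>` / `ssl_key_<fqdn>` names proposed in the question, with the key living only in the hiera-gpg hierarchy. The app modules take the cert and key paths as parameters, so none of them depends on the `ssl` module or hardcodes a hostname; the single `ssl::cert` declaration sits in node classification. The module name, the hiera key names, the filesystem paths and the `app1` parameters are all assumptions for this example.

```puppet
# ssl/manifests/cert.pp (assumed module; added example, not from the thread)
#
# Assumed hiera layout (yaml backend for the public cert, gpg backend for
# the key, matching the question's naming scheme):
#
#   ssl_cert_node.example.com: |      # common.yaml: the certificate is public
#     -----BEGIN CERTIFICATE-----
#     ...
#   ssl_key_node.example.com: |       # common.gpg only: never in plain yaml
#     -----BEGIN RSA PRIVATE KEY-----
#     ...
define ssl::cert (
  $certdir = '/etc/ssl/certs',
  $keydir  = '/etc/ssl/private',
  $owner   = 'root',
  $group   = 'root',
) {
  # The resource title is the CN; callers pass $::fqdn so the lookup key is
  # derived from facts rather than written into any module. hiera() with no
  # default fails the catalog compile when the key is missing, which is the
  # safe outcome: the node gets no half-configured TLS service.
  $cn   = $name
  $cert = hiera("ssl_cert_${cn}")
  $key  = hiera("ssl_key_${cn}")

  file { "${certdir}/${cn}.crt":
    ensure  => file,
    owner   => $owner,
    group   => $group,
    mode    => '0644',
    content => $cert,
  }

  file { "${keydir}/${cn}.key":
    ensure    => file,
    owner     => $owner,
    group     => $group,
    mode      => '0600',
    content   => $key,
    show_diff => false,   # keep key material out of agent logs and reports
    backup    => false,   # and out of the filebucket
  }
}

# app1/manifests/init.pp (assumed): the app module only knows the paths it
# was handed, not where they came from.
class app1 (
  $ssl_cert = "/etc/ssl/certs/${::fqdn}.crt",
  $ssl_key  = "/etc/ssl/private/${::fqdn}.key",
) {
  file { '/etc/app1/app1.conf':
    ensure  => file,
    mode    => '0644',
    content => "ssl_certificate ${ssl_cert}\nssl_key ${ssl_key}\n",
    require => File[$ssl_key],   # only ordering, no class dependency on ssl
  }
}

# site.pp (assumed): one declaration per node, shared by app1, app2, app3.
node 'node.example.com' {
  ssl::cert { $::fqdn: }
  class { 'app1': }
  # class { 'app2': } ... would reuse the same two files
}
```

The same define works unchanged with Matt's file-server layout by swapping `content => hiera(...)` for `source => "puppet:///private/${keydir}/${cn}.key"`; with `path /etc/puppet/private/%h` the master substitutes the requesting client's hostname, so even with `allow *` each node can only fetch files from its own directory. Whichever backend is used, the `mode`, `show_diff` and `backup` settings on the key resource are what keep the private key from leaking into reports, diffs and the filebucket.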