Hello all,

I am scratching my head currently on a problem. I believe this is not even 
supposed to work in puppet. But anyway, asking is never wrong.

Here is what I would like to implement: an 'SSL Certificate authority', 
much like puppet's ca, but for some reason (please don't ask), I cannot 
use puppetca.

I am using the puppetlabs/openssl module, to create certificates and such.

Now, here's the workflow:

nodeA - the CA.
nodeB,C,... - clients

So, at setup time, nodeA does not have anything. Thus I create the 
ca-certs. private and public. The public Cert needs to be exported to all 
client(s). These will then create their csr, send it to the CA. This will 
sign it and send the signed cert back to the client.

The trouble here is now:
* Certificates, CSRs and all that are all created via Exec or X509_cert 
resources.
* These cannot be exported to other nodes via storeconfigs.
* Using @@file{"path-to-CSR-OR-CERT": ... } does not work either. If I do 
not use the "content => ..." parameter, the collected file will be empty.

I am now thinking about these possible solutions:
* NFS shared directories, git repositories for CERTs. For some reason, 
these obvious solutions are not possible :(
* filebucket: I can store CSRs and all CERTs in a remote file-bucket and 
retrieve them on another client. Problem: I need the file's checksum :(
I was thinking of writing a type which is based on filebucket, but can 
retrieve a file by its path w/o checksum. This would then retrieve the most 
recent version of that file from the bucket.
* puppetdb? I need to explore this one further. I am not really sure about 
what puppetdb can do. It does more than the old 'storeconfig' 
functionality. I have the feeling that this could potentially help my 
endeavour.
* mcollective? - I never really used this tool, but am somewhat confident 
that this could solve the problem. Given enough time ;)

Anyway, it would be great to hear of some solution to this problem. Are 
there any which I might have missed?
I like the filebucket idea. It's simple and would solve the problem at hand 
easily. If I can somehow make the checksum of my files available to all 
nodes, this would be the solution.

Thanks for your thoughts,
udo.
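As an added example, not from the post and not Puppet's own filebucket code: a small Python model of the "filebucket plus path index" type the post sketches, so that a node can fetch the most recent version of a file by its path without knowing the checksum beforehand. Everything in it is assumed: the MD5 digest (chosen to mirror filebucket's default digest), the JSON index file, the directory layout, and the constructed CSR payloads, which are not real PEM data.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Constructed sample payloads (not real PEM data): two versions of one
# client's CSR, so the "most recent version" behaviour can be shown.
CSR_V1 = b"-----BEGIN CERTIFICATE REQUEST-----\nconstructed-v1\n-----END CERTIFICATE REQUEST-----\n"
CSR_V2 = b"-----BEGIN CERTIFICATE REQUEST-----\nconstructed-v2\n-----END CERTIFICATE REQUEST-----\n"


def digest(data: bytes) -> str:
    """Bucket key for a blob. MD5 is an assumption here, mirroring filebucket's default."""
    return hashlib.md5(data).hexdigest()


class PathIndexedBucket:
    """Content-addressed blob store plus a per-path list of versions (assumed layout)."""

    def __init__(self, root):
        self.root = Path(root)
        self.blobs = self.root / "blobs"
        self.blobs.mkdir(parents=True, exist_ok=True)
        self.index_file = self.root / "index.json"
        if self.index_file.exists():
            self.index = json.loads(self.index_file.read_text())
        else:
            self.index = {}

    def _save_index(self) -> None:
        self.index_file.write_text(json.dumps(self.index))

    def put(self, path: str, data: bytes) -> str:
        """Store data under its digest and record it as the newest version of path."""
        key = digest(data)
        blob = self.blobs / key
        if not blob.exists():          # identical content is stored only once
            blob.write_bytes(data)
        versions = self.index.setdefault(path, [])
        if not versions or versions[-1] != key:
            versions.append(key)
        self._save_index()
        return key

    def get_by_checksum(self, key: str) -> bytes:
        """Fetch a blob and re-check its digest so a corrupted or swapped blob is rejected."""
        data = (self.blobs / key).read_bytes()
        if digest(data) != key:
            raise ValueError(f"digest mismatch for blob {key}")
        return data

    def latest_checksum(self, path: str):
        versions = self.index.get(path)
        return versions[-1] if versions else None

    def get_latest(self, path: str) -> bytes:
        """The retrieval the post asks for: newest version of a path, no checksum needed by the caller."""
        key = self.latest_checksum(path)
        if key is None:
            raise KeyError(path)
        return self.get_by_checksum(key)


def demo() -> dict:
    """Round trip: the client node stores two CSR versions, the CA node fetches the newest by path."""
    with tempfile.TemporaryDirectory() as shared:
        client_view = PathIndexedBucket(shared)
        k1 = client_view.put("nodeB/nodeB.csr", CSR_V1)
        k2 = client_view.put("nodeB/nodeB.csr", CSR_V2)
        # A fresh object over the same directory models the CA reading the shared store.
        ca_view = PathIndexedBucket(shared)
        return {
            "latest": ca_view.get_latest("nodeB/nodeB.csr"),
            "versions": ca_view.index["nodeB/nodeB.csr"],
            "keys": (k1, k2),
        }


def detects_tampering() -> bool:
    """A blob whose bytes no longer match its key is refused on retrieval."""
    with tempfile.TemporaryDirectory() as shared:
        bucket = PathIndexedBucket(shared)
        key = bucket.put("nodeB/nodeB.crt", CSR_V1)
        (bucket.blobs / key).write_bytes(b"replaced content")
        try:
            bucket.get_latest("nodeB/nodeB.crt")
        except ValueError:
            return True
        return False


if __name__ == "__main__":
    print(demo()["versions"], detects_tampering())
```

The digest check only catches a blob that no longer matches its name; the index is what decides which version is "latest", so whoever can write the index decides which CSR the CA signs and which certificate a client installs. The CA should therefore still validate each CSR it pulls, and a client should verify any certificate it retrieves against the CA certificate it already holds rather than trusting the store.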

