On Thursday, January 9, 2014 7:40:42 AM UTC-5, pablo.f...@cscs.ch wrote:
>
> Thanks for your suggestions,
>
> Running masterless is a bit too exotic, since we would like to use all
> those nice features that make a Puppet installation complete: specially
> hiera searches and PuppetDB. Modules, too, should be compatible with other
> clusters, so no big deviations can occur.
>
> Enabling auto-sign, as Jose Luis suggested, may be a possibility. I have
> just checked myself if autosign works if the same node was already
> registered in the CA... but according to the documentation it does not look
> like it, not to mention the security issues that come with it.
>
I have hundreds of systems built off a single image, and we use autosigning to do it. Puppet 3.4.0 introduced policy based autosigning <http://docs.puppetlabs.com/puppet/3/reference/ssl_autosign.html#policy-based-autosigning>. Our image has a file which contains extra information to add to the certificate signing request. One of these bits of information is a secret key. The puppet CA server then has a script which authorizes autosigning any requests which contain a valid secret key.

-Patrick
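
The kind of CA-side check described in the reply above, as an added example (not Patrick's script and not code from the Puppet project). It assumes the image's secret key travels as the PKCS#9 challengePassword attribute of the CSR, which the message does not specify; the function names and sample values are constructed for illustration.

```ruby
require 'openssl'

# PKCS#9 challengePassword; assumed here to be the attribute carrying the image's key.
CHALLENGE_OID = '1.2.840.113549.1.9.7'

# Compare two strings without leaking the position of the first mismatch.
def secure_equal?(a, b)
  da = OpenSSL::Digest::SHA256.digest(a)
  db = OpenSSL::Digest::SHA256.digest(b)
  da.bytes.zip(db.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Return the challengePassword value from a parsed CSR, or nil when absent.
def csr_challenge(csr)
  attr = csr.attributes.find { |a| OpenSSL::ASN1::ObjectId.new(a.oid).oid == CHALLENGE_OID }
  attr && attr.value.value.first&.value
end

# Policy decision: true only for a well-formed, self-signed CSR whose CN matches
# the requested certname and whose challengePassword equals the shared secret.
def autosign?(certname, csr_pem, secret)
  csr = OpenSSL::X509::Request.new(csr_pem)
  return false unless csr.verify(csr.public_key)
  cn = csr.subject.to_a.find { |field, _value, _type| field == 'CN' }
  return false unless cn && cn[1] == certname
  supplied = csr_challenge(csr)
  !supplied.nil? && secure_equal?(supplied, secret)
rescue OpenSSL::OpenSSLError
  false # unparsable or malformed request: never sign
end

# Constructed sample input: build a CSR the way an imaged node would submit it.
def sample_csr(certname, challenge = nil)
  key = OpenSSL::PKey::RSA.new(2048)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([['CN', certname]])
  csr.public_key = key
  if challenge
    value = OpenSSL::ASN1::Set([OpenSSL::ASN1::UTF8String(challenge)])
    csr.add_attribute(OpenSSL::X509::Attribute.new('challengePassword', value))
  end
  csr.sign(key, OpenSSL::Digest::SHA256.new)
  csr.to_pem
end
```

Puppet runs a policy executable with the certname as its argument and the PEM-encoded CSR on stdin, and signs only when it exits 0, so a wrapper around `autosign?` would map its result to that exit status.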