Thanks for feedback, Gabriel!

On Fri, Aug 24, 2018 at 5:49 AM Gabriel Filion <gabs...@lelutin.ca> wrote:

> Hi there,
>
> On 2018-08-23 2:35 p.m., Maggie Dreyer wrote:
> > In the 5.5.5 release of the Puppet Platform, we released a new experimental
> > command line tool for interacting with the Puppet CA.
> >
> > puppetserver ca <command>
> >
> > This tool uses Puppet Server's puppet-ca API to accomplish common CA tasks
> > like signing and revoking certificates, instead of the legacy Ruby code in
> > Puppet.
>
> I'm curious here since I'm not following the latest releases very
> closely: was there a necessary change to the command-line user interface
> or could it have been possible to "change all of the plumbing" without
> touching the "porcelain on top"?
>
> if no interface change was necessary then the whole "puppetserver cert"
> subcommand could have been replaced with the new code. it would have
> removed yet another config+interface change necessity for users.

The deprecation and removal of the "face based" subcommands was necessary. These are the subcommands "puppet ca", "puppet certificate", "puppet certificate_request", and "puppet certificate_revocation_list". That only leaves "puppet cert", and all of the plumbing for the command had to change. We also believe its porcelain is fundamentally confusing, mixing actions that should only be taken on a CA with actions that can or should be taken on an agent. So we made the choice to split the actions that the "puppet cert" subcommand provides between a dedicated CA tool that ships with Puppet Server (puppetserver ca) and a dedicated agent tool that ships with Puppet Agent (incoming work on "puppet ssl"). Our hope is to simplify the mental model that users need to understand which features work where in a deployment.

We also hope for these to be relatively simple translations. So if you called, "puppet cert sign --all" in Puppet 5, in Puppet 6 you call "puppetserver ca sign --all" now.

We want to cause as little turbulence for our existing users as possible and are striving to make any upgrade work easily scriptable. But we also know that many new (and existing) users have difficulty understanding our current certificate workflows and that that difficulty impedes many from following best practices. Ultimately our goal is to help users, existing and new, to get to those best practices as quickly and easily as possible.

Regards,
Justin

> > In addition to the existing major features of `puppet cert`, the new tool
> > also provides a command for generating a chained CA for puppet, with a
> > self-signed root cert and an intermediate CA signing cert. It also provides
> > a command for importing an existing root and intermediate cert, for users
> > who wish to have Puppet's CA link back to their existing roots.
>
> hey this is nice. it used to be that advanced management of certificates
> and CA was reserved to the x509 wizards!