On Thursday, January 9, 2014 7:40:42 AM UTC-5, [email protected] wrote:
>
> Thanks for your suggestions,
>
> Running masterless is a bit too exotic, since we would like to use all
> those nice features that make a Puppet installation complete: especially
> hiera searches and PuppetDB. Modules, too, should be compatible with other
> clusters, so no big deviations can occur.
>
> Enabling auto-sign, as Jose Luis suggested, may be a possibility. I have
> just checked myself if autosign works if the same node was already
> registered in the CA... but according to the documentation it does not look
> like it, not to mention the security issues that come with it.
>
I have hundreds of systems built off a single image, and we use autosigning to do it. Puppet 3.4.0 introduced policy based autosigning <http://docs.puppetlabs.com/puppet/3/reference/ssl_autosign.html#policy-based-autosigning>. Our image has a file which contains extra information to add to the certificate signing request. One of these bits of information is a secret key. The puppet CA server then has a script which authorizes autosigning any requests which contain a valid secret key.

-Patrick
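
The CA-side check described in the reply above, as an added example (not Patrick's script and not code from the Puppet project). It assumes the image's secret is carried in the PKCS#9 challengePassword attribute (OID 1.2.840.113549.1.9.7) of the CSR; `autosign?`, `secure_equal?`, `sample_csr` and the secret value are hypothetical names and constructed data.

```ruby
require 'openssl'

CHALLENGE_OID = '1.2.840.113549.1.9.7' # PKCS#9 challengePassword (assumed carrier of the secret)

# Compare SHA-256 digests byte by byte so timing does not reveal how much matched.
def secure_equal?(a, b)
  da = OpenSSL::Digest::SHA256.digest(a).bytes
  db = OpenSSL::Digest::SHA256.digest(b).bytes
  da.zip(db).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Policy decision: true means "sign". Puppet runs the policy executable with the
# certname as its argument and the PEM CSR on stdin, and signs only on exit status 0.
def autosign?(certname, csr_pem, shared_secret)
  csr = OpenSSL::X509::Request.new(csr_pem)
  return false unless csr.verify(csr.public_key)        # CSR self-signature is intact
  cn = csr.subject.to_a.find { |name, _value, _type| name == 'CN' }
  return false unless cn && cn[1] == certname           # CSR is for the node Puppet named
  attr = csr.attributes.find { |a| OpenSSL::ASN1::ObjectId.new(a.oid).oid == CHALLENGE_OID }
  return false unless attr                              # no secret present: leave for manual signing
  secure_equal?(attr.value.value.first&.value.to_s, shared_secret)
rescue OpenSSL::OpenSSLError
  false                                                 # unparsable input is never signed
end

# Constructed sample input: a CSR like the one an agent built from the image would send.
def sample_csr(certname, secret)
  key = OpenSSL::PKey::RSA.new(2048)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([['CN', certname]])
  csr.public_key = key.public_key
  if secret
    set = OpenSSL::ASN1::Set.new([OpenSSL::ASN1::UTF8String.new(secret)])
    csr.add_attribute(OpenSSL::X509::Attribute.new(CHALLENGE_OID, set))
  end
  csr.sign(key, OpenSSL::Digest::SHA256.new)
  csr.to_pem
end

SECRET = 'constructed-example-secret' # placeholder; a real script would read it from a root-only file
puts autosign?('node1.example.com', sample_csr('node1.example.com', SECRET), SECRET)
puts autosign?('node1.example.com', sample_csr('node1.example.com', 'wrong'), SECRET)
```

Because every machine built from the image holds the same secret, anyone who can read the image can request a certificate under any name, so the secret file on the image and the copy on the CA both need tight permissions and a rotation plan.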
