A collection of task oriented solutions in Puppet


Autosigning Client Certificates

Challenge

You want the puppet master to automatically sign every new client certificate request it receives. Understand what security you give up before you do this.

Solution

$ cat /etc/puppet/autosign.conf 
*

Explanation

A single * in autosign.conf tells the puppet master to sign any certificate signing request it receives, whatever certname the client put in it. Newly built machines can therefore come up, connect to the master and begin applying their configuration without anyone approving their certificate. The master still holds only one certificate per certname: if you rebuild a machine, or do anything else that makes the client generate a new key and request, the master refuses the new request until the old certificate has been removed on the master (puppet cert clean with the host's certname).

To reiterate: this looks like a time saver, but it means any machine that can reach the master on its listening port (8140 by default) can obtain a signed certificate without authorisation. Because the certname is chosen by the client, such a machine can present itself under the name of a node that has not yet been signed and request that node's catalog, which may contain privileged information such as passwords, certificates and shared keys. Narrowing the entry to a domain glob such as *.example.com only restricts which names a client may claim, not who may claim them. If you need unattended signing without handing out your manifests, use a policy-based autosign script (Puppet 3.4 and later) that checks something the client can prove, or sign requests by hand.
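The following is an added example, not part of the original page or of Puppet itself: a small POSIX shell audit that reads an autosign.conf from standard input and flags a bare * entry, so you can check a master before it signs something it should not. It assumes the Puppet 3 file format (one certname or glob per line, lines starting with # are comments); the two sample configurations it audits are constructed for the example.

```sh
#!/bin/sh
# Added example, not from the original page: audit a Puppet autosign.conf.
# Assumption (Puppet 3 behaviour): each non-comment, non-blank line is a
# certname glob; a bare '*' matches every CSR; '#' starts a comment.

# classify_autosign_entry LINE
#   Prints one of: blank, comment, any, glob, exact.
classify_autosign_entry() {
    entry=$(printf '%s' "$1" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    case "$entry" in
        '')     echo blank ;;
        '#'*)   echo comment ;;
        '*')    echo any ;;      # signs every request, any certname
        *'*'*)  echo glob ;;     # signs any request whose certname matches
        *)      echo exact ;;    # signs only this one certname
    esac
}

# audit_autosign_conf < FILE
#   Prints a verdict per entry. Returns 1 if any entry is a bare '*'
#   (the master would sign whatever certname a client asserts), else 0.
audit_autosign_conf() {
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$(classify_autosign_entry "$line")" in
            any)   echo "OPEN : '$line' signs every CSR from any host"; rc=1 ;;
            glob)  echo "WIDE : '$line' trusts whatever certname the client chose" ;;
            exact) echo "ok   : $line" ;;
        esac
    done
    return "$rc"
}

# Constructed sample configurations (not taken from any real master).
sample_open_conf() {
    printf '%s\n' '# sign everything' '*'
}

sample_restricted_conf() {
    printf '%s\n' '# only build hosts' '*.build.example.com' 'web01.example.com'
}

# Stand-alone run: audit both samples and report the result.
for sample in sample_open_conf sample_restricted_conf; do
    echo "== $sample =="
    if "$sample" | audit_autosign_conf; then
        echo "result: no wide-open entry"
    else
        echo "result: wide-open entry found"
    fi
done
```

On a real master you would run it as audit_autosign_conf < /etc/puppet/autosign.conf. A WIDE verdict is deliberately not a failure: a domain glob is a legitimate choice, but the script labels it so that you remember it only limits the names a client may claim, not who may claim them.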

See also