Skip to content
A securish automated puppet cert signing method
Python
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
README
bottle.py
dbc.py
puppetreg.conf
puppetreg.sql
register.wsgi
sign_certs.py
wsgi.conf

README

## About
I wasn't satisfied with any of the methods for automatically signing puppet certificates I found, so I wrote a little rest service that would do a base level of authentication (shared password) and submit a system to be signed. This contains a second script which runs every minute out of cron to sign authenticated certificates.

## Contents
bottle.py - courtesy of http://bottlepy.org/docs/dev/! used by register.wsgi
dbc.py - database class, used by register.wsgi and sign_certs.py
puppetreg.conf - reference apache wsgi puppetreg service config
puppetreg.sql - schema for DB
register.wsgi - restful json service for authorizing systems submitted for signing to puppet, and presenting general status of signing
sign_certs.py - script to run as cron, signs authorized puppet certs
wsgi.conf - reference update for generic wsgi config

## Installation

1. install mysql server and create database, something like: mysqladmin create puppetreg; mysql puppetreg < puppetreg.sql
2. install apache, wsgi, and python json,mysql support - on RHEL6: yum -y install httpd mod_ssl mod_wsgi MySQL-python
3. configure wsgi service and put bottle.py, dbc.py, register.wsgi, and sign_certs.py under the same directory
4. configure:
 - dbc.py: db information
 - register.wsgi: sharedpass, domainname, vpcprefix
5. add a cron job running sign_certs.py every minute
6. test it with something like: 
export NODE=`uname -n`; curl -H "Accept: application/json" -X POST -d '{"pass": "sharedpass", "node": "'${NODE}'"}' http://puppet/puppetreg/submit

That should be it!

NOTE: I would HIGHLY recommend putting the restful service behind SSL so no one can snoop your shared secret!

You can’t perform that action at this time.