
Puppet version: 3.6.2

In order to simplify the management of ssl certificates, our puppet agents use the same certname, certname=agent.puppet.com

When the puppet master gets a request from an agent (hostname: web00.xxx.com), it executes the ENC script with the certname as parameter.

node_terminus = exec
external_nodes = /home/ocean/puppet/conf/bce_puppet_bns

puppet.log:

2015-05-06 09:55:34 +0800 Puppet (debug): Executing '/home/ocean/puppet/conf/bce_puppet_bns agent.puppet.com'

How do I configure the puppet master to pass the agent's real hostname/FQDN to the ENC script, like:

/home/ocean/puppet/conf/bce_puppet_bns web00.xxx.com

Or how can I get the agent's hostname/FQDN in the ENC script?

Markus Amalthea Magnuson

2 Answers


Don't.

Don't use any info other than $clientcert passed from the agent.

Don't share certificates among different agents.

There are deeply rooted assumptions in Puppet that each agent node has an individual certificate. You will wreak havoc in your infrastructure by trying such stunts.

For example, PuppetDB data is usually grouped by owning agents' certnames. This data will become inconsistent quickly with all agents calling themselves the same, but being quite different of course.

Felix Frank

Ensure the puppetmaster config says this:

 [master]
   node_name = facter

Alter auth.conf so that all the sections allow the "agent.puppet.com" cert, like this:

# allow nodes to retrieve their own catalog
path ~ ^/catalog/([^/]+)$
method find
allow $1
allow agent.puppet.com

# allow nodes to retrieve their own node definition
path ~ ^/node/([^/]+)$
method find
allow $1
allow agent.puppet.com

# allow all nodes to access the certificates services
path /certificate_revocation_list/ca
method find
allow *

# allow all nodes to store their own reports
path ~ ^/report/([^/]+)$
method save
allow $1
allow agent.puppet.com

That's just puppetmaster <=> client; Felix is right that if you are using puppetdb, that would have to be altered too.

Vorsprung
  • Are you certain that *can* be altered? Last time I checked, there was quite a bit of hardcoding around `clientcert`. – Felix Frank May 06 '15 at 10:55
  • It seems to work for me with only a puppetmaster, no puppetdb or other things. If it starts to play up I'll have to think up a different way of fixing the AWS reusing ip addresses and using the ip addresses to make hostnames – Vorsprung May 06 '15 at 12:10
  • In the cloud, (one of) the best way(s) is to use a UUID for CN and a secure autosigning method. I sketched such a setup in Puppet Essentials. – Felix Frank May 06 '15 at 14:29
  • Yes, the `node_name` config parameter is documented, with the behavior @Vorsprung describes. Dunno whether it works completely as advertised, and I don't intend to find out. – John Bollinger May 14 '15 at 00:13
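As an added example (not part of either answer or of the asker's `bce_puppet_bns` script), this is what an `external_nodes` script might look like once `node_name = facter` hands it the hostname instead of the shared certname. Because that argument is then the agent-supplied `hostname` fact rather than the certificate-verified name, the script validates it as a hostname before doing any lookup; the role-to-class map and the `profile::*` class names are constructed assumptions.

```python
# Minimal ENC for `external_nodes` (`<script> <node_name>`). With `node_name = facter`
# the argument is the agent-supplied hostname fact, not the certname, so validate it.
import re
import sys

# RFC 1123-style hostname: labels of alnum/hyphen, 1-63 chars, 253 total.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")

# Constructed role map (an assumption, not from the page): prefix -> classes.
ROLE_CLASSES = {
    "web": ["profile::base", "profile::webserver"],
    "db": ["profile::base", "profile::database"],
}

def valid_hostname(name):
    """Reject anything that is not a plain hostname/FQDN."""
    return len(name) <= 253 and bool(_HOSTNAME_RE.match(name))

def classify(node_name):
    """Return ENC node data for node_name, or None if invalid or unknown."""
    if not valid_hostname(node_name):
        return None
    short = node_name.split(".", 1)[0]   # web00.xxx.com -> web00
    role = short.rstrip("0123456789")    # web00 -> web
    classes = ROLE_CLASSES.get(role)
    if classes is None:
        return None
    return {"classes": classes,
            "parameters": {"role": role, "reported_name": node_name}}

def to_yaml(node):
    """Emit the simple YAML shape Puppet expects from an ENC (no PyYAML)."""
    lines = ["---", "classes:"] + [f"  - {c}" for c in node["classes"]]
    lines.append("parameters:")
    lines += [f"  {k}: {v}" for k, v in node["parameters"].items()]
    return "\n".join(lines) + "\n"

def main(argv):
    if len(argv) != 2:
        return 1
    node = classify(argv[1])
    if node is None:
        return 1                          # non-zero exit: node not found
    sys.stdout.write(to_yaml(node))
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non-zero exit tells the master the node is unknown, so a malformed or unmapped hostname gets no catalog rather than a default one.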