Puppet / PUP-6239

Allow csr_attributes.yaml to inject dynamic facts

    Details

    • Type: Improvement
    • Status: Accepted
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: PUP 4.4.0
    • Fix Version/s: None
    • Component/s: None
    • Labels:

      Description

      Currently in Puppet there isn't an easy way to automate deployments of new instances with puppet pre-installed in the template. The current workarounds involve having to write a custom first boot script (or userdata) to customize the certificate name and populate the csr_attributes.yaml file prior to installing the agent / starting the daemon.

      The reason for being able to boot from an AMI or snapshotted instance and be configured with a new certificate comes from organizations that use AMI baking or similar operational practices to speed up boot times of instances. These are dynamic environments that don't want to rely on user intervention to populate load balancers or add capacity to services.

      Being able to reference facts in csr_attributes.yaml goes a long way toward a set of files that can be baked into images but still allow for dynamic configuration of the puppet agent once the instance starts.

      For example, csr_attributes.yaml could contain

      extension_requests:
        pp_instance_id: $ec2_metadata.instance-id
        pp_role: $ec2_tags.role

      Removing the need to run a custom script for each use case (as provided in our lifecycle tools example):
      https://github.com/puppetlabs/aws_lifecycle_tools/blob/master/userdata/rhel_userdata.sh#L20-L26

      This would allow for Puppet to start handling more dynamic environments and requiring less extra work by those who want to use Puppet in those environments. Having the agents automatically pick the right certificate and populate their ssl extensions from a template instead of a static file matches the dynamic workloads AWS and other environments use (in the above example, one would just set the role tag at provisioning time of the instance and let puppet, not a custom script, handle the rest).
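
The substitution requested above, sketched as an added example (not Puppet code and not part of the original ticket): it resolves `$fact.path` references in a csr_attributes.yaml template and fails closed when a reference is missing or resolves to an unexpected value, since these values end up in the signed certificate. The function names, the allow-list pattern and the sample facts are assumptions.

```ruby
require 'yaml'

# A value that is exactly one fact reference, e.g. $ec2_tags.role
FACT_REF = /\A\$([A-Za-z0-9_]+(?:\.[A-Za-z0-9_-]+)*)\z/
# Conservative allow-list for values placed in the CSR (assumption, tune per site)
SAFE_VALUE = /\A[A-Za-z0-9_.:\/-]{1,128}\z/

# Walk a dotted path through nested fact hashes; raise if any key is missing
# so a literal "$ec2_tags.role" never reaches the CSR.
def resolve_fact(facts, path)
  path.split('.').reduce(facts) do |node, key|
    unless node.is_a?(Hash) && node.key?(key)
      raise KeyError, "unresolved fact reference: #{path}"
    end
    node[key]
  end
end

# Return csr_attributes.yaml content with every fact reference replaced.
def render_csr_attributes(template_yaml, facts)
  doc = YAML.safe_load(template_yaml) || {}
  %w[custom_attributes extension_requests].each do |section|
    next unless doc[section].is_a?(Hash)
    doc[section] = doc[section].to_h do |name, value|
      ref = FACT_REF.match(value.to_s)
      resolved = ref ? resolve_fact(facts, ref[1]).to_s : value.to_s
      unless SAFE_VALUE.match?(resolved)
        raise ArgumentError, "unsafe value for #{name}: #{resolved.inspect}"
      end
      [name, resolved]
    end
  end
  YAML.dump(doc)
end

# Constructed sample input: the template from the description, made-up facts.
TEMPLATE = <<~'TPL'
  extension_requests:
    pp_instance_id: $ec2_metadata.instance-id
    pp_role: $ec2_tags.role
TPL
SAMPLE_FACTS = {
  'ec2_metadata' => { 'instance-id' => 'i-0123456789abcdef0' },
  'ec2_tags'     => { 'role' => 'webserver' }
}.freeze

puts render_csr_attributes(TEMPLATE, SAMPLE_FACTS) if __FILE__ == $PROGRAM_NAME
```
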

            People

            • Assignee: Unassigned
            • Reporter: cbarker Chris Barker