Puppet Cert Sign Task
This module adds a Task for performing Puppet cert signing.
For Puppet Enterprise users, this means you can allow users or admins to sign nodes without giving them SSH access to your Puppet master! The ability to run this task remotely or via the Console is gated and tracked by the RBAC system built in to PE.
This module is compatible with Puppet Enterprise and Puppet Bolt.
To run tasks with Puppet Enterprise, PE 2017.3 or later must be used.
To run tasks with Puppet Bolt, Bolt 0.5 or later must be installed on the machine from which you are running task commands. The master receiving the task must have SSH enabled.
With Puppet Enterprise 2017.3 or higher, you can run this task from the console or the command line.
Here's a command line example where we are signing the foo, bar and baz nodes from the Puppet master, master.corp.net:
    [abir@workstation]$ puppet task run cert_sign agent_certnames=foo,bar,baz -n master.corp.net
    Starting job ...
    New job ID: 24
    Nodes: 1
    Started on master.corp.net ...
    Finished on node master.corp.net
      bar : result : Cert successfully signed for bar
      baz : result : Cert successfully signed for baz
      foo : result : Cert successfully signed for foo
    Job completed. 1/1 nodes succeeded.
    Duration: 6 sec
With Bolt, you can run this task on the command line like so:
    bolt task run cert_sign agent_certnames=foo,bar,baz --nodes master.corp.net
agent_certnames: A comma-separated list of Puppet agent certificate names.
allow_dns_alt_names: Sign a certificate request even if it contains one or more alternate DNS names. Defaults to no.
NOTE: You cannot specify --all in the agent_certnames parameter. Attempts to sign the Puppet master cert will be ignored.
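The parameter rules above can be enforced before any signing command is built. The following is an added example, not this module's own code: `plan_cert_sign`, `CERTNAME_RE`, the yes/no string values and the certname character set are assumptions made for illustration.

```ruby
# Added illustration; not taken from the cert_sign module.
# Assumption: a conservative certname character set (lowercase letters,
# digits, dot, underscore, hyphen), never starting with a hyphen.
CERTNAME_RE = /\A[a-z0-9][a-z0-9._-]*\z/

# Turns the task parameters into one argv array per certificate to sign.
# Nothing is executed here: the whole list is validated first, so a single
# bad entry rejects the batch before any certificate is signed.
# Returns [commands, skipped].
def plan_cert_sign(agent_certnames, master_certname, allow_dns_alt_names: 'no')
  unless %w[yes no].include?(allow_dns_alt_names)
    raise ArgumentError, 'allow_dns_alt_names must be yes or no'
  end

  names = agent_certnames.split(',').map(&:strip).reject(&:empty?).uniq
  raise ArgumentError, 'agent_certnames is empty' if names.empty?

  commands = []
  skipped = []
  names.each do |name|
    # "--all" and anything else shaped like an option must never reach the CLI.
    if name.start_with?('-')
      raise ArgumentError, "option-like value #{name.inspect} is not a certname"
    end
    raise ArgumentError, "invalid certname #{name.inspect}" unless name.match?(CERTNAME_RE)

    # Requests for the master's own certificate are ignored, not signed.
    if name == master_certname
      skipped << name
      next
    end

    argv = %w[puppet cert sign]
    argv << '--allow-dns-alt-names' if allow_dns_alt_names == 'yes'
    commands << (argv + [name])
  end
  [commands, skipped]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input matching the README's command line example.
  commands, skipped = plan_cert_sign('foo,bar,baz,master.corp.net', 'master.corp.net')
  commands.each { |argv| puts argv.join(' ') }
  puts "ignored: #{skipped.join(', ')}"
end
```

Each returned array is meant to be passed to `system(*argv)` or `Open3.capture3(*argv)` as separate arguments, so no shell ever interprets the certnames.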
What are tasks?
Modules can contain tasks that take action outside of a desired state managed by Puppet. Tasks are perfect for troubleshooting or deploying one-off changes, distributing scripts to run across your infrastructure, or automating changes that need to happen in a particular order as part of an application deployment.