New autosign tool

Corey_Osman · August 4, 2015, 10:17pm

Hi,

I was at the local PUG meeting last night and one of puppet guys was presenting a new tool for policy based auto signing.

https://github.com/danieldreier/autosign <https://github.com/danieldreier/autosign>

Its built to be extensible and I am sure they must be a use case with foreman. See link above if your interested.

Corey

Dominic_Cleal · August 5, 2015, 8:26am

Looks nice, and I'd like to see it switched over Puppet's policy-based
autosigning instead of autosign.conf management
(Feature #3623: Use Puppet's autosign approver command instead of editing autosign.conf - Foreman).

Using that gem would fit in well, since it'd match the style of our
existing (Kerberos) realm support, which generates an OTP and provides
it to the host during provisioning.

···

On 04/08/15 23:17, Corey Osman wrote: > Hi, > > I was at the local PUG meeting last night and one of puppet guys was > presenting a new tool for policy based auto signing. > > https://github.com/danieldreier/autosign > > Its built to be extensible and I am sure they must be a use case with > foreman. See link above if your interested.

–
Dominic Cleal
Red Hat Engineering

Aaron_Stone · August 5, 2015, 6:41pm

This tool looks really awesome!!

At a minimum for the Foreman ticket above, if I were writing the
autosign_cmd for myself, could I simply curl the Foreman API to see if the
host that is requesting signing is in Build mode? (Note: I use hostname
certs rather than uuid certs – but even so, I should be able to look up a
host by its Puppet UUID?)

Thanks,
Aaron

···

On Wed, Aug 5, 2015 at 1:26 AM, Dominic Cleal wrote:

On 04/08/15 23:17, Corey Osman wrote:

Hi,

I was at the local PUG meeting last night and one of puppet guys was
presenting a new tool for policy based auto signing.

GitHub - danieldreier/autosign: Tooling to make puppet autosigning easy, secure, and extensible

Its built to be extensible and I am sure they must be a use case with
foreman. See link above if your interested.

Looks nice, and I’d like to see it switched over Puppet’s policy-based
autosigning instead of autosign.conf management
(Feature #3623: Use Puppet's autosign approver command instead of editing autosign.conf - Foreman).

Using that gem would fit in well, since it’d match the style of our
existing (Kerberos) realm support, which generates an OTP and provides
it to the host during provisioning.

Dominic_Cleal · August 6, 2015, 6:59am

Yeah, I guess that'd work, though wouldn't be as secure as an OTP
embedded in the provisioning/finish script. It doesn't look like
certname's exposed in the search fields, but that could be added to
Hostext::Search.

···

On 05/08/15 19:41, Aaron Stone wrote: > On Wed, Aug 5, 2015 at 1:26 AM, Dominic Cleal > wrote: > > On 04/08/15 23:17, Corey Osman wrote: > > Hi, > > > > I was at the local PUG meeting last night and one of puppet guys was > > presenting a new tool for policy based auto signing. > > > > https://github.com/danieldreier/autosign > > > > Its built to be extensible and I am sure they must be a use case with > > foreman. See link above if your interested. > > Looks nice, and I'd like to see it switched over Puppet's policy-based > autosigning instead of autosign.conf management > (http://projects.theforeman.org/issues/3623). > > Using that gem would fit in well, since it'd match the style of our > existing (Kerberos) realm support, which generates an OTP and provides > it to the host during provisioning. > > > This tool looks really awesome!! > > At a minimum for the Foreman ticket above, if I were writing the > autosign_cmd for myself, could I simply curl the Foreman API to see if > the host that is requesting signing is in Build mode? (Note: I use > hostname certs rather than uuid certs -- but even so, I should be able > to look up a host by its Puppet UUID?)

–
Dominic Cleal
Red Hat Engineering