Improving puppet client registration
puppet client enrollment process (puppet CA) - puppetmaster hooks for csr signing - installer support
Blueprint information
- Status: Complete
- Approver: Jos Boumans
- Priority: Medium
- Drafter: Mathias Gug
- Direction: Approved
- Assignee: Mathias Gug
- Definition: Approved
- Series goal: Accepted for maverick
- Implementation: Implemented
- Milestone target: ubuntu-10.10
- Started by: Mathias Gug
- Completed by: Mathias Gug
Whiteboard
Status:
[20100811]
* What did you say you would do?
[WI] Investigate failing tests: TODO
* What did you actually do?
Finish and upload puppetmaster-
* What issues or problems are you having? What do you need help with?
* What's next?
[WI] Push all changes back to Debian git repository: TODO
[20100803]
* What did you say you would do?
[WI] Investigate failing tests: TODO
* What did you actually do?
Asked for help on the Debian maintainer and got great responses there. I have a working prototype of a puppetmaster-
* What issues or problems are you having? What do you need help with?
Some of the code is a bit ugly. Under discussion with the Debian maintainers.
* What's next?
[WI] Investigate failing tests: TODO
[20100802]
* What did you say you would do?
Discuss a potential solution with Debian maintainers for
[WI] Create puppetmaster-
* What did you actually do?
Looked into A. building a puppetmaster-
* What issues or problems are you having? What do you need help with?
Option A. above is blocked by the necessity of updating puppet.conf which is a configuration file owned by puppet-common. Option B. would require pulling mod-passenger into main which is too late for maverick given all the dependencies.
* What's next?
[WI] Investigate failing tests: TODO
[20100730]
* What did you say you would do?
[WI] Investigate failing tests: TODO.
* What did you actually do?
Puppet 2.6 was released and uploaded to maverick (and experimental). Worked on providing a puppet passenger package.
* What issues or problems are you having? What do you need help with?
Running into some issues with puppet.conf being a conffile (thus not modifiable by maintainer scripts).
All the ssl certificate upstream WIs have been postponed by upstream. So 2.6 currently in Maverick doesn't have the necessary support. We'll probably postpone all the certificate work for maverick+1.
* What's next?
Discuss a potential solution with Debian maintainers for
[WI] Create puppetmaster-
[20100705]
* What did you say you would do?
Not available.
* What did you actually do?
Caught up with puppet upstream at Velocity/Devops Day. Updated the work items for alpha3 planning based on discussion outcome.
* What issues or problems are you having? What do you need help with?
None.
* What are your plans for next week?
[WI] Investigate failing tests: TODO.
Complexity:
maverick-alpha-3: 2
ubuntu-10.10-beta: 2
ubuntu-10.10: 1
Roadmap Notes:
Spec timeboxed to 2 points per milestone
All non-beta critical items to be done during RC time.
Work items for maverick-alpha-3:
Merge from Debian: DONE
Upgrade puppet to 2.6: DONE
Investigate failing tests: POSTPONED
Investigate feasibility of puppetmaster-
Test that CA chaining for puppetmaster certificates is working with clients during registration and run processes: POSTPONED
File upstream bugs related to puppetmaster extension: DONE
Write POC of csr validator hook based on the CSR format outlined in the spec: POSTPONED
Extend client to accept csr attributes (http://
Extend puppetmaster to send both the client certificate and its own certificate to the client (http://
Extend puppetmaster to provide a hook for doing csr validation when new requests are coming in (http://
Work items for ubuntu-10.10-beta:
Investigate failing tests: POSTPONED
Finish puppetmaster-
Push all changes back to Debian git repository: DONE
Test that CA chaining for puppetmaster certificates is working with clients during registration and run processes: DONE
Cloud conductor - implement PoC for deploying new instances with external puppet CA: DONE
Write up blog post about PoC: POSTPONED
Work items for ubuntu-10.10:
Sync/merge 2.6.1~rc3 from Debian: DONE
Get 2.6.1~rc4 in Ubuntu: DONE
Get 2.6.1 in Ubuntu: DONE
Backport 2.6.1 from maverick to lucid (bug 638213): INPROGRESS
Write up blog post about PoC: DONE
Investigate failing tests: POSTPONED
Sync/merge 2.6.1 from Debian: POSTPONED
List of planned work-items:
[puppet-upstream] Extend client to accept csr attributes (http://
[puppet-upstream] Extend puppetmaster to send both the client certificate and its own certificate to the client (http://
[puppet-upstream] Extend puppetmaster to provide a hook for doing csr validation when new requests are coming in (http://
Write POC of csr validator hook based on the CSR format outlined in the spec: TODO
* Puppet Root CA scripts:
- issue conductor certificates.
- issue puppet master certificates.
* Cloud-config:
- extend format to support csr attributes.
- refine signature algorithm.
* Node classification embedded in certificate:
- [upstream] extend the puppet master to extract the node classification from the
client certificate.
- [upstream] extend puppet master signing process to allow for extended attributes to
be set in the certificate.
Reviewers: ttx + jib
ttx review / 20100526:
* Solid design, cannot really be half-implemented though
* Should move "work items" from spec to whiteboard
* Suggested assignees: mathiaz / ttx
* Estimated complexity: 7-9
* Suggested priority: 2/Medium
* Suggested Subcycle: Iteration 1 or 2 (Alpha2 or Alpha3) -- before FF
jib review / 20100526:
* very heavy spec that is 'all or nothing'
* for which part do we have or can we get upstream commitment?
* strive for a max complexity of 3-4