A simple Sinatra app to sign Puppet certificate requests via an API
MIT License
PSigner is a sinatra application that allows you to sign and delete Puppet certificates via a simple web service. It is designed as an example prototype to show you how you can use an automatic signing and deleting process with a simple shared secret when (de-)provisioning hosts.
NOTE: You could also do this directly via the Puppet API but that requires SSL authentication. This is less secure but potentially somewhat simpler.
It allows the remote signing of Puppet client certificates via an API call, by passing the
certname
to be signed and the shared secret as the value of the
secret
parameter.
$ curl -d 'secret=SHAREDSECRET' -d 'certname=bob' -X POST http://localhost:4567/api/cert
You can configure the shared secret via the config.yml
file in the config
directory.
To revoke and remove a cert from Puppet's CA
$ curl -d 'secret=SHAREDSECRET' -d 'certname=bob' -X DELETE http://localhost:4567/api/cert
Simply run the bundle
and then rackup
commands.
To sign certificates you will need to run PSigner on the Puppet master as the root
user.
You should run the API service behind a web server with HTTPS/SSL enabled to prevent someone sniffing the network and getting your shared secret. There are also a number of ways you could store and retrieve the shared secret other than a config file that would this more functional.
gem build psigner.gemspec
sudo gem install psigner-0.0.1.gem