Puppet autosigner and JWT creator written in Python for use with GCP

PrimarySite/puppet-python-autosigner

Autosigner

The details of how the autosign mechanism works can be found here.

In summary, the autosign executable is run by the Puppet master server process. It is given the certname (FQDN) of the node as the first argument. The CSR in pem format is provided over stdin.

If the executable exits 0, the certificate is autosigned. With any other exit code, the certificate is not autosigned.

At the moment, our autosigner works in two ways:

  • Instance autosigning - When a new instance is created on GCP, the jwt-builder.py script gets some additional information from the Google Metadata server. This information is validated by the autosigner to prove that the instance is in one of our GCP projects.
  • Jail autosigning - We generate a token on the Puppet master during the jail creation and add it to the csr_attributes.yaml file inside the jail. This token gets included in the CSR generated by Puppet inside the jail. This is effectively a pre-shared key, which can be validated by the autosigner.
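The following is an added example, not code from this repository, showing the two validation paths above inside the exit-code contract that Puppet imposes on an autosign executable (certname as the first argument, CSR PEM on stdin, exit 0 to sign). The decision logic is standard-library only so it can be exercised without a real CSR. Everything beyond the page is assumed: that both the jail token and the instance token travel in Puppet's `pp_preshared_key` extension request (OID 1.3.6.1.4.1.34380.1.1.4) and are told apart by shape, that the instance token is an HS256 JWT built from a shared secret with `sub`, `project`, `iat` and `exp` claims, that the `cryptography` package is available for the CSR parsing in `extract_attributes`, and that the secrets, project ids and hostnames are constructed placeholders.

```python
"""Exit-code autosigner in the shape Puppet expects: certname as argv[1],
CSR PEM on stdin, exit 0 to sign. Added example; assumptions are marked."""
import base64
import hashlib
import hmac
import json
import os
import sys
import time

# Puppet's registered OID for the pp_preshared_key extension request.
PP_PRESHARED_KEY_OID = "1.3.6.1.4.1.34380.1.1.4"

# Assumed: both token kinds are carried in pp_preshared_key. A jail token is an
# opaque random string; an instance token is a JWT (three base64url segments).
# Defaults below are constructed for the example; a real deployment reads them
# from a protected file or a secret manager.
JAIL_PSK = os.environ.get("AUTOSIGN_JAIL_PSK", "constructed-jail-psk")
JWT_SECRET = os.environ.get("AUTOSIGN_JWT_SECRET", "constructed-jwt-secret").encode()
ALLOWED_PROJECTS = {"example-prod", "example-staging"}  # constructed project ids
MAX_TOKEN_AGE = 300  # seconds a freshly built instance token stays valid (assumed)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_jwt(certname: str, project: str, issued_at: int) -> str:
    """jwt-builder side (assumed HS256): bind the token to one certname, one
    project and a short validity window so a leaked token is of little use."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": certname, "project": project,
              "iat": issued_at, "exp": issued_at + MAX_TOKEN_AGE}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    sig = hmac.new(JWT_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_jwt(token: str, certname: str, now: int) -> bool:
    """Autosigner side: pin the algorithm, check the MAC in constant time, then
    check the claims. Any malformed input is a refusal, never an exception."""
    try:
        head_b64, claims_b64, sig_b64 = token.split(".")
        if json.loads(_b64url_decode(head_b64)).get("alg") != "HS256":
            return False
        expected = hmac.new(JWT_SECRET, f"{head_b64}.{claims_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return False
        claims = json.loads(_b64url_decode(claims_b64))
        return (claims.get("sub") == certname
                and claims.get("project") in ALLOWED_PROJECTS
                and claims.get("iat", now + 1) <= now < claims.get("exp", 0))
    except (ValueError, TypeError):
        return False


def decide(certname: str, attrs: dict, now: int) -> int:
    """Return the process exit code: 0 signs, anything else refuses."""
    token = attrs.get(PP_PRESHARED_KEY_OID, "")
    if token.count(".") == 2:  # instance path: a JWT from jwt-builder
        return 0 if verify_jwt(token, certname, now) else 1
    if token and hmac.compare_digest(token.encode(), JAIL_PSK.encode()):
        return 0  # jail path: pre-shared key planted in csr_attributes.yaml
    return 1


def extract_attributes(csr_pem: bytes) -> dict:
    """Map Puppet extension-request OIDs to string values. Assumed: the
    'cryptography' package is installed and each value is DER-encoded as a
    UTF8String (tag 0x0c), whose tag and length prefix are stripped here."""
    from cryptography import x509  # lazy import; decision logic above is stdlib-only
    out = {}
    for ext in x509.load_pem_x509_csr(csr_pem).extensions:
        dotted = ext.oid.dotted_string
        if not dotted.startswith("1.3.6.1.4.1.34380."):
            continue
        raw = ext.value.value  # UnrecognizedExtension carries the raw DER bytes
        if raw[:1] == b"\x0c":
            skip = 2 if raw[1] < 0x80 else 2 + (raw[1] & 0x7F)  # short/long length form
            raw = raw[skip:]
        out[dotted] = raw.decode()
    return out


def main() -> int:
    if len(sys.argv) != 2:
        return 1
    try:
        attrs = extract_attributes(sys.stdin.buffer.read())
    except Exception:  # unparsable CSR or missing parser: refuse, do not crash-sign
        return 1
    return decide(sys.argv[1], attrs, int(time.time()))


if __name__ == "__main__":
    sys.exit(main())
```

Two design points carry over whatever the real token format is: every comparison of secret material goes through `hmac.compare_digest`, and every failure path returns a non-zero exit code rather than raising, so a parser error can never be mistaken for approval by the master.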
