Eric Sorenson (ahpook)
OSPO @ Github

Intermediate CA Signing with Puppet

Problem statement

Many sites have a requirement to use an enterprise-wide certificate authority. They either have a "real" signing cert that chains to a public root CA or an internal root (usually air-gapped) which only signs issuing CA certificates, one per PKI application.

Puppet does not have a currently supported configuration which fits into this model. The [existing documentation][existing] describes using an "external CA" instead of Puppet's internally generated CA (which is a combined self-signed Root and issuing CA in one), but requires that the user turn off Puppet's issuance code and leaves the whole certificate generation and distribution workflow as an "exercise to the reader".

The procedure in this document describes a supportable configuration which bridges the gap between these two positions: it is possible to use Puppet's internal signing code to issue certificates from an intermediate CA cert which was externally generated and signed. There are a

ahpook / init.pp
Last active November 24, 2015 18:23
puppet reduce
$args = { msg => 'hello', voice => 'Moira', third => 'whatever' }
# map over each [key, value] pair of the hash, render it as key=value,
# then join the resulting array with spaces (join() is built in from
# Puppet 5.5; older releases get it from stdlib)
$argstring = $args.map |$value| {
  "${value[0]}=${value[1]}"
}.join(" ")
notice("arg string is: [$argstring]")
From: /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/splayer.rb @ line 12 Puppet::Util::Splayer#splay:
10: def splay(do_splay = Puppet[:splay])
11: # return unless do_splay
=> 12: binding.pry
13: return if splayed?
14:
15: time = rand(Puppet[:splaylimit] + 1)
16: Puppet.info "Sleeping for #{time} seconds (splay is enabled)"
ahpook / hyphen_node.pp
Created June 24, 2015 20:17
regexp backreferences in node
[vagrant@glitched sample_pp]$ FACTER_fqdn=des-bwq0t01 puppet apply ./hyphen_node.pp
Notice: Scope(Node[__node_regexp__des-bweqs0-9t0-9]): matched des-bwq
Notice: Compiled catalog for glitched.vmlocal in environment production in 0.30 seconds
Notice: Applied catalog in 0.01 seconds
[vagrant@glitched sample_pp]$ cat hyphen_node.pp
node /(des-bw[eqs])[0-9]t[0-9]+/ {
  notice("matched $1")
}
$binaries = ["cfacter", "facter", "hiera", "mco", "puppet", "puppetserver"]
# function call with lambda:
$binaries.each |String $binary| {
  file {"/usr/bin/$binary":
    ensure => link,
    target => "/opt/puppetlabs/bin/$binary",
  }
}
ahpook / statefile.pp
Last active August 29, 2015 14:19
statefile problem
# problem: the 'statefile' (state.yaml) never cleans up entries
# which USED to be under management but are no longer in the catalog.
# this causes the statefile to grow without cleanup, and there could
# be a bunch of extra work puppet does on initialization that
# could be totally unneeded.
#
# to repro:
# make a bunch of directories
# for a in $(echo {a..z}) ; do mkdir -p /tmp/mydirs/$a/{a..z} ; done
#!/usr/bin/env ruby
require 'jira'
require 'pp'
require 'getoptlong'
# default values
username = "gepetto-bot"
password = ENV["GEPETTO_BOT_PASSWORD"]
ahpook / hash.rb
Last active August 29, 2015 13:57
#!/usr/bin/env ruby
require 'yaml'
bar = [ { 'key1a' => 'value1_0', 'key1b' => 'value1_1' },
        'key2',
        'key3',
        { 'key4a' => 'value4_0', 'key4b' => 'value4_1' }
      ]
09:17 <_rc> using the yaml one is sufficient.
09:18 <_rc> just populate it in a non-dumb manner, profit.
09:18 <code-cat> ugh, puppet is not stellar when it comes to managing cron jobs though
09:18 <tremble> code-cat: What's important is not having to wait for the process to run. Making it totally asynchronous from the mcollective process.
09:19 <code-cat> k
18:00 <jaschal> If puppetcommander is raising an exception "execution expired", is there a setting somewhere I can tweak to increase this timeout? https://gist.github.com/jascha/6894461
18:06 <jaschal> Hmnn... I think the underlying problem is with ActiveMQ: https://issues.apache.org/jira/browse/AMQ-3131
16:58 <Zal> Hi all, woke up today to find that "mco find" on my puppet master suddenly only sees half of our nodes. Any suggestions as to what to check initially?
16:59 <Zal> puppet cert list -all shows all the nodes still active and managed by puppet, so I assume this is something specific to mco
17:08 <Zal> I've also tried restarting the mcollective daemo