
@justinstoller
justinstoller / manual.sh
Last active October 13, 2023 18:39
This script, if given a host, will create or update a known_hosts file that r10k can use in PE 2023.3 or greater.
# These are the four pertinent lines from the script if folks would rather do it themselves:
# Create the .ssh directory and known_hosts file under the puppetserver data dir
mkdir -p /opt/puppetlabs/server/data/puppetserver/.ssh
touch /opt/puppetlabs/server/data/puppetserver/.ssh/known_hosts
# Append the host's public keys; drop the "# hostname" comment lines ssh-keyscan prints
ssh-keyscan <additional ssh-keyscan args> <hostname> 2>/dev/null | grep -v '# ' >> /opt/puppetlabs/server/data/puppetserver/.ssh/known_hosts
# Make the directory and file readable by the pe-puppet service user
chown -R pe-puppet:pe-puppet /opt/puppetlabs/server/data/puppetserver/.ssh
@justinstoller
justinstoller / r10k-4.0.md
Last active February 27, 2024 16:35
support discussion

7 Things to know about r10k 4 in PE 2023.4

(From the PE documentation at: https://www.puppet.com/docs/pe/2023.4/upgrading_pe#upgrade_cautions-r10k-4-upgrade)

  1. Starting in PE 2023.4, if you use Code Manager or r10k, with SSH protocol for remote Git repository access, you must set up SSH host key verification.

To manage the known_hosts file and enable host key verification for Code Manager or r10k, you must define the puppet_enterprise::profile::master::r10k_known_hosts parameter with an array of hashes specifying "name", "type", and "key" with your hostname, key type, and public key, respectively.

This is the error message you will see if running code deploy:

@justinstoller
justinstoller / pave.rb
Last active August 19, 2020 15:42
Revoke and Clean Certs in Certdir
require 'optparse'
require 'openssl'
require 'fileutils'

# Default Puppet CA paths; overridden by the command-line options parsed below.
options = {
  crl: '/etc/puppetlabs/puppet/ssl/ca/ca_crl.pem',
  signeddir: '/etc/puppetlabs/puppet/ssl/ca/signed',
  ca_key_path: '/etc/puppetlabs/puppet/ssl/ca/ca_key.pem',
  # Never revoke the CA's own cert or this server's cert. The hostname must be
  # interpolated: a bare "`hostname -f`" inside double quotes is a literal
  # string in Ruby, not a shell command.
  certs_to_skip: ['ca.pem', "#{`hostname -f`.strip}.pem"],
  timing: false,
@justinstoller
justinstoller / 1. steps
Last active May 13, 2020 04:16
Potential 2018.1 patches to aid JRuby 1.7 vs 9k performance disparity
# Steps are to:
# 1. Use `wget` to download the raw content of one of the two included changesets
# 2. Use `patch` to install
#
# Patches can be optionally reverted with `patch` by adding the `--reverse` flag
# The two patches in this gist are mutually exclusive (full-changeset.patch is a superset of the unasserted-iterables.patch).
# The PR corresponding to the unasserted-iterables.patch is here:
# https://github.com/puppetlabs/puppet/pull/8150
# The full-changeset.patch includes the above plus the contents of these PRs (as of 12 May):
# https://github.com/puppetlabs/puppet/pull/8151
@justinstoller
justinstoller / README.md
Created December 17, 2019 22:13 — forked from chadh/README.md
Puppet Server with AWS Certificate Manager as External Root CA

Here are the set of steps I ultimately came up with when trying to set up Puppet 6 servers in AWS using an ACM private CA for the Root.

  1. Create Private CA in AWS Certificate Manager

    • Type: Root
    • Common Name: domain.int (whatever you want)
    • Key Algorithm: RSA 2048
    • provide S3 Bucket for storing CRL
  2. Generate Private Key and CSR for each Puppet Server’s Intermediate CA certificate:

    • configuration for openssl command (certreq.cnf):
<configuration scan="true">
<appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
<encoder>
<pattern>%d %-5p [%t] [%c{2}] %m%n</pattern>
</encoder>
</appender>
<logger name="org.eclipse.jetty" level="warn"/>
<logger name="org.apache.http" level="warn"/>
<logger name="org.jruby" level="warn"/>
@justinstoller
justinstoller / Puppetfile.rb
Last active August 23, 2019 18:23
Puppetfile nonsense
forge "http://forge.puppetlabs.com"
mod 'puppetlabs-stdlib',
git: 'git://github.com/puppetlabs/puppetlabs-stdlib.git',
commit: '653f2fb34b1586476f96883cf352253acf60c331'
mod 'puppetlabs-concat',
git: 'git://github.com/puppetlabs/puppetlabs-concat.git',
commit: 'e10a7a40e80c30ead4d33ffe421fde18999fd72d'
@justinstoller
justinstoller / broken-ca-cert.pem
Last active August 8, 2019 16:18
fips integration work
08:54:04 sellout:puppetserver justin (master *<>) ‖ cat ~/.puppetlabs/etc/puppet/ssl/certs/ca.pem
-----BEGIN CERTIFICATE-----
MIIFbzCCA1egAwIBAgIBATANBgkqhkiG9w0BAQsFADAfMR0wGwYDVQQDDBRQdXBw
ZXQgQ0E6IGxvY2FsaG9zdDAeFw0xOTA4MDcxNTUzMjhaFw0yNDA4MDYxNTUzMjha
MB8xHTAbBgNVBAMMFFB1cHBldCBDQTogbG9jYWxob3N0MIICIjANBgkqhkiG9w0B
AQEFAAOCAg8AMIICCgKCAgEAoFiE1ox1AuQRuba/vkyy/TbNa+MtBYL1Fbn0BaLm
M6+uXfO8HZLdjthBW0YYOdSIrozPmz/R+9HklZHyxr0IhJHhgOFpeRhA31cj1DIi
Za4SD3vyfjGyiH1B6dYUSy3RyWQqE9QxLCQtI+UwCYpNMqa+EAsycHnhLrkbDfcn
T5+Gx444NJjNiiEKCAIrblVtdhtcx3x8a5lLiW8NU0ChzFBDsrevB36epw3oZ6aj
@justinstoller
justinstoller / irb session
Last active April 8, 2020 18:57
Puppet Server Dev Debugger
puppetserver justin (master *$%<>) ‖ wget https://gist.githubusercontent.com/justinstoller/aa2f0ede214c42adede9278085a55051/raw/e089a2474608af9d42fff1ba2832f3e989b2f562/puppet_server_helper.rb
puppetserver justin (master *$%<>) ‖ lein gem install pry-nav
puppetserver justin (master *$%<>) ‖ lein irb
....
irb(main):002:0> load './puppet_server_helper.rb'
=> true
irb(main):005:0> req = @helper.basic_catalog_request
tk-jetty9 justin (newjetty %) ‖ cat osx
TLS_AES_128_GCM_SHA256
TLS_AES_256_GCM_SHA384
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256