Last active
August 29, 2015 14:23
-
-
Save muresan/a133903568e7feec8528 to your computer and use it in GitHub Desktop.
enable puppet to autosign clients based on a shared secret
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/bash | |
# puppet client part: | |
# create the file /etc/puppet/csr_attributes.yaml with the PSK in it: | |
##--- | |
##extension_requests: | |
## pp_preshared_key: @the_psk@ | |
# puppet master part: | |
## puppet config set --section master autosign /usr/local/bin/autosign-psk | |
# For a more complex autosign script, see: | |
# http://docs.puppetlabs.com/puppet/latest/reference/ssl_attributes_extensions.html#recommended-oids-for-extensions | |
# which documents all the OIDs that puppet registered. Options are separate keys for environent, for role, for instance-id, etc | |
# but that would complicate things because an outside agent will need to create the PSK on the client and on the master. | |
PSK_FILE=/etc/puppet/autosign/psk | |
csr=$(< /dev/stdin) | |
certname=$1 | |
# Get the certificate extension with OID $1 from the csr | |
function extension { | |
echo "$csr" | openssl req -noout -text | fgrep -A1 "$1" | tail -n 1 \ | |
| sed -e 's/^ *//;s/ *$//' | |
} | |
if [ ! -f "$PSK_FILE" ] ; then | |
echo "Could not find PSK file $PSK_FILE" | |
exit 1 | |
fi | |
PUPPET_PSK=`cat $PSK_FILE` | |
CLIENT_PSK=$(extension '1.3.6.1.4.1.34380.1.1.4') | |
if [ ! -n "$CLIENT_PSK" ] ; then | |
echo "Did not receive PSK from $certname" | |
exit 1 | |
fi | |
echo "autosign $certname with PSK $CLIENT_PSK" | |
if [ -n "$PUPPET_PSK" -a "$PUPPET_PSK" = "$CLIENT_PSK" ]; then | |
echo "All good!" | |
exit 0 | |
else | |
echo "PSK does not match $PUPPET_PSK != $CLIENT_PSK" | |
exit 1 | |
fi |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment