Opposite model to Ansible: pull, not push. Agents reach out to the server over outbound HTTPS (port 8140 by default); nothing needs to SSH into the managed nodes.
Every 30 min by default (runinterval) the agent sends its facts, fetches a compiled catalog and converges the node to it (point at the diagram).
This is the key idea: enforcement runs on a loop, not just at deploy. Drift gets corrected on the next run, and the run report shows what changed.
+
Authentication: mutual TLS, not SSH keys or passwords. Puppet Server runs its own built-in Certificate Authority (CA); every agent and the server itself are identified by an X.509 certificate that CA signs.
+
First contact: a new agent generates a keypair and sends a Certificate Signing Request (CSR) to the CA, keyed on its certname (usually the FQDN). The certname is the identity everything downstream keys on (node classification, auth.conf rules), so the CA checks that the CSR's CN matches the certname it was submitted under. The request sits pending until signed.
+
Signing gate: puppetserver ca list shows pending CSRs; an admin runs puppetserver ca sign --certname <node> (or autosign for trusted ranges/policies). Until signed, the agent gets no catalog; it just keeps polling for its cert. Signing is the enrollment/trust decision, so a blanket autosign = true switches the gate off: anything that can reach port 8140 and pick a certname gets a trusted identity. If you autosign, use policy-based autosign that checks a shared secret or a provisioning attribute in the CSR.
+
Steady state: every run is mutual TLS. The agent verifies the server's cert; the server verifies the agent's and maps its CN to the certname used for authorization (auth.conf). The same CA signs both sides, so identity is cryptographic, not network-trust (no reliance on IP ranges or DNS names).
+
Lifecycle: revoke a decommissioned node with puppetserver ca revoke --certname <node> (lands in the CRL, which agents fetch from the server); puppetserver ca clean --certname <node> revokes and removes the cert so a rebuilt host can re-enroll. The rebuilt host also needs a fresh keypair (wipe its ssldir, or puppet ssl clean on the agent), otherwise it resubmits the old identity. Watch for clock skew and cert expiry, the classic agent check-in failures: "certificate is not yet valid" on a fresh VM with a wrong clock, and certs issued for ca_ttl (5 years by default) quietly expiring long after the CA setup was forgotten.
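The enrollment lifecycle above, as an added example that is not Puppet's code: a plain OpenSSL CA stands in for puppetserver's built-in one and walks through the CSR, the signing gate (including a CSR whose CN does not match the certname it enrolls as), verification of both the server's and an agent's cert against the same CA, and revoke plus CRL. The hostnames, directory layout, lifetimes and function names are this example's own assumptions; it checks certificates the way the TLS peers would, without running the TLS handshake itself.

```shell
#!/usr/bin/env bash
# Added example, not puppetserver's code: the CSR -> sign -> verify -> revoke lifecycle
# modelled with a plain OpenSSL CA. Hostnames, paths and function names are assumptions.
set -eu
WORK="$(mktemp -d)"
CA_DIR="$WORK/ca"        # stands in for puppetserver's CA directory
AGENTS="$WORK/agents"    # one dir per node, stands in for each agent's ssldir
CNF="$CA_DIR/openssl.cnf"
mkdir -p "$CA_DIR/requests" "$CA_DIR/signed" "$CA_DIR/newcerts" "$AGENTS"

# CA bootstrap: self-signed root, empty index, initial (empty) CRL.
ca_init() {
  cat > "$CNF" <<EOF
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
prompt             = no
[ req_dn ]
CN = Puppet CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ ca ]
default_ca       = puppet_ca
[ puppet_ca ]
database         = $CA_DIR/index.txt
new_certs_dir    = $CA_DIR/newcerts
serial           = $CA_DIR/serial
certificate      = $CA_DIR/ca.crt
private_key      = $CA_DIR/ca.key
default_md       = sha256
default_days     = 1825
default_crl_days = 30
policy           = policy_cn
x509_extensions  = node_ext
[ policy_cn ]
commonName       = supplied
[ node_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth, serverAuth
EOF
  openssl req -x509 -config "$CNF" -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" 2>/dev/null
  : > "$CA_DIR/index.txt"; echo 1000 > "$CA_DIR/serial"
  openssl ca -config "$CNF" -gencrl -out "$CA_DIR/ca.crl" 2>/dev/null
}

# First contact, agent side: keypair + CSR with CN = certname, "submitted" by copying it in.
# The optional 2nd arg lets a rogue node put a CN in the CSR that differs from its certname.
agent_enroll() {
  name="$1"; cn="${2:-$1}"
  mkdir -p "$AGENTS/$name"
  openssl req -new -config "$CNF" -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$AGENTS/$name/private.key" -out "$AGENTS/$name/request.csr" 2>/dev/null
  cp "$AGENTS/$name/request.csr" "$CA_DIR/requests/$name.csr"
}

# Pending requests (what puppetserver ca list would show): CSRs with no signed cert yet.
ca_list_pending() {
  for csr in "$CA_DIR"/requests/*.csr; do
    [ -e "$csr" ] || continue
    n="$(basename "$csr" .csr)"
    [ -e "$CA_DIR/signed/$n.crt" ] || echo "$n"
  done
}

# CN inside a submitted CSR, independent of the certname it was submitted under.
csr_certname() {
  openssl req -noout -subject -nameopt RFC2253 -in "$CA_DIR/requests/$1.csr" | sed -n 's/.*CN=//p'
}

# The signing gate: refuse unless the CSR's CN is exactly the certname being signed.
ca_sign() {
  name="$1"
  [ "$(csr_certname "$name")" = "$name" ] || { echo "refusing $name: CSR CN mismatch" >&2; return 1; }
  openssl ca -batch -notext -config "$CNF" -in "$CA_DIR/requests/$name.csr" \
    -out "$CA_DIR/signed/$name.crt" 2>/dev/null
  cp "$CA_DIR/signed/$name.crt" "$AGENTS/$name/cert.crt"   # the agent downloads its cert
}

# Steady state: either side checks the peer's cert against the CA cert and the current CRL.
verify_cert() {
  if openssl verify -CAfile "$CA_DIR/ca.crt" -crl_check -CRLfile "$CA_DIR/ca.crl" \
       "$CA_DIR/signed/$1.crt" >/dev/null 2>&1; then echo OK; else echo REJECTED; fi
}

# Decommission: mark the cert revoked and publish a new CRL (what puppetserver ca revoke does).
ca_revoke() {
  openssl ca -config "$CNF" -revoke "$CA_DIR/signed/$1.crt" 2>/dev/null
  openssl ca -config "$CNF" -gencrl -out "$CA_DIR/ca.crl" 2>/dev/null
}

if [ "${1:-}" = "demo" ]; then
  ca_init
  agent_enroll puppet.example.com && ca_sign puppet.example.com   # the server's own cert
  agent_enroll agent01.example.com; echo "pending: $(ca_list_pending)"
  ca_sign agent01.example.com;      echo "agent01: $(verify_cert agent01.example.com)"
  ca_revoke agent01.example.com;    echo "after revoke: $(verify_cert agent01.example.com)"
fi
```

Run it with the demo argument to see agent01 sit in the pending list, verify OK once signed, and fail verification the moment the CRL is regenerated. Note what the gate protects: without the CN check in ca_sign, a node could enroll as one certname while its CSR carries the server's CN, and the CA would hand it a certificate for a name it does not own. The 5-year default_days mirrors Puppet's default ca_ttl; the CRL only does its job if the verifying side actually fetches the current one, which is why agents refresh it from the server.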