From e4e42f3e69dba662f1deb512ab49794b00d6ab07 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Arnaud=20Pr=C3=A9mel-Cabic?= Date: Mon, 8 Jun 2026 14:59:09 +0200 Subject: [PATCH] =?UTF-8?q?docs:=20slide=2033=20=E2=80=94=20add=20speaker?= =?UTF-8?q?=20notes=20on=20Puppet's=20CA/certificate=20auth=20model?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-Authored-By: Claude Opus 4.8 (1M context) --- index.html | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/index.html b/index.html index 9231a3f..5b879d2 100644 --- a/index.html +++ b/index.html @@ -1229,6 +1229,11 @@ $ ansible-galaxy install <namespace>.<role>
  • Opposite model to Ansible: pull, not push — agents reach out to the server.
  • Every ~30 min the agent fetches a catalog and converges the node — point at the diagram.
  • This is the key idea: enforcement runs on a loop, not just at deploy.
  • +
  • Authentication: mutual TLS, not SSH keys or passwords. The Puppet Server runs its own built-in Certificate Authority (CA). Every agent and the server are identified by an X.509 certificate the CA signs.
  • +
  • First contact: a new agent generates a keypair and sends a Certificate Signing Request (CSR) to the CA, keyed on its certname (usually the FQDN). The cert is pending until signed.
  • +
  • Signing gate: an admin runs puppetserver ca sign --certname <node> (or autosign for trusted ranges/policies). Until signed, the agent gets no catalog — so signing is the enrollment/trust decision.
  • +
  • Steady state: every run is mutual TLS — the agent verifies the server's cert, the server verifies the agent's. Same CA signs both sides, so identity is cryptographic, not network-trust.
  • +
  • Lifecycle: revoke a decommissioned node with puppetserver ca revoke (lands in the CRL); ca clean removes the cert so a rebuilt host can re-enroll. Watch for clock skew and cert expiry — classic agent-checkin failures.
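Review bot: the parenthetical "(or autosign for trusted ranges/policies)" in the Signing gate note blurs the one distinction the audience should take away from this slide. Puppet's basic autosigning (autosign.conf) matches the certname carried in the CSR against name globs such as *.example.com; there is no IP or network range involved, and since the requester chooses its own certname, a glob entry signs any host that can reach port 8140 and asks for a matching name, which is no authentication at all (the Puppet docs themselves call basic autosigning insecure for this reason). Only policy-based autosigning, where the autosign setting points at an executable that inspects the CSR, typically for a pre-shared key or other attribute the node supplies via csr_attributes.yaml, actually gates enrollment; "autosign = true" simply signs everything. Suggest rewording to something like "(or autosign: name-glob autosign.conf is effectively unauthenticated, so use policy-based autosign for unattended enrollment)", which also reinforces the "signing is the enrollment/trust decision" sentence that follows. Minor, in the Lifecycle note: "ca clean" only clears the server side; the rebuilt host must also discard its old SSL directory (puppet ssl clean, or removing the ssldir) before it can re-enroll, otherwise it presents the old key and the server rejects it, so the line that says a rebuilt host "can re-enroll" deserves that one extra clause.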