Today we’re excited to announce the release of Puppet Enterprise 2.7. While this is a small release in terms of features, it brings with it the capability to view and respond to node requests graphically from within the Puppet Enterprise console. Nodes can now be approved or rejected without requiring access to the puppet master command line interface.
Node request management
Here’s an example of a new node, examplenode.foo.bar, waiting for approval:
The newly redesigned header shows how many nodes are pending approval on the top right:
With previous versions of Puppet Enterprise, sysadmins had to use the command line to manually approve or reject certificates from agent nodes attempting to join the site. This approval step prevents unexpected nodes from joining your Puppet infrastructure and possibly gaining access to sensitive information. Once a node is approved, a two-way handshake happens between the node and the master in which each side verifies that the other is who it claims to be. This prevents a node from impersonating another node, including a puppet master.
SSL is used for this layer of verification under the hood. To simplify the management of SSL certificates, Puppet’s command line interface has a simple utility called puppet cert. With puppet cert list, you can quickly list all of the nodes requesting to be managed by Puppet. puppet cert sign node_name then approves the requesting node, node_name, to be managed by Puppet. However, this action requires access to the puppet master, and many administrators are not comfortable giving that level of access to other admins or to people outside their team.
Now with Puppet Enterprise 2.7, you can approve or reject nodes requesting to be managed by Puppet directly in the Puppet Enterprise console. Using this capability, you can delegate the provisioning and approval of new Puppet-managed nodes to users who you would otherwise have had to grant access to your puppet master. Or, if you have always approved the nodes yourself, you can now approve and classify new nodes without leaving the Puppet Enterprise console.
Approving or rejecting node requests
When you visit the node approval page and there are no pending approvals, you are greeted with simple instructions on how to install new Puppet Enterprise nodes.
Whenever a pending node request contains DNS alt names, Puppet Enterprise does not allow the approval to be made through the console. A DNS alt name lets a node’s identity be verified under a name other than its actual hostname. This is useful, for example, when you have multiple puppet masters. You can simply configure each node to contact puppet.mydomain.com, while your puppet masters are actually named something like puppet1.mydomain.com, puppet2.mydomain.com, etc. The puppet.mydomain.com DNS name may switch between the puppet masters as requests come in, so a node contacting puppet.mydomain.com may actually end up talking to puppet1.mydomain.com. Because an SSL handshake is required for the master and node to trust each other, the node will not trust the master: it was expecting puppet.mydomain.com to respond, not puppet1.mydomain.com. With DNS alt names, each puppet master can be verified not only by its DNS hostname but also by a DNS alias, such as puppet.mydomain.com. With the DNS alt name in place in both puppet masters’ SSL certificates, the node can talk to either puppet master and will trust that it is puppet.mydomain.com.
As you can imagine, a node requesting to be trusted not only under its own identity but potentially under someone else’s can be a huge security risk. Because of this, Puppet Enterprise does not allow node requests with DNS alt names to be approved through the Puppet Enterprise console. These node requests must be approved through the puppet master’s (specifically, your Certificate Authority’s) command line interface.
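The following shell script is an added example, not part of this post or of Puppet’s own tooling. It shows the check a CA operator would want to run on a pending certificate signing request before running puppet cert sign from the command line: inspect the CSR for a subjectAltName extension and route requests that carry one to manual CA review, which is the same rule the console applies. It assumes openssl is on the PATH; the hostnames and the CSR files it builds are constructed sample data.

```shell
#!/bin/sh
# Added example (not Puppet's code): decide whether a pending CSR is safe to
# approve with a single click or needs a human at the CA, based on whether it
# requests DNS alt names. Assumes openssl is installed; all CSRs are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_csr NAME [SAN_LIST] -> prints the path of a freshly built CSR for NAME.
# SAN_LIST is an openssl subjectAltName value such as "DNS:a,DNS:b" (optional).
make_csr() {
    name=$1
    alt=${2:-}
    key="$WORK/$name.key"
    csr="$WORK/$name.csr"
    openssl genrsa -out "$key" 2048 >/dev/null 2>&1
    if [ -n "$alt" ]; then
        # A throwaway config is the portable way to ask for a SAN extension.
        cfg="$WORK/$name.cnf"
        printf '[req]\ndistinguished_name=dn\nreq_extensions=ext\n[dn]\n[ext]\nsubjectAltName=%s\n' \
            "$alt" > "$cfg"
        openssl req -new -key "$key" -subj "/CN=$name" -config "$cfg" -out "$csr" 2>/dev/null
    else
        openssl req -new -key "$key" -subj "/CN=$name" -out "$csr" 2>/dev/null
    fi
    echo "$csr"
}

# csr_alt_names FILE -> prints the Subject Alternative Name entries, or nothing.
csr_alt_names() {
    openssl req -in "$1" -noout -text \
        | awk '/X509v3 Subject Alternative Name/ { getline; gsub(/^[ \t]+/, ""); print }'
}

# approval_route FILE -> "console" when the CSR only claims its own CN,
# "ca-cli" when it also claims alt names and therefore needs manual CA review.
approval_route() {
    if [ -n "$(csr_alt_names "$1")" ]; then
        echo "ca-cli"
    else
        echo "console"
    fi
}

# Demo over two constructed requests: a plain agent and a master that also
# wants to be trusted as the shared alias puppet.mydomain.com.
plain=$(make_csr examplenode.foo.bar)
master=$(make_csr puppet1.mydomain.com "DNS:puppet1.mydomain.com,DNS:puppet.mydomain.com")
for f in "$plain" "$master"; do
    printf '%s -> %s' "$(basename "$f" .csr)" "$(approval_route "$f")"
    names=$(csr_alt_names "$f")
    [ -n "$names" ] && printf ' (alt names: %s)' "$names"
    printf '\n'
done
```

Run as-is to see examplenode.foo.bar routed to the console and puppet1.mydomain.com routed to the CA command line. In practice you would point csr_alt_names at the CSR files in the CA’s requests directory before signing anything; the point is that a CSR asking to be trusted under a shared alias is exactly the case the console refuses, so the command-line path should apply the same scrutiny rather than signing blindly.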
With the new node request management capabilities in Puppet Enterprise 2.7, bringing new nodes under Puppet Enterprise’s control is easier than ever and can now be a more self-service operation. This makes the experience of puppetizing your infrastructure a simpler and more enjoyable one.