FAI + SaltStack anybody?
Andrew Ruthven
andrew at etc.gen.nz
Fri Oct 6 10:57:28 CEST 2023
On Fri, 2023-10-06 at 06:47 +0200, Diego Zuccato wrote:
> On 05/10/2023 15:54, Laura Smith via linux-fai wrote:
> > It's been a while since I worked with Salt, but IIRC it sounds like what
> > is not "clicking" is that you need to fix the TOFU problem.
>
> Actually there are 2 distinct problems:
> - pass the pubkey from the minion to FAI during the install (possibly in
> an authenticated way)
> - authorize that key in Salt from FAI
Not related to Salt, but possibly an approach that can be used here.
I have a script that we run on the FAI server for managing secrets. It will
copy secrets, generating them as required, into the NFSROOT and then remove
them after a period of time.
I have this handling ssh hostkeys so we can get the same keys on a rebuild.
It can handle Puppet keys, including signing them, although we no longer use
it for Puppet.
This isn't ideal as the secrets are still present in the NFSROOT for a short
period of time, but does solve the chicken and egg issue others mentioned
and removes the need for a generic "sign any request that comes in" that
others have suggested.
Cheers,
Andrew
--
Andrew Ruthven, Wellington, New Zealand
andrew at etc.gen.nz | This space intentionally left blank
Catalyst Cloud: https://catalystcloud.nz
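The secret-staging approach Andrew describes (generate per-host secrets once, copy them into the NFSROOT for the install, remove them after a bounded time) sketched as a small POSIX shell script. This is an added example, not Andrew's script (which was not posted) and not part of FAI; the store location `SECRET_STORE`, the staging path `$NFSROOT/etc/fai/secrets/<host>`, the `.staged_at` marker file and the `TTL` window are all assumptions made here, and the client-side hook that copies the staged keys into `/target/etc/ssh` is left out.

```shell
#!/bin/sh
# Added example, not the original poster's script. Stages per-host secrets
# (here: ssh host keys) into the FAI NFSROOT for a bounded window, generating
# them on first use so a rebuilt host comes back with the same host identity.
#
# Assumed layout (hypothetical, not from the post or from FAI):
#   SECRET_STORE  durable per-host store on the FAI server, $SECRET_STORE/<host>
#   NFSROOT       the FAI nfsroot; staged copies go to $NFSROOT/etc/fai/secrets/<host>
#   TTL           seconds a staged copy may remain before expire_staged removes it
set -eu

SECRET_STORE="${SECRET_STORE:-/srv/fai-secrets}"
NFSROOT="${NFSROOT:-/srv/fai/nfsroot}"
TTL="${TTL:-900}"
KEY_TYPES="${KEY_TYPES:-ed25519 rsa}"

# Generate the host keys once into the durable store. Re-running is a no-op,
# which is exactly what makes a rebuild reuse the identical host keys.
ensure_hostkeys() {
    host="$1"
    dir="$SECRET_STORE/$host"
    mkdir -p "$dir"
    chmod 700 "$dir"
    for t in $KEY_TYPES; do
        key="$dir/ssh_host_${t}_key"
        if [ ! -f "$key" ]; then
            # -N '' : no passphrase, as sshd requires for a host key
            ssh-keygen -q -t "$t" -N '' -C "$host" -f "$key"
        fi
    done
}

# Copy the stored secrets into the nfsroot (mode 0600) and record the staging
# time in a marker file so expiry can be enforced later. Prints the staged dir.
stage_secrets() {
    host="$1"
    src="$SECRET_STORE/$host"
    dst="$NFSROOT/etc/fai/secrets/$host"
    ensure_hostkeys "$host"
    mkdir -p "$dst"
    chmod 700 "$dst"
    for f in "$src"/*; do
        [ -f "$f" ] || continue
        cp "$f" "$dst/"
        chmod 600 "$dst/$(basename "$f")"
    done
    date +%s > "$dst/.staged_at"
    echo "$dst"
}

# Remove any staged copy older than TTL seconds. Meant to run from cron on the
# FAI server (or as soon as the install reports back), bounding the exposure
# window that the post mentions as the remaining weakness of this scheme.
expire_staged() {
    now=$(date +%s)
    base="$NFSROOT/etc/fai/secrets"
    [ -d "$base" ] || return 0
    for d in "$base"/*/; do
        [ -f "$d/.staged_at" ] || continue
        staged=$(cat "$d/.staged_at")
        if [ $((now - staged)) -ge "$TTL" ]; then
            rm -rf "$d"
        fi
    done
}

# True while a host's secrets are staged and not yet expired.
is_staged() {
    [ -f "$NFSROOT/etc/fai/secrets/$1/.staged_at" ]
}

# CLI entry point: `stage <host>` before kicking off the install, `expire` from cron.
if [ "$#" -gt 0 ]; then
    case "$1" in
        stage)  stage_secrets "$2" ;;
        expire) expire_staged ;;
        *) echo "usage: $0 stage <host> | expire" >&2; exit 2 ;;
    esac
fi
```

The staged directory lives under the NFSROOT that every installing client can mount, which is why the TTL matters: the design only narrows the window during which another client on the install network could read the keys, it does not close it. Keeping the durable copies outside the NFSROOT and using a short TTL is the mitigation the script offers for that.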