# puppet
  • b

    Brian Schonecker

    07/07/2022, 8:20 PM
    then change hiera.yaml datadir = <blah>/${my_hierarchy}
  • b

    Brian Schonecker

    07/07/2022, 8:20 PM
    ooo....even better.
  • n

    natemccurdy

    07/07/2022, 8:21 PM
    Then I can just do this in the hierarchy:
    id/%{identifier_paths}.yaml
  • b

    Brian Schonecker

    07/07/2022, 8:22 PM
    You're tinkering with the wild west with all those hierarchies, IMHO. How will you control sprawl?
  • r

    ramindk

    07/07/2022, 8:23 PM
    I like it. IIRC role comes from your enc in that env. You shouldn't have to deal with any strangeness of locally specified role not matching enc role.
  • n

    natemccurdy

    07/07/2022, 8:24 PM
    Good question 🙂 Welcome to my life. Having consistent and useful variables in the ENC is one way of controlling it, so I think this new idea is a good one.
  • r

    ramindk

    07/07/2022, 8:25 PM
    You're completely mostly avoiding data merging in this case?
  • n

    natemccurdy

    07/07/2022, 8:26 PM
    Yeah, this is tangential to data merging. It doesn’t change how a team uses this data, just simplifies how they can write a hierarchy for roles with an arbitrary number of segments.
  • r

    ramindk

    07/07/2022, 8:27 PM
    Okay that makes more sense. More of a convention for where local data goes than dealing with the common/specific case of config data per role.
  • b

    Brian Schonecker

    07/07/2022, 8:46 PM
    @natemccurdy what ENC are you using?
  • b

    Brian Schonecker

    07/07/2022, 8:47 PM
    I'm building a new puppet environment after being out of the puppet business for five years and I'm always open to new ideas.
  • n

    natemccurdy

    07/07/2022, 8:47 PM
    A custom one. Just a Python script that reads from an inventory management system’s API.
    👍 1
  • b

    Brian Schonecker

    07/07/2022, 8:54 PM
    I'm building a Puppet open-source environment and am building/destroying virtual machines and docker containers 20/30 times a day to test my automation. Is there a way to 'reuse' the client's certificate on the Puppet server so that I don't have to "puppetserver ca clean --certname=test.example.com" every time I rebuild test.example.com and it registers itself (anew) to the Puppet server?
  • n

    natemccurdy

    07/07/2022, 8:56 PM
    Sure, just save the generated certificate somewhere in a central place, and during provisioning of the automated system, use that shared cert.
  • n

    natemccurdy

    07/07/2022, 8:56 PM
    “use it” by placing it in
    /etc/puppetlabs/puppet/ssl/...
    before running Puppet for the first time
  • v

    vchepkov

    07/07/2022, 8:57 PM
    https://puppet.com/docs/puppet/7/configuration.html#allow-duplicate-certs
  • b

    Brian Schonecker

    07/07/2022, 8:57 PM
    woot, woot! Thanks!
  • b

    Brian Schonecker

    07/07/2022, 8:58 PM
    I assume allow-duplicate-certs is global and is somewhat dangerous. 😉
  • n

    natemccurdy

    07/07/2022, 9:14 PM
    Yes, allow_duplicate_certs is global.
  • s

    Slackbot

    07/07/2022, 9:31 PM
    This message was deleted.
  • h

    Hugh Esco

    07/07/2022, 10:50 PM
    Next: /etc/puppetlabs/puppet/puppet.conf --
    [main]
    server = pm5.${my_domain}.com
    stage = ci
    [master]
    masterport = 8240
    report_port = 8240
    vardir = /opt/puppetlabs/server/data/puppetserver
    logdir = /var/log/puppetlabs/puppetserver
    rundir = /var/run/puppetlabs/puppetserver
    pidfile = /var/run/puppetlabs/puppetserver/puppetserver.pid
    codedir = /etc/puppetlabs/code
    autosign = /etc/puppetlabs/puppet/autosign.sh
    [agent]
    environment = ymd_infra
    masterport = 8140
    [server]
    ca_port = 8140
    ca_server = 127.0.0.1
    masterport = 8240
  • h

    Hugh Esco

    07/07/2022, 11:33 PM
    in that file I see this:
    {
                # Allow the CA CLI to access the certificate_status endpoint
                match-request: {
                    path: "/puppet-ca/v1/certificate_status"
                    type: path
                    method: [get, put, delete]
                }
                allow: {
                   extensions: {
                       pp_cli_auth: "true"
                   }
                }
                sort-order: 500
                name: "puppetlabs cert status"
            },
    I only sign certificates from localhost for the puppetserver / certificate authority. How should that be configured to allow me to do the deed?
  • n

    natemccurdy

    07/08/2022, 12:23 AM
    The pp_cli_auth default allow rule was added in Puppetserver 6 as a default, and all new installs of a Puppetserver at version 6+ will generate that extension by default. How is your container’s cert generated? Maybe it’s an old one from before Puppet 6? Either way, your two options are: 1) Add the certname of your CA Puppetserver to that allow list, replacing the existing value. Like
    allow: <certname_here>
    2) Add the extension to your puppetserver’s cert with something like this: https://github.com/smortex/puppet-add-cli-auth-to-certificate
  • s

    Slackbot

    07/08/2022, 8:34 AM
    This message was deleted.
  • s

    Slackbot

    07/08/2022, 1:03 PM
    This message was deleted.
  • a

    Allahshukur Ahmadzada

    07/08/2022, 1:05 PM
    Hello, can anyone explain the things below, preferably with an example?
  • a

    Allahshukur Ahmadzada

    07/08/2022, 3:26 PM
    No one can?