# puppet
s
This message was deleted.
🙌 1
v
but it does rely on the certificate to establish communication, no?
if certificate revoked, communication will be lost, I presume?
k
that would be fine - sounds like Choria would be able to work in all but that one situation.
r
No, it has a few modes of operation. One where instead of a CA for identity and trust it uses JWTs and can enroll itself with its host etc
🙌 1
And should the JWT expire it goes back to enrolling automatically etc
v
got it, I normally use it with Puppet's CA
r
Yeah what’s documented on choria.io is essentially a distribution of choria for puppet.
But like I run 7 figure node counts with no puppet etc
🤯 2
k
🙌
r
Anyway for what I describe it’s early days in assembling something turnkey there. But yeah it’s for that problem
k
bookmarked choria.io. will investigate. if you have any useful links on how we just discussed using it, much appreciated!
another thought I had was to let customers know that they just may have to give us ssh inbound on occasion for external support. I'd prob just use ansible then
r
Running puppet from cron also helps a bunch - no stuck children unless they are very very badly behaving
k
ahh...yes, good point
v
or systemd timer 😎
k
unless you've upgraded away from systemd to BSD 😎
QQ - according to the website, "You need to run middleware, Choria has its own Choria Broker that supports RedHat 7 and 8, Debian and Ubuntu." We're running FreeBSD - is that a deal breaker? Or, what middleware would be available for BSD?
r
Yes it supports FreeBSD thanks to @smortex
✅ 1