[puppet-users] A note regarding deprecated CA related settings in Puppet 5.5


Justin Stoller

Aug 24, 2018, 1:10:19 PM
to puppet...@googlegroups.com, puppe...@googlegroups.com
Hello!

We recently released a new version of the Puppet Platform that contained many CA-related deprecations, and we wanted to reach out and clarify a few things.

Currently in Puppet 5 there are two(!) mostly identical CA implementations, which can cause race conditions in signing and revoking, make the entire system needlessly complicated, and double the cost of fixing any one bug.

In Puppet 6 we plan to remove one of the implementations, which will allow us to address many long-standing bugs with our CA functionality. I encourage you to check out a recent announcement regarding changes to our CLI workflows[1].

As part of this, most of our CA-related settings that currently live in puppet.conf are *unused* by anything that ships with the puppet-agent package. In Puppet 6, the puppet.conf file will contain mostly agent/apply-related settings, while most master and CA-related settings will move to Puppet Server's configuration files. Almost all of these changes should be mechanical in nature, for example:

Setting autosign in Puppet 5 looks like this:
$ cat /etc/puppetlabs/puppet/puppet.conf
[main]
  autosign = /usr/local/bin/my-autosigner


In Puppet 6 this will look like:
$ cat /etc/puppetlabs/puppetserver/conf.d/ca.conf
certificate-authority: {
  autosign: /usr/local/bin/my-autosigner
}


While we wanted to get the deprecation notices in front of everyone as soon as possible, the Puppet Server side config changes have yet to land. For now, just be aware that these changes are coming and expect more from us soon about potential upgrade paths.


Thank you,
The Puppet Server Team
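
Added example, not part of the original message and not Puppet's own tooling: a small audit helper that finds where a puppet.conf sets autosign and prints the value in the ca.conf layout sketched above. The function names and the sample file are hypothetical, and the ca.conf layout is taken only from the message, which says the server-side change has not landed yet.

```python
import re

SECTION = re.compile(r"^\[(\w+)\]$")
SETTING = re.compile(r"^(\w+)\s*=\s*(.*)$")

def find_setting(conf_text, name="autosign"):
    """Map section name -> value for each puppet.conf section that sets `name`."""
    found, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()                      # settings are usually indented
        if not line or line.startswith("#"):    # blank line or comment line
            continue
        header = SECTION.match(line)
        if header:
            section = header.group(1)
            continue
        setting = SETTING.match(line)
        if setting and setting.group(1) == name:
            found[section or "(no section)"] = setting.group(2).strip()
    return found

def value_for_master(found):
    """[master] overrides [main] when Puppet runs as the master."""
    return found.get("master", found.get("main"))

def ca_conf_block(value):
    """Render the value in the ca.conf layout shown in the message."""
    return "certificate-authority: {\n  autosign: %s\n}\n" % value

# Constructed sample input, not taken from a real system.
SAMPLE = """\
# managed by hand
[main]
  certname = puppet.example.test
  autosign = /usr/local/bin/my-autosigner
[agent]
  server = puppet.example.test
"""

if __name__ == "__main__":
    hits = find_setting(SAMPLE)
    for section, value in hits.items():
        print("puppet.conf [%s] autosign = %s" % (section, value))
    value = value_for_master(hits)
    if value is not None:
        print(ca_conf_block(value), end="")
```

Because autosign decides which certificate requests get signed without review, confirm after migrating that the value reported here is the one the CA actually uses.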


