Disable SSL when compiling catalogs for testing purposes


Alexander Fortin

Mar 5, 2014, 9:35:40 AM
to puppet...@googlegroups.com
Hi folks,

recently in our Puppet pipeline we added a few tests on catalogs
leveraging Ripienaar's puppet-catalog-diff [1]. Basically, before
merging to production, for each node we compare the catalogs between
production and the committed developing version, to spot any (maybe
unwanted) change before the agent run. Also, we run catalog diffs for
a single node locally in a Docker container to help refactoring-like
tasks, and to test with different versions of puppet too (still at
v2.7, will upgrade to 3 hopefully very soon).

This has been working quite well for us so far, but of course it would be
nice to reduce the amount of time needed to run those tests. I know
very little about the puppet master process, but my understanding is
that every time we create the catalog, i.e. running

puppet master --compile myhost

this will also create an SSL cert for myhost. Is there a way to disable
this behavior? Any other suggestions about how to make this catalog
creation process as lightweight as possible?

--
https://www.vizify.com/alexander-fortin

jcbollinger

Mar 5, 2014, 1:07:42 PM
to puppet...@googlegroups.com


On Wednesday, March 5, 2014 8:35:40 AM UTC-6, Alexander Fortin wrote:
[...] my understanding is
that every time we create the catalog, i.e. running

puppet master --compile myhost

this will also create an SSL cert for myhost.


I can't say for certain that you're wrong, but I have never heard of that certificate-generating behavior.  From whence comes your "understanding"?

Even if Puppet were doing that, I think you would find the savings available from eliminating it to be negligible compared to the cost of the actual catalog compilation.


John

Alexander Fortin

Mar 6, 2014, 2:50:43 AM
to puppet...@googlegroups.com
On Wednesday, March 5, 2014 7:07:42 PM UTC+1, jcbollinger wrote:


On Wednesday, March 5, 2014 8:35:40 AM UTC-6, Alexander Fortin wrote:
[...] my understanding is
that every time we create the catalog, i.e. running

puppet master --compile myhost

this will also create an SSL cert for myhost.


I can't say for certain that you're wrong, but I have never heard of that certificate-generating behavior.  From whence comes your "understanding"?

I noticed because running two 'puppet master --compile' in parallel with the same host and same vardir path was creating conflicts; anyway, these are the (SSL) files that get created at every run:

ssl/ca/ca_crt.pem
ssl/ca/ca_crl.pem
ssl/ca/serial
ssl/ca/ca_pub.pem
ssl/ca/ca_key.pem
ssl/ca/inventory.txt
ssl/ca/private/ca.pass
ssl/crl.pem
ssl/certs/ca.pem


Even if Puppet were doing that, I think you would find the savings available from eliminating it to be negligible compared to the cost of the actual catalog compilation.

I guess you are right. I hoped it was just a matter of setting a config parameter to false but didn't find anything like that. Thanks

jcbollinger

Mar 6, 2014, 9:15:39 AM
to puppet...@googlegroups.com


On Thursday, March 6, 2014 1:50:43 AM UTC-6, Alexander Fortin wrote:
On Wednesday, March 5, 2014 7:07:42 PM UTC+1, jcbollinger wrote:


On Wednesday, March 5, 2014 8:35:40 AM UTC-6, Alexander Fortin wrote:
[...] my understanding is
that every time we create the catalog, i.e. running

puppet master --compile myhost

this will also create an SSL cert for myhost.


I can't say for certain that you're wrong, but I have never heard of that certificate-generating behavior.  From whence comes your "understanding"?

I noticed because running two 'puppet master --compile' in parallel with the same host and same vardir path was creating conflicts; anyway, these are the (SSL) files that get created at every run:

ssl/ca/ca_crt.pem
ssl/ca/ca_crl.pem
ssl/ca/serial
ssl/ca/ca_pub.pem
ssl/ca/ca_key.pem
ssl/ca/inventory.txt
ssl/ca/private/ca.pass
ssl/crl.pem
ssl/certs/ca.pem



Do you see the "ca" in most of those?  That stands for "certificate authority".  The one file that doesn't have it, ssl/crl.pem, is a certificate revocation list, which is also associated with the CA.  The Puppet master provides a (as in one) certificate authority for the infrastructure it manages.  It will create the needed keys and certificate only if they do not already exist.

IMPORTANT: you must not disturb the master's CA.  Doing so will make the certificates it has already signed unusable, rendering those agents using them both unwilling AND unable to request catalogs from that master.


John

Alexander Fortin

Mar 6, 2014, 10:11:34 AM
to puppet...@googlegroups.com
On Thursday, March 6, 2014 3:15:39 PM UTC+1, jcbollinger wrote:

Do you see the "ca" in most of those?  That stands for "certificate authority".  The one file that doesn't have it, ssl/crl.pem, is a certificate revocation list, which is also associated with the CA.  The Puppet master provides a (as in one) certificate authority for the infrastructure it manages.  It will create the needed keys and certificate only if they do not already exist.

IMPORTANT: you must not disturb the master's CA.  Doing so will make the certificates it has already signed unusable, rendering those agents using them both unwilling AND unable to request catalogs from that master.

Hi John, thanks for the concern and for the insights you are providing. Yes, now I realize it's not creating the $host cert as I initially said but only the certificate authority files. I think I could just create these files once and place them in the Docker image to avoid puppet recreating them at every run; maybe it will not give us any visible gain in performance, but it's trivial to do, so why not.

Also, these "puppet master --compile" processes are not run in the actual puppet master machine(s) but on dedicated testing environments (Jenkins + Docker images) so no harm done to the actual CA :)
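Putting the two practical points of the thread together, as an added example that is not part of the original posts and is not code from puppet-catalog-diff: run each `puppet master --compile` under a throwaway vardir and ssldir, so that parallel compiles of the same node cannot collide on the ssl/ca/* files and the real master's CA is never read or written, then compare the production and development catalogs resource by resource, which is the gate the first post describes. Assumptions, none of which come from the thread: `puppet` is on PATH; the node's facts are made available under the scratch vardir (the master normally reads them from its facts cache there); the catalog printed to stdout is JSON in either the Puppet 3 wire shape (`{"data": {"resources": [...]}}`) or the flattened shape (`{"resources": [...]}`), possibly preceded by log lines; `parse_compile_output`, `diff_catalogs` and the two sample catalogs are hypothetical names and constructed data, not real compile output.

```python
"""Isolated catalog compiles plus a resource-level catalog diff (added example)."""
import json
import os
import subprocess
import tempfile
from typing import Dict, List, Tuple

ResourceKey = Tuple[str, str]   # (type, title), e.g. ("File", "/etc/motd")
Params = Dict[str, object]


def compile_command(node: str, workdir: str, puppet: str = "puppet") -> List[str]:
    """argv for `puppet master --compile <node>` confined to one scratch directory.

    A per-run vardir and ssldir means two compiles for the same node cannot
    race on ssl/ca/* (the conflict seen in the thread) and the production
    master's CA is never touched.  Assumption: the compile's facts are
    supplied under this vardir, where the master normally looks for them.
    """
    return [
        puppet, "master", "--compile", node,
        "--vardir", os.path.join(workdir, "var"),
        "--ssldir", os.path.join(workdir, "ssl"),
    ]


def parse_compile_output(text: str) -> dict:
    """Extract the catalog JSON, skipping any log lines printed before it
    (log lines start with a level such as 'Notice:', the catalog with '{')."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.lstrip().startswith("{"):
            return json.loads("\n".join(lines[i:]))
    raise ValueError("no catalog JSON found in compile output")


def compile_catalog(node: str, puppet: str = "puppet") -> dict:
    """Run one isolated compile; the scratch dir (and its CA files) is discarded."""
    with tempfile.TemporaryDirectory(prefix="catalog-") as workdir:
        proc = subprocess.run(compile_command(node, workdir, puppet),
                              check=True, capture_output=True, text=True)
    return parse_compile_output(proc.stdout)


def resources(catalog: dict) -> Dict[ResourceKey, Params]:
    """Index resources by (type, title); accepts both catalog shapes noted above."""
    body = catalog.get("data", catalog)
    return {(r["type"], r["title"]): dict(r.get("parameters") or {})
            for r in body.get("resources", [])}


def diff_catalogs(old: dict, new: dict) -> dict:
    """What the development catalog adds, drops or changes relative to production."""
    old_r, new_r = resources(old), resources(new)
    changed: Dict[ResourceKey, Dict[str, Tuple[object, object]]] = {}
    for key in sorted(set(old_r) & set(new_r)):
        before, after = old_r[key], new_r[key]
        delta = {p: (before.get(p), after.get(p))
                 for p in sorted(set(before) | set(after))
                 if before.get(p) != after.get(p)}
        if delta:
            changed[key] = delta
    return {"added": sorted(set(new_r) - set(old_r)),
            "removed": sorted(set(old_r) - set(new_r)),
            "changed": changed}


def has_changes(diff: dict) -> bool:
    """Merge gate: True when the two catalogs differ in any resource."""
    return bool(diff["added"] or diff["removed"] or diff["changed"])


# Constructed sample catalogs (not real compile output), one in each shape.
PROD_CATALOG = {"document_type": "Catalog", "data": {"name": "myhost", "resources": [
    {"type": "File", "title": "/etc/ssh/sshd_config",
     "parameters": {"ensure": "file", "owner": "root", "mode": "0600"}},
    {"type": "Package", "title": "openssh-server", "parameters": {"ensure": "present"}},
    {"type": "Package", "title": "telnet", "parameters": {"ensure": "absent"}},
]}}
DEV_CATALOG = {"name": "myhost", "resources": [
    {"type": "File", "title": "/etc/ssh/sshd_config",
     "parameters": {"ensure": "file", "owner": "root", "mode": "0644"}},  # loosened
    {"type": "Package", "title": "openssh-server", "parameters": {"ensure": "present"}},
    {"type": "Service", "title": "sshd", "parameters": {"ensure": "running"}},
]}

if __name__ == "__main__":
    d = diff_catalogs(PROD_CATALOG, DEV_CATALOG)
    for kind in ("added", "removed"):
        for rtype, title in d[kind]:
            print(f"{kind}: {rtype}[{title}]")
    for (rtype, title), delta in d["changed"].items():
        for param, (a, b) in delta.items():
            print(f"changed: {rtype}[{title}] {param}: {a!r} -> {b!r}")
    raise SystemExit(1 if has_changes(d) else 0)
```

On the sample data the report shows the dropped `Package[telnet]` absent-enforcement, the new `Service[sshd]`, and the sshd_config mode going from 0600 to 0644, which is exactly the kind of "maybe unwanted" change the pipeline exists to catch before the agents run. Because every compile gets its own ssldir, the CA files the thread lists are regenerated per run and thrown away; if that cost matters, seed the scratch ssldir from a pre-generated, test-only CA as the last post suggests, never from the production master's.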
