Unable to bootstrap modern Puppet-agent versions via cloud-config. How to set "certname=%i.%f"?


Martijn

Nov 7, 2017, 12:04:50 PM
to Puppet Users
Hi all,

We deploy Ubuntu 14.04 and 16.04 instances in AWS and use cloud-init to bootstrap them. Specifically we pass them user-data in 'cloud-config' yaml format (one of the formats that cloud-init understands).

Now that we've migrated to Puppet 4.10+ I'm having trouble finding the correct syntax to dynamically set the certname for the agent. I'd like the certname to contain the instance-id and the fqdn. It seems the Cloud-config format was never updated to deal with modern Puppet versions.

Previously, with Puppet 3.x we used the following:

<snip>
fqdn: test01.example.com
apt:
  sources:
    puppetlabs.list:
      source: "deb http://apt.puppetlabs.com $RELEASE main dependencies"
      keyid: 6F6B15509CF8E59E6E469F327F438280EF8D349F

apt_update: true
apt_upgrade: true
packages:
 - puppet
puppet:
  conf:
    agent:
      server: "puppet.example.com"
      certname: "%i.%f"

The last hash (puppet.conf.agent) would generate a file /etc/puppet/puppet.conf containing a line like certname=i-197f2394.test01.example.com which was fine for Puppet 3, but not 4 or 5.

For Puppet 4 the correct path is /etc/puppetlabs/puppet/puppet.conf but cloud-init doesn't appear to know that so I came up with the following new cloud-config that simply writes the correct file:

<snip>
fqdn: test01.example.com
apt:
  sources:
    puppetlabs-pc1.list:
      source: "deb http://apt.puppetlabs.com $RELEASE PC1"
      keyid: 6F6B15509CF8E59E6E469F327F438280EF8D349F
package_update: true
package_upgrade: true
packages:
  - puppet-agent
write_files:
  - path: /etc/puppetlabs/puppet/puppet.conf
    content: |
        [agent]
        certname="%i.%f"
        server=puppet.insiders.nl

Unfortunately, the %i and %f variables are never replaced by the instance-id and fqdn, as they were previously. I've tried half a dozen variations, but none appear to work. Variable interpolation appears to be limited to the old "puppet.conf.agent" style.

How do *you* bootstrap your Puppet nodes on AWS?
How do you dynamically set the certname these days?

Thanks, Martijn

Poil

Nov 7, 2017, 10:21:24 PM
to puppet...@googlegroups.com, Martijn
Hey,

Why not just create a symlink?

Also, you should open a bug report: https://launchpad.net/cloud-init

Best regards,


Martijn Heemels

Nov 8, 2017, 2:32:41 PM
to puppet...@googlegroups.com
Hmm, why didn’t I think of that. :D That should work fine for now. I’ll file a bug report at Launchpad.

Thanks, Martijn


Martijn

Nov 9, 2017, 10:56:36 AM
to Puppet Users
I just tested the following snippet and it turns out it doesn't work.

packages:
  - puppet-agent
puppet:
  conf:
    agent:
      server: "puppet.example.com"
      certname: "%i.%f"

runcmd:
  - [ ln, -s, /etc/puppet/puppet.conf, /etc/puppetlabs/puppet/puppet.conf ]

The symlinking works fine, but apparently setting [puppet.conf.agent] implicitly installs the old "puppet" package (v3.x), which conflicts with the "puppet-agent" package installed a few lines before and causes it to be removed. You end up with just puppet 3.x installed. Not what I'd expect.

Any other ideas?

I'd still like to hear how others bootstrap their AWS instances with Puppet PC1 or newer? Maybe by a different cloud-init method?

Regards, Martijn
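
Added example, not written by anyone in this thread: because write_files copies its content verbatim, the %i/%f expansion described above can be done by a small script that cloud-config runs after puppet-agent is installed. The function names, the "apply" argument and the instance-id path under /var/lib/cloud are assumptions of this example. The inputs are checked against the character set Puppet recommends for certnames, so a malformed value cannot add extra lines to puppet.conf.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of cloud-init or Puppet).

# expand_certname TEMPLATE INSTANCE_ID FQDN -> prints the expanded certname
expand_certname() {
    tmpl=$1 iid=$2 fqdn=$3
    # Accept only hostname-safe characters; anything else (spaces,
    # newlines, '=' ...) is rejected before it can reach puppet.conf.
    for v in "$iid" "$fqdn"; do
        case $v in
            ''|*[!A-Za-z0-9._-]*) echo "unsafe value: $v" >&2; return 1 ;;
        esac
    done
    out=$(printf '%s' "$tmpl" | sed -e "s/%i/$iid/g" -e "s/%f/$fqdn/g")
    # Puppet certnames should be lowercase.
    printf '%s\n' "$out" | tr 'A-Z' 'a-z'
}

# write_agent_conf FILE SERVER CERTNAME -> writes a minimal [agent] section
write_agent_conf() {
    conf=$1 server=$2 certname=$3
    mkdir -p "$(dirname "$conf")" || return 1
    ( umask 022
      printf '[agent]\ncertname=%s\nserver=%s\n' "$certname" "$server" > "$conf" )
}

# On an instance: read the instance-id cached by cloud-init (assumed path)
# and the FQDN from hostname -f. Runs only when invoked with "apply".
if [ "${1:-}" = apply ]; then
    iid=$(cat /var/lib/cloud/data/instance-id) &&
    cn=$(expand_certname '%i.%f' "$iid" "$(hostname -f)") &&
    write_agent_conf /etc/puppetlabs/puppet/puppet.conf puppet.example.com "$cn"
fi
```

The script overwrites the target file, as the write_files entry in the original post does.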
