ReleaseEngineering/PuppetAgain/Puppetmasters
The masters update their manifests from mercurial once every 5 minutes, with a bit of "splay" added (so it does not always occur on the 5-minute mark). Any errors during the update are emailed, as well as a diff of the manifests when they change; the latter forms a kind of change control.
Within releng, the puppet master should respond at the unqualified hostname puppet. This should also be adjustable through manifests/settings.pp.
Cert Signing
A sysadmin asked the Architect, "What's the best way to install a new system?" The Architect answered, "Turn it on." The sysadmin was enlightened.
All of our installation tools are scriptable. These tools are responsible for fetching a signed certificate from the puppet master and installing it on the client before its first boot. This transaction IS be authenticated using a protected secret. Non-Mozilla users can simply omit this part of the setup and sign certificates by hand.
That secret takes the form of an SSH private key. This "deploykey" is added to the image by a means that depends on the install process, and is used by the puppetize.sh script to contact the puppetmaster. The key does not allow login, but generates and returns a puppet certificate for the machine connecting to it.