This module handles installing, updating, and running puppet master. This setup uses Apache and mod_passenger. Puppet masters doesn't sign client certificates. They are generated by a self signed CA (on cruncher).
Masters update themselves by puppet::periodic (ReleaseEngineering/PuppetAgain/Modules/puppet).
To keep the list of revoced certificates (CRL) up to date, masters fetch the CRL from CA by a cron job and gracefuly restart apache.
Creation of new certificates is guarded by a password, using the username 'deploy'
- the cleartext password
- always 'deploy'
- the htpasswd-hashed version of the password. Generate with htpasswd -n - deploy and only include the portion after "deploy:" in the secrets file