ReleaseEngineering/PuppetAgain/Modules/puppetmaster

From MozillaWiki

This module handles installing, updating, and running the puppet master. This setup uses Apache and mod_passenger. Puppet masters don't sign client certificates. Client certificates are generated by a self-signed CA (on cruncher).

Installation

See ReleaseEngineering/PuppetAgain/HowTo/Set up a standalone puppetmaster

Updates

Masters update themselves by puppet::periodic (ReleaseEngineering/PuppetAgain/Modules/puppet).

CRL sync

To keep the certificate revocation list (CRL) up to date, masters fetch the CRL from the CA with a cron job and gracefully restart Apache.
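
A sketch of such a sync job, as an added example that is not the module's own cron script. The CA URL, the file paths and the apachectl call are assumptions (placeholders). It goes slightly beyond the description above by checking the CRL signature before installing it and by restarting Apache only when the CRL has changed.

```shell
#!/bin/sh
# Added example, not the module's own cron script. The URL, file paths and
# the reload command are assumptions (placeholders); adjust for your masters.
CRL_URL="${CRL_URL:-https://ca.example.invalid/ca_crl.pem}"  # placeholder
CRL_DEST="${CRL_DEST:-/path/to/ssl/ca_crl.pem}"              # placeholder
CA_CERT="${CA_CERT:-/path/to/ssl/ca_crt.pem}"                # placeholder
FETCH="${FETCH:-fetch_crl}"          # called as: $FETCH <url> <outfile>
VALIDATE="${VALIDATE:-validate_crl}" # called as: $VALIDATE <file>
RELOAD="${RELOAD:-apachectl graceful}"

fetch_crl() {
    curl --fail --silent --show-error --max-time 30 -o "$2" "$1"
}

# Accept the download only if it parses as a PEM CRL and its signature
# verifies against the CA certificate already present on the master.
validate_crl() {
    openssl crl -in "$1" -CAfile "$CA_CERT" -noout 2>&1 | grep -q '^verify OK'
}

# Returns 0 = new CRL installed and Apache reloaded, 1 = CRL unchanged,
# 2 = fetch/validation/install failed (the existing CRL is left in place).
sync_crl() {
    tmp=$(mktemp "${CRL_DEST}.XXXXXX") || return 2
    if ! $FETCH "$CRL_URL" "$tmp" || ! $VALIDATE "$tmp"; then
        rm -f "$tmp"
        return 2
    fi
    if [ -f "$CRL_DEST" ] && cmp -s "$tmp" "$CRL_DEST"; then
        rm -f "$tmp"
        return 1
    fi
    # Same-directory rename, so Apache never reads a half-written file.
    if ! { chmod 0644 "$tmp" && mv -f "$tmp" "$CRL_DEST"; }; then
        rm -f "$tmp"
        return 2
    fi
    $RELOAD
}

# Run only when asked to, e.g. from cron: /path/to/sync_crl.sh --run
if [ "${1:-}" = "--run" ]; then
    sync_crl
fi
```

A job that keeps returning 2 leaves the master enforcing a stale CRL, so the exit status is worth monitoring.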

Secrets

Creation of new certificates is guarded by a password, using the username 'deploy'.

deploy_password
the cleartext password
deploy_username
always 'deploy'
puppetmaster_deploy_htpasswd
the htpasswd-hashed version of the password. Generate with htpasswd -n - deploy and only include the portion after "deploy:" in the secrets file.