Ubuntu UEC/EC2 Puppet Client Howto

Tags: , , , , , , , ,


Configuring an amazon EC2 image to associate itself with your puppet master on boot was once an involved manual process requiring custom boot scripts and hand-rolling your own AMI. With the UEC (Ubuntu Enterprise Cloud) AMIs this is much more straightforward. As long as you use an AMI from this list you’ll be able to pass information about the puppet master into the user-data field when booting the instance.

Simply modify the following and place it in the user-data field when booting your instance to automatically connect to your puppet master.

Note: indentation counts!

#cloud-config
#
# This is an example file to automatically setup and run puppetd
# when the instance boots for the first time.
# Make sure that this file is valid yaml before starting instances.
# It should be passed as user-data when starting the instance.
puppet:
 # Every key present in the conf object will be added to puppet.conf:
 # [name]
 # subkey=value
 #
 # For example the configuration below will have the following section
 # added to puppet.conf:
 # [puppetd]
 # server=puppetmaster.example.org
 # certname=i-0123456.ip-X-Y-Z.cloud.internal
 #
 # The puppmaster ca certificate will be available in 
 # /var/lib/puppet/ssl/certs/ca.pem
 conf:
   puppetd:
     server: "puppetmaster.mydomain.com"
     # certname supports substitutions at runtime:
     #   %i: instanceid 
     #       Example: i-0123456
     #   %f: fqdn of the machine
     #       Example: ip-X-Y-Z.cloud.internal
     #
     # NB: the certname will automatically be lowercase as required by puppet
     certname: "%i-%f"
   # ca_cert is a special case. It won't be added to puppet.conf.
   # It holds the puppetmaster certificate in pem format. 
   # It should be a multi-line string (using the | yaml notation for 
   # multi-line strings).
   # The puppetmaster certificate is located in 
   # /var/lib/puppet/ssl/ca/ca_crt.pem on the puppetmaster host.
   #
   ca_cert: |
     -----BEGIN CERTIFICATE-----
     MIICKTCCAZKgAwIBAgIBATANBgkqhkiG9w0BAQUFADAdMRswGQYDVQQDDBJzZXJ2
     ZXIuZGNzdGVhbS5jb20wHhcNMTAwODI4MjAyNTE1WhcNMTUwODI3MjAyNTE1WjAd
     MRswGQYDVQQDDBJzZXJ2ZXIuZGNzdGVhbS5jb20wgZ8wDQYJKoZIhvcNAQEBBQAD
     gY0AMIGJAoGBANvMoMdOBfBWinFsfAIvEhnCHI73AUeAZYuOmIE3FeZwoHDvY/To
     y9zzgVSXTmXE9GSQUiOJ6jq/xFpfClPSGJb+KLDWAt+gCVTI8RaMsFCnyltFpBaP
     KnT6P0nwMrrNgxEpZ2U8qIiqibqOzabcdp3X183N8uQEumnfmhmm8i1ZAgMBAAGj
     eTB3MDgGCWCGSAGG+EIBDQQrFilQdXBwZXQgUnVieS9PcGVuU1NMIEdlbmVyYXRl
     ZCBDZXJ0aWZpY2F0ZTAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQwtldWP7Gf
     +469Ywmr8KaM23DEfTALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQEFBQADgYEArbaS
     3TZP5Tn+E6Vn8souVD8e4UG1jSeGeb639cGUyMSJBOhKQ0gGYtsmx84cu8wVCXFx
     KfJsWhxWFNZ/0RapuhOg5uGJLDJNuC6QCXRjh/T+Bk1oMNif6noBi6ObhubFRWJd
     e3B9hRPbAaTMg6cpA/3bvQT5LyvwsN4D6VkT4sw=
     -----END CERTIFICATE-----

That’s really all there is to it! Give the machine a few minutes to initialize and soon you will see a new certificate waiting to be signed by puppetca!


Thanks to this post.

Join the Conversation