Ubuntu UEC/EC2 Puppet Client Howto


Configuring an Amazon EC2 image to register itself with your puppet master on boot used to be an involved manual process: custom boot scripts and a hand-rolled AMI. With the UEC (Ubuntu Enterprise Cloud) AMIs it is much more straightforward. As long as you use an AMI from this list, the image runs cloud-init at first boot, which reads a #cloud-config document from the user-data field and sets up the Puppet agent from it, so all you have to do is pass the puppet master details there when launching the instance.

Modify the following (at minimum the server name and the CA certificate) and place it in the user-data field when booting your instance, and the instance will connect to your puppet master on its own.

Note: indentation counts!

#cloud-config
#
# This is an example file to automatically set up and run puppetd
# when the instance boots for the first time.
# Make sure that this file is valid YAML before starting instances.
# It should be passed as user-data when starting the instance.
puppet:
 # Every key present in the conf object will be added to puppet.conf:
 # [name]
 # subkey=value
 #
 # For example the configuration below will have the following section
 # added to puppet.conf (certname shown after substitution and lowercasing):
 # [puppetd]
 # server=puppetmaster.mydomain.com
 # certname=i-0123456-ip-X-Y-Z.cloud.internal
 #
 # The puppetmaster CA certificate will be available in
 # /var/lib/puppet/ssl/certs/ca.pem
 conf:
   # [puppetd] is the agent section name in Puppet 0.25.x (the version
   # shipped with Ubuntu 10.04); Puppet 2.6 and later call it [agent].
   puppetd:
     server: "puppetmaster.mydomain.com"
     # certname supports substitutions at runtime:
     #   %i: instanceid
     #       Example: i-0123456
     #   %f: fqdn of the machine
     #       Example: ip-X-Y-Z.cloud.internal
     #
     # NB: the certname will automatically be lowercased as required by puppet
     certname: "%i-%f"
   # ca_cert is a special case. It won't be added to puppet.conf.
   # It holds the puppetmaster's CA certificate in PEM format.
   # It should be a multi-line string (using the | yaml notation for
   # multi-line strings).
   # The CA certificate is located in
   # /var/lib/puppet/ssl/ca/ca_crt.pem on the puppetmaster host
   # (not the master's own host certificate under ssl/certs/).
   # Replace the certificate below with the one from your own puppetmaster.
   #
   ca_cert: |
     -----BEGIN CERTIFICATE-----
     MIICKTCCAZKgAwIBAgIBATANBgkqhkiG9w0BAQUFADAdMRswGQYDVQQDDBJzZXJ2
     ZXIuZGNzdGVhbS5jb20wHhcNMTAwODI4MjAyNTE1WhcNMTUwODI3MjAyNTE1WjAd
     MRswGQYDVQQDDBJzZXJ2ZXIuZGNzdGVhbS5jb20wgZ8wDQYJKoZIhvcNAQEBBQAD
     gY0AMIGJAoGBANvMoMdOBfBWinFsfAIvEhnCHI73AUeAZYuOmIE3FeZwoHDvY/To
     y9zzgVSXTmXE9GSQUiOJ6jq/xFpfClPSGJb+KLDWAt+gCVTI8RaMsFCnyltFpBaP
     KnT6P0nwMrrNgxEpZ2U8qIiqibqOzabcdp3X183N8uQEumnfmhmm8i1ZAgMBAAGj
     eTB3MDgGCWCGSAGG+EIBDQQrFilQdXBwZXQgUnVieS9PcGVuU1NMIEdlbmVyYXRl
     ZCBDZXJ0aWZpY2F0ZTAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQwtldWP7Gf
     +469Ywmr8KaM23DEfTALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQEFBQADgYEArbaS
     3TZP5Tn+E6Vn8souVD8e4UG1jSeGeb639cGUyMSJBOhKQ0gGYtsmx84cu8wVCXFx
     KfJsWhxWFNZ/0RapuhOg5uGJLDJNuC6QCXRjh/T+Bk1oMNif6noBi6ObhubFRWJd
     e3B9hRPbAaTMg6cpA/3bvQT5LyvwsN4D6VkT4sw=
     -----END CERTIFICATE-----

That's really all there is to it! Give the machine a few minutes to initialize and a new certificate request will show up on the puppetmaster; list it with puppetca --list and sign it with puppetca --sign followed by the certname. A few things worth checking before you sign: the certificate in the listing above is the author's own CA certificate, so substitute the ca_crt.pem from your puppetmaster or the agent will refuse to talk to it; the certname is built from the instance id, so confirm it belongs to an instance you actually launched rather than enabling autosign for everything; and remember that anything in user-data can be read by any process on the instance through the metadata service, which is fine for a public CA certificate but not for anything secret.
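The two mistakes that most often turn this into an hour of staring at an SSL error on the instance are a line dropped from the base64 body while pasting, and pasting the master's host certificate instead of its CA certificate. The following helper, added here and not part of cloud-init, Puppet or the original post, checks the PEM block for both, builds the #cloud-config text, and previews the puppet.conf section the instance will end up with. It assumes the behaviour the listing's comments describe (every key under conf: becomes a [section] key=value line, ca_cert goes to a file instead, certname has %i and %f substituted and is lowercased); CONF is a constructed sample, and the certificate is the one from the listing above, reused only as sample input.

```python
"""Sanity-check the ca_cert and preview what cloud-init's puppet module will
write, as the listing's comments describe it. Hypothetical helper written for
this page, not part of cloud-init or Puppet."""
import base64
import binascii
import re

USER_DATA_LIMIT = 16 * 1024  # EC2 accepts at most 16 KiB of user-data.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)
# OID 2.5.29.19 (basicConstraints) and the DER encoding of the value CA:TRUE.
BASIC_CONSTRAINTS_OID = b"\x06\x03\x55\x1d\x13"
CA_TRUE_VALUE = b"\x04\x05\x30\x03\x01\x01\xff"

# Sample input: the CA certificate from the listing above.
CA_PEM = """-----BEGIN CERTIFICATE-----
MIICKTCCAZKgAwIBAgIBATANBgkqhkiG9w0BAQUFADAdMRswGQYDVQQDDBJzZXJ2
ZXIuZGNzdGVhbS5jb20wHhcNMTAwODI4MjAyNTE1WhcNMTUwODI3MjAyNTE1WjAd
MRswGQYDVQQDDBJzZXJ2ZXIuZGNzdGVhbS5jb20wgZ8wDQYJKoZIhvcNAQEBBQAD
gY0AMIGJAoGBANvMoMdOBfBWinFsfAIvEhnCHI73AUeAZYuOmIE3FeZwoHDvY/To
y9zzgVSXTmXE9GSQUiOJ6jq/xFpfClPSGJb+KLDWAt+gCVTI8RaMsFCnyltFpBaP
KnT6P0nwMrrNgxEpZ2U8qIiqibqOzabcdp3X183N8uQEumnfmhmm8i1ZAgMBAAGj
eTB3MDgGCWCGSAGG+EIBDQQrFilQdXBwZXQgUnVieS9PcGVuU1NMIEdlbmVyYXRl
ZCBDZXJ0aWZpY2F0ZTAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQwtldWP7Gf
+469Ywmr8KaM23DEfTALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQEFBQADgYEArbaS
3TZP5Tn+E6Vn8souVD8e4UG1jSeGeb639cGUyMSJBOhKQ0gGYtsmx84cu8wVCXFx
KfJsWhxWFNZ/0RapuhOg5uGJLDJNuC6QCXRjh/T+Bk1oMNif6noBi6ObhubFRWJd
e3B9hRPbAaTMg6cpA/3bvQT5LyvwsN4D6VkT4sw=
-----END CERTIFICATE-----
"""
# Constructed sample: the conf: mapping from the listing.
CONF = {
    "puppetd": {"server": "puppetmaster.mydomain.com", "certname": "%i-%f"},
    "ca_cert": CA_PEM,
}


def check_ca_pem(pem):
    """Return the DER bytes of a PEM CA certificate, or raise ValueError.
    Catches a line dropped from the base64 body and a host certificate
    pasted in place of the CA certificate."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no BEGIN/END CERTIFICATE markers")
    try:
        der = base64.b64decode("".join(m.group(1).split()), validate=True)
    except binascii.Error as e:
        raise ValueError("body is not valid base64: %s" % e)
    # DER: one outer SEQUENCE whose encoded length must cover every byte
    # present, so a truncated paste fails this comparison.
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    if der[1] & 0x80:
        nbytes = der[1] & 0x7F
        header, length = 2 + nbytes, int.from_bytes(der[2:2 + nbytes], "big")
    else:
        header, length = 2, der[1]
    if header + length != len(der):
        raise ValueError("DER length %d, %d bytes present" % (header + length, len(der)))
    # Heuristic: basicConstraints CA:TRUE must follow its OID (possibly
    # after the 01 01 FF "critical" flag).
    i = der.find(BASIC_CONSTRAINTS_OID)
    if i < 0 or CA_TRUE_VALUE not in der[i:i + 16]:
        raise ValueError("not a CA certificate: paste ssl/ca/ca_crt.pem, "
                         "not the master's host certificate")
    return der


def expand_certname(template, instance_id, fqdn):
    """%i -> instance id, %f -> fqdn, then lowercase."""
    return template.replace("%f", fqdn).replace("%i", instance_id).lower()


def puppet_conf_preview(conf, instance_id, fqdn):
    """Render the puppet.conf sections the conf: mapping produces."""
    out = []
    for section, options in conf.items():
        if section == "ca_cert":  # written to a file, not to puppet.conf
            continue
        out.append("[%s]" % section)
        for key, value in options.items():
            if key == "certname":
                value = expand_certname(value, instance_id, fqdn)
            out.append("%s=%s" % (key, value))
    return "\n".join(out) + "\n"


def render_user_data(conf):
    """Emit the #cloud-config text to paste into the user-data field; values
    are double-quoted because a plain YAML scalar may not start with %."""
    check_ca_pem(conf["ca_cert"])
    lines = ["#cloud-config", "puppet:", "  conf:"]
    for section, options in conf.items():
        if section != "ca_cert":
            lines.append("    %s:" % section)
            lines += ['      %s: "%s"' % kv for kv in options.items()]
    lines.append("    ca_cert: |")
    lines += ["      " + l for l in conf["ca_cert"].strip().splitlines()]
    text = "\n".join(lines) + "\n"
    if len(text.encode("utf-8")) > USER_DATA_LIMIT:
        raise ValueError("user-data exceeds EC2's 16 KiB limit")
    return text
```

From a Python prompt, render_user_data(CONF) gives the text to paste and puppet_conf_preview(CONF, "i-0123456", "ip-10-0-0-1.cloud.internal") shows the [puppetd] section the agent will end up with. If PyYAML is installed, python -c 'import sys, yaml; yaml.safe_load(sys.stdin)' < user-data.yaml is a cheap last check that the pasted file really is valid YAML, which the listing's own comment asks for.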


Thanks to this post.