Add Nodes for the Puppet Master to Manage
Important
The AWS OpsWorks for Puppet Enterprise service reached end of life on March 31, 2024 and has been disabled for both new and existing customers. We strongly recommend customers migrate
their workloads to other solutions as soon as possible. If you have questions about migration, reach out to the AWS Support Team on AWS re:Post
The recommended way to add nodes is by using the AWS OpsWorks associateNode() API.
The Puppet Enterprise master server hosts a repository that you use to install the Puppet
agent software on nodes that you want to manage, whether nodes are on-premises physical
computers or virtual machines. Puppet agent software for some operating systems is
installed on the OpsWorks for Puppet Enterprise server as part of the launch process. The following table shows
the operating system agents that are available on your OpsWorks for Puppet Enterprise server at launch.
| Supported operating system | Versions |
|---|---|
| Ubuntu | 16.04, 18.04, 20.04 |
| Red Hat Enterprise Linux (RHEL) | 6, 7, 8 |
| Windows | 64-bit editions of all Puppet-supported |
You can add puppet-agent to your server for other operating systems. Be
aware that system maintenance will delete agents that you have added to your server after
launch. Although most existing attached nodes that are already running the deleted agent
continue to check in, nodes running Debian operating systems can stop reporting. We
recommend that you manually install puppet-agent on nodes that are running
operating systems for which the agent software is not preinstalled on your OpsWorks for Puppet Enterprise server.
For detailed information about how to make puppet-agent available on your
server for nodes with other operating systems, see Installing
agents
For information about how to associate nodes with your Puppet master automatically by populating EC2 instance user data, see Adding Nodes Automatically in OpsWorks for Puppet Enterprise.
Run associateNode() API calls
After you add nodes by installing puppet-agent, nodes send certificate
signing requests (CSRs) to the OpsWorks for Puppet Enterprise server. You can view the CSRs in the Puppet
console; for more information about node CSRs, see Managing certificate signing requestsassociateNode() API call processes node CSRs, and associates
the node with your server. The following is an example of how to use this API call in
the AWS CLI to associate a single node. You will need the PEM-formatted CSR that the node
sends; you can get this from the Puppet console.
aws opsworks-cm associate-node --server-name "test-puppet-server" --node-name "node or instance ID" --engine-attributes "Name=PUPPET_NODE_CSR,Value='PEM_formatted_CSR_from_the_node'
For more information about how to add nodes automatically by using
associateNode(), see Adding Nodes Automatically in OpsWorks for Puppet Enterprise.
Considerations for Adding On-premises Nodes
After you have installed puppet-agent on your on-premises computers or
virtual machines, you can use either of two ways to associate on-premises nodes with
your OpsWorks for Puppet Enterprise master.
-
If a node supports installation of the AWS SDK
, AWS CLI , or AWS Tools for PowerShell , you can use the recommended method for associating a node, which is to run an associateNode()API call. The starter kit that you download when you first create an OpsWorks for Puppet Enterprise master shows how to assign roles to nodes by using tags. You can apply tags at the same time that you are associating nodes with the Puppet master by specifying trusted facts in the CSR. For example, the demo control repository that is included with the starter kit is configured to use the tagpp_roleto assign roles to Amazon EC2 instances. For more information about how to add tags to a CSR as trusted facts, see Extension requests (permanent certificate data)in the Puppet platform documentation. -
If the node cannot run AWS management or development tools, you can still register it with your OpsWorks for Puppet Enterprise master the same way you would register it with any unmanaged Puppet Enterprise master. As mentioned in this topic, installing
puppet-agentsends a CSR to the OpsWorks for Puppet Enterprise master. An authorized Puppet user can sign the CSR manually, or configure automatic signing of CSRs by editing theautosign.conffile that is stored on the Puppet master. For more information about configuring autosigning and editingautosign.conf, see SSL configuration: autosigning certificate requestsin the Puppet platform documentation.
To associate on-premises nodes with a Puppet master and allow the Puppet master to
accept all CSRs, do the following in the Puppet Enterprise console. The parameter that
controls the behavior is
puppet_enterprise::profile::master::allow_unauthenticated_ca.
Important
Enabling the Puppet master to accept self-signed CSRs or all CSRs is not recommended for security reasons. By default, allowing unauthenticated CSRs makes a Puppet master accessible to the world. Setting the upload of certificate requests to be enabled by default can make your Puppet master vulnerable to denial of service (DoS) attacks.
-
Sign in to the Puppet Enterprise console.
-
Choose Configure, choose Classification, choose PE Master, and then choose the Configuration tab.
-
On the Classification tab, locate the class puppet_enterprise::profile::master.
-
Set the value of the allow_unauthenticated_ca parameter to true.
-
Save your changes. Your changes are applied during the next Puppet run. You can allow 30 minutes for changes to take effect (and on-premises nodes to be added), or you can initiate a Puppet run manually in the Run section of the PE console.
More Information
Visit the Learn Puppet tutorial site
