Control server based provisioning : Credentials

Provisioning tools like puppet and ansible can operate in two modes

  1. Master slave [control server mode]
  2. Standalone

In the control server mode, there is a process running on the master (control server) which could be used to either manually or automatically provision a new machine. In standalone mode, the puppet or ansible scripts are downloaded to the machine that you want to provision and executed from there.

One problem with Standalone mode is credential information. Regardless of whether your provisioning code is open source (eg github) or not, it is a bad idea to check in credential information into the source code. The provisioning script thus would have to download the credential information from a central and controlled location securely.

Though storing credential information on a central server solves the problem, setting up and running a server process and maintaining it is additional cost that one would have to incur. For small scale automations, the most cost effective strategy might be to manually enter the credential information when you are provisioning a machine. This could be tricky if you would provisioning in the standalone mode, but natural when you are using a control server to configure your machines.

Ansible solves this problem beautifully by allowing you to specify prompts that will get this information at run time from the systems administrator. Given that we are provisioning at most eight machines, we find this strategy more effective than the standlone setup.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s