At work we leverage Puppet for management of our infrastructure. While tools like Ansible seem to get a lot more love in the industry due to things like being based on Python (Puppet is Ruby-based) and using YAML for its definitions (Puppet has its own DSL, or Domain Specific Language), it works extremely well for our environment as many of the nodes can’t be phoned into via SSH the way Ansible needs. Similarly, installing an agent on each node isn’t a problem as they’re all Linux servers; we don’t need to worry about management of infrastructure that can’t do so, like networking hardware.
Since we don’t have a massive environment, we just leverage the open source version of Puppet rather than Puppet Enterprise. It’s a solid product that works well for us, but occasionally the documentation can be a bit sparse, making some things trickier to figure out than you may expect. One of those things is the proper way to remove a node. On the host side it’s simple enough to remove the agent and any files in /etc/puppetlabs
, but the bigger concern for me is how to clean up the node on the Puppet Master. On one hand you could say that simply leaving the certificate and metadata on the Puppet Master doesn’t really hurt anything. On the other hand, I don’t like the idea of leaving garbage lingering on my server. Similarly, we have several checks in our monitoring tool that ensure nodes are checking in with the Puppet Master and alert us when a node has missed multiple consecutive checks; leaving metadata about a node that shouldn’t be a part of the ecosystem anymore would cause false positives to trigger constantly.
After a bit of searching the following seems to work well enough for me:
sudo puppetserver ca revoke --certname {cert_name}
sudo puppetserver ca clean --certname {cert_name}
This process will revoke the given certificate and then clean up any of the metadata about the device. It also removes the certificate while the Puppet service is still running; if you attempt to manually run the delete command on a revoked certificate, you normally receive an error that this can only be done when the service is stopped. If you need to see all of the certificates in the environment to get the name, you can use:
sudo puppetserver ca list --all
If you omit the --all
, then the command will only give you certificates that are pending approval.