is it possible to have a script/trigger/plugin run on instance creation/deletion?

i have a need to have a simple script/trigger/plugin, whatever you want to call it, run when an instance is created and/or when an instance is deleted. I would simply need the instance name(or, IP), as input. I've been searching around and haven't found any examples of such functionality, is there a mechanism for something like this in Nova/openstack?

For further explanation, this is for dealing with Puppet certificates, as well as resources/facts. I need to not only mark resources which existed on instances which no longer exist as expired, but also need to automatically clean up instances certificates when they come down, so another instance on the same ip (and thus, in our environment, same hostname), can successfully provision itself.

I've done this with many other...."traditional" provisioning systems (cobbler, etc) and am struggling to find a way to hook this into Nova/Openstack. I would prefer to have the controller system(s) fire this, not the instances themselves, for security purposes. My site can be thought of as a single tenant site, so we want this to happen for ALL instances (it fails gracefully anyways), regardless of image/tenant/project/flavor/etc.