Puppet Roles & Profiles Using Trusted Facts
Roles, Profiles & Trusted Facts!
Puppet Meetup, 23rd Feb 2016
Stephen Wallace https://au.linkedin.com/in/stephenwallace
@stphnwallace
What do I do?
• Help people (companies) stay relevant in a fast moving world
• Build people, which builds teams. Collaborative Economy
• Help enough people get what they want…
What Are Roles & Profiles?
• An area of confusion!
• Role….business speak
• Profile….tech stacks…think Lego
• Classification….role only!
• IT facilitates the business, right?
• Quick peek at site.pp
How can we apply a role?
• /etc/puppetlabs/facter/facts.d/BLAH
• export FACTER_role=thingo
• custom fact to read a file
• console
Normal vs Trusted Facts
• Normal facts are self-reported by the node, and nothing guarantees their accuracy.
• Trusted facts are extracted from the node’s certificate, which can prove that the CA checked and approved them.
• The variable name $trusted is reserved, so local scopes cannot re-use it.
• Useful for deciding whether a given node should receive sensitive data in its catalogue.
Enabling & Using Trusted Facts
$ sudo puppet config print trusted_node_data immutable_node_data --section master
trusted_node_data = true
immutable_node_data = true
Example:
if $trusted['extensions']['pp_image_name'] == 'storefront_production' {
  include private::storefront::private_keys
}
(*) If trusted facts are enabled, any cert extension can be accessed in manifests as $trusted['extensions'][<EXTENSION OID>]; extensions using the Puppet-registered OIDs from the mapping below appear under their short names instead, which is why the example above can use pp_image_name.
(*) OID / name mapping can be found here - https://docs.puppetlabs.com/puppet/latest/reference/config_file_csr_attributes.html
Setting Trusted Facts
• Extra data for the CSR is read from the csr_attributes.yaml file in Puppet Agent’s $confdir.
• YAML hash containing one or both of the following keys:
• custom_attributes
• extension_requests
• e.g.
  ---
  extension_requests:
    pp_preshared_key: banana
Checking for the CSR OIDs
• cd /etc/puppetlabs/puppet/ssl/ca/requests
• openssl req -noout -text -in ip-172-31-35-224.ap-southeast-2.compute.internal.pem
• Check out the attributes section (the two leading bytes shown as ".." are the DER tag and length of the UTF8String that Puppet wraps each value in):
  Attributes:
      Requested Extensions:
          1.3.6.1.4.1.34380.1.1.4: ..banana
          1.3.6.1.4.1.34380.1.1.13: ..webshop
Cool bananas? :)
Puppet Agent Workflow - Before
• New agent generates certs, and submits CSR.
• Puppet master / CA signs the cert, and the catalog is served.
• Uses cert for auth ongoing.
Puppet Agent Workflow - After
• New agent generates CSR reading in any additional attributes from the csr_attributes.yaml file in the Puppet agent’s $confdir, and submits CSR.
• Puppet master / CA signs the cert, optionally via a (*)policy-based autosigning script, and the catalog is served.
• Uses cert for auth ongoing; the trusted facts are read from that cert every time the agent talks to the Puppet master (PM).
Policy Based Autosigning
• puppet config set --section master autosign /usr/local/bin/autosign-psk.rb
• Can be used for policy based autosigning
• See autosign-psk.rb in appendix
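Both sides of the flow above in one place, as an added example that is not part of the talk or of Puppet's own code: the agent-side encoding of extension_requests into the CSR's extReq attribute (each value is a DER UTF8String inside the extension's OCTET STRING, which is where the ".." bytes in the openssl dump come from), and the CA-side extraction a policy script relies on, generalised to read every requested extension rather than only the first. The certname, the PSK "banana", the role "webshop" and the OID table are constructed test data; pp_role as the name for 1.1.13 comes from Puppet's documented mapping, not from the slides.

```ruby
require "openssl"

# OID/name mapping for the two extensions seen in the slides (pp_preshared_key is
# on the slide; pp_role is Puppet's documented name for 1.1.13).
PP_OIDS = {
  "1.3.6.1.4.1.34380.1.1.4"  => "pp_preshared_key",
  "1.3.6.1.4.1.34380.1.1.13" => "pp_role",
}.freeze

# Agent side: build a CSR carrying extension_requests the way puppet agent encodes
# csr_attributes.yaml. Constructed test data, not a real agent.
def build_csr(certname, extension_requests, key = OpenSSL::PKey::RSA.new(2048))
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([["CN", certname]])
  csr.public_key = key.public_key
  exts = extension_requests.map do |oid, value|
    # value goes in as a DER UTF8String; Extension.new stores it as the OCTET STRING body
    OpenSSL::X509::Extension.new(oid, OpenSSL::ASN1::UTF8String.new(value.to_s).to_der, false)
  end
  ext_req = OpenSSL::ASN1::Set.new([OpenSSL::ASN1::Sequence.new(exts)])
  csr.add_attribute(OpenSSL::X509::Attribute.new("extReq", ext_req))
  csr.sign(key, OpenSSL::Digest::SHA256.new)
end

# CA side: every requested extension as { "<oid>" => "<value>" }, walking all of them
# and unwrapping the DER UTF8String so the value compares equal to what the YAML held.
def extension_requests(csr)
  csr.attributes.each_with_object({}) do |attr, found|
    next unless attr.oid == "extReq"
    attr.value.value.first.value.each do |ext|   # SEQUENCE { OID, [critical], OCTET STRING }
      oid    = ext.value.first.oid               # dotted form even if the OID is unregistered
      octets = ext.value.last.value
      found[oid] = begin
        OpenSSL::ASN1.decode(octets).value       # the Puppet case: DER UTF8String
      rescue OpenSSL::ASN1::ASN1Error
        octets                                   # some other client put raw bytes in
      end
    end
  end
end

# Keys as manifests see them under $trusted['extensions'] (unknown OIDs stay numeric).
def named_extension_requests(csr)
  extension_requests(csr).map { |oid, v| [PP_OIDS.fetch(oid, oid), v] }.to_h
end

# Policy decision: sign only when the CSR carries the expected pre-shared key.
def autosign?(csr, expected_psk)
  named_extension_requests(csr)["pp_preshared_key"] == expected_psk
end
```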
Further Reading
• http://www.sebdangerfield.me.uk/2015/06/puppet-trusted-facts/
• https://docs.puppetlabs.com/puppet/3.8/reference/ssl_attributes_extensions.html#recommended-oids-for-extensions
• https://docs.puppetlabs.com/puppet/latest/reference/ssl_attributes_extensions.html
• https://docs.puppetlabs.com/puppet/latest/reference/config_file_csr_attributes.html
• https://docs.puppetlabs.com/puppet/latest/reference/lang_facts_and_builtin_vars.html#trusted-facts
Appendix 1 - autosign-psk.rb
#!/opt/puppetlabs/puppet/bin/ruby
# Policy-based autosign script: Puppet passes the certname as ARGV[0] and the
# PEM-encoded CSR on stdin; exit status 0 signs the cert, anything else refuses it.
require "openssl"
include OpenSSL

csr = OpenSSL::X509::Request.new $stdin.read
atts = csr.attributes()
if atts.empty?
  exit 1
end

key = nil
atts.each do |a|
  if (a.oid == "extReq")
    # extReq value is SET { SEQUENCE OF Extension }; walk every Extension
    # (not just the first) until pp_preshared_key is found
    a.value.value.first.value.each do |ext|
      if ext.value.first.oid == "1.3.6.1.4.1.34380.1.1.4"
        # the OCTET STRING wraps a DER UTF8String (the ".." before "banana" in
        # the openssl dump), so decode it rather than comparing the raw bytes
        key = OpenSSL::ASN1.decode(ext.value.last.value).value.chomp
      end
    end
  end
end

if key == "banana"
  print "Match\n"
  exit 0
else
  # note: this line writes the submitted key into the master's log
  puts "The key in the CSR is #{key}, no match."
  print "No match\n"
  exit 1
end
Thanks!
• Stephen J Wallace
• Follow for details of CD training event in May 2016 - @stphnwallace / @devopsdan