puppet roles & profiles using trusted facts


Upload: stephen-wallace

Post on 16-Apr-2017


Roles, Profiles & Trusted Facts!

Puppet Meetup, 23rd Feb 2016

Stephen Wallace https://au.linkedin.com/in/stephenwallace

@stphnwallace

Who am I?

Devops contractor

Home brewer

Connector of people (3000+)

What do I do?

• Help people (companies) stay relevant in a fast moving world

• Build people, which builds teams. Collaborative Economy

• Help enough people get what they want…

What Are Roles & Profiles?

• An area of confusion!

• Role….business speak

• Profile….tech stacks…think Lego

• Classification….role only!

• IT facilitates the business, right?

• Quick peek at site.pp

How can we apply a role?

• /etc/puppetlabs/facter/facts.d/BLAH

• export FACTER_role=thingo

• custom fact to read a file

• console

Do you want this flexibility in production?!

export FACTER_role=whatever

Normal vs Trusted Facts

• Normal facts are self-reported by the node, and nothing guarantees their accuracy.

• Trusted facts are extracted from the node’s certificate, which can prove that the CA checked and approved them.

• The variable name $trusted is reserved, so local scopes cannot re-use it.

• Useful for deciding whether a given node should receive sensitive data in its catalogue.

Enabling & Using Trusted Facts

$ sudo puppet config print trusted_node_data immutable_node_data --section master

trusted_node_data = true
immutable_node_data = true

Example:

  if $trusted['extensions']['pp_image_name'] == 'storefront_production' {
    include private::storefront::private_keys
  }

(*) If trusted facts are enabled, any cert extensions can be accessed in manifests as $trusted['extensions']['<EXTENSION OID>'].

(*) OID / name mapping can be found here - https://docs.puppetlabs.com/puppet/latest/reference/config_file_csr_attributes.html

What Other Practical Uses?

• Embed a deployment key ?

• $trusted['extensions']['pp_role'] ?

Setting Trusted Facts

• Extra data for the CSR is read from the csr_attributes.yaml file in Puppet Agent's $confdir.

• YAML hash containing one or both of the following keys:

• custom_attributes

• extension_requests

• e.g.

  ---
  extension_requests:
    pp_preshared_key: banana

Checking for the CSR OIDs

• cd /etc/puppetlabs/puppet/ssl/ca/requests

• openssl req -noout -text -in ip-172-31-35-224.ap-southeast-2.compute.internal.pem

• Check out the attributes section:

  Attributes:
    Requested Extensions:
      1.3.6.1.4.1.34380.1.1.4: ..banana
      1.3.6.1.4.1.34380.1.1.13: ..webshop

Cool bananas? :)

Puppet Agent Workflow - Before

• New agent generates certs, and submits CSR.

• Puppet master / CA signs the cert, and the catalog is served.

• Uses cert for auth ongoing.

Puppet Agent Workflow - After

• New agent generates a CSR, reading in any additional attributes from the csr_attributes.yaml file in the Puppet agent's $confdir, and submits the CSR.

• Puppet master / CA signs the cert with the option for (*)auto-signing policy, and the catalog is served.

• Uses cert for auth ongoing, and trusted facts are read from it when communicating with the Puppet master (PM).

Policy Based Autosigning

• puppet config set --section master autosign /usr/local/bin/autosign-psk.rb

• Can be used for policy-based autosigning

• See autosign-psk.rb in appendix
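The following Ruby is an added worked example, not code from the talk or from Puppet itself. It covers both sides of the workflow above: build_csr produces the CSR an agent would send from the csr_attributes.yaml extension_requests, extension_requests reads every requested extension back by OID on the CA side (the appendix script looks only at the first), and autosign? applies the pre-shared-key policy check. The CN, the "banana"/"webshop" values and the OID-to-name table are assumptions for the demo; the table holds only the two OIDs shown on the "Checking for the CSR OIDs" slide plus pp_image_name.

```ruby
require "openssl"

# Puppet's OID arc for CSR extensions; only the names used in this talk are mapped (assumed table).
PP_OIDS = {
  "1.3.6.1.4.1.34380.1.1.3"  => "pp_image_name",
  "1.3.6.1.4.1.34380.1.1.4"  => "pp_preshared_key",
  "1.3.6.1.4.1.34380.1.1.13" => "pp_role",
}.freeze
# Agent side: build a CSR carrying extension_requests as the agent does from
# csr_attributes.yaml: each value is a DER UTF8String inside the extension's
# OCTET STRING, which is why "openssl req -text" shows it as "..banana".
def build_csr(cn, extension_requests)
  key = OpenSSL::PKey::RSA.new(2048)            # throwaway key for the demo
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([["CN", cn]])
  csr.public_key = key.public_key
  exts = extension_requests.map do |name, value|
    oid = PP_OIDS.key(name) || raise(ArgumentError, "unknown extension #{name}")
    OpenSSL::X509::Extension.new(oid, OpenSSL::ASN1::UTF8String.new(value).to_der, false)
  end
  unless exts.empty?
    ext_req = OpenSSL::ASN1::Set.new([OpenSSL::ASN1::Sequence.new(exts)])
    csr.add_attribute(OpenSSL::X509::Attribute.new("extReq", ext_req))
  end
  csr.sign(key, OpenSSL::Digest::SHA256.new)
  csr.to_pem
end

# CA side: walk every requested extension (not only the first, as the appendix
# script does) into a name => value map: the data $trusted['extensions'] exposes.
def extension_requests(pem)
  csr = OpenSSL::X509::Request.new(pem)
  ext_req = csr.attributes.find { |a| a.oid == "extReq" }
  return {} unless ext_req
  ext_req.value.value.first.value.each_with_object({}) do |ext, out|
    oid = ext.value.first.oid                   # dotted form even when unregistered
    raw = ext.value.last.value                  # OCTET STRING contents
    value = begin
      OpenSSL::ASN1.decode(raw).value           # unwrap the UTF8String
    rescue OpenSSL::ASN1::ASN1Error
      raw                                       # tolerate a bare, non-DER value
    end
    out[PP_OIDS.fetch(oid, oid)] = value
  end
end
# Policy check the CA would run: sign only when the pre-shared key matches.
def autosign?(pem, expected_psk)
  extension_requests(pem)["pp_preshared_key"] == expected_psk
end
```

Run against a real CSR by reading the PEM from /etc/puppetlabs/puppet/ssl/ca/requests and passing it to extension_requests; the printed map is what the manifest later sees as trusted facts.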

Further Reading

• http://www.sebdangerfield.me.uk/2015/06/puppet-trusted-facts/

• https://docs.puppetlabs.com/puppet/3.8/reference/ssl_attributes_extensions.html#recommended-oids-for-extensions

• https://docs.puppetlabs.com/puppet/latest/reference/ssl_attributes_extensions.html

• https://docs.puppetlabs.com/puppet/latest/reference/config_file_csr_attributes.html

• https://docs.puppetlabs.com/puppet/latest/reference/lang_facts_and_builtin_vars.html#trusted-facts

Appendix 1 - autosign-psk.rb

#!/opt/puppetlabs/puppet/bin/ruby
require "openssl"

# Puppet pipes the PEM-encoded CSR to stdin; exit 0 to sign, non-zero to refuse.
csr = OpenSSL::X509::Request.new($stdin.read)

atts = csr.attributes
exit 1 if atts.empty?

key = nil
atts.each do |a|
  next unless a.oid == "extReq"
  # extReq holds a SET of one SEQUENCE of extensions; take the first extension
  val = a.value.value.first.value.first.value
  if val[0].value == "1.3.6.1.4.1.34380.1.1.4"   # pp_preshared_key
    raw = val[1].value
    # The agent wraps the value as a DER UTF8String inside the OCTET STRING
    # (the "..banana" seen in the openssl output), so unwrap it when present.
    key = begin
      OpenSSL::ASN1.decode(raw).value
    rescue OpenSSL::ASN1::ASN1Error
      raw
    end.chomp
  end
end

if key == "banana"
  print "Match\n"
  exit 0
else
  puts "The key in the CSR is #{key}, no match."
  print "No match\n"
  exit 1
end

Thanks!

• Stephen J Wallace

[email protected]

• Follow for details of CD training event in May 2016 - @stphnwallace / @devopsdan