
Puppet Roles, Profiles, and Trusted Facts



How to classify using Puppet's roles and profiles, securing key data with trusted facts.


Stephen J Wallace

February 23, 2016

Transcript

  1. Roles, Profiles & Trusted Facts! Puppet Meetup, 23rd Feb 2016
     Stephen Wallace https://au.linkedin.com/in/stephenwallace @stphnwallace
  2. What do I do?
     • Help people (companies) stay relevant in a fast moving world
     • Build people, which builds teams. Collaborative Economy
     • Help enough people get what they want…
  3. What Are Roles & Profiles?
     • An area of confusion!
     • Role… business speak
     • Profile… tech stacks… think Lego
     • Classification… role only!
     • IT facilitates the business, right?
     • Quick peek at site.pp
  4. How can we apply a role?
     • /etc/puppetlabs/facter/facts.d/BLAH
     • export FACTER_role=thingo
     • custom fact to read a file
     • console
  5. Normal vs Trusted Facts
     • Normal facts are self-reported by the node, and nothing guarantees their accuracy.
     • Trusted facts are extracted from the node’s certificate, which can prove that the CA checked and approved them.
     • The variable name $trusted is reserved, so local scopes cannot re-use it.
     • Useful for deciding whether a given node should receive sensitive data in its catalogue.
  6. Enabling & Using Trusted Facts
     $ sudo puppet config print trusted_node_data immutable_node_data --section master
     trusted_node_data = true
     immutable_node_data = true
     Example:
         if $trusted['extensions']['pp_image_name'] == 'storefront_production' {
           include private::storefront::private_keys
         }
     (*) If trusted facts are enabled, any cert extensions can be accessed in manifests as $trusted['extensions'][<EXTENSION OID>].
     (*) The OID / name mapping can be found here: https://docs.puppetlabs.com/puppet/latest/reference/config_file_csr_attributes.html
  7. What Other Practical Uses?
     • Embed a deployment key?
     • $trusted['extensions']['pp_role']?
  8. Setting Trusted Facts
     • Extra data for the CSR is read from the csr_attributes.yaml file in Puppet Agent’s $confdir.
     • YAML hash containing one or both of the following keys:
       • custom_attributes
       • extension_requests
     • e.g.
         ---
         extension_requests:
           pp_preshared_key: banana
  9. Checking for the CSR OIDs
     • cd /etc/puppetlabs/puppet/ssl/ca/requests
     • openssl req -noout -text -in ip-172-31-35-224.ap-southeast-2.compute.internal.pem
     • Check out the attributes section:
         Attributes:
             Requested Extensions:
                 1.3.6.1.4.1.34380.1.1.4: ..banana
                 1.3.6.1.4.1.34380.1.1.13: ..webshop
       Cool bananas? :)
  10. Puppet Agent Workflow - Before
     • New agent generates certs, and submits CSR.
     • Puppet master / CA signs the cert, and the catalog is served.
     • Uses cert for auth ongoing.
  11. Puppet Agent Workflow - After
     • New agent generates CSR, reading in any additional attributes from the csr_attributes.yaml file in the Puppet agent’s $confdir, and submits CSR.
     • Puppet master / CA signs the cert, with the option of an (*) auto-signing policy, and the catalog is served.
     • Uses cert for auth ongoing, and reads trusted facts when communicating with the Puppet master.
  12. Policy Based Autosigning
     • puppet config set --section master autosign /usr/local/bin/autosign-psk.rb
     • Can be used for policy based autosigning
     • See autosign-psk.rb in appendix
  13. Further Reading
     • http://www.sebdangerfield.me.uk/2015/06/puppet-trusted-facts/
     • https://docs.puppetlabs.com/puppet/3.8/reference/ssl_attributes_extensions.html#recommended-oids-for-extensions
     • https://docs.puppetlabs.com/puppet/latest/reference/ssl_attributes_extensions.html
     • https://docs.puppetlabs.com/puppet/latest/reference/config_file_csr_attributes.html
     • https://docs.puppetlabs.com/puppet/latest/reference/lang_facts_and_builtin_vars.html#trusted-facts
  14. Appendix 1 - autosign-psk.rb
         #!/opt/puppetlabs/puppet/bin/ruby
         require "openssl"
         include OpenSSL

         # The CA hands the PEM-encoded CSR to the autosign script on stdin
         csr = OpenSSL::X509::Request.new $stdin.read
         atts = csr.attributes()
         if atts.empty?
           exit 1
         end

         key = nil
         atts.each do |a|
           if (a.oid=="extReq")
             # first requested extension: [OID, value]
             val = a.value.value.first.value.first.value
             if val[0].value == "1.3.6.1.4.1.34380.1.1.4"
               key = val[1].value
               key = key.chomp
             end
           end
         end

         # exit 0 tells the CA to sign, anything else refuses
         if key == "banana"
           print "Match\n"
           exit 0
         else
           puts "The key in the CSR is #{key}, no match."
           print "No match\n"
           exit 1
         end
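The appendix script only looks at the first requested extension and compares the raw OCTET STRING contents. The script below is an added example, not the deck's autosign-psk.rb, that covers slides 8, 9, 12 and 14 together: it constructs a CSR with the same extension requests an agent would send (pp_preshared_key and pp_role), on the assumption that puppet agent wraps each value as a DER-encoded UTF8String inside the extension (the two leading bytes shown as ".." in the openssl output on slide 9), then parses every requested extension, verifies the CSR's self-signature, compares the pre-shared key in constant time and checks the role against an allowlist. The function names, the sample values and the allowlist are constructed for the example.

```ruby
#!/opt/puppetlabs/puppet/bin/ruby
# Added example: policy-based autosign check for Puppet CSR extension requests.
# Not the deck's autosign-psk.rb; names, sample values and the allowlist are constructed.
require "openssl"

PP_PRESHARED_KEY_OID = "1.3.6.1.4.1.34380.1.1.4"   # pp_preshared_key
PP_ROLE_OID          = "1.3.6.1.4.1.34380.1.1.13"  # pp_role

# Build a CSR carrying extension_requests the way puppet agent does (assumption:
# each value is a UTF8String, DER-encoded inside the extension's OCTET STRING).
# Only used here to construct sample input; a real CSR arrives from the CA.
def build_csr(common_name, extension_requests, key = OpenSSL::PKey::RSA.new(2048))
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([["CN", common_name]])
  csr.public_key = key.public_key
  exts = extension_requests.map do |oid, value|
    OpenSSL::X509::Extension.new(oid, OpenSSL::ASN1::UTF8String.new(value).to_der, false)
  end
  ext_req = OpenSSL::ASN1::Set.new([OpenSSL::ASN1::Sequence.new(exts)])
  csr.add_attribute(OpenSSL::X509::Attribute.new("extReq", ext_req))
  csr.sign(key, OpenSSL::Digest.new("SHA256"))
  csr
end

# Return every requested extension as { dotted_oid => value }, unwrapping the
# UTF8String so that "banana" in the CSR compares equal to the string "banana".
def extension_requests(csr)
  attr = csr.attributes.find { |a| a.oid == "extReq" }
  return {} unless attr
  attr.value.value.first.value.each_with_object({}) do |ext, out|
    oid, *rest = ext.value          # [ObjectId, (optional critical Boolean), OctetString]
    raw = rest.last.value
    out[oid.oid] = begin
      OpenSSL::ASN1.decode(raw).value
    rescue OpenSSL::ASN1::ASN1Error
      raw                           # value was not DER-wrapped; keep it as sent
    end
  end
end

# Constant-time comparison so the PSK check does not leak via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Policy: valid self-signature, correct pre-shared key, role on the allowlist.
# Returns [decision, reason]; an autosign script maps true to exit 0, false to exit 1.
def autosign_decision(csr_pem, expected_psk, allowed_roles)
  csr = OpenSSL::X509::Request.new(csr_pem)
  return [false, "CSR signature invalid"] unless csr.verify(csr.public_key)
  exts = extension_requests(csr)
  psk  = exts[PP_PRESHARED_KEY_OID]
  role = exts[PP_ROLE_OID]
  return [false, "no pp_preshared_key in CSR"] unless psk.is_a?(String)
  return [false, "pre-shared key mismatch"] unless secure_compare(psk, expected_psk)
  return [false, "role #{role.inspect} not on allowlist"] unless allowed_roles.include?(role)
  [true, "ok"]
rescue OpenSSL::X509::RequestError, OpenSSL::ASN1::ASN1Error => e
  [false, "unparseable CSR: #{e.message}"]
end

if __FILE__ == $0
  # With a file argument, check that CSR; otherwise check a constructed sample.
  # (Puppet's own autosign interface hands the CSR over on stdin instead.)
  pem = if ARGV[0]
          File.read(ARGV[0])
        else
          build_csr("demo.example", { PP_PRESHARED_KEY_OID => "banana", PP_ROLE_OID => "webshop" }).to_pem
        end
  ok, reason = autosign_decision(pem, ENV.fetch("AUTOSIGN_PSK", "banana"), %w[webshop])
  puts(ok ? "Match" : "No match: #{reason}")
end
```

Two points the appendix script does not cover are shown here: the role (pp_role, the second OID in the slide 9 output) is checked against an allowlist rather than being ignored, and the signature on the CSR is verified before any attribute is trusted, so a request whose body was altered after signing is refused regardless of its key.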
  15. Thanks!
     • Stephen J Wallace
     • [email protected]
     • Follow for details of CD training event in May 2016 - @stphnwallace / @devopsdan