Puppet Roles, Profiles, and Trusted Facts

How to classify using Puppet's roles and profiles, securing key data with trusted facts.

Stephen J Wallace

February 23, 2016

Transcript

  1. Roles, Profiles & Trusted Facts! Puppet Meetup, 23rd Feb 2016
    Stephen Wallace https://au.linkedin.com/in/stephenwallace @stphnwallace
  2. What do I do?
    • Help people (companies) stay relevant in a fast moving world
    • Build people, which builds teams. Collaborative Economy
    • Help enough people get what they want…
  3. What Are Roles & Profiles?
    • An area of confusion!
    • Role… business speak
    • Profile… tech stacks… think Lego
    • Classification… role only!
    • IT facilitates the business, right?
    • Quick peek at site.pp
  4. How can we apply a role?
    • /etc/puppetlabs/facter/facts.d/BLAH
    • export FACTER_role=thingo
    • custom fact to read a file
    • console
  5. Normal vs Trusted Facts
    • Normal facts are self-reported by the node, and nothing guarantees their accuracy.
    • Trusted facts are extracted from the node's certificate, which can prove that the CA checked and approved them.
    • The variable name $trusted is reserved, so local scopes cannot re-use it.
    • Useful for deciding whether a given node should receive sensitive data in its catalogue.
  6. Enabling & Using Trusted Facts
    $ sudo puppet config print trusted_node_data immutable_node_data --section master
    trusted_node_data = true
    immutable_node_data = true
    Example:
        if $trusted['extensions']['pp_image_name'] == 'storefront_production' {
          include private::storefront::private_keys
        }
    (*) If trusted facts are enabled, any cert extensions can be accessed in manifests as $trusted['extensions']['<EXTENSION OID>'].
    (*) OID / name mapping can be found here: https://docs.puppetlabs.com/puppet/latest/reference/config_file_csr_attributes.html
  7. What Other Practical Uses?
    • Embed a deployment key?
    • $trusted['extensions']['pp_role']?
  8. Setting Trusted Facts
    • Extra data for the CSR is read from the csr_attributes.yaml file in Puppet Agent's $confdir.
    • YAML hash containing one or both of the following keys:
      • custom_attributes
      • extension_requests
    • e.g.
        ---
        extension_requests:
          pp_preshared_key: banana
  9. Checking for the CSR OIDs
    • cd /etc/puppetlabs/puppet/ssl/ca/requests
    • openssl req -noout -text -in ip-172-31-35-224.ap-southeast-2.compute.internal.pem
    • Check out the attributes section:
        Attributes:
            Requested Extensions:
                1.3.6.1.4.1.34380.1.1.4: ..banana
                1.3.6.1.4.1.34380.1.1.13: ..webshop
    Cool bananas? :)
  10. Puppet Agent Workflow - Before
    • New agent generates certs, and submits CSR.
    • Puppet master / CA signs the cert, and the catalog is served.
    • Uses cert for auth ongoing.
  11. Puppet Agent Workflow - After
    • New agent generates CSR, reading in any additional attributes from the csr_attributes.yaml file in the Puppet agent's $confdir, and submits CSR.
    • Puppet master / CA signs the cert, optionally applying a (*) policy-based autosigning check first, and the catalog is served.
    • Uses cert for auth ongoing, and reads trusted facts when communicating with the Puppet master (PM).
  12. Policy Based Autosigning
    • puppet config set --section master autosign /usr/local/bin/autosign-psk.rb
    • Can be used for policy based autosigning
    • See autosign-psk.rb in appendix
  13. Further Reading
    • http://www.sebdangerfield.me.uk/2015/06/puppet-trusted-facts/
    • https://docs.puppetlabs.com/puppet/3.8/reference/ssl_attributes_extensions.html#recommended-oids-for-extensions
    • https://docs.puppetlabs.com/puppet/latest/reference/ssl_attributes_extensions.html
    • https://docs.puppetlabs.com/puppet/latest/reference/config_file_csr_attributes.html
    • https://docs.puppetlabs.com/puppet/latest/reference/lang_facts_and_builtin_vars.html#trusted-facts
  14. Appendix 1 - autosign-psk.rb
    #!/opt/puppetlabs/puppet/bin/ruby
    # Policy autosign script: Puppet runs it with the certname as ARGV[0] and
    # the PEM-encoded CSR on stdin. Exit status 0 signs the request; anything
    # else rejects it.
    require "openssl"
    include OpenSSL

    csr = OpenSSL::X509::Request.new($stdin.read)
    atts = csr.attributes
    if atts.empty?
      exit 1
    end

    key = nil
    atts.each do |a|
      next unless a.oid == "extReq"
      # extReq is a SET holding one SEQUENCE of [OID, OCTET STRING] pairs;
      # walk all of them rather than only the first.
      a.value.value.first.value.each do |ext|
        val = ext.value
        next unless val[0].value == "1.3.6.1.4.1.34380.1.1.4"   # pp_preshared_key
        raw = val[-1].value
        # The OCTET STRING wraps a DER-encoded string (the two leading bytes
        # shown as ".." by openssl on slide 9); decode it, falling back to
        # the raw bytes if it is not valid DER.
        key = begin
          OpenSSL::ASN1.decode(raw).value
        rescue OpenSSL::ASN1::ASN1Error
          raw
        end
        key = key.chomp
      end
    end

    if key == "banana"   # the expected pre-shared key is hard-coded in the script
      print "Match\n"
      exit 0
    else
      puts "The key in the CSR is #{key}, no match."   # echoes the submitted key into the master's log
      print "No match\n"
      exit 1
    end
  15. Thanks!
    • Stephen J Wallace
    • [email protected]
    • Follow for details of CD training event in May 2016 - @stphnwallace / @devopsdan
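The following Ruby is an added, stand-alone example (not the deck's autosign-psk.rb and not Puppet's own code) that ties slides 8, 9 and 12 together: it constructs a CSR carrying the extension_requests from csr_attributes.yaml, pulls every requested extension out by OID (what openssl shows on slide 9), and applies the pre-shared-key autosign policy without echoing the submitted key. The helper names build_csr, extension_requests and autosign? are my own, and the encoding used in build_csr (a DER UTF8String inside the OCTET STRING) is an assumption chosen to match the two non-printable bytes in the "..banana" output on slide 9.

```ruby
require "openssl"

# Puppet's registered OIDs for the two extension requests shown in the deck.
PP_PRESHARED_KEY_OID = "1.3.6.1.4.1.34380.1.1.4"   # pp_preshared_key
PP_ROLE_OID          = "1.3.6.1.4.1.34380.1.1.13"  # pp_role

# Return every requested extension in a PEM CSR as { dotted_oid => string }.
# Each OCTET STRING carries a DER-encoded string (the two non-printable bytes
# before "banana" in openssl's output); decode it, else keep the raw bytes.
def extension_requests(csr_pem)
  csr = OpenSSL::X509::Request.new(csr_pem)
  ext_req = csr.attributes.find { |a| a.oid == "extReq" }
  return {} unless ext_req
  ext_req.value.value.first.value.each_with_object({}) do |ext, out|
    octets = ext.value[-1].value        # last element: a critical flag may sit in between
    decoded = begin
      OpenSSL::ASN1.decode(octets).value
    rescue OpenSSL::ASN1::ASN1Error
      nil
    end
    out[ext.value[0].oid] = decoded.is_a?(String) ? decoded : octets
  end
end

# Policy decision for autosign: sign only if the CSR's pp_preshared_key equals
# the expected value. Constant-time compare; the submitted key is never logged.
def autosign?(csr_pem, expected_psk)
  submitted = extension_requests(csr_pem)[PP_PRESHARED_KEY_OID]
  return false if submitted.nil? || submitted.bytesize != expected_psk.bytesize
  submitted.bytes.zip(expected_psk.bytes).map { |a, b| a ^ b }.reduce(0, :|).zero?
end

# Constructed CSR with extension_requests, encoded as assumed above (hypothetical
# helper standing in for puppet agent reading csr_attributes.yaml).
def build_csr(certname, extensions)
  key = OpenSSL::PKey::RSA.new(2048)
  exts = extensions.map do |oid, value|
    OpenSSL::ASN1::Sequence.new([OpenSSL::ASN1::ObjectId.new(oid),
                                 OpenSSL::ASN1::OctetString.new(OpenSSL::ASN1::UTF8String.new(value).to_der)])
  end
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([["CN", certname]])
  csr.public_key = key
  csr.add_attribute(OpenSSL::X509::Attribute.new("extReq",
                    OpenSSL::ASN1::Set.new([OpenSSL::ASN1::Sequence.new(exts)])))
  csr.sign(key, OpenSSL::Digest.new("SHA256"))
  csr.to_pem
end
```

Feeding the generated PEM to `openssl req -noout -text` reproduces the "Requested Extensions" block from slide 9, so the same parsing path applies to a CSR waiting in ca/requests.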