Puppet Roles & Profiles Using Trusted Facts.
1. Roles, Profiles & Trusted Facts!
Puppet Meetup, 23rd Feb 2016
Stephen Wallace
https://au.linkedin.com/in/stephenwallace
@stphnwallace
2. Who am I?
Devops contractor
Home brewer
Connector of people (3000+)
3. What do I do?
• Help people (companies) stay relevant in a fast moving world
• Build people, which builds teams. Collaborative Economy
• Help enough people get what they want…
4. What Are Roles & Profiles?
• An area of confusion!
• Role….business speak
• Profile….tech stacks…think Lego
• Classification….role only!
• IT facilitates the business, right?
• Quick peek at site.pp
5. How can we apply a role?
• /etc/puppetlabs/facter/facts.d/BLAH
• export FACTER_role=thingo
• custom fact to read a file
• console
6. Do you want this flexibility in production?!
export FACTER_role=whatever
7. Normal vs Trusted Facts
• Normal facts are self-reported by the node, and nothing guarantees their accuracy.
• Trusted facts are extracted from the node’s certificate, which can prove that the CA checked and approved them.
• The variable name $trusted is reserved, so local scopes cannot re-use it.
• Useful for deciding whether a given node should receive sensitive data in its catalogue.
8. Enabling & Using Trusted Facts
$ sudo puppet config print trusted_node_data immutable_node_data --section master
trusted_node_data = true
immutable_node_data = true
Example:
  if $trusted['extensions']['pp_image_name'] == 'storefront_production' {
    include private::storefront::private_keys
  }
(*) If trusted facts are enabled, any cert extensions can be accessed in manifests as $trusted['extensions']['<EXTENSION OID>'].
(*) OID / name mapping can be found here - https://docs.puppetlabs.com/puppet/latest/reference/config_file_csr_attributes.html
9. What Other Practical Uses?
• Embed a deployment key ?
• $trusted['extensions']['pp_role'] ?
10. Setting Trusted Facts
• Extra data for the CSR is read from the csr_attributes.yaml file in Puppet Agent’s $confdir.
• YAML hash containing one or both of the following keys:
  • custom_attributes
  • extension_requests
• e.g.
  ---
  extension_requests:
    pp_preshared_key: banana
11. Checking for the CSR OIDs
• cd /etc/puppetlabs/puppet/ssl/ca/requests
• openssl req -noout -text -in ip-172-31-35-224.ap-southeast-2.compute.internal.pem
• Check out the attributes section
  Attributes:
    Requested Extensions:
      1.3.6.1.4.1.34380.1.1.4:
        ..banana
      1.3.6.1.4.1.34380.1.1.13:
        ..webshop
Cool bananas? :)
12. Puppet Agent Workflow - Before
• New agent generates certs, and submits CSR.
• Puppet master / CA signs the cert, and the catalog is served.
• Uses cert for auth ongoing.
13. Puppet Agent Workflow - After
• New agent generates CSR reading in any additional attributes from the csr_attributes.yaml file in the Puppet agent’s $confdir, and submits CSR.
• Puppet master / CA signs the cert with the option for (*)auto-signing policy, and the catalog is served.
• Uses cert for auth ongoing, and reads trusted facts when communicating with the PM
14. Policy Based Autosigning
• puppet config set --section master autosign /usr/local/bin/autosign-psk.rb
• Can be used for policy based autosigning
• See autosign-psk.rb in appendix
19. Appendix 1 - autosign-psk.rb
#!/opt/puppetlabs/puppet/bin/ruby
# Policy autosign script: Puppet passes the certname as ARGV[0] and the
# PEM CSR on stdin; exit 0 means "sign", any other status means "refuse".
require "openssl"

csr = OpenSSL::X509::Request.new($stdin.read)
atts = csr.attributes
if atts.empty?
  exit 1
end

key = nil
atts.each do |a|
  if a.oid == "extReq"
    # extReq value is SET -> SEQUENCE OF Extension -> [OID, OCTET STRING];
    # walk every requested extension rather than only the first one.
    a.value.value.first.value.each do |ext|
      next unless ext.value.first.oid == "1.3.6.1.4.1.34380.1.1.4"  # pp_preshared_key
      raw = ext.value.last.value
      # The agent wraps the value as a DER UTF8String inside the OCTET STRING
      # (the ".." before "banana" in the openssl output); unwrap it if so.
      key = begin
        OpenSSL::ASN1.decode(raw).value
      rescue OpenSSL::ASN1::ASN1Error
        raw
      end.chomp
    end
  end
end

if key == "banana"
  print "Match\n"
  exit 0
else
  puts "The key in the CSR is #{key}, no match."
  print "No match\n"
  exit 1
end
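Added example (not from the slides or from Puppet's own code): a Ruby round-trip that builds a CSR carrying the two extension OIDs shown above the way csr_attributes.yaml does, then walks the extReq attribute as an autosign policy script like autosign-psk.rb must, unwrapping the value and checking both the pre-shared key and the requested role against an allow-list. The UTF8String wrapping of the value, the KNOWN_ROLES list and the build_csr / csr_extension_requests / autosign? names are assumptions made for this example.

```ruby
require "openssl"
# Puppet's OID arc for CSR extension requests (both OIDs appear on the slides).
PP_PRESHARED_KEY_OID = "1.3.6.1.4.1.34380.1.1.4"
PP_ROLE_OID          = "1.3.6.1.4.1.34380.1.1.13"
KNOWN_ROLES = %w[webshop storefront].freeze   # constructed allow-list of roles
# Build a CSR carrying extension_requests as Puppet agent does from csr_attributes.yaml:
# each value is wrapped as a DER UTF8String inside the extension's OCTET STRING (assumed
# encoding; those two header bytes are the ".." before "banana" in the slide's openssl output).
def build_csr(certname, extension_requests, key)
  exts = extension_requests.map do |oid, value|
    OpenSSL::X509::Extension.new(oid, OpenSSL::ASN1::UTF8String.new(value).to_der, false)
  end
  ext_req = OpenSSL::ASN1::Set.new([OpenSSL::ASN1::Sequence.new(exts)])
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([["CN", certname]])
  csr.public_key = key.public_key
  csr.add_attribute(OpenSSL::X509::Attribute.new("extReq", ext_req))
  csr.sign(key, OpenSSL::Digest::SHA256.new)
  csr
end

# Walk the extReq attribute as a policy autosign script must: Attribute -> SET ->
# SEQUENCE OF Extension -> [OID, OCTET STRING]. Returns {dotted_oid => string}; the raw
# OCTET STRING is "\x0C\x06banana", so comparing it straight to "banana" would fail.
def csr_extension_requests(csr)
  requests = {}
  csr.attributes.each do |attr|
    next unless attr.oid == "extReq"
    attr.value.value.first.value.each do |ext|
      oid = ext.value.first.oid            # dotted form even for unregistered OIDs
      octets = ext.value.last.value
      requests[oid] = begin
        OpenSSL::ASN1.decode(octets).value # unwrap the UTF8String
      rescue OpenSSL::ASN1::ASN1Error
        octets                             # tolerate a bare value
      end
    end
  end
  requests
end

# Autosign decision (exit 0 / 1 in a real script): PSK must match and the role must be allow-listed.
def autosign?(pem, expected_psk)
  csr = OpenSSL::X509::Request.new(pem)
  return false unless csr.verify(csr.public_key)   # CSR self-signature intact
  reqs = csr_extension_requests(csr)
  reqs[PP_PRESHARED_KEY_OID] == expected_psk && KNOWN_ROLES.include?(reqs[PP_ROLE_OID])
end
```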
20. Thanks!
• Stephen J Wallace
• whizbang.wallace@gmail.com
• Follow for details of CD training event in May 2016 - @stphnwallace / @devopsdan