Cloudy with a Chance of Fireballs: Provisioning and Certificate Management in Puppet - PuppetConf...
2014
Presented by
Cloudy with a chance of Fireballs
Managing Trusted Instances in the Cloud
Eric Sorenson [email protected]

Agenda:
- What's the problem?
- Why you might care
- End to End Overview
- Walkthrough w/ AWS
- Related work
What's the problem?
What’s the REAL problem?
Why you might care
+-------------------------------+      +-----------+
|                               |      |           |
|        Amazon EC2 API         <------+provisioner|
+---------------------^---------+      +-----------+
                      |
+-------+      +------+---------+
|       |      |                |
| node1 +------> puppetmaster   |
+-------+      +----------------+
Follow along at home: https://github.com/ahpook/mrzarquon-certsigner/tree/eric0-wip
+----------------------------+      Prerequisites:
|                            |      - Puppetmaster w/IAM credentials
|       Amazon EC2 API       | <--+   and autosign policy configured
|                            |    |
|                            |    +-- AMI with user-data install or
+----------------------------+        preloaded agent+ec2-utils, IAM policy
                                      permitting query tags
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1411031868000",
      "Effect": "Allow",
      "Action": [ "ec2:DescribeTags" ],
      "Resource": [ "*" ]
    }
  ]
}
+----------------------------+
|                            |
|       Amazon EC2 API       |
|                            |
+------^---------------------+
       |
+------+------+
|             |           Your provisioning node requests
| Provisioner | <-------+ some new instances using that image,
|             |           tagging them w/ role: 'webserver'
+-------------+
[vagrant@deglitch ~]$ puppet node_aws --trace --debug create -i ami-37713107 --region=us-west-2 --instance-tags=role=webserver --type=t1.micro --keyname=certsigner --security-group=webservers
Debug: Runtime environment: puppet_version=3.6.2 (Puppet Enterprise 3.4.0-rc1-790-gf96f634), ruby_version=1.9.3, run_mode=user, default_encoding=UTF-8
Info: Connecting to AWS us-west-2 ... Done
Info: Instance Type: t1.micro
Notice: Creating new instance ... Done
Info: Instance identifier: i-abc8f0a6
Notice: Creating tags for instance ...
Info: Creating tag for Created-By ... Done
Info: Creating tag for role ... Done
Notice: Creating tags for instance ... Done
Notice: Launching server i-abc8f0a6 ... #####
Notice: Server i-abc8f0a6 is now launched
Notice: Server i-abc8f0a6 public dns name: ec2-54-68-132-30.us-west-2.compute.amazonaws.com
+---------------------------------+
|                                 |
| Amazon EC2 + using your image   |
|                                 |    EC2 builds your instances,
+----+-----------+-----------+----+    running the user-data script
     |           |           |         which drops instance-specific
     |           |           |         metadata into csr_attributes.yaml
 +---v---+   +---v---+   +---v---+                  +
 |       |   |       |   |       |                  |
 | node1 |   | node2 |   | node3 | <----------------+
 +-------+   +-------+   +-------+
+-------------------------------+
|                               |      Each node generates a CSR which
|        Amazon EC2 API         |      embeds the metadata as requested
+---------------------^---------+      attributes and submits it to the
                      |                puppetmaster, which checks the
+-------+      +------+---------+      instance-ID against EC2 to verify
|       |      |                |      it came from a valid instance.
| node1 +------> puppetmaster   |
+-------+      +----------------+
+-------------------------------+
|                               |      If the API is OK, the puppetmaster
|        Amazon EC2 API         |      signs the CSR, moving the tags,
+---------------------+---------+      instance-id and any other metadata in
                      |                whitelisted extension requests
+-------+      +------v---------+      inside the signed certificate. The
|       |      |                |      signed cert is retrieved by the node
| node1 <------+ puppetmaster   |      and normal Puppet runs can begin.
+-------+      +----------------+
openssl x509 -noout -text -in /var/lib/puppet/ssl/ca/signed/i-f3cef5fe.pem
[ ... tons of crap trimmed ... ]
        X509v3 extensions:
            Netscape Comment:
                Puppet Ruby/OpenSSL Internal Certificate
            1.3.6.1.4.1.34380.1.1.5: webserver
            1.3.6.1.4.1.34380.1.1.3: ami-37713107
            1.3.6.1.4.1.34380.1.1.2: i-f3cef5fe
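The check the two diagrams above describe, as an added Ruby example (it is not code from the mrzarquon-certsigner module): a policy routine reads the CSR, pulls the Puppet extension requests out of the extReq attribute, and signs only if the certname is the claimed instance id, EC2 knows that instance, and the instance's 'role' tag matches the role the CSR asks for. The describe_tags callable and DESCRIBE_TAGS hash are constructed stand-ins for an ec2:DescribeTags response, and mapping 1.3.6.1.4.1.34380.1.1.5 to 'role' is an assumption based on the cert output shown above.

```ruby
require 'openssl'

# pp_instance_id and pp_image_name are Puppet's registered OIDs; the 'role'
# mapping for 1.1.5 is an assumption taken from this deck's cert output.
PP_OIDS = { '1.3.6.1.4.1.34380.1.1.2' => 'pp_instance_id',
            '1.3.6.1.4.1.34380.1.1.3' => 'pp_image_name',
            '1.3.6.1.4.1.34380.1.1.5' => 'role' }.freeze

# Decode the CSR's extReq attribute into { name_or_oid => utf8 value }.
def extension_requests(csr)
  attr = csr.attributes.find { |a| a.oid == 'extReq' }
  return {} unless attr
  attr.value.value.first.value.each_with_object({}) do |ext, h|
    oid   = ext.value.first.oid            # ObjectId -> dotted string
    octet = ext.value.last.value           # OCTET STRING holding a DER UTF8String
    h[PP_OIDS.fetch(oid, oid)] = OpenSSL::ASN1.decode(octet).value
  end
end

# Policy decision (true = sign). describe_tags is a callable standing in for
# ec2:DescribeTags: it returns { tag => value } for an instance id, else nil.
def autosign?(csr_pem, describe_tags)
  csr = OpenSSL::X509::Request.new(csr_pem)
  return false unless csr.verify(csr.public_key)       # corrupt or tampered CSR
  ext      = extension_requests(csr)
  certname = csr.subject.to_a.assoc('CN')&.at(1)
  instance = ext['pp_instance_id']
  return false unless instance && certname == instance # certname must be the instance id
  tags = describe_tags.call(instance)
  return false if tags.nil?                            # no such instance in EC2
  tags['role'] == ext['role']                          # CSR cannot claim a different role
end

# Build a CSR the way the agent does from csr_attributes.yaml extension_requests.
def build_csr(certname, ext_values, key = OpenSSL::PKey::RSA.new(2048))
  exts = ext_values.map do |oid, v|
    OpenSSL::X509::Extension.new(oid, OpenSSL::ASN1::UTF8String.new(v).to_der, false)
  end
  req = OpenSSL::X509::Request.new
  req.version    = 0
  req.subject    = OpenSSL::X509::Name.new([['CN', certname]])
  req.public_key = key.public_key
  ext_req = OpenSSL::ASN1::Set([OpenSSL::ASN1::Sequence(exts)])
  req.add_attribute(OpenSSL::X509::Attribute.new('extReq', ext_req))
  req.sign(key, OpenSSL::Digest::SHA256.new).to_pem
end

# Constructed sample of what DescribeTags returns for the instance in this deck.
DESCRIBE_TAGS = { 'i-f3cef5fe' => { 'role' => 'webserver', 'Created-By' => 'puppet' } }.freeze
LOOKUP = ->(id) { DESCRIBE_TAGS[id] }
```

In a real deployment the routine would run as the master's autosign policy executable, reading the CSR from stdin and exiting 0 to sign or 1 to reject.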
+-------+      +----------------+      When the node checks in, the extensions
|       |      |                |      will be available under the '$trusted'
| node1 +------> puppetmaster   |      top-scope hash for classification,
+-------+      +----------------+      manifests, etc.

# puppet.conf
[master]
trusted_node_data = true
immutable_node_data = true
## site.pp
node default {
  notify { "trusted_data":
    message => inline_template("<%= scope.lookupvar('trusted').inspect %>")
  }
}

## agent output
Notice: /Stage[main]/Main/Node[default]/Notify[trusted_data]/message: defined 'message' as '{"certname"=>"i-f3cef5fe", "authenticated"=>"remote", "extensions"=>{"pp_instance_id"=>"i-f3cef5fe", "pp_image_name"=>"ami-37713107", "1.3.6.1.4.1.34380.1.1.5"=>"webserver"}}'
Related and future work!
Signing policy for AWS: mrzarquon-certsigner
Signing policy for GCE: puppetlabs-gce_compute
Signing policy for in-house CMDBs?
Puppet Enterprise Node Manager
Photo/Link Credits
CERN - http://www.slideshare.net/gmccance/cern-data-centre-evolution
Google maps screenshot of Apple Data Center - fair use, with attribution inline Imagery (c) 2014 Google
NSA HQ, fort meade - "National Security Agency headquarters, Fort Meade, Maryland" by Unknown - http://www.nsa.gov/about/photo_gallery/gallery.shtml. Licensed under Public domain via Wikimedia Commons - http://commons.wikimedia.org/wiki/File:National_Security_Agency_headquarters,_Fort_Meade,_Maryland.jpg#mediaviewer/File:National_Security_Agency_headquarters,_Fort_Meade,_Maryland.jpg
Bitcoin mining rigs from buttcoin.org http://buttcoin.org/mining-rigs-3
“Cloud City at Sunset” http://balsavor.deviantart.com/art/The-Falcon-escapes-Cloud-city-143511722
Han and Lando
Mario Fireball - from http://www.giantbomb.com/fireball/3055-120/
© Yorkberlin | Dreamstime.com - Sorceress With Fireball Photo