Vaidas Jablonskis
2012-Nov-06 13:29 UTC
[Puppet Users] How do you manage SSL/TLS certificates and private keys?
Hi People,

I would like some insight from you on how to easily manage SSL certs/keys.

My puppet infrastructure is pretty straightforward: puppet3+puppetdb+hiera+hiera-gpg.

I am in the process of writing tons of modules, which are pretty general modules with no hardcoded dependencies between them. As I am going forward with building modules and stuff I came across an issue: how to manage SSL certs.

Let me give you an example scenario:
I have a node named "node.example.com" which gets some apps configured by puppet by 3 different modules, let's call them app1, app2 and app3. Those applications require SSL certificates to function properly. The CN of the cert needs to reflect the hostname of the node.

What options do I have here? In my opinion I could:

1. Use hiera text blocks and store certs/keys in hiera/hiera-gpg in a variable something like "ssl_cert_node.example.com" and "ssl_key_node.example.com" and then reference this variable inside a module using variables so nothing is hardcoded.
2. Build an SSL module which would distribute certs/keys taken from hiera/hiera-gpg.

Any other ideas? I do not want to use module dependencies and I hate hardcoding stuff into modules.

Thanks,
Vaidas

-- 
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/Eu4HaYd8-AQJ.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Matt Zagrabelny
2012-Nov-06 15:28 UTC
Re: [Puppet Users] How do you manage SSL/TLS certificates and private keys?
On Tue, Nov 6, 2012 at 7:29 AM, Vaidas Jablonskis <jablonskis@gmail.com> wrote:
> Hi People,
>
> I would like some insight from you on how to easily manage SSL certs/keys.
>
> My puppet infrastructure is pretty straight forward:
> puppet3+puppetdb+hiera+hiera-gpg.
>
> I am in the process of writing tons of modules, which are pretty general
> modules with no hardcoded dependencies between them. As I am going forward
> with building modules and stuff I came across an issue how to manage SSL
> certs.
>
> Let me give you an example scenario:
> I have a node named "node.example.com" which gets some apps configured by
> puppet by 3 different modules, let's call them app1, app2 and app3. Those
> application require SSL certificates to function properly. The CN of the
> cert needs to reflect the hostname of the node.
>
> What options do I have here? From my opinion I could:
>
> 1. Use hiera text blocks and store certs/keys in hiera/hiera-gpg in a
> variable something like: "ssl_cert_node.example.com" and
> "ssl_key_node.example.com" and then reference this variable inside a module
> using variables so nothing is hardcoded.
> 2. Build an SSL module which would distribute certs/keys taken from
> hiera/hiera-gpg.
>
> Any other ideas? I do not want to use module dependencies and I hate
> hardcoding stuff into modules.

I use the "private" area in the puppet file server.

$ cat /etc/puppet/fileserver.conf
[private]
  path /etc/puppet/private/%h
  allow *

For example:

file { "/etc/ssh/ssh_host_dsa_key":
  mode    => 0600,
  source  => "puppet:///private/etc/ssh/ssh_host_dsa_key",
  require => Class["ssh::install"],
  notify  => Service["ssh"],
}

-mz
Vaidas Jablonskis
2012-Nov-06 16:00 UTC
Re: [Puppet Users] How do you manage SSL/TLS certificates and private keys?
That would work if I didn't want to have everything under version control. I guess the only option for storing certs/keys I have is hiera-gpg with yaml or some other backend.

I am still trying to figure out what should distribute certs/keys - is it a separate module or the app module itself? What would be the best practice in this case?

Thanks

On Tuesday, 6 November 2012 15:28:39 UTC, Matt Zagrabelny wrote:
> On Tue, Nov 6, 2012 at 7:29 AM, Vaidas Jablonskis <jablo...@gmail.com> wrote:
> > Hi People,
> >
> > I would like some insight from you on how to easily manage SSL certs/keys.
> >
> > My puppet infrastructure is pretty straight forward:
> > puppet3+puppetdb+hiera+hiera-gpg.
> >
> > I am in the process of writing tons of modules, which are pretty general
> > modules with no hardcoded dependencies between them. As I am going forward
> > with building modules and stuff I came across an issue how to manage SSL
> > certs.
> >
> > Let me give you an example scenario:
> > I have a node named "node.example.com" which gets some apps configured by
> > puppet by 3 different modules, let's call them app1, app2 and app3. Those
> > application require SSL certificates to function properly. The CN of the
> > cert needs to reflect the hostname of the node.
> >
> > What options do I have here? From my opinion I could:
> >
> > 1. Use hiera text blocks and store certs/keys in hiera/hiera-gpg in a
> > variable something like: "ssl_cert_node.example.com" and
> > "ssl_key_node.example.com" and then reference this variable inside a module
> > using variables so nothing is hardcoded.
> > 2. Build an SSL module which would distribute certs/keys taken from
> > hiera/hiera-gpg.
> >
> > Any other ideas? I do not want to use module dependencies and I hate
> > hardcoding stuff into modules.
>
> I use the "private" area in the puppet file server.
>
> $ cat /etc/puppet/fileserver.conf
> [private]
>   path /etc/puppet/private/%h
>   allow *
>
> For example:
>
> file { "/etc/ssh/ssh_host_dsa_key":
>   mode    => 0600,
>   source  => "puppet:///private/etc/ssh/ssh_host_dsa_key",
>   require => Class["ssh::install"],
>   notify  => Service["ssh"],
> }
>
> -mz

-- 
To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/bY_e4y4_qYcJ.
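Vaidas's option 2, written out as an added example (editor's code, not anything posted in this thread): a small `ssl` module whose defined type pulls the node's cert and key out of hiera/hiera-gpg and installs them with the permissions a private key needs, so each app module only has to declare `ssl::cert { 'app1': }` and never has to know about app2 or app3. The hiera key names (`ssl_cert_<fqdn>`, `ssl_key_<fqdn>`) follow Vaidas's option 1; the module name, the `/etc/ssl/private` path, the `app1` class and service name, and the Puppet 3 syntax are assumptions.

```puppet
# Added example, not from the thread. Assumes Puppet 3 and a hiera-gpg
# encrypted data source holding, for every node, two block scalars:
#
#   ssl_cert_node.example.com: |
#     -----BEGIN CERTIFICATE-----
#     ...
#   ssl_key_node.example.com: |
#     -----BEGIN RSA PRIVATE KEY-----
#     ...

# modules/ssl/manifests/init.pp
class ssl (
  $ssl_dir = '/etc/ssl/private',   # assumed location; root-only directory
) {
  file { $ssl_dir:
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '0750',
  }
}

# modules/ssl/manifests/cert.pp
# Installs the cert/key pair for $fqdn under a file name chosen by the
# caller, so several app modules can each ask for their own copy without
# colliding on a resource title or depending on each other.
define ssl::cert (
  $fqdn  = $::fqdn,
  $owner = 'root',
  $group = 'root',
) {
  include ssl

  # hiera() with no default raises a compile error when the key is missing,
  # so a node with no cert in hiera fails the catalog instead of getting an
  # empty key file.
  $cert = hiera("ssl_cert_${fqdn}")
  $key  = hiera("ssl_key_${fqdn}")

  file { "${ssl::ssl_dir}/${name}.crt":
    ensure  => file,
    owner   => $owner,
    group   => $group,
    mode    => '0644',
    content => $cert,
    require => File[$ssl::ssl_dir],
  }

  file { "${ssl::ssl_dir}/${name}.key":
    ensure    => file,
    owner     => $owner,
    group     => $group,
    mode      => '0600',
    content   => $key,
    backup    => false,   # keep the old key out of the filebucket
    show_diff => false,   # keep the key out of reports and agent logs
    require   => File[$ssl::ssl_dir],
  }
}

# modules/app1/manifests/init.pp (assumed app module)
class app1 {
  ssl::cert { 'app1': }

  # ... app1's own config points at /etc/ssl/private/app1.crt and app1.key

  service { 'app1':
    ensure    => running,
    subscribe => Ssl::Cert['app1'],   # restart when the cert or key changes
  }
}
```

Two things worth checking before a cert/key pair goes into the encrypted hiera file: that the cert's CN (or SAN) really is the node's `$::fqdn`, since that is the lookup key, and that the key matches the cert (`openssl x509 -noout -modulus` against `openssl rsa -noout -modulus`). Also note that `content =>` puts the decrypted key into the compiled catalog, which the agent caches on disk under its client data directory; that cache is root-only, but it is one more place the key lives, which Matt's `source =>` approach avoids.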