A critical aspect of any Puppet deployment is deciding how nodes are allowed to get their certificates signed by the Puppet master. Before we delve into policy-based autosigning we'll discuss the other three methods for managing certificate signing.
Manual
Naive
Basic Autosigning
Now that we’ve gone over the other three methods let’s go over policy based autosigning. Policy based autosigning utilizes a script that can be written in any language supported by the puppet master to validate some piece of information in the certificate request. This could be something as simple as a shell script to validate a challenge password against a file with a static list or as complex as reaching out to multiple external systems to validate. This adds additional security to our signing process as we’re challenging our node to provide additional information before signing a certificate.
Now that we understand the goal and purpose of policy based autosigning we’ll jump into how we can use VMware vRealize Automation 7 as our validation source.
Overview
First we’ll cover how the entire process works from a high level.
Request catalog item
Trigger vRO workflow
The agent presents its request for signing
The policy-based autosigning script is run against the certificate request
Configure Puppet
Let’s start by adding our autosigning script to our puppet master, we’ll place it in “/etc/puppetlabs/puppet”. The script can be downloaded from github using the link below.
https://github.com/martezr/puppet-vra7-autosign/blob/master/vrapolicysign.rb
We need to make our script executable and ensure it is accessible by the user that Puppet is running as.
Puppet Enterprise
chmod +x vrapolicysign.rb && chown pe-puppet:pe-puppet vrapolicysign.rb
Puppet Open Source
chmod +x vrapolicysign.rb && chown puppet:puppet vrapolicysign.rb
With our script in place we now need to add our connection for our vRA7 instance. We’ll add the “vrapolicyconfig.yaml” config file to the puppet master in the same location as our autosign script.
grtvra7:
  url: https://cloudportal.grt.local
  username: [email protected]
  password: P@$$w0rd
  tenant: vsphere.local
connection name: An arbitrary name for the connection
url: The url of the vRA7 instance
username: username of an account with credentials to query the system for all VMs in the tenant
password: password for the account
tenant: tenant to query
The script supports multiple connection entries, but this has not been tested to ensure proper functionality.
Now that we’ve configured our connection information we just need to add our script to our Puppet config file and then restart the Puppet server service in order to start using policy based autosigning.
Add the following entry to the “[master]” section of the puppet.conf configuration file on the Puppet master.
autosign = $confdir/vrapolicysign.rb
Restart the puppet server service.
Puppet Enterprise
systemctl restart pe-puppetserver
Puppet Open Source
systemctl restart puppetserver
With everything in place we’re ready to provision a new machine and have Puppet automatically sign the node’s certificate.
The script also has a logging mechanism that outputs the results of incoming requests in the “vrapolicylog.json” log file in the “/etc/puppetlabs/puppet/ssl” directory.
{"status":"success","certname":"engineering0141.grt.local","uuid":"afcd55a3-20ea-47cf-90cc-8bbb6c6d5324"}
{"status":"success","certname":"engineering0154.grt.local","uuid":"dd3b798f-d7c5-434f-8e0e-2df9cacea6e0"}
{"status":"success","certname":"engineering0155.grt.local","uuid":"db30bec4-858d-4f46-bb6b-b64c0670a3ac"}
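To make the script contract concrete, here is an added example of a policy-based autosign script in Ruby; it is not the vrapolicysign.rb from the repository above. It assumes a hypothetical lookup that stands in for the vRA7 query, and a policy (assumed for this example) that the CSR's challenge password must equal the VM UUID vRA7 reports; the UUID in the constructed inventory is the one from the first log line above.

```ruby
# Added example of a policy-based autosign script (not the page's vrapolicysign.rb):
# Puppet passes the certname as ARGV[0] and the PEM CSR on stdin; exit 0 signs it.
require 'openssl'
require 'json'
CHALLENGE_OID = 'challengePassword' # PKCS#9 attribute the agent can embed in its CSR
# Constructed stand-in for the vRA7 query (the real script calls the vRA7 API);
# the UUID is the one shown in the page's example log line.
VRA_INVENTORY = { 'engineering0141.grt.local' => 'afcd55a3-20ea-47cf-90cc-8bbb6c6d5324' }.freeze

# Extract the challengePassword attribute from a parsed CSR, nil if absent.
def challenge_password(csr)
  attr = csr.attributes.find { |a| a.oid == CHALLENGE_OID }
  attr && attr.value.value.first.value
end
# Policy assumed for this example: CSR signature valid, CN equals certname, the node
# exists in vRA7, and the challenge password equals the VM UUID vRA7 reports.
def decide(certname, csr_pem, lookup)
  csr = OpenSSL::X509::Request.new(csr_pem)
  entry = csr.subject.to_a.find { |name, _value, _type| name == 'CN' }
  uuid = lookup.call(certname)
  reason = if !csr.verify(csr.public_key) then 'bad CSR signature'
           elsif entry.nil? || entry[1] != certname then 'CN does not match certname'
           elsif uuid.nil? then 'no such VM in vRA7'
           elsif challenge_password(csr) != uuid then 'challenge password mismatch'
           end
  { status: reason ? 'rejected' : 'success', certname: certname, uuid: uuid, reason: reason }
end

# Build a constructed CSR so the policy can be exercised offline.
def build_csr(cn, challenge)
  key = OpenSSL::PKey::RSA.new(2048)
  req = OpenSSL::X509::Request.new
  req.subject = OpenSSL::X509::Name.new([['CN', cn]])
  req.public_key = key.public_key
  value = OpenSSL::ASN1::Set.new([OpenSSL::ASN1::UTF8String.new(challenge)])
  req.add_attribute(OpenSSL::X509::Attribute.new(CHALLENGE_OID, value))
  req.sign(key, OpenSSL::Digest.new('SHA256'))
  req.to_pem
end

if ARGV.length == 1 # invoked by puppetserver: decide, log as JSON, signal via exit status
  result = decide(ARGV[0], $stdin.read, ->(n) { VRA_INVENTORY[n] })
  File.open('/etc/puppetlabs/puppet/ssl/vrapolicylog.json', 'a') { |f| f.puts(result.to_json) }
  exit(result[:status] == 'success' ? 0 : 1)
else # run by hand: one CSR that satisfies the policy and one that does not
  host = 'engineering0141.grt.local'
  [VRA_INVENTORY[host], 'wrong-password'].each do |pw|
    puts decide(host, build_csr(host, pw), ->(n) { VRA_INVENTORY[n] }).to_json
  end
end
```

Every rejection carries a reason in the JSON line, so the log file distinguishes an unknown VM from a bad challenge password when you review failed requests.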
Puppet
https://docs.puppet.com/puppet/latest/ssl_autosign.html