Recomendados
Más contenido relacionado
La actualidad más candente
La actualidad más candente (20)
Similar a Hashitalks 2021 - How the Dynamic Duo of Vault and Puppet Tame SSL Certificates
Similar a Hashitalks 2021 - How the Dynamic Duo of Vault and Puppet Tame SSL Certificates (20)
Último
Último (20)
Hashitalks 2021 - How the Dynamic Duo of Vault and Puppet Tame SSL Certificates
- 1. How the Dynamic Duo of Vault and Puppet Tame SSL Certificates
- 3. Self Signed Verification Flow Server Client App/Browser CA public Web Server priv pub 2. Pub Key 1. Hello 3. Verify PUB KEY DOESN’T MATCH CA NO TRUST!
- 4. Proper SSL Verification Flow Server Client App/Browser CA public Web Server priv pub 2. Pub Key 1. Hello 3. Verify PUB KEY MATCHES ONE OF THE CAs TRUSTED!
- 5. PKI Old School Root CA Linux Windows Root Root Public Private Public Private Apache / Nginx IIS CSR CSR Public Public CSR CSR Manually Copy Manually Copy Sign Sign Manually Copy Manually Copy Manually Copy Client Client Root Root Root
- 6. Villains •Painful signed certs •Oprah – self signed certs for everyone •No trust •Disable validation •MITM Attacks •Renewal and Expiration •Security tickets
- 7. Call For Help •Security • Centrally signed with CA • Validation enabled • Strong ciphers •DevOps • Auto renewal • Cross-platform • Integrated with services
- 8. •Configuration Management •Distribution •encore/vault module •vault_cert {} •github.com/EncoreTechnologies/puppet-vault Justice HashiCorp Vault Puppet •PKI Secrets Engine •REST API
- 9. PKI with Vault + Puppet (vault_cert) Root CA Vault CA Puppet Server Root Vault Sign Intermediate CA Copy Copy Copy Linux Windows Root Vault Root Vault Public Private Public Private Apache / Nginx IIS Client Root Vault Client Root Vault
- 10. Check Expiration Check Revocation Revoke old Create New Write to filesystem Bounce service vault_cert run
- 11. vault_cert { ‘synapse’: cert_dir => '/etc/pki/tls/certs’ priv_key_dir => '/etc/pki/tls/private’ notify => Service[‘nginx’], } nginx::resource::server { ‘synapse’: ssl_port => 443, ssl => true, ssl_cert => '/etc/pki/tls/certs/synapse.crt', ssl_key => '/etc/pki/tls/private/ synapse.key’, } Linux Linux Public Private Nginx Vault CA CSR Cert & Key Write to Filesystem Reload Service
- 12. Puppet 101
- 13. Windows problem • Certs in cert store have a path • Cert:LocalMachineMy<UNIQUE-THUMBPRINT> • Cert:LocalMachineMyABC1234 • Thumbprints are unique • Thumbprints = hash of cert content • Services bind to cert path • relies on Thumbprint
- 14. vault_cert { ‘chocolatey’: cert_dir => 'Cert:LocalMachineMy’ notify => Service[‘iis’], } iis_binding { ‘chocolatey’: binding_info => { certificatestore => ‘Cert:LocalMachineMy’ certificatehash => WHAT DO I PUT HERE????, }, } Windows Manifest PROBLEM: Puppet can’t output data from a resource
- 15. Windows solution – Use a function! • Functions run on the server • Function calls Vault API • Embed certificate in Catalog • Path to certificate is known at compile time
- 16. $cert_output = vault::cert(...args...) vault_cert { ‘chocolatey’: cert => $cert_output['cert’], priv_key => $cert_output['priv_key’], } iis_binding { ‘chocolatey’: binding_info => { certificatehash => $cert_output['thumbprint'], }, } Windows solution Vault CA Windows Public Private IIS 2. CSR 4. Embed in Catalog 7. Write to Cert Store Puppet Server 1. Facts 3. Cert & Key 5. Catalog 6. Agent 8. Bind and reload IIS
- 17. Windows “machine cert” profile class profile::machine_cert { $data = vault::cert(args) vault_cert { $trusted['certname’]: cert => $data['cert’], priv_key => $data['priv_key’], } } ######################### class { ‘winrm’: certificate_hash => $profile::machine_cert::data['thumbprint'], } iis_binding { ‘chocolatey’: binding_info => { certificatehash => $profile::machine_cert::data['thumbprint’], } }
- 18. CA Cert Manifest Linux class profile::ca (Hash $certs) { class { 'trusted_ca': } create_resources('trusted_ca::ca’, $certs) } profile::ca::certs: vault.domain.tld: content: | -----BEGIN CERTIFICATE----- xxx -----END CERTIFICATE----- Hiera (YAML Config Data) Puppet Server Root Vault Linux Root Vault puppet/trusted_ca 1. Facts 2. Compile 3. Hiera 4. Catalog 5. Apply 6. Write to Filesystem
- 19. CA Certs on Windows file { 'C:/ProgramData/Puppetlabs/ca_certs': ensure => directory, } # root certs go into Cert:/LocalMachine/Root $certs.each |$name, $data| { file { "C:/ProgramData/Puppetlabs/ca_certs/${name}.crt": ensure => file, content => $data['content'], } $cert_details = vault::cert_details($data['content']) sslcertificate { "${name}.crt": location => 'C:ProgramDataPuppetlabsca_certs', thumbprint => $cert_details['thumbprint'], store_dir => 'Root', interstore => true, } Puppet Master Root Vault Windows Root Vault puppet/sslcertificate 3. Catalog 1. Facts 2. Compile 5. Write to Cert Store 4. Agent
- 20. Vault + Puppet = Dynamic Duo •Every server has a cert (500+) •CA distributed Cross Platform •Services bound to certs •Certs auto-renew (30d) •Services auto-refreshed •Validation enabled
- 21. Future •DevOps for HPC •GPU Algorithms •C++ •Heavily Optimized Software
Notas del editor
- Show lock link
- - Landscape? - Ohio in middle of the Brown Field - - Windows - 2008 - 2012 - 2016 - Linux - RHEL 6 & 7 - Ubuntu 14.04, 16.04, 18.04
- - Parts - CA Cert - Server public / private keys - Signing infrastructure
- - Security - More often (weekly) - Faster (1 day or less) - Reports of available patches - - DevOps - HA groups - Customizable workflows - Cross-platform - Windows Update + Chocolatey
- - Built on bolt - - Open source for community - - Eat our own dogfood - - Forge
- - Parts - CA Cert - Server public / private keys - Signing infrastructure
- - Available updates - Create snapshot - Pre - app shutdowns - Update - Post - Reboot - Delete snapshot
- - Inventory YAML on the left - - Result on the right - - Puts data into a array - - Sorted by patching order - - If multiple inventory groups with same patching_order, result in one group - - Allows inventory to be defined by different dimension, say application
- - Show screenshot of cert paths in powershell
- - Show screenshot of cert paths in powershell
- - Inventory YAML on the left - - Result on the right - - Puts data into a array - - Sorted by patching order - - If multiple inventory groups with same patching_order, result in one group - - Allows inventory to be defined by different dimension, say application
- - Windows - Choco upagrade all : EASY - Special snowflake windows update - Scheduled task - RHEL - yum update - Ubuntu - apt-get dist-upgrade
- - Opinionated workflow - - Uses all of the components we just talked about - - Customizable / pluggable - vars - dynamic dispatch - - Super easy way to get started - - Fully expect people to make their own workflows
- - Opinionated workflow - - Uses all of the components we just talked about - - Customizable / pluggable - vars - dynamic dispatch - - Super easy way to get started - - Fully expect people to make their own workflows
- - Opinionated workflow - - Uses all of the components we just talked about - - Customizable / pluggable - vars - dynamic dispatch - - Super easy way to get started - - Fully expect people to make their own workflows
- - Opinionated workflow - - Uses all of the components we just talked about - - Customizable / pluggable - vars - dynamic dispatch - - Super easy way to get started - - Fully expect people to make their own workflows
- - 500+ Vms - 6x internal and customer environments - - 1 engineer - < 1 day - - Every week - dev = latest - prod = dev from week before
- - Monitoring - SolarWinds - Prometheus - - Reporting - - Notifications - email - Slack - - ServiceNow change integration - - Inventory from Satellite, WSUS, AD, IPA, Vmware, ServiceNow - - More workflows - Network patching - Vmware patching
- - Thanks! - - Build a patching community - - Twitter, github - - Puppet slack #puppetize-pdx