Commit
Create mco client config if also using sshkeyauth
Added support for sshkey client and server configuration. Changed the default value for server send_key to align with the sshkey module. This is because the setting both specifies and enables sending the public key. If you're using a static deployment method for key data, you may want to shuffle those around yourself in Puppet profile code. Fixed a syntax error and disabled resource enforcement on the public_key directory if you don't need it. Added new parameters to specify the user certificate and private keys as content instead of a source. This permits providing the data through Hiera rather than a file reference. Moving the private key declaration into the existing SSL section for now for clarity. There also appears to be an assumption that the CA for the user and the middleware are the same. Also went ahead and split the private key of the server into its own local file for middleware TLS communication so it doesn't require the SSL securityprovider plugin. Moved and added more to the client implementation. In the process, refactored to pull all client code away from a central definition to being user based. Added version selection for the sshkey required gem.

(+1 squashed commit) Squashed commits: [67133ae] Moved gem installation to init where it should have been. The file function gives an unhelpful error if given a file that doesn't exist on the Puppet master at compile time. Changed middleware SSL file names for clarity on what they contain. Provide an empty response when it asks for the passphrase.

(+1 squashed commit) Squashed commits: [fa93e7f] Add the option to regenerate the private key if it's not provided. Discovered you can't use both publickey_dir and known_hosts when it comes to the client.

Changed default for user pubkey_dir to avoid permissions issues with $mcollective::confdir. Variable interpolation inside class parameters can be inconsistent (PUP-1080). Add sshkey documentation. Puppet-lint cleanup. Preserve old behavior that the server's private key gets reused as the default user SSL private key. Attempt to fix tests. Fixed a bad syntax error I'd introduced. Yay tests! Added argument to tell Facter to load Puppet facts as well (Issue #262). Fixed autolayout puppet-lint error.

(+2 squashed commits) Squashed commits: [9587b06] moving around for more standard module layout [d428859] Fixing puppet-lint errors. Update test based on changes to middleware SSL key being renamed. Fixed the test again from copy/paste error.
Showing 22 changed files with 447 additions and 42 deletions.
@@ -0,0 +1,7 @@ | ||
# MCollective Sshkey Example # | ||
|
||
This directory is not a structurally correct example, but rather the essential code needed | ||
to demonstrate the use of the sshkey security provider in a dynamic key setup. It does | ||
assume a basic knowledge of both puppet and hiera. The example provided also uses hiera-eyaml | ||
to facilitate the deployment of the user sshkey private key, but this can be accomplished in | ||
many other ways as your environment dictates. |
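Review bot: the README does not list which files make up the example or mention that the sshkey security plugin must be obtained separately (the server profile's own comment points at https://github.com/puppetlabs/mcollective-sshkey-security and expects the `security` directory on the Puppet master's file server). Suggest a short list of the example's files (the node hieradata, the client and server profile classes) plus one sentence on that prerequisite, so a reader can apply the example without first reading the manifests. Minor: "It does assume" reads better as "It assumes".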
examples/sshkey_example/mco_profile/hieradata/client_node.yaml
@@ -0,0 +1,7 @@ | ||
mcollective::userconfigs: | ||
jsmith: | ||
group: 'wheel' | ||
private_key_content: ENC[PKCS7,MIIOHQYJKoZIhvcNAQc...snip...bSBN7XAvw=] | ||
bob: | ||
group: 'admins' | ||
private_key_content: ENC[PKCS7,ASDGADSIIFGHDFGNAQc...snip...bFKLAOXTW=] |
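Review bot: the `private_key_content` values place each user's SSH private key in Hiera, so every node that matches this hieradata file receives it; the file name `client_node.yaml` hints at node scoping, but nothing in the data says so. Suggest a leading comment that this data must stay scoped to the nodes where those users actually run the client, and that the `ENC[PKCS7,...]` values require the hiera-eyaml backend to be configured for this hierarchy level, since plain Hiera would hand the literal `ENC[...]` string to the `mcollective::user` resource as the key.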
@@ -0,0 +1,22 @@ | ||
--- | ||
mcollective::middleware_hosts: | ||
- 'middleware.domain.com' | ||
mcollective::middleware_user: 'mcollective' | ||
mcollective::middleware_password: ENC[PKCS7,MIIBuQYJKoZIh...snip...qn8NT9EkEJenQ==] | ||
mcollective::middleware_ssl_port: '61614' | ||
mcollective::middleware_ssl: true | ||
mcollective::middleware_admin_user: 'admin' | ||
mcollective::middleware_admin_password: ENC[PKCS7,MIIBeQYJKoZIh...snip...+AzSGTSq] | ||
mcollective::securityprovider: 'sshkey' | ||
# Adjusted for puppet 4 | ||
mcollective::confdir: '/etc/puppetlabs/mcollective' | ||
# Adjusted for puppet 4 | ||
mcollective::libdir: '/usr/local/libexec/mcollective:/usr/libexec/mcollective:/opt/puppetlabs/mcollective' | ||
# Reuse puppet ssl infrastructure for secure communications | ||
mcollective::middleware_ssl_cert: "/etc/puppetlabs/puppet/ssl/certs/%{::clientcert}.pem" | ||
mcollective::middleware_ssl_key: "/etc/puppetlabs/puppet/ssl/private_keys/%{::clientcert}.pem" | ||
mcollective::middleware_ssl_ca: "/etc/puppetlabs/puppet/ssl/certs/ca.pem" | ||
# Use the dynamic learning method for sshkey | ||
mcollective::sshkey_server_learn_public_keys: true | ||
mcollective::sshkey_server_overwrite_stored_keys: true | ||
mcollective::sshkey_server_send_key: '/etc/ssh/ssh_host_rsa_key.pub' |
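Review bot: `mcollective::sshkey_server_learn_public_keys: true` combined with `mcollective::sshkey_server_overwrite_stored_keys: true` means a key learned from a client is replaced by whatever a later request presents, so the stored keys never pin anything; the comment only says "Use the dynamic learning method". Suggest a comment stating that trade-off and recommending `mcollective::sshkey_server_overwrite_stored_keys: false` (or a populated `authorized_keys`) outside of test environments. Also, `mcollective::middleware_ssl_key` points straight at the agent's Puppet private key under `/etc/puppetlabs/puppet/ssl/private_keys/`; worth a comment that the mcollective daemon must be able to read that file and that the middleware TLS identity is then the same as the Puppet agent identity.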
@@ -0,0 +1,17 @@ | ||
# Installs Mcollective client code and deploys user credentials | ||
# This utilizes the dynamic sshkey deployment method | ||
# This also assumes that your client is going to be deployed | ||
# on the same system as your server code | ||
class mco_profile::client { | ||
$mcollective_users = hiera_hash('mcollective::userconfigs') | ||
|
||
# Set defaults for all mcollective::user resources | ||
Mcollective::User { | ||
sshkey_learn_public_keys => true, | ||
sshkey_overwrite_stored_keys => true, | ||
sshkey_enable_private_key => true, | ||
sshkey_enable_send_key => true, | ||
} | ||
# Refer to hiera documentation on merging if a more complex scenario is needed | ||
create_resources('mcollective::user',$mcollective_users) | ||
} |
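Review bot: `hiera_hash('mcollective::userconfigs')` has no default, so compilation fails on any node where the key is absent instead of managing zero users; suggest `hiera_hash('mcollective::userconfigs', {})`. The resource defaults block `Mcollective::User { ... }` is dynamically scoped, so it also applies to any `mcollective::user` declared in classes this class includes; passing the four `sshkey_*` values as the third (defaults) argument of `create_resources('mcollective::user', $mcollective_users, { ... })` keeps them local to this call and makes the intent explicit.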
@@ -0,0 +1,34 @@ | ||
# Installs mcollective server components and configuration | ||
class mco_profile::server ( | ||
$server_pubkey = '/etc/ssh/ssh_host_rsa_key.pub', | ||
$server_privkey = '/etc/ssh/ssh_host_rsa_key', | ||
) { | ||
# Validate the ssh keys for the server exist | ||
file { [$server_pubkey, $server_privkey]: | ||
ensure => 'file', | ||
before => Class['mcollective'], | ||
} | ||
|
||
# Install sshkey plugin | ||
# Requires you to have obtained the security directory from https://github.com/puppetlabs/mcollective-sshkey-security | ||
# and placed it on your puppetmaster's file server | ||
mcollective::plugin { 'sshkey': | ||
source => 'puppet:///modules/profile/mco/plugins/sshkey', | ||
} | ||
|
||
# Enable syslog output | ||
# mcollective::common::setting { 'use_syslog_logging': | ||
# setting => 'logger_type', | ||
# value => 'syslog', | ||
# order => '90', | ||
# } | ||
|
||
# Set syslog facility | ||
# mcollective::common::setting { 'use_syslog_logging_facility': | ||
# setting => 'logfacility', | ||
# value => 'user', | ||
# order => '90', | ||
# } | ||
|
||
include ::mcollective | ||
} |
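Review bot: the `file { [$server_pubkey, $server_privkey]: ensure => 'file' }` resource does not validate that the host keys exist, despite the comment; with `ensure => 'file'` and no content, Puppet creates an empty file where one is missing, so a node without an RSA host key silently gets an empty `/etc/ssh/ssh_host_rsa_key` and the sshkey provider only fails later at runtime. Either drop the resource, or check presence explicitly (a custom fact) and `fail()` with a clear message. Separately, the plugin source `puppet:///modules/profile/mco/plugins/sshkey` refers to a module named `profile` while this class lives in `mco_profile`; one of the two names is wrong. The commented-out syslog settings are dead code in an example and should be either enabled or removed.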
@@ -0,0 +1,7 @@ | ||
# MCollective SSL Example # | ||
|
||
This directory contains example business-logic level Puppet configuration to | ||
build a complete ssl-based infrastructure for MCollective. | ||
|
||
To show this example, a structurally correct module named "mco_profile" is | ||
rooted in this directory. |
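Review bot: now that this README sits in its own ssl example directory next to the new sshkey example, it should say in one sentence what distinguishes the two (SSL security provider with certificates here, sshkey provider with learned host keys there) and point readers at the sibling directory, otherwise the two READMEs read as unrelated.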
File renamed without changes.
@@ -0,0 +1,48 @@ | ||
# private class | ||
class mcollective::server::config::securityprovider::sshkey { | ||
if $caller_module_name != $module_name { | ||
fail("Use of private class ${name} by ${caller_module_name}") | ||
} | ||
|
||
if $mcollective::sshkey_server_learn_public_keys { | ||
# In the event the node is both a server and a client and they share a public key directory | ||
ensure_resource('file', $mcollective::sshkey_server_publickey_dir_real, { | ||
'ensure' => 'directory', | ||
'mode' => '0755', } | ||
) | ||
} | ||
|
||
# https://github.com/puppetlabs/mcollective-sshkey-security/blob/master/security/sshkey.rb | ||
|
||
mcollective::server::setting { 'plugin.sshkey.server.learn_public_keys': | ||
value => bool2num($mcollective::sshkey_server_learn_public_keys), | ||
} | ||
|
||
mcollective::server::setting { 'plugin.sshkey.server.overwrite_stored_keys': | ||
value => bool2num($mcollective::sshkey_server_overwrite_stored_keys), | ||
} | ||
|
||
if $mcollective::sshkey_server_publickey_dir_real { | ||
mcollective::server::setting { 'plugin.sshkey.server.publickey_dir': | ||
value => $mcollective::sshkey_server_publickey_dir_real, | ||
} | ||
} | ||
|
||
if $mcollective::sshkey_server_private_key { | ||
mcollective::server::setting { 'plugin.sshkey.server.private_key': | ||
value => $mcollective::sshkey_server_private_key, | ||
} | ||
} | ||
|
||
if $mcollective::sshkey_server_authorized_keys { | ||
mcollective::server::setting { 'plugin.sshkey.server.authorized_keys': | ||
value => $mcollective::sshkey_server_authorized_keys, | ||
} | ||
} | ||
|
||
if $mcollective::sshkey_server_send_key { | ||
mcollective::server::setting { 'plugin.sshkey.server.send_key': | ||
value => $mcollective::sshkey_server_send_key, | ||
} | ||
} | ||
} |
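Review bot: when `$mcollective::sshkey_server_learn_public_keys` is true but `$mcollective::sshkey_server_publickey_dir_real` is empty, the `ensure_resource('file', ...)` call gets an empty title and compilation fails with a file-path validation error, while the `plugin.sshkey.server.publickey_dir` setting further down is guarded on that same variable; suggest combining the two guards (learn enabled and directory set) or failing early with an explicit message. The directory is also created with `'mode' => '0755'` but no `owner`/`group`, so whoever already owns the path keeps write access to the learned keys; setting the owner explicitly makes the trust store's ownership deliberate. Finally, `plugin.sshkey.server.overwrite_stored_keys` is emitted unconditionally even when learning is off; harmless, but a one-line comment noting it has no effect in that case would avoid confusion.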