use trusted facts in site.pp

asked 2016-05-24 04:07:51 -0500


Hi,

I'm on Puppet 3.8.7 on the agent and master, with puppetdb-2.3.8 as the backend. I wanted to replace my static ENC in Hiera with trusted facts in the Puppet certificate.

I was following docs I found here:

https://docs.puppet.com/puppet/3.8/re...attributesextensions.html
http://www.sebdangerfield.me.uk/2015/...

But I think I'm missing something.

On the agent, I have a /etc/puppet/csr_attributes.yaml file with contents:

extension_requests:
  1.3.6.1.4.1.34380.1.2.100: role::networkmanagement::backupserver
  1.3.6.1.4.1.34380.1.2.101: networkmanagement
  1.3.6.1.4.1.34380.1.2.102: backupserver
  1.3.6.1.4.1.34380.1.2.110: home

On the master I have trusted facts enabled:

# puppet config print trusted_node_data --section master
true
# puppet config print immutable_node_data --section master
true

On the master, I see the OIDs encoded in the agents certificate, using puppet cert print ...

...
         X509v3 extensions:
             Netscape Comment: 
                 Puppet Ruby/OpenSSL Internal Certificate
             1.3.6.1.4.1.34380.1.2.100: 
                 role::networkmanagement::backupserver
             1.3.6.1.4.1.34380.1.2.101: 
                 networkmanagement
             1.3.6.1.4.1.34380.1.2.102: 
                backupserver
             1.3.6.1.4.1.34380.1.2.110: 
                 home
             X509v3 Key Usage: critical
                 Digital Signature, Key Encipherment

I have this in my site.pp (outside of any node statement)

$factsrole = $trusted['extensions']['1.3.6.1.4.1.34380.1.2.100']
notify { "role ${factsrole} trusted ${trusted}": }

And on a puppet agent --test run on the agent I get this printed out:

Notice: role  trusted {authenticated => remote, certname => my.cert.name, extensions => {}}

So I'm wondering why this extensions hash is empty; I expected it to have the extensions as contents.

Any cluebats appreciated ;)

cheers, Sebastian


1 Answer


answered 2016-05-25 01:36:45 -0500


updated 2016-05-25 02:01:30 -0500

answering myself:

after a debugging session, I came up with the following patch to puppet:

+--- lib/puppet/ssl/certificate.rb.orig Wed May 25 08:13:50 2016
++++ lib/puppet/ssl/certificate.rb      Wed May 25 08:14:35 2016
+@@ -60,6 +60,8 @@ DOC
+         Puppet::SSL::Oids.subtree_of?('ppPrivCertExt', ext.oid)
+     end
+ 
+-    custom_exts.map { |ext| {'oid' => ext.oid, 'value' => ext.value} }
++    extensions = []
++    custom_exts.map { |ext| extensions << {'oid' => ext.oid, 'value' => ext.value} }
++    return extensions
+   end
+ end
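Review bot: the `-`/`+` lines of this hunk are a no-op rewrite, so the patch cannot be what fixed anything. `custom_exts.map { |ext| {'oid' => ext.oid, 'value' => ext.value} }` already returns the array of hashes as the method's last expression; the replacement pushes the same hashes into `extensions` from inside the `map` block (throwing away `map`'s own result) and then returns that array, which is the identical value. If a block is only kept for its side effect it should be `each`, not `map`, but the better move is to drop the hunk entirely: since `custom_extensions` returns the same thing before and after, the difference between running `puppet master` directly and running it behind unicorn (described below) has to come from what reaches this method, i.e. the client certificate the front end hands to Puppet in each setup, and that is where the debugging should go.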

I run on OpenBSD, where ruby 2.2.5 is used; is that some kind of incompatibility?

But this only seems to help when I run 'puppet master', which I did for debugging the problem. Running the puppet master behind Ruby unicorn, the extensions are still not propagated.

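As an added example (not code from the question, the answer, or Puppet itself), here is a stand-alone Ruby script that does, outside Puppet, what `Puppet::SSL::Certificate#custom_extensions` is expected to do when it fills `$trusted['extensions']`. It builds a throwaway self-signed certificate carrying the same four OIDs as the csr_attributes.yaml in the question (constructed sample data, not the real agent cert), then walks the X509v3 extensions, keeps only those under Puppet's registered (1.3.6.1.4.1.34380.1.1) and private (1.3.6.1.4.1.34380.1.2) arcs, and decodes each value through ASN.1 instead of trusting OpenSSL's pretty-printer. A cert with no such extensions yields `{}`, which is exactly the empty hash the notify above printed. The helper names `build_sample_cert`, `trusted_extensions`, `subtree_of?` and `decode_ext_value` are this example's own, not Puppet's.

```ruby
require 'openssl'

# Puppet's OID arcs for CSR extension_requests: the registered arc (pp_uuid,
# pp_role, ...) and the private arc used for site-specific numeric OIDs such as
# 1.3.6.1.4.1.34380.1.2.100 in the question. (Constants are this example's own.)
PP_REG_CERT_EXT  = '1.3.6.1.4.1.34380.1.1'.freeze
PP_PRIV_CERT_EXT = '1.3.6.1.4.1.34380.1.2'.freeze

# Constructed sample data mirroring the csr_attributes.yaml in the question.
SAMPLE_EXTENSIONS = {
  '1.3.6.1.4.1.34380.1.2.100' => 'role::networkmanagement::backupserver',
  '1.3.6.1.4.1.34380.1.2.101' => 'networkmanagement',
  '1.3.6.1.4.1.34380.1.2.102' => 'backupserver',
  '1.3.6.1.4.1.34380.1.2.110' => 'home',
}.freeze

# True when +oid+ is +parent+ itself or lies anywhere beneath it.
def subtree_of?(parent, oid)
  oid == parent || oid.start_with?("#{parent}.")
end

# Build a throwaway self-signed certificate carrying +extensions+ (OID => string)
# as X509v3 extensions, the way a signed agent cert carries its CSR attributes.
# Each value is DER-encoded as a UTF8String and placed in the extension's
# extnValue OCTET STRING. Hypothetical helper, for the demo only.
def build_sample_cert(extensions, certname = 'my.cert.name')
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2 # X509v3
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{certname}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600

  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature,keyEncipherment', true))
  extensions.each do |oid, value|
    # Arbitrary numeric OIDs are unknown to the ExtensionFactory, so build the
    # extension by hand from its DER value.
    der = OpenSSL::ASN1::UTF8String.new(value).to_der
    cert.add_extension(OpenSSL::X509::Extension.new(oid, der, false))
  end
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Turn the raw extnValue bytes into a Ruby string. Values written by this
# script are a DER UTF8String; if the bytes are not DER at all (a bare string
# written by some other tool), fall back to the raw bytes rather than failing.
def decode_ext_value(octets)
  inner = OpenSSL::ASN1.decode(octets)
  inner.value.is_a?(String) ? inner.value : octets
rescue OpenSSL::ASN1::ASN1Error
  octets
end

# Extract the trusted-fact extensions from a certificate as {oid => value}.
# Returns {} when the cert carries none under either Puppet arc, which is what
# an empty $trusted['extensions'] looks like.
def trusted_extensions(cert)
  cert.extensions.each_with_object({}) do |ext, acc|
    next unless subtree_of?(PP_REG_CERT_EXT, ext.oid) || subtree_of?(PP_PRIV_CERT_EXT, ext.oid)
    # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
    octets = OpenSSL::ASN1.decode(ext.to_der).value.last.value
    acc[ext.oid] = decode_ext_value(octets)
  end
end

if $PROGRAM_NAME == __FILE__
  trusted_extensions(build_sample_cert(SAMPLE_EXTENSIONS)).each { |oid, value| puts "#{oid}: #{value}" }
  p trusted_extensions(build_sample_cert({})) # => {}
end
```

To run the same extraction against a real agent cert on the master, replace the constructed cert with `OpenSSL::X509::Certificate.new(File.read(path))`, where path is the signed cert for that certname under the master's ssldir (`puppet config print ssldir --section master`). If the hash comes back populated from the on-disk cert but `$trusted['extensions']` is still empty during a catalog run behind unicorn, the certificate is fine and the thing to check is how (or whether) the client certificate is handed from the front end to Puppet in that deployment.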
