Attached is a patch off of the 2.6 branch. It adds support for the
agent having the certificates and keys managed externally to the puppet
system.
This is done with a new terminus, named "External". This new terminus
makes use of the current settings hostprivkey and hostpubkey. To
activate the new terminus, the setting:
key_terminus = external
should be set. This new setting defaults to file, so there are minimal
code changes to the existing process paths.
I have not made much use of the SSL layer, so any comments on this patch
are appreciated.
-- bk
From add83891f1cd986bf86cee4673fdc18a77c36e15 Mon Sep 17 00:00:00 2001
From: Bryan Kearney <[email protected]>
Date: Fri, 9 Jul 2010 16:00:57 -0400
Subject: [PATCH] Add support for externally managed certificates. This is done via a new terminus which makes use of the hostprivkey and hostpubkey settings. This is activated with a key_terminus setting. The default is to work as it does today, using the key terminus
---
lib/puppet/defaults.rb | 1 +
lib/puppet/indirector/certificate/external.rb | 9 +++++++++
.../indirector/certificate_request/external.rb | 8 ++++++++
.../certificate_revocation_list/external.rb | 8 ++++++++
lib/puppet/indirector/key/external.rb | 18 ++++++++++++++++++
lib/puppet/ssl/certificate.rb | 2 +-
lib/puppet/ssl/host.rb | 11 +++++++----
lib/puppet/ssl/key.rb | 2 +-
8 files changed, 53 insertions(+), 6 deletions(-)
create mode 100644 lib/puppet/indirector/certificate/external.rb
create mode 100644 lib/puppet/indirector/certificate_request/external.rb
create mode 100644 lib/puppet/indirector/certificate_revocation_list/external.rb
create mode 100644 lib/puppet/indirector/key/external.rb
diff --git a/lib/puppet/defaults.rb b/lib/puppet/defaults.rb
index 6ded3c0..f02b5a8 100644
--- a/lib/puppet/defaults.rb
+++ b/lib/puppet/defaults.rb
@@ -117,6 +117,7 @@ module Puppet
huge numbers that can then not be fed back into the system. This is a hackish way to fail in a
slightly more useful way when that happens."],
:node_terminus => ["plain", "Where to find information about nodes."],
+ :key_terminus => ["file", "How an agent can store keys. 'file' is internally managed, 'external' is externally managed "],
:catalog_terminus => ["compiler", "Where to get node catalogs. This is useful to change if, for instance,
you'd like to pre-compile catalogs and store them in memcached or some other easily-accessed store."],
:facts_terminus => ["facter", "Where to get node facts."],
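Review bot: the description of `:key_terminus` is narrower than what the setting actually does, and it has a stray trailing space inside the string. As wired up in the host.rb hunk the value is substituted for the certificate, certificate_request and certificate_revocation_list termini as well, not only "how an agent can store keys". Suggest something like `:key_terminus => ["file", "Where the agent's SSL keys and certificates come from. 'file' means Puppet manages them itself; 'external' means they are managed outside Puppet and read from hostprivkey/hostpubkey."]` so that the `hostprivkey`/`hostpubkey` dependency is documented next to the switch that enables it.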
diff --git a/lib/puppet/indirector/certificate/external.rb b/lib/puppet/indirector/certificate/external.rb
new file mode 100644
index 0000000..4e0fcff
--- /dev/null
+++ b/lib/puppet/indirector/certificate/external.rb
@@ -0,0 +1,9 @@
+require 'puppet/indirector/ssl_file'
+require 'puppet/ssl/certificate'
+
+class Puppet::SSL::Certificate::External < Puppet::Indirector::SslFile
+ desc "Use an externally managed Certificate"
+
+ store_at :hostcert
+ store_ca_at :localcacert
+end
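Review bot: this terminus is behaviourally identical to the existing file terminus (same `store_at :hostcert` / `store_ca_at :localcacert`, same `SslFile` base), so nothing here stops Puppet from writing a newly issued certificate over the externally managed one. If "externally managed" means Puppet must treat the certificate as read-only, override `save` in this class to raise (or at least warn) instead of inheriting the `SslFile` write path, and state that in the `desc`.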
diff --git a/lib/puppet/indirector/certificate_request/external.rb b/lib/puppet/indirector/certificate_request/external.rb
new file mode 100644
index 0000000..ba86ad1
--- /dev/null
+++ b/lib/puppet/indirector/certificate_request/external.rb
@@ -0,0 +1,8 @@
+require 'puppet/indirector/ssl_file'
+require 'puppet/ssl/certificate_request'
+
+class Puppet::SSL::CertificateRequest::External< Puppet::Indirector::SslFile
+ desc "Manage the collection of certificate requests on disk."
+
+ store_in :requestdir
+end
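Review bot: missing space before `<` in `class Puppet::SSL::CertificateRequest::External< Puppet::Indirector::SslFile`, and the `desc` ("Manage the collection of certificate requests on disk.") is copied verbatim from the file terminus, so documentation output cannot tell the two apart. More importantly, when keys and certificates are issued outside Puppet the agent should not be generating CSRs at all; consider whether this terminus should refuse `save` rather than silently storing requests under `:requestdir`.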
diff --git a/lib/puppet/indirector/certificate_revocation_list/external.rb b/lib/puppet/indirector/certificate_revocation_list/external.rb
new file mode 100644
index 0000000..55338c5
--- /dev/null
+++ b/lib/puppet/indirector/certificate_revocation_list/external.rb
@@ -0,0 +1,8 @@
+require 'puppet/indirector/ssl_file'
+require 'puppet/ssl/certificate_revocation_list'
+
+class Puppet::SSL::CertificateRevocationList::External < Puppet::Indirector::SslFile
+ desc "Manage the global certificate revocation list."
+
+ store_at :hostcrl
+end
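Review bot: the `desc` and `store_at :hostcrl` are identical to the file terminus, so this class exists only so that `key_terminus = external` resolves for the certificate_revocation_list indirection. If the external PKI is also expected to supply the CRL at `:hostcrl`, say so in the `desc`; otherwise consider subclassing the existing file terminus for this and the other two `External` classes so they cannot drift from it.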
diff --git a/lib/puppet/indirector/key/external.rb b/lib/puppet/indirector/key/external.rb
new file mode 100644
index 0000000..6468698
--- /dev/null
+++ b/lib/puppet/indirector/key/external.rb
@@ -0,0 +1,18 @@
+require 'puppet/indirector/ssl_file'
+require 'puppet/ssl/key'
+
+class Puppet::SSL::Key::External < Puppet::Indirector::SslFile
+ desc "Use an external file as the source for the key."
+
+ store_at :hostprivkey
+
+ store_ca_at :cakey
+
+ def public_key_path(name)
+ Puppet[:hostpubkey]
+ end
+
+ def path(name)
+ Puppet[:hostprivkey]
+ end
+end
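Review bot: `store_ca_at :cakey` is dead here, because `path(name)` is overridden to return `Puppet[:hostprivkey]` unconditionally, so the CA branch of `SslFile`'s path logic is never reached. That same override ignores `name`, so `Key.find` for any name, including the CA name, hands back the agent's private key; `public_key_path(name)` has the same problem. Either drop `store_ca_at` and document that this terminus serves only the host's own key, or keep a `name` check and raise for anything other than the host's certname.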
diff --git a/lib/puppet/ssl/certificate.rb b/lib/puppet/ssl/certificate.rb
index f9297f3..284396c 100644
--- a/lib/puppet/ssl/certificate.rb
+++ b/lib/puppet/ssl/certificate.rb
@@ -10,7 +10,7 @@ class Puppet::SSL::Certificate < Puppet::SSL::Base
wraps OpenSSL::X509::Certificate
extend Puppet::Indirector
- indirects :certificate, :terminus_class => :file
+ indirects :certificate, :terminus_class => :external
# Convert a string into an instance.
def self.from_s(string)
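Review bot: `:terminus_class => :external` changes the default certificate terminus for every process that never calls `Puppet::SSL::Host.configure_indirection`, which contradicts the cover letter's statement that the default stays `file`, and it is inconsistent with the key.rb hunk, which uses `:terminus_setting => :key_terminus`. Use `indirects :certificate, :terminus_setting => :key_terminus` here too, or leave this line at `:file`.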
diff --git a/lib/puppet/ssl/host.rb b/lib/puppet/ssl/host.rb
index f367ada..4bb349f 100644
--- a/lib/puppet/ssl/host.rb
+++ b/lib/puppet/ssl/host.rb
@@ -43,6 +43,8 @@ class Puppet::SSL::Host
# Configure how our various classes interact with their various terminuses.
def self.configure_indirection(terminus, cache = nil)
+ terminus = Puppet[:key_terminus] if terminus == :default
+ cache = Puppet[:key_terminus] if cache == :default
Certificate.terminus_class = terminus
CertificateRequest.terminus_class = terminus
CertificateRevocationList.terminus_class = terminus
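Review bot: `Puppet[:key_terminus]` yields the String `"file"` or `"external"`, whereas every other value this method receives is a Symbol (`:ca`, `:rest`, `:file`); confirm that `terminus_class=` accepts a String, or write `terminus = Puppet[:key_terminus].to_sym if terminus == :default` (and likewise for `cache`). A one-line comment explaining that `:default` is a sentinel resolved from the setting would also help, since the substitution happens before the Certificate/CertificateRequest/CertificateRevocationList assignments and so affects all of them, not just keys.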
@@ -74,13 +76,13 @@ class Puppet::SSL::Host
CA_MODES = {
# Our ca is local, so we use it as the ultimate source of information
# And we cache files locally.
- :local => [:ca, :file],
+ :local => [:ca, :default],
# We're a remote CA client.
- :remote => [:rest, :file],
+ :remote => [:rest, :default],
# We are the CA, so we don't have read/write access to the normal certificates.
:only => [:ca],
# We have no CA, so we just look in the local file store.
- :none => [:file]
+ :none => [:default]
}
# Specify how we expect to interact with our certificate authority.
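Review bot: `:default` is a new sentinel that only `configure_indirection` knows how to resolve, and the comments in `CA_MODES` still say "we cache files locally" and "look in the local file store", which is no longer accurate once `key_terminus = external`. Update those comments and note beside the hash that `:default` is replaced by `Puppet[:key_terminus]`; also consider whether `:local` should really allow an externally managed terminus to act as the cache for a local CA's own certificates.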
@@ -191,7 +193,8 @@ class Puppet::SSL::Host
def initialize(name = nil)
@name = (name || Puppet[:certname]).downcase
- @key = @certificate = @certificate_request = nil
+ @key = Key.find(name)
+ @certificate = @certificate_request = nil
@ca = (name == self.class.ca_name)
end
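Review bot: `@key = Key.find(name)` uses the raw constructor argument rather than `@name`, so it is called with `nil` when no name is passed and with a non-downcased name otherwise, diverging from the `@name = (name || Puppet[:certname]).downcase` line just above; use `Key.find(@name)`. Making the lookup eager in `initialize` also means every `Host.new` hits the key terminus; if the class already exposes a lazily loading `key` accessor, this change is unnecessary and the original `@key = nil` should stay.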
diff --git a/lib/puppet/ssl/key.rb b/lib/puppet/ssl/key.rb
index d91df03..792c6de 100644
--- a/lib/puppet/ssl/key.rb
+++ b/lib/puppet/ssl/key.rb
@@ -6,7 +6,7 @@ class Puppet::SSL::Key < Puppet::SSL::Base
wraps OpenSSL::PKey::RSA
extend Puppet::Indirector
- indirects :key, :terminus_class => :file
+ indirects :key, :terminus_setting => :key_terminus
# Because of how the format handler class is included, this
# can't be in the base class.
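Review bot: `:terminus_setting => :key_terminus` is the right mechanism, since it keeps the `file` default declared in defaults.rb, but the certificate.rb hunk hardcodes `:terminus_class => :external` instead; both indirections should use the same mechanism. The diffstat shows no spec changes, so please add a test that `Puppet::SSL::Key.indirection.terminus_class` resolves to `:external` when `Puppet[:key_terminus] = "external"`, which is the one new path nothing currently exercises.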
--
1.6.6.1