Attached is a patch off of the 2.6 branch. It adds support for the agent having the certificates and keys managed externally to the puppet system.

This is done with a new terminus, named "External". This new terminus makes use of the current settings hostprivkey and hostpubkey. To activate the new terminus, the setting key_terminus = external should be set. This new setting defaults to file, so there are minimal code changes to the existing process paths. I have not made much use of the SSL layer, so any comments on this patch are appreciated.

-- bk
>From add83891f1cd986bf86cee4673fdc18a77c36e15 Mon Sep 17 00:00:00 2001 From: Bryan Kearney <[email protected]> Date: Fri, 9 Jul 2010 16:00:57 -0400 Subject: [PATCH] Add support for externally managed certificates. This is done via a new terminus which makes use of the hostprivkey and hostpubkey settings. This is activated with a ket_terminus setting. The default is to work as it does today, using hte key terminus --- lib/puppet/defaults.rb | 1 + lib/puppet/indirector/certificate/external.rb | 9 +++++++++ .../indirector/certificate_request/external.rb | 8 ++++++++ .../certificate_revocation_list/external.rb | 8 ++++++++ lib/puppet/indirector/key/external.rb | 18 ++++++++++++++++++ lib/puppet/ssl/certificate.rb | 2 +- lib/puppet/ssl/host.rb | 11 +++++++---- lib/puppet/ssl/key.rb | 2 +- 8 files changed, 53 insertions(+), 6 deletions(-) create mode 100644 lib/puppet/indirector/certificate/external.rb create mode 100644 lib/puppet/indirector/certificate_request/external.rb create mode 100644 lib/puppet/indirector/certificate_revocation_list/external.rb create mode 100644 lib/puppet/indirector/key/external.rb diff --git a/lib/puppet/defaults.rb b/lib/puppet/defaults.rb index 6ded3c0..f02b5a8 100644 --- a/lib/puppet/defaults.rb +++ b/lib/puppet/defaults.rb @@ -117,6 +117,7 @@ module Puppet huge numbers that can then not be fed back into the system. This is a hackish way to fail in a slightly more useful way when that happens."], :node_terminus => ["plain", "Where to find information about nodes."], + :key_terminus => ["file", "How an agent can store keys. 'file' is internally managed, 'external' is externally managed "], :catalog_terminus => ["compiler", "Where to get node catalogs. This is useful to change if, for instance, you'd like to pre-compile catalogs and store them in memcached or some other easily-accessed store."], :facts_terminus => ["facter", "Where to get node facts."], 
diff --git a/lib/puppet/indirector/certificate/external.rb b/lib/puppet/indirector/certificate/external.rb new file mode 100644 index 0000000..4e0fcff --- /dev/null +++ b/lib/puppet/indirector/certificate/external.rb @@ -0,0 +1,9 @@ +require 'puppet/indirector/ssl_file' +require 'puppet/ssl/certificate' + +class Puppet::SSL::Certificate::External < Puppet::Indirector::SslFile + desc "Use an externally managed Certificate" + + store_at :hostcert + store_ca_at :localcacert +end diff --git a/lib/puppet/indirector/certificate_request/external.rb b/lib/puppet/indirector/certificate_request/external.rb new file mode 100644 index 0000000..ba86ad1 --- /dev/null +++ b/lib/puppet/indirector/certificate_request/external.rb @@ -0,0 +1,8 @@ +require 'puppet/indirector/ssl_file' +require 'puppet/ssl/certificate_request' + +class Puppet::SSL::CertificateRequest::External< Puppet::Indirector::SslFile + desc "Manage the collection of certificate requests on disk." + + store_in :requestdir +end diff --git a/lib/puppet/indirector/certificate_revocation_list/external.rb b/lib/puppet/indirector/certificate_revocation_list/external.rb new file mode 100644 index 0000000..55338c5 --- /dev/null +++ b/lib/puppet/indirector/certificate_revocation_list/external.rb @@ -0,0 +1,8 @@ +require 'puppet/indirector/ssl_file' +require 'puppet/ssl/certificate_revocation_list' + +class Puppet::SSL::CertificateRevocationList::External < Puppet::Indirector::SslFile + desc "Manage the global certificate revocation list." + + store_at :hostcrl +end diff --git a/lib/puppet/indirector/key/external.rb b/lib/puppet/indirector/key/external.rb new file mode 100644 index 0000000..6468698 --- /dev/null +++ b/lib/puppet/indirector/key/external.rb 
@@ -0,0 +1,18 @@ +require 'puppet/indirector/ssl_file' +require 'puppet/ssl/key' + +class Puppet::SSL::Key::External < Puppet::Indirector::SslFile + desc "Use an external file as the source for the key." + + store_at :hostprivkey + + store_ca_at :cakey + + def public_key_path(name) + Puppet[:hostpubkey] + end + + def path(name) + Puppet[:hostprivkey] + end +end diff --git a/lib/puppet/ssl/certificate.rb b/lib/puppet/ssl/certificate.rb index f9297f3..284396c 100644 --- a/lib/puppet/ssl/certificate.rb +++ b/lib/puppet/ssl/certificate.rb @@ -10,7 +10,7 @@ class Puppet::SSL::Certificate < Puppet::SSL::Base wraps OpenSSL::X509::Certificate extend Puppet::Indirector - indirects :certificate, :terminus_class => :file + indirects :certificate, :terminus_class => :external # Convert a string into an instance. def self.from_s(string) diff --git a/lib/puppet/ssl/host.rb b/lib/puppet/ssl/host.rb index f367ada..4bb349f 100644 --- a/lib/puppet/ssl/host.rb +++ b/lib/puppet/ssl/host.rb @@ -43,6 +43,8 @@ class Puppet::SSL::Host # Configure how our various classes interact with their various terminuses. def self.configure_indirection(terminus, cache = nil) + terminus = Puppet[:key_terminus] if terminus == :default + cache = Puppet[:key_terminus] if cache == :default Certificate.terminus_class = terminus CertificateRequest.terminus_class = terminus CertificateRevocationList.terminus_class = terminus @@ -74,13 +76,13 @@ class Puppet::SSL::Host CA_MODES = { # Our ca is local, so we use it as the ultimate source of information # And we cache files locally. - :local => [:ca, :file], + :local => [:ca, :default], # We're a remote CA client. - :remote => [:rest, :file], + :remote => [:rest, :default], # We are the CA, so we don't have read/write access to the normal certificates. :only => [:ca], # We have no CA, so we just look in the local file store. - :none => [:file] + :none => [:default] } # Specify how we expect to interact with our certificate authority. 
@@ -191,7 +193,8 @@ class Puppet::SSL::Host def initialize(name = nil) @name = (name || Puppet[:certname]).downcase - @key = @certificate = @certificate_request = nil + @key = Key.find(name) + @certificate = @certificate_request = nil @ca = (name == self.class.ca_name) end diff --git a/lib/puppet/ssl/key.rb b/lib/puppet/ssl/key.rb index d91df03..792c6de 100644 --- a/lib/puppet/ssl/key.rb +++ b/lib/puppet/ssl/key.rb @@ -6,7 +6,7 @@ class Puppet::SSL::Key < Puppet::SSL::Base wraps OpenSSL::PKey::RSA extend Puppet::Indirector - indirects :key, :terminus_class => :file + indirects :key, :terminus_setting => :key_terminus # Because of how the format handler class is included, this # can't be in the base class. -- 1.6.6.1
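Review bot: the `:key_terminus` entry in the defaults.rb hunk understates what the setting controls and carries a trailing space inside the description string. Because `configure_indirection` in the host.rb hunk substitutes `Puppet[:key_terminus]` for `:default` and then assigns it to Certificate, CertificateRequest and CertificateRevocationList as well as Key, the description should say that it selects the terminus for all four, e.g. `"Which terminus the agent uses for its key, certificate, CSR and CRL; 'file' is managed by puppet, 'external' reads files managed outside puppet."`, and a name that is not key-specific (ssl_terminus or similar) would be worth settling before the setting becomes an interface.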
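Review bot: the new `Puppet::SSL::Certificate::External` terminus (and likewise the certificate_request and certificate_revocation_list External termini) is a verbatim copy of the existing File terminus: same `Puppet::Indirector::SslFile` parent, same `store_at :hostcert` / `store_ca_at :localcacert`, same behaviour, including `save`. As written it adds nothing over `:file` and will drift from it silently; inheriting from the File terminus (`class Puppet::SSL::Certificate::External < Puppet::SSL::Certificate::File`) and overriding only what differs would keep them in sync. Since the point of the setting is that these files are managed outside puppet, the External termini should probably also refuse to write (override `save` to raise), otherwise a certificate fetched via `:rest` and cached through `:default` under `:remote => [:rest, :default]` gets written straight into the externally managed hostcert. None of the four new files come with specs.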
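Review bot: style nit in the certificate_request hunk, `class Puppet::SSL::CertificateRequest::External< Puppet::Indirector::SslFile` is missing the space before `<`; the other three new classes have it.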
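Review bot: in the key/external.rb hunk the `path(name)` override returns `Puppet[:hostprivkey]` for every name, so the `store_ca_at :cakey` line above it is dead code, and `public_key_path(name)` ignores `name` the same way. On a host that is both CA and agent with `key_terminus = external`, a lookup for the CA key would therefore be answered with the host's private key, and a find for any other name would also silently return it. Either keep the CA branch (`return Puppet[:cakey] if name == Puppet::SSL::Host.ca_name` before falling through to hostprivkey) or drop `store_ca_at` and document the terminus as agent-only; in both cases raising when `name` is neither the CA name nor `Puppet[:certname]` is safer than returning the host key.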
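Review bot: the certificate.rb hunk hardcodes `:terminus_class => :external`, which flips the default for every caller that does not go through `configure_indirection`, contradicts the cover letter's statement that the setting defaults to file, and is inconsistent with the key.rb hunk, which correctly uses `:terminus_setting => :key_terminus`. Use `indirects :certificate, :terminus_setting => :key_terminus` here too, and consider the same for CertificateRequest and CertificateRevocationList, which the patch leaves at `:file`, so the one setting governs all four.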
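Review bot: in the `configure_indirection` hunk, `Puppet[:key_terminus]` yields a String ("file" or "external") whereas every other value flowing through `terminus` and `cache` is a Symbol (`:ca`, `:rest`, and the `:default` sentinel the hunk introduces); please confirm `terminus_class=` and `cache_class=` accept a String or convert with `.intern` at the substitution point. The `:only => [:ca]` mode is left untouched, which is fine, but a one-line comment on `CA_MODES` explaining that `:default` resolves to `Puppet[:key_terminus]` would save the next reader a trip to the method.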
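Review bot: the `initialize` hunk in host.rb replaces the lazy `@key = nil` with an eager `@key = Key.find(name)`, using the raw `name` argument rather than `@name`, which is the downcased value and falls back to `Puppet[:certname]` when no name is given; `Host.new` with no argument therefore calls `Key.find(nil)`. The eager find also makes every Host instantiation hit the terminus (disk, or REST in the `:remote` mode) where previously the key was loaded on first use. Dropping this change and relying on the existing `key` accessor, or at minimum `Key.find(@name)`, would preserve the current behaviour.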
