On 07/09/2010 04:05 PM, Bryan Kearney wrote:
Attached is a patch off of the 2.6 branch. It adds support for the
agent having the certificates and keys managed externally to the puppet
system.

This is done with a new terminus, named "External". This new terminus
makes use of the current settings hostprivkey and hostpubkey. To
activate the new terminus, the setting:

key_terminus = external

should be set. This new setting defaults to file, so there are minimal
code changes to the existing process paths.

I have not made much use of the SSL layer, so any comments on this patch
are appreciated.

-- bk


Updated the patch based on RC2. Would this be worthwhile in the 0.25.X branch as well?

-- bk
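An added check (not part of the patch or of Puppet itself) for the setup described above: with `key_terminus = external` the agent reads its private key from `hostprivkey` and its public key from `hostpubkey` as two separate files, so an operator managing them outside puppet can verify that the two files really are one RSA pair before pointing the agent at them. The file names are constructed for the example.

```ruby
# Added example: verify that the two externally managed files an agent would
# use as hostprivkey and hostpubkey hold the same RSA key pair.
require 'openssl'
require 'tmpdir'

# Returns true when the PEM public key at pub_path is the public half of the
# PEM private key at priv_path; raises when either file is the wrong kind.
def matching_keypair?(priv_path, pub_path)
  priv = OpenSSL::PKey::RSA.new(File.read(priv_path))
  pub  = OpenSSL::PKey::RSA.new(File.read(pub_path))
  raise "#{priv_path} holds no private key" unless priv.private?
  raise "#{pub_path} must not contain a private key" if pub.private?
  # Same modulus and exponent means same key: compare the DER encoding of
  # the private key's public half with the public key file.
  priv.public_key.to_der == pub.to_der
end

# Constructed sample: two fresh keys in a temp dir standing in for the
# agent's hostprivkey/hostpubkey paths, one matching public file and one
# that belongs to a different key.
def demo
  Dir.mktmpdir do |dir|
    agent_key = OpenSSL::PKey::RSA.new(2048)
    other_key = OpenSSL::PKey::RSA.new(2048)
    priv    = File.join(dir, 'agent.pem')        # would be hostprivkey
    pub_ok  = File.join(dir, 'agent.pub.pem')    # would be hostpubkey
    pub_bad = File.join(dir, 'other.pub.pem')    # wrong public key
    File.write(priv, agent_key.to_pem)
    File.write(pub_ok, agent_key.public_key.to_pem)
    File.write(pub_bad, other_key.public_key.to_pem)
    [matching_keypair?(priv, pub_ok), matching_keypair?(priv, pub_bad)]
  end
end

puts demo.inspect if __FILE__ == $0
```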


From a7ed0de957e2d884c7835d2e2f3c6232a020c8a5 Mon Sep 17 00:00:00 2001
From: Bryan Kearney <[email protected]>
Date: Fri, 9 Jul 2010 16:00:57 -0400
Subject: [PATCH] Add support for externally managed certificates. This is done via a new terminus which makes use of the hostprivkey and hostpubkey settings. This is activated with a key_terminus setting. The default is to work as it does today, using the key terminus

---
 lib/puppet/defaults.rb                             |    1 +
 lib/puppet/indirector/certificate/external.rb      |    9 +++++++++
 .../indirector/certificate_request/external.rb     |    8 ++++++++
 .../certificate_revocation_list/external.rb        |    8 ++++++++
 lib/puppet/indirector/key/external.rb              |   18 ++++++++++++++++++
 lib/puppet/ssl/host.rb                             |   11 +++++++----
 lib/puppet/ssl/key.rb                              |    2 +-
 7 files changed, 52 insertions(+), 5 deletions(-)
 create mode 100644 lib/puppet/indirector/certificate/external.rb
 create mode 100644 lib/puppet/indirector/certificate_request/external.rb
 create mode 100644 lib/puppet/indirector/certificate_revocation_list/external.rb
 create mode 100644 lib/puppet/indirector/key/external.rb

diff --git a/lib/puppet/defaults.rb b/lib/puppet/defaults.rb
index 0af40f2..bdaec5d 100644
--- a/lib/puppet/defaults.rb
+++ b/lib/puppet/defaults.rb
@@ -112,6 +112,7 @@ module Puppet
       huge numbers that can then not be fed back into the system.  This is a hackish way to fail in a
       slightly more useful way when that happens."],
     :node_terminus => ["plain", "Where to find information about nodes."],
+    :key_terminus => ["file", "How an agent can store keys. 'file' is internally managed, 'external' is externally managed "],
     :catalog_terminus => ["compiler", "Where to get node catalogs.  This is useful to change if, for instance,
       you'd like to pre-compile catalogs and store them in memcached or some other easily-accessed store."],
     :facts_terminus => ["facter", "Where to get node facts."],
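Review bot: the description of the new setting at `+    :key_terminus => ["file", ...` understates its scope. Through the `:default` entries this patch adds to CA_MODES, `key_terminus` selects the terminus for certificates, certificate requests and the CRL as well, not only keys, and the string has a trailing space before the closing quote. Suggest wording such as "Where the agent stores its key and certificates: 'file' (managed by puppet) or 'external' (managed outside puppet)" and trimming the space.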
diff --git a/lib/puppet/indirector/certificate/external.rb b/lib/puppet/indirector/certificate/external.rb
new file mode 100644
index 0000000..4e0fcff
--- /dev/null
+++ b/lib/puppet/indirector/certificate/external.rb
@@ -0,0 +1,9 @@
+require 'puppet/indirector/ssl_file'
+require 'puppet/ssl/certificate'
+
+class Puppet::SSL::Certificate::External < Puppet::Indirector::SslFile
+    desc "Use an externally managed Certificate"
+
+    store_at :hostcert
+    store_ca_at :localcacert
+end
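Review bot: `Puppet::SSL::Certificate::External` declares exactly the same `store_at :hostcert` and `store_ca_at :localcacert` as the existing file-based certificate terminus and adds no behaviour, so under `key_terminus = external` certificates are still read from and written to the puppet-managed paths. If that is intended, a comment saying so (or subclassing the file terminus) would make the intent clear. The body also uses four-space indentation where the rest of the tree (see the host.rb hunks below) uses two.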
diff --git a/lib/puppet/indirector/certificate_request/external.rb b/lib/puppet/indirector/certificate_request/external.rb
new file mode 100644
index 0000000..ba86ad1
--- /dev/null
+++ b/lib/puppet/indirector/certificate_request/external.rb
@@ -0,0 +1,8 @@
+require 'puppet/indirector/ssl_file'
+require 'puppet/ssl/certificate_request'
+
+class Puppet::SSL::CertificateRequest::External< Puppet::Indirector::SslFile
+    desc "Manage the collection of certificate requests on disk."
+
+    store_in :requestdir
+end
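Review bot: missing space before `<` in `class Puppet::SSL::CertificateRequest::External< Puppet::Indirector::SslFile`, and the `desc` string is copied verbatim from the on-disk terminus, so generated documentation will not distinguish the two. Suggest a description that mentions external management, as the certificate and key termini in this patch do.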
diff --git a/lib/puppet/indirector/certificate_revocation_list/external.rb b/lib/puppet/indirector/certificate_revocation_list/external.rb
new file mode 100644
index 0000000..55338c5
--- /dev/null
+++ b/lib/puppet/indirector/certificate_revocation_list/external.rb
@@ -0,0 +1,8 @@
+require 'puppet/indirector/ssl_file'
+require 'puppet/ssl/certificate_revocation_list'
+
+class Puppet::SSL::CertificateRevocationList::External < Puppet::Indirector::SslFile
+    desc "Manage the global certificate revocation list."
+
+    store_at :hostcrl
+end
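Review bot: the CRL terminus likewise only restates `store_at :hostcrl` with the same `desc` as the file terminus; there is no externally managed CRL path in this patch, so an agent with `key_terminus = external` will still expect puppet to write the CRL to `hostcrl`. Either document that the CRL stays puppet-managed in external mode or give it its own path setting as the key gets.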
diff --git a/lib/puppet/indirector/key/external.rb b/lib/puppet/indirector/key/external.rb
new file mode 100644
index 0000000..6468698
--- /dev/null
+++ b/lib/puppet/indirector/key/external.rb
@@ -0,0 +1,18 @@
+require 'puppet/indirector/ssl_file'
+require 'puppet/ssl/key'
+
+class Puppet::SSL::Key::External < Puppet::Indirector::SslFile
+    desc "Use an external file as the source for the key."
+
+    store_at :hostprivkey
+
+    store_ca_at :cakey
+    
+    def public_key_path(name)
+            Puppet[:hostpubkey]
+    end
+    
+    def path(name)
+            Puppet[:hostprivkey]
+    end
+end
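Review bot: in `lib/puppet/indirector/key/external.rb`, `path(name)` ignores `name` and always returns `Puppet[:hostprivkey]`, which makes the `store_ca_at :cakey` line above it dead: a lookup for the CA's key name through this terminus returns the agent's host key rather than `cakey`. Either drop `store_ca_at` or return the CA path when `name` is the CA name. Both method bodies are indented twelve spaces, and the blank lines carry trailing whitespace (`+    `).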
diff --git a/lib/puppet/ssl/host.rb b/lib/puppet/ssl/host.rb
index 8a6f0aa..2f5b93e 100644
--- a/lib/puppet/ssl/host.rb
+++ b/lib/puppet/ssl/host.rb
@@ -43,6 +43,8 @@ class Puppet::SSL::Host
 
   # Configure how our various classes interact with their various terminuses.
   def self.configure_indirection(terminus, cache = nil)
+    terminus = Puppet[:key_terminus] if terminus == :default
+    cache = Puppet[:key_terminus] if cache == :default  
     Certificate.terminus_class = terminus
     CertificateRequest.terminus_class = terminus
     CertificateRevocationList.terminus_class = terminus
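Review bot: `terminus = Puppet[:key_terminus] if terminus == :default` substitutes a String ("file" or "external") where every other caller of `configure_indirection` passes a Symbol (`:ca`, `:rest`, `:file`). Please confirm that `terminus_class=` normalises with `to_sym`, or convert here with `Puppet[:key_terminus].to_sym`. The `cache = ...` line also has trailing whitespace.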
@@ -74,13 +76,13 @@ class Puppet::SSL::Host
   CA_MODES = {
     # Our ca is local, so we use it as the ultimate source of information
     # And we cache files locally.
-    :local => [:ca, :file],
+    :local => [:ca, :default],
     # We're a remote CA client.
-    :remote => [:rest, :file],
+    :remote => [:rest, :default],
     # We are the CA, so we don't have read/write access to the normal certificates.
     :only => [:ca],
     # We have no CA, so we just look in the local file store.
-    :none => [:file]
+    :none => [:default]
   }
 
   # Specify how we expect to interact with our certificate authority.
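Review bot: the CA_MODES comments still say "we cache files locally" and "we just look in the local file store", but the `:default` entries introduced here may now resolve to `external`; update them to say the cache or store is whatever `key_terminus` selects.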
@@ -191,7 +193,8 @@ class Puppet::SSL::Host
 
   def initialize(name = nil)
     @name = (name || Puppet[:certname]).downcase
-    @key = @certificate = @certificate_request = nil
+    @key = Key.find(name)
+    @certificate = @certificate_request = nil
     @ca = (name == self.class.ca_name)
   end
 
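Review bot: `@key = Key.find(name)` in `initialize` uses the raw `name` argument rather than the normalised `@name` computed on the line above (downcased, defaulted to `Puppet[:certname]`), so `Puppet::SSL::Host.new` with no argument calls `Key.find(nil)`. It also changes key loading from lazy to eager for every terminus, including hosts that have no key yet. Consider keeping `@key = nil` and letting the existing accessor look it up, or at minimum pass `@name`.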
diff --git a/lib/puppet/ssl/key.rb b/lib/puppet/ssl/key.rb
index 0ddc962..244c25c 100644
--- a/lib/puppet/ssl/key.rb
+++ b/lib/puppet/ssl/key.rb
@@ -6,7 +6,7 @@ class Puppet::SSL::Key < Puppet::SSL::Base
   wraps OpenSSL::PKey::RSA
 
   extend Puppet::Indirector
-  indirects :key, :terminus_class => :file
+  indirects :key, :terminus_setting => :key_terminus
 
   # Because of how the format handler class is included, this
   # can't be in the base class.
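Review bot: only `Puppet::SSL::Key` receives `:terminus_setting => :key_terminus`; Certificate, CertificateRequest and CertificateRevocationList keep their hard-coded file terminus and only switch to `external` when `Puppet::SSL::Host.configure_indirection` runs, so code that looks up a certificate before that call still reads the puppet-managed paths. Either give those three classes the same `:terminus_setting` or state in the commit message that the setting takes effect only through Host.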
-- 
1.6.6.1
