Automating Puppet Certificates Renewal

•

0 likes•69 views

Everyone who has been using Puppet with a self-signed CA for over 5 years knows that dreaded time: the time when the CA and client certificates must be renewed. This talk will present the ways to ease CA renewal, and present a new approach to renew Puppet client certificates in a secure and automated way.

Software

Automating Puppet Certificates Renewal
Raphaël Pinson

2/19www.camptocamp.com /
Who am I?
■ Raphaël Pinson (@raphink)
○ Infrastructure Developer & Training Leader
○ Augeas & Augeasproviders developer
○ Various contributions to Puppet & Ecosystem

3/19www.camptocamp.com /
Camptocamp
■ Switzerland / France / Germany
■ Open-source development/integration expert
■ Puppet user and contributor since 2008
■ Major contributor to the Puppet Forge

4/19www.camptocamp.com /
Camptocamp infra team

5/19www.camptocamp.com /
CA cert has expired

6/19www.camptocamp.com /
CA renewal options
NEWCAKEY
PAIR
NEWCACERT
FROMKEYPAIR
AUTOMATECA
CERTDEPLOYMENT
AUTOMATEAGENT
CERTDEPLOYMENT

8/19www.camptocamp.com /
puppetlabs/certgen
■ Install from Puppet Forge
mod 'puppetlabs-certregen', '0.2.0'
■ Regenerate CA cert
$ sudo puppet certregen ca ca_serial 01–
■ Deploy new CA cert (before it expires!)
include certregen::client

9/19www.camptocamp.com /
How about agent certificates?

10/19www.camptocamp.com /
Certificate autosign
■ autosign.conf
○ Insecure by design
○ Don't use
■ Autosign policy
○ (possibly) secure autosigning
○ Use psk, unique tokens, etc.
○ See also danieldreier/puppet-autosign

11/19www.camptocamp.com /
The puppet_certificate type
■ Automate Puppet
certificate generation
■ Manage with Puppet
manifests

$12/19www.camptocamp.com / Cleaning certificats on CA ■ Required before new certificate can be generated ■ Requires to tune the CA API in auth.conf { name: "Allow nodes to delete their own certificates", match-request: { path: "^/puppet-ca/v1/certificate(_status|_request)?/([^/]+)$" type: regex method: [delete] }, Allow: "$2", sort-order: 500 }$

$13/19www.camptocamp.com / Unique renewal tokens ■ Use hashed token incl. unchangeable trusted facts ■ Sample hashing function (compatible with Terraform's base64sha256 builtin function) ■ Generate unique token per node in Puppet manifest: Puppet::Parser::Functions.newfunction(:base64_sha256, :arity => 1, :type => :rvalue) do |args| Digest::SHA256.base64digest(args[0]) end # $psk is a secret parameter (e.g. from hiera) # $certname comes from trusted facts $token = base64_sha256("${psk}/${certname}")$

$14/19www.camptocamp.com / Adapt autosign script #!/usr/bin/env ruby require 'openssl' request = STDIN.read csr = OpenSSL::X509::Request.new(request) # Don't you love OpenSSL's nested values? challenge = csr.attributes.select { |a| a.oid == "challengePassword" }.first.value.value.first.value # Puppetmaster logs include exit code exit 2 if challenge.nil? certname = ARGV[0] hash = Digest::SHA256.base64digest("#{autosign_psk}/#{certname}") if challenge == hash exit 0 end exit 1$

$15/19www.camptocamp.com / Throw in certificate extensions def get_ext(csr, name) Puppet::SSL::Oids.register_puppet_oids # Some more OpenSSL nested values exts = csr.attributes.select{ |a| a.oid == "extReq" }[0].value.value[0].value # Turtles all the way down val = exts.select { |e| e.value[0].short_name == name }[0].value[1].value OpenSSL::ASN1.decode(val).value end pp_role = get_ext(csr, 'pp_role') pp_environment = get_ext(csr, 'pp_environment') hash = Digest::SHA256.base64digest("#{autosign_psk}/#{certname}/#{pp_role}/#{pp_environment}") ■ Lock token to specific trusted facts$

16/19www.camptocamp.com /
Couple with trusted facts provisioning
$role = $::trusted['extensions']['pp_role']
include sprintf(
'::roles_c2c::%s', regsubst($role, '/', '::', 'G')
)
■ Dynamic provisioning (no server code added)
■ Safe because linked to certificate

$17/19www.camptocamp.com / Put it all together! # csr_attributes.yaml --- custom_attributes: 1.2.840.113549.1.9.7: '$ {token}' # in common Puppet profile puppet_certificate { $certname: ensure => valid, waitforcert => 60, renewal_grace_period => 20, clean => true, }$

This document discusses automating the renewal of Puppet certificates for both the Puppet CA certificate and agent certificates. It describes using the puppetlabs-certregen module to regenerate the CA certificate before expiration and generating unique renewal tokens to securely automate approval of agent certificate signing requests. It also discusses integrating certificate extensions to provision roles and environments based on the certificate and tying the renewal process to trusted facts for security.

Php arduino

Jonadri Bundo

Hadoop meetup : HUGFR Construire le cluster le plus rapide pour l'analyse des...

Modern Data Stack France

Construire le cluster le plus rapide pour l'analyse des datas : benchmarks sur un régresseur par Christopher Bourez (Axa Global Direct) Les toutes dernières technologies de calcul parallèle permettent de calculer des modèles de prédiction sur des big datas en des temps records. Avec le cloud est facilité l'accès à des configurations hardware modernes avec la possibilité d'une scalabilité éphémère durant les calculs. Des benchmarks sont réalisés sur plusieurs configuration hardware, allant de 1 instance à un cluster de 100 instances. Christopher Bourez, développeur & manager expert en systèmes d'information modernes chez Axa Global Direct. Alien thinker. Blog : http://christopher5106.github.io/

Orchestrated Functional Testing with Puppet-spec and Mspectator

Raphaël PINSON

Orchestrated Functional Testing with Puppet-spec and Mspectator - PuppetConf ...

Puppet

This document discusses using Puppet-spec and Mspectator to orchestrate functional testing of Puppet configurations. Puppet-spec allows running unit and integration tests as part of Puppet runs, while Mspectator provides RSpec matchers to run functional tests across nodes using MCollective. The tests validate resources, packages, files and more, failing runs when tests don't pass to ensure configurations meet standards.

georchestra SDI: Project Status Report

Camptocamp

geOrchestra is the free, modular and secure Spatial Data Infrastructure software born in 2009 to meet the requirements of the INSPIRE directive in Europe. It is built on top of the latest stable versions of GeoServer and GeoNetwork. In this talk we will briefly present the geOrchestra SDI, before going through the major contributions during the previous year, to answer the following questions: * how the project moved from tainted to generic artifacts (war files, debian packages, docker images) * how to deploy a geOrchestra SDI instance in 10 minutes * how to build your robust, high performance and high availability SDI in the clouds.

1032 practical linux system administration

Noel Ng

The document describes an IoT project that uses a Raspberry Pi to control motors and stream video. Materials used include a Raspberry Pi, webcam, servo motor, stepper motor, and other electronic components. Software like LAMP, MJPG-streamer, and Pi4J were used. Code was written to control the motors from webpages using PHP, Python, and Java. The project allows controlling the motors and viewing the webcam stream remotely through a web interface. Some challenges around remote access were addressed using techniques like AJAX and SSH tunnels. The final working project demonstrates automated control of physical devices through a web browser.

Dependencies Managers in C/C++. Using stdcpp 2014

biicode

Vagrant, Packer, and Puppet can be used together to create a development environment. Packer is used to build custom base boxes that include only the operating system. Vagrant uses these base boxes to create isolated virtual machines. Puppet then provisions the virtual machines by installing additional software, configuring applications, and defining infrastructure as code. This allows for consistent, reproducible development environments that match production.

Icinga 2 and Puppet - Automate Monitoring

OlinData

Walter Heck presented on using Puppet to automate Icinga monitoring. He discussed what Puppet is and its typical architecture. He then showed how to set up the Icinga server and client using Puppet modules, including configuring MySQL/Postgres, setting up Icinga2 and Icingaweb2, and exporting host configurations from Puppet to populate Icinga's monitoring configuration. He concluded by discussing next steps like creating application-specific profiles and advertising upcoming Icinga training in Amsterdam.

Icinga Camp Amsterdam - Icinga2 and Puppet

Icinga

Python para equipos de ciberseguridad

Jose Manuel Ortega Candel

Python se ha convertido en el lenguaje más usado para desarrollar herramientas dentro del ámbito de la seguridad. Esta charla se centrará en las diferentes formas en que un analista puede aprovechar el lenguaje de programación Python tanto desde el punto de vista defensivo como ofensivo. Desde el punto de vista defensivo Python es una de las mejores opciones como herramienta de pentesting por la gran cantidad de módulos que nos pueden ayudar a desarrollar nuestras propias herramientas con el objetivo de realizar un análisis de nuestro objetivo. Desde el punto de vista ofensivo podemos utilizar Python para recolección de información de nuestro objetivo de forma pasiva y activa. El objetivo final es obtener el máximo conocimiento posible en el contexto que estamos auditando. Entre los principales puntos a tratar podemos destacar: 1.Introducción a Python para proyectos de ciberseguridad(5 min) 2.Herramientas de pentesting(10 min) 3.Herramientas Python desde el punto de vista defensivo(10 min) 4.Herramientas Python desde el punto de vista ofensivo(10 min)

Test-Driven Puppet Development - PuppetConf 2014

Puppet

This document discusses testing driven development of Puppet modules. It covers using puppet-lint to check style, puppet-syntax to validate code, and rspec-puppet to test catalogs and verify relationships. Packer is used to build consistent virtual machine images, Vagrant manages virtual environments for testing, and Beaker runs acceptance tests across multiple platforms. The goal is to create a virtuous cycle of testing, validation, and development feedback to continuously improve module quality.

Puppet at Pinterest

Puppet

"Puppet at Pinterest", by Ryan Park, Operations Engineer at Pinterest. Talk from PuppetConf 2012. Video of "Puppet at Pinterest": http://youtu.be/aU-bCbBq8zs Learn more about Puppet: http://bit.ly/QQoAP1 Abstract: A case study of how Pinterest uses Puppet to manage its infrastructure. Pinterest has hundreds of Amazon EC2 virtual servers and uses Puppet Dashboard as the “source of truth” about its server inventory. Pinterest built a REST API for this database, which powers tools and automated scripts that integrate Puppet with internal systems and with Amazon Web Services. Speaker Bio: Ryan Park leads operations and infrastructure at Pinterest, one of 2012’s fastest growing web sites. Pinterest’s entire infrastructure is in the cloud, built atop hundreds of Amazon EC2 virtual server instances. Ryan introduced Puppet to their infrastructure as soon as he joined the company, and they now use Puppet as the primary tool for managing their infrastructure. Prior to joining Pinterest, Ryan was the Head of Operations at PBworks, an online team collaboration service.

Spark summit2014 techtalk - testing spark

Anu Shetty

The document discusses best practices for testing Spark applications including setting up test environments for unit and integration testing Spark in both batch and streaming modes. It also covers performance testing Spark applications using Gatling, including developing a sample performance test for a word count Spark job run on Spark job server. Key steps for testing, code coverage, continuous integration and analyzing performance test results are provided.

Our Puppet Story (GUUG FFG 2015)

DECK36

This document discusses using Puppet and related tools to automate the configuration and provisioning of development environments and servers. It covers using Vagrant and Puppet to set up local virtual machine environments, managing configurations with Puppet and Hiera, structuring code according to roles and profiles, integrating with version control and the Puppet Forge, and monitoring changes with tools like the Puppet Dashboard and MCollective. The document provides an overview of best practices and strategies for implementing infrastructure as code with Puppet.

Apache Spark SQL- Installing Spark

Experfy

Symfony War Stories

Jakub Zalas

Piwik elasticsearch kibana at OSC Tokyo 2016 Spring

Takashi Yamamoto

1. This document discusses using Piwik, fluentd, elasticsearch, and kibana to analyze Piwik web analytics data. Fluentd is used to collect and parse Apache access logs from Piwik and forward the data to elasticsearch for storage and indexing. Kibana queries and visualizes the elasticsearch data. 2. Instructions are provided for installing fluentd, elasticsearch, and building RPM packages for kibana on Red Hat 6 and 7. Configuration details explain how to setup fluentd input, filtering, and output plugins to ingest Piwik log data from Apache logs and store it in elasticsearch. 3. The elasticsearch and kibana installations provide visualization of the Piwik web analytics data for

Infinum Android Talks #04 - How to publish an android archive (.aar) to Maven...

Infinum

Infinum Android Talks #04 - How to publish an Android archive (.aar) to Maven...

Denis_infinum

OpenStack for Centos

Chandan Kumar

Virtualization and automation of library software/machines + Puppet

Omar Reygaert

The document discusses virtualization, automation, and Puppet. It begins with an introduction to virtualization and hands-on labs. It then covers automation through kickstart files and preseeding to automate operating system installation. Hands-on labs are also provided for automation. Finally, it discusses Puppet for configuration management, including node definitions, modules, and resources to manipulate files, packages, users and more. Hands-on labs are presented for implementing SFX configuration with Puppet.

Adding replication protocol support for psycopg2

Alexander Shulgin

This document discusses adding logical replication protocol support to the psycopg2 library to allow Python applications to consume real-time replication streams from PostgreSQL. It provides code examples for connecting to replication slots, consuming change streams and messages, and stopping replication. Docker images are also available to simplify testing logical replication. Physical replication is also supported through a separate connection class. Asynchronous replication connections and keepalive messages are demonstrated as well.

Introducing Playwright's New Test Runner

Applitools

Beyond AEM Curl Commands

Cliffano Subagio

The document discusses problems with using curl commands for interacting with AEM APIs and proposes using OpenAPI specification and generated API clients as a better solution. It outlines issues like inconsistent response formats, unreliable status codes, and lack of error handling with curl. The proposed solution is to define AEM endpoints in OpenAPI format and generate API clients in various languages like Ruby, Python, and Java. These clients provide response objects, better error handling, and easier integration with different technologies compared to curl commands. Use cases like Puppet modules for AEM configuration management are discussed.

PuppetCamp SEA 1 - Use of Puppet

OlinData

Explore the World of Cilium, Tetragon & eBPF

Raphaël PINSON

Come explore the World of Cilium with us! In this workshop, you'll have the opportunity to discover about Cilium and Tetragon, and the kernel technology that makes them possible, eBPF. Through a collection of hands-on labs (available at https://labs-map.isovalent.com/) and the presenter's support, you'll be able to explore many topics covering Cloud Native Networking, Security, and Observability. In this gamified approach, you'll also be able to earn badges for completing labs. Whether you're a Platform Engineer, SRE, Network Engineer, SecOps Professional, Cloud Architect, and more, you'll certainly find subjects to explore in this session!

Cfgmgmtcamp 2024 — eBPF-based Security Observability & Runtime Enforcement wi...

Raphaël PINSON

eBPF is used in several cloud native security tools. In this talk we’ll dive into demos and code to explore how eBPF can be used for the next generation of security enforcement tooling. This talk will cover: - Why enforcing NetworkPolicy with eBPF has been in place for years, but preventive security for applications has taken longer. - How Phantom attacks can compromise the use of basic system call hooks. - How other eBPF attachment points, such as BPF LSM, can be used for preventive security.

Similar to Automating Puppet Certificates Renewal

First steps with Gazebo simulation for ROS

Sergey Matyunin

Create your very own Development Environment with Vagrant and Packer

frastel

Icinga 2 and Puppet - Automate Monitoring

OlinData

Icinga Camp Amsterdam - Icinga2 and Puppet

Icinga

Python para equipos de ciberseguridad

Jose Manuel Ortega Candel

Test-Driven Puppet Development - PuppetConf 2014

Puppet

Puppet at Pinterest

Puppet

Spark summit2014 techtalk - testing spark

Anu Shetty

Our Puppet Story (GUUG FFG 2015)

DECK36

Apache Spark SQL- Installing Spark

Experfy

Symfony War Stories

Jakub Zalas

Piwik elasticsearch kibana at OSC Tokyo 2016 Spring

Takashi Yamamoto

Infinum Android Talks #04 - How to publish an android archive (.aar) to Maven...

Infinum

Infinum Android Talks #04 - How to publish an Android archive (.aar) to Maven...

Denis_infinum

OpenStack for Centos

Chandan Kumar

Virtualization and automation of library software/machines + Puppet

Omar Reygaert

Adding replication protocol support for psycopg2

Alexander Shulgin

Introducing Playwright's New Test Runner

Applitools

Beyond AEM Curl Commands

Cliffano Subagio

PuppetCamp SEA 1 - Use of Puppet

OlinData

Similar to Automating Puppet Certificates Renewal (20)

First steps with Gazebo simulation for ROS

Create your very own Development Environment with Vagrant and Packer

Icinga 2 and Puppet - Automate Monitoring

Icinga Camp Amsterdam - Icinga2 and Puppet

Python para equipos de ciberseguridad

Test-Driven Puppet Development - PuppetConf 2014

Puppet at Pinterest

Spark summit2014 techtalk - testing spark

Our Puppet Story (GUUG FFG 2015)

Apache Spark SQL- Installing Spark

Symfony War Stories

Piwik elasticsearch kibana at OSC Tokyo 2016 Spring

Infinum Android Talks #04 - How to publish an android archive (.aar) to Maven...

Infinum Android Talks #04 - How to publish an Android archive (.aar) to Maven...

OpenStack for Centos

Virtualization and automation of library software/machines + Puppet

Adding replication protocol support for psycopg2

Introducing Playwright's New Test Runner

Beyond AEM Curl Commands

PuppetCamp SEA 1 - Use of Puppet

More from Raphaël PINSON

Explore the World of Cilium, Tetragon & eBPF

Raphaël PINSON

Cfgmgmtcamp 2024 — eBPF-based Security Observability & Runtime Enforcement wi...

Raphaël PINSON

ContainerDays Hamburg 2023 — Cilium Workshop.pdf

Raphaël PINSON

KCD Zurich 2023 — Bridge Dev & Ops with eBPF.pdf

Raphaël PINSON

eBPF (extended Berkeley Packet Filter) is a powerful and versatile technology that can be used to extend observability in Linux systems. In this talk, we will explore how eBPF can be used to bridge the gap between dev and ops by providing a deeper understanding of the kernel and OS internals as well as the applications running on top. We will discuss how eBPF can be used to extend observability downwards by enabling access to low-level system information and how it can be used to extend observability upwards by providing application-level tracing capabilities.

Cloud Native Bern 05.2023 — Zero Trust Visibility

Raphaël PINSON

As the adoption of Kubernetes continues to grow, so does the need for securing containerized applications and their data. One effective security model that has gained popularity is Zero Trust Networking, which assumes that all resources, devices and users are untrusted, and access to resources is granted only after proper authentication and authorization. However, implementing Zero Trust Networking in Kubernetes can be challenging, given the dynamic nature of containerized workloads and the complexity of network policies. In this presentation, we will explore how to implement Zero Trust Networking in Kubernetes using Cilium, Hubble & Grafana. We will start by setting up Cilium on a Kubernetes cluster, which provides network security by enforcing identity-based access control policies using eBPF. Next, we will export Network Policy Verdict metrics using Hubble, which allows us to visualize network policies and track security events in real-time. Finally, we will use a Grafana dashboard to visualize these metrics and demonstrate how to secure a Kubernetes namespace without affecting existing traffic in the namespace. By the end of this presentation, attendees will have a good understanding of the importance of Zero Trust Networking in Kubernetes and how to implement it using Cilium, Hubble & Grafana. They will also learn how to secure a Kubernetes namespace and monitor network policies using a Grafana dashboard.

DevOpsDays Zurich 2023 — Bridging Dev and Ops with eBPF: Extending Observabil...

Raphaël PINSON

Révolution eBPF - un noyau dynamique

Raphaël PINSON

De KubeCon à ContainerDays, eBPF a le vent en poupe dans le monde Cloud Native. Mais de quoi s’agit-il, pourquoi cette technologie est-elle révolutionnaire, et qu’est-ce qu’elle peut m’apporter concrètement? À travers des exemples concrets appliqués aux domaines de l’observabilité, du réseau et de la sécurité, cette session explique les tenants d’eBPF et ses avantages concrets pour connecter et sécuriser les applications Cloud Native. Vous y découvrirez comment démarrer votre aventure avec eBPF, avec des outils vous permettant de bénéficier de ses super-pouvoirs en toute simplicité.

Cfgmgmtcamp 2023 — eBPF Superpowers

Raphaël PINSON

From KubeCon to ContainerDays, eBPF is trendy in the Cloud Native world. What is eBPF, and why is it revolutionary, and what can it bring to you specifically? Through concrete examples applied to observability, networking, and security, this talk will explain the principles of eBPF and its concrete advantages to connect and secure Cloud Native applications. This talk will explain what is eBPF, why it is revolutionary is several fields, give examples of tools using eBPF and what they gain from it, and open up to the future of that technology.

Cloud Native Networking & Security with Cilium & eBPF

Raphaël PINSON

This document summarizes a presentation about Cilium and eBPF. Cilium provides cloud native networking and security using eBPF. eBPF allows programs to run securely in the Linux kernel for networking, security, and observability. Cilium offers networking features like Kubernetes services, cluster mesh for multi-cluster connectivity, and platform integration. It also provides security using identity-based policies and API authorization. Observability features include flow visibility and service maps. Cilium can be used as a service mesh or with Tetragon for prevention capabilities without proxies.

2022 DevOpsDays Geneva — The Hare and the Tortoise.pdf

Raphaël PINSON

The document discusses technical debt and strategies for managing it over time. It advocates for loose coupling between components using techniques like immutability, microservices, and standards. This distributes technical debt across teams and helps systems evolve more gradually over time like a tortoise, rather than taking on large debt quickly like a hare. The document recommends focusing on direction over speed and emphasizes the importance of stability, feedback, and continual learning to effectively manage technical debt.

SKS in git ops mode

Raphaël PINSON

Raphaël Pinson presented on implementing GitOps with the DevOps Stack. The DevOps Stack provides an opinionated Kubernetes stack that is deployed and managed using GitOps. It handles provisioning Kubernetes, integrating single sign-on, and managing observability tools through Argo CD. Argo CD syncs the cluster state with the desired manifests in Git, ensuring congruence. It also provides an interface for managing applications and templates. The DevOps Stack offers a standardized way to deploy common services and manage infrastructure as code.

The Hare and the Tortoise: Open Source, Standards & Technological Debt

Raphaël PINSON

The document summarizes key points from a presentation about open source, standards, and technical debt. It discusses how technical debt can go unnoticed but must eventually be paid back, and how following standards helps avoid issues related to not invented here syndrome. It also covers topics like loose coupling through immutability, team topologies as related to code ownership and debt dilution, and how public cloud can help delegate technical debt but introduce new dependencies. Throughout, it emphasizes that the important thing is not speed but direction when it comes to reducing technical debt over time.

Devops stack

Raphaël PINSON

YAML Engineering: why we need a new paradigm

Raphaël PINSON

Container Security: a toolchain for automatic image rebuilds

Raphaël PINSON

Containers and Kubernetes have revolutionized the way applications are deployed at scale. This new approach, along with the use of CI/CD for deployment automation, brings new challenges, in particular when it comes to security, as containers are static artifacts that require rebuilding and redeployment in order to perform updates. This talk will demonstrate how to set up an automated CI/CD pipeline to deploy applications on Kubernetes using OpenShift and GitLab, so that updates of public base images trigger rebuilds and deployments of derivative containers. It will also show how static image analysis can be plugged into the pipeline to increase application security.

K9s - Kubernetes CLI To Manage Your Clusters In Style

Raphaël PINSON

This document discusses K9s, a rich Kubernetes client that provides a VIM-like interface for interacting with Kubernetes clusters. K9s does not require in-cluster installation but is instead a standalone Golang binary. It allows viewing and filtering Kubernetes resources, logs, port forwarding, and more through an intuitive interface with key bindings. Plugins can add additional functionality and views can be customized through skins defined in YAML.

Argocd up and running

Raphaël PINSON

This document discusses setting up ArgoCD, an open source tool for continuous delivery for Kubernetes applications, including building and testing source code, deploying Docker images to a registry, and using ArgoCD to apply configuration definitions and deploy applications. It also provides links to additional Dev.to posts and GitHub projects about using Kustomize and secrets management with ArgoCD.

Bivac - Container Volumes Backup

Raphaël PINSON

Containers have become a great facility to easily deploy applications, whether locally or on orchestrated clusters. However, containers are ephemeral, meaning their data should be stored externally. When possible, they can be stored using databases or object storage. Most often though, you will need to resort to using data volumes, mounted inside your containers. How then can be perform a backup of this data?

Running the Puppet Stack in Containers

Raphaël PINSON

Installing a Puppet Configuration Management system always starts with setting up the Puppet Master infrastructure. This is a complex task. Various installers exist, and managing the infrastructure on the long run isn't an easy task either. At Camptocamp, we have decided to containerize the whole Puppet server stack to deploy it without the help of Puppet, and ease its scaling and updating. This talk outlines our journey and the benefits we got from this setup.

Narcissus — mapping configs in Go

Raphaël PINSON

More from Raphaël PINSON (20)

Explore the World of Cilium, Tetragon & eBPF

Cfgmgmtcamp 2024 — eBPF-based Security Observability & Runtime Enforcement wi...

ContainerDays Hamburg 2023 — Cilium Workshop.pdf

KCD Zurich 2023 — Bridge Dev & Ops with eBPF.pdf

Cloud Native Bern 05.2023 — Zero Trust Visibility

DevOpsDays Zurich 2023 — Bridging Dev and Ops with eBPF: Extending Observabil...

Révolution eBPF - un noyau dynamique

Cfgmgmtcamp 2023 — eBPF Superpowers

Cloud Native Networking & Security with Cilium & eBPF

2022 DevOpsDays Geneva — The Hare and the Tortoise.pdf

SKS in git ops mode

The Hare and the Tortoise: Open Source, Standards & Technological Debt

Devops stack

YAML Engineering: why we need a new paradigm

Container Security: a toolchain for automatic image rebuilds

K9s - Kubernetes CLI To Manage Your Clusters In Style

Argocd up and running

Bivac - Container Volumes Backup

Running the Puppet Stack in Containers

Narcissus — mapping configs in Go

Recently uploaded

Atelier - Innover avec l’IA Générative et les graphes de connaissances

Neo4j

Atelier - Innover avec l’IA Générative et les graphes de connaissances Allez au-delà du battage médiatique autour de l’IA et découvrez des techniques pratiques pour utiliser l’IA de manière responsable à travers les données de votre organisation. Explorez comment utiliser les graphes de connaissances pour augmenter la précision, la transparence et la capacité d’explication dans les systèmes d’IA générative. Vous partirez avec une expérience pratique combinant les relations entre les données et les LLM pour apporter du contexte spécifique à votre domaine et améliorer votre raisonnement. Amenez votre ordinateur portable et nous vous guiderons sur la mise en place de votre propre pile d’IA générative, en vous fournissant des exemples pratiques et codés pour démarrer en quelques minutes.

Hand Rolled Applicative User ValidationCode Kata

Philip Schwarz

Could you use a simple piece of Scala validation code (granted, a very simplistic one too!) that you can rewrite, now and again, to refresh your basic understanding of Applicative operators <*>, <*, *>? The goal is not to write perfect code showcasing validation, but rather, to provide a small, rough-and ready exercise to reinforce your muscle-memory. Despite its grandiose-sounding title, this deck consists of just three slides showing the Scala 3 code to be rewritten whenever the details of the operators begin to fade away. The code is my rough and ready translation of a Haskell user-validation program found in a book called Finding Success (and Failure) in Haskell - Fall in love with applicative functors.

Using Xen Hypervisor for Functional Safety

Ayan Halder

SWEBOK and Education at FUSE Okinawa 2024

Hironori Washizaki

Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris

Neo4j

socradar-q1-2024-aviation-industry-report.pdf

SOCRadar

SOCRadar's Aviation Industry Q1 Incident Report is out now! The aviation industry has always been a prime target for cybercriminals due to its critical infrastructure and high stakes. In the first quarter of 2024, the sector faced an alarming surge in cybersecurity threats, revealing its vulnerabilities and the relentless sophistication of cyber attackers. SOCRadar’s Aviation Industry, Quarterly Incident Report, provides an in-depth analysis of these threats, detected and examined through our extensive monitoring of hacker forums, Telegram channels, and dark web platforms.

A Study of Variable-Role-based Feature Enrichment in Neural Models of Code

Aftab Hussain

Understanding variable roles in code has been found to be helpful by students in learning programming -- could variable roles help deep neural models in performing coding tasks? We do an exploratory study. - These are slides of the talk given at InteNSE'23: The 1st International Workshop on Interpretability and Robustness in Neural Software Engineering, co-located with the 45th International Conference on Software Engineering, ICSE 2023, Melbourne Australia

AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App

Google

AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App 👉👉 Click Here To Get More Info 👇👇 https://sumonreview.com/ai-fusion-buddy-review AI Fusion Buddy Review: Key Features ✅Create Stunning AI App Suite Fully Powered By Google's Latest AI technology, Gemini ✅Use Gemini to Build high-converting Converting Sales Video Scripts, ad copies, Trending Articles, blogs, etc.100% unique! ✅Create Ultra-HD graphics with a single keyword or phrase that commands 10x eyeballs! ✅Fully automated AI articles bulk generation! ✅Auto-post or schedule stunning AI content across all your accounts at once—WordPress, Facebook, LinkedIn, Blogger, and more. ✅With one keyword or URL, generate complete websites, landing pages, and more… ✅Automatically create & sell AI content, graphics, websites, landing pages, & all that gets you paid non-stop 24*7. ✅Pre-built High-Converting 100+ website Templates and 2000+ graphic templates logos, banners, and thumbnail images in Trending Niches. ✅Say goodbye to wasting time logging into multiple Chat GPT & AI Apps once & for all! ✅Save over $5000 per year and kick out dependency on third parties completely! ✅Brand New App: Not available anywhere else! ✅ Beginner-friendly! ✅ZERO upfront cost or any extra expenses ✅Risk-Free: 30-Day Money-Back Guarantee! ✅Commercial License included! See My Other Reviews Article: (1) AI Genie Review: https://sumonreview.com/ai-genie-review (2) SocioWave Review: https://sumonreview.com/sociowave-review (3) AI Partner & Profit Review: https://sumonreview.com/ai-partner-profit-review (4) AI Ebook Suite Review: https://sumonreview.com/ai-ebook-suite-review #AIFusionBuddyReview, #AIFusionBuddyFeatures, #AIFusionBuddyPricing, #AIFusionBuddyProsandCons, #AIFusionBuddyTutorial, #AIFusionBuddyUserExperience #AIFusionBuddyforBeginners, #AIFusionBuddyBenefits, #AIFusionBuddyComparison, #AIFusionBuddyInstallation, #AIFusionBuddyRefundPolicy, #AIFusionBuddyDemo, #AIFusionBuddyMaintenanceFees, #AIFusionBuddyNewbieFriendly, #WhatIsAIFusionBuddy?, #HowDoesAIFusionBuddyWorks

Enterprise Resource Planning System in Telangana

NYGGS Automation Suite

Enterprise Resource Planning System includes various modules that reduce any business's workload. Additionally, it organizes the workflows, which drives towards enhancing productivity. Here are a detailed explanation of the ERP modules. Going through the points will help you understand how the software is changing the work dynamics. To know more details here: https://blogs.nyggs.com/nyggs/enterprise-resource-planning-erp-system-modules/

Why Mobile App Regression Testing is Critical for Sustained Success_ A Detail...

kalichargn70th171

A dynamic process unfolds in the intricate realm of software development, dedicated to crafting and sustaining products that effortlessly address user needs. Amidst vital stages like market analysis and requirement assessments, the heart of software development lies in the meticulous creation and upkeep of source code. Code alterations are inherent, challenging code quality, particularly under stringent deadlines.

May Marketo Masterclass, London MUG May 22 2024.pdf

Adele Miller

DDS-Security 1.2 - What's New? Stronger security for long-running systems

Gerardo Pardo-Castellote

Automated software refactoring with OpenRewrite and Generative AI.pptx.pdf

timtebeek1

Energy consumption of Database Management - Florina Jonuzi

Green Software Development

Empowering Growth with Best Software Development Company in Noida - Deuglo

Deuglo Infosystem Pvt Ltd

Do you want Software for your Business? Visit Deuglo Deuglo has top Software Developers in India. They are experts in software development and help design and create custom Software solutions. Deuglo follows seven steps methods for delivering their services to their customers. They called it the Software development life cycle process (SDLC). Requirement — Collecting the Requirements is the first Phase in the SSLC process. Feasibility Study — after completing the requirement process they move to the design phase. Design — in this phase, they start designing the software. Coding — when designing is completed, the developers start coding for the software. Testing — in this phase when the coding of the software is done the testing team will start testing. Installation — after completion of testing, the application opens to the live server and launches! Maintenance — after completing the software development, customers start using the software.

LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM

lorraineandreiamcidl

KuberTENes Birthday Bash Guadalajara - Introducción a Argo CD

rodomar2

UI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions

Peter Muessig

The UI5 tooling is the development and build tooling of UI5. It is built in a modular and extensible way so that it can be easily extended by your needs. This session will showcase various tooling extensions which can boost your development experience by far so that you can really work offline, transpile your code in your project to use even newer versions of EcmaScript (than 2022 which is supported right now by the UI5 tooling), consume any npm package of your choice in your project, using different kind of proxies, and even stitching UI5 projects during development together to mimic your target environment.

ALGIT - Assembly Line for Green IT - Numbers, Data, Facts

Green Software Development

Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris

Neo4j

Recently uploaded (20)

Atelier - Innover avec l’IA Générative et les graphes de connaissances

Hand Rolled Applicative User ValidationCode Kata

Using Xen Hypervisor for Functional Safety

SWEBOK and Education at FUSE Okinawa 2024

Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris

socradar-q1-2024-aviation-industry-report.pdf

A Study of Variable-Role-based Feature Enrichment in Neural Models of Code

AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App

Enterprise Resource Planning System in Telangana

Why Mobile App Regression Testing is Critical for Sustained Success_ A Detail...

May Marketo Masterclass, London MUG May 22 2024.pdf

DDS-Security 1.2 - What's New? Stronger security for long-running systems

Automated software refactoring with OpenRewrite and Generative AI.pptx.pdf

Energy consumption of Database Management - Florina Jonuzi

Empowering Growth with Best Software Development Company in Noida - Deuglo

LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM

KuberTENes Birthday Bash Guadalajara - Introducción a Argo CD

UI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions

ALGIT - Assembly Line for Green IT - Numbers, Data, Facts

Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris

Automating Puppet Certificates Renewal

1. Automating Puppet Certificates Renewal Raphaël Pinson

2. 2/19www.camptocamp.com / Who am I? ■ Raphaël Pinson (@raphink) ○ Infrastructure Developer & Training Leader ○ Augeas & Augeasproviders developer ○ Various contributions to Puppet & Ecosystem

3. 3/19www.camptocamp.com / Camptocamp ■ Switzerland / France / Germany ■ Open-source development/integration expert ■ Puppet user and contributor since 2008 ■ Major contributor to the Puppet Forge

4. 4/19www.camptocamp.com / Camptocamp infra team

5. 5/19www.camptocamp.com / CA cert has expired

6. 6/19www.camptocamp.com / CA renewal options NEWCAKEY PAIR NEWCACERT FROMKEYPAIR AUTOMATECA CERTDEPLOYMENT AUTOMATEAGENT CERTDEPLOYMENT

7. 7/19www.camptocamp.com /

8. 8/19www.camptocamp.com / puppetlabs/certgen ■ Install from Puppet Forge mod 'puppetlabs-certregen', '0.2.0' ■ Regenerate CA cert $ sudo puppet certregen ca ca_serial 01– ■ Deploy new CA cert (before it expires!) include certregen::client

9. 9/19www.camptocamp.com / How about agent certificates?

10. 10/19www.camptocamp.com / Certificate autosign ■ autosign.conf ○ Insecure by design ○ Don't use ■ Autosign policy ○ (possibly) secure autosigning ○ Use psk, unique tokens, etc. ○ See also danieldreier/puppet-autosign

11. 11/19www.camptocamp.com / The puppet_certificate type ■ Automate Puppet certificate generation ■ Manage with Puppet manifests

12. 12/19www.camptocamp.com / Cleaning certificats on CA ■ Required before new certificate can be generated ■ Requires to tune the CA API in auth.conf { name: "Allow nodes to delete their own certificates", match-request: { path: "^/puppet-ca/v1/certificate(_status|_request)?/([^/]+)$" type: regex method: [delete] }, Allow: "$2", sort-order: 500 }

13. 13/19www.camptocamp.com / Unique renewal tokens ■ Use hashed token incl. unchangeable trusted facts ■ Sample hashing function (compatible with Terraform's base64sha256 builtin function) ■ Generate unique token per node in Puppet manifest: Puppet::Parser::Functions.newfunction(:base64_sha256, :arity => 1, :type => :rvalue) do |args| Digest::SHA256.base64digest(args[0]) end # $psk is a secret parameter (e.g. from hiera) # $certname comes from trusted facts $token = base64_sha256("${psk}/${certname}")

14. 14/19www.camptocamp.com / Adapt autosign script #!/usr/bin/env ruby require 'openssl' request = STDIN.read csr = OpenSSL::X509::Request.new(request) # Don't you love OpenSSL's nested values? challenge = csr.attributes.select { |a| a.oid == "challengePassword" }.first.value.value.first.value # Puppetmaster logs include exit code exit 2 if challenge.nil? certname = ARGV[0] hash = Digest::SHA256.base64digest("#{autosign_psk}/#{certname}") if challenge == hash exit 0 end exit 1

15. 15/19www.camptocamp.com / Throw in certificate extensions def get_ext(csr, name) Puppet::SSL::Oids.register_puppet_oids # Some more OpenSSL nested values exts = csr.attributes.select{ |a| a.oid == "extReq" }[0].value.value[0].value # Turtles all the way down val = exts.select { |e| e.value[0].short_name == name }[0].value[1].value OpenSSL::ASN1.decode(val).value end pp_role = get_ext(csr, 'pp_role') pp_environment = get_ext(csr, 'pp_environment') hash = Digest::SHA256.base64digest("#{autosign_psk}/#{certname}/#{pp_role}/#{pp_environment}") ■ Lock token to specific trusted facts

16. 16/19www.camptocamp.com / Couple with trusted facts provisioning $role = $::trusted['extensions']['pp_role'] include sprintf( '::roles_c2c::%s', regsubst($role, '/', '::', 'G') ) ■ Dynamic provisioning (no server code added) ■ Safe because linked to certificate

17. 17/19www.camptocamp.com / Put it all together! # csr_attributes.yaml --- custom_attributes: 1.2.840.113549.1.9.7: '$ {token}' # in common Puppet profile puppet_certificate { $certname: ensure => valid, waitforcert => 60, renewal_grace_period => 20, clean => true, }

18. 18/19www.camptocamp.com /

Automating Puppet Certificates Renewal

Recommended

Recommended

More Related Content

Similar to Automating Puppet Certificates Renewal

Similar to Automating Puppet Certificates Renewal (20)

More from Raphaël PINSON

More from Raphaël PINSON (20)

Recently uploaded

Recently uploaded (20)

Automating Puppet Certificates Renewal