Wednesday, October 6, 2010

Overview of a Puppet Split CA architecture


The Puppet Master CA is the only Certificate Authority (CA) in the whole infrastructure. It issues certificates for all Puppet agents. It also manages the Puppet Master systems.

The Puppet Masters are only responsible for compiling the catalogs requested by Puppet Agents; they don't act as a CA themselves. They only accept Puppet Agents whose certificates have been issued by the Puppet Master CA.

Puppet Agents retrieve their certificates from the Puppet Master CA the first time they run. Afterwards they connect to the Puppet Masters to get their catalogs and no longer contact the Puppet Master CA.

Puppet Master CA


The Puppet Master CA manages all Puppet Masters. In particular it distributes its own Certificate Revocation List (CRL) file to every Puppet Master. The Puppet Master CA also issues certificates to Puppet Agents.

Puppet Master


A Puppet Master runs under Apache and Passenger. The Apache SSL module is configured to require client certificates signed by the Puppet Master CA (/etc/apache2/sites-available/puppetmaster):
# Require certificates to be valid
SSLVerifyClient require
SSLVerifyDepth  1

The Puppet Master is also configured to not act as a Puppet CA (/etc/puppet/puppet.conf):
[main]
ca = false

Puppet Agent


Puppet Agents retrieve their certificate from the Puppet Master CA and request their catalog from one of the Puppet Masters (/etc/puppet/puppet.conf):
[agent]
ca_server = PUPPET_MASTER_CA
server = PUPPET_MASTER
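The three configuration pieces above only make sense together: the CA issues agent certificates and publishes the CRL, and each master accepts a client only if its certificate chains to that CA and is not revoked. The following is an added example, not part of the original post or of Puppet itself: it builds a throwaway CA with openssl (all names, the ca.cnf layout and the agent names are constructed), issues two agent certificates, revokes one, regenerates the CRL, and runs the same chain-plus-revocation check that mod_ssl applies under SSLVerifyClient require.

```shell
# Added example (not from the post): throwaway "Puppet Master CA" with openssl,
# two agent certs, one revocation, and the check a master would apply.
set -e
WORK=$(mktemp -d); cd "$WORK"
mkdir newcerts; touch index.txt; echo 01 > serial; echo 01 > crlnumber
# Minimal config for openssl ca/req (constructed; not a Puppet file)
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = puppetca
[ puppetca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/ca.pem
private_key = $dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = any
[ any ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
EOF
# Self-signed CA key and certificate (stands in for the real Puppet Master CA)
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
  -subj "/CN=puppetca.example" -config ca.cnf \
  -addext "basicConstraints=critical,CA:TRUE" 2>/dev/null
# issue <name>: agent key + CSR signed by the CA, which is what an agent's
# first run against ca_server obtains
issue() {
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$1" -config ca.cnf 2>/dev/null
  openssl ca -batch -config ca.cnf -in "$1.csr" -out "$1.pem" 2>/dev/null
}
issue agent1.example; issue agent2.example
# Revoke agent2 and regenerate the CRL the CA distributes to every Puppet Master
openssl ca -config ca.cnf -revoke agent2.example.pem 2>/dev/null
openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null
# verify_agent <cert>: exit 0 only if <cert> chains to ca.pem and is absent
# from the CRL, i.e. a client a master configured as above would accept
verify_agent() {
  openssl verify -crl_check -CAfile ca.pem -CRLfile ca.crl "$1" >/dev/null 2>&1
}
```

With a stale ca.crl on a master, agent2 would still pass verify_agent, which is why the post has the CA push its CRL to every master rather than leaving each one to refresh it on its own.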

Conclusion


From a security perspective, setting the SSLVerifyClient option to require protects the Puppet Masters from requests by unknown hosts and by Puppet Agents whose certificates have been revoked. Having the Puppet Master CA manage the Puppet Masters also makes distributing the Puppet Master CA's CRL straightforward.

On the reliability front, new systems won't be added to the infrastructure while the Puppet Master CA is unavailable. However, existing Puppet Agents remain functional as long as they can connect to a Puppet Master.

17 comments:

  1. Did you ever implement this or extend on the concept further?

    I would be interested to see your approach to SPOF and dual site-failover resilience using this.
