Wednesday, October 6, 2010

Overview of a Puppet Split CA architecture


The Puppet Master CA is the only Certificate Authority (CA) in the whole infrastructure. It issues certificates for all Puppet agents. It also manages the Puppet Master systems.

The Puppet Masters are only responsible for compiling catalogs requested by Puppet Agents - they don't act as CA themselves. They only accept Puppet Agents which certificates have been issued by the Puppet Master CA.

The Puppet Agent retrieves their certificates from the Puppet Master CA the first time they run. They connect to the Puppet Masters afterwards to get their catalogs. They won't contact the Puppet Master CA anymore.

Puppet Master CA


The Puppet Master CA manages all Puppet Masters. In particular it distributes its own Certificate Revocation List (CRL) file to every Puppet Master. The Puppet Master CA also issues certificates to Puppet Agents.

Puppet Master


A Puppet Master runs under Apache and Passenger. Apache ssl module is configured to require certificates signed by the Puppet Master CA (/etc/apache2/site-available/puppetmaster):
# Require certificates to be valid
SSLVerifyClient require
SSLVerifyDepth  1

The Puppet Master is also configured to not act as a Puppet CA (/etc/puppet/puppet.conf):
[main]
ca = false

Puppet Agent


Puppet Agents retrieve their certificate from the Puppet Master CA and request their catalog from one of the Puppet Masters (/etc/puppet/puppet.conf):
[agent]
ca_server = PUPPET_MASTER_CA
server = PUPPET_MASTER

Conclusion


From a security perspective setting the SSLVerifyClient option to require increases the protection of Puppet Masters from unknown requests and revoked Puppet Agents. Having the Puppet Master CA manage the Puppet Masters also facilitates the distribution of the Puppet Master CA CRL.

On the reliability front new systems won't be added to the infrastructure if the Puppet Master CA is unavailable. However existing Puppet Agents are still functional as long as they can connect to a Puppet Master.

16 comments:

  1. Did you ever implement this or extend on the concept further?

    I would be interested to see your approach to SPOF and dual site-failover resilience using this.

    ReplyDelete
  2. This is the right weblog for any individual who wants to find out about this topic. You comprehend so much its just about difficult to argue with you (not that I basically would want?-HaHa). You surely put a brand new spin on a subject thats been written about for years. Superb stuff, just amazing! Hadoop Online Training .

    ReplyDelete
  3. hadoop training in hyderabad referred me to this blog to know about latest trends in the IT and staffing related information. Really appreciable information on overview of a Puppet Split CA architecture with diagram. Thank you.

    ReplyDelete
  4. This information is great.It is useful for all in future.I like to read the information.It is very impressing matter.

    hadoop training in chennai

    ReplyDelete
  5. thanks for sharing great blog with us. keep updating more useful information.
    Software Testing Training in Chennai

    ReplyDelete
  6. It is really very helpful for us and I have gathered some important information from this blog.Keep update..

    SEO Training in Chennai

    ReplyDelete
  7. This blog is having a wonderful talk. The technology are discussed and provide a great knowledge toall. This helps to learn more details about technology. All this details are important for this technology. Thank you for this blog.
    Hadoop Training in Chennai

    ReplyDelete
  8. Hii you are providing good information.Thanks for sharing if anyone interested SAP APO
    Online training See below

    http://www.sapapoonlinetraining.in/

    ReplyDelete

  9. Truely a very good article on how to handle the future technology. After reading your post,thanks for taking the time to discuss this content.


    PHP Training in Chennai

    ReplyDelete
  10. It’s really amazing that we can record what our visitors do on our site. Thanks for sharing this awesome guide. I’m happy that I came across with your site this article is on point,thanks again and have a great day. Keep update more information..

    J2ee Training in Chennai Thiruvanmiyur

    ReplyDelete
  11. HAve an overview of puppet nice posts..

    Hadoop training in hyderabad.All the basic and get the full knowledge of hadoop.
    hadoop training in hyderabad

    ReplyDelete
  12. Great job and keep blogging,hadoop is the best online training course in hyderabad for more details refer at
    hadoop online training

    ReplyDelete
  13. Well said ,you have furnished the right information that will be useful to anyone at all time.Thanks for sharing your Ideas.
    informatica online training

    ReplyDelete
  14. This blog is really nice and informative blog, The explanation given is really comprehensive and informative. Ziyyara Edutech brings you top-notch online tuition for Class 11. Our experienced tutors provide personalized guidance and comprehensive support to help you achieve your academic goals.
    For more info Contact us: +91-9654271931, +971-505593798 or visit online tuition for class 11

    ReplyDelete
  15. Awesome blog. I enjoyed reading your articles. Ziyyara’s expert tutors provide customized guidance to ensure comprehensive understanding and mastery of CBSE curriculum.
    For more info contact +91-9654271931 or visit CBSE Online Tuition Classes

    ReplyDelete