Integrating Puppet (v3.8) with Vault as the Puppet Master CA?


Turbo Fredriksson

Feb 20, 2017, 12:10:37 PM
to Puppet Users

I've been putting off making my Puppet master redundant for quite a while now, but it's starting to become an issue. So I'm starting to treat this as a higher-priority issue.


Although making the master itself highly available isn't much of a problem (I'm already running it behind a load balancer in anticipation of making it HA).


But the problem is the CA "part" of Puppet. I guess it would be (theoretically) possible to put the Puppet master directory on a shared filesystem and have all Puppet masters use that as their storage. This also seems to be the recommended way to do it, but something about that just puts me off!


But I have a need for a CA for other purposes anyway, so I've been, for the last year (on and off), looking into HashiCorp's Vault.


From the documentation and the information I've seen so far about Vault, it could solve a whole bunch of problems for me, not just the distributed CA part.


It can act as a CA, but is there any way to integrate that into Puppet? As in, having Vault act as the CA for the Puppet master(s)? Any API one could "hook into" to make this happen? I don't "speak" Ruby (or Go), so I can't dig into that myself.


PS. Many seem to use Puppet in a masterless capacity, and that would of course negate this CA problem, but for various reasons I don't want to do that (please respect the decision).

Turbo Fredriksson

Mar 5, 2017, 4:29:06 AM
to Puppet Users
Anyone?

Thomas Müller

Mar 9, 2017, 3:19:41 AM
to Puppet Users
Read https://docs.puppet.com/puppet/4.9/config_ssl_external_ca.html about external CA support within Puppet.

There is no plug-and-play support for your idea.


- Thomas

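The external-CA route Thomas points at comes down to file placement and one setting: Puppet stops running its own CA (`ca = false` in the `[master]` section) and every node's ssldir carries a copy of the external CA certificate, its own certificate and its private key, with the certificate's CN equal to the node's certname. Vault's PKI secrets engine can issue such certificates over its HTTP API, but nothing in Puppet fetches them for you; that glue (and CRL distribution, which is left out here) is what the thread says does not exist. The script below is an added example, not code from the thread or from Puppet or Vault: it stands in an openssl-built CA for the external CA, issues a master certificate (with DNS alt names, as a server cert needs) and an agent certificate, lays them out in the Puppet 3.x ssldir structure, writes the master-side setting, and then runs the check you would run before pointing an agent at the master: does each certificate chain to the CA copy in that ssldir, and does its CN match the certname? Names (`puppet.example.com`, `agent01.example.com`, the `$WORK` directory) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): stand in an external CA with openssl,
# lay out a Puppet 3.x style ssldir for a master and an agent, and verify
# what Puppet will check on first contact. Requires only the openssl CLI.
set -eu

WORK="${WORK:-$(mktemp -d)}"          # assumed scratch directory
MASTER_CN="puppet.example.com"        # assumed master certname
AGENT_CN="agent01.example.com"        # assumed agent certname

# 1. Root CA. In the thread's scenario this would be Vault's pki engine (or
#    FreeIPA/Dogtag); the files Puppet needs from it are the same.
make_ca() {
  mkdir -p "$WORK/ca"
  openssl genrsa -out "$WORK/ca/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$WORK/ca/ca.key" -sha256 -days 3650 \
    -subj "/CN=Example External CA" -out "$WORK/ca/ca.pem" 2>/dev/null
}

# 2. Issue a certificate for one node into an ssldir laid out the way
#    Puppet expects: certs/<name>.pem, private_keys/<name>.pem, certs/ca.pem.
#    $2 (optional) is a subjectAltName list; only the master needs one, and
#    only the master gets the serverAuth extended key usage.
issue_cert() {
  name="$1"; san="${2:-}"
  dir="$WORK/ssl/$name"
  mkdir -p "$dir/certs" "$dir/private_keys" "$dir/public_keys"
  openssl genrsa -out "$dir/private_keys/$name.pem" 2048 2>/dev/null
  openssl rsa -in "$dir/private_keys/$name.pem" -pubout \
    -out "$dir/public_keys/$name.pem" 2>/dev/null
  openssl req -new -key "$dir/private_keys/$name.pem" -subj "/CN=$name" \
    -out "$dir/$name.csr" 2>/dev/null
  ext="$dir/ext.cnf"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' > "$ext"
  if [ -n "$san" ]; then
    printf 'extendedKeyUsage=serverAuth,clientAuth\nsubjectAltName=%s\n' "$san" >> "$ext"
  else
    printf 'extendedKeyUsage=clientAuth\n' >> "$ext"
  fi
  openssl x509 -req -in "$dir/$name.csr" -CA "$WORK/ca/ca.pem" -CAkey "$WORK/ca/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$ext" \
    -out "$dir/certs/$name.pem" 2>/dev/null
  cp "$WORK/ca/ca.pem" "$dir/certs/ca.pem"   # the trust anchor each node uses
  chmod 600 "$dir/private_keys/$name.pem"
}

# 3. Master-side setting from the linked docs: turn the built-in CA off.
#    (Written to $WORK, not to /etc/puppet, so the example stays self-contained.)
write_master_conf() {
  printf '[master]\nca = false\n\n[main]\nssldir = %s\n' \
    "$WORK/ssl/$MASTER_CN" > "$WORK/puppet.conf"
}

# 4. The pre-flight check: chain validity against the CA copy in the node's
#    own ssldir, and CN == certname. Returns non-zero if either fails.
verify_node() {
  name="$1"; dir="$WORK/ssl/$name"
  openssl verify -CAfile "$dir/certs/ca.pem" "$dir/certs/$name.pem" >/dev/null 2>&1 || return 1
  cn=$(openssl x509 -in "$dir/certs/$name.pem" -noout -subject | sed -n 's/.*CN *= *//p')
  [ "$cn" = "$name" ]
}

make_ca
issue_cert "$MASTER_CN" "DNS:$MASTER_CN,DNS:puppet"
issue_cert "$AGENT_CN"
write_master_conf
verify_node "$MASTER_CN" && verify_node "$AGENT_CN" \
  && echo "chain and CN checks passed; files under $WORK/ssl, config at $WORK/puppet.conf"
```

The `verify_node` function is the part worth keeping: a certificate that was issued by the wrong intermediate, or whose CN was set to a short hostname while certname is the FQDN, passes a casual `openssl x509 -text` inspection but fails at exactly this point when the agent connects. Run it against the files as they sit on the node, using the `ca.pem` in that node's ssldir rather than the CA's own copy, so you test the trust anchor the agent will actually use.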
waz0wski

Mar 10, 2017, 5:28:06 AM
to puppet...@googlegroups.com

> But I have need for a CA for other purposes anyway, so I've been, for the last year (on and off), looking into Hashicorps Vault.

Are you hard-set on using Vault? 

I use FreeIPA, which includes PKI management (via Dogtag), and can be used as the CA for puppet and also issue the per-node certs.

Technically, Foreman is doing the work for me -- I use it to manage RHEL/CentOS node provisioning, and the FreeIPA realm enrollment and node certificate creation/deployment happen automagically, along with a puppet agent run to configure the node, at provision time. For network devices or other operating systems I'm not yet managing w/ Foreman, I manually create the host record in FreeIPA and then manually create/fetch the cert/key pair.

This stack of tools is not lightweight, and takes some time to get functional, but it's worth the effort.
I've used this stack for a few years now, with HA pairs of both FreeIPA and Puppet servers spread across multiple datacenters, and have not had any major issues.




Turbo Fredriksson

Mar 24, 2017, 11:09:35 AM
to Puppet Users, li...@distortion.io
On Friday, March 10, 2017 at 10:28:06 AM UTC, waz0wski wrote:

> Are you hard-set on using Vault?

No, but it has features that I'm interested in exploring more, such as the SSH OTP backend.

I could see myself using that at least.
 
> I use FreeIPA, which includes PKI management (via Dogtag), and can be used as the CA for puppet and also issue the per-node certs.

I've only heard about FreeIPA in passing. I'll have a look at it, thanks!
 
> Technically, Foreman is doing the work for me

Sounds a little like MCollective (?), which I'm currently using (with great success, I might add).