The document discusses managing trusted instances in the cloud. It outlines the problem of verifying that instances provisioned in the cloud are legitimate. It then provides an overview of a solution in which each instance generates a certificate signing request carrying instance metadata when it launches, and the puppetmaster signs the request only after verifying that metadata (the instance-id and tags) against the cloud provider's API. The signed certificates returned to the instances carry the metadata as certificate extensions, so the instances can be identified and classified in Puppet configurations from data the CA has verified rather than from facts the node reports about itself.
14. Presented by
+----------------------------+
|                            |
|       Amazon EC2 API       |
|                            |
+------^---------------------+
       |
+------+------+
|             |          Your provisioning node requests
| Provisioner | <------  some new instances using that image,
|             |          tagging them w/ role: 'webserver'
+-------------+
[vagrant@deglitch ~]$ puppet node_aws --trace --debug create -i ami-37713107 \
    --region=us-west-2 --instance-tags=role=webserver --type=t1.micro \
    --keyname=certsigner --security-group=webservers
Debug: Runtime environment: puppet_version=3.6.2 (Puppet Enterprise 3.4.0-rc1-790-gf96f634),
ruby_version=1.9.3, run_mode=user, default_encoding=UTF-8
Info: Connecting to AWS us-west-2 ... Done
Info: Instance Type: t1.micro
Notice: Creating new instance ... Done
Info: Instance identifier: i-abc8f0a6
Notice: Creating tags for instance ...
Info: Creating tag for Created-By ... Done
Info: Creating tag for role ... Done
Notice: Creating tags for instance ... Done
Notice: Launching server i-abc8f0a6 ...
#####
Notice: Server i-abc8f0a6 is now launched
Notice: Server i-abc8f0a6 public dns name:
ec2-54-68-132-30.us-west-2.compute.amazonaws.com
+---------------------------------+
|                                 |
|  Amazon EC2 + using your image  |
|                                 |        EC2 builds your instances,
+----+-----------+-----------+----+        running the user-data script
     |           |           |             which drops instance-specific
     |           |           |             metadata into csr_attributes.yaml
 +---v---+   +---v---+   +---v---+                      |
 |       |   |       |   |       |                      |
 | node1 |   | node2 |   | node3 | <--------------------+
 +-------+   +-------+   +-------+
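The user-data step above, as an added example (not code from the talk or from the modules it names): a small Ruby helper the image runs at first boot to turn the instance identity document into csr_attributes.yaml. It assumes the EC2 metadata service is reachable at 169.254.169.254, that the role is passed in as the script's argument, that the file lives at the Puppet 3 default /etc/puppet/csr_attributes.yaml, and that the pp_instance_id, pp_image_name and pp_role OIDs below match the registered table for your Puppet version.

```ruby
#!/usr/bin/env ruby
# Added example, not code from the talk: the user-data helper a node runs
# at launch to turn its EC2 identity into csr_attributes.yaml, which puppet
# agent embeds in its CSR as extension requests on the first run.
require 'json'
require 'yaml'
require 'net/http'
require 'uri'

# OIDs from Puppet's registered extension arc (ppRegCertExt); confirm the
# numbers against the OID table for your Puppet version before relying on them.
OID_INSTANCE_ID = '1.3.6.1.4.1.34380.1.1.2'   # pp_instance_id
OID_IMAGE_NAME  = '1.3.6.1.4.1.34380.1.1.3'   # pp_image_name
OID_ROLE        = '1.3.6.1.4.1.34380.1.1.13'  # pp_role

# Default location puppet agent reads on Puppet 3 (confdir/csr_attributes.yaml).
CSR_ATTRIBUTES_PATH = '/etc/puppet/csr_attributes.yaml'
# Instance identity document from the EC2 metadata service (assumption: IMDSv1
# is reachable). The master re-checks these values, so they are not trusted here.
IDENTITY_URL = 'http://169.254.169.254/latest/dynamic/instance-identity/document'

def fetch_identity_document
  JSON.parse(Net::HTTP.get(URI(IDENTITY_URL)))
end

# Build the csr_attributes.yaml contents. Keys under extension_requests are
# copied into the signed certificate; custom_attributes (not used here) are
# only seen by the signer and never reach the cert.
def build_csr_attributes(identity, role)
  %w[instanceId imageId].each do |k|
    raise ArgumentError, "identity document lacks #{k}" unless identity[k].is_a?(String)
  end
  # The role is quoted into a cert the whole fleet trusts: keep it a plain tag.
  unless role.to_s =~ /\A[A-Za-z0-9_.-]{1,64}\z/
    raise ArgumentError, "role #{role.inspect} is not a plain tag value"
  end
  {
    'extension_requests' => {
      OID_INSTANCE_ID => identity['instanceId'],
      OID_IMAGE_NAME  => identity['imageId'],
      OID_ROLE        => role,
    },
  }
end

# Write the file mode 0600 and return its path.
def write_csr_attributes(path, attrs)
  File.open(path, File::WRONLY | File::CREAT | File::TRUNC, 0600) { |f| f.write(attrs.to_yaml) }
  path
end

# From user-data: `ruby csr_attributes.rb webserver`. The role arrives via
# user-data because EC2 tags are not served by the metadata service by
# default; the master verifies it against the real tag before signing.
if __FILE__ == $0 && ARGV.length == 1
  write_csr_attributes(CSR_ATTRIBUTES_PATH, build_csr_attributes(fetch_identity_document, ARGV[0]))
end
```

Nothing in this file is secret, and neither is an instance-id (anyone with console or API read access can see it), so the file only states claims; the signing side has to verify them. If you want a second factor that is not visible to the provider API, a per-instance pre-shared key under custom_attributes is the usual addition, since custom attributes are checked by the signer and dropped from the certificate.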
+-------------------------------+
|                               |        Each node generates a CSR which
|        Amazon EC2 API         |        embeds the metadata as requested
+---------------------^---------+        attributes and submits it to the
                      |                  puppetmaster, which checks the
                      |                  instance-ID against EC2 to verify
+-------+   +---------+------+           it came from a valid instance.
|       |   |                |
| node1 +---> puppetmaster   |
+-------+   +----------------+
+-------------------------------+
|                               |        If the API is OK, the puppetmaster
|        Amazon EC2 API         |        signs the CSR, moving the tags,
+---------------------+---------+        instance-id and any other metadata in
                      |                  whitelisted extension requests
                      |                  inside the signed certificate. The
+-------+   +---------v------+           signed cert is retrieved by the node
|       |   |                |           and normal Puppet runs can begin.
| node1 <---+ puppetmaster   |
+-------+   +----------------+
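The check-then-sign step of the two slides above, as an added example that is not the talk's code and not the mrzarquon-certsigner module: a Puppet policy-based autosign script. Puppet 3.4+ runs the executable named by `autosign = /path/to/script` in the [master] section with the certname as its only argument and the CSR PEM on stdin, and signs if the script exits 0; Puppet's CA then copies the extension requests into the certificate, which is what the slide calls whitelisted extension requests. Assumptions beyond the slides: the OIDs for pp_instance_id, pp_image_name and pp_role, the allow-list of requestable OIDs, the shape of the EC2 lookup (stubbed in the test, backed by the `aws ec2 describe-instances` CLI in the real path), and the one-certificate-per-instance-id rule. The `sample_csr` helper stands in for what puppet agent builds from csr_attributes.yaml and is a constructed fixture.

```ruby
#!/usr/bin/env ruby
# Added example, not code from the talk or from mrzarquon-certsigner: a
# policy-based autosign script for the puppetmaster. Puppet 3.4+ runs the
# script named by `autosign = /path/to/script` in [master] with the certname
# as its only argument and the CSR PEM on stdin; exit 0 means "sign".
require 'openssl'
require 'json'
require 'set'

OID_INSTANCE_ID = '1.3.6.1.4.1.34380.1.1.2'   # pp_instance_id
OID_IMAGE_NAME  = '1.3.6.1.4.1.34380.1.1.3'   # pp_image_name
OID_ROLE        = '1.3.6.1.4.1.34380.1.1.13'  # pp_role
# Allow-list (our choice here): any other extension request is refused, so a
# node cannot smuggle arbitrary claims into a cert the whole fleet trusts.
ALLOWED_OIDS = [OID_INSTANCE_ID, OID_IMAGE_NAME, OID_ROLE].freeze
INSTANCE_ID_RE = /\Ai-[0-9a-f]{8,17}\z/

# Decode the PKCS#10 extReq attribute by hand rather than via
# X509::Extension#value, which hex-dumps OIDs OpenSSL does not know:
# Set -> Sequence of extensions -> [ObjectId, (Boolean), OctetString].
def extension_requests(csr_pem)
  csr = OpenSSL::X509::Request.new(csr_pem)
  raise 'CSR signature does not verify' unless csr.verify(csr.public_key)
  out = {}
  csr.attributes.select { |a| a.oid == 'extReq' }.each do |attr|
    attr.value.value.each do |ext_list|
      ext_list.value.each do |ext|
        oid = ext.value.first.oid
        out[oid] = OpenSSL::ASN1.decode(ext.value.last.value).value.to_s
      end
    end
  end
  out
end

# `lookup` maps an instance-id to {'state','image_id','tags'} or nil (the EC2
# DescribeInstances call; stubbed in tests). `issued` holds instance-ids that
# already received a certificate: an instance-id is not a secret, so one cert
# per instance is the cheap guard against replaying a known id.
def csr_acceptable?(certname, csr_pem, lookup, issued = Set.new)
  exts = extension_requests(csr_pem)
  unknown = exts.keys - ALLOWED_OIDS
  return [false, "refused extension request(s): #{unknown.join(',')}"] unless unknown.empty?
  iid = exts[OID_INSTANCE_ID].to_s
  return [false, "missing or malformed pp_instance_id #{iid.inspect}"] unless iid =~ INSTANCE_ID_RE
  return [false, "#{iid} already has a certificate"] if issued.include?(iid)
  inst = lookup.call(iid)
  return [false, "#{iid} is unknown to EC2"] if inst.nil?
  return [false, "#{iid} is #{inst['state']}, not running"] unless %w[pending running].include?(inst['state'])
  # The role ends up in the cert and drives classification, so it must equal
  # the tag the provisioner set, not whatever the node wrote into its CSR.
  tag_role = (inst['tags'] || {})['role']
  return [false, "role mismatch: CSR #{exts[OID_ROLE].inspect} vs tag #{tag_role.inspect}"] unless exts[OID_ROLE] == tag_role
  return [false, "image mismatch for #{iid}"] if exts[OID_IMAGE_NAME] && exts[OID_IMAGE_NAME] != inst['image_id']
  [true, "#{certname}: #{iid} role=#{tag_role}"]
end

# Real lookup through the AWS CLI (assumption: `aws` is installed and the
# master may call ec2:DescribeInstances). Array form of popen, so no shell
# ever sees the CSR-supplied id.
def ec2_lookup(region)
  lambda do |iid|
    out = IO.popen(['aws', 'ec2', 'describe-instances', '--region', region,
                    '--instance-ids', iid, '--output', 'json'], err: File::NULL) { |io| io.read }
    return nil unless $?.success?
    inst = JSON.parse(out)['Reservations'].flat_map { |r| r['Instances'] }.find { |i| i['InstanceId'] == iid }
    return nil unless inst
    { 'state'    => inst['State']['Name'],
      'image_id' => inst['ImageId'],
      'tags'     => Hash[(inst['Tags'] || []).map { |t| [t['Key'], t['Value']] }] }
  end
end

# Constructed fixture: the CSR puppet agent would build from csr_attributes.yaml,
# with each extension request a UTF8String under the requested OID.
def sample_csr(exts)
  key = OpenSSL::PKey::RSA.new(2048)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([['CN', 'node1.example.internal']])
  csr.public_key = key.public_key
  ext_asn1 = exts.map { |oid, value|
    OpenSSL::ASN1.decode(OpenSSL::X509::Extension.new(oid, OpenSSL::ASN1::UTF8String.new(value).to_der, false).to_der)
  }
  csr.add_attribute(OpenSSL::X509::Attribute.new('extReq', OpenSSL::ASN1::Set.new([OpenSSL::ASN1::Sequence.new(ext_asn1)])))
  csr.sign(key, OpenSSL::Digest.new('SHA256'))
  csr.to_pem
end

# Puppet passes exactly one argument (the certname) and the CSR on stdin.
# The empty `issued` set here is a simplification: a deployment would load
# the ids already present in the CA's signed certificates.
if __FILE__ == $0 && ARGV.length == 1
  ok, why = csr_acceptable?(ARGV[0], $stdin.read, ec2_lookup(ENV.fetch('AWS_REGION', 'us-west-2')))
  $stderr.puts why
  exit(ok ? 0 : 1)
end
```

Install it executable and point `autosign` at it; a refused CSR just stays in the pending queue with the reason on the master's log, which is the behaviour you want for a node that claims a role its tag does not give it. Once signed, the same OIDs surface on the master under `$trusted['extensions']`, keyed by the short name for OIDs in Puppet's registered arc, which is where the classification in the next slide reads them from.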
+-------+      +----------------+        When the node checks in, the extensions
|       |      |                |        will be available under the '$trusted'
| node1 +------> puppetmaster   |        top-scope hash for classification,
+-------+      +----------------+        manifests, etc.
# puppet.conf (Puppet 3.4 through 3.x; both settings were removed in
# Puppet 4, where $trusted is always populated and read-only)
[master]
# expose the cert's extensions as $trusted and refuse manifests that
# override it in any scope
trusted_node_data = true
# likewise refuse overrides of the node data in any scope
immutable_node_data = true
Related and future work
Signing policy for AWS: mrzarquon-certsigner
Signing policy for GCE: puppetlabs-gce_compute
Signing policy for in-house CMDBs?
Puppet Enterprise Node Manager