Comment: Explained safety solutions in more detail

...

SIMP + Multiple Puppet environments


Limitations and conflicts

...

  1. [SIMP 5.0-6.3] RPM updates and simp_rpm_helper could modify existing files in Puppet and SIMP environment directories
  2. [SIMP 5.0-6.3] User-initiated tools like `simp config` could modify existing files in Puppet and SIMP environment directories
  3. [SIMP 6.4] [PARTIAL FIX] The user-initiated tool `simp environment new` can ensure that corresponding secondary and writable environments exist
    1. This is a safety improvement over earlier releases, because it only alters environment files when the user initiates it
    2. However, the `simp environment` tool is only partially implemented, and the remaining actions cannot be implemented safely.
    3. As things stand, this means that SIMP 6.4.0:
      1. Safely supports SIMP extra data in the Local (Puppetfile-only) deployment scenario with a single environment (production)
      2. Does not safely support SIMP extra data in the Control Repository deployment scenarios (without additional conventions and limitations)

...

Safely Referencing SIMP assets from multiple Puppet Environments

SE01. [SIMP 6.4] [PARTIAL FIX] (Okay:) Ensuring new SIMP extra environments with `simp environment new`

Site admins must ensure that SIMP "extra" environment directories exist for every Puppet environment. There are basically three strategies for this:

...

These choices have been automated in SIMP 6.4.0 by the `simp environment new` tool.

...

Advantages

  • simp environment new automates the error-prone process of ensuring all three members of the SIMP Omni-environment exist on a local Puppet master

Drawbacks

  • Automates a mis-modeled workaround (devised long ago, when Puppet environments were new)
  • Doesn't make SIMP assets safer or easier to manage over time
  • Can't work across multiple Puppet masters
  • Can't be implemented to safely remove extra environments

During the development of SIMP 6.4.0, it became apparent that the simp environment workflow would have problems down the road:

  • Requiring a SIMP writable and secondary environment to exist for every Puppet environment was a mistake.
    • It requires coarse workarounds like `simp environment new [--copy|--link]`
      • every time a new Puppet environment is deployed
      • even when environments used the same (or similar) resources
    • It prevents referring to a mix of the same assets in some cases
    • It adds a source of truth that is independent from the control repository
    • Linked SIMP extra environments make it easy to assume that it is safe to alter/delete assets, because the path shows an unimportant name
  • The proposed simp environment rm command would make it too easy to permanently lose data in linked environments

SE02. [SIMP 5.0-6.3] (Good:) Using hiera-eyaml in the control repo to replace Writable environment data

Site admins can prevent SIMP from using the Writable environment directory by overriding all uses of simplib::passgen() with the Hiera eyaml backend.

Advantages

  • Secret data

...

  • ... now scales with additional compile masters as part of the r10k/code manager deployment
  • Secret data is encrypted and versioned
    • PKCS7 and GPG are supported
  • It is simple to configure multiple Hiera eyaml backend tiers, with separate keys
    • Separate teams can encrypt their secrets with their own key

Drawbacks

  • Site administrators are responsible for managing and distributing the hiera-eyaml key files (independently of SIMP)
    • key files must exist at the paths hiera.yaml expects them on compile masters
  • (warning) This approach is not possible for some SIMP users
    • The SIMP codebase doesn't expose every use of simplib::passgen() as an overridable parameter
    • Depending on the way your site is configured, you may not be able to avoid SIMP code
    • Affected modules are:
      • simp_apache, when $simp_apache::web_root is true: https://github.com/simp/pupmod-simp-simp_apache/blob/6.2.0/manifests/init.pp#L140

Suggested improvements

  • [FUTURE] Expose all uses of simplib::passgen() in SIMP classes as parameter defaults, so users can override them via hiera-eyaml

Examples

  • Example tiers from the control repository's hiera.yaml:

    ```yaml
    ---
    version: 5
    hierarchy:
      # [...]

      # ----------------------------------------------------------------------------
      # NOTE: This tier determines which secrets to use via the top-scope variable
      #       `$::hostgroup` (set by ENC or manifests/site.pp, prior to any lookups)
      # ----------------------------------------------------------------------------
      - name: "Per-hostgroup data (encrypted)"
        lookup_key: eyaml_lookup_key
        path: "secrets/hostgroups/%{::hostgroup}.eyaml"
        options:
          pkcs7_private_key: /etc/puppetlabs/puppet/eyaml/hostgroups/%{::hostgroup}__private_key.pkcs7.pem
          pkcs7_public_key:  /etc/puppetlabs/puppet/eyaml/hostgroups/%{::hostgroup}__public_key.pkcs7.pem

      # ----------------------------------------------------------------------------
      # WARNING: The interpolations in this tier rely on an agent-determined fact
      #          (`%{facts.datacenter}`) to determine which secrets will be returned
      #          during lookups.
      #
      #          When possible, it is STRONGLY recommended to use *trusted* facts
      #          instead of agent-determined facts for this purpose
      #          (i.e., `%{trusted.datacenter}` instead of `%{facts.datacenter}`).
      #
      #          However, this requires either:
      #
      #            1. Baking the information into the Puppet certificate at the time
      #               it is signed, with CSR attributes/certificate extensions and
      #               setting short names in the `config_file_oid_map.yaml` file:
      #
      #               * https://puppet.com/docs/puppet/5.5/config_file_oid_map.html
      #               * https://puppet.com/docs/puppet/5.5/ssl_attributes_extensions.html
      #
      #            2. Using the (experimental as of Puppet 6.11) `trusted_external_command`
      #               setting to add trusted facts from an external source during
      #               catalog compilation.
      #
      #                * https://tickets.puppetlabs.com/browse/PUP-9994
      #                * https://puppet.com/docs/puppet/latest/release_notes_puppet.html#experimental-feature:-catalog-compilation-with-external-trusted-data-from-third-parties
      #
      # ----------------------------------------------------------------------------
      - name: "Per-datacenter secret data (encrypted)"
        lookup_key: eyaml_lookup_key
        path: "secrets/datacenters/%{facts.datacenter}.eyaml"
        options:
          pkcs7_private_key: /etc/puppetlabs/puppet/eyaml/datacenters/%{facts.datacenter}__private_key.pkcs7.pem
          pkcs7_public_key:  /etc/puppetlabs/puppet/eyaml/datacenters/%{facts.datacenter}__public_key.pkcs7.pem

      - name: "Site-wide secret data (encrypted)"
        lookup_key: eyaml_lookup_key
        path: "secrets/site.eyaml"
        options:
          pkcs7_private_key: /etc/puppetlabs/puppet/eyaml/site__private_key.pkcs7.pem
          pkcs7_public_key:  /etc/puppetlabs/puppet/eyaml/site__public_key.pkcs7.pem
      # [...]
    ```



  • Example encrypted data in `data/secrets/site.eyaml`:

    ```yaml
    ---
    simp::puppetdb::database_password: >
        ENC[PKCS7,Y22exl+OvjDe+drmik2XEeD3VQtl1uZJXFFF2NnrMXDWx0csyqLB/2NOWefv
        NBTZfOlPvMlAesyr4bUY4I5XeVbVk38XKxeriH69EFAD4CahIZlC8lkE/uDh
        jJGQfh052eonkungHIcuGKY/5sEbbZl/qufjAtp/ufor15VBJtsXt17tXP4y
        l5ZP119Fwq8xiREGOL0lVvFYJz2hZc1ppPCNG5lwuLnTekXN/OazNYpf4CMd
        /HjZFXwcXRtTlzewJLc+/gox2IfByQRhsI/AgogRfYQKocZgFb/DOZoXR7wm
        IZGeunzwhqfmEtGiqpvJJQ5wVRdzJVpTnANBA5qxeA==]

    krb5::kdc::config::kdb5_password: >
        ENC[PKCS7,Y22exl+OvjDe+drmik2XEeD3VQtl1uZJXFFF2NnrMXDWx0csyqLB/2NOWefv
        NBTZfOlPvMlAesyr4bUY4I5XeVbVk38XKxeriH69EFAD4CahIZlC8lkE/uDh
        jJGQfh052eonkungHIcuGKY/5sEbbZl/qufjAtp/ufor15VBJtsXt17tXP4y
        l5ZP119Fwq8xiREGOL0lVvFYJz2hZc1ppPCNG5lwuLnTekXN/OazNYpf4CMd
        /HjZFXwcXRtTlzewJLc+/gox2IfByQRhsI/AgogRfYQKocZgFb/DOZoXR7wm
        IZGeunzwhqfmEtGiqpvJJQ5wVRdzJVpTnANBA5qxeA==]

    # ...
    ```


  •  For more details, see:
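
Two of the caveats in this section can be checked mechanically before a control repository is deployed: the hiera-eyaml key files must exist on every compile master at the paths hiera.yaml names, and a tier whose secret selection is driven by an agent-determined fact (`%{facts.datacenter}`) is weaker than one driven by a trusted fact. The Ruby script below is an added example, not code from this page or from the SIMP project. The abbreviated hiera.yaml fragment, the `root` staging prefix, the flat `scope` hash standing in for Puppet's scope, and the placeholder key files are all constructed for the demonstration.

```ruby
# Added example, not code from the SIMP project or from this page: a
# pre-deployment lint for a control repository's hiera.yaml that checks
# (1) every hiera-eyaml tier's key files exist on this compile master at
# the paths hiera.yaml names, and (2) whether a tier's secret selection is
# driven by an agent-determined fact (%{facts.x}) rather than a trusted one.
require 'yaml'
require 'fileutils'
require 'tmpdir'

# Constructed hiera.yaml fragment, abbreviated from the page's example; the
# datacenter tier keeps the agent-fact interpolation on purpose.
SAMPLE_HIERA_YAML = <<~'YAML'
  ---
  version: 5
  hierarchy:
    - name: "Per-datacenter secret data (encrypted)"
      lookup_key: eyaml_lookup_key
      path: "secrets/datacenters/%{facts.datacenter}.eyaml"
      options:
        pkcs7_private_key: /etc/puppetlabs/puppet/eyaml/datacenters/%{facts.datacenter}__private_key.pkcs7.pem
        pkcs7_public_key:  /etc/puppetlabs/puppet/eyaml/datacenters/%{facts.datacenter}__public_key.pkcs7.pem
    - name: "Site-wide secret data (encrypted)"
      lookup_key: eyaml_lookup_key
      path: "secrets/site.eyaml"
      options:
        pkcs7_private_key: /etc/puppetlabs/puppet/eyaml/site__private_key.pkcs7.pem
        pkcs7_public_key:  /etc/puppetlabs/puppet/eyaml/site__public_key.pkcs7.pem
    - name: "Common data (not encrypted)"
      path: "common.yaml"
YAML

# Key files the constructed compile master is assumed to have been given.
SITE_KEY_FILES = %w[
  /etc/puppetlabs/puppet/eyaml/site__private_key.pkcs7.pem
  /etc/puppetlabs/puppet/eyaml/site__public_key.pkcs7.pem
].freeze

# Interpolations an agent controls (Hiera's %{facts.NAME} form).
AGENT_FACT_RE = /%\{facts\.(\w+)\}/
# Interpolations this lint can resolve: facts, trusted facts, top-scope variables.
INTERP_RE = /%\{(?:facts\.|trusted\.(?:extensions\.)?|::)(\w+)\}/

# Resolve %{...} interpolations from a flat name => value hash (a stand-in
# for the real Puppet scope); unresolved names stay visible in the result.
def interpolate(str, scope)
  str.gsub(INTERP_RE) { scope.fetch(Regexp.last_match(1), "UNSET-#{Regexp.last_match(1)}") }
end

# Returns findings ({ tier:, severity:, message: }) for every eyaml tier.
# `root` is prepended to key paths so the check can run against a staging
# tree instead of the live /etc/puppetlabs.
def lint_eyaml_tiers(hiera_yaml, root: '/', scope: {})
  findings = []
  Array(YAML.safe_load(hiera_yaml)['hierarchy']).each do |tier|
    next unless tier['lookup_key'] == 'eyaml_lookup_key'
    name    = tier['name']
    options = tier.fetch('options', {})

    # (2) Agent-determined facts decide which secrets this tier hands out.
    [tier['path'], *options.values].compact.join(' ').scan(AGENT_FACT_RE).flatten.uniq.each do |fact|
      findings << { tier: name, severity: :warning,
                    message: "secret selection depends on agent-determined fact '#{fact}'; " \
                             "prefer %{trusted.#{fact}} where the site can supply it" }
    end

    # (1) Every key file hiera.yaml references must be present on this master.
    options.each do |opt, value|
      next unless opt.to_s.end_with?('_key')
      resolved = File.join(root, interpolate(value.to_s, scope))
      next if File.file?(resolved)
      findings << { tier: name, severity: :error, message: "#{opt} not found at #{resolved}" }
    end
  end
  findings
end

# Create placeholder key files under `root` (constructed for the demo; real
# keys come from `eyaml createkeys` and the site's own key distribution).
def provision_key_files(root, paths)
  paths.each do |p|
    full = File.join(root, p)
    FileUtils.mkdir_p(File.dirname(full))
    File.write(full, "placeholder, not a real key\n")
  end
end

if $PROGRAM_NAME == __FILE__
  Dir.mktmpdir do |root|
    provision_key_files(root, SITE_KEY_FILES)
    lint_eyaml_tiers(SAMPLE_HIERA_YAML, root: root, scope: { 'datacenter' => 'dc1' }).each do |f|
      puts "#{f[:severity].to_s.upcase} [#{f[:tier]}] #{f[:message]}"
    end
  end
end
```

Run against the sample, the site tier passes, while the datacenter tier produces one warning (agent-determined fact) and two errors (no keys for `dc1`); pointing `root` at a staging copy of a compile master's filesystem lets the same check run in CI before r10k or Code Manager deploys the control repository.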

Better: Define the site_files directory independently of the environment

...