Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 5 Next »

StatusNOT STARTED
Stakeholders
Outcome
Due date
OwnerChris Tessmer 

Background

In various modules that deal with PKI, parameters such as the following have been observed:

  • $enable_pki = true 

  • $use_simp_pki = true

    • Okay, this looks like it explicitly means "Use SIMP's PKI system (e.g., FakeCA, keydist/, pki::copy)"

  • $cert_source = '/absolute/path/to/dir'

    • simp-apache & simp-rsyslog: Defines what directory look for certs in a 

    • Suggested Alternative Name: $pki_cert_dir = '/same/as/cert_source/w/a/better/name'

  • Individual cert files (names differ between examples, but basically):

    • $pki_cert_file = "${::modulename::cert_source}/public/${::fqdn}.pub"

    • $pki_key_file  = "${::modulename::cert_source}/private/${::fqdn}.pem"

    • $pki_ca_file   = "${::modulename::cert_source}/cacerts/cacerts.pem"

    • NOTE: The fact $::fqdn is used instead of $::trusted['certname'] because masterless environments such as "puppet apply" must be honored.

  • There are variations and permutation of these

Questions

  • MANAGE: How should we tell a SIMP module to manage PKI  (at all)?
    • The opposite of "manage" is "leave it alone."
    • Examples of management: 
      • where to look for certs, cacerts
      • ensure that SSL is on or off
      • ensure that SSL is validated
      • These may all be controlled by subsequent parameters
    • Examples of something other than management: 
      • Distributing certificates on the filesystem  
        • This is EXTRA because it needs additional information and can change
    • current param:       $enable_pki (bool)
    • suggested param: $manage_pki (bool or see below)
      • QUESTION what should the type be?type: boolean

  • ASSETS: What resources does the module need to know about to integrate PKI?

    • PKI assets = key, cert, cacert

      • file-based: x509+RSA files

        • simp-pki module's pki::copy from FakeCA

        • simp-beaker-helpers gem's pki_copy_to function.

        • IMPORTANT: Independent file delivery mechanism

          • The files get there, but in a way SIMP (and possibly Puppet) doesn't manage

          • probably no need to do anything

          • QUESTION: Is it reasonable to always expect PKI cert/key/cacert to be present in the same directory structure as pki::copy?

      • file-based: java keystore / truststore
      • moonshots (probably not feasible):

        • PKI stored in LDAP

        • PKI stored in TPM

     

  • DISTRO: What PKI asset distribution methods should SIMP manage?

    • SIMP has the pki::copy function, which copies the host's cert+key+cacert into a local directory in the following structure:

        HOST_PKI_DIR/
          cacerts/cacerts.pem
          public/fdqn.pub
          private/fdqn.pem

    • This is supported per-application, if necessary.

    • Methods:

      • Parameters:

      • $manage_pki:
        • Formerly named enable_pki.
        • Type: We have a choice: 
          • boolean
            • true = manage PKI integration for this module
            • false = do not manage PKI aspects of this module 
          • "Stroolean:

  •  
  • How do we tell a SIMP module to use a given distribution method?
    • Some modules use an extra parameter, $use_simp_pki, to distinguish between


    • How do we tell a SIMP module to use a given distribution method?



  • WTF is a Stroolean?
    • A parameter that is either the boolean false or a String that determines the source (e.g., 'simp', 
      something else we might manage in the future)
    • Pros:
      • It collapses manage_pki and use_simp_pki into a single parameter
      • It models the idea that if the SIMP module supports PKI integration, it must be expecting a particular distribution method.
    • Cons:

  • What parameters should we standardize on?
    • $manage_pki:
      • Formerly named enable_pki.
      • Type: We have a choice: 
        • boolean
          • true = manage PKI integration for this module
          • false = do not manage PKI aspects of this module 
        • "Stroolean:
          • The most Trevor
          • It will either be the boolean false or a String that determines the source (e.g., 'simp', 'simp',
          • Pros:
            • It collapses manage_pki and use_simp_pki
    • $pki_source (String) or $use_simp_pki (boolean)


Action items

  • Decide (record decisions/reasoning):
    •  whether or not to rename all "$enable_*" parameters to "$manage_*
    • $manage_pki : Boolean or Stroolean?
  •  
  • No labels