How should SIMP 6 handle PKI?

Status: DECIDED
Stakeholders:
Outcome:
Due date:
Owner:

Background

Acceptance Testing

simp-beaker-helpers has several fun abilities with PKI certs. It can:

  • generate PKI certificates for each SUT
  • install a working keydist/ onto a Puppet Master (for testing profiles)
  • install PKI certificates for each host without keydist/, as pki::copy would (for testing modules)

However, acceptance testing for PKI has exposed that each module handles PKI certs differently, in both parameters and logic.

Parameters

In various modules that deal with PKI, parameters such as the following have been observed:

  • $enable_pki = true 

  • $use_simp_pki = true

    • Okay, this looks like it explicitly means "Use SIMP's PKI system (e.g., FakeCA, keydist/, pki::copy)"

  • $cert_source = '/absolute/path/to/dir'

    • simp-apache & simp-rsyslog: defines the directory to look for certs in
    • Suggested Alternative Name: $pki_cert_dir = '/same/as/cert_source/w/a/better/name'

  • Individual cert files (names differ between examples, but basically):

    • $pki_cert_file = "${::modulename::cert_source}/public/${::fqdn}.pub"

    • $pki_key_file  = "${::modulename::cert_source}/private/${::fqdn}.pem"

    • $pki_ca_file   = "${::modulename::cert_source}/cacerts/cacerts.pem"

    • NOTE: The $::fqdn fact is used instead of $::trusted['certname'] because masterless environments such as "puppet apply" must be honored.

  • Various tweaks (these probably vary from module to module):
    • $enable_ssl       = true  # Turn SSL on or off
    • $validate_ssl     = true  # vsftpd setting
    • $validation_depth = 2     # example of app-specific setting; apache uses this for SSL
  • There are variations and permutations of these parameters across all modules, and we should standardize them.

Responsibilities

  • MANAGE: How should we tell a SIMP module to manage PKI (at all)?
    • The opposite of "manage" is "leave it alone."
    • Examples of management: 
      • where to look for certs, cacerts
      • ensure that PKI/SSL is on or off
      • ensure that PKI/SSL is validated
      • These may all be controlled by subsequent parameters
    • Examples of something other than management: 
      • Distributing certificates on the filesystem  
        • This is EXTRA because it needs additional information and can change
    • current param:       $enable_pki (bool)
    • suggested param: $manage_pki (bool or see below)
      • QUESTION what should the type be? 

  • ASSETS: What resources does the module need to know about to integrate PKI?

    • PKI assets = key, cert, cacert

      • file-based: x509+RSA files

        • simp-pki module's pki::copy from FakeCA

        • simp-beaker-helpers gem's pki_copy_to function.

        • IMPORTANT: Independent file delivery mechanism

          • The files get there, but in a way SIMP (and possibly Puppet) doesn't manage

          • probably no need to do anything

          • QUESTION: Is it reasonable to always expect PKI cert/key/cacert to be present in the same directory structure as pki::copy?

      • file-based: java keystore / truststore
      • moonshots (probably not feasible):
        • PKI stored in LDAP

        • PKI stored in TPM


  • DISTRO: What PKI asset distribution methods should SIMP manage?

    • SIMP has the pki::copy function, which copies the host's cert+key+cacert into a local directory 

      • the structure:
          HOST_PKI_DIR/
            cacerts/cacerts.pem
            public/fqdn.pub
            private/fqdn.pem

    • This supports individual PKI distribution per-application
      • accommodates SELinux
      • some applications (particularly in multi-homed environments) use separate PKI certs/CAs
    • current param:       $use_simp_pki (bool)
    • suggested param: $use_simp_pki or $manage_pki (if "Stroolean")

Questions


  • What PKI-related parameters should we standardize on?
    • One solution:
      • $manage_pki       = true                # 

      • $use_simp_keydist = true                # uses pki::copy

      • $pki_cert_dir = '/absolute/path/to/dir' #

      • If individual:

        • $pki_cert_file = "${::modulename::pki_cert_dir}/public/${::fqdn}.pub"

        • $pki_key_file  = "${::modulename::pki_cert_dir}/private/${::fqdn}.pem"

        • $pki_ca_file   = "${::modulename::pki_cert_dir}/cacerts/cacerts.pem"

        • NOTE: The $::fqdn fact is used instead of $::trusted['certname'] because masterless environments such as "puppet apply" must be honored.

        • $enable_ssl       = true  # Turn SSL on or off
        • $validate_ssl     = true  # vsftpd setting
        • $validation_depth = 2     # example of app-specific setting; apache uses this for SSL

  • How do we tell a SIMP module to use a given distribution method?
    • Some modules use a boolean parameter, $use_simp_pki, to turn on pki::copy
    • Any alternative delivery mechanism is currently not managed by SIMP
      • Additional question: will (should) we manage distribution methods other than SIMP?

  • WTF is a Stroolean?
    • A parameter that is either the boolean false or a String that determines the source (e.g., 'simp', or something else we might manage in the future)
    • Pros:
      • It collapses manage_pki and use_simp_pki into a single parameter
      • It models the idea that if the SIMP module supports PKI integration, it must be expecting a particular distribution method.
    • Cons:
      • It's confusing
      • It complicates validation logic and usage 
      • PuppetForge will probably ding us on the logic
      • MANAGE and DISTRO are conceptually different responsibilities:
        • It is true that DISTRO being on or off isn't relevant if MANAGE is off, but they are separate concepts.
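As an added example (not SIMP or simp-pki project code; Ruby because simp-beaker-helpers is a Ruby gem), the two-Boolean form and the Stroolean form of the parameters above are resolved side by side, followed by a check that the pki::copy directory layout is complete for a host. The only distribution method name taken from the page is 'simp'; the sample tree is constructed in a temp dir.

```ruby
require 'fileutils'
require 'tmpdir'

# Asset paths implied by $pki_cert_dir and the host's $::fqdn.
def pki_asset_paths(pki_cert_dir, fqdn)
  { cert: File.join(pki_cert_dir, 'public',  "#{fqdn}.pub"),
    key:  File.join(pki_cert_dir, 'private', "#{fqdn}.pem"),
    ca:   File.join(pki_cert_dir, 'cacerts', 'cacerts.pem') }
end

# Two-Boolean form: $manage_pki and $use_simp_keydist stay independent.
def resolve_two_booleans(manage_pki, use_simp_keydist)
  return { manage: false, distro: nil } unless manage_pki
  { manage: true, distro: use_simp_keydist ? 'simp' : nil }
end

# "Stroolean" form: $manage_pki is false, or a String naming the
# distribution method. `true` has no meaning here and must be rejected,
# which is part of the validation cost listed under Cons.
STROOLEAN_DISTROS = %w[simp].freeze  # only 'simp' exists today
def resolve_stroolean(manage_pki)
  case manage_pki
  when false then { manage: false, distro: nil }
  when String
    unless STROOLEAN_DISTROS.include?(manage_pki)
      raise ArgumentError, "unknown PKI distribution method #{manage_pki.inspect}"
    end
    { manage: true, distro: manage_pki }
  else
    raise ArgumentError, "manage_pki must be false or a String, got #{manage_pki.inspect}"
  end
end

# Asset names missing from a pki::copy-style directory; an empty result
# means an independently delivered tree is complete and needs nothing.
def missing_pki_assets(pki_cert_dir, fqdn)
  pki_asset_paths(pki_cert_dir, fqdn).reject { |_, p| File.file?(p) }.keys
end

# Constructed sample tree: public cert and cacert present, private key absent.
def demo_missing_assets(fqdn = 'host.example.com')
  Dir.mktmpdir do |dir|
    paths = pki_asset_paths(dir, fqdn)
    [paths[:cert], paths[:ca]].each do |p|
      FileUtils.mkdir_p(File.dirname(p))
      File.write(p, "constructed placeholder, not a real certificate\n")
    end
    missing_pki_assets(dir, fqdn)  # => [:key]
  end
end
```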


Action items

  • Decide (record decisions/reasoning):
    • whether or not to rename all "$enable_*" parameters to "$manage_*"
    • $manage_pki : Boolean or Stroolean?