Eric, Thank you for the response, and yes, our current configuration and security requirements have made things a bit difficult at the moment. Fortunately we do already have an ENC which does access an access-controlled database and does have the environment information in it, though we still do pass '--environment' due to this not working long ago... and looking at the first issue ticket you mention, this could be a problem as our developers are allowed to connect their own VMs to the development Puppet server but can easily choose to point '--environment' to whatever they please. In actuality, they can do that now (and it would probably work), so the problem is already there, though I would definitely not want to make it worse. :) Right now our ENC only has a minimal amount of information in it, but the plan is to eventually populate it with more and reduce the amount of work the Puppet configuration has to do itself, as you suggested below.
>From the brief exchange on IRC this morning, the indication seems to be moving to a single CA should be the follow-up to this, and I think this is doable, though I'm still uncertain what the best path is to handle this. Once that's done, I can then look into improving the security of our systems (as in actually making it secure rather than what it really is right now). Thank you for your input. - Ken Lareau On Wed, Apr 18, 2012 at 7:56 AM, Eric Sorenson <eric.soren...@me.com> wrote: > Hi Ken, thanks for posting. > > It seems like you have introduced some tension between the security > requirements (clients which are in a particular environment must not be > able to retrieve other environments) and the need to have widespread > testing with good coverage. From what I understand you've managed this now > by having different CA certificates for each environment, but -- as it > sounds like you realise -- that is pretty problematic. I'd suggest you can > end-run around a lot of this trouble by using an external node classifier > to set and enforce client environment, so regardless of what the > --environment string says from the client, each of the masters will > consistently enforce policy. You don't have to go all-in to node > class/parameter assignment in the ENC because static configs are merged > with the output. A prerequisite is that you need to have some source of > truth which the ENCs can consult to determine the disposition of each node > that connects, but that source-of-truth could be an access-controlled > database (maybe you already have one?) that is, in general, going to be a > better place to put business logic (which nodes should be able to access > each environment, and even perhaps some of the conditional logic in your > manifests) than Puppet itself. > > This isn't without its own set of problems and might not be a panacea but > I think would help a lot of your use case. Some relevant reading: > http://docs.puppetlabs.com/guides/external_nodes.html > https://projects.puppetlabs.com/issues/3910 > https://projects.puppetlabs.com/issues/12869 > > Hope this helps > - Eric Sorenson - N37 17.255 W121 55.738 - http://twitter.com/ahpook - > > On Tuesday, April 17, 2012 7:34:43 PM UTC-7, Ken Lareau wrote: >> >> Hello folks, >> >> After some conversation on #puppet on Freenode IRC, Eric Sorenson >> requested I repost the information and question here, so I am doing so >> and hopefully it will all make sense... >> >> We currently have a well-established and relatively complex Puppet >> setup in place at my company and I'm in the process of trying to >> streamline changes as well as implement better testing to ensure >> minimal disruption or issues when making those changes. Some >> information on the current situation: >> >> - There are currently three environments: development, staging, >> production. These are controlled via the '--environment' setting for >> puppet in each client. All clients only belong to one environment and >> do not move between them. >> - We have a single Puppet configuration to manage all environments. >> Various conditional statements based on environment, application type, >> hostname, etc. control what each client receives for its >> configuration. >> - There are separate servers for each environment for security reasons >> (primarily sensitive information that can only exist in the production >> environment). >> - The Puppet configuration maintained via a Git repo, currently on a >> single branch. >> - Each person on the admin team checks out own copy of the repo, make >> changes, commits the changes, then updates each environment on the >> Puppet servers for the changes to take effect. >> >> There are several issues with this process, unfortunately: >> >> - Every so often a configuration mistake will adversely affect an >> entire environment, and much of the time is only noticed _after_ the >> changes are pushed out. As a result, local changes tend to be made in >> the development environment for testing and sometimes aren't committed >> for a long time, leaving discrepancies between the environments which >> can lead to other subtle issues. >> - Less frequent but still occuring often enough, changes can still >> have subtle issues which cause things to work in one environment and >> break horribly in another; this is especially bad when the broken >> environment is the production one. >> - The configuration for a given type of client is complex enough that >> to change a client to a different application type (what we primarily >> key most of our configuration off of, followed by the environment) to >> test against a server would require rebuilding the client, which is a >> 25-45 minute process; too slow for simple changes and even too slow >> for all but the most complex changes, given how many changes we make >> in a single day. >> - We allow our users to create local VMs that the development Puppet >> server can key off their names to create a given configuration, but >> since the configuration for the various environments is shared in a >> Puppet configuration, potential for users point their puppet agents to >> the production environment is a concern (due to the sensitive >> information there). >> >> After discussion with a few coworkers, the following process was laid >> out to try to implement to resolve these issues: >> >> - Create separate branches for each of the environments and have only >> the matching branch checked out on the primary Puppet servers; changes >> will be merged into the various branches one at a time to prevent >> unintentional changes in a given environment before testing can be >> done on that environment. >> - Ensure a client in a given environment can ONLY run against that >> configuration (e.g. disallow a client in the development environment >> requesting the production configuration). >> - Each person on the admin team will have a test server where they can >> create their own branches from the Git repo for the changes they're >> working and use their test server to test changes against existing >> clients in the various environments (preventing the need to build out >> a new test client(s) to validate each change). The existing clients >> would only be run in no-op mode against the test servers. >> >> The reason for each person on the admin team to have their own test >> server that has access to all the environments is considered since: >> >> - Having a different server for each environment would be affected by >> the tight hardware resources currently. >> - The need for having separate test servers would prevent needing to >> use the primary servers for testing, which is difficult due to >> multiple admins continuously making changes and needing to test them >> without disturbing the other admins' work, along with not affecting >> the current primary servers from being able to properly handle their >> existing clients. >> >> What this all boils down to is I'm trying to find a way to deal with a >> single test server trying to be able to communicate with existing >> clients in all the environments; most of the current configuration >> would work fine except for the cert issue, which is the sticking point >> at this time. Any solution on how to handle this in the most >> straightforward manner would greatly be appreciated, as my research >> has been leading to solutions far more complex than what I would like >> (such as load balancing for the CA or trying to synchronize the certs >> across the various systems). >> >> Hopefully this made sense and I can find someone who can give advice >> on how to proceed with this issue. Thanks in advance. >> >> - Ken Lareau >> > -- > You received this message because you are subscribed to the Google Groups > "Puppet Users" group. > To view this discussion on the web visit > https://groups.google.com/d/msg/puppet-users/-/HvWvZVO4JbYJ. > To post to this group, send email to puppet-users@googlegroups.com. > To unsubscribe from this group, send email to > puppet-users+unsubscr...@googlegroups.com. > For more options, visit this group at > http://groups.google.com/group/puppet-users?hl=en. > -- - Ken Lareau -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
