We are expanding our Puppet infrastructure and want to separate the CA component from the Puppet Master server onto another server. Part of the change also involves changing the PuppetMaster's server name.
I have run into a problem where I cannot get the ca_server directive to work in either the [main] or [agent] section. It just does not work. So when I change server= to the new server name, it breaks the agents' ability to check in, because the server name has changed and no longer matches the certificate.
I'm not a Puppet expert, but I think what I need to do is create a SAN certificate containing both the old and new names (to be safe) and then re-sign all the agent nodes, which would be a royal PITA.
Is there a faster/smarter way to do this? We already have hundreds of agent nodes, and re-signing them individually would be a huge task.
Answer 1
We took a different approach to this problem, which in the long run seems more flexible and reliable.
We created a front-end Apache server running mod_proxy and mod_balancer. It recognises the incoming URL requests and routes CA-related requests to a local CA server and puppetmaster requests to a puppetmaster pool. This has the added benefit that we can have a separate server handling different environments.
The puppetmasters must be configured so that they accept the authentication information coming from the front-end server.
Define the balancers (note that the 600 timeout is important):
<Proxy balancer://puppetmaster>
BalancerMember http://pupappprd01.its.auckland.ac.nz:18140 timeout=600
BalancerMember http://pupappprd02.its.auckland.ac.nz:18140 timeout=600
BalancerMember http://pupappprd03.its.auckland.ac.nz:18140 timeout=600
</Proxy>
# CA, facts and filebucket server
<Proxy balancer://puppetmasterca>
BalancerMember http://puprepprd01.its.auckland.ac.nz:18140
</Proxy>
Now define the front end:
Listen 8140
<VirtualHost *:8140>
SSLEngine on
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/puppet.auckland.ac.nz.pem
SSLCertificateFile /var/lib/puppet/ssl/certs/puppet.auckland.ac.nz.pem
SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
SSLVerifyClient optional
SSLVerifyDepth 1
SSLOptions +StdEnvVars
# Send info to downstream workers
RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
<Location / >
SetHandler balancer-manager
Order allow,deny
Allow from all
</Location>
# The manifest can take up to 10min to build (default timeout is 2min)
Timeout 600
ProxyTimeout 600
# This is required to prevent a race condition that can cause
# the puppet agent to lock up
SetEnv proxy-nokeepalive 1
SetEnv proxy-initial-not-pooled 1
ProxyPreserveHost On
# CA - centralise the authentication
# members of the puppetmasterca cluster will rsync the cert stores
ProxyPassMatch ^(/.*?)/(certificate.*?)/(.*)$ balancer://puppetmasterca
ProxyPassReverse ^(/.*?)/(certificate.*?)/(.*)$ balancer://puppetmasterca
# Filebucket - this be on the central server to minimise duplication
# members of the puppetmasterca cluster will rsync the file bucket
ProxyPassMatch ^(/.*?)/file_bucket_file/(.*)$ balancer://puppetmasterca
ProxyPassReverse ^(/.*?)/file_bucket_file/(.*)$ balancer://puppetmasterca
# ALL Report uploads handled by central servers
# These will in turn upload reports to dashboard, depending on settings
# in the puppet.conf for that environment
ProxyPassMatch ^(/.*?)/report/(.*)$ balancer://puppetmasterca
ProxyPassReverse ^(/.*?)/report/(.*)$ balancer://puppetmasterca
# Production servers - catalogue, cache, facts, file metadata and fetch
# These servers all synchronise with subversion every 15 min
# Need the extended timeout because some manifest generation can
# be slow. 5min should be sufficient.
ProxyPassMatch ^/production/ balancer://puppetmaster timeout=600
ProxyPassReverse ^/production/ balancer://puppetmaster timeout=600
</VirtualHost>
Now we can define the puppetmasters to handle requests on both the CA server and the Puppetmasters. Note how we pass the authentication information in the additional header fields:
Listen 18140
<VirtualHost *:18140>
SSLEngine off
# Obtain Authentication Information from Client Request headers
SetEnvIf X-Client-Verify "(.*)" SSL_CLIENT_VERIFY=$1
SetEnvIf X-Client-DN "(.*)" SSL_CLIENT_S_DN=$1
RackAutoDetect On
DocumentRoot /usr/share/puppet/rack/puppetmasterd/public
<Directory /usr/share/puppet/rack/puppetmasterd/>
Options None
AllowOverride None
Order allow,deny
allow from 127.0.0.1
allow from puprepprd01.its.auckland.ac.nz
deny from all
</Directory>
LogLevel warn
ErrorLog /var/log/httpd/puppetmaster_error.log
CustomLog /var/log/httpd/puppetmaster_access.log combined
</VirtualHost>
In puppet.conf you need a couple more lines to pull the authentication information from the environment:
[master]
ssl_client_header = HTTP_X_CLIENT_DN
ssl_client_verify_header = HTTP_X_CLIENT_VERIFY
This is more complex, but it allows us to scale horizontally and split environments onto their own puppetmaster servers as we wish. A single server holds the report front end and the CA (although this could be split into multiple CA back ends if you set up some kind of certificate replication).
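To make the two moving parts of the answer above concrete, here is an added example in Python (my own illustration, not the answerer's configuration and not Puppet or Apache code). It mirrors the front end's ProxyPassMatch rules, which decide whether a request goes to the CA balancer or the puppetmaster pool, and the backend's SetEnvIf plus ssl_client_header handling, which turns the forwarded X-Client-DN / X-Client-Verify headers back into an agent identity. The balancer names and URL patterns are taken from the answer; the front-end addresses, host names and sample DNs are constructed for the example. The security-relevant point it demonstrates is that the backend must only honour those headers when the request really came through the front end, which is what the answer's "allow from" list on port 18140 enforces: a request from anywhere else is refused, however plausible its headers look.

```python
import re

# Ordered routing table mirroring the answer's ProxyPassMatch rules (first match wins).
ROUTES = [
    (re.compile(r"^(/.*?)/(certificate.*?)/(.*)$"), "balancer://puppetmasterca"),
    (re.compile(r"^(/.*?)/file_bucket_file/(.*)$"), "balancer://puppetmasterca"),
    (re.compile(r"^(/.*?)/report/(.*)$"), "balancer://puppetmasterca"),
    (re.compile(r"^/production/"), "balancer://puppetmaster"),
]

# Constructed addresses standing in for the front-end host(s); the answer uses
# 'allow from 127.0.0.1' and the CA host's name for the same purpose.
TRUSTED_FRONTENDS = {"127.0.0.1", "192.0.2.10"}


def route(path):
    """Return the balancer a request path would be proxied to, or None if no rule matches."""
    for pattern, balancer in ROUTES:
        if pattern.search(path):
            return balancer
    return None


def frontend_headers(client_dn, verified):
    """Headers the front end adds after terminating TLS with SSLVerifyClient optional.

    client_dn is None when the agent presented no certificate; 'verified' says
    whether mod_ssl validated the presented certificate against the Puppet CA.
    """
    if client_dn is None:
        verify = "NONE"
    elif verified:
        verify = "SUCCESS"
    else:
        verify = "FAILED"
    return {"X-Client-DN": client_dn or "", "X-Client-Verify": verify}


def backend_identity(remote_addr, headers):
    """Backend view: the equivalent of SetEnvIf plus ssl_client_header in puppet.conf.

    remote_addr is the source address the backend sees for the forwarded request.
    The headers only mean something if the front end set them, so a request from
    any other address is refused outright (the answer's 'deny from all').
    Returns the certificate CN of an authenticated agent, or None for a request
    that Puppet would treat as unauthenticated.
    """
    if remote_addr not in TRUSTED_FRONTENDS:
        raise PermissionError(f"{remote_addr} is not the front end; X-Client-* headers cannot be trusted")
    if headers.get("X-Client-Verify") != "SUCCESS":
        return None
    match = re.search(r"CN=([^,/]+)", headers.get("X-Client-DN", ""))
    return match.group(1) if match else None


def handle(frontend_addr, path, client_dn, verified):
    """Simulate one agent request passing through the front end to a backend.

    Returns (balancer the request was routed to, identity the backend derived).
    """
    headers = frontend_headers(client_dn, verified)
    return route(path), backend_identity(frontend_addr, headers)


if __name__ == "__main__":
    # Constructed sample requests.
    print(handle("127.0.0.1", "/production/certificate/web01.example", "CN=web01.example", True))
    print(handle("127.0.0.1", "/production/catalog/web01.example", "CN=web01.example", True))
    print(handle("127.0.0.1", "/production/certificate_request/new01.example", None, False))
```

Running it shows the certificate, certificate_request, file_bucket_file and report paths all landing on the CA balancer while a plain catalog request goes to the puppetmaster pool, and that a forged X-Client-DN presented directly to the backend from an address outside the front-end set is rejected before the header is even parsed.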