search

rundeck-plugins / rundeck-puppetenterprise-nodes-plugin

Get resource node data from Puppet Enterprise
3 stars 9 forks source link

rundeck needs the private key of the puppetdb ? #3

Closed fbacchella closed 8 years ago

fbacchella commented 8 years ago

In the plug in help of the current version (0.9.3), it says :

PuppetDB SSL Directory:
local directory for SSL, if null it'll use http, it should contain <ssl directory>/private_keys/<puppetdb host>.pem , <ssl directory>/certs/<puppetdb host>.pem and <ssl directory>/ca/ca_crt.pem

configuration: resources.source.[index].config.PROPERTY_PUPPETDB_SSL_DIR=value

And indeed in the logs I see: Caused by: java.io.FileNotFoundException: /data/rundeck/var/sslpuppet/private_keys/puppedb.mydomain.pem (No such file or directory)

But I generate a certificate for rundeck with puppet cert --generate rundeck.mydomain and give it to curl and it worked:

curl  -v -o /dev/null  'https://puppedb.mydomain:8081/pdb/query/v4/nodes' --tlsv1 --cacert /data/rundeck/var/sslpuppet/ca/ca_crt.pem --cert /data/rundeck/var/sslpuppet/certs/rundeck.mydomain.pem --key /data/rundeck/var/sslpuppet/private_keys/rundeck.mydomain.pem

returned

* Connected to puppedb.mydomain () port 8081 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /data/rundeck/var/sslpuppet/ca/ca_crt.pem
  CApath: none
* NSS: client certificate from file
*   subject: CN=rundeck.mydomain
*   start date: Aug 09 15:45:44 2016 GMT
*   expire date: Aug 09 15:45:44 2021 GMT
*   common name: rundeck.mydomain
*   issuer: CN="Puppet CA: "
* SSL connection using TLS_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
*   subject: CN=puppedb.mydomain
*   start date: Dec 25 11:05:12 2013 GMT
*   expire date: Dec 25 11:05:12 2018 GMT
*   common name: puppedb.mydomain
*   issuer: CN="Puppet CA: "
> GET /pdb/query/v4/nodes HTTP/1.1
> User-Agent: curl/7.29.0
> Host: puppedb.mydomain:8081
> Accept: */*
> 
< HTTP/1.1 200 OK
< Date: Wed, 10 Aug 2016 16:17:54 GMT
< Content-Type: application/json; charset=utf-8
< Transfer-Encoding: chunked
< Server: Jetty(9.2.z-SNAPSHOT)
<

So why this plugin looks for /data/rundeck/var/sslpuppet/private_keys/puppedb.mydomain.pem ?

I will not give one of the most important secret of the environment (the key to puppet) to an application.

gschueler commented 8 years ago

surely the client only needs a private key for its own certificate, maybe it's simply looking for the file with the puppet-server hostname, when it should be using the client's key.

fbacchella commented 8 years ago

Yes, this plugin miss a argument: certName, to build the certificate (.../certs/rundeck.mydomain.pem) and private key (.../private_keys/rundeck.mydomain.pem) file name. The server will be identified using the CA file (.../ca/ca_crt.pem)

fbacchella commented 8 years ago

close by commit b63a1a80a81e76e47463683826b55955f4e7509e