We are expanding our Puppet infrastructure and want to split the CA component off the puppet master onto a separate server. Part of the change also involves renaming the puppetmaster server.
I have run into a problem: I can't get the ca_server directive to work in either the [main] or the [agent] section. It just doesn't take effect. So when I change server = to the new server name, it breaks the agents' ability to check in, because the server name has changed and no longer matches the certificate.
I'm not a Puppet expert, but I think what I need to do is create a SAN certificate with both the old and new names (safely) and then re-sign all the agent nodes, which is becoming a royal PITA.
Is there a quicker/smarter way to do this? We already have hundreds of agent nodes, and re-signing them individually would be a daunting task.
We handle this differently, in a way that seems more flexible and reliable in the long run.
We created a front-end Apache server running mod_proxy and mod_balancer. It recognises the incoming URL requests and routes CA-related requests to the local CA server and puppetmaster requests to the puppetmasters. This has the added benefit that we can have separate servers handling different environments.
The puppetmasters must be configured so that they accept the authentication information coming from the front-end server.
Define the balancers (note that the 600 timeout is important):
```apache
<Proxy balancer://puppetmaster>
    BalancerMember http://pupappprd01.its.auckland.ac.nz:18140 timeout=600
    BalancerMember http://pupappprd02.its.auckland.ac.nz:18140 timeout=600
    BalancerMember http://pupappprd03.its.auckland.ac.nz:18140 timeout=600
</Proxy>

# CA, facts and filebucket server
<Proxy balancer://puppetmasterca>
    BalancerMember http://puprepprd01.its.auckland.ac.nz:18140
</Proxy>
```
Now define the front end:
```apache
Listen 8140
<VirtualHost *:8140>
    SSLEngine on
    SSLProtocol -ALL +SSLv3 +TLSv1
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
    SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/puppet.auckland.ac.nz.pem
    SSLCertificateFile /var/lib/puppet/ssl/certs/puppet.auckland.ac.nz.pem
    SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
    SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
    SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
    SSLVerifyClient optional
    SSLVerifyDepth 1
    SSLOptions +StdEnvVars

    # Send info to downstream workers
    RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

    <Location / >
        SetHandler balancer-manager
        Order allow,deny
        Allow from all
    </Location>

    # The manifest can take up to 10min to build (default timeout is 2min)
    Timeout 600
    ProxyTimeout 600

    # This is required to prevent a race condition that can cause
    # the puppet agent to lock up
    SetEnv proxy-nokeepalive 1
    SetEnv proxy-initial-not-pooled 1

    ProxyPreserveHost On

    # CA - centralise the authentication
    # members of the puppetmasterca cluster will rsync the cert stores
    ProxyPassMatch ^(/.*?)/(certificate.*?)/(.*)$ balancer://puppetmasterca
    ProxyPassReverse ^(/.*?)/(certificate.*?)/(.*)$ balancer://puppetmasterca

    # Filebucket - this be on the central server to minimise duplication
    # members of the puppetmasterca cluster will rsync the file bucket
    ProxyPassMatch ^(/.*?)/file_bucket_file/(.*)$ balancer://puppetmasterca
    ProxyPassReverse ^(/.*?)/file_bucket_file/(.*)$ balancer://puppetmasterca

    # ALL Report uploads handled by central servers
    # These will in turn upload reports to dashboard, depending on settings
    # in the puppet.conf for that environment
    ProxyPassMatch ^(/.*?)/report/(.*)$ balancer://puppetmasterca
    ProxyPassReverse ^(/.*?)/report/(.*)$ balancer://puppetmasterca

    # Production servers - catalogue, cache, facts, file metadata and fetch
    # These servers all synchronise with subversion every 15 min
    # Need the extended timeout because some manifest generation can
    # be slow. 5min should be sufficient.
    ProxyPassMatch ^/production/ balancer://puppetmaster timeout=600
    ProxyPassReverse ^/production/ balancer://puppetmaster timeout=600
</VirtualHost>
```
Now we can define the puppetmasters that handle the requests on the CA server and on the puppetmasters. Note how we pass the authentication information along in additional header fields:
```apache
Listen 18140
<VirtualHost *:18140>
    SSLEngine off

    # Obtain Authentication Information from Client Request headers
    SetEnvIf X-Client-Verify "(.*)" SSL_CLIENT_VERIFY=$1
    SetEnvIf X-Client-DN "(.*)" SSL_CLIENT_S_DN=$1

    RackAutoDetect On
    DocumentRoot /usr/share/puppet/rack/puppetmasterd/public
    <Directory /usr/share/puppet/rack/puppetmasterd/>
        Options None
        AllowOverride None
        Order allow,deny
        allow from 127.0.0.1
        allow from puprepprd01.its.auckland.ac.nz
        deny from all
    </Directory>

    LogLevel warn
    ErrorLog /var/log/httpd/puppetmaster_error.log
    CustomLog /var/log/httpd/puppetmaster_access.log combined
</VirtualHost>
```
In puppet.conf you need a couple of lines to pull the authentication information out of the environment:
```ini
[master]
ssl_client_header = HTTP_X_CLIENT_DN
ssl_client_verify_header = HTTP_X_CLIENT_VERIFY
```
This is more complex, but it lets us scale horizontally and split environments out onto their own puppetmaster servers as much as we like. A single server holds the report front end and the CA (although if you set up some kind of certificate replication you can split that into multiple CA back ends).
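An added check, not part of the answer above, that models the front end's ProxyPassMatch rules in Python (the regexes are copied from the 8140 vhost, the sample request paths are constructed): it shows which Puppet REST paths reach the CA balancer and which reach the puppetmaster balancer, and that paths for any environment other than production match no rule and fall through to the `<Location />` balancer-manager block, which this config allows from all.

```python
import re

# ProxyPassMatch rules from the frontend vhost, in the order Apache
# evaluates them (first match wins). Copied from the config above.
ROUTES = [
    (re.compile(r"^(/.*?)/(certificate.*?)/(.*)$"), "balancer://puppetmasterca"),
    (re.compile(r"^(/.*?)/file_bucket_file/(.*)$"), "balancer://puppetmasterca"),
    (re.compile(r"^(/.*?)/report/(.*)$"), "balancer://puppetmasterca"),
    (re.compile(r"^/production/"), "balancer://puppetmaster"),
]

# A request that matches no proxy rule is served by the vhost itself,
# i.e. by the <Location /> block with SetHandler balancer-manager.
FALLTHROUGH = "local:balancer-manager"


def route(path: str) -> str:
    """Return the back end a request path is sent to under the frontend config."""
    for pattern, backend in ROUTES:
        if pattern.match(path):
            return backend
    return FALLTHROUGH


def unrouted(paths):
    """Paths that never reach a puppetmaster and land on the balancer-manager."""
    return [p for p in paths if route(p) == FALLTHROUGH]


# Constructed sample of agent request paths (/<environment>/<indirection>/<key>).
SAMPLE_PATHS = [
    "/production/certificate/ca",
    "/production/certificate_request/web01.example.com",
    "/production/certificate_revocation_list/ca",
    "/production/file_bucket_file/md5/abc123",
    "/production/report/web01.example.com",
    "/production/catalog/web01.example.com",
    "/production/node/web01.example.com",
    "/development/certificate/ca",
    "/development/catalog/web01.example.com",
    "/staging/file_metadata/modules/foo/bar",
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{p:55} -> {route(p)}")
```

Adding a `ProxyPassMatch` rule per additional environment (or locking down the `<Location />` block) closes the gap the `unrouted` list reports.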