From 07b89ab737f87d2aa309adb04df94bd17be32964 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Mon, 28 Apr 2025 18:46:58 +1000
Subject: [PATCH] feat: enable terraform access to puppetca (#267)
- enable terraform to clean certificates
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/267
---
 site/profiles/manifests/puppet/server.pp | 9 +
 .../templates/puppet/server/auth.conf.erb | 266 ++++++++++++++++++
 2 files changed, 275 insertions(+)
 create mode 100644 site/profiles/templates/puppet/server/auth.conf.erb
diff --git a/site/profiles/manifests/puppet/server.pp b/site/profiles/manifests/puppet/server.pp
index 657bd41..94753ab 100644
--- a/site/profiles/manifests/puppet/server.pp
+++ b/site/profiles/manifests/puppet/server.pp
@@ -65,6 +65,15 @@ class profiles::puppet::server (
 notify => Service['puppetserver'],
 }
 
+ file { '/etc/puppetlabs/puppetserver/conf.d/auth.conf':
+ ensure => 'file',
+ content => template('profiles/puppet/server/auth.conf.erb'),
+ group => 'root',
+ owner => 'root',
+ mode => '0644',
+ notify => Service['puppetserver'],
+ }
+
 service { 'puppetserver':
 ensure => running,
 enable => true,
diff --git a/site/profiles/templates/puppet/server/auth.conf.erb b/site/profiles/templates/puppet/server/auth.conf.erb
new file mode 100644
index 0000000..9f36063
--- /dev/null
+++ b/site/profiles/templates/puppet/server/auth.conf.erb
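Review bot: The new `file` resource renders `auth.conf` through `template()`, yet the ERB added in the second hunk contains no ERB tags, so a static source (`content => file(...)` with the file moved to the module's files directory, or `source =>`) would state more plainly that this is a fixed policy file and not generated per node. The resource also replaces the auth.conf shipped with puppetserver wholesale, which presumably means upstream rule changes on package upgrades are silently overridden; I would record that above the resource: `# Managed copy of the puppetserver default auth.conf, extended to grant the 'terraform' certname CA access; re-sync with the upstream default when puppetserver is upgraded.` The enclosing class `profiles::puppet::server` starts outside the hunk.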
@@ -0,0 +1,266 @@
+authorization: {
+ version: 1
+ rules: [
+ {
+ # Allow nodes to retrieve their own catalog
+ match-request: {
+ path: "^/puppet/v3/catalog/([^/]+)$"
+ type: regex
+ method: [get, post]
+ }
+ allow: "$1"
+ sort-order: 500
+ name: "puppetlabs v3 catalog from agents"
+ },
+ {
+ # Allow services to retrieve catalogs on behalf of others
+ match-request: {
+ path: "^/puppet/v4/catalog/?$"
+ type: regex
+ method: post
+ }
+ deny: "*"
+ sort-order: 500
+ name: "puppetlabs v4 catalog for services"
+ },
+ {
+ # Allow nodes to retrieve the certificate they requested earlier
+ match-request: {
+ path: "/puppet-ca/v1/certificate/"
+ type: path
+ method: get
+ }
+ allow-unauthenticated: true
+ sort-order: 500
+ name: "puppetlabs certificate"
+ },
+ {
+ # Allow all nodes to access the certificate revocation list
+ match-request: {
+ path: "/puppet-ca/v1/certificate_revocation_list/ca"
+ type: path
+ method: get
+ }
+ allow-unauthenticated: true
+ sort-order: 500
+ name: "puppetlabs crl"
+ },
+ {
+ # Allow nodes to request a new certificate
+ match-request: {
+ path: "/puppet-ca/v1/certificate_request"
+ type: path
+ method: [get, put]
+ }
+ allow-unauthenticated: true
+ sort-order: 500
+ name: "puppetlabs csr"
+ },
+ {
+ # Allow the CA CLI to access the certificate_status endpoint
+ match-request: {
+ path: "/puppet-ca/v1/certificate_status"
+ type: path
+ method: [get, put, delete]
+ }
+ allow: [
+ {
+ extensions: {
+ pp_cli_auth: "true"
+ }
+ },
+ terraform
+ ]
+ sort-order: 500
+ name: "puppetlabs cert status"
+ },
+ {
+ match-request: {
+ path: "^/puppet-ca/v1/certificate_revocation_list$"
+ type: regex
+ method: put
+ }
+ allow: {
+ extensions: {
+ pp_cli_auth: "true"
+ }
+ }
+ sort-order: 500
+ name: "puppetlabs CRL update"
+ },
+ {
+ # Allow the CA CLI to access the certificate_statuses endpoint
+ match-request: {
+ path: "/puppet-ca/v1/certificate_statuses"
+ type: path
+ method: get
+ }
+ allow: {
+ extensions: {
+ pp_cli_auth: "true"
+ }
+ }
+ sort-order: 500
+ name: "puppetlabs cert statuses"
+ },
+ {
+ # Allow authenticated access to the CA expirations endpoint
+ match-request: {
+ path: "/puppet-ca/v1/expirations"
+ type: path
+ method: get
+ }
+ allow: "*"
+ sort-order: 500
+ name: "puppetlabs CA cert and CRL expirations"
+ },
+ {
+ # Allow the CA CLI to access the certificate clean endpoint
+ match-request: {
+ path: "/puppet-ca/v1/clean"
+ type: path
+ method: put
+ }
+ allow: {
+ extensions: {
+ pp_cli_auth: "true"
+ }
+ }
+ sort-order: 500
+ name: "puppetlabs cert clean"
+ },
+ {
+ # Allow unauthenticated access to the status service endpoint
+ match-request: {
+ path: "/status/v1/services"
+ type: path
+ method: get
+ }
+ allow-unauthenticated: true
+ sort-order: 500
+ name: "puppetlabs status service - full"
+ },
+ {
+ match-request: {
+ path: "/status/v1/simple"
+ type: path
+ method: get
+ }
+ allow-unauthenticated: true
+ sort-order: 500
+ name: "puppetlabs status service - simple"
+ },
+ {
+ match-request: {
+ path: "/puppet/v3/environments"
+ type: path
+ method: get
+ }
+ allow: "*"
+ sort-order: 500
+ name: "puppetlabs environments"
+ },
+ {
+ # Allow nodes to access all file_bucket_files. Note that access for
+ # the 'delete' method is forbidden by Puppet regardless of the
+ # configuration of this rule.
+ match-request: {
+ path: "/puppet/v3/file_bucket_file"
+ type: path
+ method: [get, head, post, put]
+ }
+ allow: "*"
+ sort-order: 500
+ name: "puppetlabs file bucket file"
+ },
+ {
+ # Allow nodes to access all file_content. Note that access for the
+ # 'delete' method is forbidden by Puppet regardless of the
+ # configuration of this rule.
+ match-request: {
+ path: "/puppet/v3/file_content"
+ type: path
+ method: [get, post]
+ }
+ allow: "*"
+ sort-order: 500
+ name: "puppetlabs file content"
+ },
+ {
+ # Allow nodes to access all file_metadata. Note that access for the
+ # 'delete' method is forbidden by Puppet regardless of the
+ # configuration of this rule.
+ match-request: {
+ path: "/puppet/v3/file_metadata"
+ type: path
+ method: [get, post]
+ }
+ allow: "*"
+ sort-order: 500
+ name: "puppetlabs file metadata"
+ },
+ {
+ # Allow nodes to retrieve only their own node definition
+ match-request: {
+ path: "^/puppet/v3/node/([^/]+)$"
+ type: regex
+ method: get
+ }
+ allow: "$1"
+ sort-order: 500
+ name: "puppetlabs node"
+ },
+ {
+ # Allow nodes to store only their own reports
+ match-request: {
+ path: "^/puppet/v3/report/([^/]+)$"
+ type: regex
+ method: put
+ }
+ allow: "$1"
+ sort-order: 500
+ name: "puppetlabs report"
+ },
+ {
+ # Allow nodes to update their own facts
+ match-request: {
+ path: "^/puppet/v3/facts/([^/]+)$"
+ type: regex
+ method: put
+ }
+ allow: "$1"
+ sort-order: 500
+ name: "puppetlabs facts"
+ },
+ {
+ match-request: {
+ path: "/puppet/v3/static_file_content"
+ type: path
+ method: get
+ }
+ allow: "*"
+ sort-order: 500
+ name: "puppetlabs static file content"
+ },
+ {
+ match-request: {
+ path: "/puppet/v3/tasks"
+ type: path
+ }
+ allow: "*"
+ sort-order: 500
+ name: "puppet tasks information"
+ },
+ {
+ # Deny everything else. This ACL is not strictly
+ # necessary, but illustrates the default policy
+ match-request: {
+ path: "/"
+ type: path
+ }
+ deny: "*"
+ sort-order: 999
+ name: "puppetlabs deny all"
+ }
+ ]
+}
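Review bot: The only place `terraform` is granted anything is the `puppetlabs cert status` rule, whose `method: [get, put, delete]` lets that certname inspect, sign and revoke (PUT) and delete (DELETE) any node's certificate, while the dedicated `/puppet-ca/v1/clean` rule named in the commit message still allows only `pp_cli_auth`; so the grant is both broader than "clean certificates" and, if the provider calls `PUT /puppet-ca/v1/clean`, not sufficient for it. I would move terraform into its own rule restricted to the method it actually uses (DELETE on certificate_status, assuming that is how it cleans — confirm against the provider), and give that rule a lower `sort-order` than the CA-CLI rule, since rule evaluation stops at the first `match-request` that matches and the CA-CLI rule would otherwise deny terraform first. The `terraform` entry is a client-certificate certname match, so the key behind that certificate should be handled as a CA-administration credential; the rule comment should say so rather than still reading `# Allow the CA CLI to access the certificate_status endpoint`.
```hocon
    {
      # Allow the 'terraform' certname to clean certificates only
      # (DELETE certificate_status/<certname>); it may not sign or revoke.
      # Sorted before the CA CLI rule below because the first matching
      # rule decides the request.
      match-request: {
        path: "/puppet-ca/v1/certificate_status"
        type: path
        method: delete
      }
      allow: terraform
      sort-order: 400
      name: "terraform cert clean"
    },
    {
      # Allow the CA CLI to access the certificate_status endpoint
      match-request: {
        path: "/puppet-ca/v1/certificate_status"
        type: path
        method: [get, put, delete]
      }
      allow: {
        extensions: {
          pp_cli_auth: "true"
        }
      }
      sort-order: 500
      name: "puppetlabs cert status"
    },
    # … unchanged: remaining rules …
```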