You are browsing a read-only backup copy of Wikitech. The primary site can be found at wikitech.wikimedia.org

PKI/Cloud

From Wikitech-static
< PKI
Revision as of 13:37, 10 March 2021 by imported>Jbond (→‎Using the pki service)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

At the time of writing there is no central cloud PKI service however there is a pki project which is intended to be used in development environments and tries to mimic the behaviour of the pki service in production. In order to make changes to this project you will need to either ask one of the project admins or be an admin your self. Further the project must run there own puppet master as we will be required use real secrets.

Adding a new project to pki-intermediate

The cloud hiera data already should already have sane defaults. however the class is disabled/absent by default as such you will at the vary least need to add the following into either the project or host hiera data (e.g. gerrit PS) when you actully want to start using the class

profile::pki::client::ensure: present

However before that we first need to configure the auth key on the project puppet master and add authorise the project puppet agents use the API server

Adding the auth key to the project

All requests made to the API service are signed using a hmac key. Currently we use the same key across all projects and CA's however it is still relatively secret (at the time of writing only the pki and deployment-prep projects have access). As such we need to copy the secret key somewhere into the private hiera structure on the puppet master. By default there are two options for this either somewhere appropriate under /etc/puppet/private/hieradata or in /etc/puppet/secret/hieradata/{common,$labsproject}.yaml. The former is a git repo populated by the Labs private git repo as such you would need to add this as a local commit. DO NOT ADD TO labs/private. The later is just a file location on the puppet master which reduces some complexity. however note the directory likely doesn't exists by default. The following example uses the deployment-prep project. You will need to ask one of the pki admins for the $secret_value below

$ sudo mkdir -p /etc/puppet/secret/hieradata
$ printf 'profile::pki::client::auth_key: %s\n' "$secret_value" | sudo tee /etc/puppet/secret/hieradata/common.yaml


Authorising puppet agents for a specific project

The API service alsoi authenticates connections using TLS client auth. To simplify things the pki::client tools are configured to use the puppet agent certificates to preform authentication. however to get this to work you need to add the localcacert for the project puppet CA and add it to Cloud Client Auth CA file. This file is used as the SSLCACertificateFile by Apache when validating client auth connections (e.g. gerrit change). you can retrieve the localcacert by running the following on one of the puppet agents (not the puppet master as they are often not agents of them self)

 
$ cat $(sudo facter -p puppet_config.localcacert)

Using the pki service

Once your a projects agents are authorised to use they simply need to include profile::pki::client for there node or project and follow the standard guide for creating certificates

Creating new intermediate CA's

The guides on the main Root CA guide should be all that is required using the following servers

  • root CA: pki-root.pki.eqiad1.wikimedia.cloud
  • Intermediate/Multiroot CA: pki-intermediate.pki.eqiad1.wikimedia.cloud
  • secret store: pki-pm.pki.eqiad1.wikimedia.cloud:/var/lib/git/labs/private


Debugging

It is worth noting for debugging purposes that the pki endpoint TLS connections uses the puppet CA from the pki project as such connections to the the pki service need indicate that they trust this CA. The required CA.pem file is distributed via profile::pki::client and should be available at /etc/ssl/localcerts/pki_api_CA.pem. This means that if using the cfssl tools directly you need to specify -mutual-tls-client-cert and mutual-tls-client-key pointing to the puppet agent certs and -tls-remote-ca /etc/ssl/localcerts/pki_api_CA.pem e.g.

 
$  sudo /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf \
                               -tls-remote-ca /etc/ssl/localcerts/pki_api_CA.pem \
                               -mutual-tls-client-cert "$(sudo facter -p  puppet_config.hostcert)" \
                               -mutual-tls-client-key "$(sudo facter -p  puppet_config.hostprivkey)" \
                               -label WMF_test_intermediate_ca \
                               -profile server \ 
                               /etc/cfssl/csr/foobar-client_pki_eqiad1_wikimedia_cloud.csr

or with curl

# Allow insecure server connections when using SSL
$ curl -k -d '{"label": "WMF_test_intermediate_ca"}' \
 --cert "$(sudo facter -p  puppet_config.hostcert)" \
 --key  "$(sudo facter -p  puppet_config.hostprivkey)" \
 https://pki-intermediate.pki.eqiad1.wikimedia.cloud:443/api/v1/cfssl/info
{"success":true,"result":{"certificate":"-----BEGIN CERTIFICATE-----\nMIIDvTCCAx+gAwIBAgIUG7m3jAm3mRg6slno3tD9a1NSC7UwCgYIKoZIzj0EAwQw\ngY0xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\nYW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\nMRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEUMBIGA1UEAwwLV01GX1RFU1RfQ0Ew\nHhcNMjEwMzA1MTIxNjAwWhcNMjYwMzA0MTIxNjAwWjCBhTELMAkGA1UEBhMCVVMx\nFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xIjAgBgNVBAoTGVdpa2ltZWRpYSBGb3Vu\nZGF0aW9uLCBJbmMxFzAVBgNVBAsTDkNsb3VkIFNlcnZpY2VzMSEwHwYDVQQDDBhX\nTUZfdGVzdF9pbnRlcm1lZGlhdGVfY2EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA\nBAF1tjSU8YdOg6F12DqapnqU5sY2B1A5U0DmvZYUs2uQD5kd2cKLKMaP1JssFue1\nn+byZyqJvbb/MaRymLn6YuBe7ADbVr9a+bggfCWvPrO8HeHYDSqDEQ42VPAP7Syl\nko5qC7xILAff/EIc+4djxlI4gFAx8qf/TkkdFu/eWBnM4Aq8xKOCAR4wggEaMA4G\nA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQWBBQmTHIQ\nf33IlwKT6Owwv19LAor0qDAfBgNVHSMEGDAWgBRxHoSXgws9q2wI9x9rQn0SVs4Z\n3zBfBggrBgEFBQcBAQRTMFEwTwYIKwYBBQUHMAGGQ2h0dHA6Ly9wa2ktaW50ZXJt\nZWRpYXRlLnBraS5lcWlhZDEud2lraW1lZGlhLmNsb3VkL29jc3AvV01GX1RFU1Rf\nQ0EwUwYDVR0fBEwwSjBIoEagRIZCaHR0cDovL3BraS1pbnRlcm1lZGlhdGUucGtp\nLmVxaWFkMS53aWtpbWVkaWEuY2xvdWQvY3JsL1dNRl9URVNUX0NBMAoGCCqGSM49\nBAMEA4GLADCBhwJCAd4DMpHjs8B8ggZInwUrWBxEeOU9ZqaCHmGAqeRDcepB8xho\n2gVo7gqky0nckX+RH3aNgzJTcE8rb0wfIysLIOWHAkEdAJKqMIZ8gXumcRvvaWj9\nOar/KEfMXQOCslxgu5upHun/zPYJ5O/pqdkuvwt/o8tidC+uWHKytog9viltr901\nFA==\n-----END CERTIFICATE-----","usages":["signing","key encipherment","client auth"],"expiry":"96h"},"errors":[],"messages":[]}
# Verify peer
$ curl -d '{"label": "WMF_test_intermediate_ca", "profile": "server"}' \
 --cert "$(sudo facter -p  puppet_config.hostcert)" \
 --key  "$(sudo facter -p  puppet_config.hostprivkey)" \
 --cacert /etc/ssl/localcerts/pki_api_CA.pem \
 https://pki-intermediate.pki.eqiad1.wikimedia.cloud:443/api/v1/cfssl/info
{"success":true,"result":{"certificate":"-----BEGIN CERTIFICATE-----\nMIIDvTCCAx+gAwIBAgIUG7m3jAm3mRg6slno3tD9a1NSC7UwCgYIKoZIzj0EAwQw\ngY0xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\nYW4gRnJhbmNpc2NvMSIwIAYDVQQKExlXaWtpbWVkaWEgRm91bmRhdGlvbiwgSW5j\nMRcwFQYDVQQLEw5DbG91ZCBTZXJ2aWNlczEUMBIGA1UEAwwLV01GX1RFU1RfQ0Ew\nHhcNMjEwMzA1MTIxNjAwWhcNMjYwMzA0MTIxNjAwWjCBhTELMAkGA1UEBhMCVVMx\nFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xIjAgBgNVBAoTGVdpa2ltZWRpYSBGb3Vu\nZGF0aW9uLCBJbmMxFzAVBgNVBAsTDkNsb3VkIFNlcnZpY2VzMSEwHwYDVQQDDBhX\nTUZfdGVzdF9pbnRlcm1lZGlhdGVfY2EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA\nBAF1tjSU8YdOg6F12DqapnqU5sY2B1A5U0DmvZYUs2uQD5kd2cKLKMaP1JssFue1\nn+byZyqJvbb/MaRymLn6YuBe7ADbVr9a+bggfCWvPrO8HeHYDSqDEQ42VPAP7Syl\nko5qC7xILAff/EIc+4djxlI4gFAx8qf/TkkdFu/eWBnM4Aq8xKOCAR4wggEaMA4G\nA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQWBBQmTHIQ\nf33IlwKT6Owwv19LAor0qDAfBgNVHSMEGDAWgBRxHoSXgws9q2wI9x9rQn0SVs4Z\n3zBfBggrBgEFBQcBAQRTMFEwTwYIKwYBBQUHMAGGQ2h0dHA6Ly9wa2ktaW50ZXJt\nZWRpYXRlLnBraS5lcWlhZDEud2lraW1lZGlhLmNsb3VkL29jc3AvV01GX1RFU1Rf\nQ0EwUwYDVR0fBEwwSjBIoEagRIZCaHR0cDovL3BraS1pbnRlcm1lZGlhdGUucGtp\nLmVxaWFkMS53aWtpbWVkaWEuY2xvdWQvY3JsL1dNRl9URVNUX0NBMAoGCCqGSM49\nBAMEA4GLADCBhwJCAd4DMpHjs8B8ggZInwUrWBxEeOU9ZqaCHmGAqeRDcepB8xho\n2gVo7gqky0nckX+RH3aNgzJTcE8rb0wfIysLIOWHAkEdAJKqMIZ8gXumcRvvaWj9\nOar/KEfMXQOCslxgu5upHun/zPYJ5O/pqdkuvwt/o8tidC+uWHKytog9viltr901\nFA==\n-----END CERTIFICATE-----","usages":["digital signature","key encipherment","server auth"],"expiry":"96h"},"errors":[],"messages":[]}

More details on using the API directly can be found on the cfssl docs page