Hashman web configuration - ghomem/legacy_puppet_infrastructure GitHub Wiki

In this article, we are going to see how to configure the hashman web interface with self-signed certificates and mail notifications. The idea is to have a demo setup to demonstrate hashman capabilities locally without having to purchase a real domain or a real certificate.

Pre-requisites

  • Having a VM or container with a Puppet master configured as described in [Master Configuration](Master Configuration)
  • This VM or container should be pingable by FQDN (example: ping puppet.mydomain.lan)

Configuring the hashman web interface with a self-signed certificate

Overview of the self-signed certificate configuration

In order to configure a self-signed certificate to be used with the hashman, we need to:

  • Pretend we are a root CA (Certificate Authority), creating a private key and a CA certificate
  • Create certificates for our domain, and sign them as root certificate authority
  • Copy the relevant files to /etc/puppetlabs/puppet/extra_files/ssl/ so they can be deployed by the puppet master
  • Adjust the node declaration of the puppet master to include the hashman_web class, and run the agent

We will see how to perform these steps below. Before starting, you might want to create a specific directory to hold all the files we are going to create with:

mkdir self_signed_ssl_cert
cd self_signed_ssl_cert

Creating the root CA (Certificate authority) files

Generate the root CA private key with:

# Please type a passphrase when asked and store it in a secure place
# This will generate the CARoot.key file in the current directory
openssl genrsa -des3 -out CARoot.key 2048

With the CA private key generated in the previous step, generate the CA Root certificate with:

# This will generate the CARoot.pem file in the current directory
openssl req -x509 -new -nodes -key CARoot.key -sha256 -days 3650 -out CARoot.pem

Creating the certificate and ssl files for the domain

Set an environment variable with your domain to be used later in other commands with:

DOMAIN='mydomain.tld' # please put the actual name of your domain here

Create a private key for your domain:

openssl genrsa -out star.${DOMAIN}.key 2048

Using the private key created in the previous step, generate the CSR (Certificate Signing Request) with:

openssl req -new -key star.${DOMAIN}.key -extensions v3_ca -out star.${DOMAIN}.csr

Create an extensions file to specify the subjectAltName; the file should be named star.${DOMAIN}.cnf and must have these contents (please replace mydomain.tld below with the actual name of your domain):

basicConstraints=CA:FALSE
subjectAltName=DNS:*.mydomain.tld
extendedKeyUsage=serverAuth

Generate the Certificate using the CSR created above:

openssl x509 -req -in star.${DOMAIN}.csr -CA CARoot.pem -CAkey CARoot.key -CAcreateserial -extfile star.${DOMAIN}.cnf -out star.${DOMAIN}.crt -days 3650 -sha256
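The whole certificate procedure above as one non-interactive shell function, followed by the checks worth running before copying anything into extra_files/ssl (chain validates against the CA, the SAN carries the wildcard, the leaf is not a CA, and the key matches the certificate). This is an added example, not code from the wiki or the legacy_puppet_infrastructure project; it assumes openssl is on PATH and uses a constructed placeholder passphrase.

```shell
#!/bin/sh
# Added example: scripted version of the root CA + wildcard certificate steps.
# Assumption: openssl is installed. The passphrase default is a constructed
# placeholder for the demo, not a value to reuse.
set -eu

make_selfsigned_chain() {
    domain="$1"; outdir="$2"
    ca_pass="${3:-constructed-demo-passphrase}"   # placeholder passphrase
    mkdir -p "$outdir"
    # 1. Root CA key (passphrase-protected, as in the wiki) and CA certificate
    openssl genrsa -aes256 -passout "pass:$ca_pass" -out "$outdir/CARoot.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$outdir/CARoot.key" -passin "pass:$ca_pass" -sha256 -days 3650 \
        -subj "/CN=Demo Root CA for $domain" -out "$outdir/CARoot.pem"
    # 2. Private key and CSR for the wildcard name
    openssl genrsa -out "$outdir/star.$domain.key" 2048 2>/dev/null
    openssl req -new -key "$outdir/star.$domain.key" -subj "/CN=*.$domain" \
        -out "$outdir/star.$domain.csr"
    # 3. Extensions: leaf certificate (not a CA), wildcard SAN, server auth only
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.%s\nextendedKeyUsage=serverAuth\n' \
        "$domain" > "$outdir/star.$domain.cnf"
    # 4. Sign the CSR with the root CA, applying the extensions file
    openssl x509 -req -in "$outdir/star.$domain.csr" -CA "$outdir/CARoot.pem" \
        -CAkey "$outdir/CARoot.key" -passin "pass:$ca_pass" -CAcreateserial \
        -extfile "$outdir/star.$domain.cnf" -out "$outdir/star.$domain.crt" \
        -days 3650 -sha256 2>/dev/null
}

# Pre-deployment checks; returns non-zero on the first failed check.
check_chain() {
    domain="$1"; outdir="$2"
    # the leaf must validate against the CA that will become the .intermediate.crt
    openssl verify -CAfile "$outdir/CARoot.pem" "$outdir/star.$domain.crt" >/dev/null || return 1
    text=$(openssl x509 -in "$outdir/star.$domain.crt" -noout -text)
    # wildcard SAN present and certificate marked as a non-CA leaf
    echo "$text" | grep -q "DNS:\*\.$domain" || return 1
    echo "$text" | grep -q "CA:FALSE" || return 1
    # the private key must belong to the certificate it will be deployed with
    [ "$(openssl pkey -in "$outdir/star.$domain.key" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$outdir/star.$domain.crt" -noout -pubkey)" ] || return 1
}
```

Run it as `make_selfsigned_chain puppetdemo.lan ./self_signed_ssl_cert && check_chain puppetdemo.lan ./self_signed_ssl_cert` and only copy the files to extra_files/ssl when the second command succeeds.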

Copying the files needed by puppet to the "extra_files/ssl" directory

To provide our puppet master with the relevant files we generated above, we need to copy the following:

user@puppet:~/self_signed_ssl_cert$ sudo cp star.${DOMAIN}.key /etc/puppetlabs/puppet/extra_files/ssl
user@puppet:~/self_signed_ssl_cert$ sudo cp star.${DOMAIN}.crt /etc/puppetlabs/puppet/extra_files/ssl
user@puppet:~/self_signed_ssl_cert$ sudo cp CARoot.pem /etc/puppetlabs/puppet/extra_files/ssl/star.${DOMAIN}.intermediate.crt

Also these files should be owned by the user puppet, so we can set the ownership like this:

user@puppet:~/self_signed_ssl_cert$ sudo chown -R puppet:puppet /etc/puppetlabs/puppet/extra_files/

Once everything is done, we can edit the hashman:: variables in /etc/puppetlabs/code/environments/production/data/common.yaml, especially these ones (example for *.puppetdemo.lan):

hashman::sslprefix:           'star.puppetdemo.lan'
hashman::team:                "[ '[email protected]' , ]"
hashman::testenv:             'False'
hashman::companywebsite:      'https://example.com'

Configuring the mail notifications

To configure mail notifications, you will simply need to edit the /etc/puppet/code/environments/production/data/common.yaml file and give the correct values to these variables:

# Note: Please replace <master-hostname> with the hostname of your puppet master
master-hostname::postfix_smtp_node::relayuser: 'puppet-staging' # This is necessary for hashman to send mails
master-hostname::postfix_smtp_node::relaypass: 'SOSECRET' # This is necessary for hashman to send mails

Finishing the setup

Once you have configured everything above you can uncomment the following lines in the puppet master node declaration:

node 'puppet' {
  [...]
  # uncomment only after SSL cert and key are deployed
  #include puppet_infrastructure::hashman_web

  # uncomment only when credentials are set on common.yaml
  # email sending via external relay
  # include puppet_infrastructure::postfix_smtp_node
  [...]
}

And run the agent on the puppet master:

sudo puppet agent -t