Tyler Fitch

Remote Copying of Generated Keys

• Tyler Fitch • Chef and Artifactory

A customer asked me this question:

I feel like I’m trying to accomplish something fairly common, but I can’t find any good documentation around it and I’m not sure of the correct design pattern to use here. On each machine during a chef-client run, I need to generate an SSL keypair, upload the public key to another server, and then run the commands on that remote machine necessary to add the key to a TLS truststore. That other machine is managed by Chef as well, so it’s possible to deal with importing any new keys into the truststore during that machine’s chef-client run, but getting the key onto the machine is proving to be a little more complicated.

Is the best way to deal with this just to issue an scp command through the execute resource that uploads the key to the TLS server or is there some more idiomatic way to upload a file to a specific location on a remote machine?

So I thought about the question for a while and came up with a possible solution to this.

## TL;DR

* Understand that the public key is an artifact and should be treated as such.
* Decide what the preferred method for artifact sharing is within your architecture.
* Use that method (probably something like Artifactory) to make the public keys accessible via HTTP(S) for easy consumption by the tools that need it.

Share the Public Key

Any server can generate its SSL key pair when it is being created. Then, once you have the public key, add a bit of logic to the Chef cookbook (or configuration management tool of choice, but you know which way I lean) to upload the public key to your artifact server of choice. Since I recommend Artifactory, consider using the Artifactory gem in your Chef cookbook to handle the upload.

When uploading the public key to Artifactory, pick a scheme that allows systematic, scripted uploading and subsequent downloading of the public keys. I prefer to use a consistent naming convention like `/ssl_public_keys/<hostname>`.

Then any remote machine that needs to add the public key for `<hostname_zyx>` to its TLS truststore finds that key on the Artifactory server at the `/ssl_public_keys/<hostname_zyx>` location and pulls it down over HTTP(S).
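As an added example (not code from the original post or from the Artifactory gem), these stdlib-only Ruby helpers show checks a consuming recipe could run before importing a fetched key: building the `/ssl_public_keys/<hostname>` path safely and confirming the artifact is the expected public key. The function names are hypothetical, and the example assumes RSA keys in PEM form and an expected fingerprint that reaches the consumer through a separate channel, such as a node attribute.

```ruby
require 'openssl'
require 'digest'

# Folder from the post's naming convention: /ssl_public_keys/<hostname>
KEY_FOLDER = '/ssl_public_keys'
LABEL = '[a-z0-9]([a-z0-9-]*[a-z0-9])?'
HOSTNAME_RE = /\A#{LABEL}(\.#{LABEL})*\z/

# Build the artifact path for a host. Anything that is not a plain DNS name
# (slashes, "..", whitespace) is rejected so it cannot escape the key folder.
def key_artifact_path(hostname)
  name = hostname.to_s.downcase
  unless name.length <= 253 && name.match?(HOSTNAME_RE)
    raise ArgumentError, "invalid hostname: #{hostname.inspect}"
  end
  "#{KEY_FOLDER}/#{name}"
end

# SHA-256 over the DER-encoded public key, so PEM line wrapping is irrelevant.
# Assumes RSA keys; rejects artifacts that contain private key material.
def public_key_fingerprint(pem)
  key = OpenSSL::PKey.read(pem)
  raise ArgumentError, 'only RSA keys are handled here' unless key.is_a?(OpenSSL::PKey::RSA)
  raise ArgumentError, 'artifact contains a private key' if key.private?
  Digest::SHA256.hexdigest(key.to_der)
end

# True only when the fetched artifact is a well-formed public key whose
# fingerprint matches the one the generating node reported out of band.
def importable?(pem, expected_fingerprint)
  public_key_fingerprint(pem) == expected_fingerprint.to_s.downcase
rescue ArgumentError, OpenSSL::PKey::PKeyError
  false
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a throwaway key standing in for a node's generated key.
  key = OpenSSL::PKey::RSA.new(2048)
  pem = key.public_key.to_pem
  fp  = public_key_fingerprint(pem)
  puts key_artifact_path('web01.example.com')
  puts importable?(pem, fp)
end
```

A recipe on the consuming node would call `importable?` on the downloaded file and skip the truststore import when it returns false.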

Long story short (but not the TL;DR), a Chef recipe can generate the key pair on the server and a Chef recipe will be used to install the key on remote nodes, but Chef does not have to manage all the pieces of the puzzle between those two events.

Alternate solutions

Lots of choices - find one that works for you

The list of alternate solutions is about as long as my description of how to set up one of the solutions (and I’m certain I missed some options). So like most technology choices, it comes down to finding the solution that works for your application. If you’re not sure which one works, and that is totally okay, don’t spend all your time just thinking about the options while trying to find why it won’t work. Just try one for two weeks. It might work - it might not. If you find the edge case where it is not going to work, then try the next option. Eventually you will have a working solution for your needs and you’ll know a lot more about the tool(s) because you have used them instead of just thinking about them.
