Undocumented Features: Salt File Source mTLS
Author: Nicholas M. Hughes
It’s funny what you can find when you start digging around in source code. This might become a regular column on the EITR Blog if I keep finding interesting things like this…
It’s like TLS… but Mutual
A few weeks ago, I was looking at the level of effort involved in adding a feature to Salt Project which would allow retrieving files from web servers secured with Mutual TLS (mTLS). Salt can handle web sources just fine in states like file.managed or archive.extracted, as shown below:
get_important_file:
  file.managed:
    - name: /var/tmp/so_important.txt
    - source: https://docs.eitr.tech/stuff/important.txt
    - use_etag: True

install_cool_thing:
  archive.extracted:
    - name: /opt/awesome
    - source: https://repo.eitr.tech/apps/superawesome-1.0.0.tar.gz
    - use_etag: True
…but what if those files are sensitive? Or maybe you just want to increase the security of your file delivery mechanisms. Well, there isn’t a way to provide a client certificate and key directly to file.managed or archive.extracted as state parameters. However, it seems there is an undocumented feature nestled down in the http.query utility that allows the desired behavior in file.managed, archive.extracted, and potentially other states as well.
So Much Mutual-ness! Mutual-ality? Mutual… osity.
The http utility will attempt to pull the cert key from the minion configuration and use that as a client certificate and key if none is provided to the function directly… which is exactly the situation with the aforementioned states, since you can’t pass it directly as a parameter at this time. The value of the cert key is expected to be a list where the first item is the path to the certificate and the second item is the path to the key. Assuming your Certificate Authority (CA) trust chains are loaded system-wide, that’s all you need. If you do need to pass the CA, the ca_bundle minion configuration option can be set.
So, we’d end up with a new minion configuration that looked something like this:
# /etc/salt/minion.d/mtls.conf
cert:
  - /etc/ssl/certs/srv.crt
  - /etc/ssl/private/srv.key

# optional
ca_bundle: /etc/ssl/certs/ca-certificates.crt
Pretty cool! Now our minion can provide its TLS certificate to the web server when it attempts to retrieve our super important, awesome files and the server can verify that the system is allowed to grab them.
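Because the lookup above is undocumented, a typo in the cert list or a key that doesn’t match its certificate only shows up as a failed download at state-run time. The script below is an added example (my own, not Salt’s code) that takes an already-parsed minion config dict laid out the way the post describes (cert as a two-item list, optional ca_bundle) and checks it the way the TLS handshake eventually would: both files exist, the private key isn’t group- or world-readable, the pair loads into an SSL context (which fails if the key does not belong to the certificate), and the CA bundle parses. The demo() function builds a deliberately broken config in a temporary directory so the checks can be seen without real certificates; all file names in it are constructed.

```python
import os
import ssl
import stat
import tempfile


def resolve_client_tls(minion_cfg):
    """Pull the client certificate/key pair (and optional CA bundle) out of a
    parsed minion config, using the layout the post describes: 'cert' is a
    two-item list [certificate_path, key_path]; 'ca_bundle' is optional.
    Returns (cert_path, key_path, ca_bundle_or_None)."""
    cert = minion_cfg.get("cert")
    if not isinstance(cert, (list, tuple)) or len(cert) != 2:
        raise ValueError("'cert' must be a two-item list: [certificate_path, key_path]")
    cert_path, key_path = (str(p) for p in cert)
    ca_bundle = minion_cfg.get("ca_bundle")
    return cert_path, key_path, (str(ca_bundle) if ca_bundle else None)


def audit_mtls_config(minion_cfg):
    """Return a list of problems with the mTLS settings; an empty list means
    the certificate, key and CA bundle look usable before Salt tries them."""
    try:
        cert_path, key_path, ca_bundle = resolve_client_tls(minion_cfg)
    except ValueError as exc:
        return [str(exc)]

    findings = []
    for label, path in (("certificate", cert_path), ("private key", key_path)):
        if not os.path.isfile(path):
            findings.append(f"{label} file missing: {path}")
    if ca_bundle and not os.path.isfile(ca_bundle):
        findings.append(f"ca_bundle file missing: {ca_bundle}")
    if findings:
        return findings  # nothing more can be checked without the files

    # The private key should be readable only by its owner (the minion
    # normally runs as root, so 0600 root-owned is the usual target).
    mode = stat.S_IMODE(os.stat(key_path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"private key {key_path} is group/world accessible (mode {mode:04o})")

    # Loading the pair into an SSL context proves both files parse and that
    # the key matches the certificate; a mismatch raises ssl.SSLError here
    # instead of as an opaque download failure later.
    ctx = ssl.create_default_context()
    try:
        ctx.load_cert_chain(certfile=cert_path, keyfile=key_path)
    except (ssl.SSLError, OSError) as exc:
        findings.append(f"certificate/key pair rejected: {exc}")
    if ca_bundle:
        try:
            ctx.load_verify_locations(cafile=ca_bundle)
        except (ssl.SSLError, OSError) as exc:
            findings.append(f"ca_bundle rejected: {exc}")
    return findings


def demo():
    """Constructed bad config: a world-readable key and a certificate that is
    not real PEM. Returns the findings so the checks can be exercised without
    real certificates. Expect two findings: loose permissions and a rejected pair."""
    with tempfile.TemporaryDirectory() as tmp:
        cert_path = os.path.join(tmp, "srv.crt")  # constructed path
        key_path = os.path.join(tmp, "srv.key")   # constructed path
        with open(cert_path, "w") as fh:
            fh.write("not a certificate\n")
        with open(key_path, "w") as fh:
            fh.write("not a key\n")
        os.chmod(key_path, 0o644)
        return audit_mtls_config({"cert": [cert_path, key_path]})


if __name__ == "__main__":
    for finding in demo():
        print("FINDING:", finding)
```

To run it against a live minion, parse /etc/salt/minion.d/mtls.conf with a YAML loader and pass the resulting dict to audit_mtls_config; an empty list back means the files are at least consistent with what the http utility expects to find.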
Stay Mutual, San Diego
Well… that’s all for that undocumented feature. I hope you found it useful. If you’re interested in other Salt use cases with mTLS, you should check out this Cloudflare Blog post where they announce that an mTLS-based transport system is on the way!
Nicholas Hughes helps businesses integrate cloud and cybersecurity automation into their IT lifecycle processes in order to amplify the efforts of the existing workforce, prevent employee burnout, and free them to do the more important tasks that might be currently neglected. As part of his daily duties as a founding partner and CEO of EITR Technologies LLC., he’s responsible for all of those super awesome elements of the CEO job that you read about as a kid, like setting the strategic direction of the company and modeling corporate values. Additionally, Nick still performs technical consulting work with specializations in Automation & Orchestration, Cloud Infrastructure, Cloud Security, and Systems Architecture. He has nearly 20 years of experience in a wide breadth of roles within Information Technology, which is invaluable to clients seeking comprehensive technical solutions to business problems. Nick highly values pragmatism, logical thinking, and integrity in both his business and personal life… which is a decidedly boring set of core values that reap great results when applied to the task at hand. He also has a wonderful wife and two boys who keep him on his toes.