Puppet Integration

Hello,
I’m doing a PoC and I’m trying to integrate Puppet and DAP.
It’s a standalone Master, a puppet master and a node.
I created a few secrets and assigned read and execute permissions to a host.
I’m able to log in using the Hosts API and I’m able to see the variables.

Now in the Master, I’ve installed a puppet module for conjur (puppet module install cyberark-conjur)… I’m not sure whether this is necessary?

Then I created two .pp files on the puppet master server namely conjur.pp and site.pp

Conjur.pp


site.pp (here I’m trying to write the secrets into a file)

The problem is when I run the puppet agent it’s not writing the secrets to the file. :worried:

I’m new to the DAP and Puppet world and I’m not sure whether what I’m doing is the right way to do this use case. Am I missing anything here? Any help would be much appreciated. Thanks

Hi Nirmal,
I saw that you made this post multiple times so I will get rid of the other posts and we will give you assistance on this one. I talked to @rpothier and he is consulting with his team to assist you.
CC @izgerij . We apologize for the delay. Thank you for your patience!

Hi Nirmal,
Can you verify puppet works by itself without Conjur? For example set site.pp to
create a file foo with the text bar to verify puppet itself is working. I am also
looking at reproducing this setup to verify that it works.
Thanks - Rob

Hi Nirmal,
Reviewed this a little more, there are three methods on configuration.
The first method might be a good start, as it combines everything into one file,
the second method might be closer to what you are looking to do with the creds
in a separate file.

Set the Conjur creds/identity directly in the node statement for node-01 in site.pp
(There would be no need for a conjur.pp ). This method is described here: GitHub - cyberark/conjur-puppet: Official Puppet module for CyberArk Conjur

Set the Conjur creds/identity using Hiera. This method is described here: GitHub - cyberark/conjur-puppet: Official Puppet module for CyberArk Conjur. Hiera provides a way of setting up a dictionary/mapping to which node manifests can refer, by using a lookup() function. In this particular case, we’d want to create this file:
/etc/puppetlabs/code/data/nodes/node-01.yaml
And the content would look like this:
NOTE: Please check the following authn_login. Usually it begins with host/dev

lookup_options:
  '^conjur::authn_api_key':
    convert_to: 'Sensitive'

conjur::account: 'dev'
conjur::appliance_url: 'https://dap-standalone.corpad.com'
conjur::authn_login: 'dev/srv/nix/node-01'
conjur::authn_api_key: '<REPLACE_ME>'
conjur::ssl_certificate: |
  -----BEGIN CERTIFICATE-----
  <REPLACE_ME>
  -----END CERTIFICATE-----

And the code in the site.pp would look similar to what’s in the “Using Hiera” section of the README.md (GitHub - cyberark/conjur-puppet: Official Puppet module for CyberArk Conjur). There’s a really good example of this here:
conjur-puppet/test.sh at master · cyberark/conjur-puppet · GitHub


Setting the Conjur creds/identity as "pre-provisioned" Conjur identity files ON THE AGENT NODE This method is described here: GitHub - cyberark/conjur-puppet: Official Puppet module for CyberArk Conjur requires pre-provisioned (i.e. set up before Puppet runs) identity files ON THE AGENT NODE . Having this identity set up on the node beforehand greatly simplifies how the Conjur Puppet Module is invoked in the manifest… looking something like this:

$dbpassword = Deferred(conjur::secret, ['dev/db-password'])

Hope this helps - Rob

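The thread never shows the site.pp that goes with the Hiera data above, so here is an added example of what the Hiera-based method (the second method in Rob's reply) can look like end to end. This is illustration written for this thread, not code from the cyberark/conjur-puppet project or from the original posts. It assumes Puppet 6 or later (Deferred functions), that the Hiera file for node-01 is exactly the one quoted above (so `conjur::authn_api_key` comes back from lookup() already wrapped as Sensitive), that a Conjur variable `dev/db-password` exists as in the thread, and that the agent host has the Conjur module installed. The target path `/etc/app/db-password` and the `app` owner are made up for the example.

```puppet
# site.pp (added example, not part of the original thread)
#
# Assumption: /etc/puppetlabs/code/data/nodes/node-01.yaml holds the
# conjur::* keys shown in the thread, with conjur::authn_api_key
# converted to Sensitive by lookup_options.
node 'node-01' {

  # Pull the Conjur connection settings out of Hiera. The API key is
  # returned as Sensitive because of the lookup_options entry, so it is
  # redacted in catalogs, reports and logs.
  $conjur_opts = {
    'appliance_url'   => lookup('conjur::appliance_url'),
    'account'         => lookup('conjur::account'),
    'authn_login'     => lookup('conjur::authn_login'),
    'authn_api_key'   => lookup('conjur::authn_api_key'),
    'ssl_certificate' => lookup('conjur::ssl_certificate'),
  }

  # Deferred() makes the fetch happen on the agent at apply time instead
  # of on the compile master, so the secret value never lands in the
  # compiled catalog. 'dev/db-password' is the variable id used in the thread.
  $dbpassword = Deferred('conjur::secret', ['dev/db-password', $conjur_opts])

  # Constructed target path and owner for the example. Tight permissions and
  # show_diff => false keep the value out of world-readable files and out of
  # agent diffs/reports when the content changes.
  file { '/etc/app/db-password':
    ensure    => file,
    owner     => 'app',
    group     => 'app',
    mode      => '0600',
    content   => $dbpassword,
    show_diff => false,
  }
}
```

After an agent run, check the result on node-01 with `puppet agent -t` (look for the file resource in the output) and confirm the secret is present in `/etc/app/db-password` but absent from the last report and from the compiled catalog; if the file is created but empty or unchanged, the usual first things to verify are the `authn_login` value (Rob's note that it normally begins with `host/`) and that the host has read and execute permissions on the variable.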

Thanks @rpothier and @Natalia for your great help… It’s working now…
