Puppet Integration

Secrets Management - Conjur, Secrets Hub & CP Conjur Enterprise
1

Hello,
I’m doing a PoC and I try to integrate Puppet and DAP.
It’s a standalone Master and a puppet master and a node.
I created few secrets and assigned read and execute permissions to a host.
I’m able to login using Hosts API and I’m able to see the variables.

Now in the Master, I’ve installed a puppet module for conjur (puppet module install cyberark-conjur)… I’m not sure whether this is necessary?

Then I created two .pp files on the puppet master server namely conjur.pp and site.pp

image
image691×98 19.5 KB

Conjur.pp

image
image727×697 83.3 KB

site.pp (here I’m trying to write the secrets into a file)
image
image735×243 23.3 KB

The problem is when I run the puppet agent its not writing the secrets on the file. :worried:
image

Im new to the DAP and Puppet world and I’m not sure what I’m doing is the right way to do this use case. Am I missing anything here? Any help would be much appreciated? Thanks

2

Hi Nirmal,
I saw that you made this post multiple times so I will get rid of the other posts and we will give you assistance on this one. I talked to @rpothier and he is consulting with his team to assist you.
CC @izgerij . We apologize for the delay. Thank you for your patience!

3

Hi Nirmal,
Can you verify puppet works by itself without Conjur? For example set site.pp to
create a file foo with the text bar to verify puppet itself is working. I am also
looking at reproducing this setup to verify that it works.
Thanks - Rob

4

Hi Nirmal,
Reviewed this a little more, there are three methods on configuration.
The first method might be a good start, as it combines everything into one file,
the second method might be closer to what you are looking to do with the creds
in a separate file.

Set the Conjur creds/identity directly in the node statement for node-01 in site.pp
(There would be no need for a conjur.pp ). This method is described here: GitHub - cyberark/conjur-puppet: Official Puppet module for CyberArk Conjur

Set the Conjur creds/identity using Hiera This method is described here: GitHub - cyberark/conjur-puppet: Official Puppet module for CyberArk Conjur. Hiera provides a way of setting up a dictionary/mapping to which node manifests can refer, by using a lookup() function.In this particular case, we’d want to create this file:
/etc/puppetlabs/code/data/nodes/node-01.yaml
And the content would look like this:
NOTE: Please check the following authn_login. Usually it begins with host/dev

lookup_options:
'^conjur::authn_api_key':
convert_to: 'Sensitive'conjur::account: 'dev'
conjur::appliance_url: 'https://dap-standalone.corpad.com'
conjur::authn_login: 'dev/srv/nix/node-01'
conjur::authn_api_key: '<REPLACE_ME>'
conjur::ssl_certificate: |
-----BEGIN CERTIFICATE-----
<REPLACE_ME>
-----END CERTIFICATE-----

And the code in the site.pp would look similar to what’s in the “Using Hiera” section of the README.md (GitHub - cyberark/conjur-puppet: Official Puppet module for CyberArk Conjur).There’s a really good example of this here:
conjur-puppet/test.sh at master · cyberark/conjur-puppet · GitHub

1 Like
5

Setting the Conjur creds/identity as "pre-provisioned" Conjur identity files ON THE AGENT NODE This method is described here: GitHub - cyberark/conjur-puppet: Official Puppet module for CyberArk Conjur requires pre-provisioned (i.e. set up before Puppet runs) identity files ON THE AGENT NODE . Having this identity set up on the node beforehand greatly simplifies how the Conjur Puppet Module is invoked in the manifest… looking something like this:

$dbpassword = Deferred(conjur::secret, ['dev/db-password'])

Hope this helps - Rob

1 Like
6

Thanks @rpothier and @Natalia for your great help… It’s working now…

2 Likes