Puppet module has undergone XA

[izgeri]

• Run Conjur OSS, and define a host, a secret, and ensure the host can access the secret
• Run Puppet 6 server
• Follow instructions in repo README to enable agent to read the Conjur secret
  • By specifying the Conjur config in the manifest
  • By specifying the Conjur config on the agent ahead of time

Document any issues you encounter in trying to figure out how to use this module, and troubleshooting UX as issues are encountered.

[diverdane]

Test Setup

Intent is to use Linux VMs to make it as "production-like" as possible, and to test with a different Puppet master/agent than the containers we use in local/integrations.

• Conjur OSS running in GKE
• Puppet master on Ubuntu 18.04 VirtualBox VM, running Puppet 6.18.0
• Puppet agent on Ubuntu 18.04 VirtualBox VM, running Puppet 6.18.0
• (Time permitting) Puppet agent on Windows 2016 VirtualBox VM

Puppet Master/Agent VMs are connected via a private (host-only) VirtualBox network, with fixed IPs and /etc/hosts entries added to allow agent to connect to master and vice versa.

Tests

• [x] Doc review, main README.md
• [x] Doc review, https://forge.puppet.com/cyberark/conjur
• [x] Hiera-based Conjur identity, Linux Master / Linux Agent
• [x] Direct-Manifest-based Conjur identity, Linux Master / Linux Agent
• [x] Pre-provisioned Conjur identity on Linux Agent
• [ ] (Time permitting) Pre-provisioned Conjur identity on Windows Agent
• [x] Misconfiguration, how to detect?: Incorrect/Missing API Key Error for this was obvious:

  Error: Failed to apply catalog: Unauthorized

• [x] Misconfiguration, how to detect?: API configure without 'Sensitive' The error message for a missing Sensitive wrapper for the Conjur API key is very obvious. Similarly, the error message for a Sensitive wrapper around a conjur::secret function parameter where it's not expected is also clear.
• [x] Misconfiguration, how to detect?: Wrong Conjur URL Error for this was a little bit obscure, because I think there was some connection caching going on. So even though I changed the URL to something nonsensical, the error referred to the original, correct URL:

  Warning: Could not find Conjur authentication info for host 'https://conjur-oss.itd-google.conjur.net'

Any other suggestions???

Findings (So Far)

1. Forge doc has broken link for REFERENCE.md here: https://forge.puppet.com/cyberark/conjur#reference
2. Forge doc has broken link for metadata.json here: https://forge.puppet.com/cyberark/conjur#limitations
3. (Tiny nit, should have caught this earlier) In the [Conjur Module Basics](https://github.com/cyberark/conjur-puppet#conjur-module-basics] section of the main README.md
   • "agent-side" identity can probably be "pre-provisioned" to match desriptions below.
   • "server-provided configuration" can probably be "Puppet manifest based" or something like that to match what's below.
4. Might help to have some troubleshooting hints:
   • Use '--trace' and '--verbose' when running puppet agent to get verbose output with traces, e.g. `sudo /opt/puppetlabs/bin/puppet agent --trace --verbose --test'
   • Use 'systemctl status puppetserver' to check server status on a Linux host
   • Use 'journalctl -xe' to get puppetserver logs on a Linux host

[izgeri]

@sgnn7 I am going to close this to close out M3, but can you please make sure any follow-up cards have been filed and placed in M4 as appropriate? Thank you!!