Module supports using the Deferred Type to execute lookups on the remote node

cyberark / conjur-puppet

Official Puppet module for CyberArk Conjur

https://forge.puppet.com/cyberark/conjur

Apache License 2.0

6 stars 3 forks source link

Module supports using the Deferred Type to execute lookups on the remote node #13

Closed jvanderhoof closed 4 years ago

jvanderhoof commented 6 years ago

As a Puppet operator, I want to be able to leverage Puppet's new Deferred Type, so that I can use the remote node's identity to retrieve secrets from Conjur, without having those secrets transferred to the master.

GIVEN a Puppet master and an un-configured node which is enrolled in Conjur and have permission to access a credential WHEN the module is run against the node THEN credential are placed on the node AND that credential does not flow through the master

Developer Notes Overview and example of how this can be done in the upcoming Puppet 6 release: https://gist.github.com/turbodog/06d3fecef403bfefd9c8174ede4d9174

izgeri commented 4 years ago

Adding note from #20

To follow Puppet 6 best practices for secrets retrieval, we will update the Puppet integration to use deferred actions by default.

Note: this would be a breaking change for current Puppet integration users that conjurize their agents (a method of bootstrapping host identity that is not documented for Conjur OSS / DAP). These users would have to upgrade to another identity bootstrapping mechanism to use the new version with this change.

izgeri commented 4 years ago

Additional notes from the original definition of #20

With the arrival of Puppet 6's deferred data types, we can move credential retrieval off the Puppet master and onto the node being configured. Deferred data types reduce the security challenges by eliminating the Puppet Master as a conduit for credential delivery.

This effort will address the following areas:

Credentials delivered through the deferred data type, falling back to the current approach for Puppet version < 6.
Puppet module can be run on the following operating systems:
- Windows
- Red Hat Linux
- CentOS
- Ubuntu
- Debian
README is updated to include examples for the deferred data type

References

Related issues

Module supports a variety of common Operating Systems - #23

izgeri commented 4 years ago

There is an initial implementation of this in #179. This issue will remain open until a more complete implementation is done.

sgnn7 commented 4 years ago

Per the new code that is now on the main brach, method signature has to change to accommodate the Deferred use.

New signatures:

Using agent-side identity:

$dbpass = Sensitive(Deferred(conjur::secret, ['production/postgres/password']))

Using server-provided configuration:


$sslcert = @("EOT")
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
|-EOT

$dbpass = Sensitive(Deferred(conjur::secret, ['production/postgres/password', "https://my.conjur.org", "myaccount", "host/myhost", Sensitive("2z9mndg1950gcx1mcrs6w18bwnp028dqkmc34vj8gh2p500ny1qk8n"), $sslcert ]))



The longer signature may also change again depending on if #184 gets implemented.

sgnn7 commented 4 years ago

Released with v3.0.0rc3. Closing.