Closed izgeri closed 4 years ago
Notes on the Puppet env if using Puppet Enterprise (cc @hughsaunders):
Two Puppet managed nodes:
role-1
role-2
DAP Master + Follower(s)
[x] Create two Puppet Role manifests and load into Puppet Master
  - credentials/api-key, and credentials/public certificate (note space in public certificate)
  - credentials/authorization-token, and credentials/public certificate (note space in public certificate)
[x] Load Conjur Policies
[x] Set variable values
[x] (Puppet) Run Playbook for Role 1 on Windows server. The playbook should use the Conjur host puppet-servers/role-1 with the corresponding API key.
Expected Result: Puppet run succeeds because the agent received a 200 response from DAP.
[x] (Puppet) Run Playbook for Role 2 on Linux server. The playbook should use the Conjur host puppet-servers/role-2 with the corresponding API key.
Expected Result: Puppet run succeeds because the agent received a 200 response from DAP.
[x] (DAP) Verify
[x] Reload policy with restricted_to field set to the IP address of the Puppet agent
[x] (Puppet) Run Playbook for Role 1 on Windows server. The playbook should use the Conjur host puppet-servers/role-1 with the corresponding API key.
Expected Result: Puppet run fails because the agent received a 401 response from DAP.
[x] (Puppet) Run Playbook for Role 2 on Linux server. The playbook should use the Conjur host puppet-servers/role-2 with the corresponding API key.
Expected Result: Puppet run fails because the agent received a 401 response from DAP.
[x] (DAP) Verify:
[x] (DAP) Add the Follower load balancer IP and internal Kubernetes IP range as trusted proxies
[x] (DAP) Verify:
[x] (Puppet) Update the credentials on agents, altering the API key so it's no longer correct. Run Playbook for Role 1 on Windows server. The playbook should use the Conjur host puppet-servers/role-1 with an incorrect API key.
Expected Result: Puppet run fails.
[x] (DAP) Verify:
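The restricted_to step, the 401 it produces, and the fix of adding the Follower load balancer IP and the internal Kubernetes range as trusted proxies are easier to reason about with the proxy-resolution rule written out. The following Python is an added example, not code from the Conjur Puppet module or from DAP: it models the usual reverse-proxy rule (start at the TCP peer and walk X-Forwarded-For right to left while the current hop is a trusted proxy) together with the restricted_to comparison. The agent IP, load balancer IP, Kubernetes range and request path are constructed assumptions chosen to mirror the test plan.

```python
import ipaddress

# Constructed sample values for this example (assumptions, not from the issue).
AGENT_IP = "10.0.1.25"            # Puppet agent, the address listed in restricted_to
FOLLOWER_LB_IP = "10.0.9.10"      # Follower load balancer in front of DAP
K8S_RANGE = "172.16.0.0/16"       # internal Kubernetes range (ingress/pod addresses)
FOLLOWER_PEER = "172.16.4.7"      # TCP peer the follower actually sees (a k8s hop)
ATTACKER_IP = "203.0.113.5"       # host that is neither the agent nor a proxy


def client_ip(remote_addr, x_forwarded_for, trusted_proxies):
    """Resolve the caller's origin address.

    Model of the common reverse-proxy rule: begin at the TCP peer address; while
    that address belongs to a trusted proxy, step back one hop through the
    X-Forwarded-For chain (rightmost entry first). The first untrusted address
    is the client. With no trusted proxies the peer itself is the client, which
    is why a restricted_to host behind a load balancer gets 401 until the
    proxies are trusted.
    """
    trusted = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

    def is_trusted(addr):
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in trusted)

    chain = [a.strip() for a in x_forwarded_for.split(",") if a.strip()] if x_forwarded_for else []
    current = remote_addr
    while chain and is_trusted(current):
        current = chain.pop()  # the hop that spoke to the trusted proxy
    return current


def authorize(restricted_to, remote_addr, x_forwarded_for, trusted_proxies):
    """Model of the restricted_to check.

    Returns 200 when the host has no restriction or the resolved origin falls
    inside one of the allowed networks, otherwise 401.
    """
    if not restricted_to:
        return 200
    origin = ipaddress.ip_address(client_ip(remote_addr, x_forwarded_for, trusted_proxies))
    allowed = [ipaddress.ip_network(n, strict=False) for n in restricted_to]
    return 200 if any(origin in net for net in allowed) else 401


def run_scenarios():
    """Replay the test plan's steps against the model and return the status codes.

    Request path assumed: agent -> Follower LB -> k8s ingress -> DAP follower,
    so the follower's peer is a k8s address and X-Forwarded-For is "agent, LB".
    """
    xff = f"{AGENT_IP}, {FOLLOWER_LB_IP}"
    restricted = [AGENT_IP]
    trusted = [FOLLOWER_LB_IP, K8S_RANGE]
    return {
        # Step 1: no restricted_to on the host, run succeeds.
        "unrestricted": authorize([], FOLLOWER_PEER, xff, []),
        # Step 2: restricted_to set, proxies untrusted -> peer is the k8s hop -> 401.
        "restricted_no_trusted_proxies": authorize(restricted, FOLLOWER_PEER, xff, []),
        # Step 3: LB and k8s range trusted -> chain walked back to the agent -> 200.
        "restricted_with_trusted_proxies": authorize(restricted, FOLLOWER_PEER, xff, trusted),
        # Caveat: a direct caller outside the trusted set cannot spoof the agent
        # via X-Forwarded-For, because its own peer address is not trusted.
        "spoofed_xff_from_untrusted_peer": authorize(restricted, ATTACKER_IP, AGENT_IP, trusted),
    }


if __name__ == "__main__":
    for name, code in run_scenarios().items():
        print(f"{name}: {code}")
```

The last scenario is the reason the trusted set should stay as narrow as the plan describes (the load balancer address and the Kubernetes range that actually fronts the follower): any address inside the trusted set can present an arbitrary X-Forwarded-For and be resolved as the agent, so widening it to a broad range turns restricted_to into a check only on who can reach the trusted network.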
Very broad-strokes info, with some of the manual steps missing, on how the Puppet infra was set up for this, so that it doesn't get lost: https://gist.github.com/sgnn7/362ea52dcb2ce848ae931f5be619148c
Logs for the steps used to run through the tests above: https://gist.github.com/jtuttle/80247fddbbf62577c0154deb4b349cb0
Closing as the tests have been successful.
Given:
We will run through the following test flows with our Conjur Puppet module: