Puppet workflows have been validated in a realistic environment with DAP

[izgeri]

Given:

• an existing DAP deployment with at least one secret loaded (in our sample env, Puppet should be set up to point to the L7 LB in GKE)
• a Linux Puppet 6 server
• a Windows Server 201x Puppet 6 agent (on a different machine than the Puppet server, with a different IP)

We will run through the following test flows with our Conjur Puppet module:

• (core team) Set up a host that has an IP restriction to the Puppet agent IP, and provide the host / Conjur config info to the Puppet team
• Attempt to run the Puppet agent and see that the agent receives a 401 response when it attempts to authenticate to DAP
• (core team) Verify that the authentication failure is logged in the audit log, and that it shows the Puppet agent IP (not the Puppet server IP)
• (core team) Add the load balancer IP and the internal k8s IP range as trusted proxies on both Followers
• Attempt to run the agent and see that it's successfully able to retrieve a secret from DAP
• (core team) The IP address is reported correctly in both the server log and the audit log as the Puppet agent IP (not the Puppet server IP)

[izgeri]

Notes on the Puppet env if using Puppet Enterprise (cc @hughsaunders):

• AWS has hosted Puppet Enterprise
• Puppet docs on compile masters
• Puppet post on autoscaling compile masters (may be useful)
• Puppet docs on installing compilers

[jvanderhoof]

Assumptions

• Two Puppet managed nodes:

  1. Windows server, with Puppet agent installed. Will run Puppet Role: role-1
  2. Linux server, with Puppet agent installed. Will run Puppet Role: role-2

• DAP Master + Follower(s)

Steps

• [x] Create two Puppet Role manifests and load into Puppet Master

  • Role 1 should use the Conjur variables credentials/api-key, and credentials/public certificate (note space in public certificate)
  • Role 2 should use the Conjur variables credentials/authorization-token, and credentials/public certificate (note space in public certificate)

• [x] Load Conjur Policies

  Click to expand

  ```yml # puppet-servers.yml - !policy id: puppet-servers body: - !layer - &hosts - !host id: role-1 annotations: description: "Windows server" - !host id: role-2 annotations: description: "Linux server" - !grant role: !layer member: *hosts # credentials.yml - !policy id: credentials body: - !policy id: api-key body: - !variable - !group read - !group write - !permit resource: !variable privileges: [ read, execute ] role: !group read - !permit resource: !variable privileges: [ update ] role: !group write - !grant member: !group write role: !group read - !policy id: authorization-token body: - !variable - !group read - !group write - !permit resource: !variable privileges: [ read, execute ] role: !group read - !permit resource: !variable privileges: [ update ] role: !group write - !grant member: !group write role: !group read - !policy id: "public certificate" body: - !variable - !group read - !group write - !permit resource: !variable privileges: [ read, execute ] role: !group read - !permit resource: !variable privileges: [ update ] role: !group write - !grant member: !group write role: !group read # role-credential-mapping.yml - !grant member: !host puppet-servers/role-1 role: !group credentials/api-key/read - !grant member: !host puppet-servers/role-2 role: !group credentials/authorization-token/read - !grant member: !layer puppet-servers role: !group "credentials/public certificate/read" ``` Load the generated API keys into Puppet to insure a role can use the corresponding host API key. ```sh api_key=$(curl --insecure --user $user:$password "$url/authn/demo/login") raw_token=$(curl \ --insecure \ --request POST \ --data "$api_key" \ "$url/authn/demo/$user/authenticate") token=$(echo -n $raw_token | base64 | tr -d '\r\n') curl --header "Authorization: Token token=\"$token\"" \ --insecure \ --request POST \ --data "$(cat $policy)" \ "$master_url/policies/demo/policy/$namespace") ```

• [x] Set variable values

  Click to expand

  ```sh api_key=$(curl --insecure --user $user:$password "$url/authn/demo/login") raw_token=$(curl \ --insecure \ --request POST \ --data "$api_key" \ "$url/authn/demo/$user/authenticate") token=$(echo -n $raw_token | base64 | tr -d '\r\n') curl --header "Authorization: Token token=\"$token\"" \ --insecure \ --data "$value" \ "$master_url/secrets/demo/variable/$variable" ```

• [x] (Puppet) Run Playbook for Role 1 on Windows server. The playbook should use the Conjur host puppet-servers/role-1 with the corresponding API key. Expected Result: Puppet run succeeds because the agent received a 200 response from DAP.

• [x] (Puppet) Run Playbook for Role 2 on Linux server. The playbook should use the Conjur host puppet-servers/role-2 with the corresponding API key. Expected Result: Puppet run succeeds because the agent received a 200 response from DAP.

• [x] (DAP) Verify

  • [x] Authentication success is logged in the audit log
  • [x] Verify audit log shows Follower L7 load balancer IP

• [x] Reload policy with restricted_to field set to the IP address of the Puppet agent

• [x] (Puppet) Run Playbook for Role 1 on Windows server. The playbook should use the Conjur host puppet-servers/role-1 with the corresponding API key. Expected Result: Puppet run fails because the agent received a 401 response from DAP.

• [x] (Puppet) Run Playbook for Role 2 on Linux server. The playbook should use the Conjur host puppet-servers/role-2 with the corresponding API key. Expected Result: Puppet run fails because the agent received a 401 response from DAP.

• [x] (DAP) Verify:

  • [x] Authentication failures are logged in the audit log
  • [x] Verify audit log shows Follower L7 load balancer IP

• [x] (DAP) Add the Follower load balancer IP and internal Kubernetes IP range as trusted proxies

  Click to expand

  ```sh docker exec cyberark-dap evoke proxy add ```

• [x] (DAP) Verify:

  • [x] Authentication success is logged in the audit log
  • [x] Verify audit log shows Puppet agent IP

• [x] (Puppet) Update the credentials on agents, altering the API key so it's no longer correct. Run Playbook for Role 1 on Windows server. The playbook should use the Conjur host puppet-servers/role-1 with an incorrect API key. Expected Result: Puppet run fails.

• [x] (DAP) Verify:

  • [x] Authentication failure is logged in the audit log
  • [x] Audit log shows Puppet agent IP (not the Puppet server IP)

[sgnn7]

Very broad-strokes info with some of the manual steps missing on how the puppet infra was setup for this so that it doesn't get lost: https://gist.github.com/sgnn7/362ea52dcb2ce848ae931f5be619148c

[jtuttle]

Logs for the steps used to run through the tests above: https://gist.github.com/jtuttle/80247fddbbf62577c0154deb4b349cb0

[sgnn7]

Closing as the tests have been successful.