Deferred functions are agent-based rather than master-based. This allows users to leverage Vault in more ways. Instead of being locked into a more basic Hiera hierarchy, operators can use any authentication method available on the agent side, including leveraging the existing certificate authority (CA) from the Puppet master with the Vault certificate backend.
2. Introductions - Who are these People?
Peter Souter
Technical Account Manager at HashiCorp
Based in... London, UK
Been using... The HashiCorp stack and Puppet for about 7 years
Worn a lot of hats in my time... Developer, Consultant, Pre-Sales, TAM
Interested in... Making people’s operational life easier and more secure
DEVOPS ALL THE THINGS
3. Introductions - Who are these People?
Chris Barker
Principal Integration Engineer at Puppet
Based in… Portland, Oregon
Been using… Puppet for over 7 years
Also worn a lot of hats in his time… Consulting, Support, Pre-Sales...
Works on… Integrations of Puppet with other systems and tools
4. Here’s what we did earlier...
▪ We’ve talked previously about the benefits of using Vault for secrets with Puppet
▪ As well as using Hiera for server-side Vault lookups
  • https://www.hashicorp.com/resources/hashicorp-vault-with-puppet-hiera-5-for-secret-management
▪ Let’s build on that...
5. A few people asked...
“How can I use other auth methods than k/v?”
“Can I use the certificate from Puppet already on the machine for secret introduction?”
“How would I do this from the agent side?”
6. Previously this was not possible...
▪ Functions only run on the Puppet master
▪ No direct way of calling Vault from the agent side
▪ Difficult to do anything other than k/v
▪ Unable to leverage the native auth of a machine (AWS metadata etc.)
8. Puppet 6: Deferred Functions
Puppet agents can fetch or calculate data for themselves at catalog application time. One use case for this is to securely retrieve sensitive information like passwords from a secrets store.
The Deferred type enables these two capabilities. It instructs agents to execute a function locally to resolve a data value at the time of catalog application. When compiling catalogs, functions are normally executed on the master, with results entered into the catalog directly. The complete and fully resolved catalog is then sent to the agent for application. Starting in Puppet 6.0, you can defer the function call until the agent applies the catalog, meaning the agent calls the function on the agent instead of on the master. This way, agents can use a function to fetch data like secrets directly, rather than having the master act as an intermediary.
https://puppet.com/docs/puppet/6.0/integrating_secrets_and_retrieving_agent-size_data.html
9. A simple example with vault_lookup
  $d = Deferred('vault_lookup::lookup', ["secret/test"])
  notify { "example":
    message => $d,
  }
https://github.com/voxpupuli/puppet-vault_lookup
10. Behind the scenes...
https://github.com/voxpupuli/puppet-vault_lookup/blob/61ee6c7dbf4fbc57a725c651c5649ed870c78e70/lib/puppet/functions/vault_lookup/lookup.rb
  # Excerpt: open an HTTPS connection that presents the agent's Puppet certificate,
  # log in to Vault's cert auth method for a token, then read the secret with it.
  connection = Puppet::Network::HttpPool.http_instance(uri.host, uri.port, use_ssl)
  token = get_auth_token(connection)
  secret_response = connection.get("/v1/#{path}", 'X-Vault-Token' => token)
  unless secret_response.is_a?(Net::HTTPOK)
    message = "Received #{secret_response.code} response code from vault at #{uri.host} for secret lookup"
    raise Puppet::Error, append_api_errors(message, secret_response)
  end

  def get_auth_token(connection)
    # Empty body: Vault identifies the caller from the TLS client certificate.
    response = connection.post('/v1/auth/cert/login', '')
    unless response.is_a?(Net::HTTPOK)
      message = "Received #{response.code} response code from vault at #{connection.address} for authentication"
      raise Puppet::Error, append_api_errors(message, response)
    end
    # Remainder of the function, elided on the slide: the login response carries the
    # token under "auth" -> "client_token", which the lookup above sends as X-Vault-Token.
    JSON.parse(response.body)['auth']['client_token']
  end
11. The cool bit… We use the cert for auth!
https://github.com/voxpupuli/puppet-vault_lookup/blob/61ee6c7dbf4fbc57a725c651c5649ed870c78e70/lib/puppet/functions/vault_lookup/lookup.rb
  $ vault write auth/cert/certs/puppetserver \
      display_name=puppet \
      policies=prod,test \
      certificate=@/path/to/puppetserver/ca.pem \
      ttl=3600
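Putting slides 10 and 11 together, here is an added example (not code from the vault_lookup module) of the agent-side flow: log in to Vault's cert auth method with the node's Puppet certificate, then read the secret with the returned token. The `VaultCertClient` class, its `from_puppet_certs` helper and the stock agent `ssldir` paths it uses are assumptions of this example; the connection is injected so the flow can be exercised offline against a fake.

```ruby
require 'json'
require 'net/http'
require 'openssl'

# Added example, not the vault_lookup module's own code: cert-auth login to Vault
# with the agent's Puppet certificate, then a KV read with the returned token.
# `connection` is any object with post(path, body, headers) and get(path, headers)
# whose responses have #code and #body (Net::HTTP does; a fake can stand in).
class VaultCertClient
  LOGIN_PATH = '/v1/auth/cert/login'.freeze
  def initialize(connection)
    @connection = connection
  end
  # Real Net::HTTP connection presenting the agent's Puppet cert/key and trusting
  # the Puppet CA; the ssldir layout is the stock agent default (an assumption).
  def self.from_puppet_certs(vault_uri, certname, ssldir = '/etc/puppetlabs/puppet/ssl')
    uri = URI(vault_uri)
    http = Net::HTTP.new(uri.host, uri.port)
    http.use_ssl = true
    http.verify_mode = OpenSSL::SSL::VERIFY_PEER
    http.ca_file = File.join(ssldir, 'certs', 'ca.pem')
    http.cert = OpenSSL::X509::Certificate.new(File.read(File.join(ssldir, 'certs', "#{certname}.pem")))
    http.key = OpenSSL::PKey::RSA.new(File.read(File.join(ssldir, 'private_keys', "#{certname}.pem")))
    new(http)
  end
  # Exchange the TLS client certificate for a Vault token. The body is empty:
  # Vault takes the identity from the TLS handshake. Any non-200 is fatal.
  def login
    resp = @connection.post(LOGIN_PATH, '', 'Content-Type' => 'application/json')
    raise "cert login failed: HTTP #{resp.code}: #{errors_from(resp)}" unless resp.code.to_s == '200'
    token = JSON.parse(resp.body).dig('auth', 'client_token')
    raise 'cert login returned no client_token' if token.nil? || token.empty?
    token
  end
  # Read a KV v1 secret and return only its data hash; the token goes in
  # X-Vault-Token exactly as in the module's lookup.
  def read_secret(path, token)
    resp = @connection.get("/v1/#{path}", 'X-Vault-Token' => token)
    raise "secret lookup failed: HTTP #{resp.code}: #{errors_from(resp)}" unless resp.code.to_s == '200'
    JSON.parse(resp.body).fetch('data')
  end
  # Vault error bodies are {"errors":[...]}; report those, never a secret's data.
  def errors_from(resp)
    JSON.parse(resp.body).fetch('errors', []).join('; ')
  rescue StandardError
    resp.body.to_s[0, 200]
  end
end
```

The policies attached on the Vault side (`policies=prod,test` above) are what bound which paths a login with this certificate can read.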
12. Standard Demo Pre-Warning!
This is a sandbox example, and is not hardened to production standards!
14. Now that functions are running on the agent, any valid auth method with Vault could be used!
• Vault Cloud Auth Backend (AWS, GCP, Azure)
• AppRole
• Username and password
This is just one example, using certs