
Module supports using the Deferred Type to execute lookups on the remote node #13

Closed
jvanderhoof opened this issue Aug 13, 2018 · 5 comments

Comments

jvanderhoof commented Aug 13, 2018

As a Puppet operator, I want to be able to leverage Puppet's new Deferred Type, so that I can use the remote node's identity to retrieve secrets from Conjur, without having those secrets transferred to the master.

GIVEN a Puppet master and an un-configured node which is enrolled in Conjur and has permission to access a credential
WHEN the module is run against the node
THEN the credential is placed on the node
AND that credential does not flow through the master

Developer Notes
Overview and example of how this can be done in the upcoming Puppet 6 release: https://gist.github.com/turbodog/06d3fecef403bfefd9c8174ede4d9174


izgeri commented Jun 22, 2020

Adding note from #20

To follow Puppet 6 best practices for secrets retrieval, we will update the Puppet integration to use deferred actions by default.

  • Note: this would be a breaking change for current Puppet integration users that conjurize their agents (a method of bootstrapping host identity that is not documented for Conjur OSS / DAP). These users would have to upgrade to another identity bootstrapping mechanism to use the new version with this change.


izgeri commented Jun 24, 2020

Additional notes from the original definition of #20

With the arrival of Puppet 6's deferred data types, we can move credential retrieval off the Puppet master and onto the node being configured. Deferred data types reduce the security challenges by eliminating the Puppet Master as a conduit for credential delivery.

This effort will address the following areas:

  • Credentials delivered through the deferred data type, falling back to the current approach for Puppet version < 6.
  • Puppet module can be run on the following operating systems:
    • Windows
    • Red Hat Linux
    • CentOS
    • Ubuntu
    • Debian
  • README is updated to include examples for the deferred data type


izgeri commented Aug 10, 2020

There is an initial implementation of this in #179. This issue will remain open until a more complete implementation is done.


sgnn7 commented Aug 11, 2020

Per the new code that is now on the main branch, the method signature has to change to accommodate the Deferred use.

New signatures:

  • Using agent-side identity:

    $dbpass = Sensitive(Deferred(conjur::secret, ['production/postgres/password']))

  • Using server-provided configuration:

    $sslcert = @("EOT")
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    |-EOT

    $dbpass = Sensitive(Deferred(conjur::secret, ['production/postgres/password',
      "https://my.conjur.org",
      "myaccount",
      "host/myhost",
      Sensitive("2z9mndg1950gcx1mcrs6w18bwnp028dqkmc34vj8gh2p500ny1qk8n"),
      $sslcert
    ]))

The longer signature may also change again depending on if #184 gets implemented.
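The following manifest is an added example, not code from the conjur-puppet module or from anyone in this thread. It ties together the two signatures above and the fallback described in the Jun 24 comment (deferred retrieval on Puppet 6, the compile-time call on older agents) in one hypothetical profile class. The class name, the variable id, the file path and the Hiera keys are all constructed for the example; the function name is passed as a quoted string, which Puppet treats the same as the bare `conjur::secret` used above.

```puppet
# Hypothetical profile class; example code added here, not part of the conjur-puppet module.
# The secret id, file path and Hiera keys below are constructed for this example.
class profile::app_db (
  String  $secret_id   = 'production/postgres/password',
  String  $secret_file = '/etc/app/db_password',
  # true only where the node has no Conjur identity of its own and the master
  # must hand it connection details (the longer signature).
  Boolean $server_provided_config = false,
) {
  # The Deferred type exists from Puppet 6 onwards. On those agents the lookup
  # runs on the node, so the password never enters the catalog built on the master.
  if versioncmp($facts['puppetversion'], '6.0.0') >= 0 {
    if $server_provided_config {
      # Longer signature: conjur::secret(id, appliance_url, account, login, api_key, ssl_cert).
      # Connection details come from Hiera (assumed keys). The host API key is wrapped in
      # Sensitive so Puppet redacts it in logs and reports; note that this key still
      # travels master -> node inside the catalog, only the retrieved secret does not.
      $dbpass = Sensitive(Deferred('conjur::secret', [
        $secret_id,
        lookup('profile::conjur::appliance_url'),
        lookup('profile::conjur::account'),
        lookup('profile::conjur::authn_login'),
        Sensitive(lookup('profile::conjur::host_api_key')),
        lookup('profile::conjur::ssl_certificate'),
      ]))
    } else {
      # Short signature: the agent authenticates with the Conjur identity
      # already configured on the node.
      $dbpass = Sensitive(Deferred('conjur::secret', [$secret_id]))
    }
  } else {
    # Puppet < 6 fallback: the function runs during catalog compilation, so the
    # master fetches the secret and it reaches the node inside the catalog.
    $dbpass = Sensitive(conjur::secret($secret_id))
  }

  file { $secret_file:
    ensure    => file,
    owner     => 'root',
    group     => 'root',
    mode      => '0600',
    content   => $dbpass,
    show_diff => false,   # never print the old or new secret in run output or reports
  }
}
```

Two things to check when adopting this pattern: a deferred function executes on the agent, so the module's Ruby function has to reach the node through pluginsync before the first run, and the version branch is only a transition aid, since on the pre-6 path the secret is present in the compiled catalog exactly as this issue set out to avoid.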


sgnn7 commented Sep 11, 2020

Released with v3.0.0rc3. Closing.

@sgnn7 sgnn7 closed this as completed Sep 11, 2020