Conjur Puppet integration supports Puppet 6 #20

Closed
jvanderhoof opened this issue Mar 21, 2019 · 6 comments
Comments


jvanderhoof commented Mar 21, 2019

Puppet 6 Support

In this epic (which will be completed in several stages, with milestones defined for each stage) we update this Conjur integration to include support for Puppet v6.

Project Scope

In Scope

  • Deprecating support for Conjur Enterprise v4. (anticipated but not yet confirmed)
  • Conjur credentials provided to integration using host factory or hardcoded API token.
  • Support matrix:
    • OS: Windows (Server 2012 and Server 2016) and Linux.
    • Puppet: v5 and v6.
  • New deferred flow: Puppet master passes deferred function to node, which executes secret fetch.
  • Updating docs to reflect Puppet v6 and deferred function support.
  • Improved development environment creation, particularly for Windows.
  • Automated tests across the support matrix above.
  • Enhanced stability in production enterprise environments.

Out of Scope

  • Support for alternate methods of providing integration with Conjur identity.
  • Conjur credentials provided via conjurize (we anticipated deprecating this workflow).
  • Conjur Enterprise v4 support.
  • PDK for test automation.

Project Value Overview

  • Puppet 6 Support – This new major version of the Conjur Puppet module adds support for Puppet v6 across both Linux and Windows nodes. Additionally, Puppet v5 remains fully supported.
  • Deferred Secret Retrieval – Leveraging the new deferred function feature in Puppet 6, the Conjur module can now delegate secret retrieval to the node itself. Previously, secrets were always retrieved by the Puppet master and provided to each node via the requested catalog. This follows Puppet’s recommended best practices for secret store integrations, as it removes the Puppet master as an unnecessary intermediary.
  • **Conjur Enterprise v4 Support Deprecated** – Official support for Conjur EE v4 using the Conjur Puppet module v2 is now deprecated. Support for module v2 and Conjur v4 will be officially removed in [TBD by PM]. Also, the new module v3 will not provide any support for Conjur EE v4. All customers on Conjur EE v4 are strongly recommended to upgrade to the most recent release of CyberArk’s Dynamic Access Provider.
  • “Conjurize” Support Removed – The “conjurize” method of providing Conjur credentials to a Puppet node has been removed from module v3. Please update your integration to use one of the supported methods: API key identity or host factory tokens.

Release Plan

Milestone 1: Windows Puppet v6 Preview

  • Scope: Windows Only, Puppet v6 only, non-deferred retrieval only.
  • Release Stage: Community

Milestone 2: Linux Puppet v6 Preview

  • Scope: Linux and Windows, Puppet v6 only, non-deferred retrieval only.
  • Release Stage: Community

Milestone 3: Deferred Secret Retrieval Preview

  • Scope: Linux + Windows, Puppet v6, non-deferred + deferred secret retrieval.
  • Release Stage: Community

Milestone 4: Certified Release

  • Scope: Complete support matrix, Puppet v5 + v6
  • Release Stage: Certified (aka GA)

Implementation Plan

Milestone 1

Milestone 2

  • TBA

Milestone 3

  • TBA

Milestone 4

  • TBA
@turbodog

@jvanderhoof excited to see this coming!

@jvanderhoof

You're fast @turbodog!

@jvanderhoof jvanderhoof changed the title Puppet module leverages deferred data types Puppet 6 updates Mar 21, 2019
@jvanderhoof jvanderhoof self-assigned this Mar 21, 2019

boazmichaely commented Mar 22, 2019

See this blog

It points to a puppet ticket that mentions Conjur directly

@garkler-zz garkler-zz added this to the 10.10 milestone Mar 25, 2019
@garkler-zz garkler-zz removed this from the 10.10 milestone May 8, 2019
@micahlee

Also necessary for full support of Puppet 6: #44

@jvanderhoof

@izgeri, I've put together two workflow sequence diagrams to help explain the workflow changes we'll need to make to take advantage of the deferred functions:

Current Workflow

Shortcomings

  • Requests are made from the Puppet Master, which masks the IP address of the requesting node.
  • CIDR restrictions can't be used with Nodes (as requests all come from master)

Deferred Function Workflow (API keys stored in Hiera)

Shortcomings

  • API keys are stored on Master (in Hiera), which centralizes access. In the future, we'd like to remove this problem by creating a Puppet Authenticator.

Advantages

  • Requests come from node requesting variables, so the Node's IP address is captured in Audit. CIDR restrictions can be used to further restrict the IP address (or network range) of a node.

Notes

  • Images were generated using PlantUML. The raw files and images are located in the deferred-function-design branch of this project.
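
The two retrieval paths contrasted above (and in the "Deferred Secret Retrieval" item of the epic description) side by side, as an added manifest example that is not part of this issue and not code from the Conjur Puppet module itself. It assumes the module exposes a `conjur::secret` function taking a variable id, that the agent node already holds its Conjur host identity (API key or host-factory token) in its local configuration, and that `production/postgres/password` is a placeholder variable id.

```puppet
# Added example, not from the issue or the Conjur Puppet module.
# Assumptions: a `conjur::secret` function exists in the module; the node's own
# Conjur identity is already configured agent-side; the variable id is made up.

# 1. Non-deferred path (the "Current Workflow" above).
#    `conjur::secret` runs on the Puppet master while the catalog is compiled.
#    The master authenticates to Conjur, the plaintext lands in the compiled
#    catalog sent to the node, and Conjur's audit log records the master's IP,
#    so a CIDR restriction on the node's host identity cannot be enforced.
$db_password_via_master = conjur::secret('production/postgres/password')

# 2. Deferred path (Puppet 6+, the "Deferred Function Workflow" above).
#    The master only places a Deferred marker in the catalog; the agent
#    evaluates `conjur::secret` on the node when the catalog is applied. The
#    request now originates from the node, so the node's IP is what Conjur
#    audits and what a per-host CIDR restriction is checked against.
$db_password_deferred = Deferred('conjur::secret', ['production/postgres/password'])

# Rendering a config file from a deferred value: the inner Deferred is resolved
# first on the node, then fed to the deferred `inline_epp` template call, so the
# secret never exists on the master or in the stored catalog.
file { '/etc/app/db.conf':
  ensure  => file,
  owner   => 'root',
  group   => 'root',
  mode    => '0600',
  content => Deferred('inline_epp', [
    "password=<%= \$pw %>\n",
    { 'pw' => Deferred('conjur::secret', ['production/postgres/password']) },
  ]),
}
```

With the deferred form the master still needs no Conjur credentials for this secret, which is the point of removing it as an intermediary; what it does still hold, as the comment above notes, is whatever Hiera data provisions the node's API key, which is the remaining centralization the proposed Puppet authenticator would address.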


sgnn7 commented Oct 20, 2020

All tasks associated with this epic are complete and the milestone was closed. Closing.

@sgnn7 sgnn7 closed this as completed Oct 20, 2020