turbodog

turbodog

node /secret-[a,l,w].*/ {
   notify { title:  message => "I am a secret agent." }

# Fetch a secret

#   $secret = Deferred("azure_key_vault::secret", ['turbodog-keyvault', 'foo', {
#     metadata_api_version => '2018-02-01',
#     vault_api_version    => '2016-10-01',
#   }])

turbodog

Quick-start documentation for building support for Puppet agents fetching from secret stores

Intro

New in Puppet 6 is a capability called the Deferred type that allows agents to execute a Puppet function to resolve a data value at the time of catalog application.

When compiling catalogs, functions are normally executed on the puppet master with results entered into the catalog directly. The complete and fully resolved catalog is then sent to the agent for application. Starting in Puppet 6, functions can now be deferred until the agent applies the catalog, meaning the agent executes the function on the agent instead of the master. The upshot of this is that agents can use a function to fetch data like secrets directly rather than having the Puppet master act as an intermediary. Builds with this functionality are now available from the puppet6 nightly repos.

Using a deferred function

turbodog

curl -X POST https://localhost:4433/classifier-api/v1/groups --cert /etc/puppetlabs/puppet/ssl/certs/master.pem --key /etc/puppetlabs/puppet/ssl/private_keys/master.pem --cacert /etc/puppetlabs/puppet/ssl/certs/ca.pem -H "Content-Type: application/json" -d '
{
  "name": "Group 04",
  "environment": "production",
  "parent": "00000000-0000-4000-8000-000000000000",
  "classes": {},
    "rule": [
        "or",
	["=", "name", "agent004000"],
	["=", "name", "agent004001"],

turbodog

curl -X POST https://localhost:4433/classifier-api/v1/groups --cert /etc/puppetlabs/puppet/ssl/certs/master.pem --key /etc/puppetlabs/puppet/ssl/private_keys/master.pem --cacert /etc/puppetlabs/puppet/ssl/certs/ca.pem -H "Content-Type: application/json" -d '
{
  "name": "Group 03",
  "environment": "production",
  "parent": "00000000-0000-4000-8000-000000000000",
  "classes": {},
    "rule": [
        "or",
	["=", "name", "agent003000"],
	["=", "name", "agent003001"],

turbodog

curl -X POST https://localhost:4433/classifier-api/v1/groups --cert /etc/puppetlabs/puppet/ssl/certs/master.pem --key /etc/puppetlabs/puppet/ssl/private_keys/master.pem --cacert /etc/puppetlabs/puppet/ssl/certs/ca.pem -H "Content-Type: application/json" -d '
{
  "name": "Group 02",
  "environment": "production",
  "parent": "00000000-0000-4000-8000-000000000000",
  "classes": {},
    "rule": [
        "or",
	["=", "name", "agent002000"],
	["=", "name", "agent002001"],

turbodog

curl -X POST https://localhost:4433/classifier-api/v1/groups --cert /etc/puppetlabs/puppet/ssl/certs/master.pem --key /etc/puppetlabs/puppet/ssl/private_keys/master.pem --cacert /etc/puppetlabs/puppet/ssl/certs/ca.pem -H "Content-Type: application/json" -d '
{
  "name": "Group 01",
  "environment": "production",
  "parent": "00000000-0000-4000-8000-000000000000",
  "classes": {},
    "rule": [
        "or",
	["=", "name", "agent001000"],
	["=", "name", "agent001001"],

turbodog

curl -X POST https://localhost:4433/classifier-api/v1/groups --cert /etc/puppetlabs/puppet/ssl/certs/master.pem --key /etc/puppetlabs/puppet/ssl/private_keys/master.pem --cacert /etc/puppetlabs/puppet/ssl/certs/ca.pem -H "Content-Type: application/json" -d '
{
  "name": "Group 00",
  "environment": "production",
  "parent": "00000000-0000-4000-8000-000000000000",
  "classes": {},
    "rule": [
        "or",
	["=", "name", "agent000000"],
	["=", "name", "agent000001"],