Puppet is one of the most mature and widely used configuration management tools out there. But one question comes up time and again: where and how do I store secrets in Puppet code? HashiCorp Vault manages your secrets in an automated and secure way.
In this webinar, Peter Souter will demonstrate how to use HashiCorp Vault for secrets management while using Puppet as the configuration management software.
Introductions - Who are these People?
Peter Souter, Technical Account Manager at HashiCorp
Based in... London, UK
Been using... The HashiCorp stack and Puppet for about 7 years
Worn a lot of hats in my time... Developer, Consultant, Pre-Sales, TAM
Interested in... Making people’s operational life easier and more secure
DEVOPS ALL THE THINGS
Introductions - Who are these People?
Andrew Brader, Principal Solutions Architect at Puppet
Based in... Philadelphia, Pennsylvania
Been using... Puppet for about 8 years
Also worn a lot of hats in his time... Developer, Consultant, Solutions Architect
Interested in... Making people’s operational life easier and more secure
DEVOPS ALL THE THINGS
Let's talk about the landscape
▪ You’re using Puppet to manage systems
▪ You’re happy!
▪ Your infrastructure as code is great!
▪ Everything is awesome!
But there is a problem:
“Uhhh, the production passwords are in plaintext in the Puppet code… and I accidentally pushed it to a public Git repo...”
Managing Secrets is Hard
▪ Puppet code needs to be treated like any code: secrets need to be encrypted at rest
▪ You need to think about some things:
• How would you rotate your secrets?
• How would you know what was leaked?
• How do you onboard new team members?
• How do new secrets get introduced?
• How do you track what secrets have been changed?
Best Practises for Secrets in Puppet
Here’s something I made earlier! - https://www.youtube.com/watch?v=JwuXUxSCDGY
These have similar problems...
▪ The rotation process is a little fiddly
▪ Onboarding new team members is hard
▪ Harder to keep track of who changed what
▪ No easy way to audit what’s being used where
There’s got to be a better way!?
“If only there was a secret management application we could tap into...”
Plugging Hiera into Vault
▪ Hiera is just key/value lookup
▪ So, Hiera will plug into Vault with a little bit of Ruby glue
▪ https://github.com/davealden/hiera-vault
▪ This uses Hiera 5, which allows finer tuning and more features
confine_to_keys
▪ With automatic parameter lookup, Hiera might be making a call to Vault for every parameter you could set in your Puppet code
▪ This increases catalog compilation time, as it’s an extra hop to check whether the key exists
▪ The backend has an option called “confine_to_keys”, which restricts Vault lookups to certain key names
▪ For example, a regex that only allows lookup for “password” or for keys containing the string “vault”
Vault Policy for Hiera
▪ We can secure our lookup process even more by creating a Hiera-specific policy:
  path "secret/puppet/*" {
    capabilities = ["read", "list"]
  }
▪ When we create a token using this policy, the Puppet token will only be able to read values under the Puppet namespace from Vault
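The confine_to_keys guard and the read-only policy above, as an added example that is not code from the deck or from hiera-vault: a Ruby stand-in for a Hiera 5 lookup_key backend running over a constructed in-memory Vault that enforces the policy as a path prefix. Only the confine_to_keys option comes from the slide; the mount and default_field option names, the sample paths and the secret values are assumptions.

```ruby
# Added example: a simplified Hiera lookup backend in the spirit of hiera-vault.
# FakeVault stands in for a real Vault server so this runs offline; its
# allowed prefixes model the policy
#   path "secret/puppet/*" { capabilities = ["read", "list"] }
class FakeVault
  attr_reader :reads   # number of calls that reached "Vault" (the extra hop)

  def initialize(store, allowed_prefixes)
    @store = store           # constructed data: path => { field => value }
    @allowed = allowed_prefixes
    @reads = 0
  end

  def read(path)
    @reads += 1
    unless @allowed.any? { |prefix| path.start_with?(prefix) }
      raise "permission denied: #{path}"   # the token's policy does not cover it
    end
    @store[path]
  end
end

# Returns the secret for key, or :not_found so Hiera falls through to the next
# hierarchy level. Keys that match none of the confine_to_keys regexes never
# reach Vault at all, which is what keeps catalog compilation fast.
def vault_lookup(key, options, vault)
  confine = Array(options['confine_to_keys']).map { |re| Regexp.new(re) }
  return :not_found unless confine.any? { |re| re.match?(key) }

  path = "#{options['mount']}/#{key}"   # 'mount' is an assumed option name
  data = vault.read(path)
  return :not_found if data.nil?
  data.fetch(options.fetch('default_field', 'value'))
end

# Constructed sample: a token scoped to the Puppet namespace only.
VAULT = FakeVault.new(
  { 'secret/puppet/db_password' => { 'value' => 'hunter2' },
    'secret/other/api_key'      => { 'value' => 'not-for-puppet' } },
  ['secret/puppet/']
)

OPTIONS = {
  'mount'           => 'secret/puppet',
  'confine_to_keys' => ['password$', 'vault'],
  'default_field'   => 'value'
}
```

Pointing the same token at a mount outside secret/puppet/ (e.g. by changing 'mount' to 'secret/other') raises "permission denied", which is the policy doing its job rather than a lookup bug.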
There are advantages and disadvantages
▪ One of the easiest solutions for integrating Vault into an existing Puppet estate
▪ Minimises connectivity requirements: Vault only needs to be able to talk to the Puppetserver, not all agents
▪ Debugging can be done normally through Hiera processes
▪ However, you can’t do finer-tuned control like one could do with a cubbyhole system
Alternative Solution: consul-env/template
▪ Use Puppet to configure consul-env or consul-template
Advantages
● Secrets never touch Puppet
● Puppet does not need to run on a regular interval to catch changes
● Puppet does not need to interact with Vault at all
Disadvantages
● Go's templating language is not fun
● Added indirection
● Wouldn’t work for non-templated resources (user management, for example)
  {{ with vault "postgresql/creds/readonly" }}
  [config]
  username = "{{ .Data.username }}"
  password = "{{ .Data.password }}"
  {{ end }}
Alternative Solution: Direct Integration
▪ Use a library in your application to talk to Vault directly
▪ Vault-rails, Vault-spring
Advantages
● More performant
● More control over interactions with Vault
● Less responsibility on configuration management
Disadvantages
● Requires applications to be Vault-aware
● Requires engineering effort
● Slower (for existing applications)
  # Model: the ssn attribute is encrypted through Vault's transit backend
  class Person < ActiveRecord::Base
    include Vault::EncryptedModel
    vault_attribute :ssn
  end

  # Migration: the ciphertext is stored in the ssn_encrypted column
  class AddEncryptedSSNToPerson < ActiveRecord::Migration
    def change
      add_column :persons, :ssn_encrypted, :string
    end
  end

  person = Person.new
  person.ssn = "123-45-6789"
  person.save #=> true
  person.ssn_encrypted #=> "vault:v0:EE3EV8P5hyo9h..."